Business security is more than just having the right tools; it is about putting the right strategy behind them. Whether you're managing risk in an enterprise or safeguarding an SMB, a solid plan is essential, and leadership plays a critical role in maintaining a secure environment. Without strong guidance, even the best security tools fall short. Knowing where your data flows and managing risk deliberately can save your business from serious trouble. Don't assume that owning security tools means you're protected. How are you staying ahead in your business security?
Max:00:07
You know, intros or outros versus this versus that, and, like, everybody ends up with their style. And I'm kinda, like, in this point right now. We're, like, it's we're gonna do it live. Let's just do
AJ:00:16
it live. Yes. Yes. Just like the Fox just like the Fox News host without the profanity. Right?
Max:00:21
What an epic meltdown that was. You know, it's so easy to fall down this rabbit hole in terms of, like, equipment. And, you know, the AirPods are actually really good quality. If you use the AirPods, they're really good quality. The thing that that, like, makes everybody crazy is you have to go into your Bluetooth settings and make it so the AirPod doesn't automatically switch between devices.
Max:00:39
So if you remember to do that, then you don't have to worry about, like, your phone taking your AirPod off your computer and then doing something else with it and, like which is why, like, everybody's like, oh, just get, like, an actual corded headset and, like, plug it into the computer because then you've got this thing. And you notice it. I mean, if you get, like, really into it I I don't do the production, but I've listened to enough of them now where it's like you can hear the difference between a regular mic, you know, this mic, that mic, you know, and the differential is so is so minimal.
AJ:01:08
Yeah. But in some cases, you know, it's people going from, you know, a Pinto that's 30 years old. Right. Which is a $17 you know, microphone that they bought at Walmart. Right.
AJ:01:19
And, and just upgrading to something like a headset like this, right. Makes a significant difference in quality. Right. So you look at the first couple that we recorded and you listed the audio on a few people on there, and it's just like, you know? And it just like you said, you can spend a lot of money in in getting gear for podcasts.
Max:01:36
So I had a blue Yeti. The thing I liked about the blue Yeti was I could pace in my office on on speakerphone, and, like, the Yeti would get it. But then when you were using it for recording, it would get everything else as well. So it wasn't it wasn't great. So I went from a Blue Yeti to the Shure, which was great.
Max:01:53
But then all of a sudden, you need an audio interface, phantom power, a discrete headset, and you, like, you turn around, and you're like, did I really need all this stuff? But, like, you're so far into like, you're just, like, digging, like, shoveling dirt over your shoulder. You're like
AJ:02:07
Do you have the little mixer board yet? Like that's got the presets that you sit in front of you?
Max:02:13
I bought one. I used it for a little bit and I was like, I don't need this. And I got rid of it, you know, with like the reaction sounds.
AJ:02:20
Yeah. Yeah. It would make you look like a real professional podcaster. Come on.
Max:02:24
No. I don't think you'd like the the the noise. No. I don't I don't I I I literally I bought one. I got rid of it.
Max:02:29
I what I did was so I'm in, like, this light experience right now trying to figure out lighting, and that's another deep hole that once you start digging, like, it is so deep. And Elgato Elgato, I think, is a company, they have their their lights, the key lights, which are pretty good. So that's why I bought that that thing for the desk so I could turn the lights on and off. But then they're, like, 2.4 gigahertz, you know, Wi-Fi. So then they, like, lose sync and they come back.
Max:02:53
You can't turn them on. And, like, there was, like I was having all this drama with those lights, and so I ended up buying, like, something just to have on tripods, like, set up for lights. Dude, it's I'm telling you, just record. Like like, just just just like
AJ:03:06
Don't let perfection get in the way of progress. Right? Just get out there and start recording and learn stuff along the way. Yeah.
Max:03:11
So you just got back from Black Hat. Right? You were out you were out of Black Hat?
AJ:03:14
No. This year, I did I I didn't go. We have, we have a significant amount of work this year. And so we sent Jake Williams, our VP of R and D out there. And he, he represented Hunter this year.
Max:03:24
I haven't been to a Black Hat in forever. I can remember I was thinking about this last night. I think the first Black Hat that I went to was probably like 25, 26 years ago. And it was like such the perfect encapsulation of, like, what Black Hat actually is. And, like, some crazy stupid off strip hotel that's, like, happier there because they're gonna go under if they're not if they don't get the revenue, but at the same time, they're, like, at war with all of everybody, like, showing up for the conference and all these nerds running around with their ham radios.
Max:03:54
And, like, you know, what was incredible about that I had two things that came out of that one for me. The first one was I sat in a a talk, and it was, like, standing room, sitting room only with Bruce Schneier. His presentation was elliptic curve cryptography and quantum computing for break. I mean, it was like I
AJ:04:09
understood some of those words.
Max:04:10
I absorbed, like, all of, like, that much of what he was talking about, but it was just it was like you had this and it was this was, like, 99. In 98, 99. And you could have this, like, glimpse of the future of, like, where things were going and how far forward this guy was was thinking because we're just starting to see quantum computing now. That was impressive. Second thing that happened was before another talk, they were doing, like, lightning rounds, and a guy gets up and just starts reading out people's passwords because everybody's like,
AJ:04:37
I think that was the, the, the old wall of, Pondo owner wall of shame or something like that. I can't remember what it, what it was, but yeah.
Max:04:43
That was, but that was like the same thing for me. It was like, you know, walking into that place, I knew not to carry a cell phone, not to have a laptop, not to have anything beaconing. It was just like, you just know you're going to get yourself in trouble.
AJ:04:52
Look, I mean, there's always element that element to it, but I would say, you know, in my experience, the vast majority of, of, you know, hackers that are there are there to not cause a bad scene. Right. And not cause a problem. You know, this year there was quite a bit of, of, of drama, right. With what Hilton did and how they, how they handled, you know, communications.
AJ:05:12
And so, thankfully that I'm aware of, there's no major incidents out of, out of DEF CON or Black Hat. So. It it's, it's definitely a community and it's definitely a place where, you know, one bad apple can ruin the whole bunch. Right. All it takes is one moron to do something stupid, to give a, you know, a bad name to a conference.
AJ:05:29
And unfortunately those people are there. Right. And
Max:05:33
so the thing that was always amazing about it to me was just, just a level of curiosity of people, you know, really like more than anything else. It was just the, like, I want to know how this works and I'm going to figure out how this works and you can't like, nobody's going to tell me how this works. So I'm just going to figure out how it works. And, you know, and that, like, kinda, like, you know, like the real hacker ethos. You know?
AJ:05:52
Yeah. And I think that's the appeal of the summer camp, to be honest with you. Right? And it's that's what it's called as hacker summer camp for a lot of people. Right?
AJ:05:58
Because DEF CON and Black Hat overlap each other, and it's basically 2 weeks. Right? 10 days. Right. And as an adult, right.
AJ:06:05
If you can line your PTO up, right. And your workup appropriately, it's 10 days where exactly what you said, where you get to be a kid again. Right. And you get to go look at all the things that you don't know about. Right.
AJ:06:19
Or you don't have time to investigate. Right. In, in the hacking world, you can be like, oh, I'm gonna go over here and mess with hardware hacking village. Right. For 3 days, because that's what I wanna do.
AJ:06:28
And I can't do it, you know, and I don't have the stuff in my everyday job. Right. So it really is, you know, this font of, of, you know, renewal for a lot of hackers every year where they go and get all of their, you know, curiosity that maybe they can't get in their everyday life fulfilled. So I think it's a great thing. I think that it's, you know, it's challenging in Vegas and, you look at other conferences like Wild West Hackin' Fest that's in Deadwood that is just moving to Denver next year.
AJ:06:55
Right. And, the moving to other cities, right. That are easily accessible and are maybe a little bit more friendly on the InfoSec side. So those are some things that I would, you know, Blue Team Con, Wild West Hackin' Fest, those kinds of cons are really where you get to know, I think more of the, of the community and you get a lot more closeness, right. Rather than some of the larger cons that are out there.
AJ:07:15
So they have their purposes, right? Don't get me wrong. I learned a lot, do a lot of cool stuff and there's, there's scale of things that you, you know, that you can do at Black Hat. You can't do it at smaller cons. And it's an experience.
AJ:07:25
I remember my first DEF CON I took, I was at 1st or second. I think it was second DEF CON. And it'll be interesting to see if this person actually ever sees this, this part of the, if we ever edit this in. Right. But first DEF CON, I took an employee with an employee with me who had 3 children and was not supposed to have a 4th.
AJ:07:41
And his 4th child was conceived in Vegas the very first time I ever took him to DEF CON because he took his wife with him. And so now I tell him, you're welcome. I am responsible for your 4th child. Right?
Max:07:53
That's a great story, though. Yeah. And she I put together, like, a little docket when we first set this up. But now when we set this up to schedule it to now, like, a lot's happened. So I think before we go into, like, any of my list here, I kinda throw it to you of, like, anything you think we should talk about because there's there's been a little news in the security world in the last couple of weeks.
AJ:08:13
Yeah. Good point. And I'm thankful that you're editing this Max's is the short of it, and we can restate that if you want because I gotta think a minute because I I didn't have notes, ready to go.
Max:08:23
So you've got some, of course, amazing stories on Twitter about, you know, physical pen testing with different facilities. They're always fun. And knowing people that have done this and been in this space is always, of course, wild to see. And, you know, myself like going through secure facilities. I think, you know, the realities of what people tell you are and the differences between what people tell you versus what's actually going on, you know, like, with that.
Max:08:44
We could talk about that. That's interesting. That kinda leads into, like, this idea around checking the box security. Right? We see this a lot right now.
Max:08:51
Usually, it's compliance driven external orgs, you know, supply chain. Hey. You have to go do x, y, and z. I have mixed feelings about that. I'd like I'd I'd be interested in your thoughts.
AJ:08:59
One of the other things that I would look at too, and there's actually a really, really good talk as well. That Jake Williams, our VP of R&D, did at RSA and it talks about security for the have nots. Right. And it's really about security in the SMB world. Right.
AJ:09:14
And how, in some cases, how high the bar is. Right. For just a, like, I mean, look, you mentioned it earlier on, right? When it talks about, Hey, if I want to get into podcasting and I wanted to use Riverside, one user, right. It's $900 a month.
AJ:09:30
Right. And when you start talking about, you know, low, services in the security world and you're like, Hey, I am a 2 or 3 person, right. CPA office, right. That has access to
Max:09:42
or legal office, right.
AJ:09:42
a bunch of sensitive financial or personal information. They don't have the overhead. Right.
AJ:09:51
To run a proper security program.
Max:09:53
Let's talk about this. Let's get into this a little bit. I'm going to prompt you with a couple of things with this one. Okay. So in our world, when we're out, when we're talking with our clients and talking with enterprises and people that are, like, in some phase of a security journey, I notice a huge line for most service providers at around a 100 seats.
Max:10:07
You know, there's the 100 and under, 100 and over, becomes like the first really big line. Now there's other lines. Right? But a lot of tooling really kind of has this idea that you're coming to the table with 100 seats. So if you're less than 100 seats, it gets really difficult, because your cost per seat increases a lot.
Max:10:22
Now there's another issue with that with the SMB. There's vendors in the market that have SMB bundles, and they try to put a bunch of tooling together. And maybe it's an EDR plus asset and vulnerability and patching and, like, all these things that kind of swirl together. I've had a lot of conversations with the SMBs after they've had issues. You know?
Max:10:37
Like, something has happened to them, and then that's usually a triggering event for most people. Like, we've had something happen, and, like, it didn't put us out of business, but, like, we had a bad experience with a bad taste in our mouth. Let's not do this. We know now what do we do? And we start talking about it.
Max:10:50
Like, here's kind of, like, the the levels. Like, do this, do this, do this, and kinda work your way down or work your way up, however you wanna how to, you know, visualize it. And then you get into like, you run into the wall. And, like, I had a conversation, you know, a few weeks ago, and this, you know, the the CEO, the owner of the company says to me, man, it sounds like a drag. You know?
Max:11:07
Now in that case, the drag was
AJ:11:10
Welcome to my life in security.
Max:11:14
Let's talk about this. Right? So in that case, what we're talking about that was a drag was enabling MFA on his Google Workspace account. Right? We're not we I wasn't, like, I wasn't you know, we weren't, like, really getting into the weeds of, like, let's do some really crazy stuff.
Max:11:25
It was like, let's just turn on multifactor.
AJ:11:27
Right. You're not talking DLP or data labeling or you know?
Max:11:31
And here's my last my last thing of prompting here. The question I'm asking you is because I've been asking this question for for the better part of a decade right now, which is how do you sell security to people that are not buying security? Because everybody there's, like, this idea and this expectation of, like, you know, everybody needs it. Everybody wants it. But but how do you actually sell it?
Max:11:48
And that's and not be, like, just in this order transactional process of like, hey. We're out shopping for an EDR. We're out shopping for a SEG. We're out shopping for a blank tool and, like, check that box and go sell it. And I thought that for a long time that it was insurance that would push this issue, which kinda seems like it maybe is or maybe isn't.
Max:12:03
And now I think it might be something else, but I I wanna hear your side of this first. And we could talk about the SMBs, and we could talk about enterprise.
AJ:12:08
Yeah. And like you said, there's lots of, fingers, right, that we can go and and spin off on here from a discussions perspective right in the space. And I liked your comment around how do you sell people, you know, security that aren't buying security because you're right. It's very much, you know, as you said, that all I could think about was car insurance. Right.
AJ:12:25
And there are definitely an element of people that even though it's mandated and required that you drive on the street with car insurance, they don't have car insurance. Right. There's a reason why there's underinsured and uninsured. Right. And, you know, the thing I would say is I do think that insurance is slowly driving changes in the space.
AJ:12:43
Right. So there's a conference that happens twice a year. 1 on the west coast, 1 on the east coast, it's called NetDiligence. And it is a conference effectively for the cybersecurity risk space. Right?
AJ:12:54
So it's for underwriters, it's for privacy lawyers, right. For DFIR-type events. And they get together and they talk about cybersecurity insurance. And so this was, this was 2 to 3 years ago now.
AJ:13:08
Right. I was at the one in Santa Monica and conversations there that were from actual providers, right. People that issue the insurance policies are that things such as, well, you're not going to be issued an insurance policy unless you have 24 by 7. Right. So unless you have an MDR service of some kind right in the F that's coming right in the future now to your point.
AJ:13:30
So what I don't buy cyber insurance anyway. Thanks. Right. And, you know, I think the reality there comes down in, in, to your point from a business perspective is, is how do you create the desire right. To purchase, or the need to purchase.
AJ:13:46
And this is one of my favorite stories and I do calls for, for IANS, the Institute for Applied Network Security, on a weekly basis. And one of the things that I talk about in there is as security practitioners, we oftentimes take accountability or ownership of risk, right? Because we, I don't, we feel obligated to do it. We know how to take care of it. We feel bad about the risk.
AJ:14:08
Right. And we change the pain point for the person who is responsible for the risk ultimately. Right. And so the story goes, you know, you walk up to a farmer and he's sitting on a, on a porch with his dog and this kid walks up to the farmer. And every so often the dog like raises his head up and howls in pain.
AJ:14:24
The kid's like, what's wrong with your dog, man? He's like, oh, he's laying on a nail. And he was like, why doesn't he move? And he goes, he will, when it hurts bad enough. Right.
AJ:14:34
And unfortunately in, in a lot of cases, that's the reality right now in this case hurts bad enough. Right. Can mean your business shuts down. Right. Because you know, it can be a life ending or a business ending event.
AJ:14:50
I should say life ending, but, you know, in, in certain cases,
Max:14:53
well, it could be life ending depending on industry.
AJ:14:56
Sure. Fair enough. Yeah. If you, if you're, if you're in industry and you're working, you know, in that space, it could be, you know, At least the approach, today is I don't know the answer to that question. Right.
AJ:15:08
Of how do you sell security to someone who's not buying? I think that the only thing that you can do is continue to make it painful. And I think the bigger challenge comes into the general population, right. As a whole, doesn't both understand. Right.
AJ:15:23
And know how to ask. Right. And there's such a a lack of understanding of everywhere our data goes right. Anymore. The, just as most recent breach, right.
AJ:15:32
They said every single social security number of every American. And I'm just, I'm sitting there just like, yeah, whatever. My social security was gone a long time ago. All this, you know, this security monitoring insurance is a joke. Right? It's just
Max:15:43
If anybody ever pays for credit monitoring at this point, like, you're just you've you've you like, why? Like, you're gonna have free credit monitoring for the rest of your life. You know?
AJ:15:52
All you gotta do is do some paperwork and fill it out. Yeah, exactly.
Max:15:55
Yeah. Because you, you guaranteed your, your information is compromised somewhere and you have free credit monitoring. And by the time that one expires, another one's going to come up. Right?
AJ:16:03
Yeah. Agree. So, you know, people crap on Microsoft, you know, and others, because they're like, oh, you know, bundled security and all these things. And it's like, are those products that Microsoft has best in, best of breed? No, they're not.
AJ:16:19
In almost all cases. They're not now. I'm not saying they're not good. Right. You talk Defender, you talk, you know, Sentinel.
AJ:16:25
Those are all things that you know, defender loses to CrowdStrike, right? In some instances. Right. But it makes it accessible right To, to the small business owner and makes it to where they don't have to necessarily think or understand. Right.
AJ:16:41
And I think that where some of the disconnect lies is everybody. And this is one of the things I like about office, right. Is where Microsoft office is. Sometimes it forces the purchase right. Of, of those other tools that are out there.
AJ:16:53
And I personally believe that the likes of Microsoft and Google should be turning things on by default. Right. In other words, you don't get the option anymore to have an email account that doesn't have MFA. Sorry. That's just how things work.
AJ:17:07
Right. I don't care if you don't like it. Right. It's like a password. I'm sorry that you don't like to, you know, you want your password to be 1, 2, 3, 4, 5, 6.
AJ:17:14
We've shut that ability off. Off. Right. So to me, I. We talked quite a bit there, but there's, there's a lot of different elements.
AJ:17:18
I don't think either one of us will know the why ultimately it comes down to, they don't understand it it's too, and it's too expensive, right. For them and their, and their operating model. And when they start heck, man, how many people in the US, you know, operate at a 7th grade reading level, I think, or 8th grade reading level. I think they said 70 or 80%.
Max:17:39
Okay. So let's, let's, let's start with E5 security.
AJ:17:42
Sure. Since I know you're a huge fan.
Max:17:44
I'm a huge fan. I started my career as an MCSE. Like, I went through the MCSE program, NT 4.0. I did 3 of the tests. I went out and I got a job as a as a network engineer, field engineer for a VAR going on doing field support.
Max:17:58
Right? So I'm not an MCSE because I never took, like, whatever, but I did. Right. NT 4, TCP/IP, and Exchange 5.0 are, like, my certs, if I remember correctly.
AJ:18:05
So I
Max:18:06
don't think I got the file and print cert. Like, I'm sorry. You know? Like, to your point, right, like, defaults. Defaults matter and are so critical.
Max:18:15
And when you my my base argument against the purchasing cycle of E5 security is not, you know, on the lower end of the market of, like, okay. Now we're being forced into it or it's there or it's accessible to us, and let's get it. Because 100%. Right? Like, adding adding Sentinel and Defender on top of, you know, your stack, like, it takes you from, like, here to, like, so you you know, like, you you get into, like, nuances.
Max:18:42
Like, okay. You know, CrowdStrike versus Sentinel versus this versus that versus the next thing. And, like, we can talk about, like, the technical differences of these things. But, like, the overall improvement of your of your posture is already so high. But the problem that I see with these things deployed all the time is this false perception of, like, okay.
Max:18:58
I have it now. I'm secure. I'm okay. Or we installed it, and my fill in the blank IT team that's not trained on this product can actually implement this properly. Or the third one I see, which is, oh, we've we've hired some service provider in our neighborhood that has 6 engineers that are now ours and we're now, like, our security team, and we're secure.
Max:19:17
And I'm like and and you get in these conversations, you're like, okay. Well so you have a managed detection response, like, you know, an MDR service in play. And you say, okay. Well, how big is the SOC? Well, well, there's there's no SOC.
Max:19:27
Okay. What's the network engineering, you know, bench look like? Oh, there's 6 there's 6 you know? Well, I don't know. Okay.
Max:19:32
Let's ask. How many engineers do you have? Well, we have 6. How are you managing cybersecurity for your customers? You're not.
Max:19:39
You're just, like, installing the tool and checking the box and then saying and then there's this press you know, this this perception. And I worry about that from the eventuality of, like, oh, we were supposed to be secure because that's what we were told, but then we weren't. And, like, it doesn't work, and so let's rip this whole thing out. Like, I got people talking about ripping CrowdStrike out now, and you're like, pump the brakes. Like, that's not a response we want.
Max:20:02
So that's that's where I get really fired up about this. Now I get the whole other thing, which is the buying a security tool from the OEM that's riding the operating system, that's trying to patch the operating system that's not just included with the operating system. It would be I'm at the point where, like, should this just be a feature of 365 as opposed to a paid add on? Like, this is comes with it. Like, that would be, I think, would be now Sentinel with the storage.
Max:20:27
I do like Sentinel also, and I think Sentinel is really good for the MDR vendors who now can decouple the SIEM from their sales cycle where you don't have to explain how much your data retention is gonna be. And that's like on the enterprise.
AJ:20:41
So, well, the thing I would say, but that's like, so look, Hunter operates in this space, right? Like we, we operate almost exclusively in cloud-based SIEM. Right. And, and, and managed SOC. And what I would tell you is Sentinel is extremely hard to understand it in price, right?
AJ:20:59
Like you have to give such a wide berth of range to your customer because 99.99 percent of people. Right. Don't know what their data flow is. Right. They have no clue.
AJ:21:13
Right. And so even if you run through the Microsoft calculator, right. And input all of the things correctly, Right. You're talking in most cases, you know, let's just take a roughly 2,000 person headcount organization. Right.
AJ:21:28
You're talking. 15 to 20 grand a month. Right. Of just ingest right. On, on, on the Sentinel side of things.
AJ:21:37
Right. And then to your point, right. It comes in the play of, well, we have security. Someone that had local admin got a phishing email and they clicked on a thing and oh my God. What good is our security?
AJ:21:51
You know, you guys don't ever stop anything. Right. And so, yes, you were right in the small business world. Right. You can have all the things, but then there's just the, you know, there's the belief, right.
AJ:22:02
That, well, I bought the thing and the thing is going to protect me from everything. Right. And, and if I, if, if I have it, why aren't I paying for it? And then the third thing I would say, that's been really good in the SMB space is the release of, of Lighthouse for Defender. Right.
AJ:22:18
Which is the ability right. For an SMB provider, right. To go into these smaller shops that don't have Sentinel, right. That don't have that don't have CrowdStrike or others. And maybe all they have, you know, is Defender for Endpoint in their environment on top of their Office 365 subscription.
AJ:22:35
And you can now ingest a shop of 60 users right into your, your Microsoft MSSP lighthouse tenant. And as a provider, it does not cost you any dollars Right. To set that up. Right. And so I like that model and the ability to support smaller customers with that model.
AJ:22:54
But you're right. It's I like to call it, it's such a Russian, Russian nesting doll problem. Right. Where it's just like, oh, let's go fix this problem. Oh, now this right.
AJ:23:02
And you have to get that, that business owner to understand. Right. A lot of things at the very small layer and how they support the stack foundation layer across security. And it, and it's a challenge, Right? It's hard.
Max:23:14
Where I've gone to this is, like, my core of these, I think, come down to let's call it, like, 3 evils. Right? The first evil is that since the start of time, like, IT and business don't know how to talk to each other. And so that we end up with terms that get pushed from business to IT, that IT then learns how to talk. Right?
Max:23:30
So ROI and TCO. And being in a security engagement, you know, and then it's like people wanna talk about ROI and TCO on a security suite. And you're like, we can quantify it in terms of like risk reduction for an insurance policy, because that has a direct correlation. But what is the ROI on deploying? You know, this tooling, that's not, and everybody's like, oh, it's like an insurance policy.
Max:23:57
You know, like security is not an insurance policy. Insurance policies pay you after that, that the building burns down. Like what you're trying to do here is keep the building from burning down. So like, what's the ROI of a sprinkler system. Right?
AJ:24:07
Like, yeah. And the thing I'll go and I'll just interrupt real quick on that, which is just what's hard is in order to actually calculate that kind of stuff in the enterprise, they go to your, your, your BCP/DR team and they say, hey, go give me your BIAs. Right. I want to have an understanding of all your business processes and all the breakdowns in there. Right.
AJ:24:24
Because if this one business process goes down, right. Because of a security event, it costs us $27,000 an hour for this to be down. Right. And so. To your point, it's not a ROI, right.
AJ:24:38
It's just a removal of potential spend in the future because you did a thing. Right. And even then to your point, it's not a guaranteed, right. You know, removal of the thing
Max:24:49
and in your, and what you do. And now let's go back. Right. Because that process you're talking about in that documentation SMB versus enterprise doesn't exist. I mean, like sub, a couple of thousand seats.
Max:25:01
You will okay.
AJ:25:02
It doesn't exist in enterprise.
Max:25:05
We're not talking about that right now. I can't. Like, 111 so that's that's my first evil. 2nd evil, the security industry, I think, perpetuated, which is the security maturation model for enterprise. And then you end up with these, like, vendor presentations that show, like, you know, ladder stepping of, like, where are you on the on the security maturation?
Max:25:23
You know? And, like, are you here? Are you here? And then your quadrants are all these different things, and you're talking to a nontechnical buyer. And they're like, okay.
Max:25:31
Well, what's the difference between, like, a level 4 and a level 6 and a level 8? And you're like, I don't I don't know. I can't tell you. Like, it's better, but, like, what's the difference between it? Like, I don't know.
AJ:25:44
I mean, in theoretically speaking, it's a 1,000 differences. Right. Cause it, cause, cause you could, you could be a level 8, right. And be level 4 over here, or you could be a level 8 over here and a level 4 over here and they both equal out to be level 5. Right.
AJ:25:57
So like, it's just to your point, it's, it's impossible to exploit.
Max:26:00
And then my third one, and this is really kind of what I think is so, like, I'm happy that that supply chain's pushing it. I'm happy that we're seeing things like CMMC that are pushing this. I'm happy that, like, you know, we have TPN and and media entertainment pushing, you know, security down the stack.
Max:26:15
Right? These are all reactions, of course, to bad events happening and them saying, let's not have this bad event again. And so my third kind of hypothesis is just scar tissue. Right? Which is, you know, how long does it take for enough bad things to happen to enough people that there becomes this, like, collective response to, like, oh, no.
Max:26:30
My neighbor's business went under because they had an email thing that happened to them. And, like, how do we not have the email thing ourselves? Because I saw this guy lose his house, and, you know, I want locks on my doors now because I've learned the lesson. Like, you need to have locks. So I kind of wonder about it in those terms a little bit, of just how long it takes for, like, the collective pay, because a lot of this stuff is underground.
Max:26:51
People will be like, oh, we've had this breach, and all your Social Security numbers have been leaked. And everybody's like, okay. Yeah. Whatever. Who cares?
Max:26:56
You know? And then you see imagery, you know, like, from Colonial Pipeline with, like, people filling up pickup beds, truck, you know, with, like, tarps in them with gasoline. And you're like, you've got a plastic tarp in the bed of your pickup truck and you're pumping gasoline into it. Or what was the one in Boston, the hospital chain in Boston that had ransomware? And they enlisted the National Guard to come out and help them reimage the computers.
Max:27:18
And there's photos of fatigue-wearing National Guard in the hospital, like, going computer to computer just because they needed additional bodies to try to go and recover the hospital network, you know, however many, you know, buildings were down. And you look at this, you know, like, man, like, this is, it's terrifying for me because, like, you know, like, you think, you project forward a little
AJ:27:39
bit. Yeah. No, no, no, completely agree. And when we talk about business ending events, right. And unfortunately, that's really terrible to say, actually.
AJ:27:50
Right. But unfortunately, we, as a society, rate and mute and have tools. Right. I was just reading last night about a particular tool that's available. And I'm going to forget the name of it now.
AJ:28:02
But it's available effect, effect. It's an acronym, of course. Right. But it's a financial recourse tool where, you know, for an example, the $15,000,000, right, that got paid for ransomware for Caesars.
AJ:28:13
Like they got $13,000,000 of that back. Right. They seized 13,000,000. Right. And then this other case, they got 42,000,000 back.
AJ:28:20
Right. So even though the person committed the issue, right, and they went through some of these benefits, or through some of these steps, right, to be compromised by the threat actor and send the money after the fact, we were able to pull that back and stop the pain.
AJ:28:34
Right. And it's just, to your point, in the SMB space there's so many things. Unless there's an event, security will most likely not come to the top of someone's mind unless they work in a regulated industry. Right.
AJ:28:51
And they're forced to by regulation. Right. But let's, I mean, if you take and you push those together and you say, well, that's great. Then the state of the medical world security should be awesome because we have HIPAA and we have PCI and we have, you know, all these rules, and it's almost like counterintuitive. You have war legislation, right, around protecting things that are in the medical space.
AJ:29:12
And yet the medical world is probably one of the worst security, you know, verticals out there from the world security perspective. And so it's expensive to keep people, it's expensive to hire providers. Right. And as you said, most people don't think about that in relation to their product. Right.
AJ:29:29
They price their product. And if you are operating as, you know, a lawyer or a doctor or whatever it may be in a certain area and everybody's competing and no one else is including the cost of security in their business model. Right. And now you do. Right.
AJ:29:42
And you start losing business because you've had to increase your prices. Right. It's a self-perpetuated model. It's challenging.
Max:29:50
I'm gonna tell you two stories. They're similar, but there are two stories. I'm gonna tell you two stories, and then I'm interested in getting your feedback. Right? So the first story, I'm at a conference, and I think my NDA still exists.
Max:30:00
Right? And there's a CSO talking from a $1,000,000,000 plus revenue organization with lots of locations and lots of employees and lots of stuff. We'll just kinda leave it at that. And this person basically explains, you know, where they are in the org chart and that this person has a total budget for security of $11,000,000 of tools and people. So north of a $1,000,000,000, a billion-plus revenue business, not valuation, like dollars coming in, top line, over a billion.
Max:30:30
And the entire security apparatus for the business was $11,000,000 for tools and people. And what this person was explaining was, reflecting on what they were trying to accomplish with their job, they viewed their job, really, and their team, as just trying to identify stuff as quickly as possible and figure out how to take it off the network and then have other people go deal with it, pushing it back to the traditional IT team. You know, hey, this device is doing something weird. Go figure it out. Right.
Max:30:55
Like it became this very, you know, like, what can you hope to achieve? Basically, a couple of years later, I'm having a conversation with another person who's running security for a unicorn company. So this is not revenue. This is valuation after funding. Lots of users. Same thing.
Max:31:12
Lots of stuff. And was asked to write the plan. Like, how do we you know, what do we need to do here? And wrote the plan. And basically came back and was told, like, okay.
Max:31:21
You're not getting this. You asked for this. You're gonna get this. Figure it out, kind of thing. And this person, I was talking to them later, and they basically told me that they had a very nice salary to be the person that was fired when something happened.
Max:31:35
Like they checked the box.
AJ:31:37
No, it's serious. Like, let's jam on that one for just a little bit. Right. Because I had an almost exact same conversation with Jake earlier this week. And it was just, you know, and we were talking about the position of security executives.
AJ:31:51
Right. And the fact that a lot of these firms will hire a CSO. Right. And to your point, the only job of that CSO, right, is to juggle balls, answer, you know, pretty questionnaires, and then be the fall guy when something happens.
AJ:32:06
So they can be like, we've sacked our CSO. Right. And, you know, and to your point, that's their job. Right. And they know it, and they know that they are only there for that purpose.
AJ:32:17
Right. And then you mentioned earlier, you talked about this facility that's like, their only job is to, hey, there's a problem. Right. And I think one of my favorite commercials ever that I talk about in security all the time, and I can't, I think it's like a State Farm commercial. I'm gonna have to go find it, but it's, you know, the scene opens up and people are standing in a bank and it's a nice, quiet afternoon.
AJ:32:38
There's a security guard standing there. Right. And all of a sudden, 4 masked men burst into the bank and everybody on the ground, everybody on the ground. Right. And the masked men, the security guard gets down and lies next to the lady.
AJ:32:48
And she's like, you're a security guard. Aren't you going to do anything? And he's like, oh, I'm not a security guard. I'm a security monitor. And he looks at her and goes, there's a robbery.
AJ:32:56
Right. And I just die. Like, cause it's such a great illustration in security, which is just like, hey, there's something wrong over here. I'm done now. Bye.
AJ:33:07
Right. Like, and that's really what it feels like. Right. In a lot of cases, is we're not empowered, right, to do the job that we're being asked to do, and/or you're just given a figurehead.
AJ:33:19
Right?
Max:33:20
Where's the breakdown come from? Where do you think, I mean, because fundamentally, I think people in the IT space and security space are trying to, you know, like you were saying earlier, take on a lot of stuff. Right? Like I have yet to meet somebody who doesn't really, like, try to take on a lot of stuff and is really trying to do something good for the organization they're working for. Right?
Max:33:36
But there's a really big disconnect. What do you think, how do we fix that disconnect in the security space of the organization? And, I mean, it's gotta be, and I'm hoping that there's something that's more than, you know, my idea of, like, scar tissue. Right? Like, what is the miss right now for people in the security, you know, space?
Max:33:54
Like, going and talking to the GC of a company and really moving the ball forward.
AJ:34:00
I worked in the financial services world. Right. And when I joined it, right, security team. And again, at the time this organization was Fortune 114, multiple billions of dollars in revenue.
AJ:34:12
Right. When I joined, they had 7 people on their security team, right. They're in 50 countries, Nate, globally. Right. 4 of those people were GRC people that.
AJ:34:23
The ISO 27000 BCP process. Right. So there wasn't an actual hands-on security function. Right. I remember we had a BEC event, right.
AJ:34:33
Because they didn't have MFA deployed. Right. And got through that event. But I'll never forget one of the comments that, you know, came out of our chief legal counsel officer's mouth was, we have an ISO 27001 certificate. Doesn't that mean anything?
AJ:34:48
And it's hard as a security person, right, to not do what you just did. Right. Which is just like, you're in the middle of this huge incident.
AJ:34:56
And somebody says something to you that you're just like, you just want to facepalm and slide your hand down your face while they say it. Right. And so when you talk about shifting, number 1, it is educating, right, and getting people to understand what security means. I think that security people as a whole really suck at selling.
AJ:35:17
Selling the idea, the need, the concept, the drivers behind security. So that's number 1. I talked about it earlier about moving the nail, right, from a pain point perspective. And when I talk about things like third party vendor risk management, right, and third party management in organizations, these TPVRM teams.
AJ:35:37
They don't have good risk acceptance policies in place. They don't have good risk acceptance processes in place, and they're not reporting on those things. Right. And so in the enterprise, when you're talking about those things, it's okay, Mr., you know, product owner, or Mr.
AJ:35:51
COO, you know, or Mrs., you know, CFO, whatever it may be that runs the organization. This software, this infrastructure, this whatever would not exist if it wasn't for your particular line of business, your particular needs. You are the owner
Max:36:07
of
AJ:36:07
this. Right. IT does not own this, right. We are the dealership that you bring your car to for servicing. Right.
AJ:36:16
Maybe a little bit more than that. Right. But we don't own it. And unfortunately, a lot of IT and security people take a lot of ownership in the system. Right now, I'm not saying that from a mental space is bad, right?
AJ:36:29
But from a decisioning space, and you think about a RACI chart, right? Responsible, accountable, consent, and informed. You may be the R that does the hands-on-keyboard type stuff, but you're not accountable for the overall health of that program. Right. And so from a business perspective, what I encourage people to do is, number 1, build a risk acceptance program where, when someone that owns an asset tells you that they don't want to do something in a security world, you go, great.
AJ:36:56
I'm going to write up the risk right here. I'm going to give you a section that says, hey, here's the reason why we need this. We're going to make $27,000,000,000, right, on this one line of business. So I'm going to accept this risk and you say, great, awesome. Fill out the paper, sign here, please.
AJ:37:11
Right. And let's be clear. There's lots of nuance to sign here. Right. Because the company officer has to be the one that does it, right?
AJ:37:16
Like there's, so don't let anybody do it. Right. We can get into risk management programs all day long, but then take that, aggregate it, right, go to your quarterly board meetings with an aggregation, right,
AJ:37:31
of all of your accepted risk. And you're constantly re-bubbling that up, talking about it, right, forcing recertification of that risk. Right. And until that happens, right?
AJ:37:43
I don't, again, the people who are responsible for signing the checks are not feeling the pain. Right. And we take that away from them regularly because I'm not forcing someone who owns insurance, right? Like directors of boards carry E&O insurance, officers of companies carry E&O insurance, right, for these reasons, right.
AJ:38:03
For different kinds of reasons. So when they accept risk, right, if they have a problem, they can fall back on that. Right. Officers of companies are legally liable, right,
AJ:38:12
especially publicly traded companies, right, for the decisions that they make, and can be held to account by their stakeholders. So if you, as a security person, are like, well, yep, these guys said they can't do MFA because it's a legacy application that sits on the mainframe.
AJ:38:25
So we're just going to have to put that on the risk register and away we go. And that risk register is never reviewed. That executive never has to, right, put any pain towards it. You start thinking about things like ramping security costs, right? Risky cars have more costs, right,
AJ:38:40
to insure than a Toyota Camry. Right. And so there's, I think there's lots of levers to change that paradigm, but it takes a lot of work and it takes a leadership team in both the security and business space that are tied in and care and want to do those things, right? Like you can try to establish a risk acceptance program.
AJ:39:00
And if your, you know, executive team, your audit committee, whatever it be, doesn't support you, good luck. Right. So that's at least my initial viewpoint of how you start steering away from ownership in IT and security.
Max:39:13
I've written more BCDR plans than I ever want to, like, verbalize. And early in my career, developing a BCDR plan, it was always like, the 10 point earthquake's gonna hit, and we have to do x, y, and z and yada yada yada. And, like, there's always these things. Right?
Max:39:27
Being in SoCal. And after a few years of doing this and the frustration of, like, you know, like, how many, like, you know, days, weeks, months of my life, you know, into this, like, massive document, you know, and then having nothing happen with it, it finally occurred to me. And I think this was part of the, like, the maturation cycle of the other night, you know, IT practitioner, was the board had a fiduciary duty to evaluate the risk versus cost mitigation, but not necessarily to actually mitigate or address the risk. Right. So we had, you know, and this is a really simplistic example of this, right?
Max:40:03
Like, oh, potential risk of an earthquake hitting. And this is what happens to our facilities if it does. And this is what it costs to protect against this, you know, risk, and the perceived, you know, occurrence of this particular event is so low that, like, what do we do with it? Right? And in those cases, it was like, oh, okay.
Max:40:21
Great. Thank you for the plan. We have the plan. We've evaluated it. We've done our fiduciary duty to the company.
Max:40:25
We've decided it's not worth spending the money to implement a mitigation to this risk. Right? And, you know, and there's, I've heard a lot of chatter and talk about, you know, this, like, shifting of, you know, personal liability, you know, for people making these decisions on the board. And, like, what does that actually mean? And what I'm always kind of fascinated with with that conversation becomes, if the company can't afford to do something, like, have you done the fiduciary duty to the company as your role on the board of directors or as an executive to say, hey.
Max:40:57
Look. We evaluated this, and we decided not to do it, you know, because we just couldn't do it. You know? So, like, now you get into the E&O policy. Right?
Max:41:05
Does the E&O policy start mandating certain things because now they're, you know? Like, but, you know, okay. We have cyber insurance policies that dictate that you have to do penetration testing. I know a company that has to do their annual penetration testing, and it runs and they fail, and they get the report, and then they find in their logs the IP address of the pen test system. They block that pen test IP.
Max:41:27
They run the pen test again. They pass, they move on with their life. Right.
AJ:41:30
Somebody give me a pen so I can stab at my eye. Like, come on. Yes. And as an offensive security provider, right, you run into those people from time to time as well.
AJ:41:41
Right. That's just like, can't you just run the scan and give us the thing? And it's like, sorry, that's not a pen test, you know?
Max:41:46
But what they get and what their requirement is, that's just it. They, you know, somebody on the other side is like going through their process and saying, oh, if we pen tested all of our vendors, and it's like, the vendor, have they passed the pen test? And it's like, oh, we have a successful pen test that's come down. Now I don't think that anybody involved in this actually thinks they have security. They're just, like, trying to move on with their life in, you know, the easiest way possible.
AJ:42:09
One of the things that just popped into my mind when you said that was automobile safety, right, and automobile manufacturing. And if you think of some of the correlations there, right, there are a standardized set of tests that every single automobile goes through. Right? Example being NTSB has a requirement for crush, right?
AJ:42:32
Where, you know, and it's literally every car is put into a machine and they apply a hydraulic crusher to it. And they're like, do you meet the requirements of, you know, 3X the, whatever it may be, right, before the car fails? And so you start talking about things like, what are regulation and things along those lines. It's like, to your point, because human beings are so red-teamy and hacky in nature, they're just like, how can I do the minimum to get around this? Right.
AJ:42:59
It's, you have to be like, the legislation will have to get very, very granular and verbose. And I think we're going to have to introduce some forms of standards, right, that define this is what a pen test is. And the funny part is too, I don't know if you've run into, right,
AJ:43:16
like the CREST certification, right, and the cancer that is CREST. But I think that that's what they were trying to do effectively, is you're a CREST certified provider, which says you operate, you know, pen testing off of these standards. But the person's just going
Max:43:28
to go find somebody that doesn't care. Right. And give them the report anyway. And so, and of course, like, this whole thing becomes so acronym heavy. It's like, oh, you know, are we doing DAST, you know, versus SAST?
Max:43:42
Right? And, like, what are we actually trying to achieve with this? And what I've really kind of I'm trying to force, like, for myself this thing of, like, are we communicating in a way that, like, the business understands? Like, is there a why that we're actually driving towards? Otherwise, like, what are we doing, you know, here?
Max:43:56
Like, what's the business why? Because then people understand what you're trying to explain to them. And that's actually an interesting segue. I tell everybody, you know, when they're starting out and they're asking, like, okay. We wanna do, you know, we, something's happened.
Max:44:08
Whatever's going on, we wanna improve our security because we've either hit some requirement wall. We just know we need to do it or we had some issue or whatever it is. And I start with identity. Like, do you actually have some sort of identity provider that makes sense that you have control over? Right?
Max:44:22
Usually for most people, they're on 365 or Google Workspace or they're on Okta. Right? It's like, have you selected an identity provider? And then my next question is, like, where are you on the MFA journey? I mean, SMS based 2 factor authentication, I think, is like such hard garbage.
Max:44:36
And the fact that I have banks that like, won't give me another alternative. It's like, well, we're not going to do business with you anymore as a bank. Like this is nuts.
AJ:44:42
Yeah. I bank at Wells Fargo. And it's one of those things where, like, you either have SMS or they give you an RSA hard coded token. And it's like, what?
Max:44:51
But so, like, in the 2 factor, in the multifactor world, you have SMS. You know, Google's actually, you know, like, and Microsoft and Google, I think, are really trying to push the ball forward here on this one, and Google doing MFA inside of other apps. Like, open the YouTube app. Like, there's a cynic in me which is like, okay. Now you have to have the YouTube app installed on your phone, which they know is gonna lead to, like, view time.
Max:45:09
Right? Minutes of consumption. But, like, at the same time, you're like, okay. You know, that actually is a better security posture for most people. Like, okay.
Max:45:16
You know, like, I can accept the, like, approach. And then you get into, like, the keys. Right? You know? Like, YubiKeys are not expensive, but the level of effort for a company to go from SMS to, you know, TOTP to, you know, WebAuthn to YubiKey.
Max:45:30
Right? Like, these are like hurtling mountains. You know, it feels like with a lot of people.
AJ:45:36
Especially, you know, look, and here's the thing, good to your point, you find out where they sit on an identity journey. Right. And identity is a big passion of mine as well. And when you start talking about things like birthright roles, right, and joiner, mover, leaver programs.
AJ:45:50
Right. And all of the different elements of that, when they don't have any of those in place, you're just like, okay, when was the last time you did a user entitlement review? User what? Right. And, you know, I think you bring up a great point, which is, it's not just a technological hurdle, right?
AJ:46:09
It's 3 to 5 years to implement a strong, solid, good identity program as a whole. Right. If you're starting from scratch. Right. And people don't understand that.
AJ:46:19
Right. They don't understand the investment that it takes, and look, to your point, you're buying products that are not secured by default. Right. And so you're literally adding to your technical debt, right, as you're going along the path, right, of 3 to 5 years, you still have to operate business and all those things.
AJ:46:35
Right. And let
Max:46:36
me interrupt you. CBO forces 10, does 10 year projections on legislation, because that way you can't have politicians pushing legislation. But then at the same time, the counter to that becomes projects that are too long. Politicians won't push because it has no political, you know, value for them if it's a 10 year project, and they're gonna be running for reelection in 2 years and yada yada yada. And when you say, like, a strong identity project has 3 to 5 years, you've got a 2 year turnover average for enterprise, you know, of, like, stat, I mean, you know, you have people that are shorter and longer, but when you look at it all the way up and down the stack, including executive teams, at this point, like, you know, there's roughly, like, a 2 year, like, churn rate.
Max:47:14
How the heck do you approach a project that's a 3 to 5 year, like, life cycle if you're talking about churning your org that's running that all the way up to your executive sponsor, like twice, at least inside of that duration of time.
AJ:47:28
Yeah. And I think we could spend another 3 hours talking about like the spinoffs of why people are turning over. Right. And in lots of places. Right.
AJ:47:36
But it's like, I think you have to break it down into smaller consumable chunks. Right. And I think that you have to start creating incentive. Look, people, people do what they are incentivized to do at the end of the day. Right.
AJ:47:47
And so it's like, if you are hiring a CSO, you're hiring an executive team, right? You're building a security team. It's like, build your incentives around where you want them to go and what you want them to do. Right. But now we're getting back to the root of the problem, which is, if you're hiring a CSO, how, you know, and as a security issue, right,
AJ:48:07
you don't know what to tell them. Right? Like, yeah, it's a chicken and egg problem. Well,
Max:48:12
and these things are so important. Colonial Pipeline, you know, credentials from a person who was long gone, you know, VPN access into the network, and then you run hog wild. Right? So you're talking about, like, what was the actual financial exposure to that company because you had a VPN concentrator authenticating with credentials for somebody that wasn't with the business for at least a year. And you, like, you unpack that for a second.
Max:48:34
You're like you know, on the surface, you're like, this isn't a huge technical challenge, but then the reality of orgs of these sizes, it becomes huge technical challenges because of the amount of, like, everything that's going on inside of this org and how difficult it is to actually implement these things.
AJ:48:50
Yeah. And, I don't think we have a good answer for that. Right. Which in reality, it just comes down to, you're going to have to break your identity program to smaller chunks. You're gonna have to start educating, you know, at the highest levels.
AJ:49:04
Right. And I think that's a lot of what some of these bigger consulting firms are trying to do. Right. Is start educating at the highest levels, but then you've got the McKinseys, you've got the, you know, of the world that are going into a boardroom and educating. Sorry, educating.
AJ:49:22
Right. And, and it's a 28 year old master's student. Right. That has never actually seen something. Right.
AJ:49:27
And they're reading off of a list of recommendations. Right. I think, I don't know if you saw it, the McKinsey study on New York and the trash cans, and it's like, they paid, I don't remember, several million dollars, right, for them to come back and be like, hey guys, you need trash cans.
AJ:49:45
You know, it's like, what are we doing?
Max:49:48
Stop putting trash on the street, put them in trash cans. Okay. I think this is interesting. I'm going to take this in a slightly different direction. There's lots of vendors in the space, in the market.
Max:49:57
We've got tool vendors. We've got professional services organizations. We have SOCs. We have all these different things. Now there's a lot of roll up.
Max:50:02
There's a lot of action and activity going on in the PE space, rolling up MDR platforms and coming up. So what does that create? That creates sales teams. Sales teams have quotas. They go out, and they cold call, and they do all these different things.
Max:50:15
A few years ago, there was a really viral moment on LinkedIn over a company in the Bay, and it started with a security practitioner who was cold called on her cell phone and then posted this rant that she received a cold call on her cell phone from this, like, horrible security company, which then was piled on by her SecOps team or CSO from this company, you know, going on about how offensive it is they've gotten a phone call from a security company, like, trying to, like, talk to them about their product and, like, don't call us, we'll call you. And by the way, we won't call you because if we need something, we're gonna ask our friends what they're running, and that's how we're going to make decisions in the security world.
AJ:50:58
Yeah. And I think what you're pointing out here really is, it just comes down, there's a lot of, look, in any, in all areas of business, there's a lot of good old boys. Right.
AJ:51:08
And there's a lot of handshaking. There's a lot of television. Right. And unfortunately, you know, the good old boy that you choose to be your plumber, to blow out, you know, to pump out your septic tank, and you're like, hey, my buddy pumps out septic tanks, probably doesn't matter as much.
AJ:51:23
Right. And if you take the same approach in the security world, the impact is significantly different. Right. I saw something on Twitter the other day that was like, every time that you think that you are failing, it's like, remember that there's someone out there that is confidently wrong, right, advising other people.
AJ:51:40
Right. In the same aspect. And unfortunately, Security is a new enough domain and there's enough black magic around it. Right? There's enough voodoo around it.
AJ:51:49
There's enough, you know, it's opaque enough that it's still somewhat easy, right, for a person to come in and masquerade that they know what they're doing. Right. And you know, it ends up being the blind leading the blind. Right.
AJ:52:01
And you get a bad security leader in, look, let's be honest, you get a bad leader in any spot, that impacts, right. But security tends to be, you know, I would say, more of those. And so how do you fight those? Well, look, in this particular instance, now I'm going to have to go look this up. Right.
AJ:52:17
But it's funny too. I even caught myself, like, LinkedIn is going crazy ways. Like, I'm like, wow, you said that on LinkedIn? Like I saw some of that stuff this morning and I'm just like, man, you people are bold. You're posting on your work-associated, like, you know, and it's just like, geez.
AJ:52:32
Right. So that's a whole nother conversation by itself. Right. But at the end of the day, what I've come down to, right, and how I have, you know, built my organization and our team, is this relationship and education, right?
AJ:52:46
If you are out there in security, trying to, you know, throw a butt against the wall and see if it sticks and trying to build it fast, right? Sure. There are lots of unicorns, but if you're talking about in the services world, right, it's about relationship and it's about delivery. Right.
AJ:52:59
And it's about showing people how they can start winning with some smaller efforts and some small changes and how they can drastically change their posture with just a few small things. Right. So can you fight against the good old boys? No. And it's like screaming into the void.
AJ:53:17
In most cases, it's just going to get you frustrated. Right. And is it really going to do anything? So if you run into someone like that, right, at that point, it's just like, I keep moving forward.
AJ:53:28
I ignore that person and I move on, but to what you speak of, it's a problem in the larger industry as a whole. And how do we solve that? I'm quite certain that a lot of people on LinkedIn saw that and knew it was wrong. Right. And knew that the team saying it was wrong.
AJ:53:47
And I'm not saying that LinkedIn is the place to do this. Right. Because it's not right. And you shouldn't be calling out those people. We have to police our own.
AJ:53:56
Right.
Max:53:56
I, for some reason, didn't get involved in this debate. I just sat on it for a couple of days and there were a couple of things about it. It was like first off, yelling at the SDR or AE that called you and putting them on blast. It's like your cell phone number is in ZoomInfo. Like, get over it.
Max:54:11
You know? Like and who put it in ZoomInfo? The vendor you're currently using. You know? Like, you know, that's who put it in ZoomInfo.
Max:54:19
Right? They updated the database. But, you know, after a few days of, like, kinda thinking about that one specifically, what I what it kinda dawned on me was they don't have any budget to even think about evaluating these tools probably. You know? So it's like it's this weird thing where you've got now a company in a sales org actually calling out and trying to prospect and develop business, and you're calling into organizations that by definition, like, don't have budget.
Max:54:42
Like, you know, like, there's a reason why they're not shopping for your tool because they they can't get it. You know? And I don't and I wonder it wasn't stated this way, but I wonder how much of that was just a frustration response of, like, getting called, like, every day with some new tool and being in a position where you have no budget to go acquire a tool in the first place.
AJ:55:00
Yeah. And look, speaking as a guy that gets calls on his cell phone from security vendors, right now, while I would never take that to LinkedIn and put somebody on blast on LinkedIn, unless somebody was just like racist or misogynistic or something like that with me on a call. Right. I wouldn't ever put them on blast, but, but you know, one, let's be honest here. Right.
AJ:55:22
You know, some of those calls that come in, right, are not necessarily professional level calls. Right.
AJ:55:26
And you know, you're getting, you know, some of it's the sales approach. Again, I go back to cyber. Right. And just saying like it is, we, as a, as a cybersecurity, you know, vertical stink at understanding, you know, what customers are. So it's, it's a little bit of a hard problem to have to your point.
AJ:55:43
It's absolutely, you know, uncalled for behavior. How do we solve it? We've been talking about it for the last hour. Right. There's there's, there's so many, there's so many elements to it, right?
AJ:55:52
That, that, that it's, it's pretty challenging. I think it just starts with one day at a time, 1 percent at a time. Right. And, and slowly chewing things down. I don't know that the security industry right as a whole, I think that the collective, the yous, the mes of the world, right.
AJ:56:08
That are at in the trenches, right. Going out and doing the fighting. Those are the people that, that make the difference that go in and have the, the, the conversations with the small business owners that spend the time to educate them. Right. And that's why I like relationship.
AJ:56:21
Right. That's why I like the approach that I have. Right. Or that, that, that we take. Right.
AJ:56:25
And I think you do too. Right. I've seen, I've seen the conversations that you've had in some of your podcasts and the way that you talk about things, which is just like, look, I'm not here to get things over on you. Right. I'm not here to get you to buy a thing.
AJ:56:36
I'm here to help you be more secure and help your business, you know, be more resilient if that's what you want to do. Great. If not, no problem right now. The unfortunate part is in the security world that, and when you're, when you're selling services that, you know, so many, no problems in you, you no longer have a business, right?
Max:56:52
There's different ways that we approach that here, which is some of it becomes like I don't want to say subversive. Right? But, like, there's a certain element where it's you can find ways of of of squeezing better security posture into other things. You know? Like, hey.
Max:57:09
We're doing a network overhaul. We're doing an SD-WAN overhaul. It's like, you know, you can like and a lot of times, maybe it's just positioning where it's like, I can you know, you have you you you have enough experience with this. It's like, I can look 16, 17, 18 months down the road with an organization and say, okay. Let's solve this problem, but let's put something in place right now that makes it really easy for you to tackle the next thing.
Max:57:29
When it wake, when you like get to that point. And those are like my favorite phone calls. When I get a call back from a client that says, okay, we need to do X, Y, and Z. And it's like, okay, fantastic. You're already ready for it.
Max:57:40
Like, all we have to do is just, like, do an addendum on this thing and turn it on. And they're like, wait. That's it. And it's like, yeah. You know, that's it.
AJ:57:48
Yeah. Let's let's jam on that for a minute. Right? Because I think that a lot of security leaders to your point, you talked earlier about not having a budget for something. Right.
AJ:57:57
And let's use the example that you just used, which is network segmentation, right. Is a huge foundational security control. Right. Which I'm quite positive out of the total number of companies in the world. 99% of them don't have it.
AJ:58:10
Right. And just like, don't have it in any way or don't have it done properly. Right. Let you know,
Max:58:16
show me a firewall and I'll show you an allow-everything-outbound rule, you know?
AJ:58:22
Well, I mean, look, let's go, let's go back to the, the SolarWinds hack, right? There was only one department in the entirety of the US government that wasn't impacted. Why? They had outbound egress filtering implemented. Right. And so, you know, let's use it as an example though, and just say as a security leader, right.
AJ:58:41
And you joined an organization and you, and you like, wow, we don't have any network segmentation at all. I need to put that project on my project list. Right. Okay. Sure.
AJ:58:52
Are you going and talking to your peers that run the network, right? Are you understanding what project cycles they are at, what they are, their pain points are, what they're attempting to do it because to your point, right. Who knows? Maybe they're spinning up a new network segment for some other project and you can be like, Hey, while you're doing that, can we start spinning up a network segment that I can slowly start migrating things into over time that is going to help with the segmentation? Right.
AJ:59:17
I'll provide the, the architecture, I'll provide the resources. I'll do whatever help you. Right. But can we do this right. And add it in, and you would be surprised to your point, how often you're going to get across the aisle collaboration.
AJ:59:30
Right. But you have to invest the time as a security leader to 1, understand what your needs are. Right. And to go and build that relationship with your peer in the space to help accomplish things that you won't otherwise do. And some people may come out and say, well, that's not fair.
AJ:59:45
Security is the only one that has to do that. I'm like, so. Right. They they're not just to be clear. But the answer that I come back with is, so what?
AJ:59:53
Right.
Max:59:55
Everybody sees the world from their own eyes and their own position. Right? And you made a comment earlier about, like, you know, IT is doesn't they don't own your application. They're there to help you with the application, but it's not like, how many applications did IT actually pick and the history of them in the organization? Right?
Max:01:00:11
Like, the answer is maybe
AJ:01:00:12
Maybe VMware. Maybe.
Max:01:00:14
Maybe VMware, but, like, but they didn't pick what's running on top of VMware. Right? You know? Like, you know, like, VMware is there to to help them make whatever else is there run easier. Right?
Max:01:00:23
And, you know, segmentation. So this is this is a fun one. Okay. Let's let's so segmentation and network upgrades. Triggering events.
Max:01:00:31
Right? We have a new office. We have a new build. We have a new geography. We're going expansion international.
Max:01:00:36
We need to have visibility into our network traffic between 2 different locations. We wanna overlay marketing, some sort of marketing, something on top of this traffic as well. We need to have a segment for guest access, guest Wi-Fi. We wanna track people in our in our retail locations. Right?
Max:01:00:51
Like, there's like, all those examples, if you're not actually talking to the organization and trusted in helping people achieve their business goals, like, you're not gonna find out. But if you knew that the person who runs your retail organization for all of your retail locations across whatever geography is trying to do some marketing initiative where they can track customer traffic through your stores, and you can tack onto that and be like, hey. We can solve that problem. And for free, we can also get all this other stuff as well at the same time. Like, those are phenomenal wins for the organization.
Max:01:01:24
Right?
AJ:01:01:25
I love. Yeah. And look, that's the thing that when you talk about how do you get security initiatives forward, what you just said is the skeleton key, right? Which is go find a business initiative that either won't go through. Right.
AJ:01:01:43
Or will be greatly enhanced or you can hide, hide is the wrong term. Right. Cause it's terrible. It's a, it's a terrible illustration, but you can pair up right to your point and your security requirements with this business initiative and for air quotes, free or very little amount of dollars. Right.
AJ:01:02:01
You can change the security posture. Right. Again, that's absolutely right. A path that you should take. And you talked earlier in the show about ROI, right.
AJ:01:02:10
Which is just like, that is a great way to show ROI. Right. And it's, it's hard to do. Right. But if you can go find that initiative and if you can spend the time again, you hear everyone always talk about, talk more like a business leader, learn the business, learn this.
AJ:01:02:26
Right. And I remember as a young security executive being like, what are they talking about? Right. Like, w like what am I supposed to be doing here? Right.
AJ:01:02:34
And, and understand it and really that's it, which is go and find the business objectives, go and find the each departmental level. Right. What are the what's the COO of that department trying to accomplish? Right. And to your point, within the last decade, financial services organization, we were doing a contract with Goldman Sachs.
AJ:01:02:53
Right. And that particular, leader of that unit, that COO right. Needed me and my team to get that contract through. Right. And what did I do?
AJ:01:03:05
Right. Is to your point, you pair up, you deliver with them. Right. You use that as a proof of concept. I implemented certain things with his business unit as a proof of concept to show that they worked.
AJ:01:03:16
Right. And then the very next cycle you go back to your board and you say, look, I did all these things with this business unit and it only cost us X amount of dollars because they leaned in. Right. And now the board's like, oh, cool. You can do it.
AJ:01:03:26
Right. And by the way, you are now creating an environment of competition where all the other people, right. Don't want to look crappy compared to the new guy who just bumped all of his security level up. Right. And they may not want to invest the effort to be first, but they damn sure don't want to be last.
AJ:01:03:41
Right. So if they're coming into those next risk meetings, they're going to be like, oh yeah, we went and talked to AJ about that thing on security. Right. And we're working on all these other things too now. Right.
AJ:01:03:51
Just, and so you can play with a little bit of some of the elements of human psychology there.
Max:01:03:55
I find a lot of people go after this and they do it from like a share shift approach. You know? It comes from, like, a human resourcing standpoint. I mean, a good example is, like, oh, we've got 500 firewalls deployed. Like, what's our you know, the big ones you go into is our capex cycle on those firewalls.
Max:01:04:11
What's our annual opex and support on those firewalls? But then you say, okay. What's our our patching and firmware update process on those firewalls? You have 500 firewalls. How often do you touch them?
Max:01:04:20
How do you get people on-site? It's crazy because even in an organization running that, when you started asking those questions, not all the times will have hard answers for you. And they're like, well, we don't know. It's like, well, how long does it take you to deploy a firmware update across all 500 boxes in your fleet? Right?
Max:01:04:33
We're like, oh, I don't know. Let's go talk about it. And then you say, what's your change management control process? Right? Like, how do you get this approved?
Max:01:04:39
Back to
AJ:01:04:39
the Russian nesting doll problem, my friend.
Max:01:04:41
Uh-huh. Exactly. And then you could say, okay. Great. Well, you know, like, do you wanna get out of this business?
Max:01:04:46
And do you wanna invest in something else that, like, kinda takes you forward? You focus on offensive security. And I look at this, I think, a lot broader than you do. Right. Cause I have to be,
AJ:01:04:56
well, let's, let's just be clear too, just for clarification. So I have an offensive security team, right. But we have a blue team and a red team. So, okay.
Max:01:05:04
You should define those, like what that actually means.
AJ:01:05:07
I'm sorry. Like for the show.
Max:01:05:08
Yeah. Sorry.
AJ:01:05:09
My bad. I missed that question. Great, great point. So blue team and red team and, and look, you know, the thing I would say, it's funny. Cause I'm a bit pedantic right on our, offensive security side and our team is called offensive security operations, right?
AJ:01:05:22
Or OSO for short. Cause a lot of us are military, from a military background. Right. But right. Red teaming is also
AJ:01:05:31
a subcategory of offensive security, right? So people can get oftentimes confused about the differences between red team and red teaming. Right. And, and what they exist for. So in layman's terms, blue is.
AJ:01:05:45
Red is offense, right? So if you think about this in the football world, your red team is supposed to be your scout team, right? That comes up against the varsity team and makes them better. Right? They're the ones that are supposed to be going out and studying the plays, running the plays.
AJ:01:06:01
Right. And testing and preparing the blue team for the game. Right. The game of security that happens every single day. Right.
AJ:01:06:08
So your, your red team is the ones that are coming out. Your is coming out and performing your penetration testing, your physical security, right? They're looking at application security, right? They're doing things like SAST, you know, static code analysis, dynamic code analysis, all those things.
AJ:01:06:23
And your blue team is effectively your defensive organization that is saying we're doing the monitoring, we're doing the engineering, we're doing configuration, right? They're doing all of the defensive apparatus, monitoring apparatus, right, within your environment. And I'm going to say this, loudly and proudly, the red team only exists to make the blue team better. Right. Period dot.
AJ:01:06:42
And if you think that your job as a red teamer is different, right. You're wrong. Right. And I will die on that hill. Right.
AJ:01:06:50
So. When it comes down to, in, in red versus blue, right. And how you go about interacting between those 2 and the things that you find and, and, and the work that you do, it's, it's critically important to have a good relationship between the 2 and have a symbiotic relationship between, you know, red and blue, which is, when you talk about how hard it is to, to, to move the dial, in my opinion, that's, that's a little bit of the secret, right.
AJ:01:07:16
Is, is using the red team. That's why for, for all of our customers, right. At a base level, we loop in, you know, 40 hours a year of offensive security, which is just like, you can use this on whatever you want, but we're going to make you use it. You're going to pay for it. Right.
AJ:01:07:29
You're already paying for it already. And you start using those things to get people to highlight and understand. Right. Security. I think that the average person would be scared if you went and did a physical security evaluation of their house.
AJ:01:07:43
Right. There's a lot of people that sit there and they have this false sense of security about their house. Right. They're just like, oh yeah, I got a great deadbolt on my door. And it's like 90% of doors.
AJ:01:07:51
I can one kick through.
Max:01:07:52
Right. Yeah. You have a good deadbolt, but you've got a three-quarter-inch screw into your door frame. You know, if you, if you didn't put in a 3-inch. Yeah, I'm with you.
Max:01:08:03
I get
AJ:01:08:03
even then. Right. Where you've got a half inch of a 2 by 4 that's holding, you know, the deadbolt right. In, in, into the wall and some plywood that's on top or some sheetrock that's on top of it. Right.
AJ:01:08:12
So it just comes down to there's this, the, a false sense of security, right. In, in a lot of places and people don't know how to react. So I lost a little bit of the train of thought there because you asked me to define red and blue.
Max:01:08:24
So now what I wanted to get to with this was, there becomes like a, I think, an expectation in the standards and, like, people just conform to these expectations and standards. So at this point, for the most part, people understand that they should have identity. They should have MFA. They should have an EDR. I don't think a lot of people understand if they should have a SIEM, what the SIEM does for them, what threat intelligence does for them, like, how they do the rest of this stuff.
Max:01:08:46
Right? And the conversation I've started having a lot with and it's it's like EDR versus SWG. You know? SWG and RBI. Right?
Max:01:08:56
And and how do you fit like, if you if you could budget for only one of them, this here's a hypothetical. AJ, you could have an SWG with RBI, or you could have an EDR in your organization. You know? So this becomes, I think, a lot of the fund you know, like, I've noticed this challenge in a lot of places. It's like, how do you you know, it's like, okay.
Max:01:09:16
I get what an SWG does, a secure web gateway. Right? I get what an SWG does. I get what, you know, browser inspection does and being able to upload a payload. You know, I wanna have micro segmentation or I wanna have, you know, zero trust network access.
Max:01:09:28
I wanna have, you know, ZTNA deployed. You know, I want CASB. I want, you know, DLP. Like, by the way, everything I just described kinda gets wrapped up into this, like, SASE kind of platform and SSE platform. You know?
Max:01:09:38
So you could turn a lot of these things. Well, a lot of these providers now, you can, like, select which tools you're turning on, which is nice. So that's getting nice. But when you're talking about this with an organization, you say, okay. As I'm going through this journey now of trying to modernize an organization, and we've gone after and we've tackled identity to a reasonable stand you know, level, and we've gone after and we've we've got MFA to a reasonable level.
Max:01:09:59
Like everybody has some form of MFA running. Like what what's next and why?
AJ:01:10:04
And there's lots of different approaches that you can come through there. Right. And I think, unfortunately, in the non-SMB world, right. You're not going to have a choice. EDR is going to be mandated to you by insurance policy.
AJ:01:10:19
Right. You know, it's interesting that I was at RSA earlier this year. Right. And was having conversations you know, with Mandiant and was actually talking to one of the CTI leads at Mandiant. And you look at things like, Google's enterprise browser, right.
AJ:01:10:34
And Google and Mandiant as a whole, they've, they've literally taken all of their applications. So, you know, Microsoft or Google now has this fully embedded Android operating system right inside of Chrome. And Mandiant has taken and converted all of their applications into browser based applications that, that, that run on the Android OS inside of Chrome. And so a little bit of my, my conversation comes back to saying things like, well, it's a consultant answer of it depends right on where you're at in other spaces in your journey. Right.
AJ:01:11:03
Cause I would come back to you and be like, Hey, great. You have MFA deployed, but to our earlier conversation, what does your identity look like? Right. Have you hardened it? Right.
AJ:01:11:11
Your Active Directory environment, right? Have you hardened your endpoint environment? Have you removed the local administrator from your endpoints? Right. To me before I go and engage with anything that is going to require, I would say additional spend or expertise or learning new platforms.
AJ:01:11:29
I'm going to go back and look at the foundational controls that exist in your environment, right? Do you have asset? Do you have asset management in place? Right.
Max:01:11:38
Probably not. Probably not. Probably
AJ:01:11:40
not. Right. Which is just like, and people don't understand why, why, why is asset management number 1? Right? Like it's been the CIS number 1 for as long as I can remember.
AJ:01:11:51
I think since CIS has come out
Max:01:11:53
and it's the least invested, nobody wants to buy it. It's not sexy.
AJ:01:11:56
It's not, but it's like, what? Like, look, we have this challenge all the time where people are like, well, I want AI. Right. I want automation in my SecOps. Cool.
AJ:01:12:04
You're not getting that at all, unless you have asset management in place, right? Like period dot you're not getting your you, you shouldn't have a proper automation in place because how am I supposed to action on things that I don't know exist? What their context is, who owns them? How can I set up rules around those things? Right.
AJ:01:12:21
Any of those things. And so that's what I would be going back with is to, to your point. What if you went and looked at what is the vast, the vast majority of causes of these larger hacks throughout the world? Right. To your point, identity is one of them.
AJ:01:12:37
Right. Even the, the, the, the last, the storm issue with Microsoft. Right. Oh, sorry. It was the development account we forgot about that didn't have MFA
Max:01:12:47
on it. Right? That stuff is so frustrating to me because you're like it's always such low hanging fruit, it seems. You know? At the end of the day, it comes it's, like, such low hanging fruit.
Max:01:12:56
And there's this perception of, like, hackers being this, like, really organized targeted thing. And you're like you're like, no. Take a device, plug it on the Internet, turn it on, and and and just wait. And it it's gonna get like, it's just blah, blah, blah. You know?
AJ:01:13:12
So let's use that for a second because I don't think that the, you know, the average person understands that. Right. And I'll harken an incident, a real life incident that happened. Right. And I want to say in 2019, we were doing firewall work, in an organization.
AJ:01:13:27
We were troubleshooting a particular issue with email. We were trying to understand we were going through an Office 365 migration at the time. Right. And we were trying to understand why there was an issue. Right.
AJ:01:13:36
And why email flow was being interrupted. And we had a very skilled, but also. Arrogant consultant, right. Working on that particular effort. And there's probably 15 people right.
AJ:01:13:49
On a call and we're working through it. He's like, well, I'm gonna, I'm gonna go ahead and remove some of these ACLs. Right. Or access control list rules in the firewall. And we're like, he tells us which one he's going to remove.
AJ:01:13:59
And we're like, okay, well you can, you know, you can pause those temporarily or comment them out. Right. And we're going through it and, you know, things are working now. Literally we're scrolling. Right.
AJ:01:14:11
I'm I'm not hands on keyboard at this point. I'm in a leadership role and we're watching through it. I'm like, hold on, hold on. Right. Like I just saw TCP/IP any/any in that, in that config, what's going on.
AJ:01:14:21
Right. And this individual had done a TCP/IP any on the external interface and had left it open for 47 minutes. Right. Understand in that 47 minutes, right. That there were 7 to 8 machines that were already in the process of they had been hit from a scanner.
AJ:01:14:40
They had been identified as, as, as vulnerable. Right. And they had started having malware installed on them. Right. So to your point, you go and look at some of these, you know, the Twitter feeds of people that, that run honeypots professionally, right.
AJ:01:14:53
As part of their business. And they that's what they do. Right. They literally take an unpatched machine and they plug it into the internet. That's it.
AJ:01:15:00
Right. And to your point, there are a legion of automations out there that are just looking for open vulnerabilities, right. To say, Hey, let's go.
Max:01:15:09
Dwell time used to be north of 200 days. Now we see dwell time. I mean, like, I don't know what stat's scarier to me, actually. I don't know if a dwell time, you know, of almost a year nor you know, or north of a year is scary versus a dwell time of, like, you know, 2 weeks. And, you know, because, like, the idea of, like, somebody being on a network for a year before, you know, they're found compromised, you know, event happens, or that, you know, dwell time has gotten so short because they've gotten so good at just going in and said, the heck with it.
Max:01:15:40
We're we're on the network. We sold credentials. We've we've moved it on to somebody else and they've taken, they've launched, they've done something. Like, it's both equally terrifying, you know? And and in reading those stats, somebody it was a joke I read recently in a meme, and it was like, every network is beaconing something to Nigeria or China.
Max:01:15:56
You know, like, take your pick. Right? And it's like asset management. I'm just thinking about asset manager stories. The one that did it for me for the asset management, that made me I mean, like, really made me a believer in asset management.
Max:01:16:07
I'm not successful at getting everybody to use it, but, like, made me a believer was Log4j. And I had one organization and there were 2 things actually this organization went through. The first one was Log4j and, like, the reality of, like, Log4j was literally running everywhere. Like, they had no idea that they were running Log4j. Like, Log4j is in everything on their network.
Max:01:16:27
And then every time they think they patch Log4j, then it became like, oh, nope. That was exploitable too, and that's still exploitable. And there was, like, this whack a mole going on, but at least they knew where it was. Like, they they I mean, it was a crazy process for them, and it was a nightmare for them, but they knew where it was. That same organization went through fun with the CircleCI, you know, which is another one that I just will rant about to the end of the universe.
Max:01:16:49
God bless whoever was their customer that noticed, you know, credentials being misused and actually notified them that by the way, you've been compromised. We've traced it to you. They never disclosed it. So I don't, I don't know if I can say it.
AJ:01:17:04
Yeah. Fair, fair enough. So I do want to go back and answer your answer from question. Cause I've been kind of chewing on it. We, we said asset management, right?
AJ:01:17:10
What's number 1. But if I was going to say, what's the first immediate thing that has the most impact from a risk perspective, I would absolutely go and do what you said, which is a user access review, right? Which is sure you've already applied MFA, but but let's implement a process for a regular user access review. I would recommend people do it quarterly at a minimum, right.
AJ:01:17:31
Where you're auditing your joiner, your mover, your leaver processes. Right. And you're making sure that people are not over provisioned in their security space, that there's not an active account of someone who's been terminated, you know any of those things. Right. And then number 2 for me would probably be if you have any sort of directory in place, like go hard in that directory, right.
AJ:01:17:51
Go spend the time to invest. Like if you have an enterprise agreement with Microsoft, they have some great services that are out there that you can do, you know, Active Directory. I can't remember what it's called. But it's as a service. Right.
AJ:01:18:01
And I think the first time that I, that I used it with Microsoft, we got like a 92 page remediation report right. Of, Hey, go, go, go, go implement all these things and just you're laughing. Yeah. And, and, and just to be clear, it was 18 months, right, of every single weekend, right, making changes just to get rid of the criticals. Right?
Max:01:18:24
I'm laughing because the I mean, this is like the whole thing of, like, oh, we're running 3 we're we're on we're on the cloud. We're secure. And it's like, no. No. You're not.
Max:01:18:31
And, like, hey. We're a professional organization, and we have a 92 page remediation report from the vendor that everybody else is using with the same issues that, like, it's just at, like, every company you're like probably got a 92 page remediation process on your active directory at this point. You know?
AJ:01:18:45
Like Yeah. And, you know, saying that I would say brought something up that I think is is really important in the SMB space. And that is if you're an SMB owner, right. That maybe understands technology in some way or plays in the technology market space marketplace, understand that there are a ton of open source community tools that are out there that you can use to harden your network. Right.
AJ:01:19:09
So let's just, let's just use directory services as an example, right? PingCastle's recently in the news because they got acquired. Right. You can go out today and download a community version of PingCastle, even if you are not a technologist, right? Like even if you're not a hands on keyboard, you can figure out how to download and run that and point that, and you can get a report inside of an hour, right.
AJ:01:19:30
That will cost you $0 and it will tell you 90% of the things. Right. Just as an example, and this is a complete tangent, but it's like, how many of you have reset your krbtgt token in the last 5 years?
Max:01:19:43
How many people even know what that means?
AJ:01:19:45
Right. Agree. Right. But, but that's my point. But like PingCastle will go out and run a report for you and be like, Hey, you should do this thing.
AJ:01:19:52
And oh, by the way, Microsoft actually recommends you do that every quarter. Right. And there's lots of downstream impacts, but my point being, look, there's community versions of BloodHound. There's community versions of PingCastle, right? There's community versions of raptor, right?
AJ:01:20:03
There's all kinds of community versions. Out there that you can use if you don't have the budget. So keep that in mind.
Max:01:20:09
And this is this is why, I mean, look, I came from IT consulting. I went in house. I, I owned a service provider. Right. Like, I've been around the horn on this one a couple of times, And this is why it's become my, like, underlying, like, you should be engaging service providers for a lot of these things because, like, you're I'm sorry.
Max:01:20:27
Your your your team is being crushed right now just trying to keep the lights on, and there's no way that you're, like
AJ:01:20:34
Other duties as assigned.
Max:01:20:35
Yeah. No. I mean, like, I love it. Like, oh, we download installer installed Snort, and it's like, how long did you run it before you turned off the email alerts? 25 minutes, you know, or, like, whatever it was.
Max:01:20:45
And you know my favorite actual Trojan horse? You you you triggered this for me. HRIS systems. So if your company like, here's a here's a free tidbit of information. Right?
Max:01:20:55
If your company at some you get to a certain size or you're already that size and you're going backwards. Right? But Workday, Rippling, like, I don't care what it is that you're implementing. But if you're implementing an HRIS system, that is, like, literally just the opportunity of a lifetime to go tackle an identity project inside the organization because the deliverable to the business is, hey, HR team and business leaders. You can now onboard and offboard on your own without talking to us as an IT organization.
Max:01:21:31
No ticket creation. No follow ups. No emails. You could do it all inside the HRIS platform, and that's what our promise is to you. And and in exchange, like, we just have to do x, y, and z, which is gonna take us some time.
Max:01:21:42
And you know what happens?
AJ:01:21:43
Yeah. Don't even mention security. Right? You just say it's
Max:01:21:47
No. No. No. No. There there is no conversation about security.
Max:01:21:51
The conversation is is, hey, HR team. Do you wanna never talk to IT again when you have to onboard or offboard a person from the organization? And, by the way, you talk about churn based on organization size. Like, organizations just churn a certain percent, like, like, like, monthly. Like, it's just a normal thing.
Max:01:22:09
Like, you know, you get to, you know, a 1000 employees. Like, you're you've you've just got people coming and going every all the time. Right? And now if you say, hey. You know, CRO, like, you can hire salespeople without talking to us.
Max:01:22:20
They're like, oh, shoot, man. We want that. Right? I'm not saying, like, to be, like, totally subversive about it because everybody gets what they want. You know, everybody else gets the ability to not talk to IT to do something.
Max:01:22:29
And IT, guess what? You're gonna get a strong identity platform out of this exchange with some version of SAML, some version of SSO, and, you know, and and maybe, you know, like not YubiKey or Titan Key or whatever, but you'll probably end up with a good MFA platform in the process as well. I don't know
AJ:01:22:45
if you've seen that commercial or the it's not a commercial, but it's like, I think it's a TikTok or something where, like, a person's feeding a blind dog. Right. And they hold steak in front of its face. Right. And they're like, oh yeah.
AJ:01:22:56
And then it puts broccoli in its mouth. Right. And after about 3 or 4 attempts, the dog was like, wait a minute, this isn't freaking steak. Right. And so to your point, weaving in those things, like, is like weaving in your vegetables right into your meal, but the vegetables still taste like steak because you get what you want.
AJ:01:23:10
Right. So. Solid approach.
Max:01:23:13
There's endless amounts of these things. Like I'm not a, I'm not a, like a RTO work from home. Like, I I that's such an organizational specific thing, and and, like, I've I've got opinions on companies that are forcing RTOs of, like, what the underlying purpose is, AKA quiet layoffs. But, again, you know, you've got an organizational desire to be like, oh, you know, is Max actually working when he's at home? You know, like, with the Wall Street Journal is finally talking about mouse jigglers.
Max:01:23:41
You know? Like like
AJ:01:23:45
You can strike this part, Max. Okay? There's a freaking mouse jiggler right there, buddy. Like, security professionals use this stuff all the time. I think I have 3 of them in my room.
AJ:01:23:53
Right?
Max:01:23:54
Man. I'm gonna laugh about this for the rest of the day, but, I mean, it's but but that's the thing. I mean, I think this is where I don't know. I'm gonna come back to this because we've talked about this a few times right now where it's like, it's there's so much opportunity within security within IT and security to get like, it's funny. Security.
Max:01:24:11
You want a better security posture for the organization to make this organization more secure. And, like, this you you kinda have to, like you know, it's like, can you, like, frogger it a little bit across the road in order to get where you need to get. You know?
AJ:01:24:22
So it's almost like that guy with a fishing pole in the dollar. You gotta be faster than that. You gotta be faster than that. You know?
Max:01:24:27
I was thinking if there was anything else I wanted to cover and talk on. Just as an aside, without saying names, companies, if you're ever going to a tech conference and you have a booth at the tech conference, please learn the lesson that companies are having to relearn and think about what your marketing team is putting in the booth. I'm just gonna stop it there. I'm not gonna say anything more. I'm just gonna say, please just consider
AJ:01:24:52
In the booth at after hours events.
Max:01:24:55
Just the whole thing. Just, you know, because
AJ:01:24:59
At the dance squads in the street.
Max:01:25:01
Just just know it's not a good idea at this point in life. Like, just please please please please please.
AJ:01:25:07
Yeah. Agreed.
Max:01:25:08
AJ, thank you very much for the time. Really appreciate it.
AJ:01:25:11
Yeah. Thanks, Max. It was great. Talk soon.
Max:01:25:13
Talk to you. Bye.