Ever feel overwhelmed by the complexities of cybersecurity? You're not alone! In our latest podcast, Elia Cohen from AT&T Cybersecurity shares invaluable insights on how to improve your cybersecurity posture without breaking the bank. Whether you're a small business owner or run a large enterprise, there are simple and effective steps you can take to protect yourself and your business from online threats. So, where do you start, and what can be done to make a significant impact? Listen in to find out!
Max:00:08
I just finished recording a podcast with Elliot Cohen, who is a director of cybersecurity sales for AT and T Cybersecurity. That's a mouthful. And I love talking with Elliot, you know, just in terms of the breadth of what he sees within the AT and T cybersecurity umbrella of, you know, everything from really small SMBs to the largest businesses on the planet and, you know, state and local governments, federal government, etcetera. I mean, just everything across every segment they have exposure to. And the conversation gets and cybersecurity can get depressing very quickly.
Max:00:39
And just this sensation of not knowing where to start and not knowing how to help and just, you know, overwhelming it can be. And reflecting on this chat was it's actually always is very positive in terms of there's so many things that can be done that don't cost a lot of money that can radically improve your cybersecurity posture and the continuity and defense of your business. And this isn't as overwhelming as it needs to be. I mean, there are people and programs and systems and availability out there in place that can help you go through the steps of where are you now, and where do you need to be, and how do we help you get there, and how do we make measurable, massive impacts in the protection of your business. And this is a conversation I enjoy having, you know, with our customers and with new companies all the time about, you know, here's easy things that you can do that'll improve your users' experience, improve your IT team's experience, and improve your business experience. We actually avoided a lot of acronyms. We don't need to talk about cybersecurity and acronyms.
Max:01:40
I don't need to, you know, pound you with all these initials that mean absolutely nothing to you, but really more about outcomes. And the outcome really is how do you keep your business running and how do you protect and defend your company? And the unfortunate reality of cybersecurity and risk to your business at this point is if you are connected to the Internet, you are a target and you are a potential victim. What you do with that information is completely up to you. My advice to you is to defend yourself and protect your business. And Elia actually uses some very interesting analogies on how to think about this and what the mental exercises and applying different technologies and layers of technologies on this. But the big takeaway, you know, and what I want to impress is, if you have nothing, it is okay. Let's get started on the journey and start improving your posture. And the sooner you do it, the better off you're gonna be. I hope you enjoy the conversation.
Max:02:30
It's always a pleasure for me to chat with Elliot. He's a fantastic resource, and AT and T cybersecurity is doing fantastic things for their customers. I'm Max Clark. This is an IT broker deep dive. Today I have Eli Cohen who is senior director of sales for AT and T Security.
Max:02:46
Now, it's important to notice this, this is not AT and T. This is AT and T Security Division. We'll talk about that in more detail, but I think one of the first notes that we get out of people a lot is AT and T is this horrible company that doesn't install fiber properly. And why would I use them for security? And we'll get into that, although AT and T installs fiber just fine.
Max:03:06
So, Elliot, thanks for joining and I've been looking forward to this a little for a while. I've got some notes to try to keep me organized but we're gonna go off the rails probably immediately. So but let's talk about your AT and T's customer focus. Big big phone company, been around for a few years, I have a few employees, have a few customers, but also a pretty big range of of customers by segment, which which makes this a very interesting animal. And I'm curious if you could talk a little bit about how you segment who your customers are, and what that really means within the AT and T cybersecurity teams.
Elliot:03:41
Yeah. So, you're absolutely right. I mean, AT and T is more of a conglomerate, has a lot of different things that it does. And I'm a part of the cybersecurity division. So, really, our focus is cybersecurity exclusively.
Elliot:03:52
So, we do collaborate with other teams internally to make sure that customers have the right experience, but our focus is cybersecurity. So, in terms of customers, how we segment, there's the typical small business, midsize, enterprise, and then all of the public sector across SLED and federal. Those are kind of the general classifications of customers. And we have solutions that span across every single one of those types of businesses. So it's a pretty exciting time to be here just because our focus is really to leverage some best of breed technologies in the industry and then wrap services and consulting experiences to give customers right outcomes when using cybersecurity technologies.
Max:04:40
I've read, I think, only a 1,000 different definitions of what SMB versus mid market is. I would love it if somebody was like, this is the definitive, like how you define these. How does AT and T cybersecurity define SMB to mid market to enterprise? Like, what are your is it revenue? Is it employee count?
Max:04:56
Is it I mean, what's what's the lines?
Elliot:04:58
Yeah. I mean, that's a tough one. Because I think even internally, we have a few different definitions of it. And then all of our partners like you, have your own classification of it. And so I would say that at the heart, there's really 2 metrics that that are being utilized internally.
Elliot:05:15
1 is, billed revenue with AT and T. The other one is, is your more traditional, kind of less than 20 or 50, users or, employees, that's gonna be considered more on the small side. And then mids, I'd say probably up to maybe 1,000, maybe 1,500, 2,000, employees. And then we start to tick into maybe midenterprise after that and, and go beyond from there.
Max:05:41
I've been kicking around a new way of defining this, which is, are you on an enterprise license for Office 365 or Google Workspace? And if you are, then you're enterprise. And if you're not, then you're not.
Elliot:05:48
Yeah. I'm sure there's a user classification that aligns to that. But, yes, that's probably very fair.
Max:05:56
I mean, you're forced in the enterprise at 300 anyways. So, I mean, at some point, it gets like that. Now you're mid market. You have over 300 employees or you've hit the bullet and you've switched to E3, E5 and okay. Great.
Max:06:07
You know you know, get access to the fun stuff. This is one that that's always I don't wanna say, like, surprised or impressed me, but, you know, with with the amount of SMB business that AT and T has, you have cybersecurity solutions that really address SMB. And this has been this is a pretty big challenge for us when we're when we're dealing with the medium to small businesses and, you know, and people that have, you know, high end needs at those sizes and really what what tooling and what solutions are available to it. So how do you think about this? And how do you approach it?
Max:06:37
And how is AT and T really kind of tackled, like, the the low end of the customer market?
Elliot:06:41
Yeah. I mean, I think, your prime example of, bringing customers that have exactly that definition. Feel like this is a leading question. I've I've seen over the years that, you've you've brought customers that are kind of more in a startup mode. They're they're defining their business, they're maturing, and they're rapidly scaling.
Elliot:07:03
And so they have, demands, maturity cybersecurity maturity requirements that are being demanded upon them by their customers, their, future business directions. You have to be able to figure out how to scale that. And so, one of the benefits that AT and T has is the size of AT and T. And that's sometimes daunting for customers or partners or anybody else, but it's also a pretty big advantage because that size, that scale allows us to have some pretty powerful, volume purchasing. And with that, we're able to get really, really good priced products with services to customers that would otherwise not be able to afford them and probably forego the cybersecurity controls.
Elliot:07:42
So I'd say that that's probably one of the biggest advantages that we have as a large organization in serving smaller customers is just the buying power and then the ability to create, repeatable services, for smaller businesses. And I'll give you a couple examples. We're able to, you know, not many people can sell a single license of SentinelOne. Extremely small business that's maybe working from home and has a single computer there. And we also have network security solutions that start at $15 and maybe go up, on the lower end, maybe $100 a month.
Elliot:08:12
So security can be affordable for just about anybody. But then as the business starts to mature and, increase in, capabilities and demands, then we can scale up the services to things that align a little bit more to, their future needs.
Max:08:26
And we've talked about this a lot, but there's a few different, like, sizing checkpoints where you kind of get into where solutions make sense. And, you know, SentinelOne at a dollar, sorry, SentinelOne at a dollar, that'd be amazing, sign me up. I mean, a single seat SentinelOne is fantastic, right? But, you know, when you start talking about, you know, 25 seat minimums, you've got interesting solutions of 50 seat minimums, 100 seat minimums, you know, getting to some enterprise platforms where it's like a 1,000 seat makes sense. And, you know, a 1,000 seat enterprise is of course dealing with very different things than a 50 seat, you know, SMB. That's also always interesting for me, just changing gears and thinking about it in terms of, like, okay, here's the kitchen sink, you know, we could throw everything at the problem, but, you know, at this size it doesn't really make sense yet. I want to start here. And this is not organized. It's just, I want, you know, discussion here topic. What is driving cybersecurity across these segments and what are you seeing?
Max:09:23
And as you're talking to companies, what actually is driving this? And what I've experienced with it is, in traditional IT purchases, you know, people like to talk about TCO and ROI and attaching some sort of, you know, productivity metric or, you know, cost savings or efficiency or these things around it. And that doesn't line up exactly in the cybersecurity world. Right? You're talking about a different outcome or a different approach. And, you know, from an SMB space, you know, there's not a lot of SMBs are really running out and looking to invest in cybersecurity because maybe they just don't perceive the necessity for it. Enterprises, of course, you deal with different issues. And I'm curious what your thoughts on this and what you're really seeing out there in terms of actually driving this conversation and driving the purchasing decision.
Elliot:10:12
I mean, I there there's so many drivers out there for it. And I I think you're spot on that ROI is definitely not the the appropriate metric here. But on the the really small business side, I'll give you an example. So, an accountant that has a bunch of local businesses that they're, and, individuals that they're doing tax work for. They came to us post breach because they got compromised.
Elliot:10:40
They got hit with ransomware. They they did click that link, and I think it was just a husband and wife duo that was, running that business. But they were dealing with individuals within the community. They were dealing with local, businesses that were, kind of larger for the size of their firm, their accounting firm. They, as a result of this incident, had to go back and apologize to all of their customers, fall on their sword, and indicate that their data has been, jeopardized.
Elliot:11:13
And that there's really not a whole lot that they can do about it now. And the only thing that they could do now in hindsight is put the right controls in place and start to take security seriously. On the small end, when there isn't necessarily a forced driver like that, where maybe maybe they're midsized customers that are, getting accounting services from them, they probably had to have, and should have had better supplier management, requirements for, whoever's doing, accounting work or privilege and has privileged information, to ensure that they're doing business with the right type of business versus mom and pop shop that doesn't really even know how to spell security. But then with this particular small business, they probably started to see a downtick. They ended up paying the ransom.
Elliot:11:58
They they asked to split that ransom because it impacted the other business and they couldn't afford it on their own. I mean, that's a bad place to be. And so, after that, you know, they bought some security controls. They bought, different types of solutions for, protecting their data and their their business. But they're not gonna get back to the same type of, market share with those, past customers.
Elliot:12:20
So it only takes one of those instances to realize the impact, to you and to your business, to take security a little bit more seriously. The other part is, you know, if people are out at the the golf club or dinner or some sort of a community event, and they're hearing these stories from their fellow, you know, businesses that they're collaborating with and they hear that story, they're gonna wonder like, hey, this might happen to me too. And maybe I should also do this before, an incident actually takes place.
Max:12:49
I'd say so a lot, by the way. That firm, and I've I've seen this and I'm sure you've seen this as well. They had an experience that has driven them into understanding and investing in cybersecurity to prevent that from happening again in the future. But if you'd gone to them a month earlier and said you should really do some things here to improve yourself and and have a better, you know, cybersecurity posture, they might have said we're not, you know, we don't need it. We're not at risk.
Max:13:16
We're not a target. Nobody wants what we have. This isn't gonna happen to us. I mean, there's a certain you know, I don't know what the right expression is, but there's a certain disbelief of of the reality of of the world. And now, of course, they say, okay.
Max:13:27
Look. We've had this experience, and we need it. We've gone through this horrible event. But how do you what do you tell the people that are on the other side of this? They're still in the, like, oh, we're not a target.
Max:13:35
We don't have anything that people want. And, you know, we don't have to do anything here. Like, it's not important to us.
Elliot:13:40
I mean, there's not a whole lot you can do about it. If somebody doesn't wanna invest in, take security seriously, then sometimes you just, leave them be. Give them some time to, to observe the market. Share with them information as things come up and as new new ways of securing a business change, be ready, be there for them, and await that phone call. I think that's the only thing you can do.
Elliot:14:05
On the flip side, considering all the different things that you do for helping businesses, you do have the ability to look at maybe other things they're doing, other things they're spending on. Maybe help them just reshuffle some things around with the intent of just doing the right thing, which is putting a few security controls in place.
Max:14:23
I've been, I mean, for years I've wondered about this in terms of what becomes the driving factor, you know, and for a long time I kind of thought that insurance would be the driving factor, you know, is investing in security, you know, equivalent to buying insurance. It doesn't really parallel that way because, of course, insurance is designed to pay you after something bad happens to you. And cybersecurity is designed to prevent something bad from happening to you. Right? Like, it's a different type of, you know, investment.
Max:14:51
I was expecting cyber, you know, insurance policies to really drive, you know, cyber insurance uptick, but that doesn't seem to really be the driver. You know, I'm seeing insurance carriers exiting it or actually creating more exclusions. Nation state, you know, sponsored hacking is just excluded from most policies at this point. And they decided it was a nation state actor. Like, you're just, there's no insurance. Sorry. I'm seeing customers mandated in supply chain, you know, with supply chain controls. And that's actually been really impressive, but that doesn't feel like it's coming from, like, individuals, you know, which accounting firm.
Max:15:22
Like, you know, if I'm selecting an accounting firm or my neighbor is, I don't think they're they're asking their accounting firms what their security controls are, compliances are. It really feels like it's big businesses pushing us down to smaller businesses in terms of what their security controls are. So now I'm now I just wonder if this is more a reflection of scar tissue. So is a phrase I use. Like, there needs to be, you know, enough horrible stories of people basically either completely going out of business or almost going out of business or going through this, you know, and coming out on the other side before this becomes widespread and just a an understanding that this is now a cost of doing business.
Max:15:53
You're connected to the Internet. You need to have this in place.
Elliot:15:55
Yeah. I mean, I had, a customer that they were 2 brothers that built up this business to do, custom, printing, t shirts and things of that sort. And they had a really nice sized business, but they hadn't done anything for security. And, they went through, they got hit with ransomware, and they decided to forgo paying the ransom and just really beef up their security controls. They spent about a month down without the ability to actually, do anything and make revenue past the contracts that they were trying to fulfill didn't get fulfilled, so they had angry customers to deal with.
Elliot:16:35
Quote from the brother who was the, CEO of the company, pretty much told me that was the worst experience of his life, and he will do whatever it takes to never ever have to go experience that again. But I think to your now your question about, is this is this insurance, I mean, if you start to think of, like, the the structure that you ultimately get to with insurance, let's just say fire insurance, you have your, your building has to be built soundly, with, proper, defensible space around the house, around the the structures. You have to have your fireproof doors. You have to have your fire alarms, your smoke detectors, all these different things to then be able to get to maybe having even a phone to be able to call the fire department. And eventually, when all that stuff has an impact, negatively impacts, you as the homeowner, then you actually get to take advantage of your insurance.
Elliot:17:31
So cybersecurity is really all that stuff that comes prior to the insurance to make sure that you're not having bodily harm. You're reducing the likelihood and the quantity of, lost property. It's it's really all of that and the the response that comes with it. That's the way that I like to to kind of look at it.
Max:17:50
I think it's a great analogy and a great way of phrasing it. Ransomware. Let's stick around ransomware for a moment. You know? A printing company ransomware.
Max:17:56
A small accounting firm ransomware. Big companies ransomware. Right? Like, this is not
Elliot:18:00
3 here recently, in the last month, 3 big ones.
Max:18:05
So, how does ransomware happen? You know, this is, you know, for the purpose of the conversation, like, where does it come from? How does it happen? You know, what's a ransomware attack look like? You know, walk us through the life cycle of it.
Elliot:18:19
I mean, the short of it is a piece of software that has malicious intents that's on the endpoint, that then locks you out of your data. So the how it gets there, there's a number of different ways. It could be a thumb drive that has that malicious software on it to auto load when somebody plugs it into their computer. It could be, somebody going to a website that has a malicious link that they click on or that they, that automatically, launches itself.
Elliot:18:50
It could be a user that is, coerced and tricked into clicking a link or opening an attachment, laptop or desktop or on their mobile device that then uses credentials that are compromised to then move over to the the more physical environment. So there's all these different ways that attackers are utilizing, and they're getting pretty sophisticated in in the how. And I think we saw here with, just recently in one of the breaches where the help desk team was, social engineered, to then, probably just take legitimate software, what they thought was legitimate, what they thought were legitimate actions. But in reality, they just loaded up malicious software that ended up being ransomware.
Max:19:32
The current estimate from MGM that they released was a $100,000,000. So a $100,000,000 was the cost of that, and that was a password reset with I mean, that's just that's depressing. But, okay. So here's the other question, and I wanna hear you say it. What makes you a target for ransomware?
Max:19:46
What is it about your business, your operations, your company that makes you a target and vulnerable to ransomware?
Elliot:19:52
Depends. Everything. Anything and everything. It could be that you're providing all sorts of core capabilities to some, conflict in another world. It could be that you are, a business supplying services to another business that they're trying to target.
Elliot:20:10
It could be that they just know that because you're a small business, you're not gonna take security seriously and you're gonna be an easy target, and they can probably extort 10, 20, $30,000 out of you, in a moment's notice.
Max:20:23
If you're connected to the Internet, you are a target of ransomware. It's basically the answer. Right? I mean, that's that's just a simple thing. Right?
Max:20:29
If you have anything that's connected to the Internet, the only thing that could protect you from ransomware is if you never connect to the Internet and you don't plug in a drive ever and you live in a cave, with no electricity. And then you'll probably be safe from ransomware at this point.
Elliot:20:41
Chances are you probably have somebody that comes visit you every once in a while, and that person will be your source of the breach. So I feel like no matter what, there's still somebody that will somehow, be a part of the experience.
Max:20:56
So, that's a pretty big distinction here, is there's directed attacks. Right? You know, social engineering is usually a directed attack, and then there's non-directed attacks, which is just, you know, we've somehow managed to get you to run a payload, or we've, you know, run a payload on one of your devices. And that can just be you're connected to the internet, we're sending email out, something gets through, we've compromised something somewhere that then you get, you know, attached to because somebody, you know, it's, you know, there's a certain randomness that kind of, I don't wanna say spray and pray, because it's very effective, but it's not directed. I think that's the one thing we should probably clarify here on this one, which is hacking is not necessarily directed activity. It could just be that you were connected to the wrong website at the wrong time and you get hit. Cybersecurity is a mess of acronyms, and it's like every day there's a new acronym that comes out, you know, SWG and RBI and APT and ZTNA and blah blah blah. And, you know, it's like, in conjunction, those are tools.
Max:22:00
Right? Usually, you start talking about tools and techniques to reach some kind of objective and actually we should circle back around on this. But then we start I I think we talk about frameworks and maturity. So cybersecurity as an industry talks about, like, your security, maturity, like, where you are in a framework. And and I really hate that model because it makes no sense.
Max:22:17
Like, you know, well, it makes no sense to me. Like, you know, you should be like a 2 out of a 5 or a 3 out of a 10. And what does that actually mean? NIST has CSF. There's a cyber defense matrix.
Max:22:28
There's a there's a bunch of different, you know, kind of goals with these things in terms of of, like, how how far you are. As you're talking with companies and they say to you, we have nothing. We have something. We have this. We have that.
Max:22:41
And we wanna strengthen our defenses and go up the stack. Like, can you walk me through that conversation and, you know, how you go about, like, sussing out what's already there, what their goals are, how do they achieve it? You know, if they have 0 and they're looking at I mean, what?
Elliot:22:56
Yeah. I mean, I think it starts with just looking at who the customer is. That's that's the very first thing that I'll do is as, somebody that knows doesn't know the business, knows nothing about them, I'll just go to their website and figure out what business they're in. And that usually gives me an indication of, maybe what they may be susceptible to, and, an understanding of what's at stake. Is it data?
Elliot:23:20
Is it intellectual property? Is it patents? Is it who they're servicing? Is it disruption to supply chain or to other businesses that they may be, building parts for? That's the what's at stake.
Elliot:23:33
And, I usually try to, in a conversation, hear the customer share with me what their thoughts are on what's at stake so that we can have a tangible, quantifiable, element of, impact and risk, to the business should something take place. The reality is when you start to look at cybersecurity, cybersecurity is really there for business continuity and disaster recovery. So it's an element of a BCDR plan. They could get hit by, you know, lightning strike, earthquake, whatever. But cybersecurity is just another one of those things that could impact the business.
Elliot:24:12
So I start to think about, and you mentioned a few different frameworks there. The frameworks are there as a best practice of all the different things that you should be doing. There's a lot of controls inside of them. Some are probably gonna be, your your first and foremost and most important things versus, others. So just having some sort of your own personal, scoring of what's important, what will have the most impact, and then starting to cross reference with them, what they have, what they don't have.
Elliot:24:44
And not just technology, but how they're actually utilizing the technology. So, clearly, some sort of, EDR tool is really important. Making sure that, it's being watched and, somebody's paying attention to it. I'd say vulnerability management's probably another one of those that's super, super important these days just because, if you don't know your exposures on a on a pretty regular basis, then somebody else will know your exposures and utilize those against you. So, scanning your network internal, external, all that's really important.
Elliot:25:20
Patching is also just as important because if you don't have a repeatable way to patch, then all of those vulnerabilities will continue to sit there and be, utilized. And then, some sort of network security controls to make sure that, there's a firewall, if there's some sort, just depending on the structure of their network, that there's something there protecting the network, and that it's staying up to date and somebody has configured it appropriately. Countless businesses I've talked to where they tell me, oh yeah, we have a firewall. Well, how have you had it? Well, we had some guy come over maybe 7 years ago and install it.
Elliot:25:58
And I'm like, well, has he been back? And I kind of know the answers when they tell me it's that old, of what's coming next, but I'm just helping, like, helping them realize that you can't just, you know, buy a car and just drive it into the ground. You have to maintain it and you have to, at some point, replace it.
Max:26:21
As a guy who used to work for a company and part of my job was installing firewalls for customers, it is my mission to eradicate all on premise firewalls, because 99.99 percent of all, 999, probably like 7 nines of firewalls have the same policy, which is allow everything out. You know, you're like, okay. Great. You know, I mean, it's just a NAT gateway for the most part.
Elliot:26:38
Oh, quick. Well, well, if
Max:26:39
we have time, we'll come back to that. I wanna you shared something with me about a year ago, 2 years ago, which I'll dub the, LA metrics, which was protect your users, protect your devices, protect your network. Right? It really kind of simplistic way of of approaching this. And I love it if you could dive a little bit deeper into this, you know, kind of idea of how do you protect your users and then how do you protect your devices and how do you protect your network?
Max:27:01
Because, you know, SANS used to release these things of, like, what are your what are your, you know, threat vectors in your network. Right? And it was always like, oh, it was like malicious acts by internal employees, accidental acts by internal employees, this act you know, acts by external people. But, you know, people are I don't know. The sort I mean, you people on user accounts are the source of basically everything that happens on network at this point.
Max:27:22
And, how do you how do you actually go about and layering, you know, this this idea of, you know, protect your users, protect your devices, and protect your network?
Elliot:27:30
The users, I'd say, is one of the most challenging things these days, because I think there's still a lot of businesses that are in flux on some sort of, local on premise, identity service. Everybody's moved into some flavor of SaaS and cloud. And, not everyone has consolidated onto a single thing. And the reality is, as soon as you move to, SaaS like, Azure AD and O365 or, Google, you're kind of exposing all of your authentication out to the entire world. So something that used to be very private is now very public.
Elliot:28:14
And you have to think about how what that means, how that integrates to all the different things that your users are trying to connect to or utilize to connect with. And then also, make sure that it's really rigid, in terms of the security aspects of it. So multifactor is gonna be super important. Making sure that your users are using strong passwords with some level of rotation. Following some of the best guidelines there is gonna be important.
Elliot:28:43
But then, if you start to look at users, it's not just users and their access, it's also what they do with the data. Appropriately, inappropriately, knowing what users are supposed to have access to, what they're not supposed to have access to, what they, maybe are sending externally or or taken offline, appropriately, inappropriately. All that stuff needs to be kind of reviewed. And knowing that your users can be doing things, for for good, but they can also be doing things for bad. They can also be utilized to do bad things without even knowing it.
Elliot:29:20
And that's where all the, you know, you mentioned the endpoints in the network as well. All of those things have to work in harmony, because ransomware, for example, may start with compromising credentials to then infiltrate the network to drop a payload, but it can also just go right to the endpoint, based off of a network action or a user action. And so having those things work in parallel is really key, and having consolidated visibility across everything, your users, your network, your endpoint, is how you start to turn this into a real security program. And then the other part is, what's the right way that the business wants all this stuff to work? So, having defined policies, procedures, standards, all of that also works in parallel to define exactly how the environment should look, to then be able to put the right enforcement and response controls in place.
Elliot:30:22
And one more thing I'll say, and I'll take a quick pause, is, just this week I was chatting with one of our SOC engineers, and what they're seeing is one of the more recent and prevalent attack vectors is smishing attacks. So, malicious SMS or text messages being sent to employees, because, as I was mentioning earlier, credentials are all in the cloud on Office 365 or some other cloud-based service. As soon as they click that link, it'll compromise the credentials of the user to then be able to move laterally to other devices and other parts of the network. And that is then how ransomware is most commonly getting put in place, and virtually nobody has any kind of mobile security in place today.
Max:31:20
So, okay.
Elliot:31:21
Little bit little bit of stuff to unpack there.
Max:31:24
Smishing and what was the other one that's that's that's popular and circulating right now is, Quishing Quishing attacks, QR code, like, attacks. So okay. So this is this is a a question in terms of order.
Elliot:31:35
Yeah. I've got a funny one. QR codes if you want. Oh, great. I'd like tell me.
Elliot:31:39
Tell me. I was at a conference, and, I wrapped up my whole session with a, hey. Thanks for joining my session and here's a QR code on how to stay in touch with us. No. Oh my god.
Max:31:53
Oh my god.
Elliot:31:53
Oh my god. Oh my god.
Max:31:54
You didn't.
Elliot:31:56
After I did a little bit of a security awareness training and so, like, portfolio reviews and all that, and the entire room was up there, like, taking a picture of it. And it was funny, and fortunately, it was a good, well-intended landing page that just said, hey, we got you. And you should really think twice before you use QR codes. And pretty much everybody in the room was like, oh, yeah. I guess we really should.
Max:32:27
My version of that story is early 2000 at a DEF CON conference. And the talk was irrelevant. But at the end of the talk, there's like a lightning round, and this guy gets up and he had a Pineapple, you know, device basically, a precursor of Pineapple. And he gets up there and he just starts reading off passwords. And he wasn't saying usernames and he didn't say, like, what services it was, but just literally started reading off passwords from everybody that was in the audience trying to connect to Wi-Fi and, like, check their email or do whatever.
Max:32:55
And it was just like and he's just reading through this list of passwords and people in the audience were just having were just freaking out. And it was it was that easy. You know? It was like he was just sitting in the room just, you know, really unsophisticated kind of stuff. Okay.
Max:33:07
So in your little just talk back then, I think I counted maybe between 7 and 9 different acronyms of tools to accomplish the different examples of business objectives that you were talking about. Like, you know, protect data access and protect this and protect that. And, you know, I like that you weren't throwing out tools because it's it's more granular when you say, like, how do you make sure that your finance team is only authenticating with your ERP when they're, you know, in a time zone that they should be in. Right? You know, the the classic example of why is your CFO trying to, you know, log in from Nigeria into and I just picked Jerry out of the room.
Max:33:46
But, you know, whatever, into your ERP at 3 o'clock in the morning. Probably not, like, a valid, you know, remote access. Multi-factor authentication and SSO is one for me that's very interesting because, done correctly, it accomplishes two things for you. It makes your users' lives better, because now it's easier for them to authenticate and gain access to your tools and your systems, and it also makes your life better, the company's life better, because you have a stronger control around those identities. And of course the big example of that is, you know, we start talking about, you know, serving a URL to the browser and not typing a username and password into that, you know, password form, you know, the unicor, you know, that it's really easy to mask and make a website look like it's the right website, and even looking at the URL, there's characters that are the wrong character but look like the right character in terms of URLs. Like, you know, I think for a long time it was, you know, there was this perception of, like, oh, why did you click on this link, you moron, and you bozo, and you, like, launches attack.
Max:35:00
But I mean, it's it's very sophisticated. It is basically impossible to assume that your users and even your your practitioners in this space are going to not fall victim to these things because, you know, this is a big industry and people spend a lot of time in engineering doing it. So, we're starting to see passkeys and hardware keys coming out. Are you seeing that as a I mean, MFA and, like, an SMS being sent to a user is better than nothing? And having a, like, a, TOTP, you know, like, a Google Authenticator type thing is better than nothing?
Max:35:34
And is, like, the next step? Are you seeing a push to passkeys and hardware keys, like Titan keys or YubiKeys or these sorts of things, you know, really becoming prevalent now, you know, out there with companies?
Elliot:35:46
It depends on the industry. As a whole, I think it's still a bit early. People are still trying to figure out what the right path forward will be. A lot of these businesses, they've literally just made a giant investment on multifactor. So, for them to now have to shift to yet the next greatest thing, I think it's gonna take a few years for them to amortize that investment.
Elliot:36:10
Mhmm. And
Max:36:12
The reality is corporate purchasing cycles come into play. Yep.
Elliot:36:14
Yeah. I think so. And but I but I think that's probably gonna be the direction, here, within the next maybe 2 or 3 years is a shift towards, towards the new technologies for it.
Max:36:25
It's harder to phish somebody when they have to plug a key into the computer, and that key has to look and identify that URL as being a valid URL before it can, you know, take action or put a password in. Right? Like, it's just that that doesn't
Elliot:36:39
I mean, if you have the DoD, they've been doing that for years.
Max:36:42
Yeah. I mean, you know? Okay, everybody. There it is. Just do what the DOD does and you're gonna have no cyber security problems.
Elliot:36:49
They have a very designated card that that is their ID that they have to walk around with and utilize, but And put it into things. Can you imagine your, small business walking around with an extra thing that they have to keep on their key chain or in their on their person to authenticate to the device? I mean, I that's the part that the the user experience of that is, the part that concerns me.
Max:37:13
So, I like the concept of passkeys. And and so, you know, we're a small business by, you know, user count. We're sophisticated users, but we're a small business by by headcount. And, I like passkeys and push authentication that goes into applications on a on a, you know, like on your mobile, you know? And so even if you're using a passkey or a hardware key to do the initial authentication onto the mobile device, but then when you're signing into a service, you know, Google's actually, I think really trying to do the right thing here of being like, okay.
Max:37:40
We're gonna actually push an alert to some other app, you know, to your mobile device in the application to validate that it's you when you're you're signing in. So I I think that's a that's a really good step forward in the right direction. It's a little bit harder to, know, do the do the obviously bad attacks of getting people's passwords. You know, I I see all these horror stories on Instagram where people are like, my account was hacked. And it's like, no, I don't know if your account was hacked or if you just gave me your password without realizing that you were doing that.
Max:38:04
I feel bad for them, but it's, you know, the actual attack is unsophisticated. So, we'll circle back on something. So we talk about SSO, MFA, identity, identity management. By the way, this is really important because, you know, Colonial Pipeline was a compromised VPN account for a user that was no longer at the company, and they paid over $4,000,000 in ransomware plus whatever loss they had in revenue and everything else that they had to deal with. Right?
Max:38:27
So this is an 8 figure plus attack from an account that shouldn't have been active on a platform, that could have been dealt with in a very simple way. You mentioned EDR, and you talk about EDR and, in the same kind of sentence, you talk about mobile devices and not having any sort of mobile security deployed at most of these companies. So EDR, is this like kind of, you know, default? Like, you should get your EDR in place first. Do you think that's the right play?
Max:38:52
Because, you know, looking at these tools, and especially when it comes into, like, a SASE definition, and I'll start using some acronyms, but let's just say, you know, secure web gateways or remote browser inspection, you know, something that's actually doing, you know, inline traffic inspection and URL filtering for devices, so both, you know, a desktop and a mobile device, and being a little bit more in the chain, or it's like more of like an offensive measure as opposed to an EDR that's really almost a defensive measure. Is there more value? I mean, is it just you need the EDR because you have to have the EDR and that's just the foundation for everything else that you need, or do a lot of these controls and sophistication really come from these? There's, like, next step of tooling of saying, okay. You know, you're gonna be better served having something that can actually say, you know, this is a bad URL.
Max:39:36
We're not gonna let you get there.
Elliot:39:38
So I think it goes back to what what we were just talking about where you have to protect your users, your devices, your network, and your, applications and data. I'm gonna put put some assumptions in place, assuming that your users are not gonna do anything, bad to harm you because that's a whole other level of inspection on what's being done.
Max:39:58
Yeah. I mean, so you take away from the intentional acts by some rogue actor inside your company.
Elliot:40:02
Yes. So if we're if we're just following on external actors that are really targeting you as a business, then EDR, So let's start at the the users. So considering all of their authentication is being done, now on Office 365 in the cloud, if that's compromised, then they get access to everything else. So you have to protect the authentication with some kind of multifactor, and that'll at least do some really good for that business. The next thing is the users are, like, in that business is gonna be connected to the internet.
Elliot:40:34
And they're gonna be connected to the internet through devices. Their data will be somewhere either on an internal network, on the external, or both, today's standards. So as users are going to the Internet, they're not just gonna go to Office 365 or to Salesforce or to whatever the applications are. They're gonna go to Facebook. They're gonna go to, do Google searches and everything else that they, are gonna do as a part of just being a human that has access to the internet.
Elliot:40:59
So, you have to put the right controls in place on the network to protect and limit the malicious things that they're potentially able to expose themselves to, to prevent malicious things from coming down to the network. But even then, things are still gonna slip through the cracks. So you have to have something on the endpoints protecting the endpoints and making sure that those endpoints are looking at the the payloads and the downloads and the the, the applications or, exploit attempts that are taking place on those endpoints. And that's where the EDR comes in. So it's really kind of those things combined that give some very rudimentary controls for, any business to to to really start to, secure that business.
Max:41:40
For clarity, you know, on on, like, a, you know, rough scale, being here with nothing and then adding EDR. It's not like you're going from here to here. It's like adding the EDR goes from, like, here to, like, here. You know, it's it's a lot of these things are are monumental leaps forward in terms of your overall posture and your overall program. You know, having MFA isn't like a little thing.
Max:41:59
It's like a huge evolutionary leap for for a business. So these, you know, if if you're watching this and you're kinda wondering, like, oh, you know, how much benefit am I gonna get out of this? Each each thing you actually get a huge benefit from. You know, it's it's massive improvements.
Elliot:42:11
I mean, I'll go back to the, to the the fire analogy. I would say that EDR would be in new construction where you're mandated to put in sprinklers inside, the building. It'll detect the fire, but it'll also start to put it out. And that's really versus just having a smoke alarm or having your defensible space or your reinforced doors. This actually starts to, detect and respond to it.
Max:42:36
Something that I've noticed with our customers and when we're talking with new companies is at about a 1,000 employees-ish, there starts to become a dedicated security function within that company. Maybe you have a team of 2 to 3 people that actually are, like, designated security practitioners. You know, under a 1,000, it's just somebody in IT that gets designated as, like, you're gonna be, like, the security guy, right, or gal. Microsoft, you can overlay security with their Sentinel tool and Defender, you know, on E3 licenses, you can buy it with an E5 package. And I'm starting to see a lot of companies say, okay.
Max:43:07
Great. We're gonna go out. We're gonna get Microsoft. And we're running E5 security. And so now we're fine.
Max:43:10
We got all we're we're protected. And and and this turns into, like, a do it yourself versus having a partner and bringing in a company like AT and T to actually help implement and manage these programs. And I'm curious your thoughts on this do it yourself versus do it with a partner and the trade offs that really are coming out. And and I have my version of this, but I'm really interested to hear your version of it.
Elliot:43:32
Yeah. If you have the IT person that is also doing security and hit at sub a 1000, you might only be looking at 1 or 2 IT people. The skills aren't there. So I'm not gonna get into whether Microsoft Defender is good or bad or if there's better out there or worse. But focus focusing just on the human aspect of it.
Elliot:43:53
They're not gonna have the time, the capacity, or the understanding to be able to look at what's taking place with the tool and respond appropriately and make changes to the environment as appropriate. And when you start to go to the example that you gave at that 1,000, user threshold with maybe 1 or 2, dedicated security titles in the organization, still not enough. 1 or 2, they're gonna be working 8 to 5, 9 to 5. And what happens overnight when those servers are still running? Those cloud workloads are still running.
Elliot:44:27
The businesses, customer facing applications that they're hosting are still running. Nobody's there to look at it and pay attention to it. Businesses today are more and more running 24 by 7, and they actually need 24 by 7, monitoring and response capabilities, available to them because the adversaries, they may be domestic, they may be overseas, they may be in the same or different time zones or reposings, or they're just using automation and they may be sleeping and still attacking us. So we have to be ready and defending at all times, and you can't do that with 1 or 2 or even a small army of people. And the other part of it is accountability.
Elliot:45:09
I personally would rather say that I had outsourced my security to one of the the best MSSPs name brand with recognition and said, we did everything that we could, and we still got hit. And that's also kind of the part of reality today. But we were able to recover faster and more efficiently, and we have proof that we did all the right things.
Max:45:32
Yes. It's not it's not what's the word is? Prudence. Prudence is the word. We we took we were prudent in the actions that we took.
Max:45:37
And we're not negligent, right? I think those 2 words are gonna start being used a lot more, especially in the public company or companies that have investors in them, in terms of what potentially happens to the board members and the executive teams. Is there personal liability? Did you act in a prudent way or did you act in a negligent way? That'll be interesting to watch that flush out. You mentioned vulnerability management and patch management. I can't think of 2 terms that are more unsexy for a company to go out and purchase.
Max:46:05
I don't see very many people lining up and, you know, tripping over themselves trying to buy an asset management, vulnerability management, patching management system. You know, this is kinda like one of those, like, very bottom of the like, the priority list in terms of, like, resume building activities. I'd love it if we could dive into this a little bit more in terms of what you get out of these things and why they actually are so critical. And I can share some stories, but I wanna hear hear you first.
Elliot:46:27
Sure. So might not be sexy, but it's, I would say it's like wake up in the morning washing your face, brushing your teeth, it's just proper hygiene. It's it's what, IT environment should be doing, on a continual basis. So I consider that to be just basic IT and cybersecurity hygiene for, an environment. And, while it's not, sexy, it's it's also not difficult if you're equipping yourself with the right tooling.
Elliot:46:58
That right tooling is super cost effective these days. And so for the little that you spend on it, the the the rewards that you're gonna get out of it, and the additional security of your environment are just tremendous. Let alone the automation for, the like, when you start to look at patch management. I'll I'll talk about another one of these small businesses that I've worked with where, I was talking to the, IT manager over there. When I mentioned Patch Management, she with pride and joy told me that she part of her daily function is to walk around to each of the PCs in the environment to do all of the necessary patching.
Max:47:41
Why would you wanna do that? Just just just in what world is that like a positive for you?
Elliot:47:49
I mean, when it's what you've done for the last 10 plus years, it's what you know. It's it's what pays your gives you a check every month. Like, do you wanna mess with that? I mean, I feel like that's what it is.
Max:48:02
Let me just just stop you right here. If if anybody is listening to this and they think that this is what drives value for their employment status with their company, it doesn't. The outcome is what drives value. Right? The patches are done.
Max:48:15
You walking around to every desk is not what does it. They don't you're you're I guarantee management ownership does not care how much time you spent patching just that the patches were done. So for the for the love of your sanity and time, please do not do this manually.
Elliot:48:31
Don't do
Max:48:32
it, No. Seriously, like, your executive if you think about it. Execute you know, like, your your boss, your executive team, your ownership, whatever whatever you wanna put in terms of your, like, upper level management, you know, they wanna see, you know, are you tracking KPIs and are you improving them? You know, like what's your time to patch? What's your patch deployment?
Max:48:50
You know, what metrics can you derive? You know, how are you you know, what's what's your response? I mean, that's the kind of stuff that they want. They don't wanna hear that you were walking around patching every desktop and like you need a pat on the back because like you're you're doing such a good job, like, running Windows update on a 100 computers. Like
Elliot:49:04
They're they're pretty visible when they're walking around.
Max:49:08
Oh, jeez.
Elliot:49:10
But I think you're spot on. Like, the KPIs is, is the inherent value of moving towards vulnerability management and patch management. Like, right there within the tool, you can show your all of those KPIs of time to remediate, the the high, medium, lows, and the the time that those were actually there. Not only that, you also have, like, the what you should do for the non patchable things. Like, what are the recommendations that otherwise would take you maybe either towards the path of waiting and skipping it because you don't know what to do and the patch isn't available, to maybe a compensating control that you can put in, to minimize the the negative impacts of that vulnerability.
Max:49:50
And some of these vulnerability management tools got really sophisticated in terms of, they'll actually tell you, like, this is an exploit that we know is in the wild. Basically, you get scoring of, like, this is a really bad thing, but you have to have local access and this and the other thing. And it's, like, basically, you know, not likely to be an event that you really are too terrified about, versus, like, stop everything and figure out what to do about this right this second because bad things can happen to you. So we have a shared customer. And by just fluke of timing, they deployed a vulnerability management system right before Log4j happened. And the conversation with them pre vulnerability management going into place was something along the lines of, they didn't need it, and it wasn't gonna give much value, and that they were secure, you know, they had it managed and they knew where everything was. And they had an external requirement that, you know, forced them to put this into place. And then Log4j happened, and it was literally everywhere. I mean, places that they had no idea it was. Not only was Log4j everywhere, but then the vulnerable versions of Log4j, as Log4j was being revved up to try to deal with stuff. And then it was like, there was like 3, 4, 5 versions where they would release a version and then that had a vulnerability, and that was just this nightmare of, like, Log4j updates, finding versions and vulnerable versions that would, I mean, it was the same.
Max:51:07
It was ridiculous how prevalent this was in their environment, and in places where they had no idea that it would have been running, because, you know, why would it have that dependency, and who would have thought that it was there? And it was really impressive to have that conversation pre Log4j exploit and during Log4j exploit and post Log4j exploit, of just really seeing that, like, mentality shift from start to finish going through. Now, they didn't have a patch management system deployed that was actually maintained to do all that for them automatically, and they had a lot of other fire drills I had to deal with, but it was, as an outside observer, pretty amazing to just witness the chaos caused by this seemingly benign thing that nobody really knew about or cared about, because, you know, who talks about Log4j on a daily basis? Hey, Bob. How's it going? You know? Oh, yeah.
Max:51:54
You know, we got this Log4j thing running out there.
Elliot:51:57
Vulnerabilities exist out there. They're they're out there on a regular basis, and I'll I'll give you the another example here. We a customer that had, you know, they they had a computer, desktop, that was sitting in the closet. They decided to pull it out and see what was on it. As soon as they powered it on, of course, they had it plugged into the network.
Elliot:52:21
And, it was, vulnerable to the the old, yesteryear, SMB vulnerabilities. It actually had WannaCry sitting on it. And as soon as they powered it on, it tried to go laterally, but very quickly, all of the EDR, that was on the network previously installed. Fortunately, they were at that level, immediately saw it and blocked it. So the like, you never know what you're gonna run into in an environment and what the root cause of a potential impact, will be.
Elliot:52:55
But fortunately, they didn't notice that this thing was starting to run. But the EDR and the managed services that we provided were able to tell the customer, hey. You got WannaCry that's coming from some device on your network. We haven't seen that in a while. You need to go investigate and figure out what that device is that's just come online.
Max:53:14
Let's talk about something that we've started leveraging more that I don't think a lot of people understand: your vCISO services. And let's start with, what are they and what can you do with them?
Elliot:53:26
Yeah. So vCISO, virtual chief information security officer. So, average cost of a CISO, like a legitimate CISO, is easily, when you look at total compensation, sign-on bonuses, retention bonuses, equity benefits, everything else, you're looking at easily half a million to a million dollars plus, depending on the size of the organization that they're gonna be running. So the virtual CSO gives you an equally capable and caliber consultant and a time share of it.
Elliot:54:05
So it's a fractional share of that CSO personnel. And we're able to line up the appropriate resource based off of the business site that you're in, the outcomes that you're looking for. But really, it's more there for strategy development. And it can be used for execution, but we can typically layer on other services, like security architects, to fulfill some of the tactical execution that the CISO defines. But really strategy, risk, how you should be communicating to your customers or your peer businesses.
Elliot:54:44
What are the policies that should be in place for business of your type? Are we, managing the appropriate level of risk? Are we fulfilling cyber insurance requirements appropriately? Those are all kind of the strategy and direction and starting to look at not just where we are right now, but also where's this business going in the next, 3 to 5 years, and how do we plan for that and make sure that the not just IT, but security, is empowering the business to get to those outcomes.
Max:55:13
And, I mean, this isn't something that exclusively requires you to not have a CISO in place, but you could use and leverage AT and T's vCSO if you already have a security team in place. Right?
Elliot:55:22
You can. It gets delicate. Like, if there's a CSO already in place, because then the CSO hired a vCISO, so it starts to look, the optics of that just don't look very good. You can sometimes also have, like, a really good security person that's just overworked and doesn't have the bandwidth to scale out, but has the aspirations of becoming the CSO someday. So we're sometimes flexible, based off the customer needs and the perception that they're trying to build, of calling it a virtual CSO versus maybe a strategy trusted advisor.
Elliot:55:54
That way we're giving the the the outcome that the customer's looking for while not stepping on any toes.
Max:56:00
One of my favorite, like, vCISO stories is a customer that was going through a SOC process. They were doing SOC 2 compliance. And part of it, they had to document all their controls and procedures and policies for the business. And their team, of course, was running around with their hair on fire trying to get everything else done for their SOC compliance, and they use the vCISO service to author and create all this. I mean, just basically just pure documentation play. We need to produce, you know, a couple 100 pages of policy documentation, best practices, adherence, you know, what we're currently doing.
Max:56:32
You know? And that's how they use the vCISO. The conversation was literally, I don't have the time or energy or want to have anything to do with this. And so for, you know, a nominal amount of money, we'll just not deal with it. Like, it's, and they were very happy.
Max:56:46
I mean, this is another one of those things. Like, the business needed an outcome. They needed SOC 2 compliance. They didn't need somebody working for them slaving over producing this material. They just needed the material done.
Max:56:56
And it was a very easy trade for them to make of just saying, hey, let's just, you know, let's just pay for somebody to do it and get it very quickly. And they had the result they wanted in a very, very short amount of time and were very happy with the outcome. Last thing I wanna touch on, because we talked about it at the beginning, was incident response, and this of course turns into incident response plans and retainers, or retainers and IR plans. So seeing this from supply chain, where people are now being asked, you know, what is your IR plan? Do you have one documented? Or maybe it's a cyber insurance. Do you have an IR plan in place?
Max:57:31
Do you have a retainer in place? These sorts of things. What does what does incident response entail? If somebody's being pushed into it or thinking about it, what would you, you know, how do you how do you explain it and talk through it? What are the options available?
Max:57:43
Why do you need one?
Elliot:57:44
Yeah. I mean, so what is it and why do you need it? Again, back to that fire analogy, it's the firefighters. Do you need firefighters? Well, probably most people will never ever need them.
Elliot:57:59
But the ones that do are really appreciative that they're there, because it will it really, provided some immediate and immense value. And, so from a cybersecurity perspective, it's kinda the same thing that if you don't have an incident response team or a retainer or a defined response plan, until you have an incident, you won't really know the impact of that. And Unless there's some other driving requirements that are forcing you to have it, you may just overlook that and, not have it, which will then, be catastrophic at the moment that you need it the most. So what is it? It's a, so a retainer is a, it is a statement of work or contract that's in place with a appropriate firm like AT and T Cybersecurity that gives you access to those incident responders on a moment's notice when you actually need the help.
Elliot:58:54
Difference between your IT team, your even your SOC services, your MDR services and all that, is skillsets. MDRs skillsets and, access to the environment. Like, MDR services will typically, provide, managed detection and response services, utilizing the tools that they're furnishing to you as a part of the service. It could be a SIEM. It could be, EDR tool.
Elliot:59:20
They're not gonna actually VPN into your environment and log into your Windows workstation as compromised, and then do, do forensics and response and manually go through and dissect whatever needs to take place to go eradicate the threat. So that's what the incident response, retainer, provides you. It gives you resources that can then go off and do that. And as a part of our retainers, we're gonna have an onboarding phase, just like any of our services, where we're gonna go through and, document access, get provision credentials specifically for us so that they can be audited, and then, understand the rotation policies for, the the access control, methods that were being furnished. We're gonna get an understanding of the environment.
Elliot:01:00:04
Personnel, establish the communication protocol for the customer to the incident response team, for their MDR service to us. All that gets flushed out. It's not really a plan because that's specifically for utilizing our service. Your incident response plan is, the customer's incident response plan of what they actually do if an incident takes place, who gets notified, who's gonna be involved from legal, what C-levels, VPs, boards have to be notified of what's taking place, who makes the final decision on pay or not pay that ransom. There there's a lot of stuff that needs to be kind of documented and, thought through to be able to then make sure that all these things are working effectively when that time comes.
Max:01:00:48
All things that you wanna have in place before you have a fire, pretty much. Right? You know, we're doing this with our kids right now of, like, get out of the house, where do you go, then call 911. You know, like, just just what are the steps? Do you practice it?
Max:01:00:59
Does everybody know what their role is? You know, like, really basic things. Like, it's your job to get the dog or not. Like, who's responsible for getting the dog? You know?
Max:01:01:06
You know, also interestingly is now depending on what is your what kind of business you're in, you can have very specific legal requirements. Not not in terms of, like, your own internal, like, getting your legal team involved, but you could have legal requirements to, you know, the state or to the federal governments of what you're required to do and provide and capture and track and, you know, and and maintain that you probably don't wanna find out after the fact that you were supposed to do. You know? It's it's better to have an awareness of that before you have to maintain whatever it is that you have to maintain. Also, you know, your cyber insurance policy might require you to have certain things in place, right? Or conduct certain actions or discover and figure out certain things in order to get a check from from your insurance company after the fact.
Max:01:01:48
I mean, you don't wanna go to ask them for money and then find out. And he was like, oh, you you didn't do step 3, and so therefore, we're not paying you because you just invalidated your insurance policy. It's so complicated, Elliot. You know, why, why is this so complicated?
Elliot:01:02:03
Well, because there's a lot at stake. There's a lot that that other people would like to have that they don't, and they can quickly monetize or disrupt impact, just depending on the the threat actors. There's a lot of reasons as to why. Since there's, a potential, there's a potential of something that they're looking for, you have to be ready to defend what you have.
Max:01:02:26
So what I hope came out of this and just to kinda summarize a lot of this conversation for me when we talk is AT and T cybersecurity can provide the tool. You can provide the management configuration of the tool. You can provide, strategy advice guidance of the tool. You can provide, incident response remediation services, you know, on top of it. You have a very large logo that's reputable and trusted.
Max:01:02:49
So if you're dealing with third parties and externals and and one of the things that that we've seen in practice that's really nice is, hey. My customer, this agency requires us to have these things and who's doing it. And then when that shows up and it's got AT and T's logo on it, it's like, okay. Great. AT and T knows what they're doing.
Max:01:03:03
We don't have to dig into this too much. That's that's been a very pleasant experience to see. Not have to, like, oh, well, we hired our neighbor to do this for us and what are their credentials? You know, that's not a conversation topic. And we talked about it briefly, but, you know, I think we should end on the sound bite.
Max:01:03:18
You know, for people that have had experiences or bad experiences with AT and T on the, you know, mass market telco, you know, DSL phone line, whatever side of the business, you know, what would you say to them about, you know, working with AT and T cybersecurity and and and the differences?
Elliot:01:03:33
I mean, when you're working with such a large organization, there's so many different facets of the organization and so many experiences that every human out there has had with a brand like AT and T. Could be on the your personal cell phone plan, calling in for that, going into a store, could be your business, connectivity. But when you start to look at cybersecurity, although those are all other services that exist within the umbrella, cybersecurity is, carved out into its own business unit, specifically with, cybersecurity focused, SLAs, cybersecurity focused, resources. Our personnel is dedicated to cybersecurity. So one of the questions I get all the time is, will my customer end up calling the same call center for connectivity or mobility, as they do for cybersecurity or is that gonna be different?
Elliot:01:04:21
I'm like, yes. It's different.
Max:01:04:23
It's yes. I the the tagline to all this is, yes, it's AT and T cybersecurity, but it's completely different.
Elliot:01:04:30
Yes.
Max:01:04:31
Everything about it's different and separate. It's a completely separate thing. We have all the money and resources from AT and T, but we are completely separate and and and distinctly different. Elliot, any any any parting shots or thoughts or things that we did not talk about that we should spend some time talking about? Or did we, do you think that we I I mean, I I'm looking through my notes here.
Max:01:04:53
I can't I can't think of anything else I wanna talk to you about. Well, actually, I wanna talk to you about everything with you, but, that makes sense for this right now.
Elliot:01:05:00
No. I think for for today's topic, I think we did a pretty good job of, capturing all the aspects of it. It's always a pleasure to speak with you. The just the thoughtfulness that you have in, and just advising your customers and making sure that the they're getting and doing the right things and maturing over time, as quickly as they can and should. And, the guidance that you provide is, is I think we we saw a lot of that today on, the way that you structure this conversation.
Elliot:01:05:25
So really appreciate that.
Max:01:05:26
Well, thank you, Elliot, for all as always. I'm hoping that as time passes, these conversations change a little bit. I mean, I can remember 20 years ago in data centers, you know, you know, DDoS mitigation wasn't a thing, you know. And and if you were, you know, in the early tens and o's and tens, you had a DoS attack. You've learned very quickly that you just needed to have DoS mitigation as part of your connectivity.
Max:01:05:48
And and nowadays, anyway, that went through that experience just, you know, yes, it adds expense to it, but it's just the cost of being on the Internet. And, I'm hoping we're getting closer and closer to that with businesses and cybersecurity. And we're gonna stop seeing so many of these horrible stories of, you know, companies having horrible things happen to them and people losing jobs and everything else that comes comes as a byproduct. So, Elliot, thank you very much. Always a pleasure.