Cyber Crime Junkies

How to CATCH a HACKER

Cyber Crime Junkies. Host David Mauro. Season 6 Episode 86

🔥 New Episode Alert 🔥 In this exciting discussion, CISSP security leader Braxton Molton and host David Mauro on why you’re not too small to be hacked, the importance of detection and we explain How Small Business Can Catch Hackers. The message is clear on why small business needs better security. Exclusive insight from the front lines. 

Growth without Interruption. Get peace of mind. Stay Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ YouTube (formerly Google) Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions, or text the studio number above. We'd love to hear your thoughts and suggestions for future episodes!

Chapters

00:00 The Illusion of Cybersecurity Safety

03:02 Understanding Network Monitoring vs. Security Monitoring

06:08 The Role of Security Operations Centers (SOCs)

09:10 Navigating Compliance and Regulations

12:00 The Reality of Data Breaches

14:56 The Lifecycle of a Cyber Attack

17:46 The Importance of Security Information and Event Management (SIEM)

29:53 Understanding SIEM and Its Importance

32:36 Risks of Not Implementing Security Measures

35:58 The Evolution of Cybersecurity Needs

39:16 The Role of SIEM in Threat Detection

42:10 Real-World Examples of Cyber Threats

46:45 The Necessity of Managed Security Services

54:05 Conclusion and Call to Action 

In this conversation, cybersecurity experts discuss the realities of cyber threats and the need for robust security measures in businesses of every size. They emphasize that many organizations operate under a false sense of security, believing they are safe from attack because they have not noticed a breach. The discussion covers the difference between network monitoring (a NOC watching uptime and performance) and security monitoring (a SOC watching for malicious behavior), compliance with regulations and the negligence exposure that exists even outside them, the lifecycle of an attack from phishing and initial access through reconnaissance, lateral movement, privilege escalation, exfiltration and extortion, and the role of Security Information and Event Management (SIEM) systems in correlating logs from cloud applications, firewalls and Active Directory so that an analyst can see that activity. The speakers also cover the risks businesses face without these controls, including compliance findings, cyber insurance exceptions and long dwell times before a breach is discovered, how digital transformation has changed what organizations need, and why managed security services fill that gap. Real-world examples, particularly business email compromise, illustrate the need for proactive detection and response. The discussion closes with a call for businesses to assess their security posture and consider professional security services.
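As an added worked example (not code from the podcast, from NetGain Technologies, or from any SIEM vendor), the following Python sketches the kind of correlation the episode describes: a cloud sign-in from a country the organization does not operate in, followed within minutes by the same source IP being allowed through the firewall and the synced account logging on to an on-premises server, plus the second pattern the guests discuss, an account logging on to a host it has never used before. All event sources, field names, IP addresses, account names, the expected-country list and the baseline of usual hosts are constructed for illustration; a real SIEM would normalize these from Microsoft 365 sign-in logs, firewall syslog and Windows Security event 4624 (successful logon).

```python
"""SIEM-style correlation over constructed log events (added example)."""
from datetime import datetime, timedelta

# Constructed sample events (hypothetical). In practice these would be
# normalized from M365 sign-in logs, firewall syslog and Windows Security
# event 4624; the field names here are this example's own.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "source": "m365", "user": "jdoe",
     "ip": "203.0.113.7", "country": "BY", "result": "success"},
    {"ts": "2024-03-01T09:03:00", "source": "firewall",
     "ip": "203.0.113.7", "action": "allow", "dst": "fs01"},
    {"ts": "2024-03-01T09:04:30", "source": "ad", "user": "jdoe",
     "event_id": 4624, "host": "fs01"},
    # Routine on-prem activity that should stay below the alert threshold.
    {"ts": "2024-03-01T09:10:00", "source": "ad", "user": "bsmith",
     "event_id": 4624, "host": "ws22"},
    {"ts": "2024-03-01T11:00:00", "source": "m365", "user": "bsmith",
     "ip": "198.51.100.4", "country": "US", "result": "success"},
]

# Where users are expected to sign in from, and which hosts each account
# normally logs on to (both constructed for this example).
EXPECTED_COUNTRIES = {"US"}
BASELINE_HOSTS = {"jdoe": {"ws07"}, "bsmith": {"ws22"}}
WINDOW = timedelta(minutes=10)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate_foreign_signin(events, expected_countries=EXPECTED_COUNTRIES,
                             window=WINDOW):
    """One alert per successful cloud sign-in from an unexpected country.

    Each alert is enriched with the follow-on activity seen inside the
    window: the same IP allowed through the firewall, and the (synced)
    account logging on to an on-premises host. Severity rises with the
    number of independent sources that agree, which is the point of
    correlating rather than alerting on any single log.
    """
    alerts = []
    for e in events:
        if e["source"] != "m365" or e.get("result") != "success":
            continue
        if e["country"] in expected_countries:
            continue
        t0 = _ts(e)
        stages = {"cloud_signin_unexpected_country"}
        for f in events:
            if not t0 < _ts(f) <= t0 + window:
                continue
            if (f["source"] == "firewall" and f.get("ip") == e["ip"]
                    and f.get("action") == "allow"):
                stages.add("same_ip_allowed_through_firewall")
            elif (f["source"] == "ad" and f.get("user") == e["user"]
                    and f.get("event_id") == 4624):
                stages.add("synced_account_onprem_logon")
        severity = ["medium", "high", "critical"][len(stages) - 1]
        alerts.append({"user": e["user"], "ip": e["ip"],
                       "country": e["country"], "severity": severity,
                       "stages": sorted(stages)})
    return alerts


def unusual_host_logons(events, baseline=BASELINE_HOSTS):
    """Successful AD logons to a host the account has not been seen on.

    Raw Active Directory logging is noisy (every file-share access is
    recorded); comparing each logon against a per-account baseline is
    what turns that noise into something an analyst can act on.
    """
    return [
        (e["user"], e["host"])
        for e in events
        if e["source"] == "ad" and e.get("event_id") == 4624
        and e["host"] not in baseline.get(e["user"], set())
    ]


if __name__ == "__main__":
    for alert in correlate_foreign_signin(EVENTS):
        print(alert)
    print(unusual_host_logons(EVENTS))
```

On the constructed input the foreign sign-in for jdoe is raised at critical severity because all three sources agree, while bsmith's logon to his usual workstation produces nothing; the second function flags jdoe's first-ever logon to fs01, which is the privileged-user-on-an-unfamiliar-device behavior the guests describe.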


Speaker 2 (00:00.12)
So think you're too small to be hacked? Isn't that special? Let me guess, you've got some employees, a nice office space, great customers, software subscriptions, and you still think the word firewall is something the IT guy builds in Minecraft. Let me guess, you've never spoken to an actual security expert in your life since your IT guy is saying that you're safe. Here's the news flash. You're not safe.

and your IT guy is wrong. Don't believe me? Then we may wind up reading about your destruction in the news. Maybe we'll do an episode on your company. After you're forced to shutter your doors, only time will tell. So here's your surprise. Not only are you not safe, you're really just blind, ignoring the mountain you are flying directly toward. Watch to the end and you'll understand why.

Why cyber criminals love business leaders when they take your approach of flying blind and doing the same as they've always done. In today's episode, I'm sitting down with Braxton Moulton, a CISSP security expert who's basically fought more hackers than a Marvel movie. And we are breaking down why your business is the low hanging fruit of the internet. This is not just a wake up call. This is a fire drill.

Welcome to the face of cybercrime. So let's find out how to catch a hacker before they catch you. This is Cybercrime Junkies and now the show.

Speaker 2 (01:53.23)
Catch us on YouTube, follow us on LinkedIn, and dive deeper at cybercrimejunkies.com. Don't just watch, be the type of person that fights back. This is Cybercrime Junkies, and now the show.

Speaker 2 (02:13.014)
All right, well, welcome, everybody. I'm David Mauro, Vice President with NetGain Technologies, headquartered here in Lexington, Kentucky. And I am joined by Braxton Moulton, one of our senior cybersecurity leaders. Braxton, welcome, sir.

Thank you. Thanks for having me.

Well, I'm excited about what we're going to be talking about today. We're going to be talking about eyes on glass and monitoring your network. Who's monitoring your network and why does that matter to business leaders, right? In all shapes and sizes of organizations, but particularly in that mid-market, that smaller organization that maybe hasn't considered this in the past. And we're going to explore kind of how

a security operations center, a SOC, fits into somebody's IT stack. Right. And so as we jump in, you know, I'd like you to introduce yourself briefly, Braxton, and kind of tell us a little bit about your experience and what you guys do as head of a cybersecurity team and in particular here with NetGain Technologies.

Sure. So as David already mentioned, my name is Braxton Moulton. I am the technical director of security at NetGain Technologies. My primary role is I work as a virtual chief security officer with our clients. It's across many different verticals, healthcare, manufacturing, finance, a lot of firms even. But that's in the effort of working with them on a consulting basis.

Speaker 1 (04:00.014)
helping them to improve their cybersecurity posture across known cybersecurity frameworks. That could be NIST 800-53, 800-171, the NIST cybersecurity framework, HIPAA, CMMC, you name it. There's all kinds of frameworks that I could list off here. We don't have enough time for that today, but outside of that, we also have our SOC, Security Operations Center.

that we are partnered with a SIEM provider where we and our security engineers, we review those alerts and incidents and we are the response, we're the boots on the ground for those incidents as they come through. So on top of that, along with helping to provide vulnerability scanning, security awareness training, and just general cyber hygiene.

Fantastic. Yeah, I mean, the work that you guys do is absolutely remarkable. When we think about network monitoring, there's a little bit of confusion. And when we speak with business organizational leaders, you know, some of them may not have, you know, threat hunting or actual security network monitoring. They might have different or IT network monitoring and

they may have a false sense of security because they feel, well, we haven't been breached in the past. And whenever I hear that, the first question that comes to mind, whether it's articulated or not, is how do you know? Like, how do you actually know you haven't been breached or haven't been, you know, exfiltrated? You might not have been extorted, right? You might not have had it brought to your attention, but you don't necessarily know what you can't see.

And so can you explain to us a little bit about what security network monitoring is compared to garden variety network monitoring, both of which are critical. But if you could walk us through that and what that really means to business leaders, that would be great.

Speaker 1 (06:08.726)
So yeah, so we've got a little breakdown here on this slide of what a SOC is, what a NOC is. Security Operations Center and Network Operations Center. I want to start on the right side, which is the Network Operations Center. This is what we might be more familiar with, because that is a more common component that we see with standard IT operations. So if you've got someone internal as an IT team, maybe it's just one person, or if you're more familiar with just working with an MSP to help.

provide IT operations for you. A NOC is probably in use in some degree. So that's providing things like performance monitoring, heartbeats for devices, making sure that they're online. That's going to assist your IT personnel in terms of the standard operations of the devices and how they work on the day to day. That's going to make you more aware of, like, when devices go offline, when they're online. It's just a key component for monitoring

your IT infrastructure in general. Now the flip side of that is your SOC, your Security Operations Center, because what a NOC doesn't typically capture is what actually occurs granularly in terms of security incidents and events. If accounts or devices are doing some nefarious communications through...

certain protocols or certain accounts are being leveraged in a way that they're not supposed to be. That's where these typical solutions like a SIEM backed by a SOC can come into play, because you said it best, is you don't know what you don't know, right? So when you have those blind spots in terms of cybersecurity for what's happening with my devices, what are...

potential bad actors trying to exploit on my devices, what malicious programs are trying to be run. The SOC comes into play with having, like, cybersecurity experts, cybersecurity analysts that understand what those threats are, what they're trying to do, and also help you with the types of data that might be accessed, types of data that potentially might be exfiltrated. And not knowing that could mean

Speaker 1 (08:25.55)
unbelievable amounts of money to the business in the event that you are extorted like you mentioned David or if you are under some sort of compliance or regulation where a potential breach would actually come down on you as like a potential fine or even worse.

Right. Yeah. Okay. So that's a lot to break down. So it sounds to me like what you're saying is the NOC, the network operations center, which is standard in most MSP models and standard in a lot of internal IT builds when an organization starts to build it, it does the critical role of making sure that devices are online, healthy.

It focuses on the reason people buy the technology in the first place, which is to be more productive, to streamline operations, et cetera. Right. So absolutely critical. What is missing in that is while there are certain security controls in place when they do that, right, there's still that lack of visibility. So organizations might think I've got my network monitored.

for bad actors, for bad behavior, for escalated privileges, for lateral movement, for catching hackers as I hear all the time. And the truth is, that's not part of it. That is really the role that the Security Operations Center does. Is that fair?

That's fair, yeah, SOC.

Speaker 2 (10:05.642)
And the network traffic, like whether they're moving, whether data is being exfiltrated, which is a fancy word for stealing, right? Like taking away from your network. Like, hey, don't take that. That's ours. That type of thing. Right. Cool. Yeah, that's that's that's really, really helpful. So what are the rules like? There's a lot of rules in one of the.

Correct. Correct.

Speaker 2 (10:33.246)
struggles that organizations have, one of the struggles we've had, we have in the industry is it really depends who the organization is, what field, what industry, how many employees, et cetera. And then they fit within these frameworks. And in addition to all these rules, there's also common law, right? Because even if you're not required to comply with HIPAA or CMMC or one of the others, right? You still, should there be a breach, there's a lot of

financial and civil liability. And they'll still cite some of these as like evidence of negligence and things like that. So you still have to know what they are and comply at least with the core ones. Is that fair?

Yeah, and it's exactly right, and just this list alone, it seems like a lot. This isn't even all of them. That's why I didn't want to spend the next, you know, six hours trying to list off the different frameworks or regulations. The vertical of your business matters because there are different regulations that you might have to adhere to, and although I would say a lot of the regulations are extremely similar in what they look for in terms of, like, the general concept of

the controls, like they're all going to look for: are you using endpoint protection, are you, you know, are you doing vulnerable...

Are you doing some vulnerability scanning? Are you doing, like, do you have an incident response plan, like that type of thing?

Speaker 1 (12:00.92)
But things will vary between how often are you doing it, how far are you going; the granularity changes from regulation to regulation. So pay attention to your vertical, which I'm sure all business leaders are, but the regulations behind it, because you might be compelled to look into your options for, like, a SIEM or a SOC and what's going to be required there for that detection.

Absolutely. So let's talk about a data breach. So we hear in the news, you know, this organization got breached. Business leaders go to conferences, luncheons, you know, community events. They talk to competitors, you know, peers, and they hear somebody had to go through a breach. And there's a lot of things that go into, like, first of all, not all breaches are equal, right? Like there are some that are much more devastating or accessed

a lot of data or were inside longer, right? Then there are others that, yeah, there might technically be an unauthorized access, but they couldn't get to anything of value and it was addressed right away and they were blocked out. So was it a breach? Well, maybe, maybe not. Meaning there might've been unauthorized access. It might've been an incident, but because you had things in place, you were able to stop them and kick them out.

Was it a breach? Yeah. Was there damage? No. Right. Like it was just an incident and it got remediated. And that's where I think every business leader wants to be, because that way they're like, well, we don't have to stop everything. We just have to stop everything from hurting us. Right. And so walk us through, like, the timeline of a garden variety breach. Like we've got a visual. Walk us through.

But yeah, let's stick with this example of, like, a potential business email compromise, for example. Of course, we know our end users are typically the riskiest asset of a business because they are the weakest link. My analogy, I haven't decided if it's good or not yet, but I continue to use it. I must. But if you, you know, I'm talking to you, David, you're on one side of the door. I'm on the other. I want to get in the door. Okay.

Speaker 2 (13:59.628)
Mm-hmm.

Speaker 2 (14:13.678)
Let's hear it.

Speaker 1 (14:23.222)
You have 17 different locks on the door. Okay. If I want to get in without your permission, now I could try to pick those 17 locks. It's possible. It's contingent on my ability to pick the locks. It's contingent on how much time I'm willing to spend to pick those locks. Or I could spend 30 seconds talking to you and convince you that I'm a good person and that I'm not going to do anything malicious. And you'll just unlock the door for me and let me in.

That's not a bad analogy because that's really how it's happening, right? Like, like, yeah, that's good.

Yeah. Someone gets a phishing email. They send you a malicious link. You convince the end user that you're a good person, that you are who you say you are, and that you're trying to do this good thing. Maybe you pose as someone that they often do business with. They click a link, they input their credentials. Bam, they're in. Right? Now, once they're in, that's that first step. Someone clicks a link for a phishing email. Now they're in. The attacker's in. They're gonna hang out. They're gonna start performing reconnaissance.

Because now that they've got credentials, they've gotten access into the environment, they need to figure out what all they can touch, what all they can access within that environment.

Yeah. And where everything is located, right? Like if it's a flat organization and there's not a lot of hierarchy in the technology, they'll be able to access things by just moving this way. Sometimes if they're going to launch things like ransomware, they have to escalate privileges to the admin level or super admin levels. So that way they could launch down works like that, right?

Speaker 1 (15:54.51)
Exactly right. And somewhere between them performing that reconnaissance is when we start moving into lateral movement. When they've discovered where all they can go to, then they start actually pivoting within the network, within the environment, accessing those critical assets, maybe gaining access to other privileged accounts potentially. And then at that moment is when we move into privilege escalation. So now, you know, they're moving on to the asset that they wanted. Let's say it's a file server. They've got

there's financial documents on there. They need to log in as a potential domain admin or something of that nature. And they were able to escalate their privileges to a super user, like you mentioned. And now they have full access. You know, they've got full keys to the kingdom to the files on that server, or even to the whole environment at this point, who knows. But then they start exfiltrating the data, taking it to potentially either just sell it, or to sell it and

keep recording, and then all in that same line is where we start to see, like, the ransomware extortion. So that takes time. That doesn't just happen.

you and extort you.

Speaker 2 (17:06.924)
Yeah, because they have to learn about the environment. They have to figure out what tools they're going to use. They use undetectable tools like covers so that people can't see them. Yes. Circling back to what we talked about earlier in the traditional model of IT support, while this is going on, nobody sees like the typical without the security operations center, like with eyes on glass.

Nobody's going to see this because they haven't knocked anything offline. They are just moving. It's just a it's just bad behavior inside, right?

Right, right. So, like, for example, if an IT admin, which you shouldn't be doing this, but I'm sure it's happened somewhere, if an IT admin wrote down a password to a domain admin account or even a local admin account somewhere, they just changed it temporarily. They wrote it down, had all the intentions to change it to something else and not have it written up, but they forgot. They got this, right? Someone's walking by and they saw it. They wrote that down. Then they went, you know, maybe back to their computer and they started using

those credentials to try to access different things. If it failed for whatever reason, like if they tried to access, like, a file share for some reason using those credentials and they couldn't access it, that's one thing. And if they could access it, it's a totally different thing. But in traditional IT operations without, like, a SIEM or a SOC behind it, you're not going to be alerted to those attempts, whether they were failed or successful, at all. A SIEM and a SOC

comes in and says, hey, someone's trying to use these credentials. We don't know if this is right or not, but we're making you aware. And then it's

Speaker 2 (18:53.016)
And then you can threat hunt and investigate and look into it and just validate it before you notify the... Makes perfect sense. Makes perfect sense. And then when ransomware is launched, right? That's when everybody finds out oftentimes, right? Because then nothing is working. Leadership gets a call. All of our stuff is down. We have to negotiate on a Tox channel,

Exactly.

Speaker 2 (19:21.614)
download the Tor browser and negotiate with a foreign adversary on the dark web. And most business leaders have no idea what that is, nor do they ever want to do it. Right. Because the people on the other line are extremely good at what they do. So, in that sense, that's when both the network operations center and security operations center, when everything goes haywire and everything goes south.

That's when that occurs.

Exactly. Yes. And you mentioned the dark web, just to throw that out there. If you watch, like, a lot of, like, CSI or NCIS, they use the term dark web and mainframes and things like that. Those things are real. They're just not using the right context. So the dark web is real. It's littered with credentials and other nasty things that are out there. But it's just things that typical end users can't access.

So correct.

Yep. Well, and throughout this whole process, one of the most remarkable statistics from the IBM threat report is, and attendees, you can Google this, right? Like, how long are attackers inside my network undetected on average in the United States? And it ranges because it changes periodically, but on average right now it's like 206 days. I mean, that is a long time.

Speaker 2 (20:54.358)
That is more than six months. To me, that's like somebody having stolen your wallet, using your credit cards for more than six months before you even know it's happening and can call the bank or do anything about it. It's really painful. It's the difference between breaches being in the news and being bad and breaches just being remedied and just being an incident.

Right. So I guess to kind of highlight that is you don't know if someone's in the environment without the SIEM, and you don't know how long they've been in the environment without the SIEM. Yeah. Until something is executed, typically like ransomware or extortion. So, and these bad actors that go into environments, they're smart about it. They wait. They take their time because the more that they cause noise, the more attention they get.

Right. So that's why we see these long periods of time where they're in.

Yep, absolutely. So you used the phrase SIM. So that means security information and event management, right? It's S-I-E-M, it's pronounced SIM like a SIM card in a phone. And walk us through what it does. Now granted, it's just the tool set, but it's the tool set that when used properly by a security operations center or security analyst actually gives visibility, eyes on glass,

to that network traffic and that bad behavior.

Speaker 1 (22:27.864)
Correct, yeah. SIM or SIEM, I'll leave it to you; if you call it SIEM, it doesn't matter to me. So security information and event management tracks and helps correlate logs for potential security incidents. So it pulls, let's take a standard environment, Windows Active Directory, it's pulling logs.

I won't.

Speaker 2 (22:56.622)
firewall, like firewall, cloud apps, stuff like that. Right. And all of these technologies, they put off events that are like raw events, that is just raw data that humans can't analyze. We couldn't do it. So the SIEM tool collects all that because they're kept in logs, and then it translates that into English for us. Correct?

Correct. It helps provide context, for instance. So if you were just looking at raw logs, for example, in Active Directory, there's a lot of noise, hard to pick out if there's actually something actionable there. What a SIEM will do is kind of correlate. It will pull in the logs from the firewall, pull in the logs from Active Directory, pull in the logs from Office 365. And it'll say, OK, on Office 365, someone signed in from Belarus. We know they're not from Belarus.

And then a few minutes later, we had the same IP from Belarus come through the firewall and log into a device on the network. And then it used the local Active Directory credentials from the Office 365 account, because maybe it's synced or something, and it just correlates it and makes it more accurate and enables your ability to ascertain whether or not this is something that's a potential incident.

Yeah. I mean, think about it. Like there's logs for everything, right? Somebody updates Adobe on their work computer. They're going to create a log for that. There's going to be a log. And so you don't want something alerting your IT or your security team, because you don't want to be going and investigating it. It's fine. Somebody just updated a regular app, but it still creates a log. So the SIEM actually filters, like, somebody's trying to download data to Belarus and somebody's just updating,

you know, Adobe in Ohio, like there's there's a difference in terms of risk there to the organization.

Speaker 1 (24:51.182)
That's exactly right. And like you mentioned, the SIEM is the tool. It's the solution. The SOC is where it comes into play to really make it more worth its value.

So analogies, because we love analogies. So an analogy is almost like it's almost like a security camera, right? Like there's a security camera top down over your whole home, right? Like in the, you know, yes, we could still let them in. Like you could still socially engineer us, we'll unlock the seven locks and let you in. But the point is, is hopefully with these things in place, you'd be able to see them walking up. You'd be able to see them knocking on the door.

you'd be able to catch them in the act or at least immediately once they got inside, right? Like once, once I let you in, right, you'll have cameras on that. You'll be able to see the person walking around the house and catch them before they're inside and camping out for six months.

Yeah, I guess to a small caveat that I say it's like a security camera that also can detect motion.

Yeah, it's one with motion detection. Yeah, like that.

Speaker 1 (26:06.412)
Yeah, yeah, like sometimes security cameras don't do that. And security cameras are nice because if you know someone broke in, then you have that, you can go back and look, but there's nothing there to tell you that it's happening in the moment unless there's, like, right, you know, a smarter camera that's

Right.

Speaker 2 (26:22.55)
like a motion detector, like an AI motion detection that can alert there is somebody there walking around right now, which a lot of them have now, which is good. That is a very good analogy to it. So that's awesome. So walk us through kind of what a SIEM platform does. And you've explained it pretty well, but we have this other beautiful slide. So I'd like you to give it some value and, like, walk us through it, because it does bring up a really good point.

Right. So again, it is just like a correlation of logs and events. So it's very hard for even someone that's, like, a standard system administrator. They are not, you know, that's not... cybersecurity is not their focus. Cybersecurity is not their bread and butter. And the SIEM can really help with the understanding of, here's the things that are happening within our solutions, because, like, Active Directory is incredibly noisy just in general.

It logs, if it's configured to do so, it logs and tracks, I mean, everything that devices are doing, yeah, and that accounts are doing, stuff that doesn't matter to us. So like if there's a file server out there that's hosting like a file share and you have your end users that are accessing that file share, each of those things are tracked. That's noise because not any of that is a problem for us unless...

someone's accessing a file share that they shouldn't have accessed. That's where these things like a SIEM come into play, because it's the correlation. It's the, this is a privileged user that is logging in and remoting to devices that it typically doesn't. Those are things, and activities, that a SIEM learns and that a SOC is able to alert on. That's relying on things like Active Directory and

the endpoint controls and the traffic coming in and out of the endpoint and the logging on, potentially, a domain controller. It's three different things that it's relying on to come and tell you that this might be a problem. Whereas if you're just looking at the one thing from one perspective, you may not see the whole picture. That's what the SIEM does: it just provides the context, it paints the picture.

Speaker 1 (28:45.038)
You know, one device, one endpoint, looking at the logs there, that sketches it out. The other things provide the shade and the color and really make it stand out.

Yeah, that's really good. And when you talk about privilege escalation, when somebody, when a threat actor, a hacker, as Hollywood calls them, like if they socially engineer somebody and somebody lets them in, well, if they can act as that person and have the access that the person that let them in has, right? That employee may not know how to move around that network or escalate privileges, but the threat actor will, right? And that's where their skill set comes in.

And when they do that, they might be using that employee's credentials or access to be accessing these things that the employee normally doesn't. And so it's like in that scenario, I'm letting you in the house and you're like, okay, we want to go upstairs to that master bedroom because that's where the gold is. And I'd be like, look, I just work here. I'm I don't have access to that. And they're like, well, just I'm going to show you how to get access and they're going to go up and they're going to do it.

But that movement and that accessing it when you really shouldn't be accessing it, that's the type of bad behavior that, before they launch, typically nobody would see. SIEM actually gives visibility to that.

I'll tell you another thing about that scenario is, at the end of the day, when you get an alert from the SIEM that someone's account is accessing something they normally didn't, once that's been remediated, you also have the information that that account was able to access this data.

Speaker 2 (30:29.079)
Let's.

Let's review if they should have been able to in the first place. So that's additional info that you may not have had before, from, like, potential privilege creep, and just, again, additional understanding of your environment that you may not have been aware of.

That's a really good point. So in terms of the goals of having security operations centers and leveraging a SIEM, what are the risks that businesses have? Walk us through some of the risks that businesses have without it. There are a lot. Like we pointed out one, and that is they feel oftentimes that they have eyes on glass already. There is monitoring of my network.

But it's not like there is monitoring of the network for productivity and optimization and IT support. But there's not monitoring of your network for security incidents unless it's too late and then everybody finds out because they've been in for six months.

Yeah. David, you run the risk of not knowing who's accessing your data. And maybe it's not your data. Maybe it's customer data or government data, but data that you, as the business, are supposed to be protecting. Right. So that leads back to your negligence thing with common law and daily regulations we were talking about prior. So you run the risk of not being aware of who's accessing your data, who shouldn't be and who should be. You run the risk of running into trouble

Speaker 1 (32:02.284)
with compliance and regulations if you don't have these solutions in place. Cyber insurance will take exception to the fact that you don't have these tools and solutions in place, particularly if you have to file a claim because of a security incident. And there are also the other intangibles that come with potential breaches and incidents, like reputation damage.

How long, if they execute ransomware, how long am I gonna be down? You don't know how long you're gonna be down, things like that.

There's a whole bunch of things that organizations don't really think about. There's the... 'cause everybody talks about all ransomware attacks. What are they asking in the ransom? And they think that's the only cost. That's like a quarter of the cost, right? Like there's the ransom itself or the extortion amount so that they don't leak the data, right? It's still extortion. So it's the extortion costs. Then there's the downtime, and the average

for a small to mid-sized business, depending on your industry, is between 18 and 23, 24 days right now in the U.S. for organizations with fewer than 200 employees. That's a long time to not be productive, right, for an organization. So there's business loss there and there's business cost there. And then there's the restoring of devices, refreshing, getting new networks, getting new tools in place, systems in place, should they be damaged.

And should they not be able to get unencrypted, should they have launched ransomware. Right. And then there's the long tail: customer trust, reputation, harm, things like that, that are quite difficult to calculate. Although in hindsight, after a few years, you can go back and see the arc of it. Like if it's a publicly traded company, that's easy to measure because the stock price went down,

Speaker 2 (34:03.584)
still stayed down for a long time, right? Or they had to sell off assets. In the private, non-public sector, then there's all the others, right? The lost customer trust, the contracts that might get lost. Then there's also the regulatory aspect that you guys get involved in, right? Like when auditors come in or after there's a claim.

There could be, if it's HIPAA, there's gonna be an investigation. There could be fines. There could be audit costs and exams and things like that as well.

Mm-hmm. That's exactly right. So, I mean, there's just so many facets to the different regulations that drive your business that unfortunately the SIEM and the SOC have become very much tied to. So not having it would be very detrimental to you at this point.

Yeah, because it's really, to me, it's always, and I don't want to digress, but to me, 15, 20 years ago, we were all aware of these things. And as security people that are passionate about protecting organizations, like we thought everybody should have it and it was great, but it didn't really make as much of a business case to do it back then because look, we had computers in the office and frankly, if they were down for a couple of weeks, we were still fine. We could still function. We could still pay employees.

Engage with customers. We still had paper versions of everything. The last 15, 20 years, we've all gone through digital transformation. When's the last time we went to a physician and the nurse came in with a stack of our medical records? Like it doesn't happen, right? It's all on a tablet. It's all on a PC. Everything's been digitized. And so because of that, there's risk. And when things go down, because we're more reliant on the technology for everything we do,

Speaker 2 (35:58.808)
there's those blurred lines between that physical realm and the digital realm. So I mean, to me, it seems it's more of a standard now. Now it's something that, to understand what your risk is and to know as a business leader what your risk appetite is, you need to know what it is. You need to be able to see, you need to have visibility. And that's what this provides. Makes perfect sense. So walk us

through the difference between just the tool and what the security services are that leverage the tool. You've touched on it already, but kind of tell us like a typical stack in a small to mid-sized business and then things that you're not able to see.

So lots of different tools here on the left: firewall, antivirus, email encryption, you name it. We preach a multi-layered defense in cyber security, everybody does, and you should. There is no tool that is a hundred percent effective. If there was, David, you and I wouldn't be sitting here.

No, we would be on board with that one tool if it existed, but it doesn't exist.

Exactly. So we preach a multilayer approach. The issue with that is they don't talk to each other. They might log in there, but they don't talk to each other. That's why SIEM exists. Again, going back to that correlating logs, because firewalls, antivirus, email encryption, those things don't pick up.

Speaker 2 (37:34.094)
Really good. SIEM kind of pulls it all together, doesn't it? SIEM is like the one, and I hate to use that phrase because everybody's tired of it, but that one pane of glass that sees all the different sets and pulls it all together.

We kind of made a problem for ourselves with the whole multi-layered defense thing. We came up with all these different tools that do wonderful things, and then we were like, wait,

I'm gonna see all this? I was supposed to look at all this stuff?

The industry made the SIEM, right? And that's, you know, that's why we're here. But like insider threats, those aren't tracked. Again, the analogy about someone being behind the door and just getting in there, and they're behind all the defenses, right? Insider threats. If you have like a disgruntled employee that already has the access to the data, you know, and they take it, you're not going to have a solution in place that might alert you that someone downloaded this document

that probably shouldn't have been downloaded, for example. So having all these different tools is amazing and we need to have, again, that multi-layered approach, but without some sort of correlation or aggregator, you're gonna be blind to what occurs as the events move from one tool to the next.

Speaker 2 (38:52.856)
So really good point. Yeah. And so things you wouldn't see are things like backdoors, malicious software, insider threats, ransomware, suspicious logins, lateral movement. Right. I mean, that's right. And those are the things that bring organizations into the news for data breaches. Right. And so without

The antivirus would catch malicious software. That's the expectation. But there's questions to ask about that. How did it get there?

Well, an antivirus is stopping known malicious software. The last time you updated it, whatever that vendor knew was bad, it has its whole list of bad code and it's blocking it. But then the next day occurs and hackers aren't dumb and now there's new code. And so that's why antivirus isn't enough anymore. It's still required because it does block the bulk of it.

But we're not worried about the bulk. We're worried about the outliers.

That's right. So like the new things: polymorphic viruses, malicious code that, you know, can change itself, or just things that are completely brand new that no one's seen before. That's not going to be captured by your traditional antivirus. But in an IT operations world, traditionally we work break-fix, right? Something's broken, we fix it, we move on. We're asking the question: that broke. Why? How? That's what a SIEM's trying to help with. So like malicious software, how does it get deployed? How?

Speaker 1 (40:26.106)
Did someone go to a website they shouldn't have? How'd they get there? Well, right, so...

Well, to me, that's where the blurring of the lines between the physical and the digital occurs, and the blurring between our private lives and our work lives, because a lot of us, we use similar devices or we access personal things from work devices. And there's all this blur, or we have our phones, which are computers, and pull in all of it. Right. And if we don't have those habits of being vigilant

in our personal lives, then we're bringing that right to work. We could click on ads, go to rogue websites, bring in malicious info stealers and stuff like that. And then meanwhile, then we go log in at work and it's coming right in with us.

Alright.

So it definitely has a strong value. So in terms of real world examples, what can you, I mean, obviously without telling us the, you know, the client names, because I know as I've explained to people, like we get called in a lot of times as first responders, right? Like we get called in when there's a breach and they're not currently our client, but we get called in to triage things,

Speaker 2 (41:45.838)
or we get, you know, we've been able to leverage SIEM in our security operations center services to catch something before it is technically a breach. Like what can you share? Do you have any war stories? I know you do, 'cause I've heard like 50 of them, but what can we share with them, uh, that would be relevant?

Business email compromise is the most common attack we see today and is undoubtedly the most common one that we have to respond to.

So what is it from a high level? What is business email compromise, at a high level, for anybody that might've joined late?

Yep, someone's business email is compromised. Their credentials are stolen and/or leaked, or just flat out provided to a bad actor through a phishing email. Or even social engineering is possible in that scenario.

Or they buy it on the dark web, because people again in their personal lives are using the same password on Facebook and Instagram and LinkedIn that they are for work, right? Which, by the way, we're not supposed to be doing. And then that gets leaked or stolen or socially engineered. And then they log in as you at work.

Speaker 1 (43:09.876)
Lots of precious data is stored in users' Outlook caches,

And in sent folders, right? Like I've talked to hackers who, immediately when they get into somebody's Outlook, they're going to the sent folder because they've told me, like, look, people forget all the confidential data that they sent out in between teams and, you know, internally. And it's all sitting there still from six months earlier, right in their sent folder. It's really a great point.

Once they're in there, they're going to hang out. They're going to start, like we were saying about the timeline of an incident or a breach, they're going to do some reconnaissance to see what you sent, see who you've got access to in terms of contacts. They're going to look at potential data that you've sent out before to take copies of. And then they're probably going to do some things like set up some rules in your Outlook to hide themselves. Because what

does that mean? Like, explain that to us.

So what we often see is they start targeted attacks from that account that they've compromised that they have access to. This is different from a spoof. They're not spoofing because it's your account.

Speaker 2 (44:24.632)
Right. They are you online. Yeah. That's the scary thing. They are.

Anybody that they email, it's going to look like it's from you because it's from your account. So they're going to start making some plans of either sending some targeted emails to, like, perform a wire transfer, or some things that we've seen before, or they're going to start sending out mass emails on your behalf to your contact lists to try to reach either other companies or other accounts. So what they'll do is they'll set up Outlook rules,

and when they send those emails out, the expectation is that they're going to get replies. Well, you and the bad actor are going to be logged into your account at the same time. You don't get kicked out just because someone else logged into your Outlook. So if you're looking at your Outlook and you start receiving replies from an email that you never personally sent,

You didn't

then we have a problem. So the bad actor has to hide that from you. So they create rules to say, okay, any replies with this in the subject line, send it to deleted or send it

Speaker 2 (45:33.352)
So then you don't even see that you're being compromised.

You don't see it. And then they can be in

It's like they've done this before. It's like threat actors know what they're doing.

Yeah. Wow. And then from there, they're able to, well, do a whole bunch of social engineering things and to get access to sensitive information. Right.

Yeah, and that causes a huge problem for particular verticals, like, let's just say, healthcare, for example, PHI.

Speaker 2 (46:10.702)
And there's, yeah, there's no alerts going off because nothing's gone offline. Right? Right. Like in general, without the threat hunting inside Microsoft 365, we call it ITDR, right? You know, identity threat protection, which we provide, but without that, and a lot of our clients do have that, but a lot of organizations we meet with don't even know about that or don't have that. And

That's one of the things that can capture that, which is really key.

Yeah, it doesn't have to be healthcare either. It can be banking. You know, they have to report incidents within a certain set period of time. Then the question becomes, boy, did they access PII? Did they access customer data? Like, to notify these people that this has happened. And SIEM is really important in that effort as well because it keeps the logs of what's been accessed, right? Of the data.

And all the forensic work can be found so you can find out and go back and say, here's really how it happened. Here's how we didn't know it. Here's how we discovered it. And then that's how we start.

Correct. So, you know, if you're in a scenario like that, getting that data is valuable, especially if you're going to talk to your cyber insurance, because they might have a forensics team on standby for you. They may not, but they're going to look for that data. They want to know.

Speaker 2 (47:41.474)
Yeah, because depending on what you put on that application, there could be reasons to decline the coverage, which they want to find first before they spend a lot of money. Right. There's a whole bunch of different things going on in the background, which is good, because by having security operations services and a SIEM, you're like, that's what the insurance companies want you to have in the first place. So

By having that and being able to get that data, you're so much more protected than just the actual even services that it is providing because it's tying together all the other things that you have. That's really good.

So why walk us through kind of...

why a SIEM needs to be managed by a security operations center. We kind of have touched on this, but briefly as we wrap up, I mean, there's a modest investment in the SIEM and the security operations tool set. There's clearly a return on that investment in terms of the lowering of risk, the mitigation of damages and what that actually means to you

as a client in financial dollars. But like in terms of a client, and they want to just go buy a SIEM tool and give it to their IT person, right? Like why is that not ideal? And it's not just because we provide the services that can help. It's really because it's really not that effective. Like, as brilliant as the person is, right, they don't work 24/7, 365, right? They don't have shifts, and

Speaker 2 (49:31.67)
At that point, you're trying to build a security operations center yourself, which is really not cost effective, generally speaking.

Mm-hmm. Oh, yeah, overhead's a big problem when we talk about a SIEM. Again, I know it's probably like the fourth time we've reiterated it, but as a log aggregator and collector, there's a lot of data there to try to parse through. SIEMs do a pretty good job at providing you what's actionable, but there still has to be someone there to look at it and to review it, and potentially

And to know the difference between what's a false positive based on their experience and their training. And, you know, because a false positive is a wasted resource that is like you're heading to the building. It's down the street. You hear, you know, there's a dark alley over there. You hear some rustling. So you spend the next hour and a half going down there to see if there's anything bad. You come back an hour and a half later. There was nothing bad. And now you're still walking toward that building. You're like,

And if I keep doing this, every time I hear something that's not real, it's a huge waste of time and resource.

Exactly. Yeah, I mean, antivirus solutions have false positives. SIEMs have false positives. It's just the nature of it. Again, it's not a hundred percent accurate. It's not a hundred percent foolproof. If it was, we wouldn't be sitting here.

Speaker 2 (50:50.338)
Right. That's where the human element comes in, to be able to discern the difference. Right.

But your person, your internal IT, may not have the time, may not have the bandwidth. So asking them to parse through all those events and things that a SIEM might provide them just may not be feasible, just based off of time. The other issue is they may not be the appropriate personnel to actually make that determination of whether something's actionable or a false positive or not. Typically, you know, what we would anticipate from SOC analysts is that

you know, they have cyber security background expertise, that they're certified in cyber security to some degree. They understand what these different types of attacks might be trying to do. They understand, you know, at a glance, what the potential impact might be, or the different aspects of their IT that might have been touched as a result of that. So, like, again, going back to business email compromise. It's not just their email account that's compromised. What else do they have in there? Did someone send passwords in their email? What were those passwords?

What does that have access to? This user account, is it synced to local Active Directory? So they could have potentially logged in to the domain and done something. You can see how it goes, you know, different areas. That level of expertise and that experience may not be available to that IT person or team. That is what you might anticipate to actually review the SIEM. So labor costs, skill sets.

what?

Speaker 2 (52:24.81)
It's often more expensive, like when you go and you buy the actual tool itself, you've got to be paying for all that storage for all those logs, and you wind up storing a ton of data that you don't need. And you end up spending all this for something that, as brilliant as the internal IT resource can be, like, it's not a knock against them at all. It's more a matter of biology than anything else, than technology, because

as brilliant as they are, they know what they know. They don't know what they don't know. And they can only be in X number of places at once and can only work so many hours. Right. And while they're doing it, and they have to go remediate something that, let's say, they actually found, then who's watching the SIEM during that time? Like there's a whole bunch of real life scenarios where it really does make sense to use a service that does that for you. And then that's

that internal IT resource that makes them even more strategic, right, and more valuable to the organization.

If you're gonna keep it in house, you gotta have the personnel and you have to have the infrastructure

Absolutely. Yep, that's excellent. So if anybody would like to find out more, we offer a no-cost tech-forward workshop where we will put up best practices, put up compliance controls, things like that that are relevant to you and your initiatives. Give you, you know, identify what you're currently doing today. Identify gaps. Find a good road map

Speaker 2 (54:05.282)
that makes sense for you. And we do that in a collaborative whiteboard manner. And it's all done at no cost with no strings attached. So if anybody has any interest in that, we welcome the chance for you to sit down with one of us and learn what good looks like, what great looks like, and kind of chart your course to securing your organization's brand.

Braxton, really, thank you so much for spending the time with us and walking through this. It was really, it's really enlightening, and I love the analogies. I'm always looking for good analogies. And you know, the one thing that we like to explain to small to midsize businesses is you don't have to do every single thing under the sun, right? Is that a fair statement, Braxton? Like,

The truth is that attackers might not necessarily be looking at you, your organization, but they're looking for the open doors that are out there. They're looking, they're running campaigns for vulnerabilities. They're going through like-minded or very similarly suited organizations, just like yours. And not having the resistance is going to be that open door, right? Picture in your mind

a robber, like a bunch of cars parked at the Target parking lot. And threat actors are really the robber that is walking by all the car doors and just seeing which ones are open. Yes, they can always break the glass and do that, but that's going to cause a scene. Security cameras are going to go up, whatever. Right. And they're going to get caught. So what they're doing is looking for the low-hanging fruit. They're looking for the ones that leave the car doors open. And that's really the key.

And what SIEM does is keep those doors locked and have cameras on the car, right? Like it's able to record it afterward for posterity's sake when you'll need it, but it's also able to catch it in the act. And that's really important. So to find out more, please reach out to us. If anybody has any questions, we are happy to address them, or we can address them later if you reach out. But we thank everybody for attending.

