It's CSOC o'clock! In this episode, we dive into the high-stakes world of cyber defense with the manager of cybersecurity operations at a critical infrastructure organization. From ransomware threats and zero-day exploits to the rise of nation-state-backed Advanced Persistent Threats (APTs), our guest reveals how security teams manage 24/7 threats, the mindset it takes to thrive in cybersecurity, and why community collaboration is becoming essential in cyber warfare. Whether you're an IT pro, a security hopeful, or just curious about what keeps defenders up at night, this episode is packed with insights, laughs, and the real grit of the job.
Sean Sebring:
Welcome to SolarWinds TechPod. I’m your host, Sean Sebring, and with me as always is my co-host, Chrystal Taylor. If you’ve been keeping up with episodes lately, you’ll notice we’ve been talking a lot about security. So to securely unpack a look into the day-to-day of security, the mindset, and what keeps you up at night, let’s talk to Ryan, a manager of cybersecurity operations. Ryan, would you tell us a little bit about yourself?
Ryan:
Hey, my name’s Ryan. I am the manager of a cybersecurity operations center in critical infrastructure here in the United States. And we have a good time trying to fend off all these threats day-to-day, every hour on the hour. It’s never boring. That’s for darn sure.
Sean Sebring:
So, excited to have you here. In our most recent security episodes, we’ve done a lot of talk about transitioning into the career. We don’t have to dive into that. Today, we’re going to take a different approach. But if you could, just give us, if you don’t mind, a little exploration of what brought you to this role.
Ryan:
It’s actually kind of funny. I never thought that I would be in a cybersecurity role. It was not part of my grand design. Initially, I had actually started studying video game design. So I worked at multiple video game companies in the past trying to break into that, doing support, and it was cutthroat. It was a terrible time. They pay you terribly and they’re not nice people. You don’t really have a lot of creative freedom.
And so, from there, I got an offer to do service desk in an IT firm randomly. It was better pay. I already knew most of the stuff that was going on. So I thought, “Why not? Let’s give it a shot.” And then from there, I kind of fell into a cybersecurity team because of what I was doing with the service desk and I just fell in love with it. I was infatuated because it’s always a puzzle. It’s a brain tease every day. Just going through this stuff, breaking things apart, tearing them down, looking into it, doing the research. It’s never boring. It’s always enlightening and it keeps me going because I am very distracted. I have ADHD like no other. And so, this scratches that itch that nothing else really could.
Sean Sebring:
I love it. I think that’s a good kind of segue because you mentioned all the excitement that goes on about it. So one thing I’ve tried to crack into in these episodes, and I think you’ll be great to help us feel what it’s like to be in the shoes, is what’s the sequence of events in your day-to-day? From identifying a threat to what you do with that and to how you go about both mitigating and then we’ll kind of roll that into what’s next after this.
Ryan:
Before you even get into the actual incident or anything popping off, you want to make sure your tools are tuned, because we’re getting a bunch of false positives. You essentially have security tools that are just crying wolf over and over again and it’s going to be ignored. It’s just part of human nature. You could be one of the best security researchers or analysts on the planet. But if you have that much noise, it’s going to get under your skin. So after that’s all done and the big heavy scary lift of tuning everything is completed or at least further along, because it’s never really complete, right? Then you get to the part where an incident occurs.
And so, first, the adrenaline comes in, you’re like, “Oh, no. This is terrible.” But also, you’re just really excited at the same time. You’re just like, “Oh, I get to finally put some skills to the test.” And so, you do the dive. So at this point, you want to enact… Usually, if you’re mature enough, you’ll have an incident response plan in place. So you want to have your team picking apart what’s going on logically. You don’t want everybody just running around with their heads cut off. Because then, you’re not going to get anything done. And these days with cyber and a breach, it takes little to no time for an adversary, if it is indeed a true positive, to actually get in your network and start taking things apart. Ransomware happens in minutes, so you want to be able to move on this as quick as possible so you can look into it. So you have some subsets of people that are looking at the logs, seeing what’s going on, and correlating them with other logs and other systems. Seeing how they traversed, what’s going on with these accounts.
But you still don’t want to sleep on any other new incidents or alerts that are coming in. Because this might be a false flag operation and they’re just trying to distract you here, while secretly they’re trying to sneak in a different way. And so, it depends on the flavor of the incident. But you certainly want to pick it apart and dive into it, but not rabbit hole, if you will. You want to get into it and touch and go and try and put together the pieces of what actually is happening in the network.
And then, from there, you actually start mitigating or at least trying to, once you get the whole map of everything that happened, start trying to mitigate it. But once again, it comes down to logic. If somebody’s been on a system for days and you’re finally getting an alert, you aren’t going to want to cut it off immediately because they don’t know that you know that they’re there yet. And so, if you cut them off, they might have some logic bomb or something else sitting on your network ready to go off in case you catch them. So it really is like a ridiculous game of stupid internet chess but I love playing it.
Sean Sebring:
So you said chess, I was thinking like Dragon Ball Z. You both fire a Kamehameha wave and whoever clacks on the keyboard harder wins the energy blast battle.
Ryan:
I mean, that… I wish it was like that. But instead of me getting more powerful at the end of the fight, I just end up more tired.
Chrystal Taylor:
Well, you mentioned a couple of things there that I want to ask you more about. So you said it’s important… The first thing you said was it’s important to keep your tools tuned, so what… And you don’t have to mention any vendors or anything like that, but what are the tools that you use in the CSOC? And also, is all of what you mentioned one person doing all of that? Is it like a team of people and everyone has their own role? Expand on that a little bit for us.
Ryan:
Yeah, yeah. So the only tool we use is SolarWinds. I’m kidding. I’m kidding. But no, I’m not going to plug any other vendors or anything like that because it really does depend on your environment and the tools are constantly getting better. So what might be top tier today, a year from now, somebody is going to have a better suite. And so, just as a general overview, you’re going to want to have an EDR/XDR solution. So endpoint detection and response or extended detection and response, which is your basic malware scanner kind of thing from the past that kind of evolved into being called EDR solutions.
So you’re going to want to have something like that so you can protect your system, whatever flavor works for your company. You’re certainly going to want to have a vulnerability scanner because you want to make sure your vulnerabilities are patched in all your systems. As much as you’d like to believe that your system for teams or that your service desk or whoever is patching those all the time, things are going to slip through the cracks. Let’s be real.
You’re also going to want to have, the big, big one is a SIEM or Security Information and Event Management system. What this does is it correlates all the logging from all of the different tools in your environment, whether they’re security or not, and puts them into one location. So that way, you can paint that bigger picture easier. It is difficult to master a SIEM but it is absolutely necessary, in my opinion, to have one of those in your environment. And certainly, there are other tools you could want to add in there that would help, but there’s no need to go down that too, too far. But just by doing a bit of research, you can find out what’s out there and what they’re capable of.
Now, as far as your second question for who does it, once again, it depends on the company. So for where I was at initially, each of our tool suites like the EDR, the SIEM, we had SMEs for each of them within my team. So they were the ones to go to, they knew everything. I found that to be a potential shortcoming. So I went ahead and cross-trained my team, so we’d have a backup SME for each of those tool sets. But they’re all at least versed in the tools. They may not be experts in every tool, but they know each tool in and out and how to get around in them and how to mitigate things within said tool sets.
Chrystal Taylor:
I think that the problem with having single SMEs is that you run into bottlenecks like, “What do you do when that person goes out?” I mean, you’re talking about something that you’re having to keep tabs on every hour of every day if what you said earlier was true, right? Security threats are persistent. And I was going to ask you, to that end, I don’t know how long you’ve been doing this, but have you seen it change much in the last couple of years? It seems like, from public perception, and this could just be because there’s more conversation around cybersecurity in the public perception now than there used to be, but it seems like it’s gotten more prevalent and just more. There’s more of them and more of it happening all of the time. Is that something that you’ve experienced and has that changed how you address any of that from the day-to-day over the last couple years?
Ryan:
This is an excellent question and I thank you for asking it. Because now, I get to plug myself here, or at least the security community as a whole. For the actual job itself, it certainly changes, the tools have changed. The mindset stays the same because it’s more of a mindset in my opinion. Yes, you can be a master of any tool, whether you’re in security or networking or whatnot. But you have to have the mind to want to constantly learn and to keep staying current with current events.
Now, it has changed on the other side from the perspective outside. So before, when I started, which I think I’ve been in the industry for 10-ish years now? Either way, time’s but a construct, right? But it certainly has shifted. Before when we were in there, people did not want to fund security teams. They did not want to give the money for the security teams to get their tools. They didn’t want to bring on the staff. And it’s because security does not… It doesn’t gain any money. It doesn’t get any money for the company. It just prevents loss.
And until the companies actually saw that happen, then they’d fund it. That’s after that, “Oh. Holy crap,” moment where they get got and they’re like, “Now, we’re going to fund it.” But at that point, it’s too little too late. That security team… I mean, I would get out of there. It’s like, “You didn’t fund me before. You should have listened. It’s too late for you to come asking me for forgiveness now. You’re going to tarnish my reputation. I’m out of here because you won’t listen.”
But now, we’ve seen a shift. And because of the news, because of the whole world, and everything that’s been going on, companies are starting to fund security with all these ransomware attacks. And getting got for especially a public company, could be at least the end of your business for a year’s time if you can recover from it. I mean, like the Target hack that happened. They are very lucky that they’re a huge company. It’s Target but even that got them some bad press and they weren’t doing great for so long. So it’s started to shift in a positive way. It is definitely a positive way.
Sean Sebring:
Speaking from a broader IT perspective, I feel that that paradigm shift has taken place for most parts of IT. Trying to look at it instead of a cost center as a value center, right? Loss prevention should absolutely be something that is considered valuable because risk is always there. If you assume there’s no risk and you’re erring on the side of, “Eh, let’s just… What would a perfect world be like?” You’re in for some trouble, as you’ve mentioned. And as sad as it is when it happens to an organization, the way it’s publicized just helps other organizations, especially if they’re in the same industry, realize, “Oh, I don’t want to be next. I don’t want to be next.”
Chrystal Taylor:
Yeah.
Ryan:
Definitely.
Sean Sebring:
So if we go back to kind of the day-to-day, you had taken us through the excitement, the adrenaline rush of seeing it. And you did specify, try not to rabbit hole, and this is mostly while you’re in the security event, the incident, right? It’s mostly while you’re in it. You got to do your research. Now, that research, I would imagine after you’re secure, you’ve come back from whatever it is you needed to come back from, now you can rabbit hole. So this is where I kind of want to understand. Because to me, puzzling things out, looking where is the end of the trail almost is one of my favorite parts. Of course, you got to take care of what needs to be taken care of right now. But let’s go tangential into APT. What does that stand for again? I keep forgetting.
Ryan:
It stands for Advanced Persistent Threat. And so-
Sean Sebring:
Okay.
Ryan:
Yeah. These are the groups that are generally state-sponsored. They have countries to back them. A lot of these individuals are trained as children from a young age to be cyber professionals so they can do that work. And it’s impressive and absolutely terrifying at the same time because these are top tier of the cyber people in their country. They know what they’re doing, how they’re doing it.
Sean Sebring:
And heavy sponsorship too, I’d imagine, you’d mentioned in a previous talk-
Ryan:
Full-
Sean Sebring:
Yeah.
Ryan:
I don’t mean this to be doomy but it’s kind of terrifying because it has the full backing of a country. So seemingly unlimited money, but also not only because they have that and that is their job, we are seeing a lot more cyber warfare happen. That’s another reason cyber has started to get more backing because these groups actually have started hitting the public eye. It’s been the last decade or so is when they’ve really started to take off.
But specifically within the last five years I feel, they’ve really been making their presence known because a lot of these countries have found out that it’s way cheaper to wage war in the cyberspace than it is to put boots on the ground. It’s also harder to track on who’s attacking you if you can cover your tracks enough so you can wage full-on warfare in the background without risking physical life and spending all of that money on military and risking a World War III, for example. And so, even leading up to the war with Ukraine, Russia was attacking their infrastructure with their cyber folks ahead of time. And in return, if I recall correctly, Ukraine was using their cyber folks to shut down the rail systems so Russia couldn’t get stuff into the country. So the cyber warfare even started before the regular war even happened. It’s honestly wild to behold.
Sean Sebring:
Yeah. And you need to analyze these trends kind of ahead of time to even understand, is the cyber war taking place now? And you had given some examples when we were preparing for the episode of, I would say, classic misdirection potentially or even ulterior motive. And your specific example was about maybe some threats against public services, right? What that threat was, does it really represent what took place there or was it misdirection or for gathering purposes for something different?
Ryan:
I mean, at this point, all I have is just an educated guess because the misdirection is good. These people are good at what they do. They aren’t sloppy, they aren’t script kiddies, if it isn’t generally an APT. But it’s known that a lot of different APT groups are after each other’s infrastructure. I mean, ours is certainly. The water sector specifically here in the United States has been under heavy attack to the point where CISA themselves, which they help us out a lot, but they actually put out some guidance because a lot of these wastewater facilities were getting hit. And they didn’t have proper security personnel to help assist and prevent these attacks or their defenses just weren’t shored up because it wasn’t something they really needed to think about. I mean, they were wastewater. Who wants to come after that? Well, it turns out everybody because water’s very necessary.
So they’re trying to clean that up but it’s hard to tell with even energy. It could look like it’s coming from Russia, but it could be China that’s actually pretending to be Russia so that they’re trying to get America to be mad at Russia. Or some other country trying to start something up like that too or they just cover their tracks entirely and it’s just really hard to deobfuscate to see exactly who it is, where they’re coming from, except for time later with actual government resources for ourselves to look into that because… I mean, my team is only so many people. I don’t have the full backing of the government like that. So it’s hard to find a way to unravel that without some assistance sometimes. It’s preventing, mitigating, and all that fun stuff. But seeing exactly the bigger picture is difficult to do.
Sean Sebring:
Now, it’s that mindset you were talking about. You kind of just went on a great tangent to express that it’s a mindset, right? Ask seven different questions about a single scenario, “What could they possibly be after? Well, why would they do this?” And you mentioned, “I don’t have unlimited resources or bandwidth to do that,” right? In your role, you don’t. Just out of curiosity, are there dedicated roles to, “Hey, we want you to tell us about an idea or a concern or a trend you might be identifying. We’re going to go deeper into that,” or does it all kind of stay within an organization because they don’t want to share that information?
Ryan:
It’s funny you mentioned that. So within our organization, we certainly encourage that. So even if it’s outside of the cyber department – and within – if anybody has an idea, there’s no idea that’s a dumb idea. We want to be approachable people. We aren’t the shut-in nerds who hide in the closet Gollum-ing all the time. That’s a thing of the past. We’re pretty sociable people, I like to think. So those ideas, certainly within the organization, but I’ve been branching out myself. I’ve started an initiative to reach out to other power utilities within the United States, to their cyber departments specifically, to see what they see trending or what tool sets they’re using.
Because a salesperson is going to pitch you their product regardless of whether it’s going to be a good fit or not, but the person actually using it is going to know better. And the person that’s in my specific industry that’s using it is going to know even better than just a general cyber person. But also, working with them to see trends on what they’re seeing hit their firewalls, their intrusion prevention systems. It’s very helpful for us to be like, “Oh, yeah. We’re seeing that too. Let’s take these logs, let’s dig deeper, see if we can get anything else out of it,” or that way, we can just proactively block it.
It may not be getting through but it never hurts to add an additional layer of security to it. But I found that to be very helpful because the reality is, especially in the United States, the power’s interconnected for most of the states. I mean, if you bring down enough utilities at the same time, the grid’s going to go down. So it behooves us to work together because we’re going to see the same tactics across the board. If it is indeed an APT hitting us at this point in time, they’re going to be the ones that could bring us down and they’re going to hit certainly more than one utility. They’re going to do it all at the same time. And so, working together, I find, to be helpful.
Chrystal Taylor:
So everything that you’ve mentioned so far has been really about critical infrastructure and things like that. So would you say that these are things that you need to be worried about if you don’t work in critical infrastructure? Like if I was working at just a corporate entity that doesn’t have anything to do with education or healthcare or energy or whatever, where I’m not supporting any of that critical infrastructure, do I also need to be concerned about APT or other threats? How much time are we investing in that and should companies be spending more time? And do you have any advice for anybody in these roles to look for that kind of stuff?
Ryan:
Definitely. I feel that any company, regardless of how small or large you think you are, should be worried about it because you never know what angle the APT might be coming from. Something you think may not be relevant is relevant to them. They may be seeing something that you are not. I mean, heck. Not even a year ago, Krispy Kreme got ransomwared by an APT. Why Krispy Kreme? I don’t know. Maybe they just hated their donuts, but they still got got and it still made their customer base suffer. A bunch of stuff got leaked, I think. Don’t quote me on that, but they did get got and I know it did have a public impact. At least, the public eye was on the story.
What was the value of attacking Krispy Kreme? Not sure, but they saw something there to go after them and they did it. So I’d say still be wary about it generally, because there’s always something of value in a company. No matter what it be. Maybe it’s just a ransom and they just want some money. Maybe there’s something else. Maybe you’re connected to a different company in some way. A business-to-business connection, that they want that specifically, but they have to go through you because you’re the easier target. It depends. And I’m sorry. What was the second question?
Chrystal Taylor:
The second question was do you have any advice for people, right? We’re trying not to be doomsayers over here or get too in the weeds of like, “It’s terrible out there.” But also, you seem to really enjoy doing your job. And if that is the case and you really enjoy the puzzles and all of that, do you have any advice for people who maybe don’t work in critical infrastructure but do still need to be on the lookout for stuff like that? They’re not necessarily trained to do all those things, so what should they be on the lookout for? Do you have any advice for them, is the question.
Ryan:
Definitely. I mean, certainly make use of the resources that are free on the internet. There are plenty of articles, plenty of indicators of compromise and tactics and techniques used by these threat groups and just other individuals who may not even be affiliated. They’re just hackers for fun or script kiddies for fun. So as long as you stay current on the news and all of that fun stuff, you’re sitting pretty already there because you’re staying educated.
I know resources can be limited if you’re not part of a larger company, but there are a lot of different cyber groups that are more than willing to help out. I mean, even my company, once again, not going to name it. But even we help out smaller utilities that can’t afford a full-fledged cyber team because they need it. We have the resources, we’re going to help them out. Outside of that, I’d say certainly join your local DEFCON group. So DEFCON’s a conference where a bunch of cyber folk get together.
It’s usually in Vegas, but not everybody can afford to go to that. And it’s busy and I get it. And some companies, if you’re trying to get a company sponsorship to go, won’t pay for that either. But in almost every city, certainly every major city, there is a local group that meets at least once a month you can join. You don’t even have to be in cyber. You can just show up. They have a bunch of presentations. You’re going to meet a bunch of cyber folk. Or maybe not cyber folk, people that just have that same mindset and it’s good networking. It’s good education. And I mean, honestly, it’s just a good social time. So I’m definitely going to plug them every time.
Sean Sebring:
So you’ve brought up community a couple times and I want to pair that with the fact that you’ve also mentioned the question like, why would they do that, right? When we were talking about Krispy Kreme, why? I don’t know. So it sounds like especially if you can create or join or be part of a community, industry specific might be even better, right? Because you can bounce ideas off of peers, competitors, however you want to look at it. You ideally both have the most altruistic goal of, “How can we all stay secure?” But saying, “What’s the most valuable in our industry? What could they be coming after? What should we focus protection on?” And again, if you’re doing it in a community sense, you’re getting ideas that you may not have thought of, or sharing ideas that they may not have thought of. And yeah, I like the idea of, “Let’s grow together. Let’s make things secure together,” and the community aspect of it.
Ryan:
I mean, the larger cyber community has been there for a while. But industry specific has not really, as far as I’ve seen, taken off as much because people are worried about competitors or somebody stealing that kind of data or whatever it may be. To a cyber person, I find it to be irrelevant because we’re trying to protect this. It’s not like we’re giving away company secrets or anything. If you have a specific script that I can use in my SIEM to look for a certain type of indicator of compromise that I don’t have built yet that I’m like, “Oh, that would be very useful,” I’d love to have it.
But I think it’s that corporate mindset that’s still preventing a lot of cyber folks from bleeding over in that gap. Because once again, we aren’t gaining any money for the company. We’re just preventing loss. So if I can talk to somebody else that’s in the same industry, even a competitor, that can help us prevent that loss, definitely. It’s not like they’re going to be sabotaging us. I mean, cyber community is still a very niche role. A very small community, rather. And so, you’re going to burn bridges if you start hosing people over because they’re a competitor. So I mean, definitely it’s starting to take off more, I feel. But I think we need to keep on pushing that because once again, with APTs backed by full-on nations, you can’t stand alone in that. Because if they really, really, really want to get in and they’re hyperfocused on you, they’re going to get in.
They have billions of dollars to back them. They’re just going to take some patience and they’ll figure it out. Because to tangent real quick as to why I’m saying that, one of the things we’ve seen recently, tactic-wise, is they’re leveraging zero-day attacks the day the zero-day drops. So zero-day comes out and they’re already hitting the companies they want to within hours. So who can patch their systems within hours? That’s not realistic for most companies. Even if you can get that off the ground with an emergency change, the system’s still got to get that patch and update which still can take hours.
Chrystal Taylor:
Well, I love how much you’re pushing for the community aspect of this. I think that it could be helpful for… We’ve talked about this in the past in our other security episodes that it can often seem kind of intimidating to try and get into it if you’re trying to transition from another field or if you’re trying to… Even from within IT, trying to transition into security can be… It seems kind of intimidating if there’s so much going on and it may feel like you have to do things alone. But you’ve just proven you don’t. You’re not alone and there’s everyone else in the community that can help talk to people and share experiences and all of that, which is great. I did want to touch on something that you said. But now, I’ve forgotten what it was, so I’ve lost it-
Ryan:
Roll the tape back. Let’s roll the tape back.
Chrystal Taylor:
Yeah. We were talking about the why you would do things. I think that part of the thing that I’ve seen and I’ve noticed a lot is that one of the… And I recently actually just read this in another survey that was done that 56%, I think it was, 56% of the companies that responded to the survey said that users are the biggest concern security-wise. And I think that to the point of like, “Why would you hit Krispy Kreme?”, or, “Why would you hit any of these other places?” Users are a big part of why. You said connectivity like businesses are connected to other businesses. But also, users are connected. So maybe I’m a big time… I go to Krispy Kreme every week and I work in a government entity or whatever. There is opportunity there for threat actors to get information that they can then use somewhere else. So being negligent is not… It’s not a thing that anybody should be doing-
Sean Sebring:
It is not an option.
Chrystal Taylor:
It’s not an option. Yeah. I don’t know where I was going with that but that’s-
Ryan:
No, I get exactly… I mean, it certainly can be that way especially… A lot of my cyber brethren and sisters are certainly paranoid individuals. But I’m of the mindset that I’m not a celebrity, I’m not a politician, so nobody’s coming after me personally. The only reason they would right now is because of where I work potentially but it certainly doesn’t hurt to… I mean, APTs can pivot that way. I can’t think of a good example right now off the cuff. But we’ve seen them do some crazy tactics like that in the past where it’s like some huge false flag operation to go after for one tiny little specific thing. It’s like, “That’s what you wanted? But why did you want that?” But you’re right, the weakest link in the organization, this is not to be disparaging to our employees or users-
Chrystal Taylor:
It just is.
Ryan:
… and people that aren’t… Our homies out there in the field, they are… Humans are the weakest link because we’re human. We make mistakes. I make mistakes. Heck, even as a cyber person, I mean, there’s certainly things where I’ve been like, “Huh?” And be like, “Oh, I should run this through a sandbox.” I’m like, “Okay. Glad I didn’t click on that. That would’ve been stupid.” But things are getting more and more advanced. With AI, people are able to… I mean, if you have a clip of your CEO on YouTube, they can spoof his voice and call your phone and pretend to be your CEO.
How are you going to… I mean, outside of the number and if they spoof the number too, how can you differentiate across that? I mean, emails are getting better. And then, I mean, to the point where some… One trend I’ve been seeing recently is they’re compromising legitimate companies that you might work with to send you emails from the legitimate domain. So they aren’t even trying to spoof anymore because protections… Well, they still are. But protections have gotten a lot more advanced, so they’re pivoting and changing their game much like we need to.
Certainly, employees need to stay vigilant and stay educated, but it still comes down to the human element. There’s going to be something that slips through the crack. And as long as you can take care of it and you’re honest with your security team, things happen. You got to let us know so we can take care of it. We’ll get an alert for it. But if you let us know ahead of time, we can respond even quicker.
Sean Sebring:
Man, the AI that changes voices or captures voices is really weird. I recently just did a recording for some training material and someone shared with me that I’m speaking Arabic. They’re like, “Cool. We’re going to run this through our AI. You’re now going to be hosting this same training in Arabic,” and it was me speaking Arabic. I played it for my family. It was so weird-
Chrystal Taylor:
Which you don’t know.
Sean Sebring:
… because it was… I’m like, “Can I add this to my resume now? Apparently, I speak Arabic. So it is”-
Ryan:
That Duolingo really helped you out.
Sean Sebring:
Yeah, yeah. It was-
Chrystal Taylor:
That’s terrifying though.
Sean Sebring:
Fortunately, this was for a good purpose. But yeah, it was just bizarre to be like, “What?” I felt a little vulnerable, exposed, taken advantage of. But it was also neat because I was like, “Oh, that’s really cool.”
Ryan:
Almost anything good on the internet can also be used for evil.
Sean Sebring:
Yes, yes, yes.
Ryan:
The intentions are there but totally understand. And that’s the same thing with emails, even without the voice recording. Before, one of the telltale signs of grabbing up a phishing email is like the headers, seeing if it’s from the actual address, any of that fun stuff. But also, the grammar, it was usually not good. It was not well-spoken English. Now, with AI, that is a thing of the past. It is locked up nice and tight so-
Chrystal Taylor:
Does that stifle your excitement for new innovations? Like when they find a new thing for AI or a new technology that comes out that’s cool, does it stifle the excitement that you would otherwise have because you’re already thinking about how someone’s going to use it for evil?
Ryan:
No, actually, I still… I mean, because I know it’s going to be used for evil. It certainly just helps me want to pivot. Because I mean, if people aren’t using things for evil, then I don’t have a job. So it helps me out there but-
Chrystal Taylor:
Fair enough.
Ryan:
… even with… What was it? Let me see here. Even with AI though, recently… What was it? Microsoft Copilot even had a zero-click AI data leak flaw. It didn’t get released to the public. It got patched. But like AI also, in itself, inherently has its flaws. And so, seeing how that’s going to go… It’s terrifying because protecting against that… Everybody wants to sprint on getting AI in their organizations and I get it. It’s an exciting time but pump the brakes a little bit and let us get these controls in place first. But most people aren’t willing to wait for that unfortunately. So I’m worried that we’re going to see some fun things happen with AI across the board in the near future. And the only thing I’ll say about AI aside is certainly that any data you get back from it, don’t trust it inherently. That’s just like back in the day when the internet was but a brand new thing. What did your parents always tell you? Don’t trust everything you read on the internet. Same goes with AI. Don’t trust everything AI spits back out to you.
Chrystal Taylor:
I’m just thinking of that State Farm commercial. Bonjour.
Sean Sebring:
So we’re talking about some emerging technology AI. One that’s not quite emerging but has definitely changed and I think you probably have lived in the era of bring your own device and cloud, obviously, is where your career really took off. But in contrasting with classic security, is there anything you can share that’s kind of more niche to maybe bring your own device? Basically disconnected from a network or a local network, disconnected from the organization’s… Local here, I’m the organization. This is my own device connected to the internet, it’s cloud application, anybody could access it potentially from anywhere. Any advice, thoughts, or additional cautions because of this?
Ryan:
Oh, definitely. So I mean, Apple purists will always be like, “Oh, iOS is so secure.” Yes, it’s pretty dang secure but there’s breaches that happen. Oh, hey. What’s up, Abs? There’s hacks and different ways to get into those. They get patched quickly enough, but it’s not any more secure than an Android phone. I mean, unless you’re specifically making your Android insecure, but they’re your own devices. And because the company, unless you have it managed by corporate, and most companies don’t, because the company doesn’t manage it, it’s inherently open to being abused. You might download something fun from the Play Store and it happens to be a piece of malware. And now because you have, let’s say, Microsoft Teams and Outlook on your phone, they’re in there.
Or alternatively, if you don’t have your cloud locked up tight enough, they can access any of your apps that are attached to Azure Entra. I mean, so my advice there would be in your cloud environment… Okay. She’s opening doors now. In your cloud environment, lock it down, make sure it’s specific only to the corporate network, unless it’s a few specific applications you would like people to access from their personal cellphone devices. Even then, I’d recommend considering mobile application management at the very least, which manages the silos of the applications on your phone. It won’t manage all your stuff. It can’t access the rest of your data. But it can prevent copying, downloading emails, all that fun stuff for those applications, and even encrypts it at rest on your phone for the application. So it isn’t the perfect fix but it’s better than nothing.
Outside of that even, because you mentioned BYOD, I’d like to… Because this has been fun for me and a lot of other companies I’ve seen is the evolution of cloud apps. Cloud computing’s not going anywhere. It’s been here for a while. But a lot of companies have been moving to just services that are hosted in the cloud, so they aren’t on-prem, which I’m here for. Data centers can be expensive. However, if you don’t have a mature way to onboard these, then it becomes problematic for security teams to know like, “Oh, yeah. I just spun this up. We used the company card. We have this new Jira or variation thereof instance,” and we don’t know that it’s there because you didn’t tell us. It’s not hooked into our environment. And so, it’s out there sitting there without those security controls we’d want in there. And it’s not feeding through our SSO or however we have it plugged in so we don’t know.
And so, certainly need… I cannot press this enough. Certainly need to have a mature process to onboard applications so that your security teams and even the other teams are aware of what’s going on. So the controls and settings can be configured ahead of time. Because even if you find out about this app afterwards and you try and bake it into your program, yeah, you’ll get there. But there’s going to be a lot more resistance because the app is already where the people want it to be at. And so, by changing things when they’re already used to it, they aren’t too happy about that generally.
Chrystal Taylor:
Expanding on that, are there additional concerns or things that you have to deal with with SaaS applications because your company doesn’t have any ownership or hosting capabilities or anything for any of the backend or really any ownership of it at all? So your security footprint, arguably for your company would be smaller, but does it increase concerns in other ways and are there additional fail safes and things you have to put in place for SaaS applications specifically?
Ryan:
Yeah. I mean, it… And I’d say it goes with even outside of SaaS applications. But SaaS-specific definitely because you don’t own it. It is not yours. It is not baked into your environment. It’s not in your hardware. You’d want to make sure that it’s compliant. It’s got all the things that would meet what you need in your industry. So for example, we want FedRAMP compliance. We want to make sure that they have a SOC 2 report if possible. And I can go into the definitions if you really want to get bored about that, but just making sure they’re compliant there.
And then, I also like to look and see if the company has suffered a breach or a data leak anytime in the past, because that will certainly help drive my decision one way or another. Now, generally speaking, a company that suffered a breach in the past, they come back, because they suffered, even stronger than ever. And so, they slipped up, they know what’s going on, and they have something to prove. Whilst the company that hasn’t gotten got yet, generally, they’re like, “Oh, no. That wasn’t us. We’re good.” And then years later, it happens to them.
But it still will influence my decision on which service we want to go with and it depends on what happened. Was it something that was preventable? Was it something silly? Was it something that was so ridiculously complicated that it’s like, “Well, okay. Yeah. That makes sense. I get it.”? It just depends but you certainly want to make sure that it checks all the boxes you need and that it’s configurable for what you need in your environment. And even then, before pulling the trigger on anything, definitely do a proof of concept to make sure it actually does what you expect it to do. Because once again, with salespeople, they’ll tell you anything you want to get you to buy that product, but I’m not buying it until I test it for a couple of months.
Sean Sebring:
Hey, hey, hey. Hey, hey, hey.
Chrystal Taylor:
Yeah, Sean –
Sean Sebring:
I kind of want to –
Ryan:
Other salespeople.
Sean Sebring:
Yeah. Other salespeople. So I kind of want to spin that in a different way because I may have a different philosophy because I’ve started enjoying technology as we’ve moved closer to more modern tech like SaaS and the deferred ownership. And potentially, the amount of resources that a vendor may have to dedicate to securing their stuff, right? The point of my question is, do you feel it’s potentially easier if you have a good vetting process to feel secure by onboarding SaaS versus hosting yourself? And it’s just a thought leadership question. You don’t have to give the answer. Just curious, what are your thoughts?
Ryan:
It’s very much a mixed bag there. So SaaS, yeah, you don’t have to have the ownership. But you’re paying somebody potentially a smaller amount as opposed to having to buy equipment and refresh it all the time onsite. But once again, it’s not onsite and that’s not your equipment. If something goes wrong and the service goes down, you have to wait on them. You can’t just run to the data center and bring that machine back up or try and troubleshoot it there. It’s dependent on the vendor. But I mean on the other side of the token, having all your stuff hosted onsite, what if you have a natural disaster? Then your whole data center is hosed if you’re hosting onsite, outside of a specific data center meant to resist natural disasters. Or let’s say you have your data center onsite and you have a very disgruntled employee that has access and knows something’s going on, that person can absolutely wreck your whole data center.
Yeah. They’re going to go to prison. But if they’ve already lost their mind that much, that kind of is irrelevant to them. They’re not going to be thinking logically. So there’s boons and pitfalls to both sides of things. It just depends on the flavor. I’d say it kind of depends on what your industry is in. Sometimes it makes more sense to host onsite. If it’s that critical, you do not want it to be up there in the cloud. But sometimes, it’s cheaper and easier to host up in the cloud, especially if you have a limited IT team as a whole. Because now, you don’t have to worry about that headache as much. It’s just a different headache, a different flavor of one. I hope that answers your thought… Not answers but-
Sean Sebring:
No, you’ve dodged it way too much-
Ryan:
… I hope it tickles your brain.
Sean Sebring:
You’re not being genuine. I’m just kidding. Yeah. No. So it’s-
Ryan:
Oh, let’s fight.
Sean Sebring:
It’s just a simply… It’s always going to be a little bit of both, right? I just like to get people to start thinking about those questions is, “What makes most sense?” It’s always going to be a balance of what makes most sense, right-sized, as I’ve heard before in the past.
Ryan:
Ah, yeah. I once heard a demon, a devil of sorts tell me that. I think it was the sixth layer of hell. But yeah, he’s been defeated. I don’t have to worry about that guy anymore. But you’re right, it is a balance and I want to touch on that. That’s very key there. There’s a lot of people that are biased to on-prem or biased to cloud-only. No, no, no. It doesn’t need to be one way or another. It should fit what you need it to fit and what the organization needs but it should also make sense. And so, yeah, cloud is never going away. It’s going to keep on coming, but on-prem also I don’t see fully ever disappearing either.
Sean Sebring:
So Ryan, I think what might be a good final topic is, is there anything you want to leave the audience with before we wrap our episode today?
Ryan:
Yeah. I mean, for anybody, and I know that we came in with the curiosity, so for anybody interested in cybersecurity, it’s not a terrifying scary beast like some people can make it out to be. It can get very technical, you can go down the rabbit hole, but we are short millions of jobs globally. Those positions are out there and waiting to be filled. At the end of the day, yeah, it can be technical but it comes down to the mindset. As long as you have the mindset of securing things and you have that curiosity and you want to constantly learn, you’re already a good fit for it.
At least dip your toes in, see what’s going on. Hit some sites like Hack the Box. It’s free. You get to do legal hacking on secure systems. It’ll teach you along the way just to see if it intrigues you. Check out articles on Bleeping Computer. Check out some other podcasts. Check out this podcast. If it intrigues you, take the dive. Half of the people I’ve worked with in the past, when I first initially started working with them in cybersecurity and we onboarded them, they had little to no cyber experience. And they’re some of the best individuals I’ve worked with because they had that curiosity and that drive, they wanted to learn. So don’t be afraid of it. Ask your local cyber folks. Get involved. We need you. We do.
Sean Sebring:
I have a follow-up and I have a feeling I know the answer and it’s in-
Ryan:
Yes, Sean. We’re hiring.
Sean Sebring:
What do you think is probably the best skill you could bring to this role?
Ryan:
The best skill. Honestly, it’s the skill of not already being jaded or set in your ways. If you already have that mindset and you already think things should operate a certain way or you’re like, “This is how we’ve done it. This is how these people do it,” that’s not the answer. You have to be malleable. You have to be moldable. You have to be able to transform situationally or on a case-by-case basis. That’s the most important thing. You can’t come in with that mind of stone. You have to have that curiosity and also be open to questions people are asking you or probing your mind about different things. They might have a different way to take care of something cyber-wise or they might have a different solution. It doesn’t mean it’s wrong. It’s thought-provoking and that is what is most important.
Sean Sebring:
That is one long skill. I’m teasing. Yeah. So no, open-mindedness, I think, is kind what I take away from it. So yeah, 100%. I think that is very transferable.
Ryan:
It definitely is. I mean, in an industry where everything’s constantly changing, you have to be open-minded, that’s what it all boils down to. Because something might be one way today and then tomorrow, the answer’s exactly different, it’s the exact opposite. And so, I can’t just be like, “No, this is not the right way.” It’s like, “Oh, okay. Let’s try this new tactic. All right.”
Chrystal Taylor:
Well, and as you mentioned earlier, if they’re changing rapidly, you also have to be changing rapidly or you’re not going to be able to catch the threats. That seems like a really important part of this whole process is that you have to be looking for things that you’re not expecting.
Ryan:
Definitely. The adaptability is certainly necessary. Because as soon as they pivot, we pivot, and it’s just a constant… That’s why I made a comparison to chess because it’s a constant battle, back and forth, but it’s certainly fun and engaging. I mean, I am never bored. That is for sure.
Sean Sebring:
All right. Well thanks, Ryan. This has been great for me. It’s exciting to see such an energetic take on security and I really appreciate your encouragement to look into cybersecurity.
Ryan:
Yeah. Chrystal and Sean, thank you so much for having me. I’m always more than happy to spread some awareness and just stay safe and stay curious, friends.
Sean Sebring:
I’m your host, Sean Sebring, joined by fellow host, Chrystal Taylor. If you haven’t yet, make sure to subscribe and follow for more TechPod content. Thanks for tuning in.