Nothing tells the story like a good story, right? This week we have Mike Saylor, the CEO of Black Swan, a cybersecurity company. Boy, has he been in the trenches. He tells some great stories about responding to cyber attacks. They're great stories and he's a great storyteller. We also learn about FBI InfraGard, a partnership between the FBI and the private sector. We hope you enjoy the episode.
Speaker:
this episode is a good one.
Speaker:
We've got a cybersecurity expert that has been in the room when people are
Speaker:
responding to various cyber attacks.
Speaker:
He's got some great stories.
Speaker:
I love listening to them and I know you will too.
Speaker:
Hope you enjoy it.
Speaker:
Hi, and welcome to Backup Central's Restore It All podcast.
W. Curtis Preston:
I'm your host, W. Curtis Preston, a.k.a. Mr. Backup.
W. Curtis Preston:
And I have with me a guy who once again, has astonished me with knowledge
W. Curtis Preston:
that why does he know this stuff?
W. Curtis Preston:
He's gonna solve my office chair problem.
W. Curtis Preston:
Prasanna Malaiyandi how's it going?
W. Curtis Preston:
Prasanna,
Prasanna Malaiyandi:
I am good, Curtis.
Prasanna Malaiyandi:
I'm good.
Prasanna Malaiyandi:
So yeah, let's talk about you needing a new office chair.
W. Curtis Preston:
so it, it
Prasanna Malaiyandi:
show the listeners.
Prasanna Malaiyandi:
Just, just squeak.
W. Curtis Preston:
Well, let's, yeah.
W. Curtis Preston:
So this is, so, you know, in a, in a podcast, my mic is picking
W. Curtis Preston:
up my squeaky office chair.
W. Curtis Preston:
And so either I need a new office chair or I need to lose a few pounds.
W. Curtis Preston:
One or the other, or maybe both.
W. Curtis Preston:
But uh, so you brought up what was the, it was Crandall.
Prasanna Malaiyandi:
Yep.
Prasanna Malaiyandi:
Crandall Furniture.
W. Curtis Preston:
Yeah.
W. Curtis Preston:
Crandall Furniture, which is, they're, they're apparently repurposing,
W. Curtis Preston:
uh, you know, all those office chairs that nobody's using anymore.
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
Yeah, they buy chairs.
Prasanna Malaiyandi:
They refurbish them with like new foam.
Prasanna Malaiyandi:
They fix the lift mechanism.
Prasanna Malaiyandi:
Sometimes they replace the arms and then they resell it at a discount.
W. Curtis Preston:
Yeah,
Prasanna Malaiyandi:
it's crazy how expensive office chairs are.
Prasanna Malaiyandi:
Like some of the high-end ones are like a thousand, $1,800.
Prasanna Malaiyandi:
Who wants to spend that on a chair?
Prasanna Malaiyandi:
Like I get it.
Prasanna Malaiyandi:
You spend a lot of time sitting in a chair just like you do, sleeping in a bed.
Prasanna Malaiyandi:
But still, it's a good chunk of money to spend when you can go to like
Prasanna Malaiyandi:
your local office supply store and pick up a cheap chair for like $99.
W. Curtis Preston:
Yeah, and I don't think this was 99, but
W. Curtis Preston:
it wasn't much more than that.
W. Curtis Preston:
I don't, I don't have, if, if I had to guess, I probably got it from Costco.
W. Curtis Preston:
'cause I get.
W. Curtis Preston:
Many other things from Costco.
W. Curtis Preston:
Right.
W. Curtis Preston:
Um, but yeah,
Prasanna Malaiyandi:
I had one of those chairs.
Prasanna Malaiyandi:
I had one of those chairs as well, right, where I was like, yeah, it worked well.
Prasanna Malaiyandi:
And then I'll, once the pandemic hit and we were working from home, I ended up
Prasanna Malaiyandi:
getting some wellness dollars from my employer and use that to get myself a
Prasanna Malaiyandi:
nice standing desk and an office chair.
W. Curtis Preston:
Yeah.
W. Curtis Preston:
Um, so I, I think I got the same wellness money.
W. Curtis Preston:
And I spent it on a webcam.
W. Curtis Preston:
That's what I did.
W. Curtis Preston:
I,
Prasanna Malaiyandi:
sorry, this is for my current employer
W. Curtis Preston:
Oh, for your current employer?
W. Curtis Preston:
Oh, that's right.
W. Curtis Preston:
We, because we were at the same employer.
W. Curtis Preston:
But you're saying you got wellness money from your, your new employer,
W. Curtis Preston:
um, and, uh, which is, you know, just as good as time as any to mention
W. Curtis Preston:
that this is an independent podcast.
W. Curtis Preston:
We're not representing, uh, you know, any employers or non employers in my case.
W. Curtis Preston:
And, um,
W. Curtis Preston:
You know that, uh, the opinions that you hear are ours.
W. Curtis Preston:
And also, uh, be sure to rate us, uh, uh, uh, you know, by, uh,
W. Curtis Preston:
going to your favorite podcast.
W. Curtis Preston:
You're scrolling down and giving us all the stars and comments.
W. Curtis Preston:
We'd love seeing comments from listeners.
W. Curtis Preston:
And if you'd like to be a part of the conversation, I could be
W. Curtis Preston:
reached at W. Curtis Preston at Gmail or, um, WC Preston on Twitter.
W. Curtis Preston:
And also linkedin.com/in/mrbackup.
W. Curtis Preston:
That is Mr. Backup on LinkedIn and you can find me.
W. Curtis Preston:
And, uh, with that we'll turn off to our guest at this moment.
W. Curtis Preston:
Uh, he's, uh, specialized in cybersecurity for over 20 years and is a member of
W. Curtis Preston:
FBI InfraGard, which is a group that I didn't even know existed.
W. Curtis Preston:
But it's a partnership between the FBI and the private sector for the
W. Curtis Preston:
protection of US critical infrastructure.
W. Curtis Preston:
He's now the CEO of Black Swan, a company that strives to democratize
W. Curtis Preston:
enterprise level security services.
W. Curtis Preston:
Which one of my first questions is gonna be, what does that mean?
W. Curtis Preston:
Welcome to the pod, Mike Saylor.
Mike Saylor:
Thank you.
Mike Saylor:
Thanks for having me
W. Curtis Preston:
so what does that mean?
W. Curtis Preston:
So
Mike Saylor:
Well, uh,
W. Curtis Preston:
on your website that it says you wanted to democratize
W. Curtis Preston:
enterprise level security services.
Mike Saylor:
Sure.
Mike Saylor:
Well, I think in, in, you know, simple explanation is that we're trying to
Mike Saylor:
provide, uh, enterprise class services.
Mike Saylor:
The, you know what, what the big boys pay for, Fortune 50, Fortune 100.
Mike Saylor:
And make it affordable and scalable and flexible enough for smaller organizations,
Mike Saylor:
small, medium sized businesses.
Mike Saylor:
Uh, part of our mission is to provide that enterprise class service to
Mike Saylor:
what we consider underserved markets.
Mike Saylor:
So, uh, education, uh, family offices, uh, credit unions as an example.
Mike Saylor:
Um, but also understanding that in each one of those situations you've
Mike Saylor:
got a variety of, uh, business sizes.
Mike Saylor:
So you've got a five person credit union and you've got a
Mike Saylor:
billion dollar credit union.
Mike Saylor:
Uh, and they both need, uh, help, uh, understanding and applying, um,
Mike Saylor:
cybersecurity controls and, and services.
Prasanna Malaiyandi:
So what happens today for those small customers, right?
Prasanna Malaiyandi:
Or like the five person credit union, like how do they even
Prasanna Malaiyandi:
approach cybersecurity today?
Prasanna Malaiyandi:
Or what is their solutions look like?
Mike Saylor:
Uh, they usually don't have one.
Mike Saylor:
Um,
Mike Saylor:
And they even have to, uh, in, in a lot of cases, have to outsource their just normal
Mike Saylor:
help desk, you know, hardware support.
Mike Saylor:
And they're relying on that, you know, that technology expertise to, uh, assist
Mike Saylor:
them in cyber to the extent possible.
Mike Saylor:
Um, but that's changing.
Mike Saylor:
Um, and it, and it has to, uh, a lot of, uh, services and.
Mike Saylor:
Protections and controls that any organization today rely
Mike Saylor:
on, like, like insurance.
Mike Saylor:
Uh, in order to qualify for cybersecurity insurance policies, you have to
Mike Saylor:
demonstrate these, you know, kind of, uh, good cyber hygiene practices, uh, whether
Mike Saylor:
you do it internally or you outsource it.
Mike Saylor:
Uh, and so in order just to even get insurance, uh, you have to, uh, spend
Mike Saylor:
some money to check some of these boxes.
Mike Saylor:
Um, and they're just, there's, there's not a whole lot of solutions out
Mike Saylor:
there options for them to, to go with.
W. Curtis Preston:
Interesting.
W. Curtis Preston:
Um, and let's talk also a little bit about, uh, FBI InfraGard.
W. Curtis Preston:
'cause like I said, I, I did, I didn't even know this in, I'm, I'm
W. Curtis Preston:
really glad to hear that it exists, but I didn't even know it exists.
W. Curtis Preston:
Uh, what, what, what does that look like?
Mike Saylor:
Sure.
Mike Saylor:
Uh, well, so it started in the late nineties.
Mike Saylor:
Uh, I think the, the first chapter was, uh, um, in the mid nineties.
Mike Saylor:
Um, and the, the idea is, uh, for every FBI field office, um, there should be
Mike Saylor:
an InfraGard chapter, and the objective of the chapter is to tie the office into
Mike Saylor:
the community, thereby, uh, expanding its eyes and ears, uh, but also, um,
Mike Saylor:
helping elevate the, uh, intelligence and awareness of the organizations in the
Mike Saylor:
community, uh, for the things that the FBI and that community is working on.
Mike Saylor:
Uh, so some, some bi-directional, uh, intelligence sharing, which
Mike Saylor:
really didn't happen for a long time.
Mike Saylor:
It's probably only been in the last five or six years that that's, that's
Mike Saylor:
really, uh, become more valuable.
Mike Saylor:
Um, prior to that, you, you might get an InfraGard notice,
Mike Saylor:
uh, a few hours or a day before something comes out on the news.
Mike Saylor:
So you really weren't ahead of it too much.
Mike Saylor:
Um, but so now there's, there's 45 chapters.
Mike Saylor:
Of InfraGard throughout the country.
Mike Saylor:
Uh, there's an InfraGard National Alliance that kind of manages
Mike Saylor:
all those independent chapters.
Mike Saylor:
Um, and the chapters are made up of people from the community,
Mike Saylor:
uh, across all sectors.
Mike Saylor:
Uh, kind of initially it was all technology people.
Mike Saylor:
Uh, so 90, 90 plus percent, uh, membership and InfraGard were people and, you know,
Mike Saylor:
CIOs and engineers and help desk people.
Mike Saylor:
Uh, but today we have nurses and doctors and farmers and, um, People
Mike Saylor:
that work in infrastructure, water dams, uh, federal government, um,
Mike Saylor:
agriculture, I mentioned, um, nuclear.
Mike Saylor:
Uh, so each critical infrastructure section sector, uh, has an InfraGard
Mike Saylor:
sector chief, uh, at each chapter.
Mike Saylor:
Uh, who is responsible for going out and.
Mike Saylor:
Uh, not just recruiting others from that sector, uh, to kind of
Mike Saylor:
strengthen the, the mix and dynamics of the chapters, uh, membership.
Mike Saylor:
Um, but it's also, uh, both a feeder into the FBI, uh, for intelligence
Mike Saylor:
and threats and awareness of what's going on out in the community, uh,
Mike Saylor:
but also the FBI's ability to, to, uh, to share with them so that they
Mike Saylor:
can do their job better, uh, get ahead of threats, um, be more aware.
Mike Saylor:
Uh, so it's been a pretty, pretty effective, um, partnership over the years.
Mike Saylor:
Uh, I helped stand up the North Texas chapter in the late nineties, and
Mike Saylor:
I've, I've been sector, I'm currently a sector chief over healthcare.
Mike Saylor:
I was a sector chief over technology.
Mike Saylor:
Initially I was the president of the chapter.
Mike Saylor:
Um, and we have a, a pretty strong.
Mike Saylor:
Uh, showing, uh, in our company as far as InfraGard goes, our
Mike Saylor:
CFO was a, a past president.
Mike Saylor:
She's also the past, uh, national regional representative over I think
Mike Saylor:
three or four different states.
Mike Saylor:
Our COO was the president of the Houston chapter.
Mike Saylor:
He was also a national regional rep for a period of time.
Mike Saylor:
Uh, and then everybody in our company pretty much is a member.
Mike Saylor:
Um, and there's similar, there's a similar, uh, organization
Mike Saylor:
for the Secret Service.
Mike Saylor:
They call it.
Mike Saylor:
They used to call it the Electronic Crimes Task Force, of which I'm also a member.
Mike Saylor:
Uh, and then both of those are kind of related to the, in Texas we have the
Mike Saylor:
North Texas Crime Commission and they have subcommittees like cyber crime.
Mike Saylor:
And then, uh, the fusion centers that police departments, uh, fun, uh, operate.
Mike Saylor:
Um, in north Texas, there's the Collin County Sheriff Fusion Center, uh, from
Mike Saylor:
which I'm also a fusion liaison officer.
Mike Saylor:
So tons of intelligence sharing, information sharing.
Mike Saylor:
Uh, both to support the community, but also naturally with what we do, uh, that
Mike Saylor:
feeds really nicely into the value that we can, uh, we can give our clients.
Prasanna Malaiyandi:
That's awesome.
Prasanna Malaiyandi:
I actually, like you said, Curtis, I had never heard about this and Mike,
Prasanna Malaiyandi:
thank you for going into details because that's actually a really cool program.
Prasanna Malaiyandi:
Like I didn't realize that the FBI connected in like this in
Prasanna Malaiyandi:
sort of a systematic way, right?
Prasanna Malaiyandi:
To all these other organizations.
Mike Saylor:
Mm-hmm.
W. Curtis Preston:
Yeah, we've, we've come a long way since, um,
W. Curtis Preston:
the days of the cuckoo's egg, which I'm, I'm assuming you've read a
W. Curtis Preston:
Cuckoo's Egg or the c the cuckoo egg.
W. Curtis Preston:
I think, you know, because in that story from Cliff Stoll back in the
W. Curtis Preston:
day when he contacts the FBI about a cyber attack that's happening on
W. Curtis Preston:
his infrastructure, They're like, well, did they steal anything?
W. Curtis Preston:
Right.
W. Curtis Preston:
They didn't, they really weren't aware of the concept of a cybersecurity attack.
W. Curtis Preston:
So I, I'm, I'm glad to hear that.
W. Curtis Preston:
You know, things have come a long way since that was the
W. Curtis Preston:
seventies, so, you know, whatever,
Mike Saylor:
And, and on
Mike Saylor:
the,
W. Curtis Preston:
while since then.
Mike Saylor:
Kind of along those lines.
Mike Saylor:
Uh, the other benefit of that is, uh, similar to the situation where, you know,
Mike Saylor:
there was an event, uh, we always preach.
Mike Saylor:
Uh, as far as incident response goes, you've gotta get ahead of that so that
Mike Saylor:
on game day, you know what players you can call into the, to, uh, onto the field
Mike Saylor:
and uh, you know, who's gonna show up.
Mike Saylor:
And so, um, you know, we're very adamant about.
Mike Saylor:
Establishing those relationships with law enforcement and subject matter experts
Mike Saylor:
and vendors in the community so that when something bad happens, you're not
Mike Saylor:
leaving a voicemail, you're not having to figure out the right person to talk to.
Mike Saylor:
And so InfraGard, and the, uh, the Secret Service organizations give you
Mike Saylor:
the opportunity to actually go to, they have chapter meetings and a lot of
Mike Saylor:
times they're at the, the FBI's field office, which is also kind of cool.
Mike Saylor:
Um, and so you get to meet people and exchange business cards and go
Mike Saylor:
to coffee and have their cell phone number instead of a mailbox number and.
Mike Saylor:
Um, and find the right person to talk to so that you can put 'em in your
Mike Saylor:
plan and you know who to call and they already know you, they've met you before.
Mike Saylor:
It's not a first date type of situation.
Mike Saylor:
So when, when, when things are going bad and the the house is
Mike Saylor:
on fire, uh, you know who to call and, um, they know who you are.
W. Curtis Preston:
Yeah, I preached the, the same thing, Mike, and,
W. Curtis Preston:
and, and so it's, but it sounds like InfraGard is a, is a organization
W. Curtis Preston:
that I can contact, go to these meetings that you were talking about.
W. Curtis Preston:
That, that it, that it could be that liaison.
W. Curtis Preston:
So that I can start to form those relationships.
W. Curtis Preston:
'cause you're right, it's like, uh, you know, just reaching out to, to the
W. Curtis Preston:
FBI blindly, um, you know, Hey, I'd like to talk to you about a potential
W. Curtis Preston:
future event that might happen.
W. Curtis Preston:
Right.
W. Curtis Preston:
So it sounds like InfraGard can be that liaison then.
Mike Saylor:
And, and you're right.
Mike Saylor:
And they do have, uh, they have, uh, speaker, um, what do they call it?
Mike Saylor:
Um, you can, you can sign up to be a speaker, uh, like as a
Mike Saylor:
resource, uh, subject matter expert.
Mike Saylor:
But then the FBI also has, uh, speakers that can come to your event.
Mike Saylor:
And so very often you can pull in that, that law enforcement, uh, perspective
Mike Saylor:
to, to your message and your content.
Mike Saylor:
And they'll bring their own slides and, you know, whatever data they
Mike Saylor:
can, they can share publicly as far as current events and statistics.
Mike Saylor:
And it's, it's usually a pretty good, uh, value add, uh, as far as content.
Mike Saylor:
And, and sometimes it's a, it's a draw.
Mike Saylor:
Uh, you know, people may not want to just come see me talk, but if it's me plus
Mike Saylor:
the supervisory special agent over cyber, then all of a sudden it's interesting.
Mike Saylor:
Uh, so.
Mike Saylor:
Um,
Mike Saylor:
yeah,
Prasanna Malaiyandi:
for you, Mike.
Prasanna Malaiyandi:
Come on.
Mike Saylor:
there's a lot of value.
Mike Saylor:
There's a lot of value in membership.
Mike Saylor:
Um, each chapter has their own dues.
Mike Saylor:
Like our, I think our chapter, it's 25 or $50 a year.
Mike Saylor:
Uh, but that also pays for, um, you know, food at an event or you get
Mike Saylor:
discounts to go into some conference.
Mike Saylor:
Uh, so there's a lot of, a lot of kind of cool ecosystem, um, you belong to
Mike Saylor:
once, once you, uh, become a member.
Prasanna Malaiyandi:
I am surprised this isn't publicized more
Mike Saylor:
It's infragard.org, I-N-F-R-A-G-A-R-D dot org.
W. Curtis Preston:
Yeah, I'm all over
Mike Saylor:
you can sign up online.
Mike Saylor:
The, uh, the application process is, is can be kind of long, anywhere
Mike Saylor:
from, you know, 45 to 120 days.
Mike Saylor:
Uh, they do a cursory background and then each office has to do kind
Mike Saylor:
of a vetting, uh, to determine if, uh, You know, membership is for you.
Mike Saylor:
Uh, but then, uh, you're invited to kind of a new member session
Mike Saylor:
and you get to meet people, the board, uh, other members, uh, FBI.
Mike Saylor:
And, and one of the things that I'll mention is, so for every InfraGard
Mike Saylor:
chapter there is a full-time FBI agent that is your liaison.
Mike Saylor:
And they, so they kind of manage from the FBI side.
Mike Saylor:
Everything your chapter's doing, even though your chapter has its
Mike Saylor:
own board of directors and event planning and all that stuff, there's
Mike Saylor:
always a full-time FBI person.
Mike Saylor:
Um, at your event, at your board meeting, um, kind of the liaison
Mike Saylor:
for anything you need that the, that the bureau can, can help you with.
Prasanna Malaiyandi:
That's awesome.
Prasanna Malaiyandi:
Now,
W. Curtis Preston:
Go ahead.
Prasanna Malaiyandi:
just a follow up, I know you talked about sort of
Prasanna Malaiyandi:
establishing those relationships, right?
Prasanna Malaiyandi:
With other people who are in the chapter, do they do things like tabletop exercises
Prasanna Malaiyandi:
or other things or is that kind of
Prasanna Malaiyandi:
Outside the scope of this group.
Mike Saylor:
So the, the InfraGard membership, well, and, and different
Mike Saylor:
chapters do different things like the Louisiana chapter is there.
Mike Saylor:
They're kind of known for, um, uh, anti, you know, maritime
Mike Saylor:
anti drone capabilities.
Mike Saylor:
So there are people at, in that chapter that are involved in how to
Mike Saylor:
protect businesses along the river, uh, from drones and drone strikes and
Mike Saylor:
surveillance and all that good stuff.
Mike Saylor:
And so they, they do exercises pretty often and they have
Mike Saylor:
some really good events.
Mike Saylor:
And they're, the Houston chapter's, good New York chapter.
Mike Saylor:
Not only do they do, um, Exercises, but they have a podcast, so
Mike Saylor:
they, they broadcast things.
Mike Saylor:
I, I wanna say it was at least weekly, maybe monthly, but I
Mike Saylor:
think it's weekly and they're very well known for their multimedia.
Mike Saylor:
Um, and so there, there are different chapters kind of
Mike Saylor:
specialize and do their own thing.
Mike Saylor:
Um, But then you're also invited to bigger events.
Mike Saylor:
Uh, so, um, I know that there's kind of a, uh, a large scale FEMA
Mike Saylor:
event, uh, every now and then.
Mike Saylor:
And so we're, you know, we're invited to participate in that.
Mike Saylor:
But as a chapter, as a community, we don't.
Mike Saylor:
The North Texas chapter has not gotten together and said, you know, we could
Mike Saylor:
probably add a lot of value if we start to collaborate and, and participate together.
Mike Saylor:
Uh, maybe this time we help, you know, this, this company or this
Mike Saylor:
set of companies, maybe this, this sector like technology or healthcare.
Mike Saylor:
And, you know, next time we focus on something else, I think it's a great idea.
Mike Saylor:
But, uh, I, I haven't seen it done, but it's definitely something
Mike Saylor:
that they're open to doing.
W. Curtis Preston:
Yeah, this is great.
W. Curtis Preston:
Yeah, I'm, I, I was just looking at the site and I, I wanna say, so, so, so
W. Curtis Preston:
Prasanna, two areas of California where there's like a really big city and then
W. Curtis Preston:
a smaller city next to the big city.
W. Curtis Preston:
One of these.
W. Curtis Preston:
Places has its own San Diego chapter, I'm sorry, San Diego Field
W. Curtis Preston:
office of the FBI and therefore a chapter of this organization.
W. Curtis Preston:
The other one does not.
W. Curtis Preston:
Do you understand what I'm trying to say to you?
Prasanna Malaiyandi:
No.
W. Curtis Preston:
There is a San Diego.
W. Curtis Preston:
There is a San Diego field office.
Prasanna Malaiyandi:
There's not a Santa Clara
W. Curtis Preston:
There is not a, there is not a E, there's
W. Curtis Preston:
not even a Southern Bay Area.
W. Curtis Preston:
There is just San Francisco Bay Area field office.
W. Curtis Preston:
They, they didn't, they didn't
Mike Saylor:
they also have.
W. Curtis Preston:
Bay, go ahead.
Mike Saylor:
They also have satellite offices and the FBI does.
Mike Saylor:
So for example, um, Frisco, Texas is kind of northwest of downtown Dallas,
Mike Saylor:
but you know, within 30 minute driving.
Mike Saylor:
Uh, so the Dallas FBI headquarters is in downtown Dallas, but they have
Mike Saylor:
a satellite office in Frisco and they have a satellite office in Fort Worth.
Mike Saylor:
Uh, all of that is considered, uh, under the purview of the Dallas
Mike Saylor:
Field Office, and our North Texas chapter goes from Waco to Lubbock and.
Mike Saylor:
Abilene, uh, I'm sorry.
Mike Saylor:
Um, just east of El Paso all the way out to Shreveport.
Mike Saylor:
So technically, like quite literally all of North Texas is part of one chapter.
Mike Saylor:
However, we have some of the, uh, members that are out in like the Abilene area
Mike Saylor:
as an example, that feel disconnected.
Mike Saylor:
Like we can't keep driving to Dallas.
Mike Saylor:
Every time you guys have an event, we wanna start our own chapter, uh, and.
Mike Saylor:
They got enough support for that, where they did a feasibility study and, uh,
Mike Saylor:
and interest and they were going to help them build their own chapter.
Mike Saylor:
I'm not sure the status of that, but, uh, that is an option.
Mike Saylor:
If, if you find enough interest in membership and you know it's feasible,
Mike Saylor:
um, you know, they'll, they're, they're open to starting other chapters.
W. Curtis Preston:
well, sadly, there's no one in the South Bay area that
W. Curtis Preston:
knows anything about technology or.
Prasanna Malaiyandi:
Not at all.
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
Yeah.
W. Curtis Preston:
anyway.
W. Curtis Preston:
So, well let me just ask you one, one final question about this
W. Curtis Preston:
topic and then I wanna move on.
W. Curtis Preston:
Um, and that is, there is a debate when, you know, as I've been continuing to
W. Curtis Preston:
research incident response, having to do with ransomware, there is a debate as to.
W. Curtis Preston:
When or if to contact the FBI, right?
W. Curtis Preston:
Or just law enforcement in general, but in the US, the FBI.
W. Curtis Preston:
What's your opinion on that?
Mike Saylor:
Uh, my opinion is as soon as possible, however, um, You know,
Mike Saylor:
it's not always up to, to us and us by us, I mean, you know, technology,
Mike Saylor:
leadership, you know, whether you're the CISO or the CIO, unless, unless
Mike Saylor:
you're chartered to do so by executive management, uh, I always suggest that
Mike Saylor:
whoever the IT leadership is, you know, we're just, we're just putting out a fire.
Mike Saylor:
Uh, you know what?
Mike Saylor:
Whatever the incident is, we're putting out the fire.
Mike Saylor:
So from a technology perspective, our job is to recover.
Mike Saylor:
Or from a business perspective, you really need to defer that to your
Mike Saylor:
legal counsel or, or your, whoever your executive is or your insurance company.
Mike Saylor:
Uh, but your insurance company is gonna say, involve law
Mike Saylor:
enforcement as soon as possible.
Mike Saylor:
Your legal counsel, whether it's internal or, or, or outside
Mike Saylor:
counsel is gonna want to know more.
Mike Saylor:
Um, But at, at the end of the day, uh, and I, and I've, I've seen this from,
Mike Saylor:
from a lot of different perspectives.
Mike Saylor:
'cause I'm also, I also do expert testimony in court.
Mike Saylor:
So if this ended up in court, you know, one of the things
Mike Saylor:
that that benefits you from.
Mike Saylor:
Contacting law enforcement as soon as possible is, is a
Mike Saylor:
phrase called due diligence.
Mike Saylor:
So when, when we talk about, all right, so you guys screwed up, but how diligent
Mike Saylor:
were you in trying to prevent this?
Mike Saylor:
How diligent were you in responding to this?
Mike Saylor:
And how diligent were you in, in asking for help from everybody that you
Mike Saylor:
could possibly ask from for help from?
Mike Saylor:
And how open were you in?
Mike Saylor:
Um, And understanding and communicating what the problem was.
Mike Saylor:
And so if, if in any of those phases, uh, you're perceived as less than
Mike Saylor:
diligent, uh, and possibly, um,
Mike Saylor:
You know, hiding something or, or, or trying to cover something
Mike Saylor:
up when it gets to damages.
Mike Saylor:
If, if this lawsuit goes to damages, that's where it's gonna come back on you.
Mike Saylor:
Uh, 'cause everybody that, that goes through an incident, obviously you're
Mike Saylor:
guilty of having gone through an incident.
Mike Saylor:
You didn't do enough of something, which is almost impossible.
Mike Saylor:
But, you know, when you're in court, it's kind of black and white and you,
Mike Saylor:
at the end of the day, the fact is you had a breach, you had an incident,
Mike Saylor:
and it, it resulted in these things.
Mike Saylor:
Um, all right, so there's.
Mike Saylor:
You, you, you get a judgment for that.
Mike Saylor:
Alright, well then we go to damages.
Mike Saylor:
And some of that's black and white too, California especially, you
Mike Saylor:
know, for every record of California citizen, there's, it's defined.
Mike Saylor:
But, uh, on top of that, uh, so that's statutory.
Mike Saylor:
But then the, the judge can say, you guys were not diligent in
Mike Saylor:
protecting, responding, communicating.
Mike Saylor:
And, and because of that, I'm going to assess these additional fines.
Mike Saylor:
And so, uh, there's a lot to consider.
Mike Saylor:
And back to the tabletop exercise, that's when you need to start talking
Mike Saylor:
through, this is how this should actually go, and someone's gonna
Mike Saylor:
go, when do we call law enforcement?
Mike Saylor:
And we should look at the people in the room that would typically have
Mike Saylor:
that answer, and let's get that in writing ahead of time, uh, and put
Mike Saylor:
that in our plan as, uh, as part of, uh, how we respond to stuff.
W. Curtis Preston:
You don't want to be the, the, the, the rogue, uh, incident
W. Curtis Preston:
response cyber security person just randomly deciding to call the FBI.
W. Curtis Preston:
Uh, this needs to be decided up upfront.
Mike Saylor:
now I've been through some incidents, uh, just real quick
Mike Saylor:
where, uh, the incident was something illegal and management said, you're
Mike Saylor:
not reporting that to anybody.
Mike Saylor:
We'll handle it internally, but there are certain cases where
Mike Saylor:
you are a mandatory reporter.
Mike Saylor:
Having identified certain types of things, um, and it's kind of up to
Mike Saylor:
you on how to handle that, but I would suggest, uh, even if management
Mike Saylor:
said, don't report it, that's your, your life you're dealing with.
Mike Saylor:
If they find out you didn't report it and you knew about it, now you're going to
Mike Saylor:
jail regardless of what your boss said.
Mike Saylor:
Um, so I would suggest there's ways doing anonymous, uh, reporting and
Mike Saylor:
then just capture that activity as evidence that you did report it.
Mike Saylor:
Um, So there's, there's a, there's a lot of things to consider when you're, you're
Mike Saylor:
responsible for responding to stuff.
Mike Saylor:
Uh, and in addition to that, you may have access to things that, that require you as
Mike Saylor:
a mandatory reporter for doing something.
Prasanna Malaiyandi:
I was interesting you brought that up, Mike.
Prasanna Malaiyandi:
I was just reading a, I think on Twitter or read or something like that where
Prasanna Malaiyandi:
people were saying like as a programmer, right, if you're asked to do something,
Prasanna Malaiyandi:
which doesn't seem right, right, and the company gets caught in the end,
Prasanna Malaiyandi:
you're sort of the one responsible because you wrote the code, right?
Prasanna Malaiyandi:
You did something when someone told you to do something illegal, potentially.
Prasanna Malaiyandi:
Right?
Prasanna Malaiyandi:
And it's still your neck on the line.
Prasanna Malaiyandi:
Versus like, no one ever really gets like penalized like that for
Prasanna Malaiyandi:
saying no to doing something illegal.
Prasanna Malaiyandi:
Right.
Prasanna Malaiyandi:
And so it applies in various cases, including responding to being
Prasanna Malaiyandi:
told to do something illegal.
Prasanna Malaiyandi:
Uh, the one thing I did want to ask you, Mike, just going back to the
Prasanna Malaiyandi:
question Curtis asked about sort of reporting, how do you feel that
Prasanna Malaiyandi:
companies have done in being transparent about cybersecurity incidences?
Mike Saylor:
Well, I think that's a double-edged sword because it could
Mike Saylor:
seem like they're not being very transparent when really they just
Mike Saylor:
don't have a clue of what's going on.
Mike Saylor:
Uh, and, and I think that's the case.
Mike Saylor:
The majority of the time we got ransomware.
Mike Saylor:
How did it happen?
Mike Saylor:
Someone clicked something, I guess, but they really don't know, or that's
Mike Saylor:
what they were told, even though that's not maybe really how it happened.
Mike Saylor:
So I think understanding and understanding comes from, you know, information.
Mike Saylor:
Well, how do we get information?
Mike Saylor:
Well, you've gotta have the right technology stack.
Mike Saylor:
You've gotta have the right visibility and people and all reporting.
Mike Saylor:
And if, if any one of those areas is lacking, Then your ability to
Mike Saylor:
really know what happened, uh, is diminished to some degree.
Mike Saylor:
So I, I think there's two, there's, there's, there's a couple of perspectives.
Mike Saylor:
I'm not just gonna say there's two.
Mike Saylor:
There's, there's the one where they just really didn't know what happened in their.
Mike Saylor:
They're sharing what they, they know in whatever way they know how.
Mike Saylor:
Uh, and a lot of those cases, it's because they tried to address it on their own.
Mike Saylor:
They didn't bring in the law enforcement or outside help or
Mike Saylor:
professional firm or, or what have you.
Mike Saylor:
They just said, we had a problem.
Mike Saylor:
We're gonna accept the, you know, the, the fact that it happened and pay
Mike Saylor:
our dues or, you know, whatever the consequences are and we'll move on.
Mike Saylor:
And, uh, so there's that perspective.
Mike Saylor:
The other one is companies that truly
Mike Saylor:
can't or have decided they can't take the reputational
Mike Saylor:
risk of divulging what happened.
Mike Saylor:
Uh, some of that might be privacy or contractual.
Mike Saylor:
Like you will never tell people that our network was, uh, compromised
Mike Saylor:
because that, because we rely on you for these other things.
Mike Saylor:
And so clients could be impacted by, by your incident, you know, their,
Mike Saylor:
their business or service too.
Mike Saylor:
So, uh, depending on how your business functions and how you, how complex it is
Mike Saylor:
with, with providing services or data to,
Mike Saylor:
to clients or third parties.
Mike Saylor:
Uh, you may be limited in what you can say, um, but I think what you're
Mike Saylor:
getting at is, yeah, there are definitely companies out there that will deny
Mike Saylor:
altogether that there was a comp.
Mike Saylor:
I don't, so, you know, some, some bad guys put all of our customer data on
Mike Saylor:
the, on the internet and you can see it.
Mike Saylor:
They'll, they will still deny to the nth degree that they were not compromised,
Mike Saylor:
that they did not get that data from us.
Mike Saylor:
And I was actually in a case like that with a telecom company.
Mike Saylor:
Uh, the Secret Service called us and said, actually the FBI called
Mike Saylor:
us first and said, we're seeing your client data on the internet.
Mike Saylor:
And um, this was in the, the late nineties.
Mike Saylor:
Um, we're seeing your customer's data on the internet.
Mike Saylor:
And when we started looking into it, they were all of our internet customers.
Mike Saylor:
And so we went back to our internet provider and said, it looks like all
Mike Saylor:
this data's coming from you, and they denied it. Well, Secret Service got
Mike Saylor:
involved, uh, due to jurisdiction.
Mike Saylor:
It was different states and different things.
Mike Saylor:
And so we went, we actually went to that company, uh, onsite with the
Mike Saylor:
Secret Service and said, we're here to talk about this, that, and the other.
Mike Saylor:
And well, it wasn't us.
Mike Saylor:
Uh, it, it didn't come from us.
Mike Saylor:
Well, all the data that we were seeing, and it's not just related
Mike Saylor:
to you, it's got metadata in it.
Mike Saylor:
That said it did come from you.
Mike Saylor:
No, it didn't.
Mike Saylor:
Well, we're not leaving until we talk to somebody, so they
Mike Saylor:
put us in this conference room.
Mike Saylor:
And locked us in there.
Mike Saylor:
Didn't let us out to go talk to anybody.
Mike Saylor:
And we had to, like, someone would come in and say, what do
Mike Saylor:
you want to, what do you need?
Mike Saylor:
And we would say it.
Mike Saylor:
And they would go out and, and look, uh, or, or collect that for us.
Mike Saylor:
And, uh, sometime during the day, I asked if I could plug into their, their
Mike Saylor:
wall jack and, uh, so I could have internet access to, to check email.
Mike Saylor:
And they said, sure.
Mike Saylor:
Well, I started running, running a, a network sniffer, uh, capturing network
W. Curtis Preston:
you did.
Mike Saylor:
And, and back in the day they were using, uh, ICQ,
Mike Saylor:
the, the chat, the chat app.
Mike Saylor:
And I was capturing in plain text everything they were saying.
Mike Saylor:
And it was all about, ha ha, we've got 'em locked in the conference room.
Mike Saylor:
They'll give up talking to us at some point and just go home.
Mike Saylor:
We're not gonna give 'em anything.
Mike Saylor:
Um, tell Bob that he's safe, you know that his screw up is we're
Mike Saylor:
gonna brush it under the rug and all.
Mike Saylor:
So I remember this, this little Secret Service lady, uh, and
Mike Saylor:
I say she really was little.
Mike Saylor:
She was like five feet tall.
Mike Saylor:
Um, her name was Kim.
Mike Saylor:
She kicked the conference room door open and it was, it was the door that
Mike Saylor:
opened in, but she kicked it out.
Mike Saylor:
I mean, she.
Mike Saylor:
She knew how to kick a door and she kicked that door and said, I need
Mike Saylor:
the executive team in this office right in front of me in the next five
Mike Saylor:
minutes or people are going to jail.
Mike Saylor:
And she took control.
Mike Saylor:
And, and it was probably, uh, maybe later that year, we actually
Mike Saylor:
caught the hacker that did that.
Mike Saylor:
His name was Matthew Freeze.
Mike Saylor:
He, uh, we caught him in Corpus Christi with the Sheriff's Department.
Mike Saylor:
Uh, he's in, I think he's still in jail.
Mike Saylor:
Um, But I went down to interview Matt Freeze, uh, and uh, thinking
Mike Saylor:
I was gonna have a chance to talk to him about how he did it and get
Mike Saylor:
the, the, the verbal confirmation that it did come from this company.
Mike Saylor:
'cause they're still denying it.
Mike Saylor:
And, uh, I was there for nine hours waiting in line of, uh, more important
Mike Saylor:
people than me to talk to this guy.
Mike Saylor:
He had hacked NASA and Department of Defense and
Mike Saylor:
Library of Congress, all these other people were there to ask him how he
Mike Saylor:
did what he did and get his confession.
Mike Saylor:
And so I ended up giving my list of questions to a Homeland Security guy.
Mike Saylor:
Back then, it wasn't called Homeland Security, it was, uh, uh, ICE.
Mike Saylor:
Um, and so I got, I got his confession that way.
Mike Saylor:
But, uh, I, I'm, I'm not even sure why, how we got, oh, uh, people
Mike Saylor:
saying that they weren't hacked.
Mike Saylor:
Even though you've got all the evidence points,
W. Curtis Preston:
Right, right.
W. Curtis Preston:
Well, that's, that's a great story with the, with, with a, with a great climax.
W. Curtis Preston:
I love the, the agent kicking down the door.
W. Curtis Preston:
Uh, yeah, that must have been something to be there.
W. Curtis Preston:
Um, so, so let me, let, let me do a change of tack here.
W. Curtis Preston:
So, you know, let's say we're a company, we have done.
W. Curtis Preston:
From a, so we, you know, we have, we have an incident response plan, right?
W. Curtis Preston:
We, we've, we've decided whether or not we're gonna contact law enforcement.
W. Curtis Preston:
We, um, we did all of the things that a cybersecurity company asked
W. Curtis Preston:
us to do in terms of prevention and, and, and all of those things.
W. Curtis Preston:
Um, what one, one thing I am
W. Curtis Preston:
interested in is obviously we, we spend a lot of our time with
W. Curtis Preston:
talking about ransomware, right?
W. Curtis Preston:
And the, and I understand that ransomware really in the end is
W. Curtis Preston:
just a payload of a, a much bigger cybersecurity problem, right?
W. Curtis Preston:
Um, what I'm seeing a lot is that I, I, I'm reading that now.
W. Curtis Preston:
I think it was like more than 90% of what we used to just call ransomware
W. Curtis Preston:
attacks are really exfiltration attacks accompanied with ransomware.
W. Curtis Preston:
Right.
W. Curtis Preston:
Um, and so I, I have a couple of, you know, sort of questions about.
W. Curtis Preston:
Uh, starting with, you know, given the way, the way a typical
W. Curtis Preston:
ransomware attack happens, right?
W. Curtis Preston:
You've got your, the, the initial, um, uh, I forgot what
W. Curtis Preston:
actually what the world calls it.
W. Curtis Preston:
The, the initial access broker, right?
W. Curtis Preston:
You get the initial access broker, then you get somebody that's in there
W. Curtis Preston:
and they start probing around, right?
W. Curtis Preston:
They start seeing how they can, you know, how they can get around.
W. Curtis Preston:
And then my understanding is as soon as they can, they start exfiltrating data.
W. Curtis Preston:
So my question is, it is sort of two questions.
W. Curtis Preston:
you know, beyond the usual, you know, there are some things, you
W. Curtis Preston:
know, there are some things that we know we should all be doing, right?
W. Curtis Preston:
You know, in terms of password management and MFA and, um, you
W. Curtis Preston:
know, all, all of those you, you know, and, and, and, uh, patch management.
W. Curtis Preston:
Um, can you think of some things
W. Curtis Preston:
that a company that wants to take that next step, things that,
W. Curtis Preston:
that, that could either stop, um, lateral movement number one.
W. Curtis Preston:
And then, and then just as importantly, if not, if not more
W. Curtis Preston:
importantly, exfiltration of data.
W. Curtis Preston:
That was a really long question.
W. Curtis Preston:
Sorry about that.
Mike Saylor:
And, and I had so many things I wanted to chime in with that.
Mike Saylor:
I've, I've lost some of them, but, uh, I'm, I'm glad you, I'm glad When you
Mike Saylor:
said typical ransomware, you didn't go down, they, they clicked on an email.
Mike Saylor:
'cause that's not typical anymore.
Mike Saylor:
That's, that's statistically the,
Mike Saylor:
probably the higher probability of success, but in a lot of cases
Mike Saylor:
it's just that user that gets compromised, not not the whole company.
Mike Saylor:
So you're right, typically the, the enterprise, uh, scale attack
Mike Saylor:
is, uh, via some either access broker or the ransomware campaign.
Mike Saylor:
Uh, has, you know, their own.
Mike Saylor:
Uh, squad of pen testers that are finding ways into environments, but you're right.
Mike Saylor:
So typically it is access to the environment that then, you know, as
Mike Saylor:
far as the phases of attack goes, then they start, uh, the reconnaissance.
Mike Saylor:
Uh, to answer your question about, um, how do we, how do we
Mike Saylor:
address the exfiltration piece?
Mike Saylor:
Um, my favorite response is it depends, and I say that a lot in a lot of
Mike Saylor:
different scenarios and, and, Uh, and it's for good reason because it
Mike Saylor:
really depends on the organization.
Mike Saylor:
And so each company needs to go through an exercise of figuring out what's important
Mike Saylor:
to them and where is it because maybe your data's already exfiltrated, it's
Mike Saylor:
out in, you know, a cloud somewhere.
Mike Saylor:
So I don't even have to attack your company anymore.
Mike Saylor:
I just have to go figure out where your data is and attack that company.
Mike Saylor:
Um, and, or maybe it's a partner or whoever, and there's
Mike Saylor:
tons of examples of, of
Mike Saylor:
bad guys
Mike Saylor:
figuring out where the, where the important stuff is and making best
Mike Saylor:
use of their time and resources.
Mike Saylor:
So, so it really does depend on the organization, uh, understanding
Mike Saylor:
your technology stack, your architecture, your culture.
Mike Saylor:
Uh, and then obviously where is your stuff?
Mike Saylor:
Is it data?
Mike Saylor:
Is it a system, is it a service?
Mike Saylor:
Uh, because that's what bad guys are gonna figure out when
Mike Saylor:
they're doing the reconnaissance.
Mike Saylor:
They're looking for, you know, who is this company?
Mike Saylor:
'cause in a lot of cases, they don't, they didn't specifically attack you.
Mike Saylor:
Uh, they just, they were running some tools and found a vulnerability and
Mike Saylor:
they picked at it, and now they've got access to some company's network.
Mike Saylor:
So they've gotta figure that out first.
Mike Saylor:
Once they figure out who you are, they wanna figure out what you do.
Mike Saylor:
Uh, where, where is your important stuff?
Mike Saylor:
Including your backups.
Mike Saylor:
Uh, and then to some degree, they're also looking for your financials and if they
Mike Saylor:
can find a copy of your insurance, uh, policy, all these things, well, all right.
Mike Saylor:
So depending on the company, uh, and, and your organization's particular situation,
Mike Saylor:
um, there are ways of addressing.
Mike Saylor:
Uh, the data exfiltration problem, one of those is, well, let's put our ti
Mike Saylor:
put tighter controls around our data.
Mike Saylor:
And that includes like data integrity, monitor file integrity monitoring, um,
Mike Saylor:
restricted access, network segmentation, firewall rules that throttle, you know,
Mike Saylor:
data uploads or alerts of, of doing so.
Mike Saylor:
Um, but I did wanna address one, um, one comment you made.
Mike Saylor:
How do we prevent this from happening?
Mike Saylor:
And I really think
Mike Saylor:
people need to stop thinking about preventing it and start looking at
Mike Saylor:
ways of identifying it as soon as possible with either automated or
Mike Saylor:
human response as soon as possible.
Mike Saylor:
Uh, and then how do we collect all the information we need to make sure
Mike Saylor:
that we understand how it happened, what they did, and, and capture
Mike Saylor:
what we did to respond to that.
Mike Saylor:
And so that's very important, uh, for a lot of different reasons.
Mike Saylor:
One, if you put too much, uh, emphasis on prevention, then
Mike Saylor:
a couple of things are gonna happen.
Mike Saylor:
One, you've, you've invested a lot of money that could be more appropriately
Mike Saylor:
used in identification and response.
Mike Saylor:
Uh, two, you're very likely going to become complacent thinking that you've
Mike Saylor:
got everything in place you need, and that's not gonna happen to us.
Mike Saylor:
And then lastly, a lot of those preventative controls don't do
Mike Saylor:
the data collection necessary to figure out how things happened.
Mike Saylor:
Um, and, and we get asked a lot.
Mike Saylor:
We had this incident and all we need to know is, is there
Mike Saylor:
evidence of data exfiltration?
Mike Saylor:
Because that's all we have to report.
Mike Saylor:
So what we had ransomware, so what we had a breach.
Mike Saylor:
If there was no data taken, then we don't have to report it.
Mike Saylor:
Okay, great.
Mike Saylor:
Well, let's look at your technology stack and, and the things that you have
Mike Saylor:
that would've collected that information and they didn't have anything or what
Mike Saylor:
they have wasn't configured well.
Mike Saylor:
And so we didn't have the information to, to determine whether or not
Mike Saylor:
data was exfiltrated to any degree.
Mike Saylor:
Uh, so we could see the, the network connections and the sessions, uh,
Mike Saylor:
but we couldn't see, uh, the data throughput or, or even what the data was.
Prasanna Malaiyandi:
so.
Prasanna Malaiyandi:
In that case though, Mike, is it you have to assume worst case, that there
Prasanna Malaiyandi:
was personal data or other things that was exfiltrated or is it, I don't
Prasanna Malaiyandi:
know what was happened, so I'll just say I don't know or nothing happened.
Mike Saylor:
There's a couple of things there too.
Mike Saylor:
Uh, so I mean, fundamentally, all of your data should be encrypted as often as it
Mike Saylor:
as it can be, uh, at rest, in transit.
Mike Saylor:
Um, so that if it is exfiltrated, you, you, you were diligent protecting your
Mike Saylor:
data so that if it was stolen, there's a small likelihood that it's even usable.
Mike Saylor:
Well, not usable within, you know, relatively, you
Mike Saylor:
know, 10 years or whatever.
Mike Saylor:
Right.
Mike Saylor:
Um, so encryption is very important from a diligence perspective.
Mike Saylor:
Well then in the absence of evidence that data was exfiltrated, um,
Mike Saylor:
and this is something you have to work with your legal counsel on.
Mike Saylor:
How do we then word our communication, uh, to employees or clients or even the state
Mike Saylor:
or regulatory agency about what happened?
Mike Saylor:
And very often it is, uh, stated similar to, uh, no evidence was found to support.
Mike Saylor:
Right.
Mike Saylor:
So it's not yes or no, it's, we didn't find anything that said it did happen.
W. Curtis Preston:
Yeah.
W. Curtis Preston:
We've talked about a number of those incidents.
Prasanna Malaiyandi:
Yeah.
W. Curtis Preston:
We, we have no evidence that that data was stolen.
W. Curtis Preston:
That because we had really bad tracking mechanisms that would
W. Curtis Preston:
give, that would tell us that data.
Mike Saylor:
and it, and it also depends on the threat actors.
Mike Saylor:
There are some threat actors that have a, uh, You know, a good
Mike Saylor:
reputation if you can have one.
Mike Saylor:
Uh, as a, as a threat actor that says, you know, they, they live by their code,
Mike Saylor:
and their code is, you know, if we steal your data, uh, you have, let's just say
Mike Saylor:
three days to acknowledge that you were breached and then you have, uh, and then
Mike Saylor:
we'll, we'll submit to you an offer.
Mike Saylor:
Uh, so you ransom note, and if so, first, if you, if you acknowledge that you are,
Mike Saylor:
were attacked and you contact us within three days, then we won't put your company
Mike Saylor:
on the wall of shame, which is a public indication that you were compromised.
Mike Saylor:
And, and people that know us know that we have some or all of your data.
Mike Saylor:
So we won't do that, and then we'll give you the ransom note.
Mike Saylor:
And if you pay that ransom note, or if we start these negotiations and we get,
Mike Saylor:
we go through this process and you pay us, then we promise to, to destroy all
Mike Saylor:
your data and, and keep it confidential and we'll even give you good tech
Mike Saylor:
support while you're trying to recover.
Mike Saylor:
Um, and so I've been through a variety of, of, of those types of incidents, seeing
Mike Saylor:
the, the gamut of, uh, bad actors that
Mike Saylor:
aren't very well organized and don't care, uh, all the way up through
Mike Saylor:
the very organized ones that, that operate like a, like a business and
Mike Saylor:
they've got good customer support or, you know, as good as it can be.
Mike Saylor:
Um, but, um, I will say that, you know, there is a trend towards
Mike Saylor:
data exfiltration with ransomware.
Mike Saylor:
Uh, there's, there's a still a large um, A large occurrence of ransomware where
Mike Saylor:
they don't care about your data, they just wanna make sure you're all locked up.
Mike Saylor:
And that's what they're gonna use for leverage to get you to pay.
Mike Saylor:
Because there's also the, the on the backside of that, even though threat
Mike Saylor:
actors are very risk averse, there's less risk from a, a consequence
Mike Saylor:
perspective, a prosecution perspective of just compromising your network
Mike Saylor:
and, and encrypting your stuff.
Mike Saylor:
Sure, I'll get in trouble.
Mike Saylor:
Sure.
Mike Saylor:
I'll get jail time and all this stuff, but if I also steal your data,
Mike Saylor:
especially if it's regulatory data, healthcare, PII, whatever, that's
Mike Saylor:
additional charges if I get caught.
Mike Saylor:
And so in a lot of cases, similar to the data access brokers, you
Mike Saylor:
also have, um, uh, network access brokers in addition to them.
Mike Saylor:
You also have the data brokers.
Mike Saylor:
So you've got the, and so it's this whole ecosystem.
Mike Saylor:
All right, so who do I know?
Mike Saylor:
Who, who can I pay to compromise your network?
Mike Saylor:
Alright, got that.
Mike Saylor:
I have the access.
Mike Saylor:
Who can I pay to develop the payload?
Mike Saylor:
Alright, got that.
Mike Saylor:
So payload's in there, ransomware's running, and now we've got
Mike Saylor:
their environment locked up and we've got this data set.
Mike Saylor:
I don't want the data set 'cause I don't want to get caught with it.
Mike Saylor:
So now I gotta find a data broker that will buy it from me, who knows how
Mike Saylor:
then to kinda like diamonds, right?
Mike Saylor:
I bought the raw diamonds, I gotta find a diamond cutter and then I
Mike Saylor:
gotta find a diamond distributor.
Mike Saylor:
And, you know, everybody makes their own cut.
Mike Saylor:
Um, so there isn't, there are uh, uh, there's still a large volume of, of
Mike Saylor:
attacks where this eco, this whole ecosystem comes into play and, and you're
Mike Saylor:
just, Depending on where you, where you catch the attack, you're dealing
Mike Saylor:
with different, um, threat actors.
W. Curtis Preston:
Yeah, that, that's interesting.
W. Curtis Preston:
I wasn't aware.
W. Curtis Preston:
Um, you know, it sounds like it's kind of like felony murder, right?
W. Curtis Preston:
Where, you know, like, um, it, it makes it worse, right?
W. Curtis Preston:
You killed somebody, but you killed somebody in the
W. Curtis Preston:
commission of another felony.
W. Curtis Preston:
It makes it, it makes it worse.
W. Curtis Preston:
Um, the, um, Um, and so like, even if you didn't mean to kill them, right.
W. Curtis Preston:
That's my understanding.
W. Curtis Preston:
Like even if it, if it would otherwise be considered like accidental homicide
W. Curtis Preston:
or whatever, that because you, it happened in the commission of a
W. Curtis Preston:
felony, it makes it felony murder.
W. Curtis Preston:
Um, that, that is an interesting concept.
W. Curtis Preston:
Um, I, I, I, by the way, Mike, even though it sounds like maybe I was saying
W. Curtis Preston:
differently, I completely agree with you with sort of the, the assumed breach
W. Curtis Preston:
concept, right?
W. Curtis Preston:
That you need to spend, you need to be just as good if not better, with
W. Curtis Preston:
detection and response, uh, and recovery than the prevention aspect, right?
W. Curtis Preston:
Um, you know, having said that, there's nothing wrong with, with
W. Curtis Preston:
an ounce of prevention, right?
W. Curtis Preston:
Um, and that's why, um, I, I just, it, it bothers me.
W. Curtis Preston:
Like, on, on one hand we talk about some of the advanced things that you
W. Curtis Preston:
could do to, to help, but most people I.
W. Curtis Preston:
Um, you know, such as preventing, preventing lateral movement
W. Curtis Preston:
between systems that don't need to have lateral movement, right.
W. Curtis Preston:
Um, the, there's nothing wrong with that, but you're right, there's a cost and of
W. Curtis Preston:
doing it initially, there's a cost of maintaining that and there's a cost of.
W. Curtis Preston:
Of, you know, well, cybersecurity is always a pain, right?
W. Curtis Preston:
The be the more security you have, the harder it's to do your job.
W. Curtis Preston:
Right?
W. Curtis Preston:
Unless you're the si the sc the cybersecurity guy.
W. Curtis Preston:
Um, the, um, uh, I had a point, I was on my, I was on my way to
W. Curtis Preston:
a point and it seems to have,
Mike Saylor:
that's why secure, that's why convenience stores are
Mike Saylor:
robbed more than security stores.
W. Curtis Preston:
I see, I see what you did there.
W. Curtis Preston:
Um, the, um, The, uh, let's talk about response and recovery.
W. Curtis Preston:
Um, the, which is generally what we end up talking most of our time about here.
W. Curtis Preston:
What do you think is, you know, we talked about the things that you
W. Curtis Preston:
need to do in advance, establishing a communication with the FBI or other law
W. Curtis Preston:
enforcement, um, you know, establishing a relationship with somebody like yourself.
W. Curtis Preston:
Um, you know, so, so that you're not, you're not making that conversation the
W. Curtis Preston:
first time in the middle of an incident.
W. Curtis Preston:
What else do you think people need to do to be ready to respond,
W. Curtis Preston:
uh, in, in a cyber attack?
Mike Saylor:
Well, I think, uh, ex tabletop exercises are a great way to kind
Mike Saylor:
of ferret that out for your organization.
Mike Saylor:
Sit down with as many people in your company as you can.
Mike Saylor:
I mean, a lot of IT departments are like, let's just do it with us first so we don't
Mike Saylor:
look stupid in front of everybody else.
Mike Saylor:
And that's fine.
Mike Saylor:
You know, you know, have a, have your, have your, you
Mike Saylor:
know, red, blue or red white.
Mike Saylor:
You know, scrimmage game, um, but then involve as many people as possible.
Mike Saylor:
And I've seen this be so successful.
Mike Saylor:
Um, and, and even involve your insurance broker and your outside counsel and invite
Mike Saylor:
the FBI, invite the Secret Service, um, have this exercise and, and pick a topic.
Mike Saylor:
Um, and whether you do it yourself or, or, you know, look for a moderator.
Mike Saylor:
Uh, and there's a lot of good moderators out there.
Mike Saylor:
I'm, I, I do these all the time.
Mike Saylor:
I'm considered a breach coach.
Mike Saylor:
But then there's, there's even cybersecurity law firms that will, uh,
Mike Saylor:
will facilitate, uh, a good tabletop.
Mike Saylor:
And the idea is, let's pick a topic.
Mike Saylor:
Ransomware or intellectual property theft or,
Mike Saylor:
um, our data center gets hit by a plane 'cause we're close to an airport.
Mike Saylor:
Whatever it is, pick a topic, invite as many people as you can
Mike Saylor:
and walk through the scenario.
Mike Saylor:
Um, you know, somebody clicked the link and, and you know, they came to
Mike Saylor:
work and their desktop icons are all changed and they can't use anything.
Mike Saylor:
Well, and then we got another call and then, alright, well
Mike Saylor:
let's start with who do they call?
Mike Saylor:
Who does an employee talk?
Mike Saylor:
Who is their phone number?
Mike Saylor:
Is there an what if email doesn't work?
Mike Saylor:
Uh, so who do they call?
Mike Saylor:
And then what does that person do?
Mike Saylor:
How do we, how do we assess the situation?
Mike Saylor:
And which is, you know, kind of phase one of incident response is how do we
Mike Saylor:
categorize this event into an incident?
Mike Saylor:
Is it a non-event?
Mike Saylor:
Is it critical?
Mike Saylor:
Uh, and then that then based on your plan, would indicate
Mike Saylor:
who else needs to be involved.
Mike Saylor:
Once we categorize, once we categorize the, uh, the incident, well then,
Mike Saylor:
having as many people there as possible is, is valuable two ways.
Mike Saylor:
One, maybe you don't know who needs to be involved.
Mike Saylor:
And you can start asking all the attendees, uh, who are the right
Mike Saylor:
people, uh, because you know, I sent this email out five months ago and
Mike Saylor:
nobody's responded who the right person is, but we're all in the same room.
Mike Saylor:
Let's work it out.
Mike Saylor:
But at the same time, uh, you're gonna get some people going,
Mike Saylor:
I would've had no idea that's what's involved with doing X, Y,
Mike Saylor:
or Z unless I was in this room.
Mike Saylor:
And I'll tell you a funny story.
Mike Saylor:
We were doing a, a tabletop for a, a company, uh, I think they're in
Mike Saylor:
healthcare and part of the scenario was, uh, threat actor used the "Contact Us"
Mike Saylor:
button on their website to say, that's how they said, you
Mike Saylor:
know, we have all your data.
Mike Saylor:
Call us in three days.
Mike Saylor:
Um, and here's the information to do so.
Mike Saylor:
And so that was part of the scenario.
Mike Saylor:
So I, uh, I asked, well, who's in charge of the website?
Mike Saylor:
And there were two people in the audience and they said, we are.
Mike Saylor:
And I said, well, what would you do if you got that email?
Mike Saylor:
And they said, we'd probably delete it.
Mike Saylor:
'cause we wouldn't believe it was true.
Mike Saylor:
Well, okay, well maybe you shouldn't delete it anymore.
Mike Saylor:
You should, you know, forward that to the security team
Mike Saylor:
and let them figure that out.
Mike Saylor:
And they said, good.
Mike Saylor:
Good call, uh, good policy.
Mike Saylor:
So, but there were, there were a lot of people in the audience that said, I'm
Mike Saylor:
glad I was here because I would've had no idea that all these moving parts,
Mike Saylor:
and this is this level of effort and this stuff would, is necessary for
Mike Saylor:
responding to whatever the incident was.
Mike Saylor:
Well then, well now it's a good time to ask the insurance broker who's on the call
Mike Saylor:
or in the meeting, when do we contact you?
Mike Saylor:
And they're gonna say, well, as soon as possible.
Mike Saylor:
And, and from, from an employee, uh, company perspective, I think there
Mike Saylor:
was a misconception that calling the insurance like as soon as possible
Mike Saylor:
is somehow gonna affect your premium.
Mike Saylor:
Like, we're gonna pay more because we called you.
Mike Saylor:
Um, and that's not the case.
Mike Saylor:
They want to be involved as soon as possible to help you make the right
Mike Saylor:
decisions because you may be using third parties and buying, you know,
Mike Saylor:
going through this, this expense that, uh, may not be reimbursable.
Mike Saylor:
You know, you might not be able to get paid back for that
Mike Saylor:
if, even if your claim is,
Mike Saylor:
is accepted, but at the same time, the insurance company wants to know
Mike Saylor:
about how diligent you're being and they wanna be involved in the process.
Mike Saylor:
And that's gonna help you determine or, or hopefully help you, uh,
Mike Saylor:
towards getting your claim approved.
Mike Saylor:
Um, and then they're gonna be the ones, uh, along with your legal counsel, helping
Mike Saylor:
you make the right decisions about how to communicate, uh, situations to third
Mike Saylor:
parties and outside, you know, clients and what have you, but also internally.
Mike Saylor:
And we walked through this, just adding this real quick.
Mike Saylor:
Alright, so you've got this incident.
Mike Saylor:
And, and we did this, uh, we did a tabletop with an engineering company and
Mike Saylor:
they didn't do anything we suggested.
Mike Saylor:
And then like six weeks later, they got hit with ransomware and they
Mike Saylor:
were down for two and a half months.
Mike Saylor:
But, uh, that's the other important thing about tabletops or, or any type of
Mike Saylor:
assessment, you really need to take the remediation seriously, uh, and take action
Mike Saylor:
on those things as soon as possible.
Mike Saylor:
'cause if, if we found them, bad guys have probably found them too.
Mike Saylor:
But one of the things that we found out in a tabletop, or that
Mike Saylor:
came to mind was communication.
Mike Saylor:
Specifically internally.
Mike Saylor:
So this engineering company got hit with ransomware.
Mike Saylor:
They were down, nobody could do any work and they couldn't even email people.
Mike Saylor:
Alright, so, do you have a system, uh, that collects
Mike Saylor:
personal emails and phone numbers?
Mike Saylor:
Do you have a system where people can call in to get status?
Mike Saylor:
Like, is it a snow day?
Mike Saylor:
Uh, are we off for the day?
Mike Saylor:
Uh, is there an incident?
Mike Saylor:
When are we gonna hear an update?
Mike Saylor:
That kind of stuff.
Mike Saylor:
But then do you also have a policy that says, in the event of an
Mike Saylor:
incident, you are prohibited from discussing this stuff on social media?
Mike Saylor:
Don't put on LinkedIn.
Mike Saylor:
Oh, we had an incident today.
Mike Saylor:
I got, I guess I got the next two months off.
Mike Saylor:
Um, that you're, you've gotta contain that and or at least, uh, uh,
Mike Saylor:
define the messaging for that stuff.
Mike Saylor:
Get ahead of it.
Mike Saylor:
Uh, go ahead and make your templates for internal and external communications.
Mike Saylor:
Like, what are we gonna say?
Mike Saylor:
Well, you should, uh, plan for that now, uh, instead of wasting time during an
Mike Saylor:
incident, you know, trying to figure it out while the house is on fire.
Mike Saylor:
Um, so having said all of that, um, you know, incident response
Mike Saylor:
exercises are very valuable.
Mike Saylor:
Um, and even though you may want to have your own little huddle to figure
Mike Saylor:
out, you know, how well are we before we invite the rest of the, the crew,
Mike Saylor:
um, you should invite as many people, internal, external, subject matter
Mike Saylor:
experts, partners, um, um, as you can, uh, to get everybody, um, playing on
Mike Saylor:
the same team, on the same field they show up for at the, at the right time.
Mike Saylor:
Um, and they have an idea of what the playbook is.
W. Curtis Preston:
Wow.
Prasanna Malaiyandi:
Wow, that's, yeah, very detailed.
Prasanna Malaiyandi:
And like you mentioned, it's sort of plan ahead of time, right?
Prasanna Malaiyandi:
I'm sure there are so many companies where it's like, Hey, ransomware
Prasanna Malaiyandi:
hits, or we have an incident.
Prasanna Malaiyandi:
It's just IT and the security org that's dealing with this, right?
Prasanna Malaiyandi:
But like you mentioned, there's so many other folks involved.
Prasanna Malaiyandi:
And just knowing who those people are, especially if you're a large company, you
Prasanna Malaiyandi:
don't know, like one department doesn't know who the other department is even.
Prasanna Malaiyandi:
Right.
Prasanna Malaiyandi:
And having that.
Mike Saylor:
We had a situation where for, for four days, we were operating under
Mike Saylor:
the un, uh, assumption that they only had a, uh, $3 million cyber insurance policy.
Mike Saylor:
So we were restricting, uh, who was involved to restrict
Mike Saylor:
the expense and the overhead.
Mike Saylor:
Uh, and it wasn't until we were on a, uh, I think it was like 11
Mike Saylor:
o'clock at night on a Sunday, we were on a, an update call and we were
Mike Saylor:
talking about this $3 million policy.
Mike Saylor:
When someone walks, I could see them walk behind the person talking on the
Mike Saylor:
camera, and they go, we have 6 million.
Mike Saylor:
Like, what?
Mike Saylor:
What do you mean?
Mike Saylor:
We have two $3 million policies?
Mike Saylor:
And nobody knew that.
Mike Saylor:
Nobody else, but this person knew that.
Mike Saylor:
And that completely changed.
Mike Saylor:
We're like, well, look, we need to start getting more resources in here.
Mike Saylor:
You know, call, call the big brand response teams and all.
Mike Saylor:
So that really changed the game because that just happened to come out in a
Mike Saylor:
meeting without, you know, everybody else being really aware of, uh, Yeah.
Mike Saylor:
And the other bad part of that situation, uh, unfortunately, was that,
Mike Saylor:
uh, they had $6 million in coverage.
Mike Saylor:
But what they didn't also know is that it was a self-funded insurance policy.
Prasanna Malaiyandi:
Uh,
Mike Saylor:
So they were paying into that over, over time and the
Mike Saylor:
insurance company said, we'll cover you, uh, if the day comes, but then
Mike Saylor:
you've gotta pay it back pretty much.
Mike Saylor:
And so, um, they didn't know that either.
Mike Saylor:
So a lot of things
Prasanna Malaiyandi:
Read your
Prasanna Malaiyandi:
policy.
Prasanna Malaiyandi:
Yeah.
W. Curtis Preston:
they found that out.
W. Curtis Preston:
Um, well, listen, um, wait, I'm, did I mute myself?
W. Curtis Preston:
No.
W. Curtis Preston:
There.
W. Curtis Preston:
I muted.
W. Curtis Preston:
Okay.
W. Curtis Preston:
Sorry.
W. Curtis Preston:
Um, listen, Mike, we could talk all day.
W. Curtis Preston:
I, I, I love the stories by the way.
W. Curtis Preston:
I,
Prasanna Malaiyandi:
eh.
W. Curtis Preston:
you know, you, you know me, Prasanna, I'm, I'm a
W. Curtis Preston:
storyteller myself, and I, I think nothing, nothing tells the story
W. Curtis Preston:
like a good story, you know, nothing, nothing drills that point home, uh,
W. Curtis Preston:
better than a good story, for sure.
W. Curtis Preston:
Um, and I, I love hearing
W. Curtis Preston:
from these real incidents, uh, what, you know, what, what I'm hearing?
W. Curtis Preston:
So I, I like, you know, the things that I picked up here.
W. Curtis Preston:
First off, I like the amount of time we spent on the FBI,
W. Curtis Preston:
uh, Infragard program.
W. Curtis Preston:
Uh, I definitely wanna look more into that and I think the listeners
W. Curtis Preston:
should look more into that.
W. Curtis Preston:
And I like this idea, uh, and of, of using them as a way to establish those
W. Curtis Preston:
communication channels before an event.
W. Curtis Preston:
Um, and I like the idea of, well, you know, we, we, we always promote
W. Curtis Preston:
the idea of, of tabletop exercises and, um, you know, in, in my
W. Curtis Preston:
world, you know, we call them DR,
W. Curtis Preston:
DR exercises, right, back before the, the cyber world was also
W. Curtis Preston:
attacking backup systems.
W. Curtis Preston:
Um, so I, you know, I think this has been a great conversation, Mike.
W. Curtis Preston:
So I want to thank you for coming on.
Mike Saylor:
Certainly.
W. Curtis Preston:
And, uh, Prasanna once again, as always,
W. Curtis Preston:
you with your, with your wisdom.
Prasanna Malaiyandi:
Yeah, anytime Curtis, and I hope you'll be ordering a chair
Prasanna Malaiyandi:
or at least, or uh, browsing chair soon.
Prasanna Malaiyandi:
And Mike, thank you for the info.
Prasanna Malaiyandi:
I.
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
It's always fascinating hearing these real life stories because that's something
Prasanna Malaiyandi:
that you don't hear about, right?
Prasanna Malaiyandi:
What did people experience and what was it like going through?
Prasanna Malaiyandi:
It's just like what you read, like reading the Cuckoo's Nest or Cuckoo's Egg, right?
Prasanna Malaiyandi:
It's like those are the types of stories that are interesting that
Prasanna Malaiyandi:
you learn from, especially new people in this space, like myself, right?
Prasanna Malaiyandi:
Where it's like, hey, what really goes on behind the scenes and
Prasanna Malaiyandi:
what does it take to recover?
Prasanna Malaiyandi:
So thank you for sharing.
Mike Saylor:
Certainly.
Mike Saylor:
Yeah.
Mike Saylor:
I've got stories all day.
W. Curtis Preston:
Sounds like
Prasanna Malaiyandi:
Speaker:
we'll have you back on.
W. Curtis Preston:
Yeah, you and me over beers, Mike, nobody would
W. Curtis Preston:
ever get the word in edgewise.
W. Curtis Preston:
And once again, I want to thank our listeners, uh, and remember to subscribe