=====================DESCRIPTION===============
Detecting ransomware requires more than just good antivirus software - it demands a comprehensive approach using multiple tools and techniques. In this episode of The Backup Wrap-up, security expert Mike Saylor breaks down the essential components of ransomware detection, from endpoint protection to network monitoring.
Learn about the latest detection tools like XDR, EDR, and SOAR, and discover why many organizations might benefit from working with a managed security service provider. We discuss real-world examples of ransomware detection, including unusual signs that might indicate an attack in progress. Whether you're managing IT for a small business or an enterprise organization, this episode provides practical insights into detecting ransomware before it's too late.
You found the backup wrap up your go-to podcast for all things
backup recovery and cyber recovery.
In this episode, we tackled the critical challenge of detecting ransomware
before it wreaks havoc on your systems.
I've got Dr.
Mike Saylor from Black Swan Security here to break down the
various tools and techniques that you need to know about from XDR
to Soar and everything in between.
We're diving into real world examples of how ransomware gets spotted,
what signs to watch for and why you might want to think twice about
handling this stuff on your own.
Of course, Prasanna joins us too as we explore why that weird network traffic
might be more sinister than you think.
By the way, if you don't know who I am, I'm W. Curtis Preston, AKA Mr.
Backup, and I've been passionate about backup and recovery for over 30 years.
Ever since.
I had to tell my boss that we had no backups of the production
database that we had just lost.
I.
I don't want that to happen to you, and that's why I do this podcast.
On this podcast, we turn unappreciated backup admins into Cyber recovery heroes.
This is the backup wrap up.
Welcome to the show.
If I could ask you to take a quick second and subscribe or follow us wherever
you watch or listen to the podcast.
Remember, you can watch us on YouTube or you can follow us on
any of your favorite, uh, podcast platforms, uh, with the same name.
Uh, the backup wrap up.
I am W. Curtis Preston, AKA Mr.
Backup, and I have with me a guy who just for some reason wants
to know how, how much, how much Dexter I watch, Prasanna Malaiyandi.
How's it going?
Prasanna.
I am good, Curtis.
Yeah.
Uh, Dexter is a great show.
It's been a while since I've watched it.
I've, I.
Here's the thing.
Some shows I'll go back and rewatch
some shows.
I'm kind of on the fence whether I wanna go back and dedicate
that much time to watching.
And
there are some really, really good shows.
Like I know you just recently rewatched Breaking Bad.
Yeah,
are currently rewatching West Wing at the same time that you are
watching Dexter.
yeah,
there
And I totally get it.
But yeah, it's just one of those things like, it's such an amazing show.
I don't wanna be.
I don't wanna ruin that memory that I have.
The first time I watched the show.
It is a really good show.
Um, it, it's a very dark show, right?
Um, you know, I tell people, you know, you, you have to ask yourself
whether or not you think you could root for a serial killer, right?
If you don't think in your wildest imagination that you could root for a
serial killer, it's probably not for you.
Um, even if he's a good serial killer, um, you know, with a code.
Um, although, you know, in the episodes that I'm starting to get
to, he's starting to break the code.
No spoilers.
Yeah.
Anyway, um, spoilers, but, um, but yeah, every time I talk to you, you're like, uh,
how many episodes of Dexter did you watch?
It does give you some great ideas on potentially how to get away with a murder.
Yeah,
Just saying.
that's why, that's why, uh, I, I had somebody heard, so, you know, like
for some reason women really like the, like the murder podcasts, right?
And, and guys are like, yeah, it's training.
But anyway, uh, it's time to bring on our, uh, our guest.
Once again, our resident cybersecurity expert, CEO of Black Swan Security.
Mike Saylor.
How's it going, Mike?
It is going well guys.
Thanks for having me.
Do you watch Dexter?
I've watched, I've watched some Dexter.
I, it's, it's not, uh, it's not on my binge list, but I've, I've watched it.
It's a good, it's a good show.
But hey, we're not here to talk about death and dismemberment.
We're talking, talking about something just as horrible ransomware.
Um.
Uh, you know, how's it, how's it been going?
You, you've been, I don't know, the last time I talked to you, you were
knee deep in, in an incident, but that's probably, uh, a Tuesday for you.
Uh, it's usually Thursdays,
Yeah.
Oh,
guy, bad guys.
You know, talking about, uh, bad guys with, with ethics, they try to
give you the benefit of the weekend,
So nice of the.
Yeah.
Yeah.
Do you, do you ever get weekends off or are you often, you know, in the,
in the throes of one of these things?
No, there, there's quite a few weekends off.
Um, depending on how well prepared, uh, an organization is, you know, if
it happens on Thursday and yeah, there, there's some things that they'll have
to address maybe over the weekend, but for the most part you can get 'em.
I.
Get 'em secured and triaged, uh, you know, midnight Friday night and, you know, they
may have to rebuild re-image and redeploy over the weekend, but that's, that's kind
of, uh, you know, the incident response.
Uh, specialists and leads have, have done their job and putting the fire out.
Um, so it's, it's usually a, we get a call on Thursday and we work the weekend.
We get a call on Thursday and we're, we, we try to get it.
Handled by the weekend, or we get a call during the weekend.
Uh, so some Sunday afternoon is another good, uh, another common phone call.
Um, so, you know, if, if the Cowboys are playing, that's a good distraction.
Uh, I'd rather, I'd rather, I'd rather deal with ransomware than watch
that game, uh, in a lot of cases.
So, no.
you, at least you have a football team.
I live in San Diego.
We used to have a football team.
They moved up to Los Angeles and um, I, I call 'em the who, you know,
if people are like, oh, do you, do you still follow the Chargers?
And I'm like, the who?
Right.
Yeah.
So at least you got a team.
So this week I wanted to talk about.
The actual phase or you know, whatever the things that we need to
do in order to detect ransomware.
And I remember talking about this a little bit with you before, but can
you, um, aside from like a, a SIEM/SOAR tool, sort of going off and noticing
something, can you think of weird things that have happened in people's
environments where it ended up being.
The ultimate thing was they were actually under a ransomware attack.
You know what I'm saying?
Like, like for some reason the, you know, the company dishwasher stopped working
and uh, you have weird stories like that.
Uh, I, I do.
And so there, there are, there are, there's malware.
There's a category of malware called polymorphic.
So it, it, it changes.
Uh, some of that change depends on what the malware
has identified as, as its host.
And so there, there is a strain.
There are strains of malware that are specific to certain, you know, they're,
they're targeting specific, uh, devices.
Um, we saw this with Stuxnet.
Uh, we saw it with, uh, point of sale specific malware.
Uh, and now there's ransomware that is looking for specific.
Uh, specific hosts.
It doesn't want to trigger the ransomware on, on an invaluable host.
Like, I don't care if that's got ransomware, just throw it out the window.
Uh, but, and then tip, its, tip its cards to what it, you know,
the, the attackers are doing.
They don't want to trigger the alarms before the, the, the jewels are stolen.
So there, there are kind of your, your.
Your analogy to the dishwasher's not working anymore.
If it's a smart dishwasher, it could very well start to malfunction or perform
poorly if malware is interrogating it to determine if it's its target.
Uh, there's even malware, uh, the ransomware that,
that cleans up after itself.
So maybe it gets to the dishwasher and decides, well, this is a
dishwasher and it moves on.
Well, as it moves on, it deletes.
Its, you know, it cleans up after itself.
So when you go look at the, at the dishwasher, you, you're like, I
don't, I don't know what caused that.
But,
Seems to be working fine now.
more, more often than not, it's, it's user feedback about, you
know, complaining about their.
their computer running slowly, or, you know, I can't watch
Netflix at lunch anymore.
Um,
Dexter.
No Dexter at lunch.
right.
So it it's usually it's system, you know, performance degradation or, or.
Um, just weird stuff.
Symptoms, uh, weird symptomatic stuff that usually get, uh, you get
notifications on to determine, well, that's weird, but then you go look
at it and there's nothing there.
Well, it's, well forensically you can still see some stuff, but at
the, you know, kind of the, the surface level, you're like, I
don't, there's no malware here.
Um.
but in that case though, like I'm guessing that that user would call
their IT help desk and the IT TA person would probably take a look and
be like, oh yeah, nothing happened.
And then they'd probably just close it and move on.
Right.
Very like does, how often does it really get escalated?
Be like, Hey, that seems weird.
Let's figure out like, is there a security issue or something else?
It, it, the, the frequency or the, or I guess the likelihood that that
gets escalated is, is almost directly related to whether or not they've
had to deal with it in the past.
So if you've had ransomware, you're a little more diligent and
suspicious of weird stuff happening.
Like, all right, well we've had, we don't wanna go through that again.
Uh, I'm gonna, I'm gonna take every call about weird stuff happening as
if it might be ransomware or some other malware versus an environment
where maybe they haven't had the, put a fire out or go through that.
They're, they're, they're a little more skeptical about, you
know, that's just user error.
Or, you know, it's, it's Tuesday.
Uh.
do and do anybody, um, does anybody ever report actually seeing, like
someone taking over their desktop?
Like they're, they happen to see mouses moving around or
windows opening and closing?
Do they see that?
We have, we have worked a few, uh, one was a, a water district, um, where they
thought they were compromised because the mouse was moving and stuff was happening.
Uh.
So we, we've seen that report that that particular incident turned
out to be, you know, Bob took the day off but forgot to do something.
So he logged in and everybody thought Bob was not there.
And so why is this mouse moving?
Uh, so that turned out to be kind of funny, but,
What we have here is a failure to communicate.
right.
Um, but then there's other cases, and this is actually a a what.
In, in the, in a corporate environment, we don't see it as often.
Uh, but small businesses and individuals often get scammed into the hole.
You've got a virus call this phone number, we then remote access into your
machine and then, you know, their access persists or, or something else happened
to, to drive that, that weird behavior.
Uh, but in a corporate environment, well, you know what, I, I take that back.
So the other problem that we've run into.
Uh, is managed service providers.
So you've got this one company that, that supports the, you
know, technology to some degree.
Whether it's everything, uh, servers and workstations and
help desk is all outsourced.
Or it's some something specific like a, like a core processing server
that does your financials if you're a credit union at, so you have
this one, one to many relationship.
You've got this one company that supports many clients and.
Uh, just human nature.
We wanna make sure that that's as easy as possible.
So what we found were what we call cons, uh, coincidental passwords.
So this one vendor uses the same credentials to log
into all of their clients.
And so what we've seen recently is, yeah, there's this remote control
stuff going on because that vendor was compromised and they didn't know it.
But now bad guys have access to the environments of all
the clients they support.
There wa there was a big, uh, there was a big one a few years ago where it was.
It was a dentist, it was a dental service provider.
I remember where they, they, they were like the software that
every dentist uses in the US and, um, it was that kind of thing.
And so basically they had, um, they were able to take control or of, of
hundreds of, uh, dentists around the US.
I remember that.
Um.
Oh darn.
My dental appointment got canceled.
you know, it's probably, it was probably a kid that didn't want to go to the dentist
and he is the one that pulled that off.
Yeah.
You know, whenever I think about the dentist, I think about
Steve Martin and, um, um, what's the, um, oh darn it, um, the.
It will come to me later.
There's a, there's a musical, it's a, it was a Broadway musical, and then they made
a movie of it starring Rick Moranis and Steve Martin plays the sadistic dentist.
Um, it's a, if you just, if you want a good laugh, go type in YouTube
and type in Steve Martin dentist.
Um, uh, yeah,
it's a good laugh.
Anyway, go
so, so what we've been talking about so far is sort of.
Users noticing something odd happening, calling in, right,
getting in, troubleshooting.
But I'm guessing though that users aren't always the best people to recognize
when things go wrong, and they're probably not always at their desk
when the bad actor is doing something.
So what happens for all those other scenarios?
So there's, there's other things that we do in a corporate environment that
we hopefully would notice weird things, our backups, our network bandwidth.
Um.
And there, there's tons of places that you can set up alerts and triggers,
uh, firewall, uh, weird IP addresses, different protocols, uh, unexpected
data going out, different ports.
Um.
There's a lot of things we could look at and, and, and it's, it's a pretty
lengthy list, but humanly possible.
Like, is there one person that's gonna go down this whole checklist every
day, you know, several times a day?
Uh, that's just not, that's not feasible.
Uh, and so you've really gotta roll that up into a tool that can automate it and
just give you a dashboard view of things.
Um.
The, the, the secret, the, the key is how many things, how
much visibility do we have?
Finding tools and the data sources and the use cases that all line up.
Like there's a, there's a ransomware use case.
All right?
So from ran, if, if we're, if, if our focus or objective
is to identify ransomware.
Then working backwards from that objective, we've gotta find the data
sources that would give us the indicators.
Uh, then we've gotta have the technology that can consume or
connect and consume that data source.
Uh, then we've gotta have some policy procedure around the source of that data.
Like, what is it?
Is it a server?
You know, uh, firewall, how's it configured?
How do we patch it?
How do we update it?
How do we back it up?
Uh, so that playbook is, is fairly extensive, but the, the detection
part of that is all about visibility.
Um, and, well, I guess fundamentally too, understanding how ransomware works.
Um, 'cause I mean, your, your smart dishwasher probably isn't gonna
get infected with, with ransomware.
Uh.
Hmm.
Not yet.
Not yet.
Uh, now your, your, your internet connected Instapot, uh, that we,
there, there's actually been at least, uh, laboratory ex uh, examples of
getting malware on your Instapot.
Uh, 'cause you can make the display say different things, or your
voting machine, I guess is a good relevant, uh, near term scenario.
Um,
Well, those should not be network connected, so hope not.
Well, we say should a lot,
people get involved and people do incon inconsistent things.
Yeah.
Um, so it's interesting, you know, our last episode was actually about
election integrity, so it's just interesting that you mention that.
Um, yeah, uh, I, I'll just say that.
Well, I.
Any voting machine that I'm aware of, the design does not have a
network connection, but we can have a whole other discussion about that.
But, um, so the, the we, we did have a discussion though sometimes, uh,
with, uh, with our red team member.
He talked about using, um, he was.
He used the television, the smart TV, in the lobby of the, um, of
the company to, you know, to, to hack the rest of the environment.
And basically he figured out what the TV was.
They bought the TV, they, you know, uh, reverse engineered it, figured out
how to, you know, how to hack it, uh, and then use that as a, you know, as
a way to bridge into the environment.
Um, but, um.
uh, so when we start talking about this, we've got to start talking about some
sort of tools that are, and there's three tools that I'm aware of and, um, you
know, which would be XDR, SIEM and SOAR.
SOAR is more about the response, right?
But XDR and SIEM tools are about the actual detection.
Did I, did I get that right?
So the, the XDR is, is the platform that you would, um, consolidate
all of your alerts and data sources from different other tools.
So it's kind of like the top, the top of your security stack.
Okay.
And then the, the SIEM is, is kind of below that.
So SIEM is one of the.
One of the feeds into your XDR platform, EDR, you know, your anti malware endpoint
stuff, that's another data source.
Um, and, and so.
I just thought all the, all the EDR tools were calling themselves XDR tools.
That
that's
And, and they're really not.
Um,
the evolution of EDR into more of a managed service is still
missing the network layer.
So the, the EDRs like CrowdStrike that say that they, they do XDR, they're,
I think they're their definition.
I think it's a terminology problem.
XDR, the extended detect respond.
Maybe they're, they're, they're expanding their visibility, uh, uh, you know,
out from just workstations and servers and they're doing some other stuff.
But really it's just the managed service and response capabilities that they're
putting on top of their EDR solution.
But they're still missing the, the east, west, you know, network traffic, NetFlow,
Okay.
Okay, so EDR.
Sorry to interrupt.
EDR would be endpoint detection response, which typically what we're
talking about there is, is like desktops and laptops and things like that.
Not so much servers.
Would that be right?
Well servers too.
I mean, you can, you can put EDR on, on servers for sure.
But not necessarily networks, like network
it, it, uh, CrowdStrike doesn't do network analysis.
And so, you know, even before, you know, the, the first, the first kind
of acronym was NDR, network layer stuff.
So that's like ExtraHop, uh, you know, NetFlow, uh, your, your router.
Tripwire type stuff.
And then, and then we have the, the anti-malware antivirus
group grew into anti-malware.
Now that's an EDR, so it's managed with, and it's really, that's,
that's a, that's not a new concept.
It's really just console view of your anti-malware deployment.
And that's been around for a long time.
Uh, but then as a managed service, we want to call it something.
So there's your EDR.
So it's more than just monitoring and managing.
It's also the ability to respond.
So now we have NDR and EDR.
Well, then MDR came into the, into play and, and the idea with MDR was now we
can look at network, primarily network, uh, and then the evolution of that.
Uh, monitor, detect, monitor, detect
Oh, okay.
like MSPs, the managed security service providers, they, they're also slash MDR.
That's, that's our, that's our, our, uh, our del our delivery service.
Uh, well then that's expanded now to say, well, I can, depending on my SIEM and
MDR was primarily just a SIEM solution.
That's, that's the top of their stack.
Well, is your SIEM technology capable of ingesting the EDR data from your
EDR console or, or your endpoints?
Uh, it was really good at NDR if, if you had the technology in your environment
to collect and provide the, the network
The
west traffic.
So even, even MDR at, at, at the beginning was just like, syslog
server events and your firewall.
And that was pretty much it.
Uh, well then.
XDR in, in every case network.
The MDR uh, component, the.
Does a little bit more than network.
And then the E-D-R-X-D-R, the idea with XDR, the extended detect is that
we can plug anything into our console.
So that's our SIEM, that's an anti malware, uh, NetFlow, uh, and even
like some XDR platforms can do like physical security devices, like
badges and motion cameras, and, um.
IoT things, uh, like, hey, my dishwasher's throwing errors a bunch.
Uh, you know, you can, I guess if there's a use case for that.
Um, so XD the idea with XDR, uh, and even, even broader than that, is an
open XDR uh, platform that just about anything you can imagine can be fed into
this thing, uh, to correlate events and, and if it's capable, develop behavioral
baselines and some other cool stuff.
So then, um, does SOAR fit into that, all of that?
So SOAR is also not a new term.
Uh, so SOAR is security orchestration and automated response.
Uh, so the idea with SOAR is that we have this playbook, and historically
it's been a manual playbook, right?
We get out the book and we look through it and say, this is what we're gonna
do in response to whatever this.
Thing is, so it could be an incident, it could be a, a malware, it could
be a stolen laptop, whatever.
You've got this playbook and, and the idea with playbooks is you assess
yourself, like our company does these things and we have these assets, and
what is the most likely impact to us?
Ransomware's at the top should be at the top of everybody's list these
days, if you're connected to the internet and have users, uh, ransomware
is just statistically more likely than a lot of other things these
days, but it could be other stuff.
You should have a playbook on, uh, denial of service if your company
relies on internet connectivity, um, for revenue and communications.
You, if you have a, a large remote workforce and they have laptops that have.
Company data on it that you should have a playbook on stolen laptops.
Is this similar to the incident response plan stuff we talked about
a couple or many episodes ago?
it is, and, uh, however, uh, SOAR, uh, traditionally and, and I was kind of,
I was getting to that the, the SOAR traditionally was more broadly defined.
So you could have something that might not be considered an incident yet.
Um, so, so, so back in the day also incorporated, well,
how do we analyze this event?
Hmm.
Uh, and then we, and then we started to developing more technical incident
response plans and programs that said, all right, that playbook is now part
of our plan, and here are the more technical, tactical things we need to do.
Well then the evolution of SOAR, uh, from a platform or technology
perspective is, all right, how do we automate some of this stuff?
Yeah.
And so there are, there are third party tools that are, so our SIEM, our
XDR platform, identified this stuff.
Uh, let's integrate this automation tool or, or we have this tool now that's,
that we can then go and, and use to say, we need to handle this, this incident.
So as an example, could it be something like, I've detected some random
network traffic on this particular client that doesn't look right.
The SOAR detects it and maybe it shuts off the network port.
Yes.
And so in the SOAR you would, you would again, define these playbooks
when this happens, do these things.
And so with ransomware as an example, if, uh, user account experiences, several
failed logins and then a successful login.
And then service, you know, anti malware is shut off on the endpoint and
there is internet traffic to geo, you know, whatever IP address, uh, around
the world do these things, right?
Disable user, revoke MFA tokens, uh, uh, shun or, or quarantine
that, that endpoint, you know, take it off the, you know, um, uh.
Block its IP address, uh, notify whoever and do these things,
and you can automate that.
Um, and it can be as, as detailed as that.
It, it could be, uh, and any variation of that.
So yeah, those, those, that's a great example of how that, that
tool and it, and it would do it so quick, like milliseconds versus the,
the human version of that is, um.
You know, your SIEM tool pops up and says, you know, you've
got something to look into.
An analyst takes 15 to 20 minutes to verify it.
Uh, we have a valid thing.
Let me escalate it to level two.
Level two looks at it, you know, another 15, 20 minutes.
Now we're looking at other, other data sources like the firewall and some stuff.
We've now validated that then we, we escalate that to the client if it's
an MSP version, uh, or, or the, the business owner or the stakeholder
in a, in a corporate environment.
Uh.
And we're waiting for a response from them to determine what to do next.
And so now that that millisecond SOAR automated response has turned into at a
minimum hour and a half, two hours, and who knows what, you know, that malware
is, especially the ones that, that, uh, can run autonomously, is our, they've
already done reconnaissance to look at what else this thing has access to.
And I've already spread and done other stuff.
Time is of the essence.
yeah.
Yeah.
So all, all right.
So let, let's say, let's say I'm a company, I'm an organization that
has none of these tools, right?
Just, and I'm, I'm listening to this episode, I'm like, holy crap.
Like, how many things do I need to buy and where should I start?
Um, I, I think that's.
I think that's where the average person might be right now.
Um, and that's where I am.
Um, I'm like, wow, that's a, that's an awful lot of tools where, you know, and,
and, and each of them thinks they're, they're, you know, well, you gotta have
this, you gotta have MDR, you gotta have XDR, you gotta have SIEM, you gotta have,
so you gotta have all these things.
And I'm sure there's an acronyms that we haven't got to, um, where,
where does, you know, I'm worried that I'm gonna get ransomware where.
Do I start with all these tools?
There's a lot of different, uh, approaches to the problem and understanding.
The problem is, is fundamentally economics, right?
I can't afford.
The people or the, the software or the whatever it is to, to
truly, um, improve my, my odds.
And that's really what it is.
I mean, you can invest everything you have in protecting yourself and
you're still a statistic at some point.
'cause bad guys are gonna figure out how to get to you.
Um, but remember that ransomware is malware.
And all malware requires user, user interaction in order to infect your thing.
So your computer, um, if it's not connected to the internet and you're not
looking at email and going to websites, you're, you're, you're good, right?
Or you're, you know, 99% there.
Uh, you also have to disable all your USB ports and Bluetooth
and all that other stuff too.
Um, which means you really can't use your, your computer for anything.
Um.
So then, but, but if you start there, all right.
If my computer's not connected to anything, what can I do?
Well, I can't do much.
Well, I need to do this thing.
Well, what do I need to do that thing?
Well, I need internet to get to this website so I can log in to do my work.
Okay, well then can we exclude the majority of other things
that you don't need to do?
Yeah.
All right.
So let's, we can write policy about that.
That's okay.
Well, what else do you need?
Oh, I need email.
I need email to be able to send and receive files and talk to people.
Okay.
Well, are there ways of restricting email's ability to, to present me with
things that, that could be a risk?
Well, yeah, that's, you know, email filtering and spam
filtering and stuff of that stuff.
Some of those tools, some of the, some of that stuff that I've
mentioned is, are probably already a capability of what you've purchased.
Like Office 365 comes with some good stuff.
They just don't do a real good job at teaching you how to,
how to use it and configure it.
And us as consumers are really poor at, at reading the manual.
Um.
comes with some other stuff that, but they do charge quite a, quite a bit for it,
They do.
And so,
um, but you know, going back to how many tools do I need to
buy, that's another decision.
Do I, do I buy more licensing and, and capabilities from this one tool?
Or do I look at, you know, what other things can I bolt
on and, and add to, to this?
Maybe it's more cost effective, but now you've got a, now you've
got overhead and having to spend more time doing these other tools,
well then all.
So you've, you've been somewhat diligent.
You've, you're, you're using your computer responsibly and you, you've
figured out how to use what you paid for, uh, to do, you know, what,
what you can with what you have.
Mm-Hmm.
Then it all comes down to just be being aware and, and you know that that
email from so and so, you know, the.
Uh, it's an email about a PDF.
You need to sign.
Well, were you expecting a PDF to sign?
Did you just, you just sign random PDFs?
Uh, you just can't wait to wake up in the morning and, and look
for a PDF to sign in your inbox.
Um,
transfer the, the money, you know what I mean?
The.
So,
another big one is like, you know, you get the, the thing from the boss
saying, I need you to do this EFT
to this new customer.
Right?
And you need to call your boss.
You know, people that are sending you stuff to sign, uh, people
that are asking you for money.
Those are, those are important things.
yeah.
Call them.
Yeah.
Call your boss, call, you know that vendor that sent you something to sign and
And don't use the number that's on the invoice.
You don't call the.
number, you know, not the, not the number that they, they sent you.
It's kinda like back in the day with credit card fraud.
Hey, your, your account is, there's a problem with your account.
Call this number.
Well
that number's on the back of your debit card too, so you should call that number.
Not the number They, they texted
Yeah.
And and I would say you should call the boss's cell phone, not
something on the company phone system if you still have one.
that's a great point too.
Um.
But, you know, kind of at the end of the day, and, and maybe getting
back to your, your original question with, well, how do, how does the
average person protect themself?
It starts with just being diligent.
Just take a minute and, and think through the, you know, rationale of whatever
it is that you're, you were gonna do.
Click on something, open something, download something, go to a website,
scan a QR code with your phone.
Um.
These are all things that you maybe just, just take a minute
and, and really think through.
Do I need to do that?
Was I expecting that?
Could there be something, you know, malicious or, or, uh,
wrong with whatever this is?
And it never hurts to phone a friend.
Um.
And, and, you know, making friends is important in this, in, in cyber.
'cause you know, as, as a individ, as an individual, you, you're
probably not gonna be exposed to or experience a lot of things.
Um, and then the more people you talk to about what you see and and your questions,
the more likely you're gonna get somebody that's probably already made that mistake
and can help you not make it yourself.
Yeah.
And Mike, just on that last point, I think it's a great thing, and I
know we did an entire discussion about like cyber insurance,
right?
And how they're like a trusted advisor.
You should talk to them because I'm sure they could give you good advice on sort
of how to shore up your defenses and be able to detect and protect yourself
against ransomware and other malware.
And there's a couple of, a couple of real quick, uh, like things to consider
if, if you think you've got ransomware or malware, just turn your computer off.
Power it off, take the battery out, unplug it.
'cause that, that stuff needs power to do its job.
And if, if you really think, you know, I've got my critical, my
whole life is on this computer and I think I have malware, shut it off.
Unplug it.
Take the battery out and find somebody that can help you get your data
off of it and make sure it's clean.
Um, and that way at least you've got a backup.
Backups are, are critical with ransomware.
Um, but yeah, don't.
Don't just sit there.
It's kind of like, you know, especially guys, and I'm, I'm definitely guilty.
I'm a little hardheaded when it comes to illness and health.
If you've got symptoms, call the doctor.
Right.
Don't, don't sit there and go, oh, I'll give it.
I'll give it another day.
Or maybe I just need a nap.
Yeah.
Yeah, I, um.
Which brings up, and, and this is a giant tee up, and, uh, but you know, it would
seem to me that this is too important for you to try to figure it out yourself.
Like if you, if you're not a cybersecurity specialist, if you, if you, if
you're not living your life, this thing, it's kinda like backup, right?
Where it's like, it's way more difficult than you think it is.
Right.
Um, and that, and that's why MSPs exist, right?
And so it would seem to me that I.
Rather than try to figure out which of 10 different, you know, I mean, somebody
showed me a, um, it was like the, it was like the, one of those things where they
have just company logos and it was like the cybersecurity landscape and there were
like just hundreds of these logos up there of products and services that I could buy.
And, and it would seem to me that what I need, I need two things.
I need tools that work, right, that, that, that do the things that I need.
And more importantly, I need somebody that knows how to use those tools.
'cause it doesn't do any good if I buy this great.
You know, uh, detection tool to find, you know, what's going on and, but I
don't know how to configure it so that it works and I don't know what to do.
And of course, one of the most common things is that I configured it such
a way that I get a whole bunch of false positives and then very quickly
it, it just ends up becoming ignored.
Right.
So I, I think that's where the, where the MSSP and obviously I'm, I'm,
I'm teeing it up for you, but I, I.
I don't know what else, what else would be right for, for a small organization
or even a medium sized organization that has never done this before.
No, I appreciate that.
Uh, and, and you're right.
Um, going back to kind of the initial comments of, uh, you know, just good
visibility if you wanna do it yourself, make sure you have the fundamentals.
Good anti-vi, anti-malware.
Um, that gives you consolidated, a consolidated view of all your assets.
You know, you don't have to go to every computer and see if there's an infection.
It needs to report up to a, a console that you can log into and, and get real
updates and know where the problems are.
Um, the, the other, the other gap, I mean, you, you managed, I mean, you
mentioned needing someone that knows the technology and you know, an expert.
To expand on that, it needs to be someone that's available 24 hours a day.
'cause bad guys aren't gonna go, oh, you know, they're probably still
at work working on the computer now is a good time to attack them.
No, it's, it's when you're asleep and you're in middle of the
night, uh, you know, Thur Thursday morning or Thursday after midnight
is when they're gonna hit you.
And, and because they also know that you're not gonna wanna,
uh, be at work over the weekend.
So they, for whatever reason, all right, they're, they're not gonna make it.
Uh, uh, easy for you.
Uh, and, and in a lot of cases, that's also because they're, they're
overseas in a different time zone anyway, so the fundamentals are good.
Endpoint protection, the, uh, good visibility across your environment.
Um, good firewall, uh, cloud, uh, Office 365, Google, AWS, whatever
you got, whatever's being used.
Um.
And then someone that, that you can call or someone that is looking
at your stuff 24 hours a day.
And there are some service providers where, you know, maybe you do have a
staff during the day, uh, and so you just need nights and weekends and holidays.
And so there are some providers like us that, that are flexible
in that, in that regard.
So that does help with, uh, cost and the economics.
Um.
But at the end of the day, absolutely, um, make friends with some experts,
uh, that you can call for nothing else.
Uh, if nothing else, just to ask questions.
But ideally, uh, someone that can help you identify the right
solutions, uh, to give you the right visibility and the right coverage.
Uh, and again, I it's gotta be 24 hours a day.
Yeah, so Mike, most of these organizations, right, they
don't have unlimited budget.
Right.
Cost is always a concern in terms of priority.
Right.
I know you talked about endpoint, you talked about XDR,
you talked about SIEM, right?
You talked about all these things.
If they're looking for sort of what is the first thing that they should
go after and try to protect or detect ransomware on or malware on, what
is, what is sort of like the most important thing in their environment
that they should be concerned with?
It depends.
It really, it really does depend.
I mean, some businesses, uh, so you've really got back to
understanding yourself before you can understand your, your enemy.
'cause your enemy's gonna probably know you better than you.
You do.
In order to be successful, uh, you've really gotta understand your business.
And so again, if your business is, uh, highly driven by your workforce and your
workforce is out, you know, on the, on the, you know, they're road warriors or
they're working from home, absolutely.
Endpoint protection is a priority because they're prob, they
probably have company data on that device, or they're using that
device to log into, you know, VPN or, or your cloud.
And so if that device is compromised, then your, your
production network, your production environment may be compromised also.
But what if, what if you're, you're a data center and you don't have, all
your endpoints are servers, right?
Uh, and then so, but then there also.
Co, uh, co-managed, they're, they're not yours.
You, you own the hardware, but you don't own the, the, the, the virtual
machines or, or, or what have you.
So now your, your focus is your perimeter
and your connectivity.
Uh, so I think those are two extreme, you know, one, one end of the other.
Uh, but truly understand your environment first, uh, and where your
critical assets are, and your data and your use cases, uh, and what's
most likely impacting your business.
Uh, and then from that, uh, derive your priorities.
And,
Hmm
and there are some, there are some organizations that fit smack dab
in the middle, and you just have to have good hygiene across all of it.
Uh,
I could, I could probably go on for hours on, on a good
approach to this, but the, the.
It all depends.
Next episode.
The, the other real quick thing, uh, in order to know how, and, and this kind
of tags on to know yourself, but there's a lot of organizations that aren't real
familiar, uh, or real accurate with all the things they need to protect anyway.
Similar to backups.
You know, I can, yeah, I can run back up.
But I can only back up what I know about, uh, and ideally even, even more
so to the next level, how important, how do I prioritize those backups?
Security is the same.
Uh, I can only secure what I know.
And if, if there's stuff on the network and there's stuff in the cloud and
there's people working from home that I don't know, then I can't protect that.
And if I am gonna protect it, how do I protect it?
You know that, that visibility part.
How do I get the data from those things, those tools?
To know if there's a problem and how to respond to it.
Is it automated?
Is it a person?
Um, and then all of that is going to kind of bubble up to what are my options and
what does it cost and what do I need?
Is that, is that something I can do on my own?
Is that, uh, opportunity to bring in a managed service provider?
Um, and I think real quick on, on, on the, the cost, I think
there's a big misconception that, yeah, I'm a small company,
I can't afford cybersecurity.
Uh, that is a huge misconception.
There are, there are a number of providers out there like us that, that
are flexible and scalable and I mean, our, our smallest we have, we have
clients that just have two employees and they work out of their garage.
But they are, they've determined, uh, from an analysis of themselves that
they, they are, they have a huge cyber risk and they need that protection.
And so, uh, it, it can be affordable, um, if we know what we're protecting and,
and what the, what the playbooks are.
I know a couple of guys that do a podcast from their dining room.
Well, hey Mike, it's been great talking to you again.
It's the whole thing of like.
There, there's a lot of people, by the way, who do literally say, I don't
have enough money for backup too.
Right.
And, and just like, you know, makes my head explode.
So, um, uh, yeah.
Thanks for bringing that up.
All right, folks.
Um, and Prasanna, thanks for, thanks for, uh, being here as, as always.
Yeah, no, this was fun.
And Mike, it's been great chatting.
It's been a while.
So glad to have you back on.
For sure I missed you.
Yeah.
And, uh, thanks to the, uh, our listeners, uh, we'd be nothing without you.
That is a wrap.
The Backup Wrap-up is written, recorded and produced by me, W. Curtis Preston.
If you need backup or DR consulting, content generation or expert witness work,
check out backupcentral.com.
You can also find links to my O'Reilly books on the same website.
Remember, this is an independent podcast, and any opinions that you
hear are those of the speaker and not necessarily an employer.
Thanks for listening.