Strengthening Your Cybersecurity Blue Team: Pro Tips
In this episode, we explore the essential strategies and best practices for building and optimizing a blue team cybersecurity approach. Our guest, Mike Sailor, shares his expertise on how organizations can effectively prepare for and respond to cyber incidents. From establishing relationships with law enforcement to conducting tabletop exercises and understanding cyber insurance policies, Mike provides valuable insights to help companies strengthen their cybersecurity posture.
Throughout the episode, we discuss the importance of focusing on detection and response capabilities, not just prevention, and how a well-prepared blue team can make all the difference in the face of a cyber threat. Mike also shares real-world stories that illustrate the key lessons and takeaways for organizations looking to enhance their cybersecurity efforts. Tune in to learn how you can better protect your company from cyber threats with a robust blue team approach.
Speaker:
W. Curtis Preston: This week on the backup wrap up, we are playing
Speaker:
defense, cybersecurity, defense to be specific, and we've recruited
Speaker:
an amazing player for our team.
Speaker:
Mike Saylor has spent decades on the Blue team side working side by side with
Speaker:
hundreds of organizations as they defend themselves from an active cyber attack.
Speaker:
He works hand in hand with the FBI and the Secret Service, and
Speaker:
he's got a great secret service story that I know you'll enjoy.
Speaker:
I.
Speaker:
For our longtime listeners, this is a trimmed down rebroadcast of
Speaker:
Mike's appearance from last year.
Speaker:
It was one of our most popular and insightful episodes.
Speaker:
He gives some amazing advice and insight for organizations looking to
Speaker:
strengthen their cybersecurity posture.
Speaker:
I learned a lot, and I know you will too.
Speaker:
By the way, if this is your first time listening, I'm w Curtis Preston, AKA, Mr.
Speaker:
Backup, and I've been passionate about backup and recovery for over 30 years,
Speaker:
ever since my backup's broke, and I had to tell my boss we had no backups.
Speaker:
I, I don't want that to happen to me.
Speaker:
I don't want it to happen to you.
Speaker:
That's why I do this.
Speaker:
On this podcast, we turn unappreciated backup admins into Cyber Recovery Heroes.
Speaker:
This is the backup wrap up.
Speaker:
Welcome to the show.
Speaker:
W. Curtis Preston: I'm your host, w Curtis Preston, a k a, Mr.
Speaker:
Backup.
Speaker:
And I have with me a guy who once again, has astonished me with knowledge
Speaker:
that why does he know this stuff?
Speaker:
He's gonna solve my office chair problem.
Speaker:
Prasanna Malaiyandi how's it going?
Speaker:
Prasanna,
Prasanna Malaiyandi:
I am good, Curtis.
Prasanna Malaiyandi:
I'm good.
Prasanna Malaiyandi:
So yeah, let's talk about you needing a new office chair.
Prasanna Malaiyandi:
W. Curtis Preston: so it, it
Prasanna Malaiyandi:
show the listeners.
Prasanna Malaiyandi:
Just, just squeak.
Prasanna Malaiyandi:
W. Curtis Preston: Well, let's, yeah.
Prasanna Malaiyandi:
So this is, so, you know, in a, in a podcast, my mic is picking
Prasanna Malaiyandi:
up my squeaky office chair.
Prasanna Malaiyandi:
And so either I need a new office chair or I need to lose a few pounds.
Prasanna Malaiyandi:
One or the other, or maybe both.
Prasanna Malaiyandi:
But uh, so you brought up what was the, it was Crandall.
Prasanna Malaiyandi:
Yep.
Prasanna Malaiyandi:
Crandall Furniture.
Prasanna Malaiyandi:
W. Curtis Preston: Yeah.
Prasanna Malaiyandi:
Crel Furniture, which is, they're, they're apparently repurposing,
Prasanna Malaiyandi:
uh, you know, all those office chairs that nobody's using anymore.
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
Yeah, they buy chairs.
Prasanna Malaiyandi:
They refurbish them with like new foam.
Prasanna Malaiyandi:
They fix the lift mechanism.
Prasanna Malaiyandi:
Sometimes they replace the arms and then they resell it at a discount.
Prasanna Malaiyandi:
W. Curtis Preston: Yeah,
Prasanna Malaiyandi:
it's crazy how expensive office chairs are.
Prasanna Malaiyandi:
Like some of the high-end ones are like a thousand, $1,800.
Prasanna Malaiyandi:
Who wants to spend that on a chair?
Prasanna Malaiyandi:
Like I get it.
Prasanna Malaiyandi:
You spend a lot of time sitting in a chair just like you do, sleeping in a bed.
Prasanna Malaiyandi:
But still, it's a good chunk of money to spend when you can go to like
Prasanna Malaiyandi:
your local office, supply store and pick up a cheap chair for like $99.
Prasanna Malaiyandi:
W. Curtis Preston: Yeah, and I don't think this was 99, but
Prasanna Malaiyandi:
it wasn't much more than that.
Prasanna Malaiyandi:
I don't, I don't have, if, if I had to guess, I probably got it from Costco.
Prasanna Malaiyandi:
'cause I get.
Prasanna Malaiyandi:
Many other things from Costco.
Prasanna Malaiyandi:
Right.
Prasanna Malaiyandi:
Um, but yeah,
Prasanna Malaiyandi:
I had one of those chairs.
Prasanna Malaiyandi:
I had one of those chairs as well, right, where I was like, yeah, it worked well.
Prasanna Malaiyandi:
And then I'll, once the pandemic hit and we were working from home, I ended up
Prasanna Malaiyandi:
getting some wellness dollars from my employer and use that to get myself a
Prasanna Malaiyandi:
nice standing desk and an office chair.
Prasanna Malaiyandi:
W. Curtis Preston: And, uh, with that we'll turn to our guest at this moment.
Prasanna Malaiyandi:
Uh, he's, uh, specialized in cybersecurity for over 20 years and is a member of
Prasanna Malaiyandi:
F B I InfraGard, which is A group that I didn't even know existed.
Prasanna Malaiyandi:
But it's a partnership between the F B I and the private sector for the
Prasanna Malaiyandi:
protection of US critical infrastructure.
Prasanna Malaiyandi:
He's now the c e O of Black Swan, a company that strives to democratize
Prasanna Malaiyandi:
enterprise level security services.
Prasanna Malaiyandi:
Which one of my first questions is gonna be, what does that mean?
Prasanna Malaiyandi:
Welcome to the pod, Mike Sailor.
Mike Saylor:
Thank you.
Mike Saylor:
Thanks for having me
Mike Saylor:
W. Curtis Preston: so what does that mean?
Mike Saylor:
So
Mike Saylor:
Well, uh,
Mike Saylor:
W. Curtis Preston: on your website that it says you wanted to democratize
Mike Saylor:
enterprise level security services.
Mike Saylor:
Sure.
Mike Saylor:
Well, I think in, in, you know,
Mike Saylor:
simple explanation is that we're trying to provide, uh, enterprise class services.
Mike Saylor:
The, you know what, what the big boys pay for Fortune 50, fortune 100.
Mike Saylor:
And make it affordable and scalable and flexible enough for smaller organizations,
Mike Saylor:
small, medium sized businesses.
Mike Saylor:
Uh, part of our mission is to provide that enterprise class service to
Mike Saylor:
what we consider underserved markets.
Mike Saylor:
So, uh, education, uh, family offices, uh, credit unions as an example.
Mike Saylor:
Um, but also understanding that in each one of those situations you've
Mike Saylor:
got a variety of, uh, business sizes.
Mike Saylor:
So you've got a five person credit union and you've got a
Mike Saylor:
billion dollar credit union.
Mike Saylor:
Uh, and they both need, uh, help, uh, understanding and applying, um,
Mike Saylor:
cybersecurity controls and, and services.
Prasanna Malaiyandi:
So what happens today for those small customers, right?
Prasanna Malaiyandi:
Or like the five person credit union, like how do they even
Prasanna Malaiyandi:
approach cybersecurity today?
Prasanna Malaiyandi:
Or what is their solutions look like?
Mike Saylor:
Uh, they usually don't have one.
Mike Saylor:
Um, I.
Mike Saylor:
And they even have to, uh, in, in a lot of cases, have to outsource their just normal
Mike Saylor:
help desk, you know, hardware support.
Mike Saylor:
And they're relying on that, you know, that technology expertise to, uh, assist
Mike Saylor:
them in cyber to the extent possible.
Mike Saylor:
Um, but that's changing.
Mike Saylor:
Um, and it, and it has to, uh, a lot of, uh, services and.
Mike Saylor:
Protections and controls that any organization today rely
Mike Saylor:
on, like, like insurance.
Mike Saylor:
Uh, in order to qualify for cybersecurity insurance policies, you have to
Mike Saylor:
demonstrate these, you know, kind of, uh, good cyber hygiene practices, uh, whether
Mike Saylor:
you do it internally or you outsource it.
Mike Saylor:
Uh, and so in order just to even get insurance, uh, you have to, uh, spend
Mike Saylor:
some money to check some of these boxes.
Mike Saylor:
Um, and they're just, there's, there's not a whole lot of solutions out
Mike Saylor:
there options for them to, to go with.
Mike Saylor:
W. Curtis Preston: Interesting.
Mike Saylor:
Um, and let's talk also a little bit about, uh, F B I in regard.
Mike Saylor:
'cause like I said, I, I did, I didn't even know this in, I'm, I'm
Mike Saylor:
really glad to hear that it exists, but I didn't even know it exists.
Mike Saylor:
Uh, what, what, what does that look like?
Mike Saylor:
Sure.
Mike Saylor:
Uh, well, so it started in the late nineties.
Mike Saylor:
Uh, I think the, the first chapter was, uh, um, in the mid nineties.
Mike Saylor:
Um, and the, the idea is, Uh, for every F B I field office, um, there should be
Mike Saylor:
an InfraGuard chapter, and the objective of the chapter is to tie the office into
Mike Saylor:
the community, thereby, uh, expanding its eyes and ears, uh, but also, um,
Mike Saylor:
helping elevate the, uh, intelligence and awareness of the organizations in the
Mike Saylor:
community, uh, for the things that the F B I and that community is working on.
Mike Saylor:
Uh, so some, some bi-directional, uh, intelligence sharing, which
Mike Saylor:
really didn't happen for a long time.
Mike Saylor:
It's probably only been in the last five or six years that that's, that's
Mike Saylor:
really, uh, become more valuable.
Mike Saylor:
Um, prior to that, you, you might get an infra regard notice,
Mike Saylor:
uh, a few hours or a day before something comes out on the news.
Mike Saylor:
So you really weren't ahead of it too much.
Mike Saylor:
Um, but so now there's, there's 45 chapters.
Mike Saylor:
Of InfraGard throughout the country.
Mike Saylor:
Uh, there's an InfraGard National Alliance that kind of manages
Mike Saylor:
all those independent chapters.
Mike Saylor:
Um, and the chapters are made up of people from the community,
Mike Saylor:
uh, across all sectors.
Mike Saylor:
Uh, kind of initially it was all technology people.
Mike Saylor:
Uh, so 90, 90 plus percent, uh, membership and InfraGard were people and, you know,
Mike Saylor:
CIOs and engineers and help desk people.
Mike Saylor:
Uh, but today we have nurses and doctors and farmers and, um, People
Mike Saylor:
that work in infrastructure, water dams, uh, federal government, um,
Mike Saylor:
agriculture, I mentioned, um, nuclear.
Mike Saylor:
Uh, so each critical infrastructure section sector, uh, has an infra regard
Mike Saylor:
sector chief, uh, at each chapter.
Mike Saylor:
Uh, who is responsible for going out and.
Mike Saylor:
Uh, not just recruiting others from that sector, uh, to kind of
Mike Saylor:
strengthen the, the mix and dynamics of the chapters, uh, membership.
Mike Saylor:
Um, but it's also, uh, both a feeder into the F B I, uh, for intelligence
Mike Saylor:
and threats and awareness of what's going on out in the community, uh,
Mike Saylor:
but also the FBI's ability to, to, uh, To share with them so that they
Mike Saylor:
can do their job better, uh, get ahead of threats, um, be more aware.
Mike Saylor:
Uh, so it's been a pretty, pretty effective, um, partnership over the years.
Mike Saylor:
Uh, I helped stand up the North Texas chapter in the late nineties, and
Mike Saylor:
I've, I've been sector, I'm currently a sector chief over healthcare.
Mike Saylor:
I was a sector chief over technology.
Mike Saylor:
Initially I was the president of the chapter.
Mike Saylor:
Um, and we have a, a pretty strong.
Mike Saylor:
Uh, showing, uh, in our company as far as InfraGard goes, our
Mike Saylor:
c f O was a, a past president.
Mike Saylor:
She's also the past, uh, national regional representative over I think
Mike Saylor:
three or four different states.
Mike Saylor:
Our c o o was the president of the Houston chapter.
Mike Saylor:
He was also a national regional rep for a period of time.
Mike Saylor:
Uh, and then everybody in our company pretty much is a member.
Mike Saylor:
Um, and there's similar, there's a similar, uh, organization
Mike Saylor:
for the Secret Service.
Mike Saylor:
They call it.
Mike Saylor:
They used to call it the Electronic Crimes Task Force, of which I'm also a member.
Mike Saylor:
Uh, and then both of those are kind of related to the, in Texas we have the
Mike Saylor:
North Texas Crime Commission and they have subcommittees like cyber crime.
Mike Saylor:
And then, uh, the fusion centers that police departments, uh, fun, uh, operate.
Mike Saylor:
Um, in north Texas, there's the Collin County Sheriff Fusion Center, uh, from
Mike Saylor:
which I'm also a fusion liaison officer.
Mike Saylor:
So tons of intelligence sharing, information sharing.
Mike Saylor:
Uh, both to support the community, but also naturally with what we do, uh, that
Mike Saylor:
feeds really nicely into the value that we can, uh, we can give our clients.
Prasanna Malaiyandi:
That's awesome.
Prasanna Malaiyandi:
I actually, like you said, Curtis, I had never heard about this and Mike,
Prasanna Malaiyandi:
thank you for going into details because that's actually a really cool program.
Prasanna Malaiyandi:
Like I didn't realize that the F B I connected in like this in
Prasanna Malaiyandi:
sort of a systematic way, right?
Prasanna Malaiyandi:
To all these other organizations.
Mike Saylor:
Mm-hmm.
Mike Saylor:
W. Curtis Preston: Yeah, we've, we've come a long way since, um,
Mike Saylor:
the days of the cuckoo's egg, which I'm, I'm assuming you've read a
Mike Saylor:
Cuckoo's Egg or the c the cuckoo egg.
Mike Saylor:
I think, you know, because in that story from Cliff Sto back in the
Mike Saylor:
day when he contacts the F B I about a cyber attack that's happening on
Mike Saylor:
his infrastructure, They're like, well, did they steal anything?
Mike Saylor:
Right.
Mike Saylor:
They didn't, they really weren't aware of the concept of a cybersecurity attack.
Mike Saylor:
So I, I'm, I'm glad to hear that.
Mike Saylor:
You know, things have come a long way since that was the
Mike Saylor:
seventies, so, you know, whatever,
Mike Saylor:
And, and on
Mike Saylor:
the,
Mike Saylor:
W. Curtis Preston: while since then.
Mike Saylor:
Kind of along those lines.
Mike Saylor:
Uh, the other benefit of that is, uh, similar to the situation where, you know,
Mike Saylor:
there was an event, uh, we always preach.
Mike Saylor:
Uh, as far as incident response goes, you've gotta get ahead of that so that
Mike Saylor:
on game day, you know what players you can call into the, to, uh, onto the field
Mike Saylor:
and uh, you know, who's gonna show up.
Mike Saylor:
And so, um, you know, we're very adamant about.
Mike Saylor:
Establishing those relationships with law enforcement and subject matter experts
Mike Saylor:
and vendors in the community so that when something bad happens, you're not
Mike Saylor:
leaving a voicemail, you're not having to figure out the right person to talk to.
Mike Saylor:
And so in regard, and the, uh, the Secret Service organizations give you
Mike Saylor:
the opportunity to actually go to, they have chapter meetings and a lot of
Mike Saylor:
times they're at the, the FBI's field office, which is also kind of cool.
Mike Saylor:
Um, and so you get to meet people and exchange business cards and go
Mike Saylor:
to coffee and have their cell phone number instead of a mailbox number and.
Mike Saylor:
Um, and find the right person to talk to so that you can put 'em in your
Mike Saylor:
plan and you know who to call and they already know you, they've met you before.
Mike Saylor:
It's not a first date type of situation.
Mike Saylor:
So when, when, when things are going bad and the the house is
Mike Saylor:
on fire, uh, you know who to call and, um, they know who you are.
Mike Saylor:
W. Curtis Preston: Yeah, I preached the, the same thing, Mike, and,
Mike Saylor:
and, and so it's, but it sounds like InfraGard is a, is a organization
Mike Saylor:
that I can contact, go to these meetings that you were talking about.
Mike Saylor:
That, that it, that it could be that liaison.
Mike Saylor:
So that I can start to form those relationships.
Mike Saylor:
'cause you're right, it's like, uh, you know, just reaching out to, to the
Mike Saylor:
F B I blindly, um, you know, Hey, I'd like to talk to you about a potential
Mike Saylor:
future event that might happen.
Mike Saylor:
Right.
Mike Saylor:
So it sounds like Ingar can be that liaison then.
Mike Saylor:
I
Mike Saylor:
And, and you're right.
Mike Saylor:
And they do have, uh, they have, uh, speaker, um, what do they call it?
Mike Saylor:
Um, you can, you can sign up to be a speaker, uh, like as a
Mike Saylor:
resource, uh, subject matter expert.
Mike Saylor:
But then the F b I also has, uh, speakers that can come to your event.
Mike Saylor:
And so very often you can pull in that, that law enforcement, uh, perspective
Mike Saylor:
to, to your message and your content.
Mike Saylor:
And they'll bring their own slides and, you know, whatever data they
Mike Saylor:
can, they can share publicly as far as current events and statistics.
Mike Saylor:
And it's, it's usually a pretty good, uh, value add, uh, as far as content.
Mike Saylor:
And, and sometimes it's a, it's a draw.
Mike Saylor:
Uh, you know, people may not want to just come see me talk, but if it's me plus
Mike Saylor:
the supervisory special agent over cyber, then all of a sudden it's interesting.
Mike Saylor:
Uh, so.
Mike Saylor:
Um,
Mike Saylor:
yeah,
Prasanna Malaiyandi:
for you, Mike.
Prasanna Malaiyandi:
Come on.
Mike Saylor:
there's a lot of value.
Mike Saylor:
There's a lot of value in membership.
Mike Saylor:
Um, each chapter has their own dues.
Mike Saylor:
Like our, I think our chapter, it's 25 or $50 a year.
Mike Saylor:
Uh, but that also pays for, um, you know, food at an event or you get
Mike Saylor:
discounts to go into some conference.
Mike Saylor:
Uh, so there's a lot of, a lot of kind of cool ecosystem, um, you belong to
Mike Saylor:
once, once you, uh, become a member.
Prasanna Malaiyandi:
I am surprised this isn't publicized more
Mike Saylor:
It's infraguard.org I N F R A G A R d.org.
Mike Saylor:
W. Curtis Preston: Yeah, I'm all over
Mike Saylor:
you can sign up online.
Mike Saylor:
The, uh, the application process is, is can be kind of long, anywhere
Mike Saylor:
from, you know, 45 to 120 days.
Mike Saylor:
Uh, they do a cursory background and then each office has to do kind
Mike Saylor:
of a vetting, uh, to determine if, uh, You know, membership is for you.
Mike Saylor:
Uh, but then, uh, you're invited to kind of a new member session
Mike Saylor:
and you get to meet people, the board, uh, other members, uh, F B I.
Mike Saylor:
And, and one of the things that I'll mention is, so for every InfraGard
Mike Saylor:
chapter there is a full-time F B I agent that is your liaison.
Mike Saylor:
And they, so they kind of manage from the F B I side.
Mike Saylor:
Everything your chapter's doing, even though your chapter has its
Mike Saylor:
own board of directors and event planning and all that stuff, there's
Mike Saylor:
always a full-time F b I person.
Mike Saylor:
Um, at your event, at your board meeting, um, kind of the liaison
Mike Saylor:
for anything you need that the, that the bureau can, can help you with.
Prasanna Malaiyandi:
That's awesome.
Prasanna Malaiyandi:
Now,
Prasanna Malaiyandi:
W. Curtis Preston: Go ahead.
Prasanna Malaiyandi:
just a follow up, I know you talked about sort of
Prasanna Malaiyandi:
establishing those relationships, right?
Prasanna Malaiyandi:
With other people who are in the chapter, do they do things like tabletop exercises
Prasanna Malaiyandi:
or other things or is that kind of, I.
Prasanna Malaiyandi:
Outside the scope of this group.
Mike Saylor:
So the, the InfraGard membership, well, and, and different
Mike Saylor:
chapters do different things like the Louisiana chapter is there.
Mike Saylor:
They're kind of known for, um, uh, anti, you know, maritime
Mike Saylor:
anti drone capabilities.
Mike Saylor:
So there are people at, in that chapter that are involved in how to
Mike Saylor:
protect businesses along the river, uh, from drones and drone strikes and
Mike Saylor:
surveillance and all that good stuff.
Mike Saylor:
And so they, they do exercises pretty often and they have
Mike Saylor:
some really good events.
Mike Saylor:
And they're, the Houston chapter's, good New York chapter.
Mike Saylor:
Not only do they do, um, Exercises, but they have a podcast, so
Mike Saylor:
they, they broadcast things.
Mike Saylor:
I, I wanna say it was at least weekly, maybe monthly, but I
Mike Saylor:
think it's weekly and they're very well known for their multimedia.
Mike Saylor:
Um, and so there, there are different chapters kind of
Mike Saylor:
specialize and do their own thing.
Mike Saylor:
Um, But then you're also invited to bigger events.
Mike Saylor:
Uh, so, um, I know that there's kind of a, uh, a large scale FEMA
Mike Saylor:
event, uh, every now and then.
Mike Saylor:
And so we're, you know, we're invited to participate in that.
Mike Saylor:
But as a chapter, as a community, we don't.
Mike Saylor:
The North Texas chapter has not gotten together and said, you know, we could
Mike Saylor:
probably add a lot of value if we start to collaborate and, and participate together.
Mike Saylor:
Uh, maybe this time we help, you know, this, this company or this
Mike Saylor:
set of companies, maybe this, this sector like technology or healthcare.
Mike Saylor:
And, you know, next time we focus on something else, I think it's a great idea.
Mike Saylor:
But, uh, I, I haven't seen it done, but it's definitely something
Mike Saylor:
that they're open to doing.
Mike Saylor:
W. Curtis Preston: Yeah, this is great.
Mike Saylor:
So, well let me just ask you one, one final question about this
Mike Saylor:
topic and then I wanna move on.
Mike Saylor:
Um, and that is, there is a debate when, you know, as I've been continuing to
Mike Saylor:
research incident response, having to do with ransomware, there is a debate as to.
Mike Saylor:
When or if to contact the F B I, right?
Mike Saylor:
Or just law enforcement in general, but in the us The F B I W.
Mike Saylor:
What's your opinion on that?
Mike Saylor:
Uh, my opinion is as soon as possible, however, um, You know,
Mike Saylor:
it's not always up to, to us and us by us, I mean, you know, technology,
Mike Saylor:
leadership, you know, whether you're the CISO or the c I o, unless, unless
Mike Saylor:
you're chartered to do so by executive management, uh, I always suggest that
Mike Saylor:
whoever the IT leadership is, you know, we're just, we're just putting out a fire.
Mike Saylor:
Uh, you know what?
Mike Saylor:
Whatever the incident is, we're putting out the fire.
Mike Saylor:
So from a technology perspective, our job is to recover.
Mike Saylor:
Or from a business perspective, you really need to defer that to your
Mike Saylor:
legal counsel or, or your, whoever your executive is or your insurance company.
Mike Saylor:
Uh, but your insurance company is gonna say, involve law
Mike Saylor:
enforcement as soon as possible.
Mike Saylor:
Your legal counsel, whether it's internal or, or, or outside
Mike Saylor:
counsel is gonna want to know more.
Mike Saylor:
Um, But at, at the end of the day, uh, and I, and I've, I've seen this from,
Mike Saylor:
from a lot of different perspectives.
Mike Saylor:
'cause I'm also, I also do expert testimony in court.
Mike Saylor:
So if this ended up in court, you know, one of the things
Mike Saylor:
that that benefits you from.
Mike Saylor:
Contacting law enforcement as soon as possible is, is a
Mike Saylor:
phrase called due diligence.
Mike Saylor:
So when, when we talk about, all right, so you guys screwed up, but how diligent
Mike Saylor:
were you in trying to prevent this?
Mike Saylor:
How diligent were you in responding to this?
Mike Saylor:
And how diligent were you in, in asking for help from everybody that you
Mike Saylor:
could possibly ask from for help from?
Mike Saylor:
And how open were you in?
Mike Saylor:
Um, And understanding and communicating what the problem was.
Mike Saylor:
And so if, if in any of those phases, uh, you're perceived as less than
Mike Saylor:
diligent, uh, and possibly, um, I.
Mike Saylor:
You know, hiding something or, or, or trying to cover something
Mike Saylor:
up when it gets to damages.
Mike Saylor:
If, if this lawsuit goes to damages, that's where it's gonna come back on you.
Mike Saylor:
Uh, 'cause everybody that, that goes through an incident, obviously you're
Mike Saylor:
guilty of having gone through an incident.
Mike Saylor:
You didn't do enough of something, which is almost impossible.
Mike Saylor:
But, you know, when you're in court, it's kind of black and white and you,
Mike Saylor:
at the end of the day, the fact is you had a breach, you had an incident,
Mike Saylor:
and it, it resulted in these things.
Mike Saylor:
Um, all right, so there's.
Mike Saylor:
You, you, you get a judgment for that.
Mike Saylor:
Alright, well then we go to damages.
Mike Saylor:
And some of that's black and white too, California especially, you
Mike Saylor:
know, for every record of California citizen, there's, it's defined.
Mike Saylor:
But, uh, on top of that, uh, so that's statutory.
Mike Saylor:
But then the, the judge can say, you guys were not diligent in
Mike Saylor:
protecting, responding, communicating.
Mike Saylor:
And, and because of that, I'm going to assess these additional fines.
Mike Saylor:
And so, uh, there's a lot to consider.
Mike Saylor:
And back to the tabletop exercise, that's when you need to start talking
Mike Saylor:
through, this is how this should actually go, and someone's gonna
Mike Saylor:
go, when do we call law enforcement?
Mike Saylor:
And we should look at the people in the room that would typically have
Mike Saylor:
that answer, and let's get that in writing ahead of time, uh, and put
Mike Saylor:
that in our plan as, uh, as part of, uh, how we respond to stuff.
Mike Saylor:
W. Curtis Preston: You don't want to be the, the, the, the rogue, uh, incident
Mike Saylor:
response cyber security person just randomly deciding to call the F B I.
Mike Saylor:
Uh, this needs to be decided up upfront.
Mike Saylor:
now I've been through some incidents, uh, just real quick
Mike Saylor:
where, uh, the incident was something illegal and management said, you're
Mike Saylor:
not reporting that to anybody.
Mike Saylor:
We'll handle it internally, but there are certain cases where
Mike Saylor:
you are a mandatory reporter.
Mike Saylor:
Having identified certain types of things, um, and it's kind of up to
Mike Saylor:
you on how to handle that, but I would suggest, uh, even if management
Mike Saylor:
said, don't report it, that's your, your life you're dealing with.
Mike Saylor:
If they find out you didn't report it and you knew about it, now you're going to
Mike Saylor:
jail regardless of what your boss said.
Mike Saylor:
Um, so I would suggest there's ways doing anonymous, uh, reporting and
Mike Saylor:
then just capture that activity as evidence that you did report it.
Mike Saylor:
Um, So there's, there's a, there's a lot of things to consider when you're, you're
Mike Saylor:
responsible for responding to stuff.
Mike Saylor:
Uh, and in addition to that, you may have access to things that, that require you as
Mike Saylor:
a mandatory reporter for doing something.
Prasanna Malaiyandi:
I was interesting you brought that up, Mike.
Prasanna Malaiyandi:
I was just reading a, I think on Twitter or read or something like that where
Prasanna Malaiyandi:
people were saying like as a programmer, right, if you're asked to do something,
Prasanna Malaiyandi:
which doesn't seem right, right, and the company gets caught in the end,
Prasanna Malaiyandi:
you're sort of the one responsible because you wrote the code, right?
Prasanna Malaiyandi:
You did something when someone told you to do something illegal, potentially.
Prasanna Malaiyandi:
Right?
Prasanna Malaiyandi:
And it's still your neck on the line.
Prasanna Malaiyandi:
Versus like, no one ever really gets like penalized like that for
Prasanna Malaiyandi:
saying no to doing something illegal.
Prasanna Malaiyandi:
Right.
Prasanna Malaiyandi:
And so it applies in various cases, including responding to being
Prasanna Malaiyandi:
told to do something illegal.
Prasanna Malaiyandi:
Uh, the one thing I did want to ask you, Mike, just going back to the
Prasanna Malaiyandi:
question Curtis asked about sort of reporting, how do you feel that
Prasanna Malaiyandi:
companies have done in being transparent about cybersecurity incidences?
Prasanna Malaiyandi:
I.
Mike Saylor:
Well, I think that's a double-edged sword because it could
Mike Saylor:
seem like they're not being very transparent when really they just
Mike Saylor:
don't have a clue of what's going on.
Mike Saylor:
Uh, and, and I think that's the case.
Mike Saylor:
The majority of the time we got ransomware.
Mike Saylor:
How did it happen?
Mike Saylor:
Someone clicked something, I guess, but they really don't know, or that's
Mike Saylor:
what they were told, even though that's not maybe really how it happened.
Mike Saylor:
So I think understanding and understanding comes from, you know, information.
Mike Saylor:
Well, how do we get information?
Mike Saylor:
Well, you've gotta have the right technology stack.
Mike Saylor:
You've gotta have the right visibility and people and all reporting.
Mike Saylor:
And if, if any one of those areas is lacking, Then your ability to
Mike Saylor:
really know what happened, uh, is diminished to some degree.
Mike Saylor:
So I, I think there's two, there's, there's, there's a couple of perspectives.
Mike Saylor:
I'm not just gonna say there's two.
Mike Saylor:
There's, there's the one where they just really didn't know what happened in their.
Mike Saylor:
They're sharing what they, they know in whatever way they know how.
Mike Saylor:
Uh, and a lot of those cases, it's because they tried to address it on their own.
Mike Saylor:
They didn't bring in the law enforcement or outside help or
Mike Saylor:
professional firm or, or what have you.
Mike Saylor:
They just said, we had a problem.
Mike Saylor:
We're gonna accept the, you know, the, the fact that it happened and pay
Mike Saylor:
our dues or, you know, whatever the consequences are and we'll move on.
Mike Saylor:
And, uh, so there's that perspective.
Mike Saylor:
The other one is companies that truly.
Mike Saylor:
Can't or have decided they can't take the reputational
Mike Saylor:
risk of divulging what happened.
Mike Saylor:
Uh, some of that might be privacy or contractual.
Mike Saylor:
Like you will never tell people that our network was, uh, compromised
Mike Saylor:
because that, because we rely on you for these other things.
Mike Saylor:
And so clients could be impacted by, by your incident, you know, their,
Mike Saylor:
their business or service too.
Mike Saylor:
So, uh, depending on how your business functions and how you, how complex it is
Mike Saylor:
with, with providing services or data to.
Mike Saylor:
To clients or third parties.
Mike Saylor:
Uh, you may be limited in what you can say, um, but I think what you're
Mike Saylor:
getting at is, yeah, there are definitely companies out there that will deny
Mike Saylor:
altogether that there was a comp.
Mike Saylor:
I don't, so, you know, some, some bad guys put all of our customer data on
Mike Saylor:
the, on the internet and you can see it.
Mike Saylor:
They'll, they will still deny to the nth degree that they were not compromised,
Mike Saylor:
that they did not get that data from us.
Mike Saylor:
And I was actually in a case like that with a telecom company.
Mike Saylor:
Uh, the Secret Service called us and said, Actually the F b I called
Mike Saylor:
us first and said, we're seeing your client data on the internet.
Mike Saylor:
And um, this was in the, the late nineties.
Mike Saylor:
Um, we're seeing your customer's data on the internet.
Mike Saylor:
And when we started looking into it, they were all of our internet customers.
Mike Saylor:
And so we went back to our internet provider and said, it looks like all
Mike Saylor:
this data's coming from you, and they denied it Well, Secret Service got
Mike Saylor:
involved, uh, due to jurisdiction.
Mike Saylor:
It was different states and different things.
Mike Saylor:
And so we went, we actually went to that company, uh, onsite with the
Mike Saylor:
Secret Service and said, we're here to talk about this, that, and the other.
Mike Saylor:
And well, it wasn't us.
Mike Saylor:
Uh, it, it didn't come from us.
Mike Saylor:
Well, all the data that we were seeing, and it's not just related
Mike Saylor:
to you, it's got metadata in it.
Mike Saylor:
That said it did come from you.
Mike Saylor:
No, it didn't.
Mike Saylor:
Well, we're not leaving until we talk to somebody, so they
Mike Saylor:
put us in this conference room.
Mike Saylor:
And locked us in there.
Mike Saylor:
Didn't let us out to go talk to anybody.
Mike Saylor:
And we had to, like, someone would come in and say, what do
Mike Saylor:
you want to, what do you need?
Mike Saylor:
And we would say it.
Mike Saylor:
And they would go out and, and look, uh, or, or collect that for us.
Mike Saylor:
And, uh, sometime during the day, I asked if I could plug into their, their
Mike Saylor:
wall jack and, uh, so I could have internet access to, to check email.
Mike Saylor:
And they said, sure.
Mike Saylor:
Well, I started running, running a, a network sniffer, uh, capturing network
Mike Saylor:
W. Curtis Preston: you did.
Mike Saylor:
And, and back in the day they were using, uh, I C
Mike Saylor:
Q, the, the chat, the chat app.
Mike Saylor:
And I was capturing in plain text everything they were saying.
Mike Saylor:
And it was all about, ha ha, we've got 'em locked in the conference room.
Mike Saylor:
They'll give up talking to us at some point and just go home.
Mike Saylor:
We're not gonna give 'em anything.
Mike Saylor:
Um, Tell Bob that he's safe, you know that his screw up is we're
Mike Saylor:
gonna brush it under the rug and all.
Mike Saylor:
So I remember this, this little secret service lady, uh, and
Mike Saylor:
I say she really was little.
Mike Saylor:
She was like five feet tall.
Mike Saylor:
Um, her name was Kim.
Mike Saylor:
She kicked the conference room door open and it was, it was the door that
Mike Saylor:
opened in, but she kicked it out.
Mike Saylor:
I mean, she.
Mike Saylor:
She knew how to kick a door and she kicked that door and said, I need
Mike Saylor:
the executive team in this office right in front of me in the next five
Mike Saylor:
minutes where people are going to jail.
Mike Saylor:
And she took control.
Mike Saylor:
And, and it was probably, uh, maybe later that year, we actually
Mike Saylor:
caught the hacker that did that.
Mike Saylor:
His name was Matthew Freeze.
Mike Saylor:
He, uh, we caught him in Corpus Christi with the Sheriff's Department.
Mike Saylor:
Uh, he's in, I think he's still in jail.
Mike Saylor:
W. Curtis Preston: Right, right.
Mike Saylor:
Well, that's, that's a great story with the, with, with a, with a great climax.
Mike Saylor:
I love the, the agent kicking down the door.
Mike Saylor:
Uh, yeah, that must have been something to be there.
Mike Saylor:
Um, so, so let me, let, let me do a change of tack here.
Mike Saylor:
So, you know, let's say we're a company, we have done.
Mike Saylor:
From a, so we, you know, we have, we have an incident response plan, right?
Mike Saylor:
We, we've, we've decided whether or not we're gonna contact law enforcement.
Mike Saylor:
We, um, we did all of the things that a cybersecurity company asked
Mike Saylor:
us to do in terms of prevention and, and, and all of those things.
Mike Saylor:
One thing I am.
Mike Saylor:
Interested in is obviously we, we spend a lot of our time with
Mike Saylor:
talking about ransomware, right?
Mike Saylor:
And the, and I understand that ransomware really in the end is
Mike Saylor:
just a payload of a, a much bigger cybersecurity problem, right?
Mike Saylor:
Um, what I'm seeing a lot is that I, I, I'm reading that now.
Mike Saylor:
I think it was like more than 90% of what we used to just call ransomware
Mike Saylor:
attacks are really exfiltration attacks accompanied with ransomware.
Mike Saylor:
Right.
Mike Saylor:
Um, and so I, I have a couple of, you know, sort of questions about.
Mike Saylor:
Uh, starting with, you know, given the way, the way a typical
Mike Saylor:
ransomware attack happens, right?
Mike Saylor:
You get the initial access broker, then you get somebody that's in there
Mike Saylor:
and they start probing around, right?
Mike Saylor:
They start seeing how they can, you know, how they can get around.
Mike Saylor:
And then my understanding is as soon as they can, they start exfiltrating data.
Mike Saylor:
So my question is, it is sort of two questions.
Mike Saylor:
you know, beyond the usual, you know, there are some things, you
Mike Saylor:
know, there are some things that we know we should all be doing, right?
Mike Saylor:
You know, in terms of password management and M f A and, um, you
Mike Saylor:
know, all, all of those you, you know, and, and, and, uh, patch management.
Mike Saylor:
Um, can you think of some things.
Mike Saylor:
That a company that wants to take that next step, things that,
Mike Saylor:
that, that could either stop, um, lateral movement number one.
Mike Saylor:
And then, and then just as importantly, if not, if not more
Mike Saylor:
importantly, exfiltration of data.
Mike Saylor:
That was a really long question.
Mike Saylor:
Sorry about that.
Mike Saylor:
And, and I had so many things I wanted to chime in with that.
Mike Saylor:
I've, I've lost some of them, but, uh, I'm, I'm glad you, I'm glad When you
Mike Saylor:
said typical ransomware, you didn't go down, they, they clicked on an email.
Mike Saylor:
'cause that's not typical anymore.
Mike Saylor:
That's, that's statistically the.
Mike Saylor:
Probably the higher probability of success, but in a lot of cases
Mike Saylor:
it's just that user that gets compromised, not not the whole company.
Mike Saylor:
So you're right, typically the, the enterprise, uh, scale attack
Mike Saylor:
is, uh, via some either access broker or the ransomware campaign.
Mike Saylor:
Uh, has, you know, their own.
Mike Saylor:
Uh, squad of pen testers that are finding ways into environments, but you're right.
Mike Saylor:
So typically it is access to the environment that then, you know, as
Mike Saylor:
far as the phases of attack goes, then they start, uh, the reconnaissance.
Mike Saylor:
Uh, to answer your question about, um, how do we, how do we
Mike Saylor:
address the exfiltration piece?
Mike Saylor:
Um, my favorite response is it depends, and I say that a lot in a lot of
Mike Saylor:
different scenarios and, and, Uh, and it's for good reason because it
Mike Saylor:
really depends on the organization.
Mike Saylor:
And so each company needs to go through an exercise of figuring out what's important
Mike Saylor:
to them and where is it because maybe your data's already exfiltrated, it's
Mike Saylor:
out in, you know, a cloud somewhere.
Mike Saylor:
So I'm not even have to attack your company anymore.
Mike Saylor:
I just have to go figure out where your data is and attack that company.
Mike Saylor:
Um, and, or maybe it's a partner or whoever, and there's
Mike Saylor:
tons of examples of, of.
Mike Saylor:
F bad guys.
Mike Saylor:
Figuring out where the, where the important stuff is and making best
Mike Saylor:
use of their time and resources.
Mike Saylor:
So, so it really does depend on the organization, uh, understanding
Mike Saylor:
your technology stack, your architecture, your culture.
Mike Saylor:
I.
Mike Saylor:
Uh, and then obviously where is your stuff?
Mike Saylor:
Is it data?
Mike Saylor:
Is it a system, is it a service?
Mike Saylor:
Uh, because that's what bad guys are gonna figure out when
Mike Saylor:
they're doing the reconnaissance.
Mike Saylor:
They're looking for, you know, who is this company?
Mike Saylor:
'cause in a lot of cases, they don't, they didn't specifically attack you.
Mike Saylor:
Uh, they just, they were running some tools and found a vulnerability and
Mike Saylor:
they picked at it, and now they've got access to some company's network.
Mike Saylor:
So they've gotta figure that out first.
Mike Saylor:
Once they figure out who you are, they wanna figure out what you do.
Mike Saylor:
Uh, where, where is your important stuff?
Mike Saylor:
Including your backups.
Mike Saylor:
Uh, and then to some degree, they're also looking for your financials and if they
Mike Saylor:
can find a copy of your insurance, uh, policy, all these things, well, all right.
Mike Saylor:
So depending on the company, uh, and, and your organization's particular situation,
Mike Saylor:
um, there are ways of addressing.
Mike Saylor:
Uh, the data exfiltration problem, one of those is, well, let's put our ti
Mike Saylor:
put tighter controls around our data.
Mike Saylor:
And that includes like data integrity, monitor file integrity monitoring, um,
Mike Saylor:
restricted access, network segmentation, firewall rules that throttle, you know,
Mike Saylor:
data uploads or alerts of, of doing so.
Mike Saylor:
Um, but I did wanna address one, um, one comment you made.
Mike Saylor:
How do we prevent this from happening?
Mike Saylor:
And I really think.
Mike Saylor:
People need to stop thinking about preventing it and start looking at
Mike Saylor:
ways of identifying it as soon as possible with either automated or
Mike Saylor:
human response as soon as possible.
Mike Saylor:
Uh, and then how do we collect all the information we need to make sure
Mike Saylor:
that we understand how it happened, what they did, and, and capture
Mike Saylor:
what we did to respond to that.
Mike Saylor:
And so that's very important, uh, for a lot of different reasons.
Mike Saylor:
One, if you put too much, uh, emphasis on prevention, then.
Mike Saylor:
A couple of things are gonna happen.
Mike Saylor:
One, you've, you've invested a lot of money that could be more appropriately
Mike Saylor:
used in identification and response.
Mike Saylor:
Uh, two, you're very likely going to become complacent thinking that you've
Mike Saylor:
got everything in place you need, and that's not gonna happen to us.
Mike Saylor:
And then lastly, a lot of those preventative controls don't do
Mike Saylor:
the data collection necessary to figure out how things happened.
Mike Saylor:
Um, and, and we get asked a lot.
Mike Saylor:
We had this incident and all we need to know is, is there
Mike Saylor:
evidence of data exfiltration?
Mike Saylor:
Because that's all we have to report.
Mike Saylor:
So what we had ransomware, so what we had a breach.
Mike Saylor:
If there was no data taken, then we don't have to report it.
Mike Saylor:
Okay, great.
Mike Saylor:
Well, let's look at your technology stack and, and the things that you have
Mike Saylor:
that would've collected that information and they didn't have anything or what
Mike Saylor:
they have wasn't configured well.
Mike Saylor:
And so we didn't have the information to, to determine whether or not
Mike Saylor:
data was exfiltrated to any degree.
Mike Saylor:
Uh, so we could see the, the network connections and the sessions, uh,
Mike Saylor:
but we couldn't see, uh, the data throughput or, or even what the data was.
Prasanna Malaiyandi:
so.
Prasanna Malaiyandi:
In that case though, Mike, is it you have to assume worst case, that there
Prasanna Malaiyandi:
was personal data or other things that was exfiltrated or is it, I don't
Prasanna Malaiyandi:
know what was happened, so I'll just say I don't know or nothing happened.
Mike Saylor:
There's a couple of things there too.
Mike Saylor:
Uh, so I mean, fundamentally, all of your data should be encrypted as often as it
Mike Saylor:
as it can be, uh, at rest in transit.
Mike Saylor:
Um, so that if it is exfiltrated, you, you, you were diligent protecting your
Mike Saylor:
data so that if it was stolen, there's a small likelihood that it's even usable.
Mike Saylor:
Well, not usable within, you know, relatively, you
Mike Saylor:
know, 10 years or whatever.
Mike Saylor:
Right.
Mike Saylor:
Um, so encryption is very important from a diligence perspective.
Mike Saylor:
Well then in the absence of evidence that data was exfiltrated, um,
Mike Saylor:
and this is something you have to work with your legal counsel on.
Mike Saylor:
How do we then word our communication, uh, to employees or clients or even the state
Mike Saylor:
or regulatory agency about what happened?
Mike Saylor:
And very often it is, uh, stated similar to, uh, no evidence was found to support.
Mike Saylor:
Right.
Mike Saylor:
So it's not yes or no, it's, we didn't find anything that said it did happen.
Mike Saylor:
W. Curtis Preston: Yeah.
Mike Saylor:
We've talked about a number of those incidents.
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
W. Curtis Preston: We, we have no evidence that that data was stolen.
Prasanna Malaiyandi:
That because we had really bad tracking mechanisms that would
Prasanna Malaiyandi:
give, that would tell us that data.
Mike Saylor:
and it, and it also depends on the threat actors.
Mike Saylor:
There are some threat actors that have a, uh, You know, a good
Mike Saylor:
reputation if you can have one.
Mike Saylor:
Uh, as a, as a threat actor that says, you know, they, they live by their code,
Mike Saylor:
and their code is, you know, if we steal your data, uh, you have, let's just say
Mike Saylor:
three days to acknowledge that you were breached and then you have, uh, and then
Mike Saylor:
we'll, we'll submit to you an offer.
Mike Saylor:
Uh, so you ransom note, and if so, first, if you, if you acknowledge that you are,
Mike Saylor:
were attacked and you contact us within three days, then we won't put your company
Mike Saylor:
on the wall of shame, which is a public indication that you were compromised.
Mike Saylor:
And, and people that know us know that we have some or all of your data.
Mike Saylor:
So we won't do that, and then we'll give you the ransom note.
Mike Saylor:
And if you pay that ransom note, or if we start these negotiations and we get,
Mike Saylor:
we go through this process and you pay us, then we promise to, to destroy all
Mike Saylor:
your data and, and keep it confidential and we'll even give you good tech
Mike Saylor:
support while you're trying to recover.
Mike Saylor:
Um, and so I've been through a variety of, of, of those types of incidents, seeing
Mike Saylor:
the, the gamut of, uh, bad actors that.
Mike Saylor:
Aren't very well organized and don't care, uh, all the way up through
Mike Saylor:
the very organized ones that, that operate like a, like a business and
Mike Saylor:
they've got good customer support or, you know, as good as it can be.
Mike Saylor:
Um, but, um, I will say that, you know, there is a trend towards
Mike Saylor:
data exfiltration with ransomware.
Mike Saylor:
Uh, there's, there's a still a large um, A large occurrence of ransomware where
Mike Saylor:
they don't care about your data, they just wanna make sure you're all locked up.
Mike Saylor:
And that's what they're gonna use for leverage to get you to pay.
Mike Saylor:
Because there's also the, the on the backside of that, even though threat
Mike Saylor:
actors are very risk averse, there's less risk from a, a consequence
Mike Saylor:
perspective, a prosecution perspective of just compromising your network
Mike Saylor:
and, and encrypting your stuff.
Mike Saylor:
Sure, I'll get in trouble.
Mike Saylor:
Sure.
Mike Saylor:
I'll get jail time and all this stuff, but if I also steal your data,
Mike Saylor:
Especially if it's regulatory data, healthcare, p i i, whatever, that's
Mike Saylor:
additional charges if I get caught.
Mike Saylor:
And so in a lot of cases, similar to the data access brokers, you
Mike Saylor:
also have, um, uh, network access brokers in addition to them.
Mike Saylor:
You also have the data brokers.
Mike Saylor:
So you've got the, and so it's this whole ecosystem.
Mike Saylor:
All right, so who do I know?
Mike Saylor:
Who, who can I pay to compromise your network?
Mike Saylor:
Alright, got that.
Mike Saylor:
I have the access.
Mike Saylor:
Who can I pay to develop the payload?
Mike Saylor:
Alright, got that.
Mike Saylor:
So payload's in there, ransomware's running, and now we've got
Mike Saylor:
their environment locked up and we've got this data set.
Mike Saylor:
I don't want the data set 'cause I don't want to get caught with it.
Mike Saylor:
So now I gotta find a data broker that will buy it from me, who knows how
Mike Saylor:
then to kinda like diamonds, right?
Mike Saylor:
I bought the rod diamonds, I gotta find a diamond cutter and then I
Mike Saylor:
gotta find a diamond distributor.
Mike Saylor:
And, you know, everybody makes their own cut.
Mike Saylor:
Um, so there isn't, there are uh, uh, there's still a large volume of, of
Mike Saylor:
attacks where this eco, this whole ecosystem comes into play and, and you're
Mike Saylor:
just, Depending on where you, where you catch the attack, you're dealing
Mike Saylor:
with different, um, threat actors.
Mike Saylor:
W. Curtis Preston: Yeah, that, that's interesting.
Mike Saylor:
I wasn't aware.
Mike Saylor:
Um, you know, it sounds like it's kind of like felony murder, right?
Mike Saylor:
Where, you know, like, um, it, it makes it worse, right?
Mike Saylor:
You killed somebody, but you killed somebody in the
Mike Saylor:
commission of another felony.
Mike Saylor:
It makes it, it makes it worse.
Mike Saylor:
Even if you didn't mean to kill them, right.
Mike Saylor:
That's my understanding.
Mike Saylor:
Like even if it, if it would otherwise be considered like accidental homicide
Mike Saylor:
or whatever, that because you, it happened in the commission of a
Mike Saylor:
felony, it makes it felony murder.
Mike Saylor:
Um, that, that is an interesting concept.
Mike Saylor:
Um, I, I, I, by the way, Mike, even though it sounds like maybe I was saying
Mike Saylor:
differently, I completely agree with you with sort of the, the assumed breach.
Mike Saylor:
Concept, right?
Mike Saylor:
That you need to spend, you need to be just as good if not better, with
Mike Saylor:
detection and response, uh, and recovery than the prevention aspect, right?
Mike Saylor:
Um, you know, having said that, there's nothing wrong with, with
Mike Saylor:
an ounce of prevention, right?
Mike Saylor:
Um, and that's why, um, I, I just, it, it bothers me.
Mike Saylor:
Like, on, on one hand we talk about some of the advanced things that you
Mike Saylor:
could do to, to help, but most people I.
Mike Saylor:
Um, you know, such as preventing, preventing lateral movement
Mike Saylor:
between systems that don't need to have lateral movement, right.
Mike Saylor:
Um, the, there's nothing wrong with that, but you're right, there's a cost and of
Mike Saylor:
doing it initially, there's a cost of maintaining that and there's a cost of.
Mike Saylor:
Of, you know, well, cybersecurity is always a pain, right?
Mike Saylor:
The be the more security you have, the harder it's to do your job.
Mike Saylor:
Right?
Mike Saylor:
Unless you're the si the sc the cybersecurity guy.
Mike Saylor:
That's why secure, that's why convenience stores are
Mike Saylor:
robbed more than security stores.
Mike Saylor:
W. Curtis Preston: I see, I see what you did there.
Mike Saylor:
Let's talk about response and recovery.
Mike Saylor:
Um, the, which is generally what we end up talking most of our time about here.
Mike Saylor:
What do you think is, you know, we talked about the things that you
Mike Saylor:
need to do in advance, establishing a communication with the F B I or other law
Mike Saylor:
enforcement, um, you know, establishing a relationship with somebody like yourself.
Mike Saylor:
Um, you know, so, so that you're not, you're not making that conversation the
Mike Saylor:
first time in the middle of an incident.
Mike Saylor:
What else do you think people need to do to be ready to respond,
Mike Saylor:
uh, in, in a cyber attack?
Mike Saylor:
Well, I think, uh, ex tabletop exercises are a great way to kind
Mike Saylor:
of ferret that out for your organization.
Mike Saylor:
Sit down with as many people in your company as you can.
Mike Saylor:
I mean, a lot of it departments are like, let's just do it with us first so we don't
Mike Saylor:
look stupid in front of everybody else.
Mike Saylor:
And that's fine.
Mike Saylor:
You know, you know, have a, have your, have your, you
Mike Saylor:
know, red, blue or red white.
Mike Saylor:
You know, scrimmage game, um, but then involve as many people as possible.
Mike Saylor:
And I've seen this be so successful.
Mike Saylor:
Um, and, and even involve your insurance broker and your outside counsel and invite
Mike Saylor:
the F b I invite the Secret Service, um, have this exercise and, and pick a topic.
Mike Saylor:
Um, and whether you do it yourself or, or, you know, look for a moderator.
Mike Saylor:
Uh, and there's a lot of good moderators out there.
Mike Saylor:
I'm, I, I do these all the time.
Mike Saylor:
I'm considered a breach coach.
Mike Saylor:
But then there's, there's even cybersecurity law firms that will, uh,
Mike Saylor:
will facilitate, uh, a good tabletop.
Mike Saylor:
And the idea is, let's pick a topic.
Mike Saylor:
Ransomware or intellectual property theft or.
Mike Saylor:
Um, our data center gets hit by a plane 'cause we're close to an airport.
Mike Saylor:
Whatever it is, pick a topic, invite as many people as you can
Mike Saylor:
and walk through the scenario.
Mike Saylor:
Um, you know, somebody clicked the link and, and you know, they came to
Mike Saylor:
work and their desktop icons are all changed and they can't use anything.
Mike Saylor:
Well, and then we got another call and then, alright, well
Mike Saylor:
let's start with who do they call?
Mike Saylor:
Who does an employee talk?
Mike Saylor:
Who is their phone number?
Mike Saylor:
Is there an what if email doesn't work?
Mike Saylor:
Uh, so who do they call?
Mike Saylor:
And then what does that person do?
Mike Saylor:
How do we, how do we assess the situation?
Mike Saylor:
And which is, you know, kind of phase one of incident response is how do we
Mike Saylor:
categorize this event into an incident?
Mike Saylor:
Is it a non-event?
Mike Saylor:
Is it critical?
Mike Saylor:
Uh, and then that then based on your plan, would indicate
Mike Saylor:
who else needs to be involved.
Mike Saylor:
Once we categorize, once we categorize the, uh, the incident, well then I.
Mike Saylor:
Having as many people there as possible is, is valuable two ways.
Mike Saylor:
One, maybe you don't know who needs to be in involved.
Mike Saylor:
And you can start asking all the attendees, uh, who are the right
Mike Saylor:
people, uh, because you know, I sent this email out five months ago and
Mike Saylor:
nobody's responded who the right person is, but we're all in the same room.
Mike Saylor:
Let's working out.
Mike Saylor:
But at the same time, uh, you're gonna get some people going.
Mike Saylor:
I.
Mike Saylor:
Would've had no idea that's what's involved with doing X, Y,
Mike Saylor:
or Z unless I was in this room.
Mike Saylor:
And I'll tell you a funny story.
Mike Saylor:
We were doing a, a tabletop for a, a company, uh, I think they're in
Mike Saylor:
healthcare and part of the scenario was, uh, threat actor used the contact us.
Mike Saylor:
Button on their website to say, that's how they said, you
Mike Saylor:
know, we have all your data.
Mike Saylor:
Call us in three days.
Mike Saylor:
Um, and here's the information to do so.
Mike Saylor:
And so that was part of the scenario.
Mike Saylor:
So I, uh, I asked, well, who's in charge of the website?
Mike Saylor:
And there were two people in the audience and they said, we are.
Mike Saylor:
And I said, well, what would you do if you got that email?
Mike Saylor:
And they said, we'd probably delete it.
Mike Saylor:
'cause we wouldn't believe it was true.
Mike Saylor:
Well, okay, well maybe you shouldn't delete it anymore.
Mike Saylor:
You should, you know, forward that to the security team
Mike Saylor:
and let them figure that out.
Mike Saylor:
And they said, good.
Mike Saylor:
Good call, uh, good policy.
Mike Saylor:
So, but there were, there were a lot of people in the audience that said, I'm
Mike Saylor:
glad I was here because I would've had no idea that all these moving parts,
Mike Saylor:
and this is this level of effort and this stuff would, is necessary for
Mike Saylor:
responding to whatever the incident was.
Mike Saylor:
Well then, well now it's a good time to ask the insurance broker who's on the call
Mike Saylor:
or in the meeting, when do we contact you?
Mike Saylor:
And they're gonna say, well, as soon as possible.
Mike Saylor:
And, and from, from an employee, uh, company perspective, I think there
Mike Saylor:
was a misconception that calling the insurance like as soon as possible
Mike Saylor:
is somehow gonna affect your premium.
Mike Saylor:
Like, we're gonna pay more because we called you.
Mike Saylor:
Um, and that's not the case.
Mike Saylor:
They want to be involved as soon as possible to help you make the right
Mike Saylor:
decisions because you may be using third parties and buying, you know,
Mike Saylor:
going through this, this expense that, uh, may not be reimbursable.
Mike Saylor:
You know, you might not be able to get paid back for that
Mike Saylor:
if, even if your claim is.
Mike Saylor:
Is accepted, but at the same time, the insurance company wants to know
Mike Saylor:
about how diligent you're being and they wanna be involved in the process.
Mike Saylor:
And that's gonna help you determine or, or hopefully help you, uh,
Mike Saylor:
towards getting your claim approved.
Mike Saylor:
Um, and then they're gonna be the ones, uh, along with your legal counsel, helping
Mike Saylor:
you make the right decisions about how to communicate, uh, situations to third
Mike Saylor:
parties and outside, you know, clients and what have you, but also internally.
Mike Saylor:
And we walked through this, just adding this real quick.
Mike Saylor:
Alright, so you've got this incident.
Mike Saylor:
And, and we did this, uh, we did a tabletop with an engineering company and
Mike Saylor:
they didn't do anything we suggested.
Mike Saylor:
And then like six weeks later, they got hit with ransomware and they
Mike Saylor:
were down for two and a half months.
Mike Saylor:
But, uh, that's the other important thing about tabletops or, or any type of
Mike Saylor:
assessment, you really need to take the remediation seriously, uh, and take action
Mike Saylor:
on those things as soon as possible.
Mike Saylor:
'cause if, if we found them, bad guys have probably found them too.
Mike Saylor:
But one of the things that we found out in a tabletop, or that
Mike Saylor:
came to mind was communication.
Mike Saylor:
Specifically internally.
Mike Saylor:
So this engineering company got hit with ransomware.
Mike Saylor:
They were down, nobody could do any work and they couldn't even email people.
Mike Saylor:
Alright, so, Do you have a system, uh, that collects
Mike Saylor:
personal emails and phone numbers?
Mike Saylor:
Do you have a system where people can call in to get status?
Mike Saylor:
Like, is it a snow day?
Mike Saylor:
Uh, are we off for the day?
Mike Saylor:
Uh, is there an incident?
Mike Saylor:
When are we gonna hear an update?
Mike Saylor:
That kind of stuff.
Mike Saylor:
But then do you also have a policy that says, in the event of an
Mike Saylor:
incident, you are prohibited from discussing this stuff on social media?
Mike Saylor:
Don't put on LinkedIn.
Mike Saylor:
Oh, we had an incident today.
Mike Saylor:
I got, I guess I got the next two months off.
Mike Saylor:
Um, that you're, you've gotta contain that and or at least, uh, uh,
Mike Saylor:
define the messaging for that stuff.
Mike Saylor:
Get ahead of it.
Mike Saylor:
Uh, go ahead and make your templates for internal and external communications.
Mike Saylor:
Like, what are we gonna say?
Mike Saylor:
Well, you should, uh, plan for that now, uh, instead of wasting time during an
Mike Saylor:
incident, you know, trying to figure it out while the house is on fire.
Mike Saylor:
Um, so having said all of that, um, you know, incident response
Mike Saylor:
exercises are very valuable.
Mike Saylor:
Um, And even though you may want to have your own little huddle to figure
Mike Saylor:
out, you know, how well are we before we invite the rest of the, the crew,
Mike Saylor:
um, you should invite as many people, internal, external, subject matter
Mike Saylor:
experts, partners, um, um, as you can, uh, to get everybody, um, playing on
Mike Saylor:
the same team, on the same field they show up for at the, at the right time.
Mike Saylor:
Um, and they have an idea of what the playbook is.
Mike Saylor:
W. Curtis Preston: Wow.
Prasanna Malaiyandi:
Wow, that's, yeah, very detailed.
Prasanna Malaiyandi:
And like you mentioned, it's sort of plan ahead of time, right?
Prasanna Malaiyandi:
I'm sure there are so many companies where it's like, Hey, ransomware
Prasanna Malaiyandi:
hits, or We have an incident.
Prasanna Malaiyandi:
It's just IT and the security org that's dealing with this, right?
Prasanna Malaiyandi:
But like you mentioned, there's so many other folks involved.
Prasanna Malaiyandi:
And just knowing who those people are, especially if you're a large company, you
Prasanna Malaiyandi:
don't know, like one department doesn't know who the other department is even.
Prasanna Malaiyandi:
Right.
Prasanna Malaiyandi:
And having that.
Mike Saylor:
We had a situation where for, for four days, we were operating under
Mike Saylor:
the un, uh, assumption that they only had a, uh, $3 million cyber insurance policy.
Mike Saylor:
So we were restricting, uh, who was involved to restrict
Mike Saylor:
the expense and the overhead.
Mike Saylor:
Uh, and it wasn't until we were on a, uh, I think it was like 11
Mike Saylor:
o'clock at night on a Sunday, we were on a, an update call and we were
Mike Saylor:
talking about this $3 million policy.
Mike Saylor:
When someone walks, I could see them walk behind the person talking on the
Mike Saylor:
camera, and they go, we have 6 million.
Mike Saylor:
Like, what?
Mike Saylor:
What do you mean?
Mike Saylor:
We have two, $3 million policies?
Mike Saylor:
And nobody knew that.
Mike Saylor:
Nobody else, but this person knew that.
Mike Saylor:
And that completely changed.
Mike Saylor:
We're like, well, look, we need to start getting more resources in here.
Mike Saylor:
You know, call, call the big brand response teams and all.
Mike Saylor:
So that really changed the game because that just happened to come out in a
Mike Saylor:
meeting without, you know, everybody else being really aware of, uh, Yeah.
Mike Saylor:
And the other bad part of that situation, uh, unfortunately, was that,
Mike Saylor:
uh, they had $6 million in coverage.
Mike Saylor:
But what they didn't also know is that it was a self-funded insurance policy.
Prasanna Malaiyandi:
Uh,
Mike Saylor:
So they were paying into that over, over time and the
Mike Saylor:
insurance company said, we'll cover you, uh, if the day comes, but then
Mike Saylor:
you've gotta pay it back pretty much.
Mike Saylor:
And so, um, they didn't know that either.
Mike Saylor:
So a lot of things
Prasanna Malaiyandi:
Raid your
Prasanna Malaiyandi:
policy.
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
W. Curtis Preston: they found that out.
Prasanna Malaiyandi:
, Mike, we could talk all day.
Prasanna Malaiyandi:
I, I, I love the stories by the way.
Prasanna Malaiyandi:
I,
Prasanna Malaiyandi:
eh.
Prasanna Malaiyandi:
W. Curtis Preston: you know, you, you know me, Prasanna, I'm, I'm a
Prasanna Malaiyandi:
storyteller myself, and I, I think nothing, nothing tells the story
Prasanna Malaiyandi:
like a good story, you know, nothing, nothing drills that point home, uh,
Prasanna Malaiyandi:
better than a good story, for sure.
Prasanna Malaiyandi:
Um, and I, I love hearing.
Prasanna Malaiyandi:
From these real incidents, uh, what, you know, what, what I'm hearing?
Prasanna Malaiyandi:
So I, I like, you know, the things that I picked up here.
Prasanna Malaiyandi:
First off, I like the amount of time we spent on the F B
Prasanna Malaiyandi:
I, uh, and for guard program.
Prasanna Malaiyandi:
Uh, I definitely wanna look more into that and I think the listeners
Prasanna Malaiyandi:
should look more into that.
Prasanna Malaiyandi:
And I like this idea, uh, and of, of using them as a way to establish those
Prasanna Malaiyandi:
communication channels before an event.
Prasanna Malaiyandi:
Um, and I like the idea of, well, you know, we, we, we always promote
Prasanna Malaiyandi:
the idea of, of tabletop exercises and, um, you know, in, in my
Prasanna Malaiyandi:
world, you know, we call them Dr.
Prasanna Malaiyandi:
Dr exercises right back before the, the cyber world was also
Prasanna Malaiyandi:
attacking backup systems.
Prasanna Malaiyandi:
Um, so I, you know, I think this has been a great conversation, Mike.
Prasanna Malaiyandi:
So I want to thank you for coming on.
Mike Saylor:
Certainly.
Mike Saylor:
W. Curtis Preston: And, uh, Prasanna once again, as always,
Mike Saylor:
you with your, with your wisdom.
Prasanna Malaiyandi:
Yeah, anytime Curtis, and I hope you'll be ordering a chair
Prasanna Malaiyandi:
or at least, or uh, browsing chair soon.
Prasanna Malaiyandi:
And Mike, thank you for the info.
Prasanna Malaiyandi:
I.
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
It's always fascinating hearing these real life stories because that's something
Prasanna Malaiyandi:
that you don't hear about, right?
Prasanna Malaiyandi:
What did people experience and what was it like going through?
Prasanna Malaiyandi:
It's just like what you read, like reading the Cuckoo's Egg, right?
Prasanna Malaiyandi:
It's like those are the types of stories that are interesting that
Prasanna Malaiyandi:
you learn from, especially new people in this space, like myself, right?
Prasanna Malaiyandi:
Where it's like, hey, what really goes on behind the scenes and
Prasanna Malaiyandi:
what does it take to recover?
Prasanna Malaiyandi:
So thank you for sharing.
Mike Saylor:
Certainly.
Mike Saylor:
Yeah.
Mike Saylor:
I've got stories all day.
Mike Saylor:
W. Curtis Preston: Sounds like
Mike Saylor:
Prasanna Malaiyandi: we'll have you back on.
Mike Saylor:
W. Curtis Preston: Yeah, you and me over beers, Mike, nobody would
Mike Saylor:
ever get the word in edgewise.
Mike Saylor:
And once again, I want to thank our listeners,
Listen On
