Speaker:You've found the Backup Wrap-Up, your go-to podcast for all things
Speaker:backup recovery and cyber recovery.
Speaker:Got a little something different for you.
Speaker:Uh, Mike and I have been, um, Mike Saylor and I have been working really hard on.
Speaker:Finishing the book for you, the, the upcoming ransomware book.
Speaker:And we did, um, that's the good news.
Speaker:The bad news is we didn't have enough time to record another, an episode.
Speaker:So I reached back into the archives and found, this is, uh, a recording from
Speaker:Mike when he, uh, came on the podcast to talk about, uh, detecting ransomware.
Speaker:And, uh, I'm, I'm trying something different here.
Speaker:Let's see how it goes.
Speaker:What I actually did was I tightened up the episode, uh, looked through and I
Speaker:just grabbed really the, you know, the, the really relevant parts of this piece.
Speaker:So it's a tighter episode than the original recording.
Speaker:Should be around a half hour instead of the 45 minutes.
Speaker:It's something I'm gonna try.
Speaker:I really wanna know what you think about it.
Speaker:So whether you're watching this on YouTube or on, uh, you know, the, uh, uh,
Speaker:backupwrapup.com, I, I'd love to hear from you as to what you think of this tighter
Speaker:format and specifically the one here where I took a longer show and, uh, tightened it
Speaker:up to make it a little bit more, um, you know, I don't know, easier to listen to.
Speaker:This is the Backup Wrap-Up.
Speaker:Welcome to the show.
Speaker:I am W. Curtis Preston, AKA Mr. Backup, and I have with me Prasanna Malaiyandi.
Speaker:How's it going?
Speaker:Prasanna.
Speaker:I am good, Curtis.
Speaker:It's time to bring on our, uh, our guest.
Speaker:Once again, our resident cybersecurity expert, CEO of Black Swan Security.
Speaker:Mike Saylor.
Speaker:How's it going, Mike?
Speaker:It is going well guys.
Speaker:Thanks for having me.
Speaker:We're talking about ransomware.
Speaker:So this week I wanted to talk about.
Speaker:The actual phase or you know, whatever the things that we need to
Speaker:do in order to detect ransomware.
Speaker:And I remember talking about this a little bit with you before, but can
Speaker:you, um, aside from like a, a SIEM/SOAR tool, sort of going off and noticing
Speaker:something, can you think of weird things that have happened in people's
Speaker:environments where it ended up being.
Speaker:The ultimate thing was they were actually under a ransomware attack.
Speaker:You know what I'm saying?
Speaker:Like, like for some reason the, you know, the company dishwasher stopped working
Speaker:and uh, you have weird stories like that.
Speaker:Uh, I, I do.
Speaker:And so there, there are, there are, there's malware.
Speaker:There's a category of malware called polymorphic.
Speaker:So it, it, it changes.
Speaker:Uh, some of that change depends on what the malware
Speaker:has identified as, as its host.
Speaker:And so there, there is a strain.
Speaker:There are strains of malware that are specific to certain, you know, they're,
Speaker:they're targeting specific, uh, devices.
Speaker:Um, we saw this with Stuxnet.
Speaker:Uh, we saw it with, uh, point of sale specific malware.
Speaker:Uh, and now there's ransomware that is looking for specific.
Speaker:Uh, specific hosts.
Speaker:It doesn't want to trigger the ransomware on, on an invaluable host.
Speaker:Like, I don't care if that's got ransomware, just throw it out the window.
Speaker:Uh, but, and then tip, its, tip its cards to what it, you know,
Speaker:the, the attackers are doing.
Speaker:They don't want to trigger the alarms before the, the, the jewels are stolen.
Speaker:So there, there are kind of your, your.
Speaker:Your analogy to the dishwasher's not working anymore.
Speaker:If it's a smart dishwasher, it could very well start to malfunction or perform
Speaker:poorly if malware is interrogating it to determine if it's its target.
Speaker:Uh, there's even malware, uh, the ransomware that,
Speaker:that cleans up after itself.
Speaker:So maybe it gets to the dishwasher and decides, well, this is a
Speaker:dishwasher and it moves on.
Speaker:Well, as it moves on, it deletes.
Speaker:Its, you know, it cleans up after itself.
Speaker:So when you go look at the, at the dishwasher, you, you're like, I
Speaker:don't, I don't know what caused that.
Speaker:But,
Speaker:Seems to be working fine now.
Speaker:more, more often than not, it's, it's user feedback about, you
Speaker:know, complaining about their.
Speaker:their computer running slowly, or, you know, I can't watch
Speaker:Netflix at lunch anymore.
Speaker:Um,
Speaker:Dexter.
Speaker:No Dexter at lunch.
Speaker:right.
Speaker:So it it's usually it's system, you know, performance degradation or, or.
Speaker:Um, just weird stuff.
Speaker:Symptoms, uh, weird symptomatic stuff that usually get, uh, you get
Speaker:notifications on to determine, well, that's weird, but then you go look
Speaker:at it and there's nothing there.
Speaker:Well, it's, well forensically you can still see some stuff, but at
Speaker:the, you know, kind of the, the surface level, you're like, I
Speaker:don't, there's no malware here.
Speaker:Um.
Speaker:but in that case though, like I'm guessing that that user would call
Speaker:their IT help desk and the IT TA person would probably take a look and
Speaker:be like, oh yeah, nothing happened.
Speaker:And then they'd probably just close it and move on.
Speaker:Right.
Speaker:Very like does, how often does it really get escalated?
Speaker:Be like, Hey, that seems weird.
Speaker:Let's figure out like, is there a security issue or something else?
Speaker:It, it, the, the frequency or the, or I guess the likelihood that that
Speaker:gets escalated is, is almost directly related to whether or not they've
Speaker:had to deal with it in the past.
Speaker:So if you've had ransomware, you're a little more diligent and
Speaker:suspicious of weird stuff happening.
Speaker:Like, all right, well we've had, we don't wanna go through that again.
Speaker:Uh, I'm gonna, I'm gonna take every call about weird stuff happening as
Speaker:if it might be ransomware or some other malware versus an environment
Speaker:where maybe they haven't had the, put a fire out or go through that.
Speaker:They're, they're, they're a little more skeptical about, you
Speaker:know, that's just user error.
Speaker:Or, you know, it's, it's Tuesday.
Speaker:Uh.
Speaker:do and do anybody, um, does anybody ever report actually seeing, like
Speaker:someone taking over their desktop?
Speaker:Like they're, they happen to see mouses moving around or
Speaker:windows opening and closing?
Speaker:Do they see that?
Speaker:We have, we have worked a few, there's other cases, and
Speaker:this is actually a a what.
Speaker:In, in the, in a corporate environment, we don't see it as often.
Speaker:Uh, but small businesses and individuals often get scammed into the whole,
Speaker:"You've got a virus, call this phone number," we then remote access into your
Speaker:machine and then, you know, their access persists or, or something else happened
Speaker:to, to drive that, that weird behavior.
Speaker:The other problem is managed service providers.
Speaker:So you've got this one company that, that supports the, you
Speaker:know, technology to some degree.
Speaker:Whether it's everything, uh, servers and workstations and
Speaker:help desk is all outsourced.
Speaker:Or it's some something specific like a, like a core processing server
Speaker:that does your financials if you're a credit union at, so you have
Speaker:this one, one to many relationship.
Speaker:You've got this one company that supports many clients and.
Speaker:Uh, just human nature.
Speaker:We wanna make sure that that's as easy as possible.
Speaker:So what we found were what we call cons, uh, coincidental passwords.
Speaker:So this one vendor uses the same credentials to log
Speaker:into all of their clients.
Speaker:And so what we've seen recently is, yeah, there's this remote control
Speaker:stuff going on because that vendor was compromised and they didn't know it.
Speaker:But now bad guys have access to the environments of all
Speaker:the clients they support.
Speaker:So, so what we've been talking about so far is sort of.
Speaker:Users noticing something odd happening, calling in, right,
Speaker:getting in, troubleshooting.
Speaker:But I'm guessing though that users aren't always the best people to recognize
Speaker:when things go wrong, and they're probably not always at their desk
Speaker:when the bad actor is doing something.
Speaker:So what happens for all those other scenarios?
Speaker:So there's, there's other things that we do in a corporate environment that
Speaker:we hopefully would notice weird things, our backups, our network bandwidth.
Speaker:Um.
Speaker:And there, there's tons of places that you can set up alerts and triggers,
Speaker:uh, firewall, uh, weird IP addresses, different protocols, uh, unexpected
Speaker:data going out, different ports.
Speaker:Um.
Speaker:There's a lot of things we could look at and, and, and it's, it's a pretty
Speaker:lengthy list, but humanly possible.
Speaker:Like, is there one person that's gonna go down this whole checklist every
Speaker:day, you know, several times a day?
Speaker:Uh, that's just not, that's not feasible.
Speaker:Uh, and so you've really gotta roll that up into a tool that can automate it and
Speaker:just give you a dashboard view of things.
Speaker:Um.
Speaker:The, the, the secret, the, the key is how many things, how
Speaker:much visibility do we have?
Speaker:Finding tools and the data sources and the use cases that all line up.
Speaker:Like there's a, there's a ransomware use case.
Speaker:All right?
Speaker:So from ran, if, if we're, if, if our focus or objective
Speaker:is to identify ransomware.
Speaker:Then working backwards from that objective, we've gotta find the data
Speaker:sources that would give us the indicators.
Speaker:Uh, then we've gotta have the technology that can consume or
Speaker:connect and consume that data source.
Speaker:Uh, then we've gotta have some policy procedure around the source of that data.
Speaker:Like, what is it?
Speaker:Is it a server?
Speaker:You know, uh, firewall, how's it configured?
Speaker:How do we patch it?
Speaker:How do we update it?
Speaker:How do we back it up?
Speaker:Uh, so that playbook is, is fairly extensive, but the, the detection
Speaker:part of that is all about visibility.
Speaker:Um, and, well, I guess fundamentally too, understanding how ransomware works.
Speaker:Um, 'cause I mean, your, your smart dishwasher probably isn't gonna
Speaker:get infected with, with ransomware.
Speaker:Uh.
Speaker:Hmm.
Speaker:Not yet.
Speaker:So when we start talking about this, we've got to start talking about some
Speaker:sort of tools that are, and there's three tools that I'm aware of and, um, you
Speaker:know, which would be XDR, SIEM and SOAR.
Speaker:SOAR is more about the response, right?
Speaker:But XDR and SIEM tools are about the actual detection.
Speaker:Did I, did I get that right?
Speaker:So the, the XDR is, is the platform that you would, um, consolidate
Speaker:all of your alerts and data sources from different other tools.
Speaker:So it's kind of like the top, the top of your security stack.
Speaker:Okay.
Speaker:And then the, the SIEM is, is kind of below that.
Speaker:So SIEM is one of the.
Speaker:One of the feeds into your XDR platform, EDR, you know, your anti-malware endpoint
Speaker:stuff, that's another data source.
Speaker:Um, and, and so.
Speaker:I just thought all the, all the EDR tools were calling themselves XDR tools.
Speaker:That
Speaker:that's
Speaker:And, and they're really not.
Speaker:Um,
Speaker:the evolution of EDR into more of a managed service is still
Speaker:missing the network layer.
Speaker:So the, the EDRs like CrowdStrike that say that they, they do XDR, they're
Speaker:still missing the, the east, west, you know, network traffic, NetFlow,
Speaker:Okay.
Speaker:EDR would be endpoint detection response, which typically what we're
Speaker:talking about there is, is like desktops and laptops and things like that.
Speaker:Not so much servers.
Speaker:Would that be right?
Speaker:Well servers too.
Speaker:I mean, you can, you can put EDR on, on servers for sure.
Speaker:But not necessarily networks, like network
Speaker:it, it, uh, CrowdStrike doesn't do network analysis.
Speaker:And so, you know, even before, you know, the, the first, the first kind
Speaker:of acronym was NDR Network Layer stuff.
Speaker:So that's like ExtraHop, uh, you know, NetFlow, uh, your, your router.
Speaker:XDR, the extended detect is that we can plug anything into our console.
Speaker:So that's our SIEM, that's an anti-malware, uh, NetFlow, uh, and even
Speaker:like some XDR platforms can do like physical security devices, like
Speaker:badges and motion cameras, and, um.
Speaker:IoT things, uh, like, hey, my dishwasher's throwing errors a bunch.
Speaker:Uh, you know, you can, I guess if there's a use case for that.
Speaker:Um, so XD the idea with XDR, uh, and even, even broader than that, is an
Speaker:open XDR uh, platform that just about anything you can imagine can be fed into
Speaker:this thing, uh, to correlate events and, and if it's capable, develop behavioral
Speaker:baselines and some other cool stuff.
Speaker:So then, um, does SOAR fit into that, all of that?
Speaker:So SOAR is also not a new term.
Speaker:Uh, so SOAR is security orchestration and automated response.
Speaker:Uh, so the idea with SOAR is that we have this playbook, and historically
Speaker:it's been a manual playbook, right?
Speaker:We get out the book and we look through it and say, this is what we're gonna
Speaker:do in response to whatever this.
Speaker:Thing is, so it could be an incident, it could be a, a malware, it could
Speaker:be a stolen laptop, whatever.
Speaker:You've got this playbook and, and the idea with playbooks is you assess
Speaker:yourself, like our company does these things and we have these assets, and
Speaker:what is the most likely impact to us?
Speaker:Ransomware's at the top should be at the top of everybody's list these
Speaker:days, if you're connected to the internet and have users, uh, ransomware
Speaker:is just statistically more likely than a lot of other things these
Speaker:days, but it could be other stuff.
Speaker:You should have a playbook on, uh, denial of service if your company
Speaker:relies on internet connectivity, um, for revenue and communications.
Speaker:You, if you have a, a large remote workforce and they have laptops that have.
Speaker:Company data on it that you should have a playbook on stolen laptops.
Speaker:Is this similar to the incident response plan stuff we talked about
Speaker:a couple or many episodes ago?
Speaker:It is, and, uh, however, uh, SOAR, uh, traditionally and, and I was kind of,
Speaker:I was getting to that the, the SOAR traditionally was more broadly defined.
Speaker:So you could have something that might not be considered an incident yet.
Speaker:Um, so, so, so back in the day also incorporated, well,
Speaker:how do we analyze this event?
Speaker:Hmm.
Speaker:Uh, and then we, and then we started to developing more technical incident
Speaker:response plans and programs that said, all right, that playbook is now part
Speaker:of our plan, and here are the more technical, tactical things we need to do.
Speaker:Well then the evolution of SOAR, uh, from a platform or technology
Speaker:perspective is, all right, how do we automate some of this stuff?
Speaker:Yeah.
Speaker:And so there are, there are third party tools that are, so our SIEM, our
Speaker:XDR platform, identified this stuff.
Speaker:Uh, let's integrate this automation tool or, or we have this tool now that's,
Speaker:that we can then go and, and use to say, we need to handle this, this incident.
Speaker:So as an example, could it be something like, I've detected some random
Speaker:network traffic on this particular client that doesn't look right.
Speaker:The SOAR detects it and maybe it shuts off the network port.
Speaker:Yes.
Speaker:And so in the SOAR you would, you would again, define these playbooks
Speaker:when this happens, do these things.
Speaker:And so with ransomware as an example, if, uh, user account experiences, several
Speaker:failed logins and then a successful login.
Speaker:And then service, you know, anti-malware is shut off on the endpoint and
Speaker:there is internet traffic to geo, you know, whatever IP address, uh, around
Speaker:the world do these things, right?
Speaker:Disable user, revoke MFA tokens, uh, uh, shun or, or quarantine
Speaker:that, that endpoint, you know, take it off the, you know, um, uh.
Speaker:Block its IP address, uh, notify whoever and do these things,
Speaker:and you can automate that.
Speaker:Um, and it can be as, as detailed as that.
Speaker:It, it could be, uh, and any variation of that.
Speaker:So yeah, those, those, that's a great example of how that, that
Speaker:tool and it, and it would do it so quick, like milliseconds versus the,
Speaker:the human version of that is, um.
Speaker:You know, your SIEM tool pops up and says, you know, you've
Speaker:got something to look into.
Speaker:An analyst takes 15 to 20 minutes to verify it.
Speaker:Uh, we have a valid thing.
Speaker:Let me escalate it to level two.
Speaker:Level two looks at it, you know, another 15, 20 minutes.
Speaker:Now we're looking at other, other data sources like the firewall and some stuff.
Speaker:We've now validated that then we, we escalate that to the client if it's
Speaker:an MSP version, uh, or, or the, the business owner or the stakeholder
Speaker:in a, in a corporate environment.
Speaker:Uh.
Speaker:And we're waiting for a response from them to determine what to do next.
Speaker:And so now that that millisecond SOAR automated response has turned into at a
Speaker:minimum hour and a half, two hours, and who knows what, you know, that malware
Speaker:is, especially the ones that, that, uh, can run autonomously, is our, they've
Speaker:already done reconnaissance to look at what else this thing has access to.
Speaker:And I've already spread and done other stuff.
Speaker:Time is of the essence.
Speaker:yeah.
Speaker:Yeah.
Speaker:So all, all right.
Speaker:So let, let's say, let's say I'm a company, I'm an organization that
Speaker:has none of these tools, right?
Speaker:Just, and I'm, I'm listening to this episode, I'm like, holy crap.
Speaker:Like, how many things do I need to buy and where should I start?
Speaker:Um, I, I think that's.
Speaker:I think that's where the average person might be right now.
Speaker:Um, and that's where I am.
Speaker:Um, I'm like, wow, that's a, that's an awful lot of tools where, you know, and,
Speaker:and, and each of them thinks they're, they're, you know, well, you gotta have
Speaker:this, you gotta have MDR, you gotta have XDR, you gotta have SIEM, you gotta have,
Speaker:so you gotta have all these things.
Speaker:And I'm sure there's an acronyms that we haven't got to, um, where,
Speaker:where does, you know, I'm worried that I'm gonna get ransomware where.
Speaker:Do I start with all these tools?
Speaker:There's a lot of different, uh, approaches to the problem and understanding.
Speaker:The problem is, is fundamentally economics, right?
Speaker:I can't afford.
Speaker:The people or the, the software or the whatever it is to, to
Speaker:truly, um, improve my, my odds.
Speaker:And that's really what it is.
Speaker:I mean, you can invest everything you have in protecting yourself and
Speaker:you're still a statistic at some point.
Speaker:'cause bad guys are gonna figure out how to get to you.
Speaker:Um, but remember that ransomware is malware.
Speaker:And all malware requires user, user interaction in order to infect your thing.
Speaker:So your computer, um, if it's not connected to the internet and you're not
Speaker:looking at email and going to websites, you're, you're, you're good, right?
Speaker:Or you're, you know, 99% there.
Speaker:Uh, you also have to disable all your USB ports and Bluetooth
Speaker:and all that other stuff too.
Speaker:Um, which means you really can't use your, your computer for anything.
Speaker:Um.
Speaker:So then, but, but if you start there, all right.
Speaker:If my computer's not connected to anything, what can I do?
Speaker:Well, I can't do much.
Speaker:Well, I need to do this thing.
Speaker:Well, what do I need to do that thing?
Speaker:Well, I need internet to get to this website so I can log in to do my work.
Speaker:Okay, well then can we exclude the majority of other things
Speaker:that you don't need to do?
Speaker:Yeah.
Speaker:All right.
Speaker:So let's, we can write policy about that.
Speaker:That's okay.
Speaker:Well, what else do you need?
Speaker:Oh, I need email.
Speaker:I need email to be able to send and receive files and talk to people.
Speaker:Okay.
Speaker:Well, are there ways of restricting email's ability to, to present me with
Speaker:things that, that could be a risk?
Speaker:Well, yeah, that's, you know, email filtering and spam
Speaker:filtering and stuff of that stuff.
Speaker:Some of those tools, some of the, some of that stuff that I've
Speaker:mentioned is, are probably already a capability of what you've purchased.
Speaker:Like Office 365 comes with some good stuff.
Speaker:They just don't do a real good job at teaching you how to,
Speaker:how to use it and configure it.
Speaker:And us as consumers are really poor at, at reading the manual.
Speaker:Um.
Speaker:comes with some other stuff that, but they do charge quite a, quite a bit for it,
Speaker:They do.
Speaker:And so,
Speaker:um, but you know, going back to how many tools do I need to
Speaker:buy, that's another decision.
Speaker:Do I, do I buy more licensing and, and capabilities from this one tool?
Speaker:Or do I look at, you know, what other things can I bolt
Speaker:on and, and add to, to this?
Speaker:Maybe it's more cost effective, but now you've got a, now you've
Speaker:got overhead and having to spend more time doing these other tools,
Speaker:well then all.
Speaker:So you've, you've been somewhat diligent.
Speaker:You've, you're, you're using your computer responsibly and you, you've
Speaker:figured out how to use what you paid for, uh, to do, you know, what,
Speaker:what you can with what you have.
Speaker:Mm-Hmm.
Speaker:Then it all comes down to just be being aware and, and you know that that email
Speaker:but, you know, kind of at the end of the day, and, and maybe getting
Speaker:back to your, your original question with, well, how do, how does the
Speaker:average person protect themself?
Speaker:It starts with just being diligent.
Speaker:Just take a minute and, and think through the, you know, rationale of whatever
Speaker:it is that you're, you were gonna do.
Speaker:Click on something, open something, download something, go to a website,
Speaker:scan a QR code with your phone.
Speaker:Um.
Speaker:These are all things that you maybe just, just take a minute
Speaker:and, and really think through.
Speaker:Do I need to do that?
Speaker:Was I expecting that?
Speaker:Could there be something, you know, malicious or, or, uh,
Speaker:wrong with whatever this is?
Speaker:And it never hurts to phone a friend.
Speaker:Um.
Speaker:And, and, you know, making friends is important in this, in, in cyber.
Speaker:'cause you know, as, as a individ, as an individual, you, you're
Speaker:probably not gonna be exposed to or experience a lot of things.
Speaker:Um, and then the more people you talk to about what you see and and your questions,
Speaker:the more likely you're gonna get somebody that's probably already made that mistake
Speaker:and can help you not make it yourself.
Speaker:Yeah.
Speaker:And Mike, just on that last point, I think it's a great thing, and I
Speaker:know we did an entire discussion about like cyber insurance,
Speaker:right?
Speaker:And how they're like a trusted advisor.
Speaker:You should talk to them because I'm sure they could give you good advice on sort
Speaker:of how to shore up your defenses and be able to detect and protect yourself
Speaker:against ransomware and other malware.
Speaker:And there's a couple of, a couple of real quick, uh, like things to consider
Speaker:if, if you think you've got ransomware or malware, just turn your computer off.
Speaker:Power it off, take the battery out, unplug it.
Speaker:'cause that, that stuff needs power to do its job.
Speaker:And if, if you really think, you know, I've got my critical, my
Speaker:whole life is on this computer and I think I have malware, shut it off.
Speaker:Unplug it.
Speaker:Take the battery out and find somebody that can help you get your data
Speaker:off of it and make sure it's clean.
Speaker:Um, and that way at least you've got a backup.
Speaker:Backups are, are critical with ransomware.
Speaker:Um, but yeah, don't.
Speaker:Don't just sit there.
Speaker:It's kind of like, you know, especially guys, and I'm, I'm definitely guilty.
Speaker:I'm a little hardheaded when it comes to illness and health.
Speaker:If you've got symptoms, call the doctor.
Speaker:Right.
Speaker:Don't, don't sit there and go, oh, I'll give it.
Speaker:I'll give it another day.
Speaker:Or maybe I just need a nap.
Speaker:Yeah.
Speaker:Yeah, I, um.
Speaker:Which brings up, and, and this is a giant tee up, and, uh, but you know, it would
Speaker:seem to me that this is too important for you to try to figure it out yourself.
Speaker:Like if you, if you're not a cybersecurity specialist, if you, if you, if
Speaker:you're not living your life, this thing, it's kinda like backup, right?
Speaker:Where it's like, it's way more difficult than you think it is.
Speaker:Right.
Speaker:Um, and that, and that's why MSPs exist, right?
Speaker:And so it would seem to me that I. Rather than try to figure out which of
Speaker:10 different, you know, I mean, somebody showed me a, um, it was like the, it was
Speaker:like the, one of those things where they have just company logos and it was like
Speaker:the cybersecurity landscape and there were like just hundreds of these logos up there
Speaker:of products and services that I could buy.
Speaker:And, and it would seem to me that what I need, I need two things.
Speaker:I need.
Speaker:Tools that work, right, that, that, that do the things that I need.
Speaker:And more importantly, I need somebody that knows how to use those tools.
Speaker:'cause it doesn't do any good if I buy this great.
Speaker:You know, uh, detection tool to find, you know, what's going on and, but I
Speaker:don't know how to configure it so that it works and I don't know what to do.
Speaker:And of course, one of the most common things is that I configured it such
Speaker:a way that I get a whole bunch of false positives and then very quickly
Speaker:it, it just ends up becoming ignored.
Speaker:Right.
Speaker:So I, I think that's where the, where the MSSP and obviously I'm, I'm, I'm
Speaker:teeing it up for you, but I, I. I don't know what else, what else would
Speaker:be right for, for a small organization or even a medium sized organization
Speaker:that has never done this before.
Speaker:No, I appreciate that.
Speaker:Uh, and, and you're right.
Speaker:Um, going back to kind of the initial comments of, uh, you know, just good
Speaker:visibility if you wanna do it yourself, make sure you have the fundamentals.
Speaker:Good antivirus, anti-malware.
Speaker:Um, that gives you consolidated, a consolidated view of all your assets.
Speaker:You know, you don't have to go to every computer and see if there's an infection.
Speaker:It needs to report up to a, a console that you can log into and, and get real
Speaker:updates and know where the problems are.
Speaker:Um, the, the other, the other gap, I mean, you, you managed, I mean, you
Speaker:mentioned needing someone that knows the technology and you know, an expert.
Speaker:To expand on that, it needs to be someone that's available 24 hours a day.
Speaker:'cause bad guys aren't gonna go, oh, you know, they're probably still
Speaker:at work working on the computer now is a good time to attack them.
Speaker:No, it's, it's when you're asleep and you're in middle of the
Speaker:night, uh, you know, Thur Thursday morning or Thursday after midnight
Speaker:is when they're gonna hit you.
Speaker:And, and because they also know that you're not gonna wanna,
Speaker:uh, be at work over the weekend.
Speaker:So they, for whatever reason, all right, they're, they're not gonna make it.
Speaker:Uh, uh, easy for you.
Speaker:Uh, and, and in a lot of cases, that's also because they're, they're
Speaker:overseas in a different time zone anyway, so the fundamentals are good.
Speaker:Endpoint protection, the, uh, good visibility across your environment.
Speaker:Um, good firewall, uh, cloud, uh, Office 365, Google, AWS, whatever
Speaker:you got, whatever's being used.
Speaker:Um.
Speaker:And then someone that, that you can call or someone that is looking
Speaker:at your stuff 24 hours a day.
Speaker:And there are some service providers where, you know, maybe you do have a
Speaker:staff during the day, uh, and so you just need nights and weekends and holidays.
Speaker:And so there are some providers like us that, that are flexible
Speaker:in that, in that regard.
Speaker:So that does help with, uh, cost and the economics.
Speaker:Um.
Speaker:But at the end of the day, absolutely, um, make friends with some experts,
Speaker:uh, that you can call for nothing else.
Speaker:Uh, if nothing else, just to ask questions.
Speaker:But ideally, uh, someone that can help you identify the right
Speaker:solutions, uh, to give you the right visibility and the right coverage.
Speaker:Uh, and again, I it's gotta be 24 hours a day.
Speaker:Yeah, so Mike, most of these organizations, right, they
Speaker:don't have unlimited budget.
Speaker:Right.
Speaker:Cost is always a concern in terms of priority.
Speaker:Right.
Speaker:I know you talked about endpoint, you talked about XDR,
Speaker:you talked about SIEM, right?
Speaker:You talked about all these things.
Speaker:If they're looking for sort of what is the first thing that they should
Speaker:go after and try to protect or detect ransomware on or malware on, what
Speaker:is, what is sort of like the most important thing in their environment
Speaker:that they should be concerned with?
Speaker:It depends.
Speaker:So you've really got back to understanding yourself before you
Speaker:can understand your, your enemy.
Speaker:'cause your enemy's gonna probably know you better than you.
Speaker:You do.
Speaker:In order to be successful, uh, you've really gotta understand your business.
Speaker:And so again, if your business is, uh, highly driven by your workforce and your
Speaker:workforce is out, you know, on the, on the, you know, they're road warriors or
Speaker:they're working from home, absolutely.
Speaker:Endpoint protection is a priority because they're prob, they
Speaker:probably have company data on that.
Speaker:Device or they're using that device to log into, you know, VPN or, or your cloud.
Speaker:And so if that device is compromised, then your, your
Speaker:production network, your production environment may be compromised also.
Speaker:But what if, what if you're, you're a data center and you don't have, all
Speaker:your endpoints are servers, right?
Speaker:Uh, and then so, but then there also.
Speaker:Co, uh, co-managed, they're, they're not yours.
Speaker:You, you own the hardware, but you don't own the, the, the, the virtual
Speaker:machines or, or, or what have you.
Speaker:So now your, your focus is your perimeter
Speaker:and your connectivity.
Speaker:Uh, so I think those are two extreme, you know, one, one end of the other.
Speaker:Uh, but truly understand your environment first, uh, and where you're.
Speaker:Your critical assets are, and your data and your use cases, uh, and what's
Speaker:most likely impacting your business.
Speaker:Uh, and then from that, uh, derive your priorities.
Speaker:And,
Speaker:Hmm
Speaker:and there are some, there are some organizations that fit smack dab
Speaker:in the middle, and you just have to have good hygiene across all of it.
Speaker:There's a lot of organizations that aren't real familiar, uh, or
Speaker:real accurate with all the things they need to protect anyway.
Speaker:Similar to backups.
Speaker:You know, I can, yeah, I can run back up.
Speaker:But I can only back up what I know about, uh, and ideally even, even more
Speaker:so to the next level, how important, how do I prioritize those backups?
Speaker:Security is the same.
Speaker:Uh, I can only secure what I know.
Speaker:And if, if there's stuff on the network and there's stuff in the cloud and
Speaker:there's people working from home that I don't know, then I can't protect that.
Speaker:And if I am gonna protect it, how do I protect it?
Speaker:You know that, that visibility part.
Speaker:How do I get the data from those things, those tools?
Speaker:To know if there's a problem and how to respond to it.
Speaker:Is it automated?
Speaker:Is it a person?
Speaker:Um, and then all of that is going to kind of bubble up to what are my options and
Speaker:what does it cost and what do I need?
Speaker:Is that, is that something I can do on my own?
Speaker:Is that, uh, opportunity to bring in a managed service provider?
Speaker:Um, and I think real quick on, on, on the, the cost, I think
Speaker:there's a big misconception that.
Speaker:Yeah, I'm a small company.
Speaker:I can't afford cybersecurity.
Speaker:Uh, that is a huge misconception.
Speaker:There are, there are a number of providers out there like us that, that
Speaker:are flexible and scalable and I mean, our, our smallest we have, we have
Speaker:clients that just have two employees and they work out of their garage.
Speaker:But they are, they've determined, uh, from an analysis of themselves that
Speaker:they, they are, they have a huge cyber risk and they need that protection.
Speaker:And so, uh, it, it can be affordable, um, if we know what we're protecting and,
Speaker:and what the, what the playbooks are.
Speaker:Well, hey Mike, it's been great talking to you again.
Speaker:And Prasanna, thanks for, thanks for, uh, being here as, as always.
Speaker:This was fun.
Speaker:And Mike, it's been great chatting.
Speaker:It's been a while.
Speaker:So glad to have you back on.
Speaker:For sure I missed you.
Speaker:Yeah.
Speaker:And, uh, thanks to the, uh, our listeners, uh, we'd be nothing without you.
Speaker:That is a wrap.
Speaker:The Backup Wrap-Up is written, recorded and produced by me, W. Curtis Preston.
Speaker:If you need backup or DR consulting, content generation or expert witness
Speaker:work, check out backupcentral.com.
Speaker:You can also find links to my O'Reilly books on the same website.
Speaker:Remember, this is an independent podcast and any opinions that you
Speaker:hear are those of the speaker.
Speaker:And not necessarily an employer.
Speaker:Thanks for listening.