This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Executive Interview: Maximizing Security with the Tools You Already Have with Frank Duff
Partnering with top technology providers, Carahsoft offers cutting-edge cloud services, cybersecurity, and data management solutions to help you optimize operations and secure patient data. With their extensive partner ecosystem, Carahsoft is dedicated to driving healthcare IT innovation and digital transformation.
Visit thisweekhealth.com/Carahsoft today and discover how Carahsoft can elevate your healthcare system's performance.
Speaker: I'm Drex DeFord, president of Cyber and Risk here at This Week Health and the 229 Project. Our mission is healthcare transformation powered by community. Welcome to this executive interview on the UnHack channel: real conversations about managing risk at the highest levels.
Let's dive in.
...tell me a little bit about
Frank Duff: Absolutely. And I think that all actually goes together, right? So my background: I came from MITRE, 18 years. The last half of it was all centered around the MITRE ATT&CK framework. I was working with ATT&CK since before it was called ATT&CK.
Drex DeFord: Yeah.
Frank Duff: So I was doing detection engineering and threat hunting.
We needed a way of communicating with the CTI team and with our executives who were sponsoring our research, and so we created the ATT&CK framework. As ATT&CK spun off, I became what I would call, more or less, a chief evangelist for ATT&CK, going off and engaging the vendor community and private industry on how to adopt it.
And then in that process I took over the ATT&CK Evaluations framework, so I got to see the red side: how to test, how to use it to test things. And so it's a very diverse background, especially the last half; it was all centered around ATT&CK. Amazing. And it was for that reason that I left to go start Tidal and become Chief Innovation Officer over here.
...innovation officer is at Tidal
And so there's a lot of just continual evolution of this, because the space continues to innovate. Absolutely. So we need to have a way of having designated thought processes around that.
Drex DeFord: Help me understand a little bit more about Tidal Cyber and what you do. Are you a reseller of products that people buy?
Are you an integrator of those products and services? Tell me, what do people need to know about the company?
Frank Duff: Absolutely. So Tidal is a platform company at the end of the day, right? And so think about us as trying to fuse your threat intelligence along with what we would call your defensive intelligence.
...utilizing your tools to the
So if you think about it, from my prior days working at MITRE, working with ATT&CK, I became very aware of what the community was doing, both from the vendor perspective as well as community research, all those analytic repositories and things like that. Yeah, so this is using all of that to its advantage so that we can connect the dots for people, so that they don't have to be an expert.
They don't have to go off and monitor InfoSec Twitter, or monitor all these GitHub repos, and go talk with all their vendors to understand what the mapping is. We'll do all of that and we'll connect the dots for them so that they can focus on: okay, am I actually, quote unquote, covered?
Or what could I do to improve my security posture? And so that's what the platform's really intended to do, and that's what we do.
...some of the capabilities of
Sometimes those tools overlap and they've chosen one capability over another as a part of that tool, and then the threat environment continues to evolve and change. And so, yeah, drawing the lines and helping them understand: here's where the bad guys can come in. This is something that's happening right now that you don't have a tool for, you don't have a process or the people, you're not defending yourself against this.
Pretty cool. And do you see that conversation a lot? Are there more gaps than we think?
Frank Duff: It is, and it's one of those things that was really interesting when we started the company. We generally wanted to go in this direction, but we quickly realized that there was this need for just a broker of information.
What I mean by that is we would deal with a lot of our prospective customers when we were validating the idea, and they were all saying: yeah, but my tools aren't protecting me. This tool isn't protecting me. Yeah. I buy all these best-of-breed things, but I'm still vulnerable.
Drex DeFord: Mm-hmm.
...we started engaging with the
Right? People think that... they're getting frustrated that they don't have everything that was in the ATT&CK Evaluations, that they don't get their hundred percent coverage. And it's like, well, you could have tuned it differently and gotten that greater coverage.
Right? And maybe a hundred percent doesn't make sense for this person, or all of the capabilities. That's fine, but at least let's make it transparent. So what we saw is that there's this need to just be that honest broker to say: vendors, what can you do? How do you do them? How does the customer know that they do them that way?
And then for the customers, making sure that they get that surfaced to them so that they can actually say: okay, I have turned these things on. This is the coverage I have, or these are the things that I could do, and maybe I'm intentionally not, but that's risk I'm assuming.
Drex DeFord: Yeah.
...st as it's that breakdown in
There just isn't that expertise, right? People don't have the ability to really speak that common language.
Drex DeFord: Mm-hmm.
Your experience with the ATT&CK framework, and then thinking about how sometimes vendors sell products to customers, customers don't use them well, and the vendor gets a bad reputation.
Even though the product is working perfectly, it's just not been, you know, they've not wrung it out. Yeah. That's a special kind of interesting sauce that you've created here, to be able to say: no, no, you need to turn up the fire on the back right burner. That's the problem right now.
It's not that the stove doesn't work, it's that you're not using it right.
Frank Duff: Yeah. And again, I think that goes to the configurability. And, right, vendors get punished if they set things overly secure and it suddenly makes a system inoperable. Right. I mean, I completely understand why vendors have to release that way and why.
...but at the same time, what
Drex DeFord: Yeah.
Frank Duff: Right. If you think about it in today's financial climate, right, people can't just go buy another tool. The cost to change your EDR is significant. Not to say that you shouldn't do it, or
anybody shouldn't from time to time, but there's just so much cost to change a security product. And you can't just keep buying and buying and buying.
Drex DeFord: Yeah. So
Frank Duff: how do we become more effective with the money we have? And if we just try to figure out, are we squeezing, we like to call them oranges, right?
Squeeze more juice out of the oranges. You could start out with the lemons, but that's too negative of a competition. But if we can do it with the oranges, right, squeeze more out of it. Make sure that you're using them to the fullest.
Drex DeFord: Well, what's the hottest issue right now? You talk to
customers all over the country. I travel all over the country. What do you think one of the hottest issues is, or a couple of the hottest issues right now in cybersecurity?
Frank Duff: I mean, I'll avoid the obvious ones like AI, because that is just a completely different subject, and we can go in if you really want to, but yeah,
...can do a whole hour show on
Frank Duff: Exactly. I would say the bigger thing with me really does come down to what I just mentioned in terms of the financial impact of everything.
Drex DeFord: Mm-hmm.
Frank Duff: Right. It's just a very constrained environment that everybody's working in. The threats are evolving faster than ever, probably because of AI and things like that.
Mm-hmm. There's a greater amount of intelligence out there, which on one hand is great, but on the other hand, it's just a lot
Drex DeFord: to
Frank Duff: deal with. Right. So how do you keep up with all of that, and how do you understand: okay, in my restricted budget that's not growing at the speed of everything else, how do I ensure that I'm still maintaining positive movement, that I'm still progressing?
And I think it's great that the MITRE ATT&CK framework in general is becoming, I mean, it's well known at this point. Mm-hmm. Right? It's not just the tippy top of the financial pyramid that understands it at this point. Right. We are even seeing a lot of forward progress in places like the retail sector, which historically has had a lot more limited capacity.
...and so
Drex DeFord: I think the ROI thing is a really important one too, because it's not just ROI when you buy a new product; you have to show the ROI. A big part of, I don't know, being a good steward of the dollars that I've been given for the products that I've already purchased is also showing your fellow executives how you're wringing the ROI out of the stuff that you've already purchased and installed, and how you're using it.
That ability to compare it to specific threats that the organization is up against, and how I'm using the tools that I already have to prevent that, sets them up to make a better case for anything new they might want to buy too.
Frank Duff: Absolutely. Because if you can make, what we like to do is communicate around risk, right?
...and so
We can talk about your threats, we can talk about your defenses, and now it's moving your needle, right? You can justify your investment. Not that... that other person may make complete sense with that other tool over there, but we are in this pile with these other tools. You know what? Now we can talk about: are we positioned effectively?
And that last procurement we had, it reduced our risk this much. Or we ripped that tool out; this is the risk that we're taking on. Mm-hmm. But now we've got this extra budget to make this other purchase, right? And so to be able to really have that as an informed decision, based off of an organization-by-organization level versus just a, hey,
...the last few years. Going away
Drex DeFord: Yeah, I like the way you're thinking about that. I've heard folks refer to that as security theater, right? The how-do-I-get-to-turn-everything-green, even though that might not really mean that I'm more secure. So this idea of actually building a custom benchmark for your own organization based on what you have and what you can do is probably a better
Frank Duff: yeah.
Drex DeFord: Communicator.
Frank Duff: Absolutely. Absolutely. I mean, if you think about it, it's a little bit, I think, ATT&CK suffered in some of the early days from that whole mindset of compliance. And not to say compliance is bad by any means, but people got very much into a checkbox mentality, right?
...ting ATT&CK similarly, it's a
But it's not really taking into effect all the hows and all of the specifics about how you're configured. And so I think that's really what advances it forward: getting people to think more about how they're going to continually evolve their defensive ecosystem alongside the threats, so that they can continue to outpace them.
'Cause it's not a static thing, right? It's not about a, hey, I'm going to do my checkbox once a year and be good. It's like, no, the threats are continuing to evolve. Defenses are continuing to evolve. We need to always make sure we stay abreast of how those changes impact us.
Drex DeFord: Yeah. Hey, listen, I think we could go on.
I mean, I could sit here and have a conversation with you for probably a couple hours about this, and maybe we will at another time. How do folks get ahold of you if they want to reach out and say hi and learn more about what you guys are doing?
Frank Duff: Absolutely. So you can definitely find me on LinkedIn.
But on X, you can always
Always love a good conversation.
Drex DeFord: Yeah. Thanks, Frank. I appreciate you being on. And hopefully our paths will cross soon on the road somewhere.
Frank Duff: Absolutely. Look forward to it.
Thanks for joining this executive interview on UnHack with me, Drex DeFord, here at This Week Health. We believe every healthcare leader needs a community to lean on and learn from. Build your network at thisweekhealth.com/subscribe and share this with a colleague, because together we're stronger.