Free Choice with Jason Mar-Tang
Jason Mar-Tang · September 5, 2023 · 1:02:41
Okay, so here we are. Adam, welcome again.
I'm glad to be back. I feel like you've been gone for about six months.
You know, that's really disturbing because I was on vacation for like a week, and the fact that it feels like six months to you is just getting really weird. But okay, whatever. But yeah, don't get too weird, because today we have a guest. We have yet another very interesting guest joining us, and he's going to be bringing us some insights from a very cool conference that neither you nor I went to. So, you know, we had to bring in someone from the outside to tell us what's going on. Also talk a bit about pen testing. So we have Jason Mar-Tang from Pentera. So Jay, how are you doing?
Hey guys, so happy to be here. Thank you so much for having me.
No, glad to have you too.
Yeah. Hanging out in the studio.
Yeah. You have a real studio. You got like the sound deadening stuff on the side. And before this, Jay was all setting it up. I'm like, God, I'm embarrassed here. You know, we got the cool mics. That's about it.
You know, I have a real studio. Also. I have a bathroom right here. I got a bedroom. I got a bed. That's what studios have.
I mean, you know, you can't tell on video, and your listeners can't hear if they're just listening, but I'm a small guy, so I have a very loud mouth. So I got to make sure that the sound doesn't leave this room and there's not a lot of echo. So that's why I have it set up this way. You can appreciate it. I'm from Staten Island.
That's right, man. Thank God. Another Staten Islander. I thought I wasn't born in Staten Island. I know you were, but. Whatever.
Born and raised, man. Born and raised.
I give you so much props. And I know there was a previous discussion about wild turkeys, but since you've left, we've gotten foxes and... Oh, really? Yeah, there's foxes walking around.
You gotta avoid the deer, too, because they mess up your car, man.
Those deer have it. Well, now I saw on one of these apps where people were discussing which is more vicious, a Staten Island deer versus a Staten Island turkey. So we might have to do an after hours podcast and put them together.
We should totally do that. No, no, no, that would be really illegal. We can't have like, you know, underground animal fights on this show. That's that's not what this is about. Come on.
Well, I might maybe I'll have somebody animate it. Is that okay?
Animated, I guess, is okay. Yeah, if it's fake, that's okay, you know. But yeah, so, you know, I don't know if... I mean, actually, I've been wanting to talk to a true Staten Islander about this, because Adam, like, you know, calls me five, six times a day, at least, and sometimes it just starts off with, hey, Joe, I saw another turkey, or I saw this. It's like I'm getting the report from the zoo or from, like, you know, the field or something. Is there really that much wildlife creeping around Staten Island? I mean, come on.
There really is, because there's a lot of woods. There's something called the Greenbelt, and basically, they can't touch any wildlife that's there. So you'll just see like random greenery, right? But deer hang out there. Apparently there's foxes, but the turkeys, I don't know how the turkeys got there. Cause that's, yeah.
The deer came here from Staten Island. They swam over. I mean, sorry, from New Jersey. They were like, oh my God, New Jersey sucks. Let's go to Staten Island.
No, they left because they weren't tough enough for New Jersey. I'll tell you that much. They had to get out. That's the thing.
Believe me, I live on the West Coast now. No one knows the difference between the two.
They all, they group us all together.
They really do out here, I'm telling you. As soon as they open my mouth, they go, you're not from here. I go, no.
So. Well, I was, I was just out of the country. I actually went to Europe for the, you know, on vacation while you were having fun at Black Hat. And, you know, people say, where are you from? I got to say New York, because if you say New Jersey, you just get this blank look. I'm like, I really don't feel like explaining this and not my native language, especially.
Yeah, and I don't know if they appreciate the accents that, for example, Adam and I have out in Europe, but they definitely do out here, especially, like I said, California, Vegas too. And Vegas, you know, at conferences like Black Hat, I'm sure we'll get into it momentarily, like, it really is a congregation of so many different people from all over the place, including all over the world, which is pretty wild.
No, I was gonna say, including three or four different attacking nation states, such as North Korea and, you know, like, They know who you are right away, but yeah. Well, you don't know. There's a lot of... Go ahead, Joe.
Well, my first job, I worked down in D.C. I was working for the government. Worked with a bunch of people, mostly from that area, a couple other parts of the country. And back then I had a real, like, you know, Joisey accent, even more so than now. And so one of the guys I'm working with, he takes his girlfriend up to New York, like for the weekend or something. And he comes back and he goes, Joe, I discovered the most amazing thing. I go, what? He goes, everyone up there talks like you.
I'm like, well, no kidding. I'm not a beauty fan, you know?
Guys clearly never been to Boston.
Oh, speaking of that, I went to the UK with Doug. You don't know Doug, Jay, but Joe and I worked with a gentleman named Doug, and previous to this organization, I traveled with Doug around the country and around the world. And I went to the UK and I had an Irish woman in England, in the UK, making fun of me saying "water, water," as if I was in Boston. I kind of told her to step outside, but I realized if we did, she was gonna kick my ass. So I didn't do it.
Exactly, you were the lost man. I'm glad you stayed safe.
And one other thing, we got stopped in Luxembourg. We were in Luxembourg and we got surrounded by about eight Germans who heard my accent and they said, where are you from? I thought we were gonna get our asses kicked. And Joe knows this story. And they said, where are you from? I said, United States. They said, where in the United States? I said, New York. They said, where in New York? I said, Brooklyn. I literally thought they would've hit me. They came over and hugged me and said, what's up Tony Soprano?
Oh God. Oh, that's some. I am triggered. They think Tony Soprano is from Brooklyn. And you didn't correct them and say Tony Soprano is a Jersey guy. Joe, come on, Joe.
Whatever. I think we should start transitioning to Black Hat because there might be a little bit.
I might want to actually talk about security. You know, there was a very interesting event last week. One of the biggest, you know, trade shows, or pair of trade shows, or whatever we want to call this whole enterprise out in Vegas, maybe last week, and Adam and I weren't there, but Jay, you were. So yeah, so...
What's going on out there? Yeah, yeah, yeah. So I would say there are actually two separate events that bleed over into one giant event. So the first is Black Hat. So for anybody listening, right, "black hat" is typically what is used to refer to different types of hackers, right? You have black hat hackers, you have white hat hackers, and then gray hats, right, where black hats are typically doing more malicious things. White hats are more ethical, and gray is somewhere in the middle, right? You can think of it as Jedi, Sith, or whichever. But the conference is called Black Hat, and it is really a congregation of almost everybody in the professional security world, and sometimes the non-professional world too. But it is an event that you have to go and actually buy tickets for or get sponsored for. I work for a company, Pentera, so we had a giant booth there. And it's a trade show, right? If you've ever been to something like Comic-Con, you could think of it as Comic-Con for cybersecurity, and in the same way Comic-Con has sessions related to shows or fandoms, Black Hat has sessions related to cybersecurity topics. So, for example, one of my leads here at the company had a speaking session that was called Deadly Defaults, which is essentially leaving defaults with technology the way it is. Why is that bad? What's the risk that is inherent in doing that? So Black Hat is, like I said, a congregation of all different companies, different people, and there's a lot of parties. And of course you're in Vegas, right? So there's already a buzz in the city and people are there to hang out, and there's parties. And after Black Hat ends, it stems directly into DEF CON. DEF CON is the second part of the week, the end of the week, but it is actually a separate event. So some people just go to DEF CON just to go to DEF CON.
And what's different about DEF CON is that it's, how do I say this? It's not as company focused or technology focused. It's more...
Grassroot, right?
Yeah. Like really the bits and bytes of what's happening. Like, you want to learn, or you want to really get into specific hacking topics, that's where you go. You go to DEF CON, and DEF CON is where you'll find a ton of weird stuff, and there could be things there that you need to be careful of, right? So the joke is you go to DEF CON, turn your phone off, just turn it off. Don't even have it on. Yeah, just don't have it on. I saw one picture. Someone went into a bathroom and there were just phones sitting on the urinal. Don't ask me why, I'm not sure what was going on there, but that was literally something. And there's stuff like lock picking, there's a whole bunch of stuff, so.
That immediately makes me think someone maybe wasn't hacking, but like they had some kind of pool going of like, you know, how many people will pick up, will be dumb enough to pick up the phone and try to use it or do something, you know?
Yeah. It's really... the two are... it's a good one, man. And if, oh my gosh, you know what I mean? If you do both, you're spending potentially nine, ten days in Vegas, which I don't know about you guys, but even after two, three days, I'm like, oh, I need to get out of here.
Yeah. I've heard it's exhausting. And I've seen this stuff on LinkedIn, you know, everyone's posting the whole thing and it's great and all this stuff, but they're like, I'm exhausted. And they try to get out and do some other event, you know, to be cool, because they're out there in the desert or they're doing whatever. And they're like, I'm even more exhausted now.
It's a long week. I mean, but it's good. I mean, if you're fortunate enough to work for a company that will sponsor you to go, it's excellent, because you can definitely get some nice training in. If you have industry level certifications, you can get CPEs, right? So, credits to renew certifications. And it's a great way to just network. I mean, working for a vendor, working for a company, being in the industry for about 13 years, it's always a lot of fun, because everybody's together, even people from overseas. So literally, you're walking in the halls of Mandalay Bay and someone will be like, Jay! And you haven't seen this person since the last Black Hat. It's like, oh, how's everything going? What have you been up to? Oh, you know, this, that and the other thing. And it's just really fun. So it's equally as fun for actual practitioners as it is for those of us on the vendor side.
So Jay, nobody's ever gotten arrested at Black Hat, but they've gotten arrested at DEF CON. Think about that.
Uh, well, it depends. It depends on how much fun you have.
So if you get arrested, what I mean by that is, when I met one of our previous guests, Chris Roberts, he was in SkyTalks, and I was laughing because at a subsequent SkyTalk, they arrested somebody coming back that they were looking for, had a warrant for his arrest for doing some unethical things. But typically I know the FBI goes there and they're looking for some of the people, whether it's a foreign nation state threat actor that's gotten into the country somehow, that's going to these talks, or if it's somebody who has done something controversial or exercised some vulnerability or, for lack of a better term, zero day, where they used that exploit and proved it online. So people have gotten arrested. I'm not saying it's like partying and drinking or drunk driving, but they were known for an exploit and that's where they got them. It's happened at least three or four times in the last 10 years, I think.
Well, there's that, but I'm sure it's still Vegas and it's still a trade show. I'm sure there are still a non-zero number of attendees in the regular drunk tank.
Well, that's true too, but one of the games at DEF CON is identify the Fed.
Yes. Do they still do that? Yeah. Oh yeah.
Oh yeah. I mean, luckily I don't have the shaved head anymore, but when I did in my younger years, people would ask, oh, are you in the army? And I'm like, no. I mean, now I've grown it out. I have a quiff now, right? Type of thing. But no, it's definitely something. Oh, thank you. It takes a lot of product, man. It takes a lot of product.
Yeah, me too. I guess I look like the Fed.
Yeah. Forget it. Especially, you know... but to be fair, right, and there's nothing wrong with it, shout out to anybody who's serving the government, in our military, whichever, but you could definitely tell, because they have a presence at Black Hat too. Now, like he said, they're there, which is interesting because they weren't in the past, but now they are. And I think they're either looking for talent, or they're just looking to state what they're actually doing, which is, you know, this is what's so crazy about our industry that no one really understands: there's a battleground going on 24/7. So when people ask what I do, I go, this is where it's at now. I mean, the next big war... you know, obviously there's hot wars in Ukraine, everything that's going on, but there are things happening day in and day out that the general public is not even aware of. Whether it's North Korea, China or Russia or whatever, it's ongoing. And there's a lot of work being done by our military and service people to help mitigate some of that as well. So I think it is pretty cool that they're there and they have a presence at the shows.
Yeah, there were some discussions, I think, before I went on vacation, which I guess was two weeks ago, about supposedly the Chinese having infiltrated a lot of critical infrastructure, water, power, whatever, probably not to disrupt it, but maybe in case they wanted to, that they were in there. And yeah, that's a scary thought. I kind of assume we're doing the same thing too, that we're in a lot of places in case it ends up we need it, something starts happening.
I wrote a paper on that for my masters, and it's all about ethical warfare. And basically the idea here is, how far is a country willing to go? And in a way, you know, cyber warfare was kind of like the idea behind chemical warfare. You know, chemical warfare does not destroy infrastructure, keeps infrastructure in place. However, you can wipe out people and still win while keeping the infrastructure in place. And with ethical warfare, are you willing to blow up a nuclear power plant, or are you looking just to turn the power off, and then there's a cascading effect, or are you looking to open up a dam? So how far are you willing to go to take it to that next level? And that's what's scary, because I think every major cybersecurity power in the world has logic bombs in other organizations, either private or public infrastructure, that they'll utilize if they have to in a time of war.
Yeah, it's hard to say, and it's very scary. And I think the challenge that we as Americans, right, as an American-based podcast, face is that, you know, the government doesn't mandate anything, right? We have standards like NIST and that sort of thing, where we highly encourage best practices, but at the moment, we're not saying do X, Y, Z. And being in the consultant world now for 13 years, I've seen all different types of environments. Everyone has different types of controls. Some are more locked down than others. And it's challenging. Cybersecurity in general is a challenge. It's a challenge to get funding. It's a challenge to just develop a program, because it's not black and white. There's a lot of gray. There's a lot of implications that come along when you're trying to secure your environment and how it affects your business. And this all goes to what you were saying, Adam, where, yeah, I mean, it's tough, because if you have those logic bombs or anything, how are you going to affect people and businesses and that sort of thing? And I would agree with you. It's hard to say what's out there, because no one really knows, unless you're in the governments. But I would tend to agree, and I would hope that it wouldn't be too terrible on either side, because who wants to affect civilians, or the lives of everyday people like you and I? But I think it could definitely happen.
Yeah, well, we have these powerful capabilities, and you gotta hope that if they're used, they're used somewhat judiciously and with a degree of restraint. But then again, you know, I went and saw Oppenheimer and had to go on a three-day bender after that, just like, you know, it shows what people will do. It's scary stuff, potentially. And I think you're right. We haven't really seen it yet. No.
Cyber warfare is almost like a drone attack or something like that. You're far removed from the actual physical presence of being there. It's a kinetic attack versus a cyber attack. Kinetic, you're in there. You're feeling that pain. You're actually using your weapons. You're seeing the results of your attack. Cyber attack, you're sitting behind a keyboard in a building that's probably air conditioned or heated, and you're committing that attack without seeing the effects of it so much physically in front of you. And that's what gives some people the capability to carry out such attacks. In a way, I kind of support a cyber attack. In a way, I don't, right? A cyber attack might be able to squash something that might become bigger and more ominous or deadly. But at the same time, somebody with that weapon in their hands, that cyber attack, can cause damage that would not be able to be fixed for many years to come. Can you imagine shutting down an electrical grid that doesn't come up for maybe six to eight months? You get sanitation issues, you get famine, you get all that, which is why Black Hat and DEF CON also bring that sometimes to the forefront. There's conversations about that. And you were talking about deadly defaults. If you have some kind of, you know, internet device that has a deadly default, and you move laterally from that device because it was a default on it, not knowing it, that was facing the public. And then you can get all the way inside, move laterally. You can do some really bad damage. Sorry for that rant.
No, it's not a rant. I think everything you're saying is correct. I agree with you. And it brings up a topic that I'm very closely related to in my day to day profession, which is understanding how attacks can happen and what exactly you are vulnerable to. And it's a challenge, because when you go to these conferences, you go to Black Hat, you go to DEF CON, you're surrounded by really smart people. And if you're fortunate enough to have the funds and the talent to have an offensive security program... And I think it's important to distinguish the difference between offensive and defensive, right? Red teaming and blue teaming. When typically we talk about security, for the longest time the cool stuff is red teaming, talking about cyber attacks and that sort of thing. But in reality, the day-to-day profession of many security professionals is trying to protect what's critical. And that criticality is gonna depend on, of course, your line of business, right? If you're in healthcare, it's gonna be protected health information. If you're in retail, it's probably going to be credit cards, or if you're in critical infrastructure, it's going to be the infrastructure itself. But how do you really know what you're susceptible to, right? Cause you're talking about, oh, how do I move laterally? How do you know not only what you're susceptible to, but how quickly are you going to find a malicious actor inside your environment? And that's a challenge that is not easily answered. And again, I'm fortunate enough in my profession to try and help individuals and organizations do that.
Yeah, well, that's super important because, you know, one of the things that we focus on is defense. We're really primarily defenders. And, you know, as you're saying, Jay, even if you're using tools to test your defenses, unless you're a bad guy, those offensive tools are in the service of building your defense. And yeah, you know, getting some insight into just how well you're doing is so important, because in particular, you know, it used to be, back years ago, I think before you even got into the game. I got as much hair as you, but it's a lot grayer. We used to think that we could stop all or most attacks. We gave up on that maybe, I don't know, 15 years or so ago when a lot of things happened, or before then, realistically. But that's when it really hit home. But the game today is very much knowing, with your defenses, how can we slow people down? How can we trick them, even trip them up and try to get them to make mistakes or expose themselves, you know, to tempt them to do something that's going to make them more detectable. Because if we can't stop them, we need to at least slow them down and detect them as fast as we can. Because a lot of people think something like ransomware is boom, you get it and it's done. It's not like that at all. These things take time to develop. That's the opportunity to catch it.
It's such a cat and mouse game. I've been fortunate enough to work with incident responders and with different technologies in my career. And there's been times where you might find a threat actor inside your environment. And then we go, all right, wait, do we wanna cut them off right now? Or do we wanna observe what they're doing? Because they might be disclosing more or other indicators of compromise that will help later on. And it's a hard call, because now you've... I mean, I don't know. Have you guys ever been part of a breach yourselves?
I have not been part of it. If you can disclose, I don't know.
You may not be able to disclose.
Okay. I haven't, but I know what you're saying, and I can tell you that, well, it's also relevant if you have a big breach, because I personally have always worked in very sensitive organizations that have said, if you find something, stop it. They go, you know, we're not doing research here. We understand that there may be some valuable things, but, you know, stop it and clean it up. And you're right that sometimes doing that a little bit too aggressively, you not only lose an opportunity to learn and do a bit of research, but you also may not see some of the other things that they're up to, that they're not going to reveal, that maybe they have some other ways and maybe they've compromised some other things, et cetera. So yeah, it's a super tough call sometimes, but fortunately or unfortunately, in a lot of places, you know, the business will say, stop it now. Got to cut it off.
So second rant, right. You know, part of any of these breaches or tabletop exercises is you start going through that whole entire plan. Oh, wait, I can't make that call. Do we need to bring the external attorneys in to have that conversation? What's the disclosure? What is the disclosure? When we observe them, and when we found them, or when we cut them off? And it gets to be a whole bunch of legal discussions and C-level discussions and then third party discussions and, oh, okay. We think that was a breach, but we're not 100% sure. We saw data exfiltrate. Was there a threat actor in there? Was there a threat actor not in there? So one of the things that we had with David, who was one of our previous guests, who was an incident responder, we talked about the health and the mental state of any incident responder and what they have to deal with. So I realize it's very exhausting, but the question is, do I do a knee jerk reaction and pull that cable out? Do I isolate the machine? Are there more machines? So there really is never a right answer. It's what you think is the best correct answer, because you're never gonna know whether or not you really did do the right thing. You might've stopped the bleeding, but I've heard of stories where six months later, that incident, that threat actor, came back to life. He already had a backdoor, she had a backdoor, or whoever it was. You don't know.
100%, right? And I completely agree, right? And I think that's what it is. It's me sympathizing and empathizing with anybody in that line of work. It's easy for me. I'm a vendor, right? And I'm not downplaying my role here in the security industry, but what I'm saying is that it's very challenging. I know it's challenging to run an organization and try and protect assets and understand risk. It's not black and white, like you said, Adam, right? There's a lot going on, but to that effect, right, and even in my own personal life, I try and follow the maxim that an ounce of prevention is worth a pound of cure. So what I try to evangelize now is, we should understand, like, even the things you mentioned, right, these are all valid topics. Maybe we should talk about it, because if we move forward with the assumption that we're gonna be breached at some point, we should have an understanding of what we're going to be doing in the time of a disaster. And that disaster, of course, if you're out here in LA, it could be earthquake, fire, or whatever. If you're in the Midwest, it could be tornadoes. If you're in the Northeast, it could be hurricanes, not really snow as much, but the point is, right, in those included disasters, ransomware should be one of them. And if we're trying to mitigate risk and we're trying to understand how we're gonna respond, it would be really great if we could get some initiative to try and run this risk profiling as if this were real. And penetration testing, tabletop exercises, that all is a part of that.
Well, what's really challenging is, you know, the idea of, and we have spoken about this in the past on the show, is that you can do the tabletops, you can have your plans, you can have all these things, and you can say like, well, in this case, this type of thing, we're going to want to observe things, maybe let it play out a little bit, try to get a better feel for what's going on, ascertain just how serious it is. You know, the problem, though, is that in an incident very often, for lack of a better term, people start freaking out and everything changes.
Oh, no, of course.
Yeah, yeah. And ransomware really did that. People may not realize it, but incident response, believe it or not, before ransomware, used to be a lot more relaxed. It actually took, in many cases, would take a lot of time. You'd investigate. There was nothing immediate, but ransomware and, back maybe 10, 15 years ago, the APTs and everything, you know, injected the element of time into it, where we need to act very, very quickly. And that really changed everything and made that whole thing, you know, difficult. And you're right. You not only have to make tough calls, you have to make them very quickly, and these sorts of things.
But there's so many more tools now than there were before. Like, and let me tell you, like, you know, this jar, right, in a really good offensive, defensive cybersecurity program for an organization, it's in the millions of dollars, right? You need micro segmentation. You need, you know, EDR. You need enhanced SIEM or XDR or MXDR. You need so many tools, with so many levels of deception technology. If you have all that, you will mitigate the risk, but you'll never stop the risk. It always goes down to that education, the social engineering issue. And for those who do or don't like Kevin Mitnick, God rest his soul, sorry, you know, he was still a name in the business, whether people liked him or didn't like him, but, you know, a good social engineer can destroy a multimillion dollar security program and get right in there, and get them to give up everything, and you're right in. So you really have to have those multiple levels of security.
Yeah. The layers, I completely agree, right? Because I think that is the name of the game. Risk is never zero. You can try and mitigate as much as you can. And you do that, right, by having all these different layers. What I'm advocating now with all of my clients and customers, or anybody that I speak to, is, if you can get the funding and build the layers, great. But you have to test them, because having them there, it's like, well, what happens then? How do we know they're working, right? Here's a great example of what just happened within the last two or three days. So I'm really paranoid and I have, like, LifeLock. So I monitor identity. I opened up a new card, a new credit card, because I travel a lot and I wanted some of the benefits and perks, and I got a notification: "Hey, did you open up an account?" And I was like, this is good. I'm paying for a service or whatever to monitor my identity. At least I know that it's working. This is excellent. And I said, wow, this is such a good example of validation and why validation is so critical, because I don't want to be paying for something or doing something if I don't know it's working as it should be. And we're talking about all these different layers. We want to make sure that, all right, is layer one going to work? Okay. If I get past layer one, is layer two going to work? If I get past that, is layer three going to work? And not only are they going to work, but are we going to see responses and escalation and processes as well? Follow what we expect to happen, or, God forbid, it hits the fan, are we going to be running around? And of course, like I said, this goes back to what I was saying. I completely empathize and sympathize with anybody who's a defender, because it's not easy when something happens. You're in the "oh crap" moment. And there's emotions, and time is of the essence, and you know, you're not going to be thinking logically, but...
Having drilled it enough, hopefully you're in a better place than if you were, that if you never tested or you never validated, at least you say, well, we've done X, Y, Z. You're as prepared as you can be in that type of an attack or that type of an incident.
I think you're talking about two things there. The first is, you know, preparing the team, doing drills, getting ready, how to do it, which you got to do. You got to do red team, purple team exercises, that kind of thing. That's important. Very important. And the tabletops and all. But you know, the other thing you mentioned is something that's become a big challenge lately, which is making sure that everything is happening, that, you know, validating that the systems are working, that everything's being monitored. And you know, in enterprise environments, people may not appreciate it, but they're, they're complicated. And there's a lot of moving parts, and making sure that everything is being covered and you're getting all the data and all the security mechanisms are working is very hard. Especially now that, you know, people may or may not be aware that in security there are so many products and so many vendors and so many things, just keeping track of them and managing them and making sure that they're all working the way they're supposed to. And they're still not perfect then. It's a tremendous, tremendous, tremendous challenge that we have to deal with in the so-called real world of securing things.
So when I was leaving my last employer and I was looking for another job, and I was being interviewed, I probably got myself out of three or four different jobs because the interviewers were asking me, well, what do you do for this? What do you do for that? And I'm like, the only way any program is successful is if you implement the controls in reverse or the backups in reverse and go through the whole process. And what I mean by that is you can't just start testing one component of your plan and each one separately. You literally have to restore large amounts of data to make sure it works. And I said, you have to go through a whole disaster recovery or business continuity process. And that can take three or four days and everybody on hand. If you don't do it, it does not work. I don't care what you tell me.
I agree.
Nobody wanted to hear that.
The problem is how realistic it is. I mean, I haven't done BCP for a while, but back when disaster recovery kind of first came out, I remember working for like a big bank or an insurance company: like, this weekend we're doing a full DR cutover of everything. Playing like, you know, the data center got taken out and we're going to bring everything up and do it here. The banks have to do it, but it's tremendously expensive in time. And it not only costs, it not only costs money, but people have to, you know, all your people have to spend the time doing it instead of.
Absolutely.
Well, it's a big commitment.
But it's even more expensive when the incident or issue happens and the ransomware takes effect and you can't restore it. And this is how I look at it. All rise, somebody walks into the court, they go into the litigation. Did you do this? Did you do that? Would a like-minded person do the same thing? And when you get sued for tens of millions or hundreds of millions of dollars, your organization, of course you lost all those people's data and you have to pay for all their credit checks and everything else, it gets to be prohibitively expensive when you get to that point. So risk versus reward, right? We know that, Joe, right? Risk versus reward.
Yeah. Well, it depends on the business and you hit it there. This again, we brought up before is risk management. How much do you do? What's going to be sufficient? No matter how much money you have, you can't do everything. So let's
It's, it's, it is, it's challenging, but you need to, and that's what I've, I've noticed a paradigm shift. Again, I've been in the industry 13 years, where when I first entered the industry, talking about this was exponentially, I would say, harder, where the boards, they, not that they didn't care, but they were more laissez-faire about security. And don't get me wrong, we still have to do a lot of evangelizing and budgets are very tight and that sort of thing, but it is better than when I started.
Well, I would suggest to you that, you know, people, you know, we used to say they don't care about anything. Now they're doing it for a little while. They did not understand the risks back then. Now it's not perfect, but, you know, executives, board members are much more aware of the risk. Actually, even if they don't understand it, they know there's something bad there, at least, that they have to deal with.
So I hope I never have to look for another job, and I hope where I am now I have a job, because I'm sure if anybody listens to these podcasts they're like, man, we don't want Adam. But when, when you're involved in a program like this, the only reason why major companies, medium to large companies, put compensating controls in place is because their clients forced them in order to do business. A lot of the other ones are checkboxes, and the smaller companies, and this might not be a popular statement, a lot of the smaller companies, like Sal we spoke to about Chaos Jim, Joe, they do not have the money to put in programs. Most companies that are like three to five to seven to ten people can't even afford EDR. So having the antivirus is good, but EDR is hard.
Well, remember too, Sal was the gym owner we had. We talked about small business security. My friend, yeah. He was worried about certain security. He was worried about credit card fraud, but at the same time, the existential risks to his business were more like a Staten Island deer getting in his gym and trashing the place.
How'd you know that happened?
Or someone having a slip and fall or an injury.
You're 100% right. You're 100% right. But when you're, when you're the small insurance company, I don't even want to mention where I was. I saw a company that was breached. It was a company that was doing insurance. It was a small brokerage company, like, you know, like 10, 15 people. And I told the guy I worked for, that we did the managed services for, I'm like, they've been breached. No, they haven't. I go, yeah, they have. No, they haven't. I go, yeah, they have. He goes, no, they haven't. Leave it alone. I'm like, oh. So my point I'm making is that when you start getting to where you're doing other people's data and you have access to PII, then you need to get to that point. Now, I know PII is not really big in the gym, but... What's PII? You know, you say PII.
Personally Identifiable Information.
I'm not saying anymore. I'm not that smart. Remember the audience, Adam. The audience knows. Sorry. I'm sorry if you don't know. I apologize. I was afraid I was gonna get it wrong.
But um, but seriously, I didn't realize that that was not supposed to be a hard quiz.
No, I know. I know. I blanked out. I was afraid. And we got Jay here. I don't want to look bad in front of Jay. But in all seriousness, the point I'm making is that there's a certain level of responsibility when you get to a certain point where you're handling people's, if you're a doctor's office, let's be honest, right? Doctor's offices, some of them are not big these days. They're like two, three, four people. It's the wife in the front or the husband in the front and the wife in the back doing the stuff. And they have physical folders, even though they're supposed to be doing EMR, electronic medical records, and people still have film and they are transferring it in. How do you protect against that? How much money do you have? Doctors don't make the money they used to make. And some of them have half a million, billion dollar insurance policies they have to pay for. They're doing OB-GYN and other stuff. So it's really hard. It's not like what it used to be where, you know, you can have a clipboard on top of the counter, have the paper, they're filling it out and then you have to put it in the folder.
I think the challenge is that most people, we're security professionals, so it always boils down to risk. But if you're a regular person, a doctor or even a retail, right? You're in retail, let's just say you're selling, I don't know, let's go with the gym analogy, because I love the gym. You're selling barbells, you're selling weights, right? Okay. And I'm setting up an online store and I'm doing great. At some point, right, I should have a vested interest in my business to say, if I lose the ability to sell weights, or I lose the ability to process credit card information, that could spell certain doom for my business. And, but I don't, I think that it's, most people don't even think that it could happen to them. 'Cause when you hear the large scale breaches, you think these large companies, but I've known even like local businesses out here through friends who got hit with ransomware, and they didn't have to pay like 80 Bitcoin, but they still had to pay tens of thousands of dollars. That's still tens of thousands of dollars that someone somewhere overseas is going to get in their pocket. And it can happen, it can happen to anybody. And I don't think that enough people, people think that cybersecurity again is, it's not gonna affect them even though they don't run this big business. But to your point, Adam, I think it can affect anybody. And I try and make people aware as often as I can. I go, hey, do you have multi-factor on your Gmail or on your email? And they go, what's that? And I go, oh boy. I'm like, are you only using passwords to get in your email? Yeah. OK, you know, you could turn on a token so that someone, even if your password's, no, a lot of people just, they don't know. Right. And it's just ignorance. And it's not, I'm not saying, I'm not faulting people, but no one does commercials online or on the radio or anybody on TV saying, hey, by the way, turn on multifactor. Like I think it's professionals.
Podcasts like this are very important because it brings forth even these little issues that can go a long way to protect people and regular, what I call civilians, people not in the cybersecurity industry, right? Protect their everyday information, right? It can go a very long way.
Two things to add to that, right? You know, like you saw those commercials online about smoking and the person can't breathe, stop smoking. Otherwise, you might not be able, you'll have COPD or CHF, you know?
Yeah.
But can you imagine that? If you didn't turn on your multi-factor authentication, your data could be all over the internet. And then you see some guy walking around, you know, with a bikini that he bought with your credit card. But the second part is the gym information. Yeah, I know. Not that there's anything wrong with a man in a bikini, of course, but anyway. I'll send you my picture later, Joe. So the second thing is... The gyms, so forget about barbells. What gyms are doing these days is gyms have got more boutique. What they do is they have you stand on something and they take pictures of you. And they have your chest size and your thighs and how many inches you have. And they see whether or not you lost weight, you have muscle mass. They have a lot of really specific details about you, whether it's your height, your weight, chest size, you know, pants size. They have it all because they want to detect, did you gain muscle mass? Did you lose muscle mass? And I see that you go to the gym. I know you work out. So you want to stay in there. Joe hasn't been to the gym in 35 years, but he does run. So he calls that working out, but meanwhile, he's in better shape than me. And I have a, I have a belly. Um, but the point I'm making is seriously, you're the one who's always working out, but anyway, you're right. So, so the point I'm making is PII is very different these days. What, you know, it wasn't that you can walk into, yes, we have Rite Aids and we have CVSs, but we still have a lot of mom and pop pharmacies that literally are putting the stickers on the things themselves. And have the data for the, even though they use a computer to get the information from the doctors, there's still a lot of non-organized ways of privacy for smaller business owners. It's just too hard.
Yeah. And what's, what's interesting too, I think, though, is that it's hard for small business owners, and it's even hard for large organizations. I mean, let's be honest. One of the reasons we keep having these breaches and all is that security is not easy, and it's expensive. It's expensive for the big corporations. You guys, you're doing great. No, but the products are expensive because they are, you know, they're complicated. The people are expensive because this is difficult work. You need smart, highly trained people to do it. And, you know, forget about them being available to small businesses or smaller enterprises. They're very difficult for the larger ones too.
Jay, let me, let me put you on the spot for one quick second. Let me, let me call you out. I'm sorry. So Jay, if you had to take a lucky guess, I don't want you to give like, you know, do you think that most breaches these days are happening because of user error or defaults or things like that, or do you think they're complicated and more sophisticated? Your guess.
No, I think, I think, I think most of them are, are because of misconfigurations and just lack of hygiene. Don't get me wrong. There's a small percentage that, you know, if you're, you will be targeted if you have a, you're in a very specific industry and you, you know, a nation state's trying to get your whatever, right? Supply chain or something. But I think most breaches are preventable. A good portion of them.
And look, Joe makes fun of me. I still use LastPass. I've changed everything, but look what happened with LastPass.
You were owned years ago, anyway.
So look at LastPass. What was their last big issue? What happened there? It was a configuration issue. Somebody made a mistake, got an email, was on the security team and made a mistake. Now, I don't know the whole story because I never went into complete details, but I wonder how that person feels. I'm not calling the person out for being bad. They might've made a mistake. I don't know, but it's usually a social engineering or default issue or something that you did that could have been prevented. And it's a shame because those are always going to happen from now to eternity. Till the day I die, it's always going to happen.
Yeah, because we're humans. That's the thing. There's people behind the technology. People are the perimeter. That's the biggest challenge in any organization, the individuals. And it's easy to say, oh, well, whatever. Like, it doesn't matter. Right. I'm one person. But when you have a collective of people saying, it doesn't matter what I do, my choice, you have a bigger problem, right? And it's refreshing every now and then to see organizations that are very security-minded. They might have posters up or whichever, and they do that user education, because I think it does go a long way. And when you make it personal, like I used to work with DLP technology, DLP standing for data loss prevention, right? And what I used to love is that there were ways, gotcha, there were ways to educate folks. Like if they're trying to send sensitive information out over an email or put it on a thumb drive or send it to a website, a pop-up would happen and say, hey, by the way, you're out of policy. And there would be some education that could happen. And it makes people go, oh, right. And, but also at the same time, it's like, all right, I won't do this again. And you've done some education there, right? That can go, like I said, a very long way.
So I'm not going to tell you where I was, but I did participate as the person managing a DLP solution. And I had people calling me that were the end users saying, how come this DLP doesn't work correctly? How come it doesn't identify that I'm sending an email to my personal email? It should know that it's legitimate. And I'm like, just the opposite. You should not be sending personal emails from your work email. And what you're doing is you're normalizing it. And that's when it really knows that it shouldn't be done. Well, it should know at this point, if I've sent five or 10 emails, it's okay. Yeah, good idea. And if I told you the profession, which I'm not going to tell you, you would say, what the...
They're supposed to be smart. I've seen the gamut. And I think it goes back to what we were saying. It's not easy. You need executive buy-in from business leaders to acquire funding, to build the program. And we can evangelize all day, but it really has to come from the top down. And when I say top down, it's gotta come from your CEO, your CIO, your CISO, chief information security officer. Like it's gotta come from higher level executives to start the initiative. And we've seen, even in the consulting world, right? When we've seen that there is buy-in, it's much easier to get a project going. And when there's not, it's tough.
Good luck. That's right. Okay. So we covered a lot already. Did you want to talk a little bit about pen testing in particular? Yeah.
I mean, yeah, no, sure. I mean, so, um, I guess, you know, with the little bit of time we have left, right. I said, I was fortunate enough to work for a company now on, on, uh, the red team. Right. So red teaming, being challenging and launching attacks and thinking like the attacker, is, is really paramount. Um, and I work for a company, Pantera, and that's exactly what we do. We enable organizations to think like the attacker, but not necessarily needing to have the expertise. And what's really great, 'cause we talked about all different types of organizations, and I think of it as a type of, like a, a progressive line, right? You could be more immature where you're maybe mom and pop. You don't have anyone in IT, let alone security. You might have an IT department, but maybe you only have one or two people in security. And then maybe you're up here where you have 30 people in security. And out of those 30 people, you have six penetration testers. So what is penetration testing? Penetration testing is actually going about and testing all these controls, like we were mentioning before, being able to launch ethical, and I think it's very important to say ethical, attacks, meaning you're not doing it maliciously. At that point, when we were talking about black hat and white hat, you might be the white hat. You're actually going to make sure that all the controls you put in place are actually responding and working correctly. And those penetration tests or those penetration testers may run these tests on a basis of, could be once a year, could be once a month, could be once a quarter. What we're looking for here at Pantera is to enable organizations to do it at scale. If you're doing it once a year, we want you to do it once a quarter, once a month. If you're doing it once a month and you have a team, we want you to be doing it once a week. The most mature customers, I could tell you right now, are running red team exercises and testing their controls daily.
And it's very hard to get to that point. Yes.
Yep.
I can tell you with confidence, I know.
Go ahead. I was going to say, to give everyone a little perspective, a penetration test, it's breaking into your own stuff, basically. And it's something that's been around for a long time. It's one of the basics. And it's one of the things that when you get audited, they say, do you do a pen test? Are you pen testing? And you probably don't realize it, but before a lot of e-commerce sites and things you may use are released, they do a pen test. Or if they do a big update, there's a pen test. And companies generally, once a year at least, it's sort of a quote, unquote, best practice to say, test your perimeter, hire someone to try to break in from the outside and do some other things. But, you know, the thing is, there's software and tools to help, but it has to be done manually. It has to be done by expensive people. And it's even more expensive because, you know, as Jay was saying, you may have a large security, you know, group. But unless you have a large security group, hiring your own in-house pen testers is very difficult because they're expensive and they get bored, frankly, and they'll leave and go to other, you know, consulting companies that will pay them better and give them more interesting work to do. And so it means, you know, then you have to go and hire consultants, and that makes it even more expensive and it limits the amount of testing you can do. So there has for a long time. So it's something that's very mature in the industry, but it's something that's been, until recently, very mature, but as a manual and kind of costly process. And, you know, I can tell you, believe me, I'm not pitching anything. I've not worked with Pantera, but you know, I can tell you that when you're building, when you're a security manager and you're building your budget, you know, it's something you have to do. And you have to think very carefully about, gee, just how much money do I want to spend on this?
Now, if you're a huge bank and you're Amazon or something, you know, they have scads of money to do it. But, you know, if you're in a more, more modest environment, it becomes, it becomes tough. It's like, how much do I want to invest in this? Because every dollar you put into that, you say it's so great, that's a dollar that's not going into some of the other things. So finding the right mix of that can be really challenging.
Jay, Jay can tell me I'm wrong. I'm doing this unscientifically. I don't, if I think in my mind to how many people have red team, uh, I have not seen an organization have, uh, at least one red team person sitting in an organization, even as a liaison to other red team third parties, under a billion dollars, but maybe I'm wrong. I, I'm thinking about it outside my mind. Is that something wrong, Jay?
I think it's wrong. It's not scientific. It's not scientific at all. I'm just guessing that. Well, I see so many different organizations and I've seen plenty of organizations that do have a red team, but usually they're the more mature, their program is more mature. And to get to that maturity, you have to have funds. In order to have funds, you've got to have revenue, right? So what you're saying could absolutely be correct. I don't have, I should maybe Google, right? Or something right here on the fly, but. Put it this way, right? It's something that not everybody has. Talent is already hard to find in the security realm in general, which is why I think it's becoming such a booming industry, because people realize that talent is slim. This is a very niche area within security. And it's challenging, like you said, to not only find the people, but get the tests done. So what we're looking to do is make it easier for everybody. For those people who don't have a red team and for those people who do have it, we want you to test more often.
Right. And it's interesting that your company is actually riding a bit of a general trend in the security industry that's come up in the past couple of years, of automation. Basically, you know, trying to automate many things because the people are so expensive. That's it. And, you know, otherwise a lot of stuff isn't realistic. From a manager's perspective too, very often it doesn't necessarily get your overall costs down, but it gives you more capability to do more things, provide more protection, do more testing that you otherwise wouldn't be able to do.
And just to put it out there, red team is a culture in itself. If you're a red teamer, you're expected to travel. You're expected to be up all hours of the night until the early morning. It's high, it's action packed. It's stressful. Um, one of our previous guests threatened to give me a job in, in red teaming. So you'll never see your wife again. He says your wife would probably love that. But the truth of the matter is not only do you have to be highly skilled, and I don't consider myself to have that level of skills, you have to keep on keeping those skills up to date, and you have to be prepared to leave at a moment's notice and travel anywhere within the region that you cover, and be gone for a week or two weeks or three weeks or a month or a day or whatever it is. That's why it's so hard to find people.
And not only that, everything you're saying is true. If you're fortunate enough, again, to work for an organization, maybe you don't have to travel. If you work for a big organization regionally, you can maybe stay in the area. But something else to add onto the level of skills, not just technical, you have to have soft skills. Because you've got to take the information that you then found, and you've got to present that back in a way that makes sense and articulate it to different business owners then as well. And that requires, you know, writing skills and things like that, that you also, that sometimes are taken for granted, but that in itself, generating reports, can be another week or two. And again, for us, right, while that's a level of skill, we pride ourselves in being able to generate a report instantaneously after the test is done. Shameless plug, right, for Pantera again. But it's, it all goes to say that, that the talent is tough, and everything you're saying, Adam, is correct. And, um,
In my opinion, the OSCP or the Offensive Security Certification is a good certification because one of the things they make you do in order to pass is write a good report. I don't know if you agree with that.
Yeah, to give everyone context, you know, the, the result, the things that pen testers do and the results they get are very technical and very complicated. If you want to go and Google stuff, like how some of these attacks and exploits work, they're not simple. This is very, very pithy stuff very often, and translating that into language that different audiences, and even IT audiences, most IT people don't understand this very well, much less when you take it to a manager or executive level. It is a real challenge, and I can tell you, having managed, um, consulting engagements doing this also, you are often delivering news that people really, really don't want to hear, that something is way more broken than they thought it was, so that they're going to have to spend a lot of money to fix it. That, that's a bit of the art of it also.
There was a time when, if you were the subject of a breach, there was a really good possibility that you could go out of business. Now I know things have changed, but some breaches do put companies out of business or put them in so much of the red that it takes them a long time to recover and they have to take away from other resources.
Yeah. That's why everyone is trying to get cyber insurance. And that's why also cyber insurance is, they're getting tight on... Oh, it's hard to get. Expensive now. Yeah. Yeah. Yeah. Yeah. Just because they know. They've had to pay out too much. That's basically it. Yeah. Yeah. Yeah. A hundred percent. A hundred percent. Okay.
Well, on that cheery subject, I think that kind of brings us up towards last call. Um, you know, I, I have been drinking out of the official security cocktail, our flask. Oh, I need one of those. That we're very proud of. You've got the cool red cup there.
Uh, Jay's Solo cup. Yeah. Like I'm still in college things.
And, and that, and Adam has, uh, something that's probably going to give us a copyright strike on, on your cup there. Um, yeah, I know it's a legitimate cup, but you know, do you see which, what corporation has got that? They're vicious. They're like ransomware operators, those guys.
Speaking of that corporation, hey, Jay, and be honest with me. Do you know Ryan Reynolds?
I don't. I don't. I don't know Ryan Reynolds. I thought you were going to ask if I look, if I'm related to someone, a D-list celebrity that I get mistaken for all the time. Do you? Well, not Ryan. It's not Ryan Reynolds.
No.
People think, people think I look like Bud Bundy from, from Married with Children. Dude, I've been getting it my whole life. I literally had somebody, I was, I moved, I just moved out to LA and I went to a doctor's appointment. He was in the parking lot and the guy came out in his scrubs and he was like, hey man, were you on Married with Children? And I was like, no, no, I'm not Dave Faustino. It's not me. Yeah. Yeah. All the time.
I haven't gotten mistaken for anybody except maybe a fed. I don't know.
It's the hair.
Yeah, it's the hair, lack thereof. So the second thing is, send me your address and we'll get you one of these official flasks. And I think we're going to end up having to make some shirts soon, Joe, too.
Excellent. That's right. I appreciate that. So everyone knows, if you're a guest on this podcast, you not only get to listen to the wit and wisdom of Adam, but you get an official flask that one day will be a collector's item, I'm sure. And don't sell it on eBay right away, please. We'll be checking with you. All right. But seriously, thank you so much for having me. I really appreciate it.
Thank you very much. We really appreciate it.
Thank you for joining us. It's, it's, it's been a, it's been a blast, and hopefully next year we'll, we'll actually make it out to Black Hat. We'll be able to meet you and stay, stay out of the drug. I have a live podcast, live. Yeah. Live.
Yeah. Live from DEF CON. Yeah, that's right.
That'd be cool. Okay. Thanks a lot, everyone. We'll see you. Thanks everyone.
Until next time.
