Whoever propagates the rumor that the goal of cybersecurity is to prevent all attacks deserves to be punched in the face.
The goal of cybersecurity is timely detection and damage control.
In this episode, I interview Dr. Eric Cole, Founder and CEO at Secure Anchor Consulting and author of, most recently, Cyber Crisis, about killing unprofitable cybersecurity myths.
We also discussed:
- Believing that you are a target
- Becoming aware of online danger
- The law of cybersecurity
- The 3 basic non-negotiable security rules
- Dr. Cole’s parting advice to CISOs
Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective, you may find some small discrepancies between the written content and the native audio file.
Narrator (intro/outro) (00:06):
You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.
John Verry (00:25):
Hey, there! Welcome to yet another episode of The Virtual CISO Podcast. With you as always, your host, John Verry, and with me again is the Han Solo to my Skywalker, Andrea VanSeveren. Hey, Andrea.
Andrea VanSeveren (00:37):
Hey, John! Everyone. Yeah. I was going to go with Kirk and Spock. But then, I thought you’re probably both those guys. Then, yeah. We had Bones and Scotty, but then I’ve lost it all; so we’ll stick with that.
John Verry (00:50):
Yeah. Well, maybe for next time I could be. I think I’d rather be Spock than Kirk, but that’s another story. I can’t get the image of him singing Mr. Tambourine Man. If anyone knows that reference… What do you think of my conversation with Dr. Cole?
Andrea VanSeveren (01:11):
That was really interesting. Actually, he brings up some really important points. Among them that you’re really never too small to be a target. A lot of times smaller businesses think they’re not on the radar. But really, they can get hit much worse than a larger business that can recover, right? It’s important to understand your exposure, and to be diligent about your cybersecurity strategy.
John Verry (01:34):
Yeah. My takeaway was: How does a guy find the time to write eight books?
Andrea VanSeveren (01:38):
Yeah.
John Verry (01:40):
That was a lot, I wondered.
Andrea VanSeveren (01:40):
Yeah. Good point.
John Verry (01:40):
I find it hard to find time to write a blog. Yeah. We’re largely aligned with pretty much all of our views of what’s going on. I think the one thing which we both agree on is that too often small organizations, SMBs, SMEs, think that they’re not a target. He talks to the fact that they are a target now because of the fact that the larger companies have gotten better at being secure. The bad guys adapt, and go after the people who are less secure. I also made the point and I think it’s an important one. That some fairly significant percentages of successful attacks are not targeted attacks; they are what we refer to as opportunistic attacks. Somebody’s scanning the internet, every IP on the internet for a particular vulnerability that comes out. You happen to have that vulnerability that your team has not yet patched it, and suddenly you’ve been attacked. I think he does speak to the importance of being a small business of paying attention to security.
Andrea VanSeveren (02:35):
Yep. Yep. Yeah. Actually I shared some of those instances he talked about with my family this week. It’s just crazy. The things that come through, right? Yeah. To your point, what you’re saying, whether you’re large or small business, we’re all at risk for these opportunistic attacks. You really want to tune in to this episode, so you can hear more about best practices for managing your cybersecurity strategy; how to balance functionality versus exposure; and then some products you can get to help you manage your endpoint detection and responses.
John Verry (03:05):
Sounds good. With no further ado, let’s get to the episode.
John Verry (03:12):
Dr. Cole, thank you for joining us today. How are you?
Dr. Eric Cole (03:15):
I’m doing great. Thanks for having me.
John Verry (03:17):
Excited to speak with you. This is going to be a first for me. We haven’t had someone on with the core focus will be talking about a book you wrote. This is going to be fun and different for me. Just to get us going down an easy path, tell us a little bit about who you are, and what is it you do every day.
Dr. Eric Cole (03:32):
I work in cybersecurity for 30 years. I believe that everybody is put on this planet that have a very unique purpose. My purpose is to make cyberspace safe, to essentially end suffering in cyberspace. Because let’s face it, we live our lives in cyberspace. Most of the time when we’re ordering meals, when we’re talking with people, when we’re communicating. I started my career, if we go back 30 years ago, as a professional hacker for the CIA where I essentially learned that any system that’s 100% secure is useless. Any functional system is going to have vulnerabilities, which means any system is hackable.
Dr. Eric Cole (04:11):
After doing that for eight years, I got bored. I focused on defense and building, and selling companies. Since then, I’ve bought and sold several companies in the cybersecurity space. Now I’m really focused on just educating and helping organizations understand the dangers, recognizing that we are in the midst of a cyber crisis, and that we need to start making cybersecurity a priority. Otherwise, it’s going to negatively impact our lives, our business, and our country.
John Verry (04:39):
Gotcha. My first question is: This looks like it’s your eighth cybersecurity book, right? Cyber Crisis. It’s just out, I think, in hardcover. I think it’s coming on to Kindle next couple weeks, June 1st. There it is. There’s a picture of the book. My biggest question is: Where the hell do you find the time to write eight books? I’m very jealous. I can’t find the time to tie my shoes half the days. I’m walking around with my shoelaces untied. How do you find the time to write eight books?
Dr. Eric Cole (05:05):
Well, one of my philosophies always in life is time is never the issue. It’s the management of the time. I am one of those folks that I am a strong believer in scheduling out my day. I schedule out everything from when I wake up in the morning, to the gym, to my exercise. My wife doesn’t necessarily like when I schedule time with her especially when it’s to do certain tasks; that’s a little weird. But I’m a very big believer in scheduling.
Dr. Eric Cole (05:37):
The way it works with me is I know that I can write about five pages in an hour; that’s probably about average. If we’re talking a 30-page chapter, that’s going to be six, let’s call it seven hours. If you’re doing a book that’s going to be eight chapters, that’s essentially eight days. You can write about a chapter a day. What I do is I go in, and I look at my schedule, just like you would schedule a vacation, just like you would schedule a doctor’s office, just like you would schedule important time with the client. The way that I like to write is for an entire day. Some people do half a day’s. I go into my calendar. I schedule out over a three-week period, the eight days that I’m going to write. Usually I’ll go away or go somewhere, so there’s no distractions. Essentially, you just do it.
John Verry (06:31):
That’s pretty amazing.
Dr. Eric Cole (06:32):
You just write and you avoid the procrastination.
John Verry (06:33):
Yeah. You’re a better man than I am. Maybe you’re right. It’s not time; it’s focus. I think one of the things that you and I would agree on, and I apologize, like I had mentioned to you, I went to download the book onto my Kindle over the weekend and couldn’t get to it. I didn’t have time to get the paper copy to come to me. But I did take a look at a lot of your talking points on your website because you do some speaking. I think I’m personally always amazed when I’m chatting with folks on the phone. How many times I hear, “No. No. You don’t understand. We’re too small to be a target.” I think that that aligns with one of your principles of the book, which is you are a target.
Dr. Eric Cole (07:07):
Yeah. To me, the two biggest problems you face with individuals and organizations, small, medium and large, is we are not a target, and cybersecurity is not your responsibility. To me, for smaller organizations, there’s two important points that they always miss. First, if I’m a billion-dollar organization, can you break in? Yes. But I’m probably spending millions of dollars a year on cyber, and I have a team of 40 or 50 people. Good luck with that. Right? You can do it, but it’s going to be pretty hard, pretty difficult and probability of getting caught. If you’re a small company, you’re probably spending maybe 20 or $30,000 on security, if that, and your security team is probably your niece, your nephew, your neighbor, or your kid who’s doing it-
John Verry (08:00):
Or an overworked IT guy.
Dr. Eric Cole (08:01):
Exactly.
John Verry (08:01):
He’s not a security guy; he’s an IT guy. You just don’t know the difference.
Dr. Eric Cole (08:05):
Boom! But nobody’s really watching. From an attacker standpoint, it’s much easier and simpler to break into a smaller organization, and not get noticed. The second important point is if a big company has a breach, they’re going to survive. We’ve seen that where these major companies have hundreds of millions of records, or entire infrastructure is taken down for a week. They’re going to survive because they’re big enough and have enough revenue to absorb it. But if you’re a small company, I see this all the time, and you have a breach, and you lose your customer confidence, you go out of business.
Dr. Eric Cole (08:41):
I know many local doctors’ offices, from chiropractors, to dentists to general practitioners that had a thriving practice. Their patient records got compromised. The entire community turned on them saying, “This person violated our trust. We now have identity theft. People’s banks accounts were wiped out because of the breach.” Nobody goes back to this person. Not only did they go out of business, but essentially they had to move out of the area because nobody liked them anymore. It’s crazy stuff. To me, the smaller your business, the more you should pay attention because the bigger the impact, and the bigger the exposure.
John Verry (09:20):
Yeah. I think those are really good points. The other thing which I always point out to folks is that there’s a difference between a targeted attack and an opportunistic attack. I think when people say, “We’re too small,” I think they’re thinking, “We’re too small to target”. I would say in a weird way. Yeah. There’s not a guy, a hacker on the Kavado network in France and saying, “Hey! I’m going to break into Bill’s Chiropractic Institute.” But he might be running a scan, looking for a WordPress form or a Joomla vuln and just happened to happen upon them. I think that’s how a lot of these attacks take place, these opportunistic attacks. I think that’s the other thing that they don’t realize is that opportunistic attacks are a large percentage of the attacks. An opportunistic attack can hit anyone who’s got any infrastructure that’s public facing.
Dr. Eric Cole (10:09):
Exactly. I hear all the time where people went to FedEx that morning, and they mailed a package. Two hours later, they get an email from FedEx saying, “Hey! There was some trouble processing your package.” They go, “Eric, I know you warned us. I know you said don’t, but this is legit. I just went…” Then, they click and they get infected. They go, “Eric, how did they know that?” I said, “Well, they sent that email to a million people knowing that probably 100,000 went to FedEx within 24 hours, and they’re just playing the odds. Sure enough, you got caught within those odds.”
John Verry (10:48):
Yeah. You know what? I teach this stuff like you do. Literally, I’m embarrassed to admit that there was one day I’d forgotten to order something for my wife and she was mad at me; so I placed the order. Five minutes later, I have an Amazon-problem-with-your-order. I clicked and I was like, “Oh. Damn it!” I’m trying not to let the mouse up. Because I had clicked and-
Dr. Eric Cole (11:09):
Because you knew. Yes.
John Verry (11:10):
Yeah. Because I knew. It can happen to anybody. I think those are two really good examples on top of what you just said, the fact that you’re less likely to be able to recover. You have less resources helping you minimize the impact, right? Now you’re an equal risk for these opportunistic attacks. I think those are three good reasons why small businesses need to pay a lot more attention.
Dr. Eric Cole (11:34):
Yup. Then, the last one since we’re doing a little confessional booth. I’ll confess, too. Everybody makes mistakes.
John Verry (11:39):
Of course.
Dr. Eric Cole (11:40):
Just two weeks ago… I’m a morning person; so I usually go to bed by about 9:00 or so because I’m up by 4:00. I had to do a meeting request for the next day. At 9:30, I’m on my computer going to GoToMeeting and I forgot the second O. Instead of G-O-T-O meeting, I typed GoTMeeting. Many people don’t realize that’s registered to an attacker. As soon as the same thing, as soon as I hit GoTMeeting and I hit it the thing, and I’m like, “Oh! Here we go. I’m not sleeping tonight.” Right?
John Verry (12:08):
Here we go. Yeah. Exactly.
Dr. Eric Cole (12:09):
Yeah. Everybody makes mistakes on this front, and they’re just waiting for you to screw up.
John Verry (12:14):
Yeah. No question. Another thing that I noticed you talk a lot about is what you refer to as “online danger”. I think what you’re referring to, and I don’t think most folks understand how the line between online personal and online business risks is blurred especially with the concepts of credential stuffing, and things of that nature. Can you talk a little bit about what you mean by online danger, and what folks should be aware of there?
Dr. Eric Cole (12:36):
Sure. When you go online, a lot of people believe there’s a level of security that doesn’t exist. For example, when you receive an email, there are some people that honestly believe that email is verified and validated when it’s not. You and I both know you can spoof an email from anybody to make it look legitimate. Same thing with social media: when you sign up for a social media account, they don’t verify your identity. They don’t check it out. You could find a picture of me. You could find out my general interests. You can go and create an account for Eric Cole on social media. There’s just a lot more dangers online that people just don’t realize. Many of these attacks are just very, very simple.
Dr. Eric Cole (13:23):
I’ll give a simple example. Back in February, I did an experiment where I took 50 people from 50 different companies. Just randomly put out a request saying, “Hey. If you’ll play along with my experiment, I’ll give you a free 30-minute awareness training session that I normally charge a lot of money for.” I had a lot of people signed up; I picked 50 of them. We spent 30 minutes going through the dangers online, what you have to be careful of, and you can’t trust anything. If you’re on Facebook, and you see an iPad for $79, don’t click. They don’t verify. They don’t validate it.
Dr. Eric Cole (14:00):
Then at the very end, I purposely spent five minutes talking about COVID phishing threats. I said, “If you get an email that says either a student in your child’s class, or a co-worker tested positive for COVID and say, ‘Click here to see if you came in contact and need to quarantine,’ don’t click on it. Don’t go there. It’s not valid. It’s not legitimate.” Five minutes going through the exact example. Two hours later, I sent all 50 people that same exact email. I know you’re laughing because you know the answer. Forty three of the 50 people clicked on it. Forty three. That’s the online danger.
Dr. Eric Cole (14:43):
Now it’s funny when you said you clicked on the mouse, and you didn’t want to release the button because you knew. Thirty seven of the 43 people told me, “Eric, within 10 seconds of doing it, it was like, ‘Oh, man!'” As you’re clicking on it, they knew it was wrong. But these attackers understand your weakness; they understand psychology. They know if they can get you emotional, time-based and reactionary, they’re going to get you to make mistakes, and take advantage of you. It’s really this concept that when you’re online, you’re being targeted. It’s not a safe place. There’s dangers all around you. Most people just aren’t properly trained on those dangers.
John Verry (15:27):
But you just point that out. I think this is an inherent problem I don’t know if there’s a solution to, is that we all need to be vigilant at all times, that we all have lapses in attention or focus, and make that mistake. Because you said 43 people, right after training from an expert… They had one-on-one training with an expert. Within two hours, they failed the test. Fundamentally, that says that… I think this speaks to something else that probably rolls right into the next thing, right? Perhaps that’s what you mean by the myth of cybersecurity because there really is no state of being “truly secure”. It just doesn’t exist.
Dr. Eric Cole (16:05):
Right. What I always tell folks is 100% security only exists with zero functionality.
John Verry (16:12):
That’s right. You got to disconnect your systems from a network, and they’re secure. Well, they’re not even secure unless they’re in a locked vault or in an appropriately secured room. You’re right. Then, you have no functionality. Talk about that. You use the term myth of cybersecurity. What do you mean by that?
Dr. Eric Cole (16:29):
What I mean by that is just like the law of gravity. Whether you acknowledge it or not, the law of gravity is there and will impact you. The law of cybersecurity, whether you want to acknowledge it or not, is anytime you add functionality, you’re decreasing security. Anytime you’re adding functionality, you’re increasing risk. There’s always exposures. The trick is the balance. Now the problem is most people only ask one question when they’re making a decision: What’s the value and benefit? If there’s a value or benefit, they’re going to do it.
Dr. Eric Cole (17:04):
A great example, one of my favorite ones, is when Alexa came out. Everyone’s like, “This is so cool! I can have a device in my home where I could say, ‘What’s the weather?’ and it will tell me.” My response is, “How big a home do you live in that you can’t just look out the window?” I’m like, “My homes aren’t that big. Then, maybe yours are.” People love the value or benefit, but the problem is they don’t ask the second question. The second question is this: What’s the exposure or risk? What’s the impact by doing this? Now people will always go, “Eric, is Alexa secure?” I say, “Let’s look at the data. Here’s the value and benefit. Here’s the weakness and exposure. Is the value and benefit worth the weakness? If the value is worth the risk or exposure, then do it. If it’s not, then don’t do it.”
Dr. Eric Cole (17:55):
But to me, it’s that balance and that’s the myth where people think things are secure by default. Then, as soon as people started realizing that Alexa was listening in, which I always loved that debate… People are like, “Eric, Alexa isn’t listening into my conversation.” I’m like, “If it’s not listening, how does it answer you?” I wait for him to like, “Oh! I never thought about that.” It has to be listening. Otherwise, how can it respond. It’s just a crazy argument. But then when people realize that it’s listening and recording a conversation, and they realize the value and benefit, the risk and exposure, they go, “Wait a second. This value is not worth it.” They disconnect it. Now some people still have Alexas today when they know the risk because to them the value and benefit outweighs the risk. But it’s always making an educated decision on: Is the benefit or is the risk, which one is greater? That ultimately drives your decision-making process.
John Verry (18:52):
I’m sitting here listening to you. I’m thinking about something funny, is that the same people that have the Alexa in their house on one side are the people that refuse to have an E-ZPass on the other because I don’t want the government watching what I’m doing. You know what I mean? I agree with you. Quick question for you. Are you a strong risk assessment advocate then? How formal do you think risk assessments need to be? Or do you think that if businesses are using just that fundamental risk versus return ratio in a less formal way, you’d still be good with that?
Dr. Eric Cole (19:30):
Yeah. I am very big on cybersecurity equals risk.
John Verry (19:36):
Of course.
Dr. Eric Cole (19:36):
Like when people say, “Oh. We don’t want to do that.” To me, that’s crazy. Now I think there’s two levels. I do think one of the big roles of the chief information security officer is to work with the executive team and say what is acceptable risk because it’s different for different people. I love doing extreme sports. I love base jumping and skydiving, and all that crazy stuff. I have other friends that are like, “Dude, you could die doing that.” I’m like, “Yeah. But what a way to go.” Right? To me, the clarity I get from being away from the computer and the rush is worth it for the risk, but other people don’t. To me, there has to be different risk tolerance. You just need to understand for the organization what that is.
Dr. Eric Cole (20:26):
The cybersecurity team is all about setting the bar. Now with that, I believe you should have a culture. This is the other big job of the CISO, is to make risk-based thinking a casual part of what everyone does. To me, every manager, every VP, every person that makes a decision should subconsciously be going, “Okay. What is the value and benefit? What is the risk and exposure? Are we willing to take that risk? Are we willing to balance that?” That has to drive all of our decision-making process. We do this throughout our physical lives all the time. When we go in and get in a car, we are accepting a certain level of risk. When we get in an airplane, we’re accepting a certain level of risk. But it’s so ingrained and physical that in cyber, we just forget to do that. We assume that everything is safe by default, which is what’s really dangerous.
Dr. Eric Cole (21:20):
To me what I really try to go is listen, everything has a risk. You always need to think about the risk and the benefit in everything you do. I guess to answer your question, it’s both. Security should formally define what acceptable risk is for the organization, but then it should be an informal part of everyone’s management style and decision-making process.
John Verry (21:41):
Right. I agree completely with that. Now what do you think? Because one of the challenges that I think I find that in organizations that have a CISO, or a fully-fledged security group, you’re going to have a higher likelihood of them taking that type of an approach. But a significant percentage of the companies that are under, let’s say, 500 people, don’t really have a CISO. If they do, they might not be the same level of CISO that you’re referring to, right? Somebody that’s more formally trained, and taking that type of approach. What do you recommend there?
Dr. Eric Cole (22:14):
To me it becomes even more important that when you’re going in and having people make decisions where there is no CISO, or there is no security department, that it’s really ingrained within that thinking. But what I do with those small or medium-sized organizations is you have non-negotiables. You just go in and make it simple. It’s not really hard. I’ll break it down for you. It really just comes down to two or three basic rules.
Dr. Eric Cole (22:40):
First rule. Any system that is accessible from the internet, any system that you’re going to allow people from the internet to access, whether it’s a web server, or an email server, must always be fully patched and up to date, non-negotiable. Second, any systems that are accessible from the internet never contained critical data. Critical data is never directly accessible from the internet. The third non-negotiable is all of your critical data is always stored and protected, and secured in a location that’s approved from the organization. To me if you follow those three basic non-negotiables, most of the problems go away. If we want to take all of the major breaches over the last four years, I will argue and debate that every single one of those breaches were caused because a company broke one of those three rules. I always say security doesn’t have to be hard if you understand the exposure.
John Verry (23:37):
Right. I would agree with that on an organization that’s largely hosting their own stuff. But I would add to that multifactor authentication if you’re using cloud services because I’ve been involved in a number of breaches that were breaches or credentials to, let’s say, Office 360. I don’t know if it’s Office 365 account takeover without MFA. I think MFA would be a good addition to that list.
Dr. Eric Cole (23:59):
Oh, absolutely. Great. For this call, I’ll give you credit after that. I’m gonna say those four rules. I’m going to steal because you’re right.
John Verry (24:07):
But that would mean the really critical part there is well… Then, there’s so many subtleties to see the crap.
Dr. Eric Cole (24:14):
Yeah. Exactly.
John Verry (24:14):
Because they were like, “Okay.” Also don’t have RDP exposed to the internet, right? But, yeah. I like your thought process. I think the more that we can make security simple for people, the better off we are because I think we have a tendency to overcomplicate it. I know you’re another advocate of the concept of you can’t prevent every attack. At some point, you’re going to be compromised to some level. We move from a purely preventative world to a world that has some level of focus on detection and response. How would you lay out those priorities? What is the right ratio from your perspective of preventative versus detect and respond?
Dr. Eric Cole (24:59):
To me the way I look at it is… For some reason, and I don’t know who started this rumor, but if I find them… I’m a pretty calm, non-violent guy, but I’ll probably start beating on them if I find a person that basically said the goal of cybersecurity is to prevent all attacks.
John Verry (25:16):
Yeah.
Dr. Eric Cole (25:17):
I don’t know who came up with that. That’s crazy, right? The goal of cybersecurity is timely detection and control the damage. I would argue that all the major breaches failed in those areas. If somebody broke in and stole 10 records, and you control the damage, it wouldn’t have been all over the news. If somebody broke in and took control of one computer, and you control the damage, it wouldn’t have been all over the news. To me, it’s all about the timely detection, response and control of your data, and your information.
Dr. Eric Cole (25:49):
Now you go in and say, “Okay. What are the percents?” That’s hard because you say in a perfect world you’d balance it 50/50. But the way I look at it with most of our clients, most organizations over the last 3, 5, 7, 10 years have focused mainly on preventive measures. Firewalls are pretty commoditized, IP’s, correlation data, all those things. I would say most of our clients, “You know something? Keep doing what you’re doing. Keep doing what you can on the preventive side, and you’re probably doing as much as you can; so maintain that.”
Dr. Eric Cole (26:26):
But the bigger focus has to really be on the outbound detection. Inbound prevention, outbound detection, that’s the other piece because most of our clients that are doing detection, they’re still focused on the inbound. When does data leakage occur? When does exfiltration occur? When do command and control channels? Outbound, outbound, outbound. I’m always amazed. I will go to a client. This can be a small, a medium, even a large. I just did this for a $1.3 billion credit union where we go in, and we look at the outbound traffic. I geolocate map where it’s going. Let’s say they’re based in Denver. I put a star. It’s an automated tool, and I just show where the data is going in the world. The thicker the line, [crosstalk 00:27:14] the more data that’s going there. This is a regional credit union. I just show it to the team. I say, “Hey. Here’s your outbound data flow.” Immediately they’re like, “Why is-
John Verry (27:27):
“Why is it going to China?”
Dr. Eric Cole (27:27):
Yeah. Going to China. Going to Russia. We also see a lot more Venezuela now. I don’t know if you’re seeing that.
John Verry (27:35):
I have not noticed that, but I’m not looking at those charts all that often anymore.
Dr. Eric Cole (27:37):
Yeah. But they look at me and they’re like, “Eric, you’re a genius. You found that we were compromised. We go in and we find the computers that were compromised. The compromise occurred at 18, 24, 36 months ago.”
John Verry (27:54):
The timely detection is terrible.
Dr. Eric Cole (27:55):
They think I’m this brilliant guy and I’m like, “I used the free tool to look at the outbound traffic.” All I did was change the perspective. You’re looking here; I looked here. This isn’t hard. I can’t understand why more organizations aren’t just monitoring and tracking outbound communication, doing basic geolocation.
John Verry (28:16):
Yeah. Two questions for you. First is: What’s the name of the tool? Because that would be something good for people to look at.
Dr. Eric Cole (28:22):
Well, one of the ones that I like is EtherApe, E-T-H-E-R-A-P-E. Now you can break up the words differently. People give them different weird, but it’s basically E-T-H-E-R-A-P-E. Also, Ethereal has an add on for that.
John Verry (28:36):
Yup.
Dr. Eric Cole (28:38):
Some of these commercial tools, I can’t say it now because it’s a dirty word, but SolarWinds has that capability and a couple of the others.
John Verry (28:44):
Yeah. Yeah.
Dr. Eric Cole (28:45):
Most day-
John Verry (28:46):
You can do a Panorama, I think, from Palo Alto.
Dr. Eric Cole (28:49):
Yeah.
John Verry (28:50):
Yeah. That’s really interesting. The other thing which goes the opposite direction, is I’m always amazed how often we’ll stop monitoring environment and looking at environment, and look at the firewall logs. It’s like, “You guys said you don’t do any business overseas.” “No. No. We don’t.” I’m like, “Well, 30% of your firewall logs are from Bulgaria and the Kavado Network in France.” We’re like, “Is there any reason you should be committed?” “No. Not at all.” “Why haven’t you geogated your firewall?” One of the simplest things anybody can do is geogate your firewall. I say, “Look. Drop all connections from these 262 countries that we have nothing to do with.” Right? Suddenly your risk profile just went down in order. I understand we’re going to have people that are running VPN and other types of devices to hide where their traffic’s really being sourced from. But what percentage of the noise that you just get rid of? I couldn’t agree with you more. I think the idea of geo in either direction is fantastic.
John Verry (29:47):
Question for you. You sound like you’re very interested in detection. I think that the thought process that you had for that one time event is good. Are you a SIEM guy? Are you a DLP guy? What would be the next level beyond that? Okay, now we see this. Yup. We got crap that’s going outbound. We’ve got communication outbound to C&C. If you were going to advise a client, would you advise them to put a SIEM solution in place? Would you advise them to put DLP in place? Both of those things? What will be the next steps you would take?
Dr. Eric Cole (30:15):
To me, the first thing I would have them do is a SIEM. Then, the second thing I would have them do after that is a DLP. But a couple things I always like pointing out. I know to you it’s obvious, but I run across this all the time. I tell a lot of my clients, “Listen, you need a SIEM. I’ll recommend a few, but you need a SIEM. You need visibility. You need to know what’s going on.” I’ll come back six months later. They’ll be like, “Eric, you gave us bad advice. We went and got a SIEM. We put it in place, and it’s not doing anything. It’s not catching anything.” I’m like, “Okay. Show me the use cases that you have for the SIEM.” They go, “The what?” I said, “The use cases. What you probed in.” They’re like-
John Verry (30:54):
You have to tell the SIEM what to look for.
Dr. Eric Cole (30:56):
Yeah. They’re like, “We weren’t given any use cases.” I’m like, “Let me get this straight. You bought a tool. You didn’t tell it to do anything. It’s not doing anything, and you’re mad.” They’re like, “When you say it that way, it makes us sound stupid.” I’m like, “I’m not. I’m trying…” But they don’t realize that it’s only as good as what you tell it to do; that’s first thing. Second is a SIEM requires a response. The other problem I see all the time, and you see this after the breaches where these vendors come out and go, “Our tool detected the attack. The company failed.” It’s like, “Wait a second. You tuned your SIEM with all these use cases. It’s generating 20,000 alerts a day, but your team can only handle 200.” Well, it doesn’t take long to show that that’s not going to work for very long.
Dr. Eric Cole (31:52):
My other thing is if your team can only handle 200 alerts a day, then you should program your SIEM only to alert on the highest, most critical. Now people come and go, “But, Eric, if you’re only alerting on 200, you’re missing some attacks.” Yes. But my counter is if you’re alerting on 20,000, and your team can only get to 200, you’re missing all of them. This idea of don’t let good enough get in the way of perfection. Catch the high priority items. Catch the really, really big stuff first, and then worry about the noise later. But don’t over tune these and understand what the big threats are, and make sure you have appropriate use cases.
John Verry (32:34):
Yeah. I think that’s great guidance. The other thing you can do is limit the scope of the coverage on your SIEM. Because the other problem I see with SIEMs is someone gets a SIEM, and what’s the first thing they do? They point every device, every application, everything in the network to this. It ends up being just a giant log consolidation tool, which is great for incident response, but not for incident detection. Right? You’d be much better off saying, “Okay. I’m not going to listen to 500 devices. I’m going to listen to the 30 that are the most important in my environment where the crown jewels are kept.” That way I’m maximizing my signal to noise ratio, which I think you’d agree is the key to a SIEM.
John Verry (33:14):
I know you talk a lot about cybersecurity playbooks. I think in a weird way we’ve been talking about that. When you talk about a cybersecurity playbook, you’re talking beyond what we’re talking about now?
Dr. Eric Cole (33:25):
No. It’s essentially tied to what we’re covering here where it’s essentially… What is the critical data? What are the threats that have the highest likelihood? What are the vulnerabilities that have the biggest impact? It’s really understanding the business. How do you make money? Where are your biggest profit margins? Where do you need to protect and secure the organization? Because to me, one of the things I noticed a lot is not all. I have a few CISOs; I don’t want them to get mad at me. Not all, but most CISOs, it’s often viewed as a technical career track. You work at the company for 10 or 12 years. They don’t want to lose you, so they give you the CISO title, but you’re a world class security engineer. You’re not a world class CISO. They’re too focused on tech.
Dr. Eric Cole (34:10):
To me, a world class CISO, I can figure it out in two minutes. Here’s what I’m going to do. I’m going to go in and say, “What’s your name? Where do you live? What’s your phone number? What business are you in? What’s your revenue for last year? What’s your profit margin and who’s your biggest competitor?” If you can answer rapid, fire, boom, boom, boom, and you pause, you hesitate for those last three questions, you’re not focusing correctly on the business. That’s what I refer to as the business playbook, is from a business standpoint. Where is most of your money being made? What is your competitive advantage? And how do you utilize cybersecurity as a business enabler?
John Verry (34:52):
Yeah. I know. You and I are very much aligned in the way we view the world. The other way that I think you can figure out a bad CISO or a person who shouldn’t be sitting in it, when you ask them for your security strategy, and they come back with a product strategy. Right? “Explain to me your cybersecurity program.” “Well, we have product A for this and product B for this product.” “No. No. No. That’s not a strategy. Those are products that are intended to fulfill a strategy. What was the strategy that shows the choice of those products?” When you get the blank look at that point, you got the same issue.
John Verry (35:29):
It’s funny. I don’t know if you’d agree with this. But oddly, some of the most secure and best information security management systems that I’ve seen are not operated by technical security folks. They’re operated by a very intelligent, but people that like to dot i’s, cross t’s, almost project managers, like technical project managers. I think a technical project manager in a large organization would be a very good CISO because they’re focused on the process, and information security is just a collection of processes.
Dr. Eric Cole (35:57):
I would agree completely. A lot of people because I’m doing a lot now on really CISO training and awareness. To me, once again, I always have to say, most, not all because there’s always exceptions. But most of the really good CISOs typically only work in security for two or three years. They understand the foundation, but they like the bigger picture. They don’t like all the techie. They don’t like all the hands-on. Because let’s face it, if you’ve been a security engineer for 10 or 12 years, that’s what you love to do.
John Verry (36:29):
Yeah.
Dr. Eric Cole (36:30):
Or you’re insane, and you like torturing yourself, which I don’t think the case. If you do that for 12 years, and I now try after 12 years, this is your life; this is your DNA. I now put you in a CISO position. The probability of you being able to change and morph into somebody else is very, very low. It does happen. There are some world class CISOs that do that, but like I said, most, not all don’t. Yeah. I want somebody two or three years, so they understand the language, but they’re really much more strategy and program management focus. You put them in the CISO, and they really, really excel. Because let’s face it, what a CISO really is a translator. You translate from technical to business, and you have to be really good at that translation. Or as I always joke, and we do a lot of the visas at work, you’re a marriage counselor because the executives think one way, tactical others, and you got to work out and differentiate the challenges between the two.
John Verry (37:28):
Yeah. COBIT has the concept of value creation versus value preservation. I think the problem is with so many CISOs is they are value preservation especially technical people growing up because everything you’ve done to that point is intended to reduce risk, that is to preserve value. But a good CISO creates value. He’s a business enabler, but they don’t think about it from that perspective. I think what you’re saying is that unless you’ve got the value of a guy that didn’t live his life in that side is that he understands the value creation. He understands the business value of information security.
Dr. Eric Cole (38:11):
Exactly.
John Verry (38:12):
Cool. Yeah. We do. We see the world a lot the same.
Dr. Eric Cole (38:15):
Yeah.
John Verry (38:16):
I’m sure I’ll be reading your book on. “Yup. Yup. Oh, yeah. He’s right there. Yeah. Absolutely.”
Dr. Eric Cole (38:20):
I love it.
John Verry (38:21):
Any other issues you want to chat about? Anything else you want to put out on point? Anything else that we missed that would give some people some perspective on your book?
Dr. Eric Cole (38:30):
I know you and me, and some of the listeners know this, but we have a problem that’s been brewing for a couple of years. It’s starting to boil recently, which is we are ignoring security. Organizations are doing crazy, crazy things. I know after the recent pipeline breach, they tried to do various PR campaigns. But let’s face it, it’s pretty obvious that what happened at the pipeline was they took operational technology that had known vulnerabilities and connected them to the internet. There’s no other way like that could have happened. Don’t tell me it was because the billing system wasn’t where… Come on. You can’t snow the snowman. To me, we’re just making a lot of fundamental mistakes, and it’s being ignored.
Dr. Eric Cole (39:22):
We, as cybersecurity professionals, need to do a better job of explaining it to executives. Because I was just talking to somebody the other day, they were security engineers, and they’re like, “Eric, we have the same exact problems like Colonial and what happened at these others. We have systems that are missing patches. They’re vulnerable.” I know we are on the brink of disaster. I know we’re going to have a major ransomware attack, but the executives aren’t doing what they’re supposed to. I looked at him and said, “Okay. There’s one of two scenarios. Either one, your executives really are just idiots.” I said, “Do you really believe that the executives at the pipeline actually said, ‘Okay. We know that the computers that control the pipeline are connected to the internet. We know that they’re vulnerable. We know that these attacks are easy. Let’s do that. That’s a good idea.’ Do you really think the executives truly understood and knew the problem and accepted that crazy risk? Or maybe, just maybe you didn’t do a good enough job explaining it to them?”
Dr. Eric Cole (40:32):
With love in my heart, I said, “I’m not trying to get you a vendor,” but maybe that’s the issue. To me, we have a cyber crisis because I personally believe we haven’t done a good enough job explaining the risk to executives in a way they can understand. That’s why companies have accepted ridiculous risks because there’s a disconnect.
John Verry (40:54):
I agree with that. But I think in fairness to the folks on the security side because I live this everyday like you do. I’ve seen times where I think we’ve gone in fairly clearly communicated to management as well as we could something. I think that they don’t necessarily believe our measure of the risk, or their measure of the risk. I think one of the challenges that we have is that there’s not enough actuarial data or data that a business person can look at, and make a good, sound judgment on, right? Because if you think about it, in the business world, generally speaking, you’re working off of financial data. Data that’s almost actuarial in nature. It’s a clear versus the security guy coming in. Is he just overblowing this risk? Or is that the real risk? I have nothing. I come in to communicate a risk to you, I can’t tell you whether there’s an 80% chance… There’s no true equation for them to look at. Is that part of the problem?
Dr. Eric Cole (41:52):
That is because you look at it especially with some of the recent attacks. You have some folks that are starting to say, which I do not agree with, but starting to say that cybersecurity is a zero-sum game. They’re like, “No matter what you do. You’re going to lose. You just can’t win now.”
John Verry (42:07):
I disagree.
Dr. Eric Cole (42:08):
I disagree because if managing risk couldn’t be done, insurance companies would have gone out of business. Clearly, insurance companies show us that you can manage risk. They have proven that historical data and comparative data are the best models for doing that. Now I do agree that insurance companies have a lot more data than we do. We don’t have 100 years of data on 50-year-old men that live in the East Coast, and really have those actual… Yes, we’re going in and using some limited data sets.
Dr. Eric Cole (42:46):
But when I always go in with the executives is I’ll go in with the conservative number. If we have an organization that’s doing COVID testing. We’re testing for the vaccine, and doing all that stuff. I think we could all agree. It’s probably higher. But at least, there’s a 60% chance of a ransomware attack, at least. Maybe it’s 70, maybe it’s 80, maybe it’s 90, maybe it’s 95. But I think just based on what we’ve seen out there with healthcare, timely access control, and foundation and visibility, then it’s going to at least be a 60%. I’ll give it a lower number, but to me what you’re really doing is that 60% is less what I’m concerned about. What I’m more concerned about are the two other data which is: What is the cost if it occurs; and what is the cost to fix it. Those I think we can do a better job.
John Verry (43:40):
That I agree with completely.
Dr. Eric Cole (43:43):
Yeah. To me, at least when I talk to executives, what they always struggle with is we don’t give that first number. We come in and say, “I need $500,000 to go in and prevent a ransomware attack.” They’re like, “Well, we haven’t had a ransomware attack. If we don’t spend the 500, nothing will happen.” But if I go in and say, “Hey. The average ransom of businesses our size is $2,000,000. Whatever that percent is, it’s more than zero. Whatever that percent is, you can pay $2,000,000 if we get hit, or $400k to fix it. Which do you want?” Then, I think that starts to give them perspective, but we don’t give them both numbers, which I think is where some of the problems start to get created because they don’t have a leverage point of saying how bad could this really be.
John Verry (44:30):
Yeah. I think that’s really good guidance. I think that’s part of that concept of communicating. I do think that you have some challenges. It’s probably like life insurance. There are some people who just don’t buy life insurance because they don’t think they’re going to die, or they don’t want to waste the money. I do think that there’s an insurance idea here, or that’s part of management style process. “Hey. This hasn’t happened to this point. Why would it suddenly happen now?” They’re coming unlucky for a while. I think one of the good things, if you will, about the increasingly common and successful attacks that get a lot of play is that I think when we go in, if we do a better job at communicating, I think we have a better chance of management listening to us now-
Dr. Eric Cole (45:16):
Yes.
John Verry (45:17):
… than five years ago. Anything else you want to cover?
Dr. Eric Cole (45:19):
No. A quick little story because you’ll appreciate this. I’ve been working on my book for a little over a year. We’re getting down, June 1st is when it comes out; so we’re really ramping up. I’m like, “There’s a problem, but we need a big cyber event.” I’ve been telling my friends when we’re grabbing drinks and going out for the last five or six weeks, “Listen. It would be so great if we had a really big cyber event within a couple of weeks of the book.” Then, we know just a little over a week ago, Friday night was announced with Colonial, and then Saturday. I kid you not. At least 30 of my friends, and it tells you how high they think of me. On Saturday morning, they’re like, “Dude, did you actually hack Colonial to promote your book?” I’m like, “Yeah. Because that’s what I’m going to do.”
John Verry (46:05):
I did SolarWinds before that.
Dr. Eric Cole (46:07):
Exactly, but I just thought that was so funny. I’m like, “Okay.” I don’t know if that’s a compliment that they thought I could pull it off, or an insult that I have that low ethics. But, yeah.
John Verry (46:18):
I think it’s a little bit of both.
Dr. Eric Cole (46:21):
Exactly.
John Verry (46:23):
Well, awesome. Very much appreciate you taking the time to come on. If anybody wants to get in touch with you, what’s the easiest way for them to do that?
Dr. Eric Cole (46:30):
If they want to follow me, I produce a lot of free content on social. I have a Life of a CISO Podcast on YouTube. It’s Dr. Eric Cole. D-R-E-R-I-C-C-O-L-E. If you want to reach me directly, [email protected]. Cyber Crisis comes out June 1st.
John Verry (46:49):
Excellent. Well, I’m looking forward to the book. It was fun to get a chance to chat with you. It was especially interesting because I think so much of our experience and so much of the way we view the world based on that experience is so damn similar. It was almost self-validating for me; I feel pretty good about myself.
Dr. Eric Cole (47:05):
Kindred spirits. I’m there with John.
John Verry (47:06):
I didn’t write any books. I don’t have the title Doctor. But damn it, I’m right there. I’m right there with this guy.
Dr. Eric Cole (47:12):
Awesome.
John Verry (47:13):
All right, man. It was awesome to meet you. Thank you.
Narrator (intro/outro) (47:17):
You’ve been listening to The Virtual CISO Podcast. As you probably figured out, we really enjoy information security. If there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. To ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.