May 26, 2020

The word forensics usually makes us think of homicide, but it applies to computers, too.

Computer forensics is really just a way of telling the story of what happened on a computer.

In this episode, I interview Brian Dykstra, President and CEO of Atlantic Data Forensics, about who needs computer forensics, when, and why.

What we talked about:

  • The need for computer forensics is widespread and underrecognized
  • It gives you protection against future litigation, especially in IP and employment cases
  • 50% of CISOs graduated at the bottom half of their class… and what that means
  • 3 free, easy ways to reduce your attack surface

To hear this episode, and many more like it, you can subscribe to Virtual CISO here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Announcer: (00:06)
You’re listening to The Virtual CISO podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry: (00:25)
Hey there and welcome to another episode of The Virtual CISO podcast. As always, I’m your host John Verry and with me is a Robin to my Batman, Jeremy. How are you, Jeremy?

Jeremy Sporn: (00:35)
It’s a good day, Batman.

John Verry: (00:36)
Out fighting crime?

Jeremy Sporn: (00:42)
Yeah. Got to keep Gotham safe, right? That’s our job.

John Verry: (00:44)
Did you have a chance… Well, you better have had a chance to review the podcast that I did with the interview that I did with Mr.Dykstra with regards to forensics. What were your thoughts?

Jeremy Sporn: (00:55)
Very, very interesting conversation coming from a very non-technical standpoint. He mentioned one comment that really hit home for me. It was this whole idea of, that forensics is the story of what happened on a device. And I just thought that was a really simple way of explaining what it is. Because a lot of times I think for people who aren’t in the weeds of the technical information security practices, forensics can seem like this FBI shows up, pulling the hard drives out of computers. It seems like more of a NCIS thing than a reality. I thought that was a great way to explain it simply.

John Verry: (01:34)
Yeah, and I agree. I think it’s actually an elegant description. The only challenge is of course that sometimes the story can’t be told, let’s say it’s written in disappearing ink. So yeah, that’s the only thing I always caution people on in forensics. Because that’s a lot of people’s first response. Like, we should do forensics, and I’m always like, great. A, It’s going to cost a lot of money. B, you might not actually get the information that you’re hoping to get. Are you okay with that?

Jeremy Sporn: (01:55)
Yeah. And the cool part about Brian, he’s very practical person. In fact, the conversation steers that way towards… For a CEO of a data forensics company who makes his living off it, he really understood the bottomless pit that forensics could be and didn’t want it to be that. A quality human being who was looking at it for his client’s best interest, not necessarily his own, which I thought was really cool.

John Verry: (02:23)
I mean, I’ve known Brian a bit, I’ve known Patrick who works with him quite a bit longer. And honestly, we wouldn’t have either had him on or we wouldn’t recommend them occasionally to our clients if they didn’t live the same mutual benefit, win-win perspective that we live life from. So yeah, I agree with that. They’re a pretty good organization to work with. I think they are looking out for your best interest when you do engage them.

Jeremy Sporn: (02:45)
Very cool. Well, for anyone who enjoyed what Batman and Robin talked about enough to keep on listening, this is what you can expect from Brian, the CEO of Atlanta Data Forensics. Very, very bright guy, expect a very clear understanding of what forensics is, how it should be used, when it should be used. The when was a huge surprise to me. I’ll leave everyone on a cliffhanger there because I think there’s a lot to learn from John and Brian’s conversation. I hope everyone enjoys it.

John Verry: (03:14)
All right. Anything else?

Jeremy Sporn: (03:16)
Batman, you’re off to the races. Save Gotham one more time please.

John Verry: (03:21)
I will, and you’re welcome. All right guys, let’s get to the show.

John Verry: (03:26)
Brian, good afternoon. How are you?

Brian Dykstra: (03:27)
Afternoon.

John Verry: (03:29)
Good to catch up again. Thanks for agreeing to appear on the podcast today.

Brian Dykstra: (03:33)
Yeah.

John Verry: (03:34)
As we talked about a little bit, forensics is one of those areas that I think people don’t fully get. But before we jump right into that, why don’t we start easy. Tell me a little bit about who you are and what it is that you and Atlantic Data Forensics do.

Brian Dykstra: (03:48)
Sure. Brian Dykstra, I’m the CEO of Atlantic Data Forensics. We just celebrated our 14th anniversary here at the beginning of the year, still hanging in there going strong.

John Verry: (03:59)
Time goes fast, doesn’t it?

Brian Dykstra: (04:04)
Yeah. It just doesn’t seem…

John Verry: (04:04)
Makes you feel old. [crosstalk 00:04:02].

Brian Dykstra: (04:04)
It is. We do computer forensics for civil and criminal litigation mostly through law firms and their clients. Not the law firms themselves, but the clients of law firms. We do ediscovery, which is basically imagine you had to do forensics on 400 mailboxes all at once. It’s a large scale search and that sort of thing. Then we do that and the associated functions with incident response, data breaches, all that sort of thing. Then maybe the piece that makes us a little bit unique amongst other cybersecurity companies, is we also testify on a regular basis, in state and federal court. All my director level and above employees testify on a four or five times a year basis. Some of them do four or five times a month.

John Verry: (04:57)
Would that be considered a certified expert witness?

Brian Dykstra: (04:59)
Yeah. Well, I don’t know certified necessarily is the term that would apply to it. But an actual court [inaudible 00:05:07] expert witness.

John Verry: (05:08)
Okay, because I was wondering if there was a certified because I testified recently as well. But I wasn’t certified, but they said I was somebody who knew a little something or something.

Brian Dykstra: (05:20)
Yeah. I mean, that can be anything from as simple as a deposition, which isn’t necessarily simple but as low key as something like that to actually a courtroom time in front of a jury or panel of judges or something like that. And we also do a lot of court-martial cases so, we’re often in front of court-martial boards and so forth.

John Verry: (05:40)
Cool. Sounds interesting. It sounds like you’re the right person to have the conversation with today. Now before we get down to business, we have this little tradition where we like to ask people, what’s your drink of choice? And you can answer that any way that you’d like.

Brian Dykstra: (05:51)
Oh, that’s easy. Balvenie 21 Portwood. I like a large cube and at least on a good day, three fingers worth of it. Don’t pour a lot.

John Verry: (06:01)
All right, Here’s the question. There’s a George Thorogood cut-over that happens and it says one bourbon, no scotch, one beer. Now Balvenie, I’m assuming that’s a peated whiskey.

Brian Dykstra: (06:17)
No, it’s actually a 21 year old scotch.

John Verry: (06:21)
Yeah. But you know, with scotch, some scotches [crosstalk 00:06:24] I was just going to say some scotches are peated heavily and some aren’t, right?

Brian Dykstra: (06:28)
Yeah.

John Verry: (06:28)
The ones that are peated I cannot drink.

Brian Dykstra: (06:32)
This is a speyside one, it’s not peated and it’s finished in a port barrel. So it’s got a little bit of that kind of a sweet sort of raisiney kind of undertone that you get from a port and that just happens to be my thing.

John Verry: (06:49)
Yeah. So it’s more towards the Irish whiskey side cause I can drink the Irish whiskeys, and I loved the bourbons.

Brian Dykstra: (06:55)
Yeah, Its older so it’s a little bit smoother maybe than the Irish is. But yeah, that kind of non-peated flavor, now I love a good peat too. If I could only have one for the rest of my life its definitely the Balvenie 21.

John Verry: (07:10)
Well yeah, we’re going to have to agree to disagree on that one. All right, so let’s go with that. So like I said, I mentioned when we were talking about prep for the podcast is I think forensics is one of those loosely used words. And I think it means a lot of different things to a lot of different people. And I think that’s cause there’s a lot more there to it than most people think. So let’s talk about that. Can we define it a little bit? Think about it in terms of incident forensics, network forensics, systems device level forensics. You talked about legal versus non-legal, kind of give us a sense of when we talk about forensics what are our options and what’s the right thing to be thinking about here?

Brian Dykstra: (07:44)
Yeah. So we use it for a whole variety of things, right? Most often probably in civil litigation cause civil litigation is the majority of the legal work in the United States, right? Folks from TV and stuff, getting a sense of criminals like this really huge thing. And the number of criminal cases are actually much smaller than the number of civil cases, which are a much larger amount of things. And it really gets applied across almost every type of law out there. So I periodically run into these attorneys and they’ll say Oh well, we don’t do any of that stuff. Really, you don’t have any clients with email or a cell phone. That’s, amazing. And of course then they’re like, Oh we did have that one big email. It’s terrible. And I’m like yeah, so.

John Verry: (08:33)
So is this analogous to like eDiscovery, the idea that there’s a case or some type of litigation, you need to gather evidence off of these devices?

Brian Dykstra: (08:39)
We do a lot of forensics that doesn’t involve eDiscovery. A lot of the forensic stuff is around what happened, when did it happen, how did it happen? Tell me the story of what went on, on this computer. Who took the files are the files on here? Did they send the files to somebody? Did this ever exist on here? Did they run this? Did they delete that? That sort of thing. It’s all about kind of like what’s the story of what went on, on this particular device, whether that’s a cell phone or a computer or something, things like that where the eDiscovery stuff tends to be much larger in scale. Usually forensics, we’re looking at a few systems, maybe a dozen at the outside or something like that, whereas in, eDiscovery, like I said before, maybe 400 mailboxes. But you’re just doing a lot of keyword searching and D duplication of files and things like that. You’re less telling a story than just pulling out everything that’s responsive to a set of search terms and things like this and making them available to the attorneys.

John Verry: (09:44)
Gotcha. So this computer level forensic stuff that you typically involved in, that’s happening usually posts what I would call, what I would call like network forensic. So they bring in a security firm, they start to look at this and they say, Hey, it looks like some malware came in. You know, they’re looking at firewall logs or IDs logs. They’re going to target and say, this particular system seems to be propagating. It looks like it came in this way. When that system’s taken off network and frozen, that’s when you’re called in at that point.

Brian Dykstra: (10:08)
Yeah. So we’re typically handling both sides of that. So we’re typically getting the log is from firewalls and sims and whatever other devices that they’ve got on their network, some end point or something like that. And quite often times we’re also identifying here’s the machines that we’d like to look at. We’re going out and acquiring those machines, whether they’re physical machines or VMs or cloud instances or whatever they might be, and making good decisions about what to collect versus what we don’t need to collect. There’s a real tendency in the industry to over collect, if you will, especially in data breach situations. Companies that come in and, we were going to collect all the instances or in all the computers. We could do that and you can do that pretty rapidly and you can run up a large bill.

Brian Dykstra: (11:03)
But quite honestly, you can’t analyze all that. And any kind of meaningful timeframe. So, if you have, let’s say you have, ransomware or something, which is almost like why collect it at all, but let’s say you had some form of malware and it was widespread through your network. And your endpoint logs or something told you about this, I don’t need a hundred copies of that malware, right? I need one or two samples of it so I can do some malware analysis on it generate some biopsies and stuff like that. So it doesn’t really make sense to collect at each and every machine. So you might end up doing partial collections. Maybe just the event logs from those machines or what was on those machines, things like that.

Brian Dykstra: (11:44)
So it could be a very nuanced sort of situation. They’re very fluid, got to make good smart decisions as you’re going along. What’s going to get me the biggest bang for the buck? Because there’s always a concern. How much does it cost?

John Verry: (11:59)
And I don’t think most people don’t understand that you can spend an awful lot of money and not get the information that you’re hoping to have be there just based on the nature of the beast. I do like your approach in that start small focus on where you’re going to get the most value. So from a value perspective. So you’re doing this forensics on these machines, what’s the typical, give me typical examples of why you get called in. There’s a potential breach and then… Real quick, the second thing is what are the specific objectives that you have, you know, what road are you looking for on that machine? What’s the goal of, of what you’re trying to accomplish?

Brian Dykstra: (12:33)
So we do a lot of intellectual property theft cases and employment law cases, things like this where you really are trying to tell the story about the computer. So your average intellectual property cases, two engineers and the sales guy decided they could compete with their current employer. Which you’re totally allowed to do. You just have to walk away, leave everything behind, and then go set up your own company. But people miss some of those steps in the middle of the cleanly walk away portion so the two weeks before they decided to go the sales guy downloads everything in Salesforce and the engineer’s grab every contract and template document [crosstalk 00:00:13:17].

John Verry: (13:17)
Any of the marketing materials. Yeah. It’s amazing.

Brian Dykstra: (13:18)
Right. And they head off and they either try and form their own competing company. Sometimes people actually formed their own competing company while they’re working for their employer, which is also a no, no, don’t do that. Remember Brian said, don’t do that… Type of thing. Or sometimes it’s actually the gaining employer. So the person that hired them, the next places person shows up with slide decks and materials and client lists and they’re like, Whoa, Whoa, Whoa. You weren’t supposed to bring any of that stuff with you. So now you have this situation, oftentimes companies do the right thing and they will inform the previous employer like, Hey, we didn’t want anything to do with this, but this individual brought a bunch of your material and and so on to the situation.

Brian Dykstra: (14:07)
And in employment law cases, that’s wrongful termination, sexual harassment, also workplace environment, things like that. We work with a lot of employers on that sort of thing. Unfortunately there’s a lot of, we call it specious claims out there, but that’s a good term.

John Verry: (14:24)
If I knew what specious was, I’d probably say something intelligent at this point, but without Googling it, I have no idea.

Brian Dykstra: (14:35)
Falsifying [crosstalk 00:14:35] Exactly true. So in any state in the U S you have about three years after your terminated or left your employer, whereas you can go back and sue them for any one of the number things or multiple things that are off the termination, sexual harassment, hostile workplace, all these sort of things. Typically what happens in those cases is an employment attorney will wait about a year, just long enough for you to get rid of the computer and the email accounts and everything else for that former employee.

Brian Dykstra: (15:02)
And then you’ll get sued and there’ll be a dozen emails that make it look like you’re the devil. And most of the time when the company that has to defend themselves against that, they’re like, Oh geez, does anybody know? Do we still have that mailbox? Of course you go to IT. And they’re like, why would we have a mailbox where a person that was fired a year ago and where’s this computer? I don’t know if [crosstalk 00:15:27].

John Verry: (15:29)
Joe in accounting is using it.

Brian Dykstra: (15:30)
Everything cast off. We reformatted it and gave it to somebody else, you know whatever it is. So you’ll lose a lot of that data. So we ended up doing forensics on those, those situations too. And try this.

John Verry: (15:44)
I’m sorry, I need to pick up, two questions here. So when somebody leaves a high value proposition position.

Brian Dykstra: (15:52)
Sure.

John Verry: (15:52)
Vice president of sales and a major organization or someone [crosstalk 00:15:56]. We typically advise our clients that, especially if it ends on a unusual way that it’s not a bad idea to actually freeze those drives. So even if you want to repurpose the laptop, if you take that drive you either directly forensically image it or you keep it in an evidentiary way. Is that a recommendation that you make and do you see a lot of people starting to do that now? Especially with the high cost of eDiscovery and you want this ability to protect yourself during litigation?

Brian Dykstra: (16:25)
Sure. So yeah. So much so that we actually have a program just for this, how would I say programming like a process, not a thing. It’s called safe departure a service mark on that and all that. So it actually started with our work with a big multinational at any given time. This multinational had about 300 employment law cases going on. Cause they’re huge. So it’s, 300 out of a giant company is not that abnormal. And what we had was a pattern developed in these things, which was they were commonly sued by people that were director level and above. So again your SVP of sales and things like this. And then the other area where they were commonly sued was by people that had been terminated for cause.

Brian Dykstra: (17:12)
Right. There’d been some sort of dust up and they’d been terminated and then frequently in their most senior executive pool the executive VP of sales or global sales or whatever it might be. They tend to be getting into some hard feelings when those people would leave about where they were going and, customers and things like this. So there tends to be a lot of litigation around those. So we actually put together a program that we now use with HR directors and stuff all over the place where as soon as you know somebody is going to be terminated, ideally before they’re terminated we just stop in make a forensic image of their laptop. We collect up their mailbox any network shares. They have if their social media accounts associated with their job, we’ll go ahead and pull all that material too.

Brian Dykstra: (18:02)
So we kind of have the entirety of the collection of the data that person works with and we store it. Nobody looks at it, nobody does anything with it. It goes into evidence, storage, gets bagged, tagged, all that sort of stuff. And it gets stored away for that three year period. And hopefully nothing ever happens. We never hear from it again. Everything’s fine. We all go about our business, but we find about every 20th one.

John Verry: (18:28)
there’s somebody that’s up to no good. [crosstalk 00:18:32]. We all have those stories we can tell.

Brian Dykstra: (18:33)
Six or eight months later or sometimes it’s as little as three or four weeks later where they’re like, Oh my gosh, you still got that right? They’re like, yeah, we’ve got it all right here. And they’re like, all right because, and then they tell us some crazy story.

John Verry: (18:45)
So it’s so funny you should say that because you know I mentioned earlier that I had once been an expert witness in a case and the case was exactly that. It was the vice president of sales drained the Salesforce took all of the intellectual property all the marketing materials and went elsewhere and went to a key competitor. And it was interesting cause they had all of the forensic information, someone like yourself had done all that work for them. And our role was to show that they had done such a poor job of protecting the information. So literally there was like 50 Salesforce administrators with full access to the entire sales, worldwide global database. So it is an interesting thing. Interesting stuff. So where is the potential value props? Like someone listening to this, they’re just running a small to medium size enterprise, where would it be potentially valuable for them to… When would it be potentially valuable for them to engage a forensic person?

Brian Dykstra: (19:45)
I mean, ideally nowadays you want to know me in advance, so because 50% of the time it’s going to be litigation type stuff. You’re in business for any period of time and there’s just no way of avoiding it. Right. Sooner or later it’s going to happen, but the other 50% of the time it’s going to be some sort of data breach or a third party data breach or whatever that that ends up affecting you and things like that. So, it’s good to know, a computer forensics answer response provider ahead of time. More importantly, it’s important to, bring us on board with your insurance carrier as more and more people are starting to have cybersecurity insurance that’ll take care of a lot of these sort of problems. Also DNO and Air and emission insurance and stuff like this will cover for some of these investigations, things like this.

Brian Dykstra: (20:37)
So it’s a matter of just going, okay, well we know the dynamic data forensics and they’re going to be our chosen provider and while there’s nobody’s hair’s on fire and there’s no incidents going on or anything else, letting them know, Hey, we’re going to use these folks in the future if there is a problem, we’ve talked to them, here’s their rates, all that sort of stuff we worked out the [inaudible 00:20:56] So you’re just sort of prepared and you know when it makes sense, what you should do. Like I said, for folks that are doing safe departure with us. The HR department knows about it, the IT department knows about it, and it just becomes a standard thing they do. It’s just a standard part of somebody leaving the company.

Brian Dykstra: (21:12)
It’s things like that. So it just work into the normal process. The other things, those are kind of a one off thing. The subpoena shows up in the mail or you know, delivered,

John Verry: (21:23)
No, no, please I’d rather not talk about that.

Brian Dykstra: (21:27)
Right. You know, or, the FBI knocks on your door is like, Hey, we’d like to look at a couple of things. It happens.

John Verry: (21:35)
Yeah. I’m going to call the attorney before I call you at that point, but I’m going to call you a second. I hope you don’t mind that.

Brian Dykstra: (21:41)
No, no. But I mean it’s good to have that prior relationship with us because obviously, in all those scenarios we can help protect the company. Yep. Which is the goal.

John Verry: (21:49)
Yeah. I agree completely. We usually, when we write an incident response plan, we’re trying to get all of that information into there and we would like you to look, you need to know who your attorney is or who your attorney is going to be. In the event of a breach or a breach notification, that nature, who you are, who your forensics partner is going to be. And I do like what you said about the cyber liability insurance company because some of them are… Play hard and fast with this concept of authorized response agents. And sure, if they’re not either an authorized response agent or they haven’t been approved and they start the investigation, they can technically obviate the coverage. And I’ve actually had a client have that happen, when they did their own investigation and cyber liability insurance didn’t cover the cost.

Brian Dykstra: (22:32)
Yep. No, I’ve been there on that. We work hard with all the insurers to stay on their panels and it’s, I wish it was a much more organized process, but unfortunately it’s not. But like I said, if you go to your carrier or your broker, when, there’s nothing going on and go, Hey, we have a relationship. These are the people we’d like to use. We’re comfortable with them. We’ve talked to them, and all that sort of stuff in advance and you provide them our information names and the MLS sort of stuff and the rates. They’re usually very accommodating. Oh well you know somebody you want to use them, they’re near you, they fit into our [crosstalk 00:23:09] . Great. That sounds wonderful. They had the necessary experience to do this.

John Verry: (23:15)
If they see you here, this is what you do. I haven’t had any problem having to get anybody sort of approved to that process.

Brian Dykstra: (23:21)
Exactly. It’s a constant challenge though for a forensics and puzzle [crosstalk 00:00:23:30].

John Verry: (23:28)
Oh, we’re in information security, would you expect it any less than a constant challenge? Isn’t that the definition of this field.

Brian Dykstra: (23:34)
I feel like they ought to give us a letter that just says, remember you certified us. But they don’t. It’s even less organized than that.

John Verry: (23:43)
All right, so you’ve seen a lot of crap in your day. Like us where you get called into incidents. So think about this, you can analogize it to a fictional character or a real character who would make either an absolutely amazing or horrible CISO and why knowing what you know. Someone said Elon Musk recently because he was so open minded. What would be your answer for that?

Brian Dykstra: (24:09)
It’s weird because I have CISO’s that are all over the map.

John Verry: (24:16)
I think that goes without saying.

Brian Dykstra: (24:19)
I don’t think there’s, there’s any one perfect way to run an organization. What fits for your organization doesn’t fit for the next organization and stuff like that. And unfortunately folks think that well a company has huge revenues so obviously they’re super secure and stuff like that, which is not the case. Don’t care how many billions of dollars you make. You didn’t get that way through organic growth, they probably acquired hundreds of companies to get there and that causes problems. So that’s an interesting question cause I have some CISO’s that I work with, they’re very organized, compliance oriented checking the boxes, using lots of frameworks sort of thing. And that’s how they manage their operations and it’s successful. I have others that are, I would say come up out of the more SOC technical background environment. So they tend to focus on their specific control sets and things like this.

John Verry: (25:24)
So those are going to follow… So it’s so funny cause I can see the same people in my world. Right? You’ve done it with the people that come at it from the ISO 27,001 COBIT side. You’ve got the people that come in from the CIS critical security controls. They’re super techie guys. And then you’ve got the last one that I hope we’ll both agree is the worst CISO is the product collector. Like when you ask him what his information security strategy is, he tells you his product strategy. Okay. So we’re on the same page there.

Brian Dykstra: (25:52)
Yeah, We just handle a large, large, large breach during the holidays. And it was just again, multibillion dollar company, hundreds of thousands of employees, every product under the sun, none of them properly installed, none of them properly managed and, [crosstalk 00:26:16].

John Verry: (26:17)
Inadequate training on each of them. Not enough people to operate all the tools.

Brian Dykstra: (26:20)
Yeah. And IT staff that was a fraction of what it should have been for a company that size managed by frankly a CISO that thought he knew a lot more than what he actually did. And There’s plenty of stories out there about CISO’s that are utterly unqualified for their jobs and somehow rose up in the company just by virtue of being there I guess or knowing, so I don’t know how that happens.

John Verry: (26:44)
I mean we are 1.7 or 3 million people short depending upon which a which study you see. So you’re going to have… I love the old line. Anytime you go to a doctor, I’m always reminded that 50% of the doctors graduate in the bottom half of their class. Same thing for a CISO. So last question for you. So based on, You and I, same kind of people and we’re having everyday conversations, right? And this podcast is listened to by both some technical people and some people that are more on the business side that are trying to become good governance people. Good people to manage that risk. What would be an interesting topic or two you might think of for another episode, things that you see people struggling with things, questions that you’re being consistently asked.

Brian Dykstra: (27:27)
The two biggest pain points I have right now with companies, and maybe it’s three…

John Verry: (27:37)
And you think long enough it’ll become four.

Brian Dykstra: (27:40)
It’s definitely no more than three. So lots of companies talking about a two factor or multifactor authentication, much fewer companies actually implementing it then needs to be done. And that just that that eliminates everything from the danger of fishing to, account takeover, you just have so many excellent benefits. And, unfortunately I talked to CISO’s out there that are, Oh, we can’t do that here, it’s just way too complicated and our environment’s too unique. And it’s like, no, you’re not, you just running computers like everybody else.

John Verry: (28:19)
And anyone who’s in cloud, anyone… If you’re using Office365 and you are not using multifactor authentication, especially on the administrative level logins, you are in trouble.

Brian Dykstra: (28:30)
Well, the thing is we commonly…

John Verry: (28:32)
You’ll be meeting Brian eventually…

Brian Dykstra: (28:36)
At my number. The common thing we hear is, we’re so large it will be too hard or we have so many [inaudible 00:28:45] It’d be so hard it isn’t. And the idea that like, Oh, the user base will never accept this. I actually had a CISO recently tell me, Oh the IT department will fight me on this. And I was like, Oh, the IT department. I was like, Oh, I would pick two of them, fire them and make an example of those two and then everybody else would get on board. But yeah, so you get all these weird things and, and the reality is people are much more accepting of a multi-factor, two-factor authentication department cause they’re, experiencing it, they’re experiencing it on Facebook and Gmail.

John Verry: (29:22)
I think there’s an expectation.

Brian Dykstra: (29:22)
There’s a gaming site now that require it like you can’t be on our site unless you do… So it’s just becoming a more standard thing. So, that right there would take care of a ton of things. Logs. Nobody has logs, nobody has logs and I don’t care if people are doing, like you don’t need to buy some fancy SIM and all that. If you’ve got the money to do it. Please do. That’s awesome. [crosstalk 00:29:48].

John Verry: (29:46)
But use Greylog or Kiwi, right? I mean, anything. Give me something.

Brian Dykstra: (29:50)
Anything that’ll collect some logs and I don’t even care if you look at it. I mean, I don’t care if you run, threatened, blah blah. Just let it sit there and never look at it. But you have it right. It’s better than not being able to tell at all.

Brian Dykstra: (30:04)
And then the last thing is kind of weird. It’s UIP fencing or blocking and there are a lot of buddies. So many intrusions could be prevented by simply enabling those little bits of rules in your firewall that say, Hey, I don’t only need data from China or Russia or I do no business in South America, so I just don’t need to accept packets from there inbound or outbound. Well that, that prevents just a whole lot of things from being successful. On people’s networks.

John Verry: (30:41)
Yeah, I agree with you completely. It’s funny you should say that because I think geo gating is one of those things that people just don’t… And we literally just went through this exercise in a law firm we act as the VC for, and it’s great cause their firewall allowed you to break it down actually with Mimecast allowed you to break it down by individual country.

Brian Dykstra: (30:59)
Yeah.

John Verry: (30:59)
And it was so cool. What we did was we just slowly, we just said, okay, let’s just start with the [inaudible 00:31:04] network and France. Let’s start with Bulgaria. Let’s start with the Russian Balkan areas that are known for hacking and we live in it just every week we would turn off two and we would just monitor complaints and literally I think we were able to get down to, we were able to cross off like 140 strange countries.

Brian Dykstra: (31:21)
When you actually look at your white list afterwards you go, Oh I have like 14 maybe 16 countries total [crosstalk 00:31:29] from. It’s like it’s going to prevent every attack ever. It’s just reducing the attack surface by so much. And it’s just the freest, easiest thing you could possibly do.

John Verry: (31:41)
The other thing I like too is that I like increasing… And I’m an engineer by trade. So you like higher signal to noise and really what you’re doing is you’re pushing 50, 60% of the noise off. So if there is signal, the chance that you’re going to catch it is going to be a hell of a lot higher. So all three good ideas. Actually two of them are already on the calendar and I’ll add the last one. So before we say farewell, how can folks who might want to get in touch with you, get in touch with you, what’s the best way to do that?

Brian Dykstra: (32:09)
You can call our main office number, which is (410) 540-9000 and you can leave your name there and we’ll get right back to you. We also have an emergency after hours number that you can get to right there. So if you’ve got one of those, Oh my God, Oh my God, my hair’s on fire sort of thing. You’ll be able to get to that right there by, by clicking on that. And then of course our website is, AtlanticDF.com and you can reach us through that. Email us we don’t hide, we’re easy to find.

John Verry: (32:45)
I’ve never had a hard time getting in touch with you and everyone.

Brian Dykstra: (32:47)
Yeah.

John Verry: (32:48)
So I appreciate that. Well Brian, thank you so much. I appreciate you coming on and kind of sharing your thoughts on forensics. I know this is going to be helpful for the folks that are listening, so thank you.

Announcer: (32:58)
You’ve been listening to the virtual CISO podcast. As you probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered or you need some help, you can reach us infoatpivotpointsecurity.com and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.