Joe Kingland - CEO at Blue Team Alpha

InsurSec Podcast

Transcript

Introduction to Podcast and Guest

00:00:03
Speaker
Your federal seemed to invent your conversations at the intersection of cyber security, risk management and cyber insurance.
00:00:19
Speaker
Welcome to the InsurSec Podcast. You have your host here, Ryan Dunn. Abe Gibson is absent on this episode today. Today, we have a very special guest. He is the CEO and co-founder, correct? Yes. And co-founder of a great cybersecurity company called Blue Team Alpha. I'm very familiar with their firm and their team there. They have a fantastic,
00:00:48
Speaker
team and on the podcast is Joe Kingland. He is a bourbon lover, but also a man. If you would give him a hug, hopefully he wouldn't squeeze too hard because he'd probably snap you in half.
00:01:07
Speaker
It's great to have you on, man. We'd love for you to introduce yourself to everybody listening and would love to learn about your background. Where'd you start? How'd you get into what you're doing and where you're at now and what you guys are focusing on?
00:01:23
Speaker
Yeah, absolutely. Thanks Ryan for the introduction.

Journey from Navy to Cybersecurity

00:01:28
Speaker
Yeah, so I'm Joe Kingland. I'm the CEO of Blue Team Alpha. We started Blue Team Alpha back in 2018 to help companies prepare for and respond to and handle
00:01:41
Speaker
cybersecurity incidents. So we do a lot of incident response and a lot of other services since we started with the incidents. So my background is I started in the Navy. I was a submariner stationed in both Connecticut and in Washington state doing
00:02:05
Speaker
computerized weapons. So I was a fire control man. I was enlisted, I'm an enlisted man, and really got a good start in information security at, you know, at that time in the Navy, and then came out of there and started consulting
00:02:25
Speaker
you know, long ago now. And then I ended up getting picked up by a company called Anytime Fitness, which at the time had about a thousand gyms across the United States. And we ended up building just a crazy
00:02:50
Speaker
a large conglomerate of companies. By the time I left, we had 4,000 locations in 30 countries. I was the chief security officer for all the brands, including headquarters. Did you get a free gym membership with that?
00:03:09
Speaker
You know, I did. I did. But we also had like a body waxing. And I got no free. What services? Yeah, no free waxing. Yeah, that's I don't know, man. I don't know how they recruit any talent if they're not gonna include that.
00:03:39
Speaker
We started doing a lot of really interesting stuff. We got into selling franchises and real estate and all sorts of things. I spun out of there in late 2017 and started Blue Team Alpha in 2018.

Impact of COVID-19 on Cybersecurity Needs

00:03:54
Speaker
Yeah. That's super interesting and great timing. It's a pre-COVID company, starting to focus on cybersecurity, and COVID really, as we all know, COVID really
00:04:05
Speaker
brought out cybersecurity and cyber insurance. Yeah, that was a crazy time. 2020 was pretty wild with all the companies that were trying to figure out how to enable their workforce to work remotely. They literally couldn't have it in the office. And there are a lot of companies that did not do it securely. Even managed service providers that were doing work for clients that
00:04:33
Speaker
didn't do it securely. And there were a lot of hacks in 2020. That was a busy year for us. Yeah. Yeah. And that was the time when every MSP is like raising their hand like, oh, we do cybersecurity. We do cybersecurity.
00:04:55
Speaker
Then you come to kind of figure out that they've got some kind of a fractional chief information security officer who, when you look at their LinkedIn about six months ago, they were a salesperson.
00:05:14
Speaker
But yeah, they're a salesperson and a fraction of what they know is security. Yeah, they're really just an implanted sales guy. Yeah, that's interesting. That's crazy you're a submariner. I think you've told me that in the past. But I had a friend that was a submariner in the Navy and he told me that
00:05:39
Speaker
When he laid down, the bunk on top of him is like right on his nose. So is that true or was he just fooling with me?
00:05:46
Speaker
There's not a lot of room. I mean, it's not right on your nose, but you can't sit up. There's no way you could sit up in the rack. If you need to actually be upright, you got to get out. It's just not happening. There's enough room where you can roll over. I was almost envisioning it's like, so you get into your bunk and you kind of just pick a position and stick with it.
00:06:17
Speaker
Shout out to everybody, like, hey, are you rolling on your right side tonight or left? Like, what are we? Right? Yeah, well, and a lot of people, when you first get there, you don't get a bed, you know? Like, if you're lucky, you're hot-racking. But if you're unlucky and you're brand new, you know, you're usually sleeping on a really thin mattress on the floor.
00:06:45
Speaker
When I first got to my first submarine,
00:06:49
Speaker
Um, I slept on the floor, right. Um, forward of the Blackwater tank, um, in the bottom of the missile compartment right next to basically the first, what would be the first stage, um, rocket on the, on the intercontinental ballistic missiles. That's where I, that's where I slept. And you got woke up every hour when, you know, some, some roving patrol had to go and check a gauge, you know, to see how full the tank was.
00:07:22
Speaker
It motivates you. It motivates you to get your work done and learn how to operate the submarine so that you can earn your way into an actual bed.
00:07:40
Speaker
Thank you, sir, for the bed. That's wild. I have an uncle that was in the special forces. I always find people that were in the military and they had some competency around them end up becoming pretty successful leaders for companies.
00:08:05
Speaker
And so naturally I see that you're, you know, you're CEO leading a cyber warfare company. Yeah. Really. And that's exactly what

Understanding Cyber Threat Tactics

00:08:15
Speaker
it is. And you know, you, you and I have, I've talked about some stories that you got. I mean, we were talking at the NetDiligence conference back in May and you were saying just wild stories about how these threat actors think and what they do.
00:08:36
Speaker
And I just, I think it's wild, you know, you brought the kind of the human side element out of how they think and operate, but yeah.
00:08:46
Speaker
Yeah, they certainly have their tactics and their strategies and what they're trying to accomplish and how to do that. We've got playbooks that they're running. And just trying to start to see where they're making their moves, how are they
00:09:15
Speaker
interacting with the information, the network, and those kinds of things while they're in. Because they really don't want to get caught. They want to surprise you when they want you to know that they've been there. They don't want to get caught midstream. They want to exfiltrate data so they can try to hold that ransom from you and lock all your systems up.
00:09:42
Speaker
At a time that they choose. And usually, if you find them before then, they're not overly pleased, because they likely haven't gotten everything done that they wanted to do so that they can get a good return on their effort. Yeah, I'm so, you know, I'm so surprised that they're pissed off they got caught. Yeah, yeah. Joe's over here making friends.
00:10:12
Speaker
Does that happen often where you catch them midstream? Most attacks are caught at some point. The earlier that they are caught, the less damage happens and the less they can do. If you think of a cybersecurity incident is really
00:10:40
Speaker
can be something just as small as some credentials leaking or somebody gaining unauthorized access somewhere. But if that is caught rather quickly, they haven't really done much. And so you're not going to hear a lot about those little what we would call bumps in the night.
00:11:04
Speaker
until they really become something big. But we have certainly worked on incidents where something happened and there were anomalies. They might have reset the phone server on accident.
00:11:27
Speaker
Everybody's desk phones all reboot at the same time, you know, things that are noisy, that catch people's attention, and, you know, then they can go and start looking at things. But we've also had instances where, you know, they're in the middle of their attack, where they're starting to, you know, pull some data out and some of those kinds of things, and, you know, they start
00:11:55
Speaker
really flooding the internet pipe and it slows everything down. And again, that causes people to look and see, oh, well, let's go in and check the system and see what's going on. And then they really see, oh, there's
00:12:10
Speaker
There's a lot of data moving out of here. This isn't right. Yeah, exactly. It's going to someplace in Russia, right? Not many clients in Russia. Or even some cloud services, right? They'll upload them to some cloud services.
00:12:35
Speaker
Most of the time, the IT people know what cloud services should be in the building, you know, what people are using, so they'll find something there. Yeah. Now, when you guys are, you're predominantly operating with, like your clients are just like end user businesses, right? Or typical clients.
00:12:56
Speaker
Now, are you guys operating as just strictly like security provider or are you also like an MSP as well? Like where do you guys sit whenever you're working with companies?

Blue Team Alpha Services and Strategies

00:13:08
Speaker
Yeah, so we're not like an IT MSP.
00:13:14
Speaker
the people that do speeds and feeds and printers and all that kind of jazz. We partner with a lot of MSPs because we don't do that kind of work. And most of the MSPs don't do what we do either. They're not going to fly in a team of specialists on a ransomware case to go and bring everything back online.
00:13:42
Speaker
But we do have some managed services. We have a managed SOC service. We have a managed service that we call Alpha defend, where we basically help companies write their plans or incident response plans and their policies. Then we actually will actually do tabletops with them, coach them, teach them, walk them through events and teach them how these things go. Who has to do what? So if it ever does happen,
00:14:12
Speaker
The response is very timely. That's super important. Speed is absolutely critical in these events. That's so true. I can't stress enough. I don't know why
00:14:26
Speaker
People don't talk about this more, but I think tabletop exercises are absolutely crucial. I don't know if it's the word that doesn't hit. I just feel like it's not done as much as it should be done by a lot of companies. Maybe they'll do it once every few years.
00:14:48
Speaker
You need to be doing it and you need to be incorporating the insurance policy in that tabletop exercise. Absolutely. People should absolutely be doing tabletops and their incident response policy needs to also call out their insurance and their insurance carriers and when
00:15:10
Speaker
you know, when in an incident is it appropriate to call your insurance company. Number one, it's not always appropriate to call them, you know, smaller things. Or, you know, you certainly don't want to call them first. Like, you know, a lot of the carriers out there are going to tell you, well, call us first if you get an incident, right? But that's like calling your insurance broker when your house is on fire. Like, you know,
00:15:38
Speaker
That doesn't make any sense. If you have a real incident, call the cyber security professionals. They're going to come in and help you. Hopefully, in the perfect world, you've got some money on retainer. And you know who you're going to call. And they're written into your plan. And then you practice that plan. Practice that plan at least once a year, just because these things are
00:16:08
Speaker
way more common than natural disasters. This is way more common than people realize and think. I mean, Veeam did a survey of like, I think it was 1300 or 1500 organizations. And of the, this is a wild statistic, but of those that were surveyed and they were asked point blank, have you had a ransomware attack? And 85% of the respondents
00:16:37
Speaker
said yes. Now, that could be because people after they have a ransomware event
00:16:46
Speaker
figure out how critically important backups are. It happens to be a backup company, right? You know, so we have the back and backups are huge. They're an absolute, they are a business saver. When you do have actual real backups, I think about the time we were talking,
00:17:11
Speaker
in May, we were working with a company that thought that they had backups.
00:17:18
Speaker
Um, but in all reality, and they were, you know, it was supposed to be on and automated and all this stuff. And in reality, I mean, there was a cloud backup service and it hadn't run in months and months and months. And it also had, like, a time limit. So after so long, those backups were deleted. So they literally had
00:17:43
Speaker
No, no backups at all. And even we ended up we did have to get the decrypter in that in that case, you know, so you're paying, you're paying basically cyber terrorists to get a decrypter. But because of how the criminals encrypted all of the data and the computers, even with the decrypter,
00:18:11
Speaker
uh, they were not able to get their data back with just a decrypter. So even though they paid for it, the decryptors were, were, it would bomb it. I was just about to say bombing or like actual data was the actual data was corrupted to the point where the decrypter wouldn't wouldn't work. And they, they, how much does that run for typically on those decryptors? Is that like a,
00:18:38
Speaker
In terms of money? Yeah. Oh, well, I mean, that's what they're setting the ransoms to, right? I think, you know, if you look at average ransoms, you know, today, you're, you know, in the hundreds of thousands. They're starting, even for small companies, the initial ransom amounts are normally, like, it's not uncommon to see them in, you know, millions.
00:19:04
Speaker
Yeah, this is yeah, obviously negotiate that down. You know, and that's that's what firms like us do is well, you know, we'll start removing leverage and and really negotiate the price. But PSA
00:19:21
Speaker
back up your data, make sure it's backed up, make sure it's your data to make sure it's backed up. Make sure people test their backups. Yeah, make sure that they test those like this every once in a while, just go in and and pull and pull a pull a backup because at the end of the day, you're you're looking to bring the business back online, right? These events that the business is is usually completely or
00:19:47
Speaker
or partially offline. It cannot serve its customers. So the real thing to focus in on is making sure that you can restore these services, even if it's not perfect. We do a lot of incident management, which is looking at the problem holistically. So you're looking at the business is down,
00:20:13
Speaker
We need to get the business back online right so that they can service their customers. We're going to use, we're going to use technology and and and maybe tweak some processes or procedures in order to do that, but really, they
00:20:30
Speaker
if they are testing their backups, if they have, you know, if they're doing some tabletop exercise, do, you know, a tabletop exercise, like once a year, those kinds of things that that's going to save that business so much time. I'm talking, you know, you can go from, you can have the business back operating and functioning in a couple of days, or you can have the business back online and functioning in like three to four weeks.
00:20:57
Speaker
It's a massive, massive difference.
00:21:07
Speaker
People need to soak that in a little bit. Imagine not being online or completely operational for weeks at a time. Weeks. The average service disruption due to a ransomware attack is 21 days. Talk about you're not able to operate for 21 days, so 21 days of gap, but then the repercussions from that
00:21:33
Speaker
Or, I mean, think about that, you know, it's insane. That's not our average. Because of how we attack this, our average is five. But even with five days, like, five days is still a pretty
00:21:49
Speaker
a pretty sizable disruption that most of the time you have to explain to your board, to your customers, those kinds of things, and really try to save the organization's reputation.
00:22:04
Speaker
Yeah, and I think this is something that you guys talk about at Blue Team Alpha a lot, but something that can also bring down that response time. Response time is huge as you've iterated. It goes from
00:22:26
Speaker
Hey, you're trying to, if you do have an incident that happens, it goes from, Hey, we need to bring in this IR firm that the insurance carrier is asking us to bring on. Right. And they have to get up to speed on everything and learn every single technology that you actually have implemented because you've probably not accurately described your stuff on your insurance application. So there's a discovery period. Um, and, but you guys at Blue Team Alpha have this, uh,
00:22:55
Speaker
theory that like, hey, put us in the IR on your insurance policy. Yeah. Yeah, absolutely. Through scenarios, they can get access to retainers, whether they're paid retainers or even zero dollar retainers, where we can come in
00:23:19
Speaker
at least get some documentation and understand the company in very basic terms, but also provide you with all of the letters and documentation to be able to talk to the carrier and say, hey, we took the time to pre-select a company to help us in the event of a cyber incident.
00:23:48
Speaker
You know, it's Blue Team Alpha, and if it's a carrier that knows us and, uh, you know, we've already had approvals with, you know, usually that's all it takes. And then you can actually call us directly, right, call directly right away, uh, when there's an issue, whether it's small or big. Yeah, you know, it simplifies kind of the response. 100%. And I think that's a big differentiator of what you guys are doing, you know, for everybody listening, like
00:24:17
Speaker
I have talked to Blue Team Alpha a lot about this. They're on panel for several carriers. And if you're an insurance agent and you're selling the cyber insurance policy to your customer, one thing that you really want to get in front of is their cybersecurity response team, if they have one. Most likely, they just have an MSP.
00:24:46
Speaker
If they don't have a security team, then working with a team like Blue Team Alpha that's on the IR panels of carriers and getting them on retainer ahead of time is a huge value add to your customer that no other agent's doing right now. And so I try to educate agents on, hey, get the incident response team aligned with the insurance policy. And a good way to do that is to contact one that's already on panel with carriers, carriers, no.
00:25:15
Speaker
They trust, but I think that's a huge differentiator that you guys have and that you guys are preaching that I think insurance agents should be adopting more often.
00:25:29
Speaker
Yeah, absolutely. I mean, think if your business is offline, everybody's in the office, none of the computers are working, or most of the computers aren't working.

Fast Response and Military Insights in Cybersecurity

00:25:41
Speaker
Everybody's supposed to be working, but they can't.
00:25:47
Speaker
you know, people start to figure out, oh, well, we got to, you know, we got to call in and get some help. I'll give you I'll give you a scenario from somebody that has
00:26:01
Speaker
you know, somebody like Blue Team Alpha already selected and ready to go versus someone that calls in to insurance, right? And then we get assigned via the panel. We had this happen in one day, we got two calls. The first call was from an insurance carrier and they had a client and insured that needed a response.
00:26:32
Speaker
So they said, this was, it was around noon. So they said, well, we'll get a meeting lined up with you guys and breach coach, um, you know, if you guys can take it, and, uh, you know, I think we'll have that, you know, either later tonight or, uh, you know, in the morning. This is at noon. He's talking about scheduling a call the next morning. Now,
00:26:59
Speaker
About an hour later, we got a call in from a retainer customer, and they had essentially the same thing. It was another ransomware case, the computers were off, it was all broken, but they had us on retainer.
00:27:17
Speaker
We did a scoping call 15 minutes after that to try to understand what was going on, so we knew what we needed to do to respond. We had flights booked within an hour, and our people were, like, landing on the ground and working, you know, later that night, you know, overnight, right? They started working
00:27:43
Speaker
immediately remotely. So we started getting access to systems remotely. We had people in the air that arrived in the wee hours of the morning directly to the client site, walked through their door. And
00:28:01
Speaker
Um, and they already had, and it started the response, the actual onsite response. The remote response was going, you know, at, uh, about, about an hour after our scoping call. And then the onsite response was about 12, 13 hours later.
00:28:19
Speaker
And then we ended up having the scoping call for the insurance carrier, you know, that following morning. Yeah. And then, and then did all the same stuff, basically for them, then you got to do the paperwork, you got to get signed, right? The
00:28:34
Speaker
the breach coach's got to sign, the carrier's got to sign it, the client's got to sign it, right? And so you get all the paperwork done. We still, you know, we got out there pretty quick on the insurance case too, but it was a solid 24 hour delay. Yeah, and that is crazy.
00:28:56
Speaker
Yeah, that is a lot of freaking time when it comes to cyber incident. I mean, any incident really. Can you imagine being the insured and being the client and sitting there and you're just twiddling your thumbs going, well,
00:29:10
Speaker
They're going to call some people and we're going to get this going at some point here. That is so crazy. I think if I'm an agent listening to this right now and I'm thinking of the retainer scenario, I'm a lot more comfortable
00:29:33
Speaker
you know, knowing that my client is going to have boots on ground, people on phone right away rather than having to go through carrier to get response time through that. I mean that, you know, that is a crazy long way to get something done when it comes to incident response.
00:29:49
Speaker
The other thing to note too is a lot of times the carriers aren't, they're not going to prefer that we fly out and get out there and get face to face with the clients. It's more time, there's expenses involved. You got hotels, you got airplanes, all that stuff.
00:30:10
Speaker
I'll tell you, we did remote only for a while during COVID. And we can still do remote only. We still do that for a lot of incidents for insurance carriers that don't want us to go on site. But the experience is so much better for everyone when you can look the people that are
00:30:36
Speaker
coming to help you in the eye and have real conversations in real time. And for the response team, it's so much more effective because you're able to use all of your senses. You can see, you can touch, you can go and follow things. You're not trying to talk somebody that may or may not be technical
00:30:59
Speaker
into, you know, take, show me the firewall. Let's do a FaceTime or something. And what's that cable there? And where does that go? All that stuff, right? Very, very slow, very inefficient. It's so much faster. It's such a better experience for everybody involved when you actually do go on site. And I find when I'm on site,
00:31:23
Speaker
People are able to pull me aside. I'm a business owner, right? Our incident commanders that go on these big ransomware cases all have business experience. We're not just technologists, we're technologists, but we also have business acumen and we can have real conversations about how to
00:31:45
Speaker
help the company get back to doing what that company does. And that is very difficult to do when you're not there. Very difficult. I don't know why, but I am fired up right now. Like that excites me so much to the fact that, you know, because I just can't agree with you more.
00:32:13
Speaker
You know, I think that's, you're trusting your heart and your brain on that approach when it comes to getting face to face with the client. They can see you, they can see that you're working, right? And it's more comforting that you have people there working late hours trying to get you going, get you back to life.
00:32:38
Speaker
And then, you know, not to make it heroic or anything, but it kind of is where, you know, we're out here protecting American businesses. Exactly. Yeah, that's our mission. And that's that exact thing. I mean, that that's what we're here to do. We know that the threat actors are most likely not American. You know, sure, some of them are.
00:32:58
Speaker
Very rare. I'm sure you've talked to many where you're like, you are not from America.
00:33:12
Speaker
You know, it's like, uh, it's not just, Hey, this is a business we're running. It's, you know, we're trying to, uh, stick our middle fingers up at the, at the threat actors from, uh, overseas and tell them not to mess with us literally.
00:33:31
Speaker
It's always good to have ex-military people in cybersecurity because it's almost like it's hardwired into your circuits. It is. And to be honest with you, about 70% of our operators, and actually I probably need to rerun the math on that because I think it's even more, are ex-military folks.
00:33:55
Speaker
We recruit directly out of cyber commands. We recruit directly out of three-letter agencies that do nation-state warfare. That's exactly who we go and get and target because
00:34:09
Speaker
They're the ones that understand cyber warfare the best. And that's exactly what this is. And then we take those folks to cyber warriors and then we pair the onsite infrastructure team. And a lot of them are ex-military as well. So we're all used to working around the clock. We're all used to
00:34:29
Speaker
going until the mission is fulfilled, right? It's about accomplishing the mission. The mission is to do everything you can to minimize damage and save the organization. Save that American business. Yeah. I love it. That's really good stuff. Now, have you guys had any recent incidents that you've, you know, that are interesting at all or crazy?
00:34:58
Speaker
Oh, they're all interesting. They're, you know, they're, they're all, they're all interesting in their, in their own ways, you know, but we have
00:35:08
Speaker
We have some where they were able to recover extremely quickly because of SAN snapshots and those kinds of things. Taking an entire business offline for the threat actors takes a while for them to put together. But when you're able to, say,
00:35:31
Speaker
bring everything back from what we call a SAN snapshot or a really fast backup recovery solution. And you can have that company back online within a day or two. Man, that really gets their goat. Because they know if the company comes back up, they lose leverage on how much they can try to, you know, try to juice you for further. Right. And then once the company's back up, then they're just talking about, well, we took all your data and what's that worth?
00:36:01
Speaker
You know, we don't pay for the deletion. Nobody pays for that because there's no honor amongst thieves. You could pay them, but there's nothing out there saying that they're actually going to delete it.
00:36:14
Speaker
So we normally recommend we don't do it. So those are great examples. We've had cases recently where the threat actor is found. They go looking for the insurance policies. They go looking for bank account statements. They go looking for these things that are usually on the network that they've infiltrated.
00:36:39
Speaker
So a lot of times when we start negotiating with these folks, they know how much money is in the bank. They also know what your cyber policy limits are.
00:36:53
Speaker
And I bet you guys can all figure out about where they set their ransoms. But they know the numbers. They end up knowing the numbers on that. So that's happened.
00:37:14
Speaker
you know, fairly recently as well where they they've run across the policy and they they're even they're even kind enough to send us a copy of it when we ask for it. Yeah, so we know that they have it.
00:37:31
Speaker
Yeah. If you're an insured out there, don't ask your agent for a copy of your policy. Just ask for the guy that's probably infiltrated your network. Exactly. Can you speak to them through the terminal of your computer?
00:37:48
Speaker
Yeah, you might even get it back faster. Yeah, you might get a better return. I suppose we're talking to agents here. I won't get too far into that. Yeah, right. But yeah, no, it's pretty wild. Just like that company
00:38:11
Speaker
Backups aren't the end all be all, by the way. Really, really, really interesting case that we had. It was a, it was a ransomware. It was a smaller office, like a 20, 25 person, little mortgage, little mortgage shop. And they basically got ransomed. They called their MSP. The MSP said, Oh, it's okay. We have great backups for you.
00:38:40
Speaker
And they, which they did, they came in, um, you know, the, the, the MSP, the, the IT guys, they all came in and they, and they, they worked, you know, for several hours, restored all the backups, kind of got everybody up and running again. Right. And then, so there you go. You got, you got, you're all set up, you're ready to go. You guys can get back to work doing your mortgage stuff. And we're, you know, we'll call us if you have any issues, we'll, we'll help you out. And, um,
00:39:11
Speaker
about a week later, they got hit again. But this time, they got into the backups, and they posted the backups too. Because they were upset, first off, that they didn't get paid on the first go around. But when the IT folks restored everything, they never actually got rid of the threat actor.
00:39:36
Speaker
he was still, they were still in there. So when they were logging into all these backup systems, they were stealing all the credentials to get into the backup systems. So then they could just walk right back in.
00:39:50
Speaker
Right. And then now they had additional access into the backup systems and, you know, have the ability to, uh, to remove those too. So, you know, backups, backups, while we talk about them being critically important, they're also not the end all be all, you know, you still, if something happens like this, you still really have to have cyber professionals, uh, come in and help and make sure everything is sanitized. Uh,
00:40:17
Speaker
You know, ninety-nine point seven, I just made that statistic up, of MSPs do not have cyber professionals, yeah, that are capable of really giving you a clean bill of health. Yeah, it's so true.
00:40:34
Speaker
You know, that's just like, you know, we can't do a lot of the things that they do. If you want somebody to go and help you set up your ERP system, we're not the people to call for that, right? You know, a lot of the MSPs will have really, really good folks that can help with those kinds of things. You know, but it's just really, really critical that
00:41:00
Speaker
that even in those instances that you get another party in there, you get specialists in there to really help take care of it. MSP, if there are any people here that have MSPs as clients, that MSP lost that customer.
00:41:22
Speaker
Yeah, I bet in short in short order, because they did not follow the proper processes to actually, you know, get the threat actor out and secure them. And, you know, we partner with a ton of MSPs, where lots and lots and lots of MSPs rely on Blue Team Alpha to come in,
00:41:44
Speaker
in these incidents and help out their customers. It's not the MSP's fault that this stuff happens. I think it speaks to the tried and true statement of like, hey, there's two separate houses
00:41:59
Speaker
When it comes to your infrastructure, you got the MSP side of the house, the IT, and then you got the security side of the house.

Specialization and Business Approach in Cybersecurity

00:42:08
Speaker
It's two separate functions. It's two different specialties. For agents out there, it's like being a property specialist versus a cyber specialist. If you run a company,
00:42:25
Speaker
don't say, oh, I got a guy, you know, for 20 years, I'm good. Like, no, that's not true. No, you need to have a site, you need to have a cybersecurity specialist on, yeah, that and some shape, you know, shape or form.
00:42:45
Speaker
Yeah, to your point, I mean, they're, they're two different houses. And, and even, you know, even in just cybersecurity, there are specialists in cybersecurity. You know, we have people that are forensics, you know, experts, we have threat hunters, that all they do is hunt threats, we have people that gain initial access, you know, penetration, penetration, experts, and
00:43:14
Speaker
We have infrastructure experts. We have people that do policies and procedures. We have GRC. These are all just specialties just inside of cyber. And that's like a small handful. There's an entire cybersecurity ecosystem that companies like ours interact with and are a part of.
00:43:39
Speaker
MSPs, they all have their specialties too. You have people that are, uh, workstation people, people that do virtualization, people that do storage, people that do network, like they all have their specialties too. Absolutely. Yeah, that's so true. You know, people that specialize in networks and networks is a whole other topic that we can go into. I, I love networks because, uh, it's super intricate. It's, uh, it's very difficult. Um,
00:44:07
Speaker
And so I love networks. I have a friend whose dad specializes in networks. He does some work for one of the three letter agencies. He goes over to the Middle East a lot. And I find it just fascinating. But we could save that for a bourbon on a cube or something. Absolutely. Absolutely. But yeah, man, I just find
00:44:36
Speaker
this topic and what you've been describing, super fascinating. I love that you guys are kind of shaping a new way of having companies think differently about their incident response. Don't just lean on the insurance policy for your incident response.
00:44:58
Speaker
an incident response team, just talk to them on the phone and get them on retainer in some form or fashion so that if something does happen, you have a team to point to that specializes in this, sees this every day.
00:45:15
Speaker
Yeah. And really, I mean, when you're talking to folks, make sure that they've got the perspective that you need them to have. Are they only focused on what the threat actor is doing and how to get the threat actor out and that kind of thing? Or are they focused on what the business objectives are? Are they taking a mission-based approach or an objective-based approach where you
00:45:42
Speaker
They actually take the time to understand what the business is, what it does, and how it operates so that in the event that you do have an issue, they can help build the strategy to not just recover the technology,
00:46:00
Speaker
but to actually recover the business. Technology is great and all. I'm a cybersecurity company, but at the end of the day, it's serving a function. It's supporting the business. What you got to make sure that you're focused on is the actual organization.
00:46:25
Speaker
and the people, the processes, and the technology that it takes to operate that business. Yeah, that's a great point. The technology is just the foundation. That's just the foundation of getting the company back up, but there's a lot of other factors and items that
00:46:45
Speaker
need to come into play to get it fully operational again. Right. I mean, just payroll, right? How payroll is processed. How do you navigate those challenges? Most incident response firms are not going to help you understand how to handle that. We got hit on Friday and we got to ship out payroll on Tuesday. We got that many days to figure out how to make payroll happen.
00:47:15
Speaker
Right, I think people really need this, 'cause it's like, shit, does everybody just need to get it, like a minor attack, to understand, like, how much digital
00:47:26
Speaker
infrastructure they rely on to operate their business? A simple exercise of, you know, like what do you use? And when everything ends in dot com, you rely on it.
00:47:46
Speaker
Right. Oh man. I just, you know, I tried to use, I've said this in other episodes, but it's phone or the wallet example. Like what would you rather lose your phone or your wallet? I'd rather lose my wallet any day. For sure. I'll walk off this podcast and throw my wallet onto the canal.
00:48:03
Speaker
Yeah. I'll still be able to operate for weeks without my wallet, but my phone, if I lose this one day of me without my phone, I've been off the grid. I'm lost. I've, you know, I haven't been able to make phone calls, my cards, nothing.
00:48:20
Speaker
Yeah, exactly. And, uh, even, even things like, like multifactor authentication, you know, to get a code or to receive a text message so that you can just log into your email. Right. By the way, everyone should have multifactor authentication on as many things as they possibly can. Cause that does stop a major amount of attacks. I mean, 90 plus percent of attacks can be thwarted just with multifactor authentication.
00:48:50
Speaker
But, you know, so I'm not saying don't do that, but it really does make your phone so incredibly critical in your life and how you operate, you know, but not only in work, but also just your personal life. Personal. Yeah, digital infrastructure. I think that payroll example really hits home because, you know, you have people relying on you and you're shut down and you
00:49:17
Speaker
Yeah, you start to realize like, damn, we really have a lot of dot com things that we rely on to get shit done. And I mean, you walk in a lot of times, we've walked into, you know, into organizations, I mean, like, the people are scared, you know, they're scared, they don't, the computer, all the computers don't work. You know, they don't, they don't know if the
00:49:42
Speaker
If the business is going to make it, they don't know if they're going to have a job. They don't know if they're going to get paid. There are so many unknowns and it's scary. The threat actors want them to be scared. They're doing that on purpose.
00:50:00
Speaker
They'll call into the main lines. They'll call people's phone numbers. We've had instances where we unplug someone's internet in their organization and the CFO gets a text message from the threat actor telling them to go and plug it back in or else. So it's that they want people to be scared.
00:50:26
Speaker
That's, you know, that it's really, it's really hard when you go, when you first get there, because everybody's, everybody's so worried, you know, even the people that we work with, you know, they're, they're concerned that because they got breached that, you know, they're,
00:50:42
Speaker
They may not have a job. People are maximum stress level. It's usually the worst day in their careers when you get to see my face. But it is what it is. And a lot of what I do and what our incident commanders do is we focus on the people.
00:51:11
Speaker
right? And make sure that they understand that we've done this hundreds and hundreds of times. And, you know, we have yet to lose an organization.
00:51:25
Speaker
we are really there to help them and to get them back on their feet and get them back going. And a lot of it is just working with people in very, very stressful environments. Yeah, that's huge. And then you give them a big hug at the end. Or they give you a big hug and they're like, holy shit, thank the Lord that you exist.
00:51:52
Speaker
Yeah, and the MSP, you know, their internal IT is like, shit, maybe we weren't all good. Yeah, and it's, a lot of times, yes, and
00:52:06
Speaker
They, there's a range, you know, some of them kind of blame themselves and some of them, um, you know, can, can see it a little bit more objectively. Um, and, and the reality is that a lot of times could they have done things better? Of course everybody can all the time. Right. But, but everybody also understands that.
00:52:30
Speaker
in IT and especially in cybersecurity, we can do anything, but we can't do everything. And there is no silver bullet. There's not budget to do every single thing that a company would want to do. That's just not realistic. And talking to CIOs and CTOs and even CFOs and CEOs,
00:53:00
Speaker
When you kind of explain that, as long as they have their main detection systems and their main response systems in and configured and ready to go,
00:53:17
Speaker
they're already well down the road. And by the time we leave, those things are always in place. We bring that stuff with us, and if they don't have it, we highly encourage them to keep it. So at least it helps going forward. Yeah, and I think you brought up something there, being prepared for the attack. I know we've been talking about that, and I know that's
00:53:44
Speaker
something that you guys help a lot of companies with. Like you're not just on the response time, response side, but you're also on the, on the, yeah, the prep side. And you guys do that through insurance and through not just, you know, correct.
00:54:01
Speaker
Yep, yeah, we yes through for both. You know, we have some insurance carriers that that that ask us to consult with their insureds and and and just, you know, give them some guidance and some advice. So we have, you know, some carriers that do that. But but even just
00:54:28
Speaker
organizations that come to us either because they know somebody or otherwise, they can also work with us to really get a good handle of where they're at and where they can improve.
00:54:47
Speaker
get their policies set, practice their playbooks, walk through, do those tabletops, do those things that are easy to put off. But man, do they help a ton when it's game time. Thank you. Yeah, I appreciate it. Thanks for having me. It's been fun.