Task Force 7 Ep.184: The Inevitability of Being Compromised

Co-Founder and CEO of Sevco Security J.J. Guy joins co-host Andy Bonillo on Episode #184 of Task Force 7 Radio to remind everyone that compromise is inevitable and that we need to get back to the basics. J.J. dives into how the lack of IT hygiene is at the core of many of the cyber security problems we face today and the latest trend of CISO’s getting tasked with running IT Operations. He also talks about the genesis of NIST CSF and how it was influenced by the US Air Force phrase “protection, detection and response”.

Task Force 7 Radio features insights and analysis by preeminent cybersecurity professionals on the most important cybersecurity issues today.

You can listen to Episode 184 on VoiceAmerica.

The following is a transcript of the segment with J.J.:

***

Intro:

The next hour will inform you on how cybersecurity is one of the most significant threats to our national security, as well as the battle that cybersecurity experts are undergoing every day on your behalf to protect you, your families and your data. Welcome to Task Force 7 Radio with your host, the President and CEO of Task Force 7 Radio and Task Force 7 Technologies, George Rettas.

Andy Bonillo:

Hello everyone. Welcome to episode number 184, Task Force 7 Radio, the Voice of Cybersecurity. I’m Andy Bonillo, pinch-hitting for George Rettas. I want to emphasize that the opinions I express to the show are my own, not that of my present or past employers, I’ll never disclose any sensitive intelligence that promotes to as a result of my current employment, I’ll never normally disclose any classified information related to industry clearances, I presently hold or have held in the past with United States government. And nothing I say during the show shall be construed as legal or financial advice.

Before we get started, I want to remind everyone, you can go online to the Cyber Security Hub and get a recap of tonight’s show and get other up-to-date cybersecurity breaking news at the very cool website, www.cshub.com. Cyber Security Hub is an online news source for global cybersecurity professionals and business leaders who leverage technology and services to secure their networks.

The media professionals of the Cyber Security Hub are dedicated to providing the latest industry news, thought leadership and analysis in the cybersecurity space. So again, check out a recap of tonight’s show and get other up-to-date cybersecurity breaking news, go to the Cyber Security Hub at cshub.com, that’s the Cyber Security Hub at cshub.com.

Andy Bonillo:

Well folks, we got the Co-Founder and CEO of Sevco Security J.J Guy on the show tonight. J.J is the co-founder and CEO of Sevco Security, which is an enterprise security company helping IT and security operations teams operationalize asset management.

Before Sevco, J.J. Was a CTO of JASK, the first cloud native SaaS SIEM platform acquired by Sumo Logic in 2019. J.J. was also part of the founding team at Carbon Black, where they created the first endpoint telemetry platform, which Gartner later branded Endpoint Detection and Response, right? The EDR industry.

Carbon Black’s telemetry enabled the industry to operationalize detection and response as part of the day-to-day operations at a speed and efficiency not possible with traditional DFAR tools. Before Carbon Black, J.J spent 12 years with various federal teams doing offensive network operations, where he built his security foundation in vulnerability research, exploitation, enterprise networks, and software development.

He’s been preaching about the inevitability of compromise since 2002. He’s excited the rest of the world finally recognizes this problem so he’s no longer that crazy government guy. He’s got a bachelor’s in computer engineering from Case Western Reserve University and a master’s in computer science from Johns Hopkins University. It’s my pleasure to introduce Co-Founder and CEO of Sevco Security, J.J Guy. J.J, welcome to Task Force 7 Radio brother.

J.J. Guy:

Andy, thanks. Appreciate you having me.

Andy Bonillo:

Yeah, man. Look, I’m super excited to have you on the show. Your background is phenomenal and I always love seeing people coming out of the military or the government that have just been at the forefront of dealing with adversaries and then making that transition into the private sector and really killing it. And man, you’re a shining star example of that. So I can’t wait to dive in. I love for you to just start out with just, what were you doing in the Air Force, and what was that time? And how did it help you transition out and what were your big lessons learned?

J.J. Guy:

Oh yeah, that is not a small question there, Andy. Thanks for asking for me.

Andy Bonillo:

We got time.

J.J. Guy:

Man, I’m super lucky. I got to join, let’s see, I started in the Air Force in 1999 and then just happened to end up in a security position. And that was luck of the draw in the initial assignment coming out of the Air Force personnel world. But that was a time when the Air Force was in the broader DOD. They were grappling with what we now call the inevitability of compromise, and we were recognizing the fact that the targeted attackers that continue to exploit the DOD systems, we couldn’t stop them.

And that was back in like ’99, 2000, 2001, 2002. In the commercial sector, we started to recognize that here, and I don’t know, call it 2010, 2012, somewhere along that kind of timeframe. And we were learning those lessons there 10 years before. That launched me on to a security path and I’ve never left.

Andy Bonillo:

Yeah. But it’s funny, right? Once you get that bug, he had how you, you latch onto it because the mission is just so great. Well, look, man, the work that you guys were doing back then, early on, before Mandiant was created and all this stuff, you guys are all in the Air Force doing different things. What was some of the big takeaways that you guys had in terms of whether technology or mindset or methodology that you took from your time there that you created, or folks you’re working with created and pull it out into the private sector?

J.J. Guy:

Right. The one that… Of course, there’s a ton. The Air Force is huge and there’s a lot of folks that are in industry today on the commercial side that came out of that same period of time of early 2000s Air Force. The one that may be as top of mind today for us is the continuous process of protection detection and response.

That was codified for most of us publicly, and what was that? 2014 when NIST published a cybersecurity framework? I first heard those words in 2006. I still remember that it was Greg Rattray. I think he was still active duty at the time in ’06. And what struck me and why I remember that is because we had spent the prior five years trying to articulate the challenge of operating a network when compromise is inevitable, and how do you even think about it, right?

That we were still in the mindset of static protections where security is a noun and coming to understand security is a verb. And that simple moniker of a continuous process of detection and response just tied it all together. And now, on the commercial side, I think we are still embracing that and coming to recognize it.

Andy Bonillo:

So you bring up a good point around the private sector being behind in this space. And I think there’s probably two parts to that I’d love to get your take on, one is the private sector, just like private sector security teams, and then there’s the executive leadership teams of companies that are making business decisions, as cybersecurity as a data point to drive their business. What are you seeing in the shift around executive leaders having to think about security differently, even when their security shops are now probably still behind? How we bridge that gap?

J.J. Guy:

So a lot goes into that. I think one of the major shifts is to recognize first inevitability of compromise. It’s not a matter of if you will be compromised, it’s a matter of when. And there’s a transition in here as well from… In the early 2010s, we’ve been doing security as an industry, as a commercial industry for a long time.

But in the early 2000s, it was mostly opportunistic attackers. Their motivations were scale of access. They were monetizing their access based off of stealing your bandwidth or compute cycles on your computer. They were running click fraud operations, spam operations, whatever. But the impact to those compromises was not to the business itself, but to third parties. Economists call that a negative externality and to the business, it was mostly an annoyance. And the level of investment in security reflected that well.

What’s happened somewhere around the 2010s, well, cyber criminals recognized it was cheaper and lower risk to steal credit cards digitally than it was to run drugs. And they started shifting their operations to cyber crime. Well now, they were figuring out how they could monetize that digital access and the impact of those compromises targeted businesses directly, and that’s changed the dynamics across the board.

Andy Bonillo:

So look, you’ve had a lot of success in your government time and you’ve come out and you’ve had a couple successful companies. Talk to me a little bit about how you got started when you transitioned out of the government and started your first private sector venture.

J.J. Guy:

Yeah. That was mostly luck and timing, man. By that point I was in DC working for a defense contractor, doing a bunch of spooky computer stuff with an awesome team. That was a very talented team that has spawned a whole lot of other companies, not just my own thread. I think of it all as the family tree and we got a big trunk there, and that was part of the trunk.

I ended up though, as the boss and the bridge between the defense contractor and the awesome team and it wasn’t very fun. I ended up getting married and moving away from DC, trying to figure out what the hell I was going to do with phase two of my career. And that transition between federal life and commercial life is really tough. I’ve helped a number of folks through it, if anybody’s listening to this and trying to go through it, reach out. I’m happy to help you figure out how to think through it.

But I ended up getting real lucky because a couple of guys that I’d worked with previously in that same team, Mike Viscuso and Ben Johnson, had left a couple years earlier and gotten something going called Carbon Black. And they were at the point where they were going to get some venture funding for it. And they knew I was in transition, we’d worked together before and they called me and asked me if I wanted to be a part of it.

That was late 2012 when we got that going and of course that was a great ride, we ended up getting acquired by what was then Bit9 in February 14, about 15 months after that initial venture round. We called ourselves Bit9 + Carbon Black for a couple of years. I’m sure you all remember that the brand guys called that forced reconsideration, to force anyone who was familiar with either brand to reconsider the new entity and the light of both, and eventually just became Carbon Black and IPO’d there in 2018 before getting acquired by VMware.

Andy Bonillo:

That’s a good run right there, brother.

J.J. Guy:

Yeah, it was awesome. The company just put some numbers to it. When Bit9 acquired a Carbon Black in February of ’14, that company was 120 people post acquisition. And when we IPO’d in ’18, I think we were about 1200 employees.

Andy Bonillo:

Good for you. So I’d love to… Look, we’re going to transition to another segment here a little bit, but I do want to give you a chance to chat a little bit about your current venture, Sevco Security. What problem are you solving there?

J.J. Guy:

We’re still trying to figure out what label to put on it. Asset management is the most generic thing that’s in the right direction, but that triggers up all the wrong kind of baggage associated with it. Fundamentally, I have long thought the next big thing and IT security is going to be an improvement in basic IT practices.

The more and more breaches we have where root cause analysis shows that it’s a failure to follow best practices of basic user and device management, the more and more pressure we’re going to see on doing a good job with the basics of user and device management. However, one of the things I’ve learned as a startup guy is that it doesn’t matter how right your ideas are, unless there’s critical mass of industry that agrees with you and is ready to invest money in solving those problems, you don’t have a business.

And I’m tickled because I think the window is opening on organizations being ready to invest in improving their discipline around something as simple as knowing where their devices are. We moved the needle once with Carbon Black on the industry, by allowing folks to operationalize detection and response in a way they couldn’t Encase and Volatility. And I am super excited to be able to do that same thing again, as an organization to operationalize asset management.

Andy Bonillo:

Yeah. And I think you’re a hundred percent spot on, and I got tons of questions for you around this space, because it is continuously coming up. So we’re going to hit that next, but all right, folks, we’re going to transition to a commercial break. So hey, if you’re a social media junkie, don’t forget to find TF 7 Radio in your favorite social media platform. Follow us on Twitter, LinkedIn, Facebook, and even Instagram, searching at TF 7 Radio. You’ll be connected to the extended team of seven family in your favorite social media platform.

Welcome back to Task Force 7 Radio, the Voice is Cybersecurity. We’re back with Co-Founder and CEO of Sevco Security, J.J guy. I got to tell you brother, that name is fun to say on the radio, bro. That really is awesome. Good for you. We’ve got to have you back just so I can say it more. I love it. So look, man, Sevco and what you’re trying to dial in, I’ve had this conversation with a few other folks in industry, and I think you are onto something here.

The basics are just so fundamentally important and companies are moving so quickly. But the fact that they just don’t know what they have is still such a big problem and so, how can we fight a battle when you don’t know what the landscape looks like? Right? We’re flying completely blind. And so I think you’re onto something here. What are some of the challenges you think you’re really solving for folks, and how are you guys tackling it at Sevco?

J.J. Guy:

It’s mostly a problem of complexity, Andy. We’ve been doing asset management as an activity in the IT shop for 20 years, it hadn’t changed. And the tools we use mostly haven’t changed. Meanwhile, the phase of enterprise computing has changed pretty dramatically. The tools we use today in the IT shop for getting an inventory of our assets and the ones we use for the compliance functions to point to the auditors, whether you’re regulated by the NIST Cybersecurity framework or the CIS Top 20 or ISO 27001, they all include asset management and have for decades, as a critical function.

And we point them to our vulnerability scanner or Active Directory, or some record like that. And say, here you go, we’ve got a good answer. But one of the things, those of us in the trenches recognize is that the data’s always wrong. No one believes the data in their CMDB, you always hear it’s somewhere between 40% and maybe 80% accurate. Nobody has confidence greater than that. And they all know that whatever inventory system they look at is reporting a subset of the whole.

Over the course of the last 20 years, we’ve had dramatic shifts in enterprise computing. Increase in mobile devices, 20 years ago, everything was a big beige box on a desk. Today, it’s all laptops, mobile devices, multiple devices per person, et cetera, et cetera, et cetera. You’ve got the degradation of the enterprise perimeter, the SaaSification of enterprise applications and all of these have dramatic… And in the cloud computing, right? I forgot cloud computing. They are dramatically changing the kinds of assets and the shape and motion of those assets across the enterprise, and the tools have not shifted.

At the same time, the business world has changed. Security has become a more important part of IT. As a result of the targeted attackers starting to target data that is critical to business function, and IT has become more and more important part of every business. That’s the whole digital transformation line. And all of that is continuing to put pressure on basic IT practices. And it effectively means what we did 20 years ago that was good enough then is not good enough any longer.

Andy Bonillo:

So look, there’s a few different ways to kind of solve that, right? If the assets that… The systems that are there are either not up to date or don’t have the right coverage. There’s, a few ways to kind of solve for that. And I’d love to get your take on how you guys are thinking of solve for it. But are you guys looking to, from an agent perspective, kind of leverage the data that exists within the company and aggregate it in a one place to figure out the asset inventory, or how are you guys thinking about it?

J.J. Guy:

So it all starts with first knowing something exists and having a good record, a comprehensive record in the aggregate that makes sense. This is not a new requirement, and this kind of building we see in the industry to the point where we’re ready to invest in asset management tool again, is also not new.

We were getting feature requests at Carbon Black, as far back as 2015 from clients asking us to do stuff like, “help me import all the list of machines from Active Directory and then make sure they’re running the Carbon Black agent on them because Carbon Black is a critical part of my overall security controls. And I want to make sure that if it’s in AD, it’s running Carbon Black,” and guess what we found out that that’s hard to keep the CB agent running on everything that’s in AD.

Well, that presumes that AD is correct. Every other endpoint vendor started to get those same requests. That’s why you see today, Tanium has their asset management module, CrowdStrike has one, SentinelOne has one, et cetera, et cetera, et cetera. All the end point vendors are putting in neighbor discovery features that will report up the other machines on the local LAN segment. And those are great platforms, right?

Similarly, Armis had gone in to start and solve the medical device problem.That’s a huge challenge in healthcare, because those medical devices are so terribly implemented from a technology perspective, you can’t scan them with your vulnerability scanner. They can’t run active scans because they’ll fall over. Everybody in healthcare has a situation where somebody fat-fingered in something in Qualys and killed a NICU device. While there was an infant attached to it; it’s absolutely terrible.

And Armis emerging in that space, he has a passive network sniffer because that was the only tool you could use for that job to help build an inventory of those devices. Now, those are all great platforms and they’re great pieces of technology and sources of data. But the challenge when you think about it from a broader perspective, is there a subset of the whole.

And in order to answer this asset management problem, you need tools to be able to go get a view of the whole, regardless how your organization is configured, structured, and where your resources are. If you’re a totally distributed enterprise with few or no centralized resources, you’re a cloud-native company, and everything’s up in the cloud, or you have the big on-prem office, 40-story high-rise building downtown, or you’ve got 150 satellite offices scattered across the globe with 50 people each, we’re taking the approach of API integration into all your existing systems.

That allows us to pull rich metadata from all of those sources of inventory and ensure complete coverage. The magic there is, that aligns our product promise with customer problems. As a client having to manage your network infrastructure, you don’t have the privilege of saying, I don’t have to worry about those devices because I don’t have a way to measure it. If the organization owns it and it’s processing corporate data, you got to deal with it. And you need a tool to be able to go take a look at it. There’s very few products out there that align their product promise of complete, naturally, truly comprehensive asset inventory from a source with those problems.

Andy Bonillo:

And I love it. So that then starts to blur the line a little bit in the CISO responsibility of infrastructure. I can’t tell you how many times I’ve had the conversation where people are like, “man, you’ve got all this aggregated data into your SIEM, why don’t you… Or in the data lake, why are you on the asset inventory insecurity? Because you have probably a more comprehensive view of it than IT does.”

J.J. Guy:

Right. Yeah. Andy, it’s a fascinating topic. We’ve been going with Sevco for about a year now and we’re still very much in the discovery mode. Building good products is really tough in the IT ecosystem because we’re so diverse. And even having lived in this world for so long and having such strong domain knowledge, it’s tough to get it right.

So we’re very much in a listening mode and asking every CISO we talk to, how does this work in your organization? And in general, everybody’s having the conversation. In general, security teams right now, they are recognizing there’s a problem. I think that’s because they’ve invested very heavily in their detection and response procedures over the course of the last 10 years or so, have matured those to the point where now they recognize that they’re not getting popped anymore because their endpoint security tools aren’t good enough.

They’re getting popped because they’re simply not there. In last year’s Verizon data breach report, they made that point about patch management, that the evidence that they were polling shows that it’s not that our patch management tools don’t work, it’s that they’re just not there at all. And you continue to see that and like the breach reports, with Equifax, for an example, I would never have expected to see a U.S. Senator in congressional testimony railing against Equifax for a failure of their asset management program, but it’s right there, front and center.

It’s incredible. What’s super interesting is how the relationship between the CISO and IT operations plays out in the midst of that conversation, because while it’s the security teams that have the requirement, it’s generally the IT operations teams that have the responsibility for it. And the way that usually plays out is, a security guy will say, hey, I’ve got my endpoint agent deployed on 17,000 systems. And then he goes over the IT departments like, hey, how many should it be deployed on? What’s the total number?

And nobody knows, that’s not a question that has ever been asked toward the IT department. The closest thing has been the asset management functions, but asset management is truly a finance function. It’s capital expenditures until they depreciate off the balance sheet. Those are reports that go to accounting. Everything else has been mostly trumped by availability and if there’s not a person picking up the phone and calling to say something’s broken, then there’s other things to spend time on.

Andy Bonillo:

Yep. Totally fair. So where are you seeing that shift in, especially for smaller companies, they may be just starting out, what would be the advice of, would you hire a CIO that has a really strong security background or someone has comes out of the CISO world that can manage infrastructure? Where would you give your guidance right now at a smaller companies on that?

J.J. Guy:

Good question, for smaller companies too, especially. My perspective is biased, I’ll admit that straight up. I cut my teeth in the military, in the Air Force and of course we’re all the slaves to our upbringing here and our pedigrees. One of the things I think that is fascinating is, in the Air Force IT infrastructure, there is no such thing as a CISO as distinct from the CIO.

There was the IT executive and he owned IT operations and security operations, and those grew together. What’s fascinating here in the commercial sector is that one, that the CISO position was ever created. At some point security became important enough that a mid-level manager or director level function got promoted to a C-suite to properly represent the risk to the board.

Well, I guess that was because the CIOs at the time weren’t able to get their hands wrapped around it. And then we had this trend where they got moved out of the CIO’s organization and now we’re starting the beginning of another trend where there is a critical function, this operations function for core IT ops and all the infrastructure that has key security implications.

And what continued investment in security is providing diminishing returns because you have more critical problems in the underpinnings of the enterprise infrastructure. To circle back to your question, you actually asked, my thinking goes there. Those aren’t two roles, man, they’re not two separate seats. They’re one. You have your enterprise infrastructure inclusive of operations and security, and then you have enterprise applications that help the business run more efficiently on top of it.

Andy Bonillo:

It’s going to be an interesting thing because I think historically, people have viewed CIOs coming up from a tech background and CISOs coming in from some sort of security intelligence community, law enforcement background, and folks like you and I that come out of places where you get access to both are a little different than most folks, right?

So do you anticipate this trend of the silos that get created to some extent because of where you came from and if you’re born out of technology being in that CIO track, you’re born out of the law enforcement intelligence community, military background that didn’t have that kind of convergence in your operation, do you think that’s going to continue or do you think we’re going to get enough talent coming out of the government that has seen both of those? Or how do we bridge that gap?

J.J. Guy:

That’s not a question I’ve thought deeply about, so you’re going to get an off the cuff response here. I’m going to refute the premise of your question there a little bit, Andy.

Andy Bonillo:

Cool.

J.J. Guy:

Yeah, you’re tying to it a domain knowledge that is required for holding that executive level position. And don’t get me wrong, some of that is certainly true. But I think the key distinction there is more of a culture and a mindset and it’s operations versus administration. Like, are you running an operation with kind of day-to-day, you’re in the fight? Regularly increasing your discipline and steady execution cadence, or are you more of an administrative mindset thinking GRC, processes, procedures, governance, running tickets.

Andy Bonillo:

Hope I never hear the word ticket again.

Yeah, but I love where you’re taking that, right? Because I think that’s the fundamental conversation that not only do practitioners need to have about what they want their programs to be, but I think when people build the CISO function into their company, what’s the goal of security for you as a company?

And then that sets a tone from the top down in terms of that CIO-CISO relationship, is it converged and how does that all tie together for what goal? Right? To move the business in what direction and how does that get built out? Because if it’s just that compliance function, to your point, you start to just work on checking boxes, and the creativity of really smart practitioners get stifled. And they get bored and there’s no fun. So I think that’s a really cool way to think about it.

J.J. Guy:

Yes, that’s triggering the whole talk track of being compliant is not secure. That often times gets conflated when that’s the form over function thing, right? As you’re driven by policy and procedures those overtake the reality on the ground and you can go check all the boxes and still not be secure. And our world is certainly like that, anyone in the operations world will tell you that because the situation on the ground changes all the time.

There’s a difference here that for me as a guy who now builds security tools for a living, on the security shops, the value to the organization comes from the people. They’re managing the operation to ensure that the network is, and secure is a bad word here. Let’s stay resilient and agile. And the tools we build, the tools I build to provide to them, that’s a tool in their tool bag to help them do their job more effectively.

In the classic IT side, the value to the business comes from the product you buy. And the people are a tax on top. I can’t tell you how many times I’ve been asked in a conversation when talking to security buyers, oh, how many people does it take to administer your platform? As soon as that question comes across on, you get put in a bucket. And I recognize the culture of that security shop is still rooted in the administrative policy and compliance mindsets.

Andy Bonillo:

Yeah. What’s your take on when people ask you, what piece of technology can you displace? What can I get rid of if I bring you in, where’s your head on that question?

J.J. Guy:

Oh man. That’s too contextually specific maybe for me to give you a general answer. We certainly have a problem with tool sprawl today in the enterprise, especially on the security side. I think that some amount of the heavy investment and we’ve been moving very quickly to try to get our hands wrapped around this, there’s lots of redundancies and we need more maturity in the overall stack

That’s one direction with Sevco, for instance, that’s super interesting as we get our head wrapped around this more effectively. A principal for me and Sevco as a business, is to build an asset database that you can trust so that you don’t have this problem where all your existing systems, you can’t trust their completeness. And we don’t want to recreate the wheel though.

We often times get asked the question, okay, what now? What next? I got all this beautiful data, what do I do with it? And to me, that question sometimes is a little shocking because you have existing procedures to kind of fix the hygiene problems that we surface. They’re usually wrapped around your CMDB and, or ticketing system. Those teams, there’s no problem with those processes, there’s no problem with the teams that execute them, the problem is that data.

And if the data in that CMDB was just up to date, more effective, more accurate, well, then, those processes would be more effective as a result. And it’s that kind of mindset where we’ve got to stop thinking about layering band-aids on top of all these different systems and rethinking from brass tacks like first principles all the way up, how to make our existing systems and existing procedures more effective.

Andy Bonillo:

So if I capture it right, it’s basically, let’s get back to the basics. Let’s get back to the basics – start it over, right? And just start making sure we’ve got the right things in place so we can not try to make this thing too complex. Because I think that’s the speed of which we’re operating and the lackadaisical nature of keeping these systems up to date is creating a lot of gaps. Well, look, I got tons more for you, but we’re going to take another short break to hear from our sponsors. Don’t go away folks. We’re right back with more from Co-founder and CEO of Sevco Security, J.J. Guy. You’re listening to Task Force 7 Radio, the Voice of Cybersecurity.

Well, man we’ve been touching on your transition out of the government and all the cool stuff that you built in changing the industry the product space, but we talk, it all started in your first week on the job, right? When you found your first O day, what was that all about? What was that like?

J.J. Guy:

Right. Yeah. Dude, it was amazing, honestly. Talk about an endorphin rush, it’s like hunting for gold, you know it’s there, but if you just keep pulling and then all of a sudden you stumble across it-

Andy Bonillo:

In your first week dude!

J.J. Guy:

The first week, that’s right. And that was in Internet Explorer, which at the time was still one of the most popular browsers, that was probably ’05 in that role. That was an awesome team. That was a group of vulnerability researchers, exploitation guys, kernel developers and very much in the brass tacks supporting the U.S. intelligence community and the support of all those operations.

And if anything 0-Day, at the time we didn’t recognize was very real. Today, we’ve had much more evidence of that in the 15 years since. And I think we all take that for granted, but one of the things that we still, as an industry, I’m not sure, really fully internalize is if a targeted attacker is interested in coming after you and your organization, they will find a way. It’s all about the number of resources they invest and the focus and the time spent on your organization and all the different myriad of attack vectors that they could use to get into it.

Andy Bonillo:

So if you play that out, right? It’s like, we tell people all the time, it’s going to happen. And everyone’s like, well, when’s it going to happen to me? Well, it hasn’t happened in the week, months, six months, a year, why should I spend the money now? And I think too many people are still thinking about, it won’t happen to me, right? What do you tell people when they think that?

J.J. Guy:

Yeah, so I spent a number of years, since I was dealing with the targeted attackers 10 years before everybody in commercial industry, I spent a lot of years in the late 2000s, the early 2010s advocating for the inevitability of compromise, where we operate under the assumption of breach. And I could tell all this great stories since I spent 15 years at that point, breaking into computer networks, all the different ways that could break into your computer network. That’s a fun story, I’ll come back for another session and we’ll talk about attack vectors.

But what was so interesting is, at the end of that everyone would agree, wow, yes, you’re right. But it still wouldn’t translate into the sense of urgency to do something about it. And I spent a lot of… That was a disconnect. Their brains were firing on the reason of it, but their hearts weren’t. And I spent a lot of time digging into that, just asking why. And I finally figured out the common thread, everybody says, it won’t happen to me. This is a problem that, luckily your local philosophy professor knows and understands, they call it Hume’s problem, it’s a problem of inductive reasoning.

We, as humans are just naturally wired to give too much credibility to our own experiences, even when those experiences have little or no bearing on the likelihood of those events occurring in the future. And that happens in organizations with cybersecurity every single day. Despite the fact that in our heads, we say, yes, compromise Is inevitable, in our hearts, when it translates into action, we always tend to think it won’t happen to me.

There’s a great story of Bertrand Russell, he was a British philosopher, economist back in the early 1900s, talks about the story of the farmer and the chicken. The chickens got a pretty good life, he’s got food and shelter provided by the farmer. Their safety protects him from the wolves and all the other predators. The farmer comes out there every day and spreads food on the ground until one day it’s time for dinner. And the farmer reaches down, instead of providing food, grabs that chicken by the neck and rings it. Nothing in the life of that chicken could have prepared him for that moment. And that’s the situation we have with security folks every day.

Andy Bonillo:

So true. It’s so true. And then you’re in full crisis mode, the pocket book opens up, what do we need to do to fix it? And at the end of the day, it’s probably a result of, we didn’t work smart, we worked hard.

J.J. Guy:

Yes. That echoes the back to basics we talked about in the previous segment. What we opened with even earlier, my personal, just my philosophy that the next big thing in IT security is going to be basic IT practices. That as an industry, we have been focused for way too long on the sexy stuff, some fancy algorithm that’s going stop the attacker, more detection gadgets, this and that and the other. And we’ve made some great investments. I don’t want to diminish any of that, there’s some great products out there.

But we can’t continue to invest in all of those fancy technologies while continuing to ignore the basics. Every organization has got the material breach on their risk register somewhere. And every risk assessment comes down to likelihood versus impact. When it comes to estimating the likelihood of a material breach, how do you do it? What we tend to do is we look at all this investment we’ve made and all these security technologies and think, wow, there’s no way that we could ever get breached because look at all this work we’re doing.

But when you recognize that it’s way less about you and way more about the attacker motivations, and how quickly they can monetize the data inside your organization, and how much that’s worth to them, and how many resources they have to invest in their time or research for that 0-Day, define that to get that initial tool. And that has little or nothing to do with the amount you’ve invested in your security program. All of those fancy boxes, bells, and whistles and alerts and this and that and the other, they don’t do you a bit of good if you’re still not very effective on the overall basics.

Andy Bonillo:

That’s it, man. Stick to the basics. I love it. Well, brother, I really appreciate coming on the show and since you have such a cool name and you had a great background, we’re going to have you back because I got to say your name on the radio again because it’s just too fun.

J.J. Guy:

Andy, thanks so much. It’s been a lot of fun, I look forward to get the chance to do it again. Thanks for having me.

Andy Bonillo:

All right, brother. Appreciate you. All right, folks. It’s time for us to bounce out of here. Before we go, to remind our listeners to visit the Cyber Security Hub to get a recap of tonight’s show and get other up-to-date, sign up for your breaking news at www.cshub.com. That’s the Cyber Security Hub at cshub.com. Thanks for tuning in, you’re listening to Task Force 7 Radio, the Voice of Cybersecurity. Stay frosty out there.

Host:

Thank you for tuning in this week to Task Force 7 Radio. To learn more about Task Force 7 Radio, please visit our website at taskforcesevenradio.com. Be sure to join your host, George Rettas again next Monday at 8:00 PM Eastern time, 5:00 PM Pacific time, on the VoiceAmerica business channel.