1
00:00:05,280 --> 00:00:10,480
This is Identity at the Center. 
If it has anything to do with 

2
00:00:10,520 --> 00:00:17,960
IAM, this is the go-to podcast. 
Now your hosts Jim McDonald and 

3
00:00:17,960 --> 00:00:23,040
Jeff Stedman. 
Welcome to the Identity at the 

4
00:00:23,040 --> 00:00:24,800
Center podcast. 
I'm Jeff and that's Jim. 

5
00:00:24,800 --> 00:00:26,400
Hey, Jim. 
Hey, Jeff, how are you? 

6
00:00:26,840 --> 00:00:27,880
Not so bad yourself. 
Good. 

7
00:00:27,880 --> 00:00:30,720
I'm trying to hold back my 
giggles because what I wanted to

8
00:00:30,720 --> 00:00:34,720
say was I was surprised you 
showed up for the podcast today 

9
00:00:34,960 --> 00:00:39,200
and you don't have the new Apple
Vision Pro on your face. 

10
00:00:39,520 --> 00:00:41,120
That's what I was expecting, 
man. 

11
00:00:41,360 --> 00:00:44,200
I have one on order. 
It will arrive in three to four 

12
00:00:44,200 --> 00:00:45,120
weeks. 
Allegedly. 

13
00:00:45,120 --> 00:00:47,040
We'll see. 
I'm curious. 

14
00:00:47,040 --> 00:00:50,040
I've read, I've, I've probably 
watched every video, you know, 

15
00:00:50,040 --> 00:00:52,640
review. 
I'm cautiously optimistic. 

16
00:00:52,640 --> 00:00:55,360
I got to be honest, it's going 
to have to really blow me away 

17
00:00:55,880 --> 00:01:00,440
for me to part with $3400 of 
this thing on my face, but it 

18
00:01:00,440 --> 00:01:01,320
looks. 
Really cool. 

19
00:01:02,760 --> 00:01:04,760
Yeah right. 
I can see you sitting at 

20
00:01:04,920 --> 00:01:09,120
Chili's, having your chips in 
queso, wearing your headset and 

21
00:01:09,120 --> 00:01:12,120
looking all over the place, 
maybe getting getting some work 

22
00:01:12,120 --> 00:01:15,400
done. 
I mean, you are the early 

23
00:01:15,400 --> 00:01:19,680
adopter of early adopters. 
I am an early adopter, but it's 

24
00:01:19,680 --> 00:01:22,480
more like in secret. 
I don't like. 

25
00:01:22,480 --> 00:01:26,600
I don't want to be like that guy
out there wearing Vision pro 

26
00:01:26,800 --> 00:01:30,000
skating around New York City 
like Casey Neistat from from 

27
00:01:30,000 --> 00:01:33,360
YouTube or anything like that. 
I'm more of a subtle kind of 

28
00:01:33,480 --> 00:01:35,960
early adopter. 
At home I'll nerd out all day 

29
00:01:35,960 --> 00:01:38,840
long, but in public I try to 
keep it to a minimum. 

30
00:01:39,320 --> 00:01:41,280
I'm enough of a nerd. 
I don't need to amplify it any 

31
00:01:41,280 --> 00:01:44,800
more than I already am. 
So what I wanted to to ask you 

32
00:01:44,800 --> 00:01:50,080
about early adoptership, does 
that carry over into your IAM 

33
00:01:50,080 --> 00:01:52,120
life? 
In other words, are you an early

34
00:01:52,120 --> 00:01:57,560
adopter of IAM technology? 
Like if you think ITDR is like 

35
00:01:58,280 --> 00:02:04,920
it, are you in and are you an 
early adopter of vendors? 

36
00:02:04,920 --> 00:02:09,240
So in other words, maybe there's
a a dominant vendor or two. 

37
00:02:09,520 --> 00:02:12,840
Do you consider the ones that 
are not the dominant? 

38
00:02:12,960 --> 00:02:15,520
Or maybe they're new? 
Or you don't have a whole lot of

39
00:02:15,520 --> 00:02:16,760
reference points? 
Yeah. 

40
00:02:16,760 --> 00:02:19,440
And it's a really good question.
I would say no, I'm not 

41
00:02:19,440 --> 00:02:21,520
typically an early adopter. 
I think I'm approached a little 

42
00:02:21,520 --> 00:02:25,680
more pragmatically. 
I have to separate my thought 

43
00:02:25,680 --> 00:02:27,720
that, oh, that's a really cool 
piece of technology. 

44
00:02:27,720 --> 00:02:30,640
I really like that with the 
business side of my brain. 

45
00:02:31,080 --> 00:02:35,360
That is what is, does it make 
sense, you know, what does it 

46
00:02:35,360 --> 00:02:36,720
cost? 
How does this fit into my 

47
00:02:36,720 --> 00:02:39,760
current stack of technologies 
that are going to be? 

48
00:02:39,840 --> 00:02:41,960
I have to separate that from the
boy, that's really cool. 

49
00:02:43,440 --> 00:02:47,520
So I I would say I'm not an 
early adopter in in the real 

50
00:02:47,520 --> 00:02:50,600
world when it comes to identity,
but it's not because I don't 

51
00:02:50,600 --> 00:02:53,880
appreciate the technologies. 
It's more of a fiscal, you know,

52
00:02:53,880 --> 00:02:56,560
responsible saying, OK, great, 
if I had a limited budget, sure,

53
00:02:56,560 --> 00:02:57,840
I'd throw stuff in price all the
time. 

54
00:02:57,840 --> 00:02:59,680
I don't. 
Most people don't. 

55
00:02:59,880 --> 00:03:03,760
There's limited time, limited 
resources and there's just not 

56
00:03:03,760 --> 00:03:05,680
enough time in the world to try 
and keep up with every single 

57
00:03:05,680 --> 00:03:08,560
tech that's out there. 
Some I think are better than 

58
00:03:08,560 --> 00:03:11,480
others, or at least more media 
like ITDR has been hot for the 

59
00:03:11,480 --> 00:03:15,200
last couple years. 
Yeah, I think if you've got, you

60
00:03:15,200 --> 00:03:17,880
know, everything else solved 
seems to be like a a natural 

61
00:03:17,880 --> 00:03:19,600
evolution to go that way. 
What do you think? 

62
00:03:19,920 --> 00:03:23,440
Well, I think when it comes to 
new technology, well, well, 

63
00:03:23,440 --> 00:03:26,440
First off, I just think it's 
like a personality trait. 

64
00:03:26,920 --> 00:03:29,160
I lean toward being more 
conservative. 

65
00:03:29,160 --> 00:03:32,040
I think both of my grandfather's
were accountants, right? 

66
00:03:32,040 --> 00:03:34,960
And the accountants are about as
conservative as you can get. 

67
00:03:35,520 --> 00:03:39,440
I spent most of my career 
working in more conservative 

68
00:03:39,800 --> 00:03:41,760
organizations. 
But since I've been in 

69
00:03:41,760 --> 00:03:46,720
consulting, which is over a 
decade now, I've seen a lot of 

70
00:03:46,720 --> 00:03:48,680
technologies come to come and 
go. 

71
00:03:48,960 --> 00:03:52,520
I've also seen where certain 
technologies, when they hit, 

72
00:03:52,520 --> 00:03:58,480
they just hit and address a 
problem that the industry has. 

73
00:03:58,680 --> 00:04:04,280
So I think in my oddly enough, 
in my old age, I think I'd learn

74
00:04:04,280 --> 00:04:07,480
more toward being a little more 
experimental and new 

75
00:04:07,480 --> 00:04:11,280
technologies. 
When it comes to new vendors, I 

76
00:04:11,280 --> 00:04:16,800
feel like you've got to be a 
little more adventurous. 

77
00:04:17,560 --> 00:04:22,160
You have to look at those 
mainline like, you know the the 

78
00:04:22,360 --> 00:04:26,000
saying like nobody got fired for
choosing IBM. 

79
00:04:26,000 --> 00:04:28,400
Don't buy into statements like 
that. 

80
00:04:28,400 --> 00:04:32,040
But at the same time and no rail
against them might kind of think

81
00:04:32,040 --> 00:04:36,200
like OK, you need to look at 
that quote unquote IBM, but you

82
00:04:36,200 --> 00:04:39,040
also need to look at some of the
up and comers. 

83
00:04:39,240 --> 00:04:43,120
So I think if you are an earlier
adopter, you can get in at a 

84
00:04:43,120 --> 00:04:46,680
better price position, you can 
do things for your organization,

85
00:04:46,680 --> 00:04:51,920
you can use your logo for clout 
in terms of becoming more or 

86
00:04:51,920 --> 00:04:54,920
less a premier customer. 
Whereas some of those like 

87
00:04:54,920 --> 00:04:59,560
flagship products, the you know,
entrenched vendor, your logo may

88
00:04:59,560 --> 00:05:01,560
not provide as much value to 
them. 

89
00:05:01,560 --> 00:05:04,800
I mean obviously depending on 
your, your organization it. 

90
00:05:05,040 --> 00:05:08,800
Surprises me a little bit. 
I guess only for do you have 

91
00:05:08,800 --> 00:05:11,200
money that you're carrying 
around for the just in case you 

92
00:05:11,200 --> 00:05:14,520
find something cool on the shelf
at Best Buy of Identity. 

93
00:05:14,520 --> 00:05:16,800
Yeah right. 
I don't know many organizations 

94
00:05:16,800 --> 00:05:18,000
that do. 
I mean some do, right. 

95
00:05:18,000 --> 00:05:20,520
And that's great. 
I just it's interesting that 

96
00:05:20,520 --> 00:05:22,120
we're a little bit opposite in 
that regard. 

97
00:05:22,440 --> 00:05:24,560
Like I'm not, I'm not afraid to 
go all in with it if I have the 

98
00:05:24,560 --> 00:05:27,240
money to do it, but I generally 
don't have the money or the 

99
00:05:27,240 --> 00:05:29,440
resources. 
I feel like I'm in the majority 

100
00:05:29,440 --> 00:05:31,800
in this case. 
Yeah, you're probably in the 

101
00:05:31,800 --> 00:05:37,480
majority, but you also say 
something somebody that's kind 

102
00:05:37,480 --> 00:05:40,440
of like one of those flagship 
products now SailPoint, they 

103
00:05:40,440 --> 00:05:43,600
were the young up and comer at 
one point, right. 

104
00:05:43,880 --> 00:05:48,360
Enough people had to kind of buy
into that story and kind of like

105
00:05:48,360 --> 00:05:51,120
that's what they leverage 
growing up. 

106
00:05:51,120 --> 00:05:54,480
Now if you're one of those early
ones in, those are probably 

107
00:05:54,480 --> 00:05:57,960
still the customers that have 
influence that know the 

108
00:05:57,960 --> 00:06:01,640
executives at the top of the 
organization that you know, I 

109
00:06:02,560 --> 00:06:05,400
can't say that they're they're 
bossing them around or anything,

110
00:06:05,400 --> 00:06:08,120
but we're getting a lot more 
respect than they would get if 

111
00:06:08,120 --> 00:06:10,520
they were just buying it now. 
Yeah, I can see that you get to 

112
00:06:10,520 --> 00:06:13,240
wield a little more influence. 
I wonder if there's a little bit

113
00:06:13,400 --> 00:06:17,880
of a back in my day, you know, X
product cost $20 and now it's 

114
00:06:17,880 --> 00:06:21,680
like you know, $400.00 or like 
you know what you know, where 

115
00:06:21,680 --> 00:06:23,840
did all this this price increase
come from? 

116
00:06:24,560 --> 00:06:30,280
Yeah, exactly. 
So I think we should mention, 

117
00:06:31,760 --> 00:06:35,320
mention conferences. 
You know we got Identity Week 

118
00:06:35,320 --> 00:06:38,440
America, I guess that's the 
summer, but really need to be 

119
00:06:38,440 --> 00:06:40,720
planning for these things in 
advance. 

120
00:06:41,080 --> 00:06:45,960
So Identity Week, Europe and 
Amsterdam, June 11th and 12th, 

121
00:06:46,240 --> 00:06:50,280
Identity Week America which you 
and I are going to play an 

122
00:06:50,280 --> 00:06:54,960
active part personally in that's
going to be in DC September 11th

123
00:06:54,960 --> 00:07:00,160
and 12th and then Identity Week,
Asia and Singapore, October 22nd

124
00:07:00,160 --> 00:07:04,880
and 23rd. 
And our listeners get 30% off of

125
00:07:04,880 --> 00:07:09,960
these, the IDAC 30 conference or
I'm sorry, discount code. 

126
00:07:10,720 --> 00:07:13,200
Yeah, it's a pretty sweet deal, 
that conference code or discount

127
00:07:13,200 --> 00:07:14,160
code. 
And you got me saying it now 

128
00:07:14,800 --> 00:07:16,720
works for all of the conferences
around the world. 

129
00:07:16,720 --> 00:07:19,720
So whether you're going to 
Europe, America, Asia, IDAC 3 

130
00:07:19,720 --> 00:07:21,680
zero, 30% off. 
Very. 

131
00:07:21,680 --> 00:07:23,080
Cool. 
I was at last year's. 

132
00:07:23,080 --> 00:07:24,280
We talked about the last 
episode. 

133
00:07:24,760 --> 00:07:25,920
I'm looking forward to again 
this year. 

134
00:07:25,920 --> 00:07:28,000
I think like you said, we'll be 
active participants. 

135
00:07:28,000 --> 00:07:30,400
I think I'm going to host the 
panel again of some sort. 

136
00:07:31,200 --> 00:07:35,240
Last year's was awesome, so we 
had like a real who's who of 

137
00:07:35,280 --> 00:07:38,480
identity and looking forward to 
doing something somewhere. 

138
00:07:38,480 --> 00:07:41,960
And of course we'll be doing 
podcasty things while we're 

139
00:07:41,960 --> 00:07:43,720
there that are still to be 
determined. 

140
00:07:43,720 --> 00:07:45,760
I think that's one of my 
favorite 

141
00:07:45,760 --> 00:07:49,040
parts about doing the podcast 
overall is just you know being 

142
00:07:49,040 --> 00:07:51,840
part of the conference circuit, 
bringing the conference to 

143
00:07:51,840 --> 00:07:55,160
people who can't be there, 
interacting with people who are 

144
00:07:55,160 --> 00:07:58,280
there and bringing that to the 
podcast community. 

145
00:07:58,880 --> 00:08:02,680
I I just think the whole thing 
is like it's it's really, I 

146
00:08:03,760 --> 00:08:06,720
don't know I feel like we're 
we're providing a service to the

147
00:08:06,720 --> 00:08:10,280
community if you will. 
The man on the street, the man 

148
00:08:10,280 --> 00:08:14,400
in the field, you should get 
like one of those like reporter 

149
00:08:14,880 --> 00:08:16,960
flak jackets. 
They have a press on the front 

150
00:08:16,960 --> 00:08:20,080
and like a helmet and then like 
go into like Identiverse or 

151
00:08:20,280 --> 00:08:21,960
Identity Week America or 
something like that with old 

152
00:08:21,960 --> 00:08:23,760
microphone. 
Yeah. 

153
00:08:23,880 --> 00:08:26,680
Oh, you're not supposed to. 
If you're in a war zone like 

154
00:08:26,680 --> 00:08:28,800
that, you're not supposed to 
shoot the person with that 

155
00:08:28,800 --> 00:08:30,280
jacket on. 
So you're safe. 

156
00:08:30,400 --> 00:08:32,880
That's why you need the big 
press logo, like on your chest 

157
00:08:32,880 --> 00:08:34,360
and on your back, so people 
know. 

158
00:08:35,080 --> 00:08:37,919
Yeah, absolutely. 
So what are we going to talk 

159
00:08:37,919 --> 00:08:40,159
about today? 
We're going to talk about the 

160
00:08:40,159 --> 00:08:44,000
role of a systems operation 
center or a SoC as it's commonly

161
00:08:44,000 --> 00:08:46,040
referred to when it comes to 
identity security. 

162
00:08:46,200 --> 00:08:49,400
So I think this is an area that 
we really haven't touched on yet

163
00:08:49,400 --> 00:08:52,240
on the podcast. 
I think people have probably 

164
00:08:52,240 --> 00:08:55,160
heard about it, but they're not 
really sure maybe what it is or 

165
00:08:55,160 --> 00:08:57,760
what goes on in there. 
As Jim must say, what would you 

166
00:08:57,760 --> 00:09:00,760
say you do here when it comes to
a SoC perspective? 

167
00:09:01,240 --> 00:09:04,560
So we're very fortunate that we 
actually have experts that we 

168
00:09:04,560 --> 00:09:07,440
work with on set every day as 
part of our SMS team. 

169
00:09:07,440 --> 00:09:10,200
So I want to welcome from the 
RSM managed security practice. 

170
00:09:10,480 --> 00:09:12,720
First up, we've got Steve Kane, 
Managing Director. 

171
00:09:12,720 --> 00:09:15,440
Welcome to the show, Steve. 
Thank you guys. 

172
00:09:15,520 --> 00:09:18,640
Thank you. 
And we've also got Todd 

173
00:09:18,640 --> 00:09:20,440
Willoughby. 
He's a director with the same 

174
00:09:20,440 --> 00:09:21,920
practice. 
Welcome to the show, Todd. 

175
00:09:22,960 --> 00:09:26,720
Glad to be here guys. 
So before we get started, I'm 

176
00:09:27,400 --> 00:09:29,440
going to ask a bunch of 
questions around this and we 

177
00:09:29,440 --> 00:09:32,120
kind of want to build expertise 
and knowledge in this. 

178
00:09:32,120 --> 00:09:35,520
But before we do that, I always 
like to hear origin stories of 

179
00:09:35,520 --> 00:09:39,400
how people got into infosec and 
identity and just things at 

180
00:09:39,400 --> 00:09:41,480
large. 
Steve, we'll start with you. 

181
00:09:41,600 --> 00:09:44,080
How did you get into the Infosec
space? 

182
00:09:44,400 --> 00:09:46,960
I guess when did you realize you
were in the Infosec space? 

183
00:09:46,960 --> 00:09:50,280
Sometimes that's a question too.
Well, it's actually a really 

184
00:09:50,280 --> 00:09:54,000
good question because sometimes 
you end up there and you don't 

185
00:09:54,000 --> 00:09:56,480
even realize that you were 
headed down that path. 

186
00:09:57,520 --> 00:10:02,480
For me it really started about 
25 years ago. 

187
00:10:03,000 --> 00:10:06,920
I have always been an IT person 
at heart. 

188
00:10:06,920 --> 00:10:09,640
You know when I was younger I 
was always the the go to person 

189
00:10:09,640 --> 00:10:13,800
in the family to go figure out 
things, computers obviously 

190
00:10:13,800 --> 00:10:19,920
being newer back in my day it 
was always a an interesting 

191
00:10:19,920 --> 00:10:23,520
dilemma and conversation with 
with friends and family. 

192
00:10:24,640 --> 00:10:30,320
But I started in IT really at 
healthcare facility. 

193
00:10:30,320 --> 00:10:35,000
So we were in an elder care 
situation where I was working at

194
00:10:35,000 --> 00:10:38,160
the health guys and I was 
fielding all the calls initially

195
00:10:39,400 --> 00:10:43,440
and that kind of grew into 
understanding more about 

196
00:10:43,440 --> 00:10:47,160
applications about health 
systems work and from there 

197
00:10:47,240 --> 00:10:50,960
ended up moving in the direction
of financial services. 

198
00:10:50,960 --> 00:10:57,120
So I ended up at a large 
regional banking provider where 

199
00:10:57,120 --> 00:11:02,560
I ultimately was responsible for
managing all of the application 

200
00:11:03,160 --> 00:11:07,800
technology components, software 
updates and security updates. 

201
00:11:08,840 --> 00:11:12,400
We had to deal with a lot of 
audits and everything else, so 

202
00:11:13,000 --> 00:11:16,160
security really started to come 
into focus at that point. 

203
00:11:16,800 --> 00:11:19,000
Then moved back into the 
healthcare space, which is 

204
00:11:19,000 --> 00:11:23,080
really where I have a yes, 
personal passion for. 

205
00:11:25,360 --> 00:11:31,040
So from there I was responsible 
for not only the IT components 

206
00:11:31,040 --> 00:11:35,440
of several hospitals, but also I
was the HIPAA Privacy and HIPAA 

207
00:11:35,440 --> 00:11:38,480
Security Director for those 
facilities. 

208
00:11:38,840 --> 00:11:41,680
So before I knew it, security 
was part of everything that I 

209
00:11:41,680 --> 00:11:46,400
was doing and then subsequently 
ended up for the last 15 years 

210
00:11:47,960 --> 00:11:54,640
managing clients and SoC and 
growing business etcetera. 

211
00:11:54,640 --> 00:12:00,400
So here I am now, you know 
helping RSM kind of grow into 

212
00:12:00,400 --> 00:12:05,960
that space as well. 
And really, it's ever changing, 

213
00:12:05,960 --> 00:12:09,560
ever evolving and constantly 
keeps you on your toes. 

214
00:12:09,800 --> 00:12:12,040
I bet. 
I think one of those things is, 

215
00:12:12,360 --> 00:12:15,920
do you consider yourself an 
infosec person now at this point

216
00:12:15,960 --> 00:12:18,160
with your experience and kind of
grown to that, or do you still 

217
00:12:18,440 --> 00:12:21,040
see as like a specialist in a 
certain area? 

218
00:12:21,640 --> 00:12:25,400
I I have to consider myself an 
infosec person with this 

219
00:12:25,400 --> 00:12:27,880
many years in one discipline 
like that. 

220
00:12:29,360 --> 00:12:31,920
But you'd never really forget 
the the roots. 

221
00:12:31,920 --> 00:12:35,680
You still want to tinker around 
every now and then on some, you 

222
00:12:35,680 --> 00:12:39,880
know home equipment or friends 
or family that might have stuff 

223
00:12:39,880 --> 00:12:42,760
laying around. 
Or if you happen to get extra 

224
00:12:42,760 --> 00:12:45,880
time working on something, you 
know within your organization 

225
00:12:45,880 --> 00:12:49,440
where there's test environments 
and stuff, so you still want to 

226
00:12:49,760 --> 00:12:54,280
to work things and and actually 
hands on keyboard and be the 

227
00:12:54,280 --> 00:13:00,520
intelligent hands like that more
so than just monitoring, doing 

228
00:13:00,520 --> 00:13:02,240
incident response activities 
etcetera. 

229
00:13:02,240 --> 00:13:08,880
So definitely more of a infosec 
person than an IT person at this

230
00:13:08,880 --> 00:13:10,560
point, but you never forget your
roots. 

231
00:13:11,440 --> 00:13:14,040
Todd, how about yourself? 
How did you get into this space?

232
00:13:15,320 --> 00:13:16,680
That's a long, that's a long 
story. 

233
00:13:16,680 --> 00:13:18,320
I'll I'll try to give you the 
abridged version. 

234
00:13:18,760 --> 00:13:24,280
But much like Steve, you know I 
started working at an ADSL help 

235
00:13:24,280 --> 00:13:27,560
desk in college. 
It's pretty old technology but 

236
00:13:27,560 --> 00:13:30,320
still out there. 
It exists for a large DSL 

237
00:13:30,320 --> 00:13:32,160
provider. 
And then from there I went into,

238
00:13:33,400 --> 00:13:36,760
you know, it's not, you know, 
pay your bill or turn off your 

239
00:13:36,760 --> 00:13:39,840
router or turn it back on again 
type of deal literally that to 

240
00:13:39,840 --> 00:13:44,040
doing acceptable use policy 
violations and helping fulfill 

241
00:13:44,040 --> 00:13:46,600
subpoenas and warrants from 
local law enforcement agencies 

242
00:13:46,600 --> 00:13:49,680
for people doing nefarious 
things, you know, with our 

243
00:13:49,680 --> 00:13:51,440
services at the ISP at that 
time. 

244
00:13:51,880 --> 00:13:56,600
And then from there I went into 
a large early stage of my career

245
00:13:56,600 --> 00:13:59,640
doing government contracting 
mainly around computer network 

246
00:13:59,640 --> 00:14:02,520
and defense for various 
government agencies, the Army, 

247
00:14:02,520 --> 00:14:05,080
the Navy, working intelligence 
as well there too. 

248
00:14:05,600 --> 00:14:09,280
And then where I met Steve all 
these years ago, Steve and I, 

249
00:14:09,480 --> 00:14:12,360
Steve and I have been together 
for a long time, almost a decade

250
00:14:12,360 --> 00:14:15,320
now. 
And you know we were at a large 

251
00:14:15,880 --> 00:14:18,800
Big 4 and Steve and I ran that 
practice there. 

252
00:14:18,800 --> 00:14:22,600
Essentially we had 200 SoC 
analysts, threat hunters, SoC 

253
00:14:22,600 --> 00:14:26,600
managers running that operation 
from large Fortune 50 clients. 

254
00:14:27,080 --> 00:14:30,840
And then Steve and our friend 
Daniel convinced me to leave 

255
00:14:30,840 --> 00:14:33,200
everything that we built over 
there and do it all over again 

256
00:14:33,200 --> 00:14:34,840
here from scratch. 
So here we are. 

257
00:14:35,960 --> 00:14:37,200
Sounds like a very similar 
story. 

258
00:14:37,200 --> 00:14:38,600
You guys have worked together 
for a long time. 

259
00:14:38,600 --> 00:14:41,480
Jim and I have worked together 
for a long time and now the four

260
00:14:41,480 --> 00:14:43,640
of us have worked for a much 
shorter time, I think probably a

261
00:14:43,640 --> 00:14:47,760
year and a half year roughly. 
For those who aren't familiar 

262
00:14:47,760 --> 00:14:50,160
with what RSM brings to here, I 
don't want to turn this into a 

263
00:14:50,160 --> 00:14:53,880
commercial for RSM, but give us 
the elevator pitch for what does

264
00:14:53,880 --> 00:14:55,240
the managed security practice 
do? 

265
00:14:55,240 --> 00:14:56,880
What are some of the things that
come out of it? 

266
00:14:56,880 --> 00:14:59,680
I know we've you we we've had 
internal conversation around 

267
00:14:59,680 --> 00:15:02,520
those things like RSM Defense 
and Unit 26, but tell us a 

268
00:15:02,520 --> 00:15:05,360
little bit about what those are 
for sure. 

269
00:15:06,640 --> 00:15:11,520
We not only focus on you know 
the low level monitoring 

270
00:15:11,520 --> 00:15:16,400
aspects, what we're trying to do
for our clients is provide a end

271
00:15:16,400 --> 00:15:20,920
to end security stack of 
solutions that meet clients 

272
00:15:20,920 --> 00:15:24,200
where they need to be met right 
now in their journey. 

273
00:15:24,760 --> 00:15:30,200
So for us it's as simple as 
having the the conversations 

274
00:15:31,200 --> 00:15:34,040
with our clients to really 
understand where what their 

275
00:15:34,040 --> 00:15:38,360
needs are because as a 
consulting firm we have the 

276
00:15:38,360 --> 00:15:42,720
ability to expand and and pull 
in the right resources at the 

277
00:15:42,720 --> 00:15:44,960
right time. 
But from a managed security 

278
00:15:44,960 --> 00:15:50,560
perspective, what we want to do 
is take the burden of day-to-day

279
00:15:50,560 --> 00:15:55,120
operations in various stages of 
our clients so that they can go 

280
00:15:55,120 --> 00:15:59,800
focus on more high value, high 
demand type of activities. 

281
00:16:00,880 --> 00:16:05,480
And we have everything from 
doing security monitoring all 

282
00:16:05,480 --> 00:16:08,040
the way up through incident 
response activities, all the way

283
00:16:08,040 --> 00:16:14,120
through DC service services 
etcetera that are all related to

284
00:16:14,120 --> 00:16:16,400
what we do from a a managed 
security perspective. 

285
00:16:16,400 --> 00:16:21,480
So we're really trying to help 
meet the clients where they are.

286
00:16:21,600 --> 00:16:24,640
So the name RSM Defense is that 
basically our term for the 

287
00:16:24,640 --> 00:16:28,920
managed SoC. 
Yes, that is the the trademark 

288
00:16:28,920 --> 00:16:32,200
name of our managed security or 
managed SoC, yes. 

289
00:16:32,360 --> 00:16:34,760
I can appreciate a trademark 
name as we have trademark RN as 

290
00:16:34,760 --> 00:16:36,800
well. 
How about unit 26? 

291
00:16:36,800 --> 00:16:38,520
Where does Unit 26 fall into 
this? 

292
00:16:39,320 --> 00:16:43,200
I'll let Todd give that story, 
but it's it is tied to the RSM 

293
00:16:43,200 --> 00:16:46,800
history a little bit, but I'll 
let Todd give that one. 

294
00:16:46,840 --> 00:16:49,440
Yeah, so you're not, you're not 
really a cool security team if 

295
00:16:49,440 --> 00:16:50,920
you don't have a cool, witty 
name, right? 

296
00:16:50,920 --> 00:16:53,720
That's that's pretty much a 
industry standard. 

297
00:16:53,720 --> 00:16:57,600
But no, it it really came, you 
know, the team wanted to, you 

298
00:16:57,600 --> 00:17:00,720
know, we have a big team aspect 
of what we do here and making 

299
00:17:00,720 --> 00:17:03,480
sure that we recognize that and 
the team themselves picked that 

300
00:17:03,480 --> 00:17:07,119
name right. 1926 is when RSM was
initially founded. 

301
00:17:07,880 --> 00:17:09,599
Unit 26, unit being a team, 
right? 

302
00:17:09,599 --> 00:17:12,200
That's what we went with. 
That's where it came from. 

303
00:17:12,200 --> 00:17:13,400
It's really the long and short 
of it. 

304
00:17:14,040 --> 00:17:17,400
So when we're talking about 
socks, we're not talking about 

305
00:17:17,400 --> 00:17:20,359
Sarbanes-Oxley. 
We're not talking about those 

306
00:17:20,359 --> 00:17:24,520
things you put on your feet. 
We're talking about SoC. 

307
00:17:25,359 --> 00:17:29,720
So Steve, what does SoC stand 
for and what is it like? 

308
00:17:29,720 --> 00:17:31,880
Make it as simple as so people. 
everyone can 

309
00:17:31,880 --> 00:17:35,680
understand. 
So SoC stands for Security 

310
00:17:35,680 --> 00:17:40,400
Operations Center. 
Its primary purpose is to 

311
00:17:40,520 --> 00:17:46,160
provide infrastructure, people, 
process, technology surrounding,

312
00:17:46,520 --> 00:17:52,120
monitoring your infrastructure 
in your client's environment, 

313
00:17:52,120 --> 00:17:57,760
your in your particular 
environment in a secured fashion

314
00:17:58,320 --> 00:18:05,840
with let's say refined processes
and procedures and executing 

315
00:18:05,840 --> 00:18:08,800
against those processes and 
procedures. 

316
00:18:08,800 --> 00:18:15,080
So it's about having a softening
unit of professionals that are 

317
00:18:15,080 --> 00:18:20,040
there watching when when nobody 
else is. 

318
00:18:20,040 --> 00:18:22,960
And I think Todd uses this 
phrase quite often. 

319
00:18:22,960 --> 00:18:27,640
But a lot of times the people 
that are in the SoC are the 

320
00:18:27,640 --> 00:18:29,560
smart people in the basement 
type of thing. 

321
00:18:29,600 --> 00:18:34,680
That when there's an incident 
that's that's coming or has 

322
00:18:34,680 --> 00:18:37,920
occurred, these are the people 
that you want on your side 

323
00:18:38,200 --> 00:18:43,280
defending you and trying to 
understand where patient zero is

324
00:18:43,280 --> 00:18:47,360
and and take all the necessary 
steps to respond and recover 

325
00:18:47,400 --> 00:18:50,040
from a security incident to 
cybersecurity incident. 

326
00:18:50,520 --> 00:18:53,320
Yeah, I mean, it's funny. 
Use the term patient zero. 

327
00:18:53,320 --> 00:18:58,960
Sound fault very much like like 
a military term in a lot of ways

328
00:18:58,960 --> 00:19:03,720
but I I know, I know it's not 
military but more like OK versus

329
00:19:03,720 --> 00:19:08,400
virus or sickness starting. 
But it's I mean the the amount 

330
00:19:08,400 --> 00:19:10,480
of attacks that are happening 
today right. 

331
00:19:10,640 --> 00:19:14,560
I mean, Todd, tell us like, you 
know, is, is it like a new ball 

332
00:19:14,560 --> 00:19:18,520
game now than it was maybe a 
decade to go with like, you 

333
00:19:18,520 --> 00:19:22,240
know, instead of being attacked 
a couple of times a week, you're

334
00:19:22,240 --> 00:19:25,880
getting attacked 24 hours a day.
What's the deal? 

335
00:19:26,680 --> 00:19:28,440
Yeah, Jim, that's a great 
question. 

336
00:19:29,520 --> 00:19:32,520
Business is movement if you have
somebody of questionable moral 

337
00:19:32,520 --> 00:19:38,000
ethics, right? 
No, I mean and frankly the the 

338
00:19:38,000 --> 00:19:40,240
IT hasn't changed all that much 
in my opinion, right. 

339
00:19:40,240 --> 00:19:42,520
I some people will think so and 
I'm sure there's some, you know,

340
00:19:42,520 --> 00:19:45,720
larger edge cases that support 
that the volume of them and the 

341
00:19:45,720 --> 00:19:50,840
ease of them have certainly 
increased their be made easier 

342
00:19:50,840 --> 00:19:53,040
over time, right. 
Since the, you know, the last 15

343
00:19:53,040 --> 00:19:55,480
years, correct. 
There's more connected systems 

344
00:19:55,480 --> 00:19:58,440
than ever where things are, you 
know, out there unsecured than 

345
00:19:58,440 --> 00:20:00,240
ever. 
There's more applications, your 

346
00:20:00,480 --> 00:20:04,200
identities are controlling a lot
more of this access to the data,

347
00:20:04,200 --> 00:20:06,840
right than they were ever before
and distributed systems that 

348
00:20:06,840 --> 00:20:09,400
people particularly don't have 
visibility around. 

349
00:20:09,400 --> 00:20:13,240
So yes, there's also a lot of 
things around, you know, 

350
00:20:13,280 --> 00:20:15,000
phishing. 
Phishing is still one of the 

351
00:20:15,680 --> 00:20:19,120
The top three ways that cyber 
attacks occur, breaches occur, 

352
00:20:19,120 --> 00:20:21,560
right and we've had phishing 
point solutions out on the 

353
00:20:21,560 --> 00:20:24,080
market now for the last 20 years
and nothing has seemingly got 

354
00:20:24,080 --> 00:20:25,680
better. 
It's only gotten worse or made 

355
00:20:27,160 --> 00:20:30,600
made more easily and readily 
accessible to threat actors, right.

356
00:20:30,600 --> 00:20:33,000
So I think the answer is yes and
no there Jim. 

357
00:20:33,000 --> 00:20:36,600
I think the other the other 
things that you know help 

358
00:20:36,600 --> 00:20:40,400
establish those ease of attack 
factors is again 

359
00:20:41,000 --> 00:20:43,000
vulnerabilities. 
Now back in the you know I say 

360
00:20:43,000 --> 00:20:47,040
back in the day or what I can 
date myself but you know usually

361
00:20:47,040 --> 00:20:49,520
when you would patch things, 
right, you had 30 days, right. 

362
00:20:49,520 --> 00:20:51,880
You know, deploy to a 
non-production system, test it, right. 

363
00:20:51,920 --> 00:20:56,120
That's sadly not the case 
anymore. Patching around high, you

364
00:20:56,120 --> 00:20:59,640
know, CVE-related vulnerabilities
almost needs to be a tier one 

365
00:20:59,640 --> 00:21:02,000
security initiative, right. 
I mean, there are threat actors 

366
00:21:02,000 --> 00:21:05,200
developing capabilities faster 
than ever before to turn around 

367
00:21:05,200 --> 00:21:09,360
vulnerabilities and exploits and
maybe weeks, days instead of, 

368
00:21:09,480 --> 00:21:10,160
you know, 
months. 

369
00:21:10,360 --> 00:21:15,160
You know, I always thought that 
SOCs, SOC would focus on 

370
00:21:16,160 --> 00:21:21,120
activities like our network is 
being scanned, there's a DDoS 

371
00:21:21,120 --> 00:21:23,720
attack. 
Is there more than that? 

372
00:21:23,720 --> 00:21:28,800
I mean you mentioned phishing, 
is the SOC also important in 

373
00:21:28,960 --> 00:21:31,160
those types of attacks? 
Yeah, absolutely. 

374
00:21:31,960 --> 00:21:34,840
Phishing is one of the I got the
biggest vectors on breaches and 

375
00:21:34,840 --> 00:21:36,760
how they occur in incidents in 
general. 

376
00:21:37,000 --> 00:21:39,680
Business e-mail compromise is 
another big one on that list. 

377
00:21:39,680 --> 00:21:41,880
I didn't get involved in e-mail,
just like phishing does. 

378
00:21:41,880 --> 00:21:45,360
But also what they're doing, the
threat actors, is subverting the

379
00:21:45,360 --> 00:21:48,120
trust models of these companies 
and corporations. 

380
00:21:48,440 --> 00:21:51,160
And they're going after the, I 
would say the weakest links of 

381
00:21:51,160 --> 00:21:54,200
those chains, right? 
Why would I, as a threat actor, 

382
00:21:54,200 --> 00:21:57,200
try to breach your, you know, 
$1,000,000 firewall solution, 

383
00:21:57,200 --> 00:21:59,960
right, When I can just send an 
e-mail and ask you for a pass, 

384
00:22:00,160 --> 00:22:01,120
right? 
It's a lot easier. 

385
00:22:01,400 --> 00:22:02,720
Same thing goes with animals, 
right? 

386
00:22:02,720 --> 00:22:05,320
I'm a hunter. 
I like going hunting things like

387
00:22:05,320 --> 00:22:07,280
that. 
Animals don't walk straight 

388
00:22:07,280 --> 00:22:09,560
uphill, they walk up on angles. 
They take the paths of least 

389
00:22:09,560 --> 00:22:12,320
resistance. 
They may escalate to those more 

390
00:22:12,640 --> 00:22:15,480
sophisticated types of attacks, 
but they're definitely going to 

391
00:22:15,480 --> 00:22:18,040
try the low-hanging fruit first to
get in right. 

392
00:22:18,040 --> 00:22:22,600
So it's become a game of 
kind of cat and mouse too, 

393
00:22:22,600 --> 00:22:26,360
especially the way once they do 
get in the way, they move around

394
00:22:26,360 --> 00:22:27,560
inside. 
They're using legitimate 

395
00:22:27,560 --> 00:22:30,800
applications and programs that 
you already used today to 

396
00:22:30,800 --> 00:22:34,040
administer your systems. 
So it's being able to find out 

397
00:22:34,040 --> 00:22:36,160
what the anomaly is. 
And you know some of them are 

398
00:22:36,160 --> 00:22:39,240
pretty telltale signs. 
EDR certainly got a lot better 

399
00:22:39,240 --> 00:22:41,560
and changed the game in that 
sense about making detections 

400
00:22:41,560 --> 00:22:44,240
around endpoints. 
Sure, you know the users use 

401
00:22:44,240 --> 00:22:46,160
endpoints, right. 
So that's where we want 

402
00:22:46,160 --> 00:22:48,720
to focus a lot of the attention,
not all of it, but most of it, 

403
00:22:49,320 --> 00:22:51,560
yeah, it's it's gotten I would 
say easier enough. 

404
00:22:51,760 --> 00:22:55,840
And I've got to think that the 
identity based attacks are, I 

405
00:22:55,840 --> 00:22:59,720
mean you've got to be 
focusing on that at some 

406
00:22:59,720 --> 00:23:03,280
degree, right, Because really 
it's about getting in the front 

407
00:23:03,280 --> 00:23:07,200
door, moving laterally, 
escalating privileges, seeing 

408
00:23:07,200 --> 00:23:12,680
how far you can get right. 
How is identity affecting or 

409
00:23:12,680 --> 00:23:16,520
fitting into what the SOC does? 
It's core. 

410
00:23:16,760 --> 00:23:18,760
It's absolutely core. 
We have to have identity 

411
00:23:18,760 --> 00:23:21,880
information to be able to do a 
good job at what we do every 

412
00:23:21,880 --> 00:23:24,160
day. 
You know, identity is 

413
00:23:24,240 --> 00:23:26,240
evolving, right? 
I mean I think you guys talk 

414
00:23:26,240 --> 00:23:29,640
about that every week on here. 
You know, not only do people 

415
00:23:29,640 --> 00:23:32,880
have identities, but devices 
have identities, applications 

416
00:23:32,880 --> 00:23:35,280
have identities, services now 
have identities. 

417
00:23:36,240 --> 00:23:39,000
So the identity space, in that 
sense, the attack 

418
00:23:39,160 --> 00:23:42,240
space is growing, right? 
So we have to know 

419
00:23:42,760 --> 00:23:44,840
how those identities are being 
used to be able to detect 

420
00:23:44,840 --> 00:23:47,640
anomalies, to be able to start 
incidents and detect breaches. 

421
00:23:48,520 --> 00:23:52,560
Steve, when would I? 
I know whether or not I can do a

422
00:23:52,560 --> 00:23:58,240
better job of doing my own 
security operations first when I

423
00:23:58,240 --> 00:24:01,800
would outsource it. 
And is it black and white or is 

424
00:24:01,800 --> 00:24:05,000
there shades of grey? 
As with everything, there are 

425
00:24:05,000 --> 00:24:10,480
shades of grey in different 
areas, but in general terms, 

426
00:24:10,560 --> 00:24:17,000
it's an expensive proposition to
build a SOC for your own 

427
00:24:17,000 --> 00:24:21,480
organization by yourselves. 
You're looking, you know to do 

428
00:24:21,480 --> 00:24:25,200
it the right way 24/7, have the 
right controls in place, have 

429
00:24:25,200 --> 00:24:27,560
the right technologies in place 
to support that. 

430
00:24:28,200 --> 00:24:32,280
You know you're generally 
looking north of $1,000,000 to 

431
00:24:32,280 --> 00:24:35,280
$2,000,000 just to even kind of 
get started. 

432
00:24:35,960 --> 00:24:38,400
Now obviously there are certain 
organizations that have 

433
00:24:38,400 --> 00:24:42,800
compliance regulations or you 
know specific personnel 

434
00:24:42,800 --> 00:24:46,720
requirements that mandate 
that they must go and make this 

435
00:24:46,720 --> 00:24:48,520
investment. 
And then you know they are 

436
00:24:48,520 --> 00:24:52,920
obviously controlled and 
governed by frameworks such as 

437
00:24:52,920 --> 00:24:55,640
NIST and FedRAMP and 
everything. 

438
00:24:55,640 --> 00:25:01,440
So there are different needs for
different companies in their 

439
00:25:01,440 --> 00:25:07,560
different states but nine times 
out of 10 it is not a worthwhile

440
00:25:08,120 --> 00:25:11,560
cost efficiency to to go and 
build your own SOC. 

441
00:25:11,560 --> 00:25:15,360
You want to leverage the 
scalability and the cost 

442
00:25:16,120 --> 00:25:19,080
favorability of a managed 
solution in that spot, Jim. 

443
00:25:19,240 --> 00:25:22,600
Yeah, I would imagine that it's,
you know, I think from a 

444
00:25:22,600 --> 00:25:26,320
business standpoint, the way to 
look at insource versus 

445
00:25:26,320 --> 00:25:32,040
outsource is I want to direct my
own personnel to areas that 

446
00:25:32,040 --> 00:25:35,640
provide business 
differentiation, business 

447
00:25:36,320 --> 00:25:39,400
advantage or value versus my 
competitors. 

448
00:25:39,680 --> 00:25:44,520
It seems like this kind of fits 
more into the infrastructure at 

449
00:25:44,520 --> 00:25:47,720
some level and below, but that 
there is some business 

450
00:25:47,720 --> 00:25:50,880
differentiation at some point 
where you know it does make 

451
00:25:50,880 --> 00:25:52,920
sense to have some of your own 
people. 

452
00:25:53,240 --> 00:25:55,680
Is that what you're seeing a lot
of organizations doing? 

453
00:25:55,680 --> 00:25:59,720
In a perfect world, you 
definitely have some of your own

454
00:25:59,720 --> 00:26:05,440
folks, especially on the, I'll 
say a Level 3 triage incident 

455
00:26:05,440 --> 00:26:10,000
response side of the house 
because you want your own people

456
00:26:10,000 --> 00:26:15,000
to know exactly where to go, 
what to do, and be able to react

457
00:26:15,000 --> 00:26:17,480
in a split second. 
And while a managed security 

458
00:26:17,480 --> 00:26:21,800
team can do, you know do that 
well for most organizations, 

459
00:26:23,040 --> 00:26:25,760
you're never going to be as 
intimately familiar with your 

460
00:26:25,760 --> 00:26:31,280
own, with an external entity as 
you would be on your own 

461
00:26:31,280 --> 00:26:35,480
internal side. 
So there's definitely where we 

462
00:26:35,480 --> 00:26:43,040
find the best examples of 
successful security teams is 

463
00:26:43,040 --> 00:26:47,720
where there is a blend of 
pulling in you know managed 

464
00:26:47,720 --> 00:26:51,480
security or external help in the
appropriate areas while still 

465
00:26:51,480 --> 00:26:56,760
maintaining your own, you know 
small core security team to help

466
00:26:56,760 --> 00:27:00,200
out. 
So definitely and something back

467
00:27:00,200 --> 00:27:07,320
to add to Todd's notices. 
So from where we sit, the 

468
00:27:07,960 --> 00:27:12,960
avenues of how threat actors get
in are still the same ways. 

469
00:27:13,400 --> 00:27:17,560
Meaning it's still the low level
tasks that need to be done, the 

470
00:27:17,560 --> 00:27:21,440
patching, making sure that users
are not clicking on things. 

471
00:27:21,440 --> 00:27:25,480
It's the basic hygiene that will
stop the majority of the 

472
00:27:25,480 --> 00:27:27,520
threats. 
And Todd talked about all that. 

473
00:27:27,520 --> 00:27:32,920
But being a little bit older 
than the rest of you all can 

474
00:27:32,960 --> 00:27:38,640
call it, still goes way back 
to early times in watching 

475
00:27:38,640 --> 00:27:42,120
and managing security. 
It's checked your front door. 

476
00:27:42,120 --> 00:27:47,320
Make sure there's you know as 
little gap as possible and you 

477
00:27:47,320 --> 00:27:50,520
know, make sure that you've 
armed your own personal team, 

478
00:27:50,520 --> 00:27:56,280
your your staff and all the 
business partners to understand 

479
00:27:56,520 --> 00:28:00,040
where the risks come from and 
set that priority accordingly. 

480
00:28:00,040 --> 00:28:03,120
But at the end of the day it's 
always the basic hygiene 

481
00:28:03,120 --> 00:28:05,240
stuff that gets a lot of 
our clients. 

482
00:28:06,080 --> 00:28:08,680
I'm the master of analogies 
here, and one of the things I 

483
00:28:08,680 --> 00:28:12,400
like to accord you back to is, 
you know, look it, if you were 

484
00:28:12,400 --> 00:28:14,280
going to, if you were going to 
commit a criminal act, right? 

485
00:28:14,280 --> 00:28:16,480
Especially like breaking and 
entering or something like that.

486
00:28:16,480 --> 00:28:18,320
Would you rather break into a 
house that has a bunch of 

487
00:28:18,320 --> 00:28:21,840
security, lighting and fences 
around it, or would you have to?

488
00:28:21,840 --> 00:28:23,840
Or would you be more 
advantageous to break into a 

489
00:28:23,840 --> 00:28:26,520
house that's got a bunch of 
overgrown bushes, no lighting, 

490
00:28:26,520 --> 00:28:27,600
perimeter lighting, things like 
that? 

491
00:28:27,600 --> 00:28:30,480
Well, that's obviously going to 
be the the target of opportunity

492
00:28:30,480 --> 00:28:33,240
there at that point. 
And I've written several 

493
00:28:33,240 --> 00:28:35,080
times about this on our RSM 
blog. 

494
00:28:35,080 --> 00:28:37,960
But you have to make yourself 
just sometimes unattractive 

495
00:28:37,960 --> 00:28:42,640
enough to waste time so that 
they move on to easier targets 

496
00:28:42,640 --> 00:28:45,160
sometimes. 
And doing those small things is 

497
00:28:45,200 --> 00:28:47,400
a big piece of that. 
Yeah, we've talked about this 

498
00:28:47,400 --> 00:28:49,600
where you have to you don't have
to be faster than everyone else,

499
00:28:49,600 --> 00:28:51,320
just faster than your friends 
when the bears chase. 

500
00:28:51,320 --> 00:28:54,320
That's right. 
Exactly, that is true 

501
00:28:54,320 --> 00:28:56,280
for a lot of us. 
I mean, to be honest, like it 

502
00:28:56,280 --> 00:28:58,840
does seem kind of cliche and 
funny, right? 

503
00:28:58,840 --> 00:29:02,800
But that is you know, if you're 
if you have a semblance of 

504
00:29:03,040 --> 00:29:06,080
roadblocks or making it 
difficult for threat actors to 

505
00:29:06,080 --> 00:29:07,720
achieve their goals and 
objectives. 

506
00:29:08,560 --> 00:29:11,200
I mean, time is money to them 
just like it is time is money to

507
00:29:11,200 --> 00:29:12,680
us in the business world 
sometimes, right. 

508
00:29:12,680 --> 00:29:16,160
So you move on to deals that are
more lucrative and going to, you

509
00:29:16,160 --> 00:29:17,600
know, return your investment. 
Super, right? 

510
00:29:18,520 --> 00:29:21,080
I think it's probably worth 
calling out that there's 

511
00:29:21,440 --> 00:29:22,680
different types of attacks, 
right? 

512
00:29:22,680 --> 00:29:26,560
If you are, you know, a random 
recipient of something like 

513
00:29:26,560 --> 00:29:29,000
that, that might be. 
But if you're a target, somebody

514
00:29:29,000 --> 00:29:30,920
is literally targeting your 
organization. 

515
00:29:31,240 --> 00:29:33,200
Now we're talking about a 
different level of threat, 

516
00:29:33,200 --> 00:29:35,400
right? 
Really doesn't matter how much 

517
00:29:35,400 --> 00:29:38,920
faster you are because they are 
looking to specifically get into

518
00:29:38,920 --> 00:29:43,000
your place. 
How does that play into the work

519
00:29:43,000 --> 00:29:45,560
that the SOC does? 
They become aware that, oh, 

520
00:29:45,560 --> 00:29:48,040
there is a target, you know, 
that there is specific target on

521
00:29:48,040 --> 00:29:49,440
someone's back when it comes to 
this? 

522
00:29:49,440 --> 00:29:52,160
Or does that get discovered as 
you go through this process? 

523
00:29:52,160 --> 00:29:53,120
Walk me through what they're 
like. 

524
00:29:53,640 --> 00:29:55,440
Absolutely. 
So one of the components of our 

525
00:29:55,440 --> 00:29:58,920
service, we have a, you know, a 
very good threat intelligence 

526
00:29:58,920 --> 00:30:02,240
apparatus in our team. 
We have people that spent years 

527
00:30:02,440 --> 00:30:04,520
doing threat intelligence for 
the government, things like 

528
00:30:04,520 --> 00:30:06,040
that, right. 
Yeah. 

529
00:30:06,040 --> 00:30:09,680
We do run across through some of
our open sources of 

530
00:30:09,760 --> 00:30:13,720
investigation that there are pending 
attacks clients are trying to 

531
00:30:13,720 --> 00:30:16,240
purchase and broker access into 
these certain client 

532
00:30:16,240 --> 00:30:17,280
environments and things like 
that. 

533
00:30:17,280 --> 00:30:20,320
And we do get heads up on those.
Hey, you're correct Jeff. 

534
00:30:20,320 --> 00:30:22,800
The and the one thing I'll say 
is you know once you do have a 

535
00:30:22,800 --> 00:30:25,400
target on your back and you're 
not a victim of I would say some

536
00:30:25,440 --> 00:30:29,040
commodity drive by malware, 
right, or ransomware, you have a

537
00:30:29,040 --> 00:30:33,200
serious problem on your hands. 
Because if depending on the data

538
00:30:33,200 --> 00:30:36,200
that you have and what you have 
and what they want right is good

539
00:30:36,200 --> 00:30:39,240
enough or great enough, like 
they will continue to come back,

540
00:30:39,280 --> 00:30:40,400
right. 
And they will not continue to 

541
00:30:40,400 --> 00:30:42,200
come back and just attacking you
directly. 

542
00:30:42,200 --> 00:30:45,640
They'll come at your compliances
or regulatory bodies. 

543
00:30:45,640 --> 00:30:48,120
They will come at you through 
third parties and vendors, right

544
00:30:48,720 --> 00:30:51,320
to try to gain access and the 
the attack surface just 

545
00:30:51,320 --> 00:30:54,640
continues which if you have 
somebody that is confirmed 

546
00:30:54,640 --> 00:30:58,440
action targeting you or the data
that you have at that point you 

547
00:30:58,480 --> 00:31:00,000
have seriously. 
Steve. 

548
00:31:00,000 --> 00:31:01,600
I mentioned a long history in 
this, and that's something I 

549
00:31:01,600 --> 00:31:05,760
want to ask you before is, have 
you seen the evolution of how a 

550
00:31:05,760 --> 00:31:09,000
SOC operates change over the 
years or is it still 

551
00:31:09,000 --> 00:31:13,040
fundamentally the same? 
The demands and the 

552
00:31:13,040 --> 00:31:21,280
stress on a SOC nowadays is 
I'll say tenfold just because of

553
00:31:21,280 --> 00:31:25,720
the expansion of where the 
threat sources can come from, 

554
00:31:25,720 --> 00:31:27,440
where the threat actors are 
targeting. 

555
00:31:27,880 --> 00:31:34,440
And as we have progressed moving
from on-prem equipment to the 

556
00:31:34,440 --> 00:31:40,120
cloud back to on-prem back to 
cloud and cloud really taking a 

557
00:31:40,120 --> 00:31:43,680
hold right now with everything 
we do, you know, with SaaS-based 

558
00:31:43,680 --> 00:31:48,840
platforms etcetera. 
The number of 

559
00:31:48,960 --> 00:31:53,840
investigations and the number of
sources of potential threats is 

560
00:31:53,840 --> 00:31:57,680
exponentially larger than it was
even 10 years ago. 

561
00:31:58,520 --> 00:32:03,640
So that evolution will continue 
until there's until the threat 

562
00:32:03,640 --> 00:32:05,960
actors are gone, which is never 
going to happen at this point 

563
00:32:06,280 --> 00:32:10,480
because again, they're driven, 
they're a business just like 

564
00:32:10,680 --> 00:32:14,080
anything else. 
And as long as they have some 

565
00:32:14,080 --> 00:32:17,360
motivating factors whether it be
political, financial or 

566
00:32:17,360 --> 00:32:21,920
whatever, it's still going to 
happen. At the end

567
00:32:21,920 --> 00:32:25,360
of the day we're human for
right now until AI takes over at

568
00:32:25,360 --> 00:32:28,800
some point. 
But we're human right now,

569
00:32:28,800 --> 00:32:35,440
and things are going to be 
accessible and all the good 

570
00:32:35,440 --> 00:32:39,160
intention that we can possibly 
do is not going to prevent every

571
00:32:39,160 --> 00:32:41,080
single attack. 
One thing to expand on there 

572
00:32:41,080 --> 00:32:44,000
real quick is you know I think 
Steve had a big point there 

573
00:32:44,000 --> 00:32:47,240
right is we on the defensive 
side of the house and this was 

574
00:32:47,240 --> 00:32:49,080
even true. 
You know back in the day we're 

575
00:32:49,160 --> 00:32:51,800
working at the government, stuff
like that, was we have to get 

576
00:32:51,800 --> 00:32:54,600
right all the time, right. 
And we have levels of, say, 

577
00:32:54,640 --> 00:32:57,560
bureaucracy that we have to go 
through to plug in a proverbial 

578
00:32:57,560 --> 00:33:00,000
Ethernet cable, right. 
They, these people don't have 

579
00:33:00,640 --> 00:33:02,520
that level of bureaucracy. 
They're very agile. 

580
00:33:02,520 --> 00:33:05,960
They're very, again, motivated. 
They don't have to ask for 

581
00:33:05,960 --> 00:33:07,560
permission and they just have to
get it right once. 

582
00:33:07,720 --> 00:33:09,040
Right. 
So the stakes are high. 

583
00:33:09,440 --> 00:33:13,000
And also what Steve mentioned 
too is, you know, at the ongoing

584
00:33:13,000 --> 00:33:15,440
relation to data, right. 
There is so much data out there,

585
00:33:15,440 --> 00:33:16,920
right. 
And that's one thing I 

586
00:33:16,920 --> 00:33:19,360
try to stress to clients is, 
you know, they want to

587
00:33:19,360 --> 00:33:21,360
collect this data source. 
They collect that data source. 

588
00:33:21,360 --> 00:33:23,000
And sometimes you have to ask, 
well, why? 

589
00:33:23,320 --> 00:33:24,600
Because now we have to secure 
it. 

590
00:33:24,600 --> 00:33:26,960
There's some good use 
cases for that, right. 

591
00:33:26,960 --> 00:33:29,040
And there's some good use cases 
for not collecting. 

592
00:33:29,160 --> 00:33:31,600
But you don't have to secure it.
Steve, I want to make this 

593
00:33:31,600 --> 00:33:34,560
actionable for our listeners, 
something that they can take 

594
00:33:34,560 --> 00:33:38,840
away and maybe something that if
they are responsible for 

595
00:33:39,080 --> 00:33:42,880
security operations that they 
can do something to improve 

596
00:33:42,880 --> 00:33:45,280
their world. 
And I started off the question 

597
00:33:45,280 --> 00:33:49,920
of when should I build my own 
SOC and when should I go to the

598
00:33:49,920 --> 00:33:52,680
managed service route. 
It sounds like there's this, 

599
00:33:52,840 --> 00:33:55,440
it's really a shade of grey in a
lot of cases. 

600
00:33:56,560 --> 00:34:00,800
But I also want to know like 
what are the economics? 

601
00:34:00,800 --> 00:34:05,920
And putting it to the point 
like, OK, maybe I have a SOC 

602
00:34:05,920 --> 00:34:08,639
already. 
It's something I run in house, 

603
00:34:09,840 --> 00:34:13,080
maybe it's partially I'm using 
some managed services. 

604
00:34:13,400 --> 00:34:17,120
How do I look at that? 
But also, like, if I'm greenfield,

605
00:34:17,120 --> 00:34:21,040
I don't have this today, you 
know, how do I approach this 

606
00:34:21,040 --> 00:34:25,600
from, you know, whether or not 
to start from scratch and build 

607
00:34:25,600 --> 00:34:29,280
on my own versus going the managed
route. 

608
00:34:30,000 --> 00:34:34,560
So a lot of things to 
consider, Jim, in that question 

609
00:34:34,639 --> 00:34:40,040
and for the listeners on this 
podcast, it's imperative 

610
00:34:40,040 --> 00:34:44,440
that you understand there's no 
right or wrong way to do this. 

611
00:34:44,560 --> 00:34:49,199
At the end of the day, as long 
as you are meeting the security 

612
00:34:49,199 --> 00:34:53,040
objectives of your organization,
you can do this in whichever way

613
00:34:53,040 --> 00:34:56,960
makes the most sense to 
achieve those objectives. 

614
00:34:57,640 --> 00:35:01,880
But the first thing you need to 
do is understand what is 

615
00:35:01,880 --> 00:35:06,360
governing the outcomes from your
security perspective. 

616
00:35:06,360 --> 00:35:12,800
Meaning are you compliance 
driven, are you driven by merger

617
00:35:12,800 --> 00:35:16,720
and acquisition targets? 
Are you driven by your own data?

618
00:35:16,920 --> 00:35:21,040
Are you driven by your 
intellectual property? 

619
00:35:21,040 --> 00:35:27,080
Like there are various ways that
you could be governed by and 

620
00:35:27,080 --> 00:35:32,400
once you understand what that is
then come back and say OK, I 

621
00:35:32,400 --> 00:35:36,080
have a team of three people 
currently they're doing you 

622
00:35:36,080 --> 00:35:40,760
know, some IT, some security and
you know some running around 

623
00:35:40,760 --> 00:35:44,880
field service type activity. 
You don't have a full-fledged 

624
00:35:44,880 --> 00:35:47,640
SOC because again, three 
people are not going to cover 24

625
00:35:47,640 --> 00:35:51,680
hours a day and the misnomer 
that threats only happen 8 to 5 

626
00:35:52,360 --> 00:35:57,840
went out the window a long time ago. 
So organizations that only 

627
00:35:57,840 --> 00:36:02,600
think they're protected just 
because they are doing it while 

628
00:36:02,600 --> 00:36:05,240
they're working. 
Most of the time your threat 

629
00:36:05,240 --> 00:36:10,200
actors are ten time zones over 
and they are just getting 

630
00:36:10,200 --> 00:36:12,360
started. 
Oh, it's imperative that you 

631
00:36:12,360 --> 00:36:18,520
also realize that if your 
environment, if your business is

632
00:36:18,520 --> 00:36:23,880
doing any kind of digital 
transaction of any kind, then 

633
00:36:23,880 --> 00:36:27,280
you're susceptible. 
No matter how small or how large

634
00:36:27,280 --> 00:36:31,280
you are, and a lot of times the 
smaller organizations don't 

635
00:36:31,280 --> 00:36:36,520
realize how susceptible they are
because they could 

636
00:36:36,720 --> 00:36:43,000
affect companies upstream based 
on how many you know what third 

637
00:36:43,000 --> 00:36:44,840
parties are involved in the 
process. 

638
00:36:45,560 --> 00:36:51,520
So once you identify what your 
objectives are, what your 

639
00:36:51,520 --> 00:36:56,360
current basis is, at the end of 
the day it comes down to people 

640
00:36:56,360 --> 00:36:58,720
and or technology to support the
effort. 

641
00:37:00,000 --> 00:37:03,120
While you can do this with you 
know, traditional SIEMs or cloud 

642
00:37:03,120 --> 00:37:07,400
based services or XDR or you 
know pick your acronym of 

643
00:37:07,400 --> 00:37:11,280
choice, you still need to make 
investment in people to 

644
00:37:11,280 --> 00:37:15,520
understand what that is. 
Right now, there are things that

645
00:37:15,600 --> 00:37:19,120
AI is going to help with 
certainly down the line as that 

646
00:37:19,120 --> 00:37:23,200
gets smarter and adapts to 
threat actor models, etcetera. 

647
00:37:24,520 --> 00:37:29,400
But for right now, it still 
needs to have some level of 

648
00:37:29,520 --> 00:37:33,800
human involvement to make the
right executions for the 

649
00:37:33,800 --> 00:37:38,440
business at hand. 
A lot of times, you know, like I

650
00:37:38,440 --> 00:37:41,000
said, you're going to need 
north of $1,000,000 probably 

651
00:37:41,000 --> 00:37:44,400
just to get started between 
having enough staff, having the 

652
00:37:44,400 --> 00:37:50,880
tools to do it and writing and 
training all of the people 

653
00:37:50,880 --> 00:37:54,840
writing the policies for all the
folks constantly updating and 

654
00:37:54,840 --> 00:37:58,000
training to stay abreast of 
current threats. 

655
00:37:58,000 --> 00:38:02,040
So there's a lot of things to 
really consider that I want the 

656
00:38:02,880 --> 00:38:06,520
the audience to understand that 
it's not, this is not you turned

657
00:38:06,520 --> 00:38:09,560
it on tomorrow and then you're 
ready to go. 

658
00:38:10,600 --> 00:38:14,040
We want to make sure that, you 
know, folks are successful 

659
00:38:14,040 --> 00:38:17,240
wherever they are in whatever 
fashion they want to do. 

660
00:38:17,320 --> 00:38:19,440
That's a great answer. 
You covered a lot of ground 

661
00:38:19,440 --> 00:38:22,120
there, Todd. 
I was kind of like keying off of

662
00:38:22,120 --> 00:38:26,240
some of the technologies that 
Steve mentioned there early on. 

663
00:38:27,120 --> 00:38:30,880
I guess one of my fundamental 
questions is you know when you 

664
00:38:30,880 --> 00:38:32,760
look at a SOC, what are you 
doing? 

665
00:38:32,760 --> 00:38:37,120
Are you like doing that, that 
SIEM function, like pulling in the

666
00:38:37,120 --> 00:38:42,440
logs from systems? Is it that 
plus some? Walk us through that, 

667
00:38:42,440 --> 00:38:45,440
what you know more or less it's 
kind of like how do I get 

668
00:38:45,440 --> 00:38:50,000
started but it's more just 
explain to folks like how's the 

669
00:38:50,000 --> 00:38:54,040
SOC thing done. 
Yeah, Jim, that's a good 

670
00:38:54,040 --> 00:38:55,880
question. 
There could be a long answer 

671
00:38:55,880 --> 00:38:58,240
that could be a short answer. 
And the short answer I'll give 

672
00:38:58,240 --> 00:39:03,160
you is, as a general practitioner
in the SOC, I would want as much

673
00:39:03,160 --> 00:39:06,360
data backing up my analysis and 
investigations as possible. 

674
00:39:06,360 --> 00:39:10,960
So data from whatever disparate 
sources or systems or stack 

675
00:39:10,960 --> 00:39:14,520
tools that you may have, you 
know, including identity, even 

676
00:39:14,520 --> 00:39:17,880
tools that people wouldn't think
would be relevant to security 

677
00:39:17,880 --> 00:39:20,840
operations. 
I can assure you it's 2:00 in 

678
00:39:20,840 --> 00:39:23,440
the morning and something's 
going on, they are 100% 

679
00:39:23,440 --> 00:39:26,520
relevant. 
If it requires me as the 

680
00:39:26,840 --> 00:39:30,280
the operator there to make a 
determination to bring down a 

681
00:39:30,280 --> 00:39:32,640
domain controller because 
something's weird going on or 

682
00:39:32,640 --> 00:39:35,480
disable a VIP user in the middle 
of the night, right. 

683
00:39:36,360 --> 00:39:37,840
The more context is better, 
right? 

684
00:39:37,840 --> 00:39:40,120
That's one of the things that 
identity is helping do is 

685
00:39:40,120 --> 00:39:43,320
bring context to a lot of the 
security alerts, right, 

686
00:39:43,320 --> 00:39:46,160
especially around what the roles
are, the permissions that may be

687
00:39:46,160 --> 00:39:50,280
in the organization. 
Identity is key to bringing 

688
00:39:50,280 --> 00:39:52,760
along that context in that we 
need to make those decisions 

689
00:39:52,760 --> 00:39:56,560
ultimately sometimes within 15 
minutes and less depending on 

690
00:39:56,560 --> 00:39:58,040
what SLAs are and things like 
that. 

691
00:39:58,040 --> 00:40:02,040
But you know again at the other 
side of that, you know Jim is 

692
00:40:02,680 --> 00:40:05,480
you know what we're doing is 
monitoring, detecting, 

693
00:40:05,800 --> 00:40:09,120
responding and trying to prevent
threats, right, and monitoring 

694
00:40:09,120 --> 00:40:10,720
requires bringing in all that 
data, right? 

695
00:40:10,800 --> 00:40:12,880
If we don't have the data, and 
especially if you don't have it 

696
00:40:12,880 --> 00:40:16,080
brought in into a normalized 
taxonomy, you're also going to 

697
00:40:16,120 --> 00:40:17,840
have a problem there from a 
SOC perspective. 

698
00:40:17,840 --> 00:40:20,880
So a lot of the SIEM systems do a
good job with that today.

699
00:40:22,480 --> 00:40:25,240
And then the detection piece is 
also hard to do right just 

700
00:40:25,240 --> 00:40:28,480
because you go out and spend a 
bunch of money on a SIEM system. 

701
00:40:28,720 --> 00:40:30,880
It's just a framework, right? 
Same thing with a bunch of EDR 

702
00:40:30,880 --> 00:40:33,640
tools. 
You can go get the new shiny EDR

703
00:40:33,640 --> 00:40:35,200
that's off the shelf at Black 
Hat, right? 

704
00:40:35,200 --> 00:40:39,440
And it's still not going to 
really do all that good for you,

705
00:40:39,440 --> 00:40:40,960
right. 
I mean there are it had gotten 

706
00:40:40,960 --> 00:40:43,920
better but if you don't have a 
threat detection engineering 

707
00:40:44,040 --> 00:40:46,800
team or something like that 
writing rules for what is bad or

708
00:40:46,800 --> 00:40:50,280
what known is known bad 
environments, it's going to make

709
00:40:50,280 --> 00:40:51,800
that tool less and less 
effective, right. 

710
00:40:51,800 --> 00:40:53,920
And less ROI, and you're going to 
end up ripping it out and 

711
00:40:53,920 --> 00:40:56,800
replace it for another blinky 
shiny box, right. 

712
00:40:58,000 --> 00:41:00,600
So yeah, there's a lot of work 
as Steve said going into that, 

713
00:41:00,600 --> 00:41:03,840
right. 
And but yeah, I mean those the 

714
00:41:03,840 --> 00:41:05,600
data is the most important 
thing, right? 

715
00:41:05,600 --> 00:41:08,720
And having the data normalized, 
when we're searching username or

716
00:41:08,720 --> 00:41:11,920
source ID, it's searching across
all of those systems in these 

717
00:41:11,960 --> 00:41:15,440
these taxonomies so that we know
what we're applying to and we 

718
00:41:15,440 --> 00:41:19,080
see the whole context. 
Yeah, to add to what Todd's 

719
00:41:19,080 --> 00:41:22,520
saying because he's 100% 
correct, but being that this is 

720
00:41:22,520 --> 00:41:25,400
an identity podcast, we want to 
make sure that we keep bringing 

721
00:41:25,400 --> 00:41:31,000
back the role of not only the 
user, but the asset that ties 

722
00:41:31,240 --> 00:41:37,280
everything together as well. 
The understanding what is normal

723
00:41:37,280 --> 00:41:42,320
behaviour from abnormal 
behaviour is such an important 

724
00:41:42,360 --> 00:41:44,320
piece of what the SOC is 
monitoring. 

725
00:41:44,880 --> 00:41:49,800
Knowing that ordinarily a 
person accesses these five 

726
00:41:49,800 --> 00:41:54,040
applications every single day, 
well, all of a sudden on day six

727
00:41:54,040 --> 00:41:57,080
they access something that they 
have never done before and it's 

728
00:41:57,080 --> 00:42:00,520
not in their business context to
do so. 

729
00:42:01,280 --> 00:42:04,840
That should send up a red flag 
immediately, and it does. 

730
00:42:04,880 --> 00:42:09,840
If you're configured properly in
the underlying systems, it will 

731
00:42:10,200 --> 00:42:13,840
raise a flag as far as changing 
the risk score of that 

732
00:42:13,840 --> 00:42:18,320
particular user. 
A lot of alerts come from 

733
00:42:19,760 --> 00:42:23,680
identities logging in from 
remote locations that they're 

734
00:42:23,680 --> 00:42:27,600
not usually coming in from, and 
a lot of it is noise because of 

735
00:42:27,600 --> 00:42:30,480
VPNs and people are travelling. 
We're, you know, we're global 

736
00:42:30,480 --> 00:42:33,840
society at this point, so a lot 
of it is noise. 

737
00:42:33,840 --> 00:42:40,440
However, unless somebody is 
visiting Nigeria or Japan or 

738
00:42:40,440 --> 00:42:44,600
China or whatever, like why 
would somebody be logging in 

739
00:42:44,600 --> 00:42:47,360
from those places? 
And your VPNs are not going to 

740
00:42:47,360 --> 00:42:53,120
be sourced in those countries. 
So that's the time that you want

741
00:42:53,120 --> 00:42:55,880
to at least investigate. 
Well wait a minute. 

742
00:42:55,960 --> 00:42:59,520
You know, Joe Smith has never 
left the country while 

743
00:42:59,520 --> 00:43:05,160
somebody's logging in from here, so
it is super imperative and has 

744
00:43:05,160 --> 00:43:12,440
been an increasingly necessary 
data source for any SOC at this 

745
00:43:12,440 --> 00:43:16,960
point given the proliferation of
of how identities are used. 

746
00:43:17,080 --> 00:43:19,840
And just to lay on to that, even
a more tactical perspective, 

747
00:43:19,840 --> 00:43:23,360
right, a lot of these, it's good
to know that Joe is logging in 

748
00:43:23,400 --> 00:43:26,480
from Laos, right, or Vietnam or 
something like that. 

749
00:43:26,480 --> 00:43:30,120
But what user agent he's using 
to do so, comparatively to the 

750
00:43:30,160 --> 00:43:33,280
old ones he's seen on the 
environment, what Windows device

751
00:43:33,280 --> 00:43:36,480
or what operating system they're
using, things like that are in 

752
00:43:36,480 --> 00:43:39,320
very important context that 
these identity systems are 

753
00:43:39,320 --> 00:43:43,040
bringing into the SOC. 
So help me understand this from 

754
00:43:43,400 --> 00:43:45,800
a step by step process. 
Can you kind of take me through 

755
00:43:45,800 --> 00:43:49,000
with the anatomy of a breach 
would look like where does 

756
00:43:49,000 --> 00:43:53,240
what's the SOC doing to 
prevent this or to mitigate the 

757
00:43:53,240 --> 00:43:55,960
chances of this happening? 
Todd, I don't think you were 

758
00:43:55,960 --> 00:43:58,280
kind of talking about maybe 
putting some examples together. 

759
00:43:58,720 --> 00:44:01,040
I'll hand it over to you. 
Yeah. 

760
00:44:01,040 --> 00:44:04,040
So great question. 
I mean, there is going to be a 

761
00:44:04,040 --> 00:44:07,560
couple phases that are always 
absolutely every, I guess breach

762
00:44:07,560 --> 00:44:10,080
or incident, right, or cyber 
attack, however you want to lay 

763
00:44:10,080 --> 00:44:12,360
it out. 
There's going to be some level 

764
00:44:12,360 --> 00:44:15,000
of reconnaissance that the 
adversary is going to do against

765
00:44:15,000 --> 00:44:17,400
you, right. 
They're going to use that to 

766
00:44:17,400 --> 00:44:20,200
determine weaknesses, vectors of
infection, right, attack 

767
00:44:20,200 --> 00:44:22,280
surfaces that they can go after,
right. 

768
00:44:22,800 --> 00:44:24,240
It's like any good research, 
right. 

769
00:44:24,240 --> 00:44:26,760
I mean, you know, and you know, 
Jim brought this up earlier, 

770
00:44:26,760 --> 00:44:29,920
like a lot of it sounds military
because it's kind of like that, 

771
00:44:29,920 --> 00:44:31,920
right? 
The the methodologies behind it,

772
00:44:31,920 --> 00:44:35,880
they certainly were like in a 
lot of ways that's why you see a

773
00:44:35,880 --> 00:44:39,120
lot of, you know, typically ex 
military, ex government people 

774
00:44:39,120 --> 00:44:42,040
in, you know, cybersecurity, 
things like that as well. 

775
00:44:42,040 --> 00:44:44,880
But I digress. 
But yeah, so there could be some

776
00:44:44,880 --> 00:44:47,960
sort of a constant stage that 
they're going to go after to try

777
00:44:47,960 --> 00:44:50,440
to probe you, essentially or 
figure out what you're about, 

778
00:44:50,440 --> 00:44:51,880
right? 
That could be social engineering

779
00:44:51,880 --> 00:44:54,280
attacks, phishing emails, right?
Things like that. 

780
00:44:55,120 --> 00:44:57,600
And then there's going to come a
phase of initial compromises 

781
00:44:57,600 --> 00:45:00,040
when they're going to make their
vector of infection, right? 

782
00:45:00,040 --> 00:45:02,200
They're either going to exploit 
some sort of software that 

783
00:45:02,200 --> 00:45:04,640
phishing e-mail they sent. 
It's going to be successful, 

784
00:45:05,040 --> 00:45:06,440
right? 
They're going to take advantage 

785
00:45:06,440 --> 00:45:08,600
of, you know, a vulnerability or
something like that. 

786
00:45:10,600 --> 00:45:12,840
The third phase of that is 
really going to be, you know, 

787
00:45:12,840 --> 00:45:15,000
maintaining persistence. 
Once they've got a foothold on a 

788
00:45:15,000 --> 00:45:17,160
machine, the next thing I'm 
going to do as a threat 

789
00:45:17,160 --> 00:45:19,160
actor is make sure I don't lose 
access, right? 

790
00:45:19,720 --> 00:45:22,800
And that's where we're also 
seeing a lot of the monetization

791
00:45:22,800 --> 00:45:25,040
of attacks nowadays. 
That's where some people stop, 

792
00:45:25,040 --> 00:45:27,120
right? 
There's things out there in 

793
00:45:27,120 --> 00:45:29,480
industry, initial access 
brokers, but that's all they're 

794
00:45:29,480 --> 00:45:31,920
doing, going and getting access 
and selling that access. 

795
00:45:31,960 --> 00:45:35,520
They're not actually, you know, 
encrypting anything, stealing 

796
00:45:35,520 --> 00:45:38,680
anything per SE, right? 
But they're compromising the 

797
00:45:38,680 --> 00:45:41,320
systems to then send it to 
somebody or sell to somebody who is

798
00:45:41,320 --> 00:45:42,960
going to take that, that next 
step, right? 

799
00:45:43,040 --> 00:45:45,400
So once they have a foothold in 
your system, and at this time, 

800
00:45:45,400 --> 00:45:48,080
they're usually either creating 
new accounts, creating new 

801
00:45:48,080 --> 00:45:51,520
identities, you know, just 
maintaining access, right, 

802
00:45:51,520 --> 00:45:53,840
creating back doors, web 
shells, whatever it may be that

803
00:45:53,920 --> 00:45:55,520
they're going to use to maintain
access. 

804
00:45:55,800 --> 00:45:58,080
They're going to try to move 
around laterally in the network,

805
00:45:58,080 --> 00:45:59,640
right? 
That, you know, expands their 

806
00:45:59,640 --> 00:46:01,440
access to the network. 
They'll start trying to figure 

807
00:46:01,440 --> 00:46:03,040
out where they are. 
Which of those systems they can 

808
00:46:03,040 --> 00:46:06,520
hit, you know, because you get 
into a network, you don't really

809
00:46:06,520 --> 00:46:08,040
know where you're at sometimes, 
right? 

810
00:46:08,040 --> 00:46:11,200
Or if you're on an an end user 
machine, you want to get more 

811
00:46:11,200 --> 00:46:14,520
access to see if you can get 
admin rights, things like that, 

812
00:46:14,640 --> 00:46:16,440
right? 
There's usually that's going to 

813
00:46:16,440 --> 00:46:19,480
get followed by some sort of 
like initial attack payload or 

814
00:46:19,480 --> 00:46:23,840
installation of attack, right, 
installing like exfiltration 

815
00:46:23,840 --> 00:46:26,680
tools or remote desktop 
software that we're seeing now 

816
00:46:26,680 --> 00:46:28,680
like, as of this recording, 
AnyDesk. 

817
00:46:28,880 --> 00:46:32,600
The incident just happened the 
other day, things like that, 

818
00:46:32,600 --> 00:46:33,600
right? 
Or they could be using your 

819
00:46:33,600 --> 00:46:36,200
infrastructure to support their 
operations for like crypto 

820
00:46:36,200 --> 00:46:39,360
mining and things like that. 
Usually some sort of malware is 

821
00:46:39,360 --> 00:46:43,640
involved in that in that stage. 
The last two stages are probably

822
00:46:43,640 --> 00:46:46,080
the most important ones, right? 
Is the actions and the 

823
00:46:46,080 --> 00:46:48,080
objective, right? 
So the actions that they're 

824
00:46:48,080 --> 00:46:50,200
going to take is ultimately 
stealing the data, disrupting 

825
00:46:50,200 --> 00:46:53,160
your operations, which is also 
where there's a lot of

826
00:46:53,240 --> 00:46:56,240
these organizations out there 
that just want to bring down 

827
00:46:56,240 --> 00:46:57,640
services and nothing else, 
right? 

828
00:46:57,640 --> 00:46:59,880
But this is their actions on 
objectives, to their goals. 

829
00:47:00,520 --> 00:47:02,960
You're going to start seeing the
data getting exfilled, right? 

830
00:47:02,960 --> 00:47:05,040
Deploying ransomware, things are
going to start getting 

831
00:47:05,040 --> 00:47:07,240
encrypted, right? 
Denial of service attacks are 

832
00:47:07,240 --> 00:47:10,760
going to start happening. 
And then finally, the last, the 

833
00:47:10,760 --> 00:47:12,600
last bit of it is the escape 
plan, right? 

834
00:47:12,600 --> 00:47:16,080
Is getting out, right? 
Destroying evidence, avoiding 

835
00:47:16,080 --> 00:47:19,120
detections, right? 
And usually that's where a lot 

836
00:47:19,120 --> 00:47:20,960
of breaches and incidents are 
detected. 

837
00:47:20,960 --> 00:47:23,880
And that's where, as a 
defensive operator, right? 

838
00:47:23,880 --> 00:47:26,600
That's not where we want to 
catch things when things are 

839
00:47:26,600 --> 00:47:28,880
going off at the end of the day.
And essentially at that point, 

840
00:47:28,880 --> 00:47:31,880
you've lost, right? 
This is where they're erasing 

841
00:47:31,880 --> 00:47:35,640
your evidence, covering their tracks,
clearing audit logs, disabling 

842
00:47:35,640 --> 00:47:38,160
other security tools, right, 
things of that nature. 

843
00:47:38,160 --> 00:47:41,440
That's the general 30,000 foot 
overview of the Anatomy of 

844
00:47:41,440 --> 00:47:44,040
attack. 
And you can see there in just 

845
00:47:44,040 --> 00:47:46,480
some of those things I mentioned
where identity would play a 

846
00:47:46,480 --> 00:47:49,560
large role in helping provide 
context to SOCs on attacks as 

847
00:47:49,640 --> 00:47:50,720
well. 
Yeah. 

848
00:47:50,720 --> 00:47:53,760
I was thinking as you're going 
through that, that there are 

849
00:47:53,760 --> 00:47:57,640
certain steps along the way that
probably have a certain 

850
00:47:57,640 --> 00:48:01,600
signature or footprint to them 
where it's like, OK, I've got, 

851
00:48:01,600 --> 00:48:04,400
I'm on a laptop, I've got 
administrative access. 

852
00:48:04,800 --> 00:48:10,800
Now I connect to a download site
on the dark web, quote unquote 

853
00:48:10,800 --> 00:48:15,920
or in Russia or wherever you're 
like, Now you go out and connect

854
00:48:15,920 --> 00:48:20,040
to that site. 
That's a pretty hot indicator, 

855
00:48:20,040 --> 00:48:21,080
right? 
Well. 

856
00:48:21,560 --> 00:48:25,200
Jim, I think that's the 
thing, it's even easier 

857
00:48:25,200 --> 00:48:27,600
than that, right? 
That's what you think is 

858
00:48:27,600 --> 00:48:29,200
happening. 
That is not what's happening. 

859
00:48:29,640 --> 00:48:32,480
What is happening is they're 
using the same shared services 

860
00:48:32,480 --> 00:48:34,960
infrastructure that everybody's 
using. 

861
00:48:34,960 --> 00:48:39,320
If I'm a threat actor and I'm 
exfilling data to some Tor node 

862
00:48:39,320 --> 00:48:42,080
in Russia, like that's that's 
some rookie level stuff in my 

863
00:48:42,080 --> 00:48:44,640
opinion. 
Like that's to be serious, 

864
00:48:44,640 --> 00:48:46,320
right. 
I'm going to spin up a new 

865
00:48:46,320 --> 00:48:49,400
Amazon EC2 instance attack you 
from infrastructure that's not 

866
00:48:49,400 --> 00:48:51,600
listed on any list. 
It's not showing out in any 

867
00:48:51,600 --> 00:48:55,240
country using Azure services, 
right. 

868
00:48:55,240 --> 00:48:57,800
Things like that to pull data to
known good IPs. 

869
00:48:57,800 --> 00:49:01,840
And this is how they're good at 
blending in or provide, you 

870
00:49:01,840 --> 00:49:03,640
know, a back end to a 
bulletproof hosting 

871
00:49:03,640 --> 00:49:05,440
infrastructure where they can't 
get taken down. 

872
00:49:05,440 --> 00:49:08,000
They're hosted out of 
contentious regions like 

873
00:49:08,480 --> 00:49:10,280
Ukraine, southern Ukraine,
right. 

874
00:49:10,280 --> 00:49:13,200
No one's going to go serve a 
subpoena to take down a server 

875
00:49:13,200 --> 00:49:15,320
in Donetsk right now, right? 
It's just it's just not 

876
00:49:15,320 --> 00:49:18,000
happening. 
But yeah, I mean, it's even it's

877
00:49:18,000 --> 00:49:20,800
even simpler than that, right? 
I mean we've even seen attacks 

878
00:49:20,800 --> 00:49:25,720
where you know we had a a 
regionalized hospital that was 

879
00:49:25,720 --> 00:49:29,080
based in the Northwest of the 
United States, like all the 

880
00:49:29,080 --> 00:49:33,120
attacks came from Seattle like 
where they're located. 

881
00:49:34,000 --> 00:49:36,480
So the adversary again during 
that reconnaissance phase knows 

882
00:49:36,480 --> 00:49:37,720
where their infrastructure's 
hosted. 

883
00:49:37,720 --> 00:49:40,640
So that would blend in better to
say sending something to 

884
00:49:40,640 --> 00:49:41,920
Nigeria. 
I mean if that's 

885
00:49:41,920 --> 00:49:45,320
going to Nigeria or you know 
Russia, like we're going to pick

886
00:49:45,320 --> 00:49:49,560
up on that immediately and shut 
that down making it harder by 

887
00:49:50,160 --> 00:49:52,120
blending in with what is known 
good, right. 

888
00:49:52,120 --> 00:49:54,840
They're using Amazon, they're 
using GCP, they're using Oracle 

889
00:49:54,840 --> 00:49:57,800
Cloud, right? 
Using those infrastructures 

890
00:49:57,840 --> 00:49:58,760
against you? 
Right. 

891
00:49:59,400 --> 00:50:01,000
Yeah, that's cool stuff. 
I mean it. 

892
00:50:01,000 --> 00:50:03,480
Well, cool from the standpoint, 
like, I didn't think of. 

893
00:50:03,480 --> 00:50:04,440
I agree. 
But. 

894
00:50:04,800 --> 00:50:07,600
It's all about not being 
detected, right? 

895
00:50:07,720 --> 00:50:08,680
Yeah. 
And that's the some of the 

896
00:50:08,680 --> 00:50:10,040
things. 
I mean that's where a, you know,

897
00:50:10,040 --> 00:50:13,040
a SOC operator's job and an 
analyst job is harder, right? 

898
00:50:13,040 --> 00:50:15,640
It is. 
I tell people, I've I've done a 

899
00:50:15,640 --> 00:50:18,800
lot of SOC analyst interviews 
in my time and I tell people 

900
00:50:18,800 --> 00:50:22,160
like it is the most rewarding 
and thankless job at the same 

901
00:50:22,160 --> 00:50:25,000
time, right? 
Because your job is difficult, 

902
00:50:25,000 --> 00:50:26,720
right? 
If something, one little 

903
00:50:26,720 --> 00:50:29,760
thing gets through, it's coming 
down on you right to some 

904
00:50:29,760 --> 00:50:31,000
degree. 
Hopefully you have leadership 

905
00:50:31,000 --> 00:50:33,360
that'll help stabilize that for 
you. 

906
00:50:33,360 --> 00:50:36,520
But you know, essentially right,
you have to get it right all the

907
00:50:36,520 --> 00:50:38,040
time, right? 
And that's that's where they 

908
00:50:38,040 --> 00:50:42,120
just have to get it right once. 
To equate it to a 

909
00:50:42,120 --> 00:50:44,120
football game, You're on 
defense. 

910
00:50:44,120 --> 00:50:47,120
You have no idea what play is 
being called on the offense side

911
00:50:47,880 --> 00:50:51,480
and you're asked to prevent them 
from getting to the end zone or 

912
00:50:51,480 --> 00:50:54,320
scoring. 
That's in essence, the job on 

913
00:50:54,800 --> 00:51:00,440
the SOC side is to make sure 
that you've laid out all of your

914
00:51:00,440 --> 00:51:05,240
defenses possible to try and 
prevent them from staging 

915
00:51:05,240 --> 00:51:09,920
forward. 
And it's it is never going to be

916
00:51:10,120 --> 00:51:14,720
100% effective. 
But it's your job is to keep as 

917
00:51:14,720 --> 00:51:18,400
many of the bogeys out of 
the end zone as possible. 

918
00:51:18,600 --> 00:51:22,840
And Todd's right, it is a super 
rewarding job. 

919
00:51:22,840 --> 00:51:28,880
It is super hard, but a lot of 
organizations don't, you know, 

920
00:51:29,240 --> 00:51:32,280
they don't always provide the 
the backing and support for 

921
00:51:32,280 --> 00:51:36,080
folks in that role. 
So it is a high burnout you 

922
00:51:36,080 --> 00:51:37,480
know, type of. 
Role. It's an easy 

923
00:51:37,480 --> 00:51:38,360
apparatus. 
Yeah. 

924
00:51:38,360 --> 00:51:40,560
It's an easy apparatus to blame 
when something goes wrong. 

925
00:51:40,680 --> 00:51:42,920
Right. 
When there's, you know, systemic

926
00:51:42,920 --> 00:51:45,960
problems above that, right, From
a program standpoint, you know, 

927
00:51:46,200 --> 00:51:47,960
a maturity standpoint, things 
like that, right? 

928
00:51:48,280 --> 00:51:49,920
Yeah. 
I hope you're picking up like 

929
00:51:50,080 --> 00:51:54,440
our passion for what we do, 
because it doesn't matter the 

930
00:51:54,440 --> 00:51:59,800
organization, it like this is a 
necessary item to protect 

931
00:52:00,120 --> 00:52:03,560
yourself, your clients, your 
customers, etcetera. 

932
00:52:04,040 --> 00:52:07,600
And unless you have some level 
of passion for it, it's not 

933
00:52:07,600 --> 00:52:10,880
going to be done right. 
So that's when you you really 

934
00:52:10,880 --> 00:52:14,880
need to look and say is this 
what we really should be 

935
00:52:14,880 --> 00:52:17,880
spending our efforts on or do we
rely on some experts to kind of 

936
00:52:17,880 --> 00:52:20,960
help us with that. 
So you'll you'll get the sense 

937
00:52:20,960 --> 00:52:23,520
that Todd and I probably should do 
our own podcast at some point, 

938
00:52:24,200 --> 00:52:27,640
but you'll get the sense that we
have passion for this topic 

939
00:52:27,640 --> 00:52:31,600
because it is super important 
for us and and what we do. 

940
00:52:31,720 --> 00:52:33,360
I got an idea. 
SOC at the Center there. 

941
00:52:33,360 --> 00:52:37,760
You go something like that. 
I got two final questions then 

942
00:52:37,760 --> 00:52:40,720
we'll end on a lighter note. 
You kind of touched on my first 

943
00:52:40,720 --> 00:52:43,080
one, which is what happens when 
things break down? 

944
00:52:43,600 --> 00:52:47,560
Nothing is perfect. 
What happens when something gets

945
00:52:47,560 --> 00:52:49,520
missed? 
I mean it's got to happen in the

946
00:52:49,520 --> 00:52:52,920
real world, right? 
What's I guess, Steve, what 

947
00:52:52,920 --> 00:52:55,600
happens when you know the 
service fails? 

948
00:52:56,520 --> 00:53:00,760
So dependent upon the threat 
actor and the type of vector 

949
00:53:00,760 --> 00:53:04,200
that they're getting in, it 
could be. 

950
00:53:05,320 --> 00:53:09,000
Let me take a step back, This is
why you don't have one layer of 

951
00:53:09,000 --> 00:53:11,360
defence. 
You have multiple layers of 

952
00:53:11,360 --> 00:53:14,400
defence. 
So if they get through the first

953
00:53:14,400 --> 00:53:19,200
layer then your secondary 
control should take into effect.

954
00:53:19,200 --> 00:53:24,920
So say an end user clicks on a 
phishing link, so the 

955
00:53:25,040 --> 00:53:27,240
first layer destroyed, they got 
through. 

956
00:53:27,240 --> 00:53:34,000
But your second layer, your DNS,
your endpoint, your your e-mail 

957
00:53:34,000 --> 00:53:38,000
threat protection, that should 
be your second layer of defence 

958
00:53:38,280 --> 00:53:40,960
protecting you from any further 
harm. 

959
00:53:41,000 --> 00:53:44,080
Well now if you have a third 
like they get through that 

960
00:53:44,080 --> 00:53:46,520
somehow because your controls 
were not as effective. 

961
00:53:46,520 --> 00:53:51,080
Now you have a third layer of 
defence where you use isolated 

962
00:53:51,080 --> 00:53:54,840
networks to control that. 
OK, so if somebody actually did 

963
00:53:54,840 --> 00:53:59,040
get in, it's only going to 
affect these 20 assets right 

964
00:53:59,040 --> 00:54:05,480
here. 
So it's important to employ or 

965
00:54:05,680 --> 00:54:10,640
you know, perform a defence 
in depth kind of strategy as 

966
00:54:10,640 --> 00:54:14,280
it relates to protecting 
environments because no single 

967
00:54:14,640 --> 00:54:18,280
line of defense is ever perfect 
and you want to make sure that 

968
00:54:18,280 --> 00:54:22,520
you are at least isolating your 
critical assets away from 

969
00:54:22,520 --> 00:54:27,560
anything that could be impacted.
So that critical crown jewel 

970
00:54:27,560 --> 00:54:33,480
is defined by the organization 
as you know, IP formulas, 

971
00:54:33,480 --> 00:54:35,480
secrets, trade secrets, 
etcetera. 

972
00:54:35,480 --> 00:54:41,760
Like you need to keep them as 
quote, unquote air gapped as 

973
00:54:41,760 --> 00:54:45,880
possible such that they do not 
get exposed because ultimately 

974
00:54:45,880 --> 00:54:49,560
that could be not only brand 
reputation but. 

975
00:54:49,680 --> 00:54:53,240
You know, long term effects of 
of impact to the group. 

976
00:54:53,280 --> 00:54:54,640
Yeah. 
Making it catastrophic to the 

977
00:54:54,640 --> 00:54:56,880
business, Yes. 
Trying to avoid that. 

978
00:54:57,680 --> 00:54:59,200
All right. 
So you guys have sufficiently 

979
00:54:59,200 --> 00:55:02,280
scared me. 
But what if I'm not scared and I

980
00:55:02,280 --> 00:55:05,520
want to become a SOC analyst? 
What would you recommend for 

981
00:55:05,520 --> 00:55:06,400
somebody who's listening out 
there? 

982
00:55:06,400 --> 00:55:07,480
It's like, oh, that sounds 
interesting. 

983
00:55:07,480 --> 00:55:10,840
How do I get into that world as 
a as a newbie or a beginner in 

984
00:55:10,840 --> 00:55:13,040
the space? 
Todd, I don't know. 

985
00:55:13,040 --> 00:55:18,200
Maybe we'll start with you. 
Yeah, you got to you got to be 

986
00:55:18,200 --> 00:55:20,040
curious. 
I think that's the thing, right?

987
00:55:20,040 --> 00:55:23,560
A lot of, and this could be a 
whole other episode on, you 

988
00:55:23,560 --> 00:55:27,080
know, kids that are graduating 
out of the the education 

989
00:55:27,080 --> 00:55:30,080
programs around cybersecurity. 
There's a there's a worldwide 

990
00:55:30,080 --> 00:55:33,800
industry talent shortage. 
I can understand some of that. 

991
00:55:34,560 --> 00:55:38,160
But a lot of them aren't coming 
prepared out of school to be SoC

992
00:55:38,160 --> 00:55:41,040
analysts. 
But you have to be curious, 

993
00:55:41,040 --> 00:55:42,880
right? 
If you think you're going to sit

994
00:55:42,880 --> 00:55:47,240
back and wait for these tools to
make detections for you and 

995
00:55:47,240 --> 00:55:49,840
you're not going to understand 
the fundamentals of how those 

996
00:55:49,840 --> 00:55:52,360
detections were formulated and 
made and things like that, like 

997
00:55:52,360 --> 00:55:53,280
you're going to have a hard 
time. 

998
00:55:53,840 --> 00:55:56,160
I think at least here at RSM,
you're going to have a hard 

999
00:55:56,200 --> 00:55:59,120
time. 
But yeah, you got to, you got to

1000
00:55:59,120 --> 00:56:01,320
understand you also have to 
check your ego at the door, 

1001
00:56:01,320 --> 00:56:02,960
right. 
There's things that you and 

1002
00:56:02,960 --> 00:56:04,920
Jeff, you know, Jim know that I 
don't know. 

1003
00:56:04,920 --> 00:56:06,800
There's things that I know that 
we, you know, you don't know. 

1004
00:56:06,800 --> 00:56:10,280
We have that kind of mantra in 
the security operations center 

1005
00:56:10,280 --> 00:56:13,200
here at RSM is, you know, 
everybody knows something, 

1006
00:56:13,200 --> 00:56:14,400
everybody brings something 
different. 

1007
00:56:14,400 --> 00:56:18,600
It's a real team aspect 
around that and we have to we 

1008
00:56:18,600 --> 00:56:20,560
have to parlay off each other 
and you have to be OK with 

1009
00:56:20,560 --> 00:56:22,840
getting it wrong. 
So as long as you're doing and 

1010
00:56:22,840 --> 00:56:25,000
what your actions are doing at 
the time and your analysis to 

1011
00:56:25,000 --> 00:56:28,120
justifiable and defensible you 
know trying to protect and do 

1012
00:56:28,120 --> 00:56:30,440
what's right for the clients. 
I don't think you're ever you're

1013
00:56:30,440 --> 00:56:32,720
a problem for me, right. 
But it's when you're not doing 

1014
00:56:32,720 --> 00:56:34,360
anything right that's the 
problems. 

1015
00:56:34,360 --> 00:56:38,720
But yeah, I mean you got to 
again, this is another thing is 

1016
00:56:38,720 --> 00:56:43,000
like I don't know what I would 
do if I had to do this job over 

1017
00:56:43,000 --> 00:56:44,560
again. 
And like I I don't want to seem 

1018
00:56:44,560 --> 00:56:47,320
like this is belittling or 
anything, but like if I had to 

1019
00:56:47,320 --> 00:56:50,320
put steering wheels on cars, like
in car manufacturing, like I 

1020
00:56:50,520 --> 00:56:53,840
think I'd go insane like every 
day doing the same job over and 

1021
00:56:53,840 --> 00:56:55,840
over. 
This job is very repetitive. 

1022
00:56:55,840 --> 00:56:58,480
But what changes every day is 
the tactics and techniques in 

1023
00:56:58,480 --> 00:56:59,800
there. 
So you're constantly having to 

1024
00:56:59,800 --> 00:57:03,920
learn new ways to make 
detections, see the activity, 

1025
00:57:03,920 --> 00:57:05,200
see the traffic you're going 
out. 

1026
00:57:05,200 --> 00:57:08,880
So it's very exciting from that 
point that they're they're 

1027
00:57:08,880 --> 00:57:11,440
always trying to get one up on 
you, right, the threat actors, 

1028
00:57:11,480 --> 00:57:13,840
right. 
So it's a constant learning 

1029
00:57:13,840 --> 00:57:15,560
battle. 
Your learning never stops. 

1030
00:57:15,960 --> 00:57:18,640
And you know, frankly, a lot of 
the, you know, if you're going 

1031
00:57:18,640 --> 00:57:21,280
to get into the SOC business, 
you know, understand like it is 

1032
00:57:21,280 --> 00:57:23,480
a tough game as well too. 
There's rotating schedules. 

1033
00:57:23,480 --> 00:57:25,480
Like we don't shut down, right? 
We're like 7-11. 

1034
00:57:25,480 --> 00:57:29,400
We're always out. 
That's hard on people too, or 

1035
00:57:29,400 --> 00:57:30,640
especially working overnight 
shifts. 

1036
00:57:30,640 --> 00:57:33,880
When I first started doing this,
I worked in a SOC full 

1037
00:57:33,880 --> 00:57:35,440
time and went to college full 
time. 

1038
00:57:35,480 --> 00:57:40,160
So I would work 5:00 PM to 2:00 
AM every night, class the next 

1039
00:57:40,200 --> 00:57:41,600
day. 
It's very rough, but you got to 

1040
00:57:41,600 --> 00:57:42,880
want to do it. 
It's got to be a passion of 

1041
00:57:42,880 --> 00:57:46,000
yours and we definitely see a a 
difference in the people that 

1042
00:57:46,000 --> 00:57:48,120
have a passion for it versus 
people that want to do it. 

1043
00:57:49,280 --> 00:57:51,080
So you have to be willing to be 
wrong. 

1044
00:57:51,080 --> 00:57:53,400
You got to continuously learn 
and you got to put yourself out there.

1045
00:57:53,880 --> 00:57:58,120
Steve, anything to add? 
No, he stole my thunder for 

1046
00:57:58,120 --> 00:58:03,200
me the when I'm doing interviews
and obviously Todd and I are yin

1047
00:58:03,200 --> 00:58:09,320
and yang on interviews. 
So what I'm looking for is I can

1048
00:58:09,320 --> 00:58:14,640
teach most people anything. 
So from a technical perspective,

1049
00:58:14,640 --> 00:58:19,560
I'm less worried about did you go 
to this SANS course or did you 

1050
00:58:19,560 --> 00:58:24,400
learn this particular thing or 
did you get this, you know, 

1051
00:58:24,400 --> 00:58:28,920
Security+ certification, etcetera. 
Like we can teach people that. If

1052
00:58:28,920 --> 00:58:34,440
you aren't a fast learner and 
curious about why a certain 

1053
00:58:34,440 --> 00:58:39,400
thing happens, your success as a
SOC analyst will be difficult 

1054
00:58:39,400 --> 00:58:44,360
because it's that curiosity that
drives your thought patterns on 

1055
00:58:44,360 --> 00:58:50,720
where to look for things. 
And once we would teach you the 

1056
00:58:51,000 --> 00:58:55,560
the paths to look for, then it's 
up to you to to put all of that 

1057
00:58:55,560 --> 00:59:01,760
together and say OK, now A does 
equal B, C, and then it goes to a 

1058
00:59:01,760 --> 00:59:05,680
letter that I don't know yet, 
but I know that it's not, it's 

1059
00:59:05,680 --> 00:59:10,160
not something that is correct or
a positive outcome. 

1060
00:59:10,160 --> 00:59:16,920
So it really comes down to how 
curious you are about learning 

1061
00:59:16,920 --> 00:59:22,160
and what the next thing is. 
So just like a a four year old 

1062
00:59:22,160 --> 00:59:26,040
or whatever asking the constant 
why that's the that's the kind 

1063
00:59:26,040 --> 00:59:31,000
of mentality that actually will 
do well as not only a SOC 

1064
00:59:31,000 --> 00:59:35,200
analyst, but as an incident 
responder and as other areas in 

1065
00:59:35,680 --> 00:59:39,600
the detect and respond side of 
the house. 

1066
00:59:39,760 --> 00:59:42,480
You got to have an investigation 
mindset, an investigation based 

1067
00:59:42,480 --> 00:59:44,960
mindset, right? 
I equate a lot of it, too. 

1068
00:59:44,960 --> 00:59:47,120
And I tell this to the SOC 
team, especially the new people 

1069
00:59:47,160 --> 00:59:49,680
that have never worked in a SOC
is you know, you're a police 

1070
00:59:49,680 --> 00:59:52,720
officer, you show up to a crime 
scene, it's just you and 

1071
00:59:52,720 --> 00:59:54,720
whatever's in front of you and 
the crime scene, right. 

1072
00:59:55,360 --> 00:59:56,880
What do you do? 
Well, you got to start asking 

1073
00:59:56,880 --> 00:59:58,560
neighbors, right? 
I start canvassing the area, 

1074
00:59:58,560 --> 01:00:00,360
looking for cameras, looking for
evidence, right? 

1075
01:00:00,800 --> 01:00:02,600
There's there's a bunch of 
things that in that 

1076
01:00:02,600 --> 01:00:05,120
investigatory mindset that you 
have to have, and the same 

1077
01:00:05,120 --> 01:00:06,480
thing translates into a SOC, 
right? 

1078
01:00:06,480 --> 01:00:08,680
An alert goes off. 
That's just the genesis and 

1079
01:00:08,680 --> 01:00:10,960
where you need to begin. 
Like where do I need to go find 

1080
01:00:10,960 --> 01:00:12,560
firewall logs? 
Who is this user? 

1081
01:00:12,560 --> 01:00:13,680
What are they doing on the 
network? 

1082
01:00:13,680 --> 01:00:15,520
What access roles do they have, 
right. 

1083
01:00:16,120 --> 01:00:17,720
You got to go through all that 
very quickly too. 

1084
01:00:17,800 --> 01:00:19,280
All right. 
So we're up over an hour. 

1085
01:00:19,680 --> 01:00:20,880
We're going to start to wrap it 
up. 

1086
01:00:21,000 --> 01:00:22,280
We got a little serious there at
the end. 

1087
01:00:22,280 --> 01:00:23,920
So we got to, we have to end on 
a lighter note. 

1088
01:00:25,360 --> 01:00:28,240
Steve, you brought up a Super 
Bowl or football analogies. 

1089
01:00:28,240 --> 01:00:29,320
We're going to talk about the 
Super Bowl. 

1090
01:00:29,880 --> 01:00:32,160
Here's my my question for all of
you. 

1091
01:00:32,160 --> 01:00:34,960
So by the time people listen to 
this, it's going to be Monday, 

1092
01:00:35,360 --> 01:00:38,280
February 12th. The Super Bowl 
would have taken place last 

1093
01:00:38,280 --> 01:00:40,000
night. 
We're recording this a week in 

1094
01:00:40,000 --> 01:00:42,080
advance. 
Who is going to win the Super 

1095
01:00:42,080 --> 01:00:44,800
Bowl and why is it going to be 
the 49ers? 

1096
01:00:45,320 --> 01:00:50,480
Todd, we'll start with you. 
Well, being a Philadelphia sports

1097
01:00:50,480 --> 01:00:52,960
fan, I hope none of them win. 
I'll say that. 

1098
01:00:54,160 --> 01:00:56,560
But I think the I think the 
Chiefs are going to win. 

1099
01:00:58,640 --> 01:01:00,520
I think their their offense is 
too potent. 

1100
01:01:00,520 --> 01:01:03,320
Their defense has been stepping 
up recently in the last couple 

1101
01:01:03,320 --> 01:01:05,000
of weeks here, especially in the
playoffs. 

1102
01:01:06,280 --> 01:01:08,640
I think equally could be said 
about the 49ers, but I just 

1103
01:01:08,640 --> 01:01:11,000
don't think they have the the 
talent there on the offensive 

1104
01:01:11,000 --> 01:01:12,160
side to get it done. 
Boo. 

1105
01:01:12,160 --> 01:01:13,920
Wrong answer, Jim. 
How about yourself? 

1106
01:01:13,920 --> 01:01:16,880
Who are you picking between the 
49ers and the Chiefs? 

1107
01:01:18,440 --> 01:01:20,600
I was hoping not to even have 
this conversation with you, 

1108
01:01:20,600 --> 01:01:22,720
Jeff, because obviously you're 
biased. 

1109
01:01:22,720 --> 01:01:24,200
OK, but I. 
Don't know what you're talking 

1110
01:01:24,200 --> 01:01:25,400
about. 
We're vendor neutral here. 

1111
01:01:26,000 --> 01:01:31,280
Vendor neutral, we'll accept. 
When it comes to NFL, I'm going 

1112
01:01:31,280 --> 01:01:34,640
with the Chiefs and the reason 
why is Patrick Mahomes. 

1113
01:01:34,840 --> 01:01:39,040
I mean look at all those Super 
Bowls that the Patriots won. 

1114
01:01:39,040 --> 01:01:42,160
And I think it came down to Tom 
the GOAT. 

1115
01:01:42,360 --> 01:01:47,440
And yeah, that's. 
I just think that Mahomes is 

1116
01:01:47,440 --> 01:01:50,280
going to find a way to win. 
Sorry to tell you that, Jeff. 

1117
01:01:50,280 --> 01:01:53,640
I don't think it's going to be a
blowout, but I do think he's got

1118
01:01:53,640 --> 01:01:55,280
the edge. 
All right. 

1119
01:01:55,280 --> 01:01:56,840
Oh, for two, Steve. 
All right. 

1120
01:01:56,920 --> 01:01:58,240
So why are the 49ers going to 
win? 

1121
01:01:58,240 --> 01:02:01,080
So everyone's. 
Ignoring the elephant in the 

1122
01:02:01,080 --> 01:02:03,880
room, the reason the Chiefs are 
going to win is because of 

1123
01:02:03,960 --> 01:02:06,400
Taylor. 
That is the reason that they're 

1124
01:02:06,400 --> 01:02:08,400
going to win. 
At least that's the way the 

1125
01:02:08,400 --> 01:02:12,480
media will have you believe. 
Finally, a real NFL analysis 

1126
01:02:12,480 --> 01:02:16,080
getting done here. 
I think she just won a Grammy 

1127
01:02:16,080 --> 01:02:18,440
last night. 
Obviously I'm I'm unfortunately 

1128
01:02:18,440 --> 01:02:21,440
not in the United States so I 
can't see the the Grammys from 

1129
01:02:21,440 --> 01:02:24,280
where I am, in El Salvador 
currently, but she did win. 

1130
01:02:25,640 --> 01:02:30,840
Besides the fact as a loyal 
Philadelphia fan and 

1131
01:02:30,840 --> 01:02:34,120
unfortunately Jeff you're you've
got three of us on the call here

1132
01:02:34,640 --> 01:02:36,800
on the podcast today. 
I don't know how you did that 

1133
01:02:38,320 --> 01:02:43,280
and witnessing what happened 
last year when the Eagles should

1134
01:02:43,280 --> 01:02:48,560
have won that flipping football 
game in the Super Bowl, there's 

1135
01:02:48,560 --> 01:02:51,600
no way Kansas City loses the 
game again. 

1136
01:02:51,600 --> 01:02:57,800
It will not be a blue out, a 
blowout, but I I just they got 

1137
01:02:57,800 --> 01:02:59,400
hot at the right time of the 
year. 

1138
01:02:59,400 --> 01:03:02,840
They were really mediocre or 
horrible in the beginning part 

1139
01:03:02,840 --> 01:03:06,280
of the year, but they turned it 
on at the right time and I think

1140
01:03:06,280 --> 01:03:09,200
it's it's just a matter of time 
to to complete that. 

1141
01:03:09,200 --> 01:03:12,920
So, unfortunately, it will not 
be the 49ers. 

1142
01:03:12,920 --> 01:03:15,760
It will be Kansas City Chiefs. 
You know, it's a real shame to 

1143
01:03:15,760 --> 01:03:19,120
have so many smart people on 
this podcast and not be able to 

1144
01:03:19,120 --> 01:03:21,760
to to pick the right team here. 
Ruin it in the last 30 seconds. 

1145
01:03:22,600 --> 01:03:24,040
That's right. 
I'm going to cut this out. 

1146
01:03:24,440 --> 01:03:26,640
Since I do all the editing, I'm 
going to make you guys say, Oh 

1147
01:03:26,640 --> 01:03:29,240
yeah, the 49ers going to win. 
I obviously I'm going for the 

1148
01:03:29,240 --> 01:03:33,480
49ers going to stand forever. 
It will continue to be so I 

1149
01:03:33,480 --> 01:03:36,600
think they win 35-28. 
I think it'll be a close game. 

1150
01:03:36,600 --> 01:03:38,320
I don't want it to be a blowout.
I want it to be a good. 

1151
01:03:39,600 --> 01:03:43,880
I think that's yeah, the lock it
in, get those bets in and don't 

1152
01:03:44,040 --> 01:03:46,680
hold me accountable. 
This has been a great 

1153
01:03:46,680 --> 01:03:48,120
conversation. 
We're going to leave it there. 

1154
01:03:48,520 --> 01:03:50,360
I know that there's all kind of 
a lot to cover. 

1155
01:03:50,360 --> 01:03:52,080
This is kind of the the 
beginnings of it. 

1156
01:03:52,080 --> 01:03:54,280
But I'm glad you guys were able 
to make some time for us to talk

1157
01:03:54,280 --> 01:03:55,880
through this. 
I think this is an area that 

1158
01:03:55,880 --> 01:03:58,000
again a lot of people hear 
about, but they don't really 

1159
01:03:58,000 --> 01:04:00,840
kind of get to peel back and 
look behind the curtain 

1160
01:04:00,840 --> 01:04:02,400
sometimes. 
So I appreciate you guys taking 

1161
01:04:02,400 --> 01:04:04,440
the time with us. 
We'll have some links in our 

1162
01:04:04,440 --> 01:04:05,800
show notes for people to check 
out. 

1163
01:04:05,800 --> 01:04:08,160
You know, Todd, you mentioned 
some blog stuff that you've 

1164
01:04:08,160 --> 01:04:09,760
written. 
So we'll get a a link to that in

1165
01:04:09,760 --> 01:04:11,040
our show notes if you want to 
check that out. 

1166
01:04:11,480 --> 01:04:14,520
And then if you guys want to 
connect, we always put LinkedIn 

1167
01:04:14,520 --> 01:04:18,080
profiles so you can connect with
Todd and Steve as well as Jim 

1168
01:04:18,080 --> 01:04:20,240
and myself as we go through 
that. 

1169
01:04:20,400 --> 01:04:24,840
And then we're on the web, 
idacpodcast.com, Twitter at IDAC

1170
01:04:24,960 --> 01:04:29,680
Podcast, Mastodon at IDAC 
Podcast at infosec.exchange. 

1171
01:04:29,680 --> 01:04:31,600
Still don't like the way Mastodon

1172
01:04:31,600 --> 01:04:34,120
does their names, but nothing to
be done about it right now. 

1173
01:04:35,160 --> 01:04:37,360
Like subscribe to all that 
stuff, keep sharing with it. 

1174
01:04:37,760 --> 01:04:40,560
I continue to see a Reddit 
thread that keeps talking about 

1175
01:04:40,560 --> 01:04:43,160
how people enjoy the show. 
So hats off to the folks who are

1176
01:04:43,160 --> 01:04:45,080
in that thread. 
Not that I was checking or 

1177
01:04:45,080 --> 01:04:48,160
anything while recording, but it
was kind of cool to see that. 

1178
01:04:48,160 --> 01:04:50,440
So with that, we'll go ahead and
leave it for this week. 

1179
01:04:50,600 --> 01:04:52,960
Thanks everybody for listening 
and we'll talk with you all in 

1180
01:04:52,960 --> 01:04:55,640
the next one. 
You've been listening to 

1181
01:04:55,640 --> 01:04:59,560
Identity at the Center. 
We hope you've enjoyed the show.

1182
01:04:59,720 --> 01:05:03,960
Make sure to like, rate and 
review and we'll be back soon. 

1183
01:05:04,080 --> 01:05:06,400
But in the meantime, hit the 
website at 

1184
01:05:06,400 --> 01:05:13,480
identityatthecenter.com and find 
us on Twitter at IDAC Podcast. 

1185
01:05:13,920 --> 01:05:18,080
See you next time on Identity at
the Center.

