1
00:00:00,040 --> 00:00:02,040
That was another one that I 
thought was surprising. 

2
00:00:02,040 --> 00:00:04,440
And there were a few things 
underlying that one. 

3
00:00:04,440 --> 00:00:06,840
One is the nature of ransomware 
attacks has changed. 

4
00:00:06,840 --> 00:00:10,840
It used to be, you know, sort of
like NotPetya, we're just 

5
00:00:10,840 --> 00:00:13,280
going to encrypt all your 
machines and then we we'll sell 

6
00:00:13,280 --> 00:00:18,760
you the decryption keys. 
But now what's happening is, is 

7
00:00:18,760 --> 00:00:23,040
attackers are exfiltrating 
sensitive data or data that they

8
00:00:23,040 --> 00:00:26,560
can get their hands on anyway 
and holding that for ransom. 

9
00:00:26,560 --> 00:00:30,080
They're, they're saying things 
like we're going to publicize 

10
00:00:30,080 --> 00:00:34,880
all this information and, and if
you don't pay us money for the, 

11
00:00:34,920 --> 00:00:37,040
for the data. 
So you've got two things you 

12
00:00:37,040 --> 00:00:40,320
have to buy now. 
You've got decryption keys and 

13
00:00:40,520 --> 00:00:45,400
the get rid of my data key if 
you will. 

14
00:00:45,840 --> 00:00:47,760
But how do you really know that 
they're deleting the data? 

15
00:00:48,000 --> 00:00:49,720
Well, yeah. 
Is there, is there such a thing 

16
00:00:49,720 --> 00:00:53,920
as honor to say, OK, well, I 
promise as as you're, you know, 

17
00:00:54,760 --> 00:00:58,800
assigned criminals that I will, 
that I will delete the data that

18
00:00:58,800 --> 00:01:08,120
you get that you paid me for. 
This is identity at the center 

19
00:01:08,840 --> 00:01:11,920
if it has anything to do with 
IAM. 

20
00:01:11,960 --> 00:01:18,480
This is the go to podcast now 
your hosts Jim McDonald and Jeff

21
00:01:18,480 --> 00:01:26,280
Stedman. 
Welcome to the Identity at the 

22
00:01:26,280 --> 00:01:27,880
Center podcast. 
I'm Jeff, and that's Jim. 

23
00:01:27,880 --> 00:01:30,040
Hey, Jim. 
Hey, Jeff, how are you? 

24
00:01:30,520 --> 00:01:32,720
Oh, not so bad yourself. 
Good. 

25
00:01:32,720 --> 00:01:34,560
I'm excited to talk about 
ransomware. 

26
00:01:34,560 --> 00:01:36,840
How about you? 
It's always a good time to talk 

27
00:01:36,840 --> 00:01:39,600
about ransomware and that's why 
we that's why we do this right, 

28
00:01:39,600 --> 00:01:41,840
is to protect people from 
ransomware, hopefully mitigate 

29
00:01:41,840 --> 00:01:44,600
the risks associated with it. 
So yeah, let's get into it. 

30
00:01:45,080 --> 00:01:46,560
We've got a sponsored episode 
today. 

31
00:01:46,720 --> 00:01:48,320
This one's brought to us by 
Semperis. 

32
00:01:48,560 --> 00:01:53,560
You can visit them on the web at
semperis.com. 

33
00:01:53,720 --> 00:01:56,680
And I want to welcome back Gil 
Kirkpatrick. 

34
00:01:56,680 --> 00:01:58,440
He's the chief architect at 
Semperis. 

35
00:01:58,920 --> 00:02:01,200
Gil, welcome back to Identity 
Center 'cause you've been with 

36
00:02:01,200 --> 00:02:02,720
us before. 
Yeah. 

37
00:02:02,720 --> 00:02:04,000
Thanks, Jeff. 
I really appreciate it. 

38
00:02:04,000 --> 00:02:05,080
It's good to see you again too, 
Jeff. 

39
00:02:06,000 --> 00:02:08,520
So we were talking before we hit
record and it was like, Oh yeah,

40
00:02:08,520 --> 00:02:09,759
it was just on like maybe a year
ago. 

41
00:02:09,759 --> 00:02:11,280
And then we looked it up. 
I was like, oh, it was actually 

42
00:02:11,280 --> 00:02:14,520
three years ago, September of 
2021. 

43
00:02:14,520 --> 00:02:16,600
So, you know, people can go back
and listen to that. 

44
00:02:16,760 --> 00:02:19,480
I'm not sure where this episode 
will be 315, somewhere in that 

45
00:02:19,480 --> 00:02:23,200
area maybe, but you were on 
episode 110 like way back in the

46
00:02:23,200 --> 00:02:24,680
day. 
So people can go check that out,

47
00:02:24,720 --> 00:02:26,880
see what's changed. 
But let's talk a little bit 

48
00:02:26,880 --> 00:02:28,720
about, you know, you and the 
identity space. 

49
00:02:29,200 --> 00:02:31,560
Rick, Bruce Lee, how did you get
into the identity space? 

50
00:02:31,560 --> 00:02:34,720
Because I don't even know if we 
asked that question back then. 

51
00:02:34,720 --> 00:02:36,240
Yeah. 
I don't remember if we talked 

52
00:02:36,240 --> 00:02:40,160
about it or not, but it it. 
So I've been in, I've been 

53
00:02:40,160 --> 00:02:43,960
building commercial software 
products for just about 50 

54
00:02:43,960 --> 00:02:45,840
years, which is kind of a long 
career. 

55
00:02:47,880 --> 00:02:55,160
And my first, the first platform
I really worked on in the PC 

56
00:02:55,160 --> 00:02:58,800
networking environment. 
So in the, in the, you know, 

57
00:02:58,800 --> 00:03:03,040
late 80s, early 90s was, was 
Banyan, Banyan networks. 

58
00:03:03,560 --> 00:03:07,680
Now not too many people remember
Banyan, but it was the, the only 

59
00:03:07,680 --> 00:03:12,680
legitimate enterprise scale PC 
network at the time. 

60
00:03:12,680 --> 00:03:15,640
There was Novell and Microsoft 
was sort of off on the side. 

61
00:03:16,360 --> 00:03:19,320
Banyan Vines. 
Yeah, exactly right. 

62
00:03:20,960 --> 00:03:25,640
And the the interesting thing 
about Banyan Vines was it had an

63
00:03:25,640 --> 00:03:30,800
integrated directory, 
distributed directory for groups

64
00:03:30,800 --> 00:03:33,760
and users and I think computers 
as well. 

65
00:03:34,440 --> 00:03:37,600
And that was a concept that 
nobody had really thought about 

66
00:03:37,600 --> 00:03:39,640
before, or at least not 
commercially anyway. 

67
00:03:39,640 --> 00:03:44,840
And it was largely invented by 
Jim Allchin, who later became 

68
00:03:45,720 --> 00:03:50,480
a VP in the technology side of 
Microsoft and drove a lot of 

69
00:03:50,480 --> 00:03:54,840
what became Active Directory. 
So that's, that's really where I

70
00:03:54,840 --> 00:03:58,040
started. 
I build products to help people 

71
00:03:58,080 --> 00:04:03,680
manage their Banyan Vines 
environment and then did similar

72
00:04:03,680 --> 00:04:07,760
kinds of things for NetWare NDS
eDirectory. 

73
00:04:08,600 --> 00:04:11,840
And then that's sort of when 
Microsoft came out with Active 

74
00:04:11,840 --> 00:04:14,240
Directory. 
I was at a company called 

75
00:04:14,240 --> 00:04:15,680
NetPro. 
And in fact, we've been working 

76
00:04:15,680 --> 00:04:19,120
with Microsoft for several years
before they shipped Active 

77
00:04:19,120 --> 00:04:23,440
Directory in 2000. 
And we had, we built management 

78
00:04:23,440 --> 00:04:26,440
and yeah, management products 
primarily for for Active 

79
00:04:26,440 --> 00:04:30,560
Directory. 
And then since then it's, it's 

80
00:04:30,560 --> 00:04:34,080
been, you know, Active Directory
related stuff. 

81
00:04:34,880 --> 00:04:38,760
And then I was the CTO at 
identity management company in 

82
00:04:38,760 --> 00:04:44,040
Australia that built sort of 
industrial scale X500 

83
00:04:44,040 --> 00:04:47,400
directories. 
We did a fair amount of work 

84
00:04:47,400 --> 00:04:51,960
with OpenID Connect and OAuth 
and those those newer web 

85
00:04:51,960 --> 00:04:56,200
protocols. 
And then came to Semperis in 

86
00:04:56,200 --> 00:05:01,680
2017, I think it was twenty. 
Yeah, that sounds about right. 

87
00:05:02,880 --> 00:05:04,520
So do you consider yourself an 
I? 

88
00:05:05,240 --> 00:05:07,960
Do you consider yourself an 
identity person or a software 

89
00:05:08,200 --> 00:05:09,800
developer or somewhere in the 
middle? 

90
00:05:10,680 --> 00:05:12,000
Yeah, somewhere in the middle, I
would say. 

91
00:05:12,000 --> 00:05:15,320
I, I, I'm, yeah, I mean, 
definitely a software guy. 

92
00:05:15,320 --> 00:05:19,400
I think my, my sweet spot is in 
software design and development,

93
00:05:20,280 --> 00:05:23,360
but my focus has been on 
identity related issues for the 

94
00:05:23,360 --> 00:05:27,600
last 20 years, you know, 
something like that. 

95
00:05:28,440 --> 00:05:34,520
So I'm, I'm very in tune with 
all of the issues around 

96
00:05:34,520 --> 00:05:39,040
managing enterprise identity and
in the last, you know, four or 

97
00:05:39,040 --> 00:05:45,040
five years on all of the ways 
that identity can be attacked 

98
00:05:45,040 --> 00:05:48,520
and misused. 
So I've become, you know, 

99
00:05:48,520 --> 00:05:51,280
pretty, pretty knowledgeable in 
that area as well. 

100
00:05:52,480 --> 00:05:53,640
Well, I'm glad you're here with 
us. 

101
00:05:53,640 --> 00:05:55,480
And you know, this is a 
sponsored episode. 

102
00:05:55,480 --> 00:05:57,280
So Semperis is sponsoring this 
episode. 

103
00:05:57,280 --> 00:06:00,520
So make that very clear. 
So let's learn more about 

104
00:06:00,520 --> 00:06:01,960
Semperis. 
I know we we just had an episode

105
00:06:01,960 --> 00:06:03,520
not too long ago where we talked
with Eric Woodruff. 

106
00:06:03,520 --> 00:06:07,160
But let's get your take on, you 
know, tell us what Semperis is, 

107
00:06:07,160 --> 00:06:08,680
what it does and and that good 
stuff. 

108
00:06:09,280 --> 00:06:11,480
Sure. 
So, so Semperis builds products 

109
00:06:11,480 --> 00:06:16,480
for enterprises to improve the 
security and resilience of their

110
00:06:16,480 --> 00:06:19,920
hybrid identity platform. 
So typically that's Active 

111
00:06:19,920 --> 00:06:29,000
Directory and Azure, or Entra 
ID now. And the, the basic idea 

112
00:06:29,000 --> 00:06:32,520
is if, if you've seen the NIST
cybersecurity framework, you 

113
00:06:32,520 --> 00:06:37,600
know, you got those five phases 
of, of managing a cyberattack of

114
00:06:37,720 --> 00:06:41,000
identify, protect, detect, 
respond and recover. 

115
00:06:41,880 --> 00:06:46,920
We try to cover all of those 
activities related to the 

116
00:06:46,920 --> 00:06:52,680
identity system. 
So we've got as an example and 

117
00:06:52,680 --> 00:06:56,840
identify and protect, we have a 
free tool called Purple Knight, 

118
00:06:57,480 --> 00:07:01,000
which is people love this thing.
It's astounding how how many 

119
00:07:01,000 --> 00:07:03,080
people have downloaded it and 
use it all the time. 

120
00:07:03,680 --> 00:07:07,200
But it does a comprehensive 
analysis of your Active 

121
00:07:07,200 --> 00:07:11,680
Directory environment and your 
security posture along with 

122
00:07:11,680 --> 00:07:16,240
Entra ID and gives you a really 
easy to use report card about 

123
00:07:16,240 --> 00:07:19,280
how you're doing in different 
segments of configuration and 

124
00:07:19,280 --> 00:07:24,160
management and gives you 
suggestive remediations and all 

125
00:07:24,160 --> 00:07:26,120
of that. 
So people end up, they download 

126
00:07:26,120 --> 00:07:29,520
it, they run it, a lot of people
run it monthly. 

127
00:07:29,680 --> 00:07:32,960
They make that part of their 
monthly reporting activity to 

128
00:07:33,840 --> 00:07:37,400
either IT or security that shows
how they're doing as far as 

129
00:07:37,400 --> 00:07:41,480
securing their Active Directory.
So that's that's one end of the 

130
00:07:41,480 --> 00:07:43,520
spectrum. 
Then we have a product called 

131
00:07:43,520 --> 00:07:49,720
the Directory Service Protector 
DSP, which has that same sort of

132
00:07:52,240 --> 00:07:55,360
evaluation of your Active 
Directory configuration, but it 

133
00:07:55,360 --> 00:07:59,560
does it continuously. 
So you know immediately if 

134
00:07:59,560 --> 00:08:02,720
there's some aspect of your 
security posture that's degraded

135
00:08:02,720 --> 00:08:04,960
in some way and you can respond 
to that. 

136
00:08:06,520 --> 00:08:10,040
And it also logs, it keeps track
of all of the changes that have 

137
00:08:10,040 --> 00:08:11,600
been made to your Active 
Directory. 

138
00:08:11,600 --> 00:08:15,520
And it does it in a way that 
doesn't rely on the logging 

139
00:08:15,520 --> 00:08:18,480
system because the event logs 
are one of the things that 

140
00:08:18,480 --> 00:08:20,960
attackers turn off almost the 
first thing. 

141
00:08:21,840 --> 00:08:25,040
It actually monitors the 
replication activity in AD and 

142
00:08:25,040 --> 00:08:29,920
uses that to essentially 
construct a timeline of of your 

143
00:08:29,920 --> 00:08:33,039
Active Directory history so you 
can see what things are being 

144
00:08:33,039 --> 00:08:36,840
changed and roll those changes 
back if you want to do that. 

145
00:08:37,760 --> 00:08:42,480
And then in the most recent 
version of DSP, we've added 

146
00:08:43,880 --> 00:08:48,040
activity monitoring. 
So it's actually tracking 

147
00:08:48,640 --> 00:08:51,960
authentication of users and 
computers against AD and what 

148
00:08:51,960 --> 00:08:56,480
services they're referencing and
detects things like brute force 

149
00:08:56,480 --> 00:09:00,320
attacks or password spray 
attacks or any kind of anomalous

150
00:09:00,640 --> 00:09:03,920
authentication behavior. 
Again, with the idea of trying 

151
00:09:03,920 --> 00:09:06,800
to detect attacks that are in 
progress so that you can then, 

152
00:09:07,840 --> 00:09:10,680
you know, start your incident 
response and, and remediate to 

153
00:09:10,720 --> 00:09:14,200
isolate the machines or, or 
disable the users, that sort of 

154
00:09:14,200 --> 00:09:18,280
thing. 
Then finally we have a product 

155
00:09:18,280 --> 00:09:20,920
called ADFR, Active Directory 
Forest Recovery. 

156
00:09:21,520 --> 00:09:25,680
And this is, this is probably 
the product that most customers 

157
00:09:25,680 --> 00:09:30,080
start with, or this is the, this
is the product that most 

158
00:09:30,080 --> 00:09:35,360
customers come to us about 
because recovering Active 

159
00:09:35,360 --> 00:09:39,760
Directory, the entire forest for
backup is really, really hard. 

160
00:09:41,560 --> 00:09:45,560
And the likelihood of success if
you're just following the, the 

161
00:09:45,560 --> 00:09:49,640
Microsoft playbook is less than 
20%. 

162
00:09:49,880 --> 00:09:53,280
I used back in the day, I used 
to run a workshop where we would

163
00:09:53,280 --> 00:09:56,600
walk people through the recovery
process for AD. 

164
00:09:57,640 --> 00:09:59,680
It gave them a virtual 
environment with four domain 

165
00:09:59,680 --> 00:10:03,600
controllers and two domains and 
a a checklist of every single 

166
00:10:03,600 --> 00:10:06,120
command you had to type in to 
actually make that happen. 

167
00:10:06,880 --> 00:10:11,760
And it was a sort of a 2/3 of a 
day, 6 hour kind of thing. 

168
00:10:12,600 --> 00:10:15,480
And the success rate was about 
20%. 

169
00:10:15,480 --> 00:10:18,320
Even with all of the commands 
that you need to know that you 

170
00:10:18,320 --> 00:10:22,320
have to type in, sometimes it 
just doesn't work and you don't 

171
00:10:22,320 --> 00:10:23,840
know why. 
So you have to start over again.

172
00:10:24,160 --> 00:10:29,440
So that recovering AD from 
backup is hard and 84 automates 

173
00:10:29,440 --> 00:10:32,960
that whole process. 
So it turns what might be a a, 

174
00:10:33,200 --> 00:10:37,560
you know, a many day recovery 
process for a, for a larger 

175
00:10:37,560 --> 00:10:41,920
enterprise into a couple of 
hours and six clicks. 

176
00:10:43,400 --> 00:10:45,480
So I think now you're now 
hopefully people listening are 

177
00:10:45,480 --> 00:10:48,320
starting to understand why we're
talking to you and specifically 

178
00:10:48,320 --> 00:10:50,320
about ransomware, right? 
Because these are these are 

179
00:10:50,320 --> 00:10:54,480
typically the things get broken 
during that kind of of attack. 

180
00:10:55,080 --> 00:10:57,360
I know we want to go through a 
ransomware report that you guys 

181
00:10:57,360 --> 00:11:01,120
have, but I have, you know, my 
own questions around Semperis. 

182
00:11:01,920 --> 00:11:04,600
Where does the company name come
from like came up with Semperis 

183
00:11:04,600 --> 00:11:06,040
and what does it mean? 
Does it mean anything? 

184
00:11:06,760 --> 00:11:11,200
Yeah, so, so it, it, I think so.
I was a part of the conversation

185
00:11:11,200 --> 00:11:16,440
that led to that name. 
But it came from, you know, the 

186
00:11:16,440 --> 00:11:19,080
Latin, you know, always, always 
watching. 

187
00:11:20,200 --> 00:11:23,120
And that's, that's sort of the 
ideas is that that our products 

188
00:11:23,120 --> 00:11:25,320
are always watching your 
environment to make sure it 

189
00:11:25,320 --> 00:11:28,040
stays safe. 
And it also sort of relates to 

190
00:11:28,040 --> 00:11:31,080
the Semper Fi and the Marine 
Corps and, and, and all of that.

191
00:11:31,440 --> 00:11:36,200
It's, it's not an explicit DoD 
reference, but it's, it's 

192
00:11:36,200 --> 00:11:38,720
definitely trying to convey the 
fact that we're, we're always 

193
00:11:38,720 --> 00:11:40,600
there and always faithful and 
always watching. 

194
00:11:42,120 --> 00:11:45,400
So what is it that you think 
makes your solution unique in 

195
00:11:45,400 --> 00:11:47,240
the space? 
Because I imagine you probably 

196
00:11:47,240 --> 00:11:50,960
run into a lot of, you know, 
jaded IT security people out 

197
00:11:50,960 --> 00:11:52,360
there that are like, Oh yeah, 
great. 

198
00:11:52,360 --> 00:11:54,840
Another tool right In this type 
of cyber security space. 

199
00:11:55,160 --> 00:11:57,360
What is it, do you think, that 
keeps, you know, people coming 

200
00:11:57,360 --> 00:11:58,840
back and why you've been so 
successful? 

201
00:12:00,080 --> 00:12:05,400
It's our focus on the identity 
system. 90% of cyber attacks go 

202
00:12:05,400 --> 00:12:08,920
through the identity system in 
one way or another, either 

203
00:12:08,920 --> 00:12:14,360
through stolen credentials or 
otherwise compromised account 

204
00:12:15,680 --> 00:12:20,360
session hijacking, doing 
reconnaissance in Active 

205
00:12:20,360 --> 00:12:23,600
Directory, trying to find 
potentially sensitive resources 

206
00:12:23,600 --> 00:12:26,640
or, or privileged accounts, 
elevation of privileges. 

207
00:12:27,240 --> 00:12:29,360
All of that goes through the 
identity system. 

208
00:12:29,440 --> 00:12:32,520
And for 90% of the world that's 
Active Directory. 

209
00:12:34,960 --> 00:12:40,720
And we have a, a, you know, a 
complete focus on securing and, 

210
00:12:40,720 --> 00:12:43,200
and improving the resilience of 
Active Directory. 

211
00:12:43,600 --> 00:12:45,040
I think that's why we've been 
successful. 

212
00:12:45,040 --> 00:12:53,840
That combined with we've managed
to build a ridiculously good and

213
00:12:53,880 --> 00:12:56,880
smart team of Active Directory 
experts. 

214
00:12:57,600 --> 00:13:00,880
I mean, I, I think somebody, 
somebody calculated this Sean 

215
00:13:00,880 --> 00:13:06,000
Deuby who who runs our, our HIP
Podcast and is one of our 

216
00:13:07,080 --> 00:13:10,640
technical experts, I think he 
calculated we have like 200 

217
00:13:10,640 --> 00:13:14,920
years of Microsoft MVP 
experience, you know, something 

218
00:13:14,920 --> 00:13:16,840
like that, all focused on Active
Directory. 

219
00:13:16,840 --> 00:13:20,720
Plus we've got several guys who 
came from Microsoft, you know, 

220
00:13:20,720 --> 00:13:24,760
the PFE professional field 
engineer or Premier field 

221
00:13:24,760 --> 00:13:28,360
engineer environment. 
So we have lots of very, very 

222
00:13:28,360 --> 00:13:31,440
smart ADP. 
So 200 years, that's either one 

223
00:13:31,440 --> 00:13:36,640
really old guy or a couple, a 
couple of old couple, sort of 

224
00:13:36,640 --> 00:13:41,800
old hogs. 
What is it that you know, the 

225
00:13:41,800 --> 00:13:43,440
question we get a lot is, OK, 
well, that's great. 

226
00:13:43,440 --> 00:13:45,120
I've got a tool. 
How do I get the return on 

227
00:13:45,120 --> 00:13:46,880
investment on it? 
Like what's the way that you 

228
00:13:46,880 --> 00:13:49,640
measure success? 
Is it, I guess, how do your 

229
00:13:49,640 --> 00:13:53,800
customers measure the success of
of the of the purchase of the 

230
00:13:53,800 --> 00:13:55,280
investment that they've made in 
your tools? 

231
00:13:56,320 --> 00:14:00,760
So, so a really easy description
or easy way to explain that is 

232
00:14:00,760 --> 00:14:06,360
with ADFR and forest recovery 
and you just the simplest way to

233
00:14:06,360 --> 00:14:12,760
measure it is how, how long does
it take you to how much effort 

234
00:14:12,760 --> 00:14:14,400
do you spend backing up Active 
Directory? 

235
00:14:14,400 --> 00:14:17,360
How long does it take you to 
recover from backup in a new 

236
00:14:17,360 --> 00:14:20,640
environment? 
So as if you had a cyber attack,

237
00:14:21,880 --> 00:14:23,200
how long does it take you to do 
it now? 

238
00:14:23,200 --> 00:14:24,640
And how long does it take you to
do that? 

239
00:14:24,960 --> 00:14:29,800
And now reliably after you have 
ADFR and it's, you know, the, 

240
00:14:29,840 --> 00:14:35,200
the differences start. 
Mostly organizations have never 

241
00:14:35,200 --> 00:14:41,040
recovered AD from backup or the 
ones that have did it in sort of

242
00:14:41,040 --> 00:14:44,760
a test environment or they did 
it by taking virtual machine 

243
00:14:44,760 --> 00:14:48,640
snapshots and then, you know, 
resetting to those which, you 

244
00:14:48,640 --> 00:14:51,840
know, none of those are 
effective when you're recovering

245
00:14:51,840 --> 00:14:56,000
from a cyber attack. 
So that's really all it takes. 

246
00:14:56,680 --> 00:15:02,600
And when we demo ADFR for people
who have had the experience 

247
00:15:03,120 --> 00:15:06,720
trying to recover AD from a 
cyber attack and they just see 

248
00:15:06,720 --> 00:15:10,360
it happen sort of automatically,
that's, that's the value 

249
00:15:10,360 --> 00:15:14,400
proposition right there. 
If you look at something like 

250
00:15:14,400 --> 00:15:19,640
Purple Knight or Directory Service
Protector DSP, you get a, a sort

251
00:15:19,640 --> 00:15:24,440
of continuous feedback of your 
security posture in AD. 

252
00:15:25,040 --> 00:15:28,320
So it, it provides you a way of 
measuring how well you're doing 

253
00:15:29,160 --> 00:15:32,120
and you can use that to 
basically measuring your 

254
00:15:32,120 --> 00:15:33,520
success. 
So a lot of people say, well, I 

255
00:15:33,520 --> 00:15:37,400
used to be my authentication 
security was a D and now it's a B.

256
00:15:37,640 --> 00:15:42,200
So you know, that's awesome. 
So I think that's that's another

257
00:15:42,200 --> 00:15:45,360
way that customers use to to 
measure their success. 

258
00:15:46,040 --> 00:15:48,360
It's nice to have like, that 
tangible, tangible scorecard, 

259
00:15:48,360 --> 00:15:49,400
right? 
Look, mom, I got an A. 

260
00:15:49,440 --> 00:15:50,920
Yep. 
Yeah, exactly. 

261
00:15:50,960 --> 00:15:53,480
It's, it's exactly right. 
You'd think it it's kind of 

262
00:15:53,480 --> 00:15:58,320
silly, but if if you're in the 
identity space or in IT security

263
00:15:58,320 --> 00:16:03,120
and you need to explain to 
senior management, you know, how

264
00:16:03,120 --> 00:16:06,080
are you doing now and how would 
you improve things like kill 

265
00:16:06,080 --> 00:16:08,400
card's first and and people get 
it right. 

266
00:16:08,400 --> 00:16:12,800
They they they can understand 
that a D is bad and a B is, you 

267
00:16:12,800 --> 00:16:14,080
know, not too bad, but it could 
be an A. 

268
00:16:14,160 --> 00:16:16,520
So yeah, maybe work a little 
harder that sort of let. 

269
00:16:17,880 --> 00:16:19,720
Me ask you a side question here 
because I want to talk about HIP

270
00:16:19,720 --> 00:16:22,800
Conf next, but is it realistic 
to get an A? 

271
00:16:23,440 --> 00:16:25,640
Because I, I see a lot of times 
it's like there are risk 

272
00:16:25,640 --> 00:16:28,080
decisions that get made and 
maybe something gets sacrificed 

273
00:16:28,080 --> 00:16:30,840
in the name of like a user 
experience or, you know, a 

274
00:16:30,840 --> 00:16:33,040
business process and there's 
like risk acceptance. 

275
00:16:33,040 --> 00:16:36,560
But do you think it's realistic 
to say yes to get all A's on 

276
00:16:36,560 --> 00:16:41,680
that sort of analysis? 
Probably not I I'd say probably 

277
00:16:41,680 --> 00:16:45,400
not A's across the board 
probably doesn't make sense 

278
00:16:45,400 --> 00:16:51,440
because the the cost to do that 
probably not worth the risk that

279
00:16:51,440 --> 00:16:54,720
it it mitigates. 
Meaning like the remediation 

280
00:16:54,720 --> 00:16:56,760
steps to like get to that A on
that next level. 

281
00:16:56,760 --> 00:16:58,080
Yeah. 
Yeah, exactly. 

282
00:16:59,760 --> 00:17:03,200
But I think it's, it's really 
important to understand where 

283
00:17:03,200 --> 00:17:05,440
you're at. 
And that way you can make those 

284
00:17:05,920 --> 00:17:10,040
trade off decisions cautiously 
and say, yeah, we could. 

285
00:17:10,560 --> 00:17:14,240
This this application is kind of
a risk because of the way Java's

286
00:17:14,240 --> 00:17:17,280
handling credentials. 
But we know that we've protected

287
00:17:17,280 --> 00:17:19,359
the server. 
It's on an isolated network. 

288
00:17:19,359 --> 00:17:21,319
So you know, that's OK. 
We'll, we'll do that. 

289
00:17:22,119 --> 00:17:24,800
Yeah, other layers right to help
descend whatever it may be. 

290
00:17:25,440 --> 00:17:28,240
Exactly. 
Let's talk about HIP Conf 

291
00:17:28,240 --> 00:17:31,640
because this is something that's
taking place in November, 

292
00:17:31,800 --> 00:17:35,240
November 13th of 14. 
It's in New Orleans, so that's 

293
00:17:35,240 --> 00:17:36,920
exciting. 
We actually have a discount code

294
00:17:37,320 --> 00:17:40,440
IDAC POD. 
We'll get you 20% off of that. 

295
00:17:41,520 --> 00:17:44,400
I've never been to HIP Conf and 
it stands for Hybrid Identity 

296
00:17:44,400 --> 00:17:47,400
Protection Conference. 
What's it like to be there? 

297
00:17:47,400 --> 00:17:51,680
What is it and how many chicken 
and waffles can I get in New 

298
00:17:51,680 --> 00:17:54,120
Orleans? 
So I'm going to, I'm going to 

299
00:17:54,120 --> 00:17:55,720
come back to the chicken 
question because there's 

300
00:17:55,720 --> 00:17:57,560
actually more to that question 
than you might think. 

301
00:17:58,560 --> 00:18:02,960
So HIP Conf is a conference that
we've been sponsoring for 

302
00:18:02,960 --> 00:18:05,800
probably four or five years. 
We organize it as well. 

303
00:18:06,880 --> 00:18:12,040
It's non, non vendor specific. 
It's this is not a Semperis user

304
00:18:12,040 --> 00:18:14,280
group, it's not Semperis product
pitch. 

305
00:18:14,960 --> 00:18:20,120
It's really all about educating 
practitioners on the ins 

306
00:18:20,120 --> 00:18:23,000
and outs of securing your hybrid
identity infrastructure. 

307
00:18:23,720 --> 00:18:27,080
And that primarily is Active 
Directory and, and Entra ID.

308
00:18:28,280 --> 00:18:36,000
We get the the speakers are all 
either highly experienced 

309
00:18:36,280 --> 00:18:41,360
managers of technical teams in 
our actual practitioners. 

310
00:18:42,320 --> 00:18:45,520
But the goal is for all these 
sessions that you go in, you 

311
00:18:45,520 --> 00:18:48,720
learn something and you can take
it home and use that's, that's 

312
00:18:48,720 --> 00:18:50,560
sort of what we're shooting for 
all the sessions. 

313
00:18:51,800 --> 00:18:54,520
Some of the people we've got. 
So we have a couple of people 

314
00:18:54,520 --> 00:18:58,600
from Microsoft. 
So Alex Weinert, who runs their 

315
00:18:58,800 --> 00:19:04,760
identity security effort for 
Azure or well, Azure and Entra 

316
00:19:04,760 --> 00:19:10,840
ID is going to be keynoting it. 
Marty Momdjian's a guy, he's a 

317
00:19:10,840 --> 00:19:16,600
Semperis guy now, but he runs 
our a lot of our incident 

318
00:19:16,600 --> 00:19:18,440
response. 
He used to run incident response

319
00:19:18,440 --> 00:19:24,800
for healthcare at CDW and so he 
has a lot of background on what 

320
00:19:25,080 --> 00:19:28,120
what recovering from a real 
ransomware attack looks like. 

321
00:19:29,520 --> 00:19:35,320
And other people are we got like
Joe Kaplan from Accenture who 

322
00:19:35,680 --> 00:19:39,640
has, he's done everything with 
identity and Accenture starting 

323
00:19:39,640 --> 00:19:45,800
from, you know, ADFR Active 
Directory, not the ADFS Active 

324
00:19:45,800 --> 00:19:50,960
Directory federation services 
through rolling out passwordless

325
00:19:51,280 --> 00:19:54,760
authentication and etcetera. 
So you're talking about eight, nine 

326
00:19:54,760 --> 00:19:58,040
hundred thousand people. 
So managing those kinds of 

327
00:19:58,440 --> 00:20:01,120
transformations of large 
enterprises, he's got great 

328
00:20:01,120 --> 00:20:04,920
insight into how that process 
works and where all the, all the

329
00:20:04,920 --> 00:20:09,880
potholes are. 
So that's the kind of material 

330
00:20:09,880 --> 00:20:12,480
that we're, we're presenting at 
HIP Conf. 

331
00:20:13,760 --> 00:20:18,640
As far as the experiences, it's,
it's, it's very technical, you 

332
00:20:18,640 --> 00:20:22,320
know, we, we like to say. 
You know, 300, 400 level 

333
00:20:22,520 --> 00:20:28,080
kinds of kinds of stuff. 
It's very welcoming in the sense

334
00:20:28,080 --> 00:20:33,480
that we've built a great cadre, 
a great community around HIP 

335
00:20:33,480 --> 00:20:35,680
Conf. 
And if you're in the identity 

336
00:20:35,680 --> 00:20:39,840
space, it's not sort of like all
the speakers are over there and 

337
00:20:39,840 --> 00:20:42,920
you're sitting over here. 
It's very it's a very engaging 

338
00:20:42,920 --> 00:20:44,520
atmosphere. 
So you get to talk with all the 

339
00:20:44,520 --> 00:20:46,640
speakers. 
We make lots of time for, for 

340
00:20:46,640 --> 00:20:51,400
networking, finding, finding 
peer groups and, and talking 

341
00:20:51,400 --> 00:20:53,400
with them. 
And of course, a place like New 

342
00:20:53,400 --> 00:20:57,120
Orleans has a few places that 
you can go to afterwards, you 

343
00:20:57,120 --> 00:20:59,480
know, and, and after you've met 
a few people that you want to 

344
00:20:59,480 --> 00:21:02,200
get to know a little bit better 
so that, that, that works out as

345
00:21:02,200 --> 00:21:04,720
well. 
Hey Gil, I'm going to transition

346
00:21:04,720 --> 00:21:08,760
us into the discussion around 
the ransomware report, but we've

347
00:21:08,760 --> 00:21:11,120
talked a lot about Active 
Directory. 

348
00:21:11,320 --> 00:21:15,360
It's in my perspective that 
theoretically is true. 

349
00:21:15,360 --> 00:21:19,240
And unfortunately I've seen this
in the real world as well, which

350
00:21:19,240 --> 00:21:22,640
is that Active Directory is kind
of the honeypot. 

351
00:21:22,640 --> 00:21:26,360
That's what, you know, getting 
full control over the Active 

352
00:21:26,360 --> 00:21:31,080
Directory is what the ransomware
actors are looking for. 

353
00:21:31,080 --> 00:21:34,280
Or you could say it's they're, 
you know, it's the chicken and 

354
00:21:34,280 --> 00:21:38,480
waffles recipe all in one. 
Don't take my chicken and 

355
00:21:38,480 --> 00:21:42,720
waffles, man. 
Come on, Gillard. 

356
00:21:42,720 --> 00:21:48,640
I mean, why is that true? 
So for a couple of reasons, one

357
00:21:48,640 --> 00:21:52,440
is you know, I mentioned earlier
that cyber attacks invariably, 

358
00:21:52,440 --> 00:21:57,640
well almost invariably have to 
compromise the identity system 

359
00:21:57,640 --> 00:22:00,640
in some way. 
You have to either pretend 

360
00:22:00,640 --> 00:22:06,320
you're someone who you're not 
and you're be able to get the 

361
00:22:06,320 --> 00:22:08,440
privileges of someone who you're
not. 

362
00:22:09,040 --> 00:22:12,360
And it almost doesn't matter 
which identity platform it is. 

363
00:22:13,040 --> 00:22:15,520
Whichever one you have is the one
that you have to compromise to 

364
00:22:15,520 --> 00:22:22,160
get unfettered access. 
The other reason is Active

365
00:22:22,160 --> 00:22:27,240
Directory isn't just a catalogue
of users, it's it's got 

366
00:22:27,240 --> 00:22:32,120
information about all of the 
computers and services that are 

367
00:22:32,120 --> 00:22:34,560
running on your network. 
So it's a great reconnaissance 

368
00:22:34,560 --> 00:22:38,040
tool. 
So first thing an attacker's 

369
00:22:38,040 --> 00:22:40,880
going to do once they land on 
somebody's machine that happens 

370
00:22:40,880 --> 00:22:44,440
to be domain joined is is run a 
query on AD get all the 

371
00:22:44,440 --> 00:22:48,320
computers, look for all the
ones that say, you know, top 

372
00:22:48,320 --> 00:22:50,720
secret SQL Server or
something like that, you know, 

373
00:22:50,720 --> 00:22:53,200
because that tells them the 
machine they want to go after 

374
00:22:53,200 --> 00:23:00,000
next. 
And then the third thing, and 

375
00:23:00,000 --> 00:23:03,680
this is this is something that 
is kind of interesting, but 

376
00:23:03,680 --> 00:23:06,560
Active Directory is actually a 
great malware distribution tool 

377
00:23:08,080 --> 00:23:11,280
using using group policy in 
SYSVOL.

378
00:23:11,960 --> 00:23:17,360
So you can as an attacker, if 
you're trying to deploy 

379
00:23:18,720 --> 00:23:22,320
ransomware, you know, globally 
on the network, one way you 

380
00:23:22,320 --> 00:23:25,800
could do it is drop it in 
SYSVOL and change everybody's

381
00:23:25,800 --> 00:23:28,520
logon script to download the
the malware. 

382
00:23:30,680 --> 00:23:33,480
So that's, I mean, those are 
sort of the primary reasons that

383
00:23:33,480 --> 00:23:36,240
people go after AD. 
It's it's the keys to the 

384
00:23:36,240 --> 00:23:37,320
kingdom.
It's a great

385
00:23:37,320 --> 00:23:40,960
description without going into
all the details and there's many

386
00:23:40,960 --> 00:23:45,880
ways that people can conduct an 
attack, but a lot of times 

387
00:23:45,880 --> 00:23:50,360
they're trying to laterally move
into different accounts that are

388
00:23:50,360 --> 00:23:52,480
more powerful. 
I think of help desk

389
00:23:52,520 --> 00:23:55,960
accounts, I think service
accounts. 

390
00:23:56,360 --> 00:23:59,360
That seems to me to be a major 
vulnerability. 

391
00:23:59,560 --> 00:24:04,120
I love the idea of somebody 
listening to the podcast, 

392
00:24:04,200 --> 00:24:08,280
hopefully not driving their car 
and listening and taking notes 

393
00:24:08,280 --> 00:24:12,160
as they're listening to Gil. 
So what maybe is a takeaway of

394
00:24:12,160 --> 00:24:17,280
something someone can do today 
to, you know, take a step toward

395
00:24:17,600 --> 00:24:21,680
being less vulnerable? 
Tell you the truth, the very 

396
00:24:21,680 --> 00:24:24,800
first thing I would do is 
download Purple Knight.

397
00:24:25,160 --> 00:24:30,000
It's free, and run it in
your environment and I'm, I'm 

398
00:24:30,000 --> 00:24:33,000
going to guess that since most 
well, your audience is all 

399
00:24:33,000 --> 00:24:35,880
interested in identity, that 
good number of your audience has

400
00:24:35,880 --> 00:24:38,800
done that already. 
Does it require any special 

401
00:24:38,800 --> 00:24:40,800
privileges? 
You just put it on a workstation

402
00:24:40,800 --> 00:24:44,960
that's domain joined and run it 
and get your report card and 

403
00:24:45,240 --> 00:24:48,320
take a look at the, the grades 
that it it assigns to you. 

404
00:24:48,320 --> 00:24:49,560
I mean, they're just grades, 
right? 

405
00:24:49,560 --> 00:24:53,640
They're just, you're out there. 
A is sort of an evaluation that 

406
00:24:53,640 --> 00:24:55,280
we made up that sort of makes
sense. 

407
00:24:55,880 --> 00:24:59,080
But then look at the, the 
details underneath that about 

408
00:24:59,080 --> 00:25:03,080
things that that Purple Knight
found about like delegations, 

409
00:25:03,200 --> 00:25:07,840
insecure delegations. 
That's a favorite one that would

410
00:25:08,760 --> 00:25:12,800
enable an attacker to elevate 
their privileges by compromising

411
00:25:12,800 --> 00:25:14,560
a member of a group, for 
instance. 

412
00:25:17,080 --> 00:25:18,720
You know, there's all kinds of 
things in that report. 

413
00:25:18,720 --> 00:25:20,440
It's it's, it's pretty 
impressive. 

414
00:25:20,440 --> 00:25:22,120
I'm I'm really pleased with that
product. 

415
00:25:23,280 --> 00:25:26,760
You know, one other thing I 
think about with when it comes 

416
00:25:26,760 --> 00:25:35,200
to why takeover of an Active
Directory is such a beneficial 

417
00:25:35,200 --> 00:25:39,840
thing for a ransomware actor, is
that it's so hard to restore 

418
00:25:39,840 --> 00:25:44,160
Active Directory, right? 
And a lot of times ransomware 

419
00:25:45,000 --> 00:25:49,120
accounts can be taken over, you 
know, before the event. 

420
00:25:49,120 --> 00:25:54,400
So not having a good backup and 
restore methodology, like I'm 

421
00:25:54,400 --> 00:25:58,120
not trying to just serve things 
up easy to you, but this is just

422
00:25:58,120 --> 00:26:02,000
the basics of running an IT 
environment is you need to be 

423
00:26:02,000 --> 00:26:06,640
able to have backups that you 
can rely on and a restore policy

424
00:26:06,640 --> 00:26:10,920
that you can test on a periodic 
basis so that you're sure it's 

425
00:26:10,920 --> 00:26:15,640
going to work when you need it. 
I mean, this could literally be 

426
00:26:15,640 --> 00:26:19,960
the ability for your business to
do business the next day. 

427
00:26:19,960 --> 00:26:23,280
I mean, that's exactly right. 
Control of the Active Directory,

428
00:26:23,440 --> 00:26:27,440
you can wipe out the e-mail 
system, you, you can do all

429
00:26:27,440 --> 00:26:29,600
kinds of things. 
I mean, there have been real 

430
00:26:29,600 --> 00:26:36,520
world examples of companies 
unable to operate for a week. 

431
00:26:36,960 --> 00:26:39,760
I mean, can you imagine your
organization being unable to 

432
00:26:39,760 --> 00:26:43,440
operate for a week? 
So I'm not trying to just make 

433
00:26:43,440 --> 00:26:48,160
it fear, uncertainty and doubt, 
but these are real risks and if 

434
00:26:48,160 --> 00:26:51,920
they happen on your watch, it's 
going to be a very uncomfortable

435
00:26:51,920 --> 00:26:54,600
position. 
Yep, it's you. 

436
00:26:54,640 --> 00:26:57,960
You pretty much nailed it. 
It's not. 

437
00:26:57,960 --> 00:27:00,880
Not only is Active Directory a 
great thing for attackers to go 

438
00:27:00,880 --> 00:27:06,760
after because of what it lets 
them do, but if they compromise,

439
00:27:07,920 --> 00:27:11,040
for instance, if they flatmile 
your domain controllers, you've 

440
00:27:11,040 --> 00:27:14,480
got a real projection on your 
hands because recovering AD from

441
00:27:14,480 --> 00:27:18,600
backup is hard. 
And you can't just, you can't 

442
00:27:18,600 --> 00:27:21,040
just go back to the last 
backups, right? 

443
00:27:21,040 --> 00:27:23,360
Because those are probably 
compromised as well. 

444
00:27:24,720 --> 00:27:27,600
You know, they're, they're going
to have changes in ACLs,

445
00:27:27,600 --> 00:27:29,400
they're going to have changes in
group membership.

446
00:27:29,400 --> 00:27:31,360
So I'll have back door, back 
door accounts that have been 

447
00:27:31,360 --> 00:27:35,640
added. 
And you have basically you have 

448
00:27:35,640 --> 00:27:39,160
to do the and even be other 
changes in Active Directory. 

449
00:27:39,160 --> 00:27:42,320
But there's going to be malware 
on the servers in Windows. 

450
00:27:42,520 --> 00:27:46,920
They're going to be hacked DLLs
and executables that sit on 

451
00:27:46,920 --> 00:27:49,560
those backed up backup images as
well. 

452
00:27:50,240 --> 00:27:53,240
So you'd need to recover in an 
isolated environment on fresh 

453
00:27:53,240 --> 00:27:55,520
installs of Windows that you 
know are good. 

454
00:27:56,480 --> 00:27:59,040
And you have to be able to 
recover just the data of Active 

455
00:27:59,040 --> 00:28:02,960
Directory, not the entire binary
environment of Windows. 

456
00:28:04,400 --> 00:28:07,440
And if you can't do that, then 
you can't really rely on the 

457
00:28:07,440 --> 00:28:11,280
system that you recovered. 
So let's talk about the 

458
00:28:11,280 --> 00:28:14,000
ransomware risk report. 
We'll finally get to that and 

459
00:28:15,280 --> 00:28:18,280
it's available on Semperis's
website, but we'll have a link 

460
00:28:18,280 --> 00:28:23,720
to it in our show notes. 
And I made, you know, I kind of 

461
00:28:23,760 --> 00:28:27,280
made notes for some of the 
statistics that really jumped 

462
00:28:27,280 --> 00:28:31,160
out at me. 
The first one was ransomware 

463
00:28:31,160 --> 00:28:34,960
attacks are frequent and severe.
Organizations are facing a 

464
00:28:34,960 --> 00:28:39,480
constant threat of ransomware 
attacks, with 74% of victims 

465
00:28:39,760 --> 00:28:43,120
experiencing multiple attacks 
sometimes within the same day.

466
00:28:43,480 --> 00:28:45,320
Tell us a little bit more about 
that one. 

467
00:28:46,160 --> 00:28:51,080
So the the I shouldn't have been
shocked, but when I read it the 

468
00:28:51,080 --> 00:28:56,520
first time, I was. 
But essentially all 

469
00:28:56,520 --> 00:29:00,320
organizations are being attacked
by ransomware a couple of times 

470
00:29:00,320 --> 00:29:01,840
a year. 
I mean, it just happens 

471
00:29:01,840 --> 00:29:04,880
continuously. 
It's not, it's not a notable 

472
00:29:04,880 --> 00:29:07,040
event anymore really. 
It's just one of those 

473
00:29:07,040 --> 00:29:12,360
continuous things that security 
teams are dealing with, which I 

474
00:29:12,360 --> 00:29:15,040
didn't quite, I hadn't 
internalized that before. 

475
00:29:15,040 --> 00:29:19,440
So that was surprising. 
The the other one about, you 

476
00:29:19,440 --> 00:29:23,680
know, suffering multiple attacks
in a day was a new one. 

477
00:29:23,760 --> 00:29:26,320
And and then there's also the, 
you know, paying, paying 

478
00:29:26,320 --> 00:29:30,000
multiple ransoms as well for a 
single attack, which we can talk

479
00:29:30,000 --> 00:29:32,280
about. 
What does that mean to have 

480
00:29:32,280 --> 00:29:33,640
multiple attacks?
Can you explain it? 

481
00:29:33,640 --> 00:29:35,800
Is it is it literally like 
different? 

482
00:29:35,920 --> 00:29:38,680
Is it different attackers or is 
it part of the same attack as 

483
00:29:38,680 --> 00:29:40,040
just multi stage or something 
like that? 

484
00:29:40,040 --> 00:29:45,600
So it's, it's, it's both. 
So I know we, we did, we helped 

485
00:29:45,600 --> 00:29:49,040
the company with their incident 
response and they had four 

486
00:29:49,040 --> 00:29:52,440
separate threat actors in the 
environment that were attacking 

487
00:29:52,440 --> 00:29:55,520
them in their AD. 
It was a, it was a disaster. 

488
00:29:55,520 --> 00:30:00,080
It was a complete mess, but I 
think what happens now that, 

489
00:30:00,080 --> 00:30:05,440
that, that, that, you know, 
ransomware and, and cyber, the

490
00:30:06,560 --> 00:30:10,040
cyber attacks in general have 
been commoditized and 

491
00:30:10,040 --> 00:30:12,880
commercialized. 
You, you know, as soon as an 

492
00:30:12,880 --> 00:30:16,160
endpoint gets compromised or, 
and, and there's some back door 

493
00:30:16,160 --> 00:30:20,280
inserted on, on that, on that 
machine, that IP address gets 

494
00:30:20,520 --> 00:30:24,360
published and sold to whoever 
wants to buy it to insert their 

495
00:30:24,360 --> 00:30:26,880
own, you know, for another 
attacker to insert their own 

496
00:30:26,880 --> 00:30:31,280
software. 
And I think that's, that's one 

497
00:30:31,280 --> 00:30:33,960
of the reasons why you see 
multiple attacks is, is that 

498
00:30:33,960 --> 00:30:37,440
same IP address has been 
purchased by, you know, half a 

499
00:30:37,440 --> 00:30:42,200
dozen attackers and whoever gets
around to doing it will be in 

500
00:30:42,200 --> 00:30:43,800
the network. 
And you have multiple attacks 

501
00:30:43,800 --> 00:30:48,600
going on simultaneously. 
There used to be that I think a 

502
00:30:48,600 --> 00:30:50,960
company would report a 
ransomware attack or some sort 

503
00:30:50,960 --> 00:30:53,720
of a cyber attack and it'd be in
the news and then all the 

504
00:30:53,720 --> 00:30:56,080
attackers would pile on once 
they saw that in the news 

505
00:30:56,080 --> 00:30:58,960
because you figure, oh, they 
could compromise and we we 

506
00:30:58,960 --> 00:31:01,920
probably can't too. 
But now I think it's because all

507
00:31:01,920 --> 00:31:04,360
that stuff's just being sold, 
not on the dark web. 

508
00:31:04,360 --> 00:31:06,760
You can. 
You could buy a 10,000 IP 

509
00:31:06,760 --> 00:31:08,800
addresses and start working on 
it. 

510
00:31:10,720 --> 00:31:15,000
Yeah, and it also seems to me 
like, so the, there's a, a sub 

511
00:31:15,000 --> 00:31:18,240
point that which was around
paying multiple ransoms. 

512
00:31:18,920 --> 00:31:21,560
I'm wondering is that you're 
paying multiple ransoms to 

513
00:31:21,560 --> 00:31:25,120
different people or is it just 
that you can't really trust you 

514
00:31:25,360 --> 00:31:28,240
the the people that are holding 
you for ransom? 

515
00:31:28,640 --> 00:31:31,000
Give us $100,000. 
You give it to them. 

516
00:31:31,760 --> 00:31:35,360
No, we want more. 
We want $200,000. 

517
00:31:36,320 --> 00:31:38,920
So there there that was another 
one that I thought was 

518
00:31:38,920 --> 00:31:41,560
surprising and there are a few 
things underlying that. 

519
00:31:41,560 --> 00:31:44,280
One is the nature of
ransomware attacks has changed.

520
00:31:44,280 --> 00:31:48,400
It used to be, you know, sort of
like NotPetya, we're just

521
00:31:48,400 --> 00:31:50,720
going to encrypt all your 
machines and then we, we'll sell

522
00:31:50,720 --> 00:31:56,240
you the decryption keys. 
But now what's happening is, is 

523
00:31:56,240 --> 00:32:00,480
attackers are exfiltrating 
sensitive data or data that they

524
00:32:00,480 --> 00:32:04,040
can get their hands on anyway 
and holding that for ransom. 

525
00:32:04,040 --> 00:32:07,560
They're, they're saying things 
like we're going to publicize 

526
00:32:07,560 --> 00:32:12,320
all this information and, and if
you don't pay us money for the,

527
00:32:12,400 --> 00:32:14,480
for the data. 
So you've got two things you 

528
00:32:14,480 --> 00:32:17,760
have to buy now. 
You've got decryption keys and 

529
00:32:17,960 --> 00:32:22,840
the get rid of my data key if 
you will. 

530
00:32:23,280 --> 00:32:25,200
But how do you really know that 
they're deleting the data? 

531
00:32:25,400 --> 00:32:27,280
Well, yeah.
Is there, is there such a thing as

532
00:32:27,280 --> 00:32:31,360
honor to say, OK, well, I 
promise as as you're, you know, 

533
00:32:32,200 --> 00:32:36,240
assigned criminals that I will, 
that I will delete the data that

534
00:32:36,240 --> 00:32:39,040
you get that you paid me for. 
And that's, that's, I think the 

535
00:32:39,040 --> 00:32:41,840
thing that companies are maybe 
missing, I think the, the hit 

536
00:32:41,840 --> 00:32:46,640
rate on, on the decryption keys 
is I think those either fail to 

537
00:32:46,640 --> 00:32:50,960
work or they don't actually get 
keys like 30 or 40% of the time 

538
00:32:51,040 --> 00:32:54,240
roughly. 
So already you have to add a 

539
00:32:54,240 --> 00:32:56,960
premium to whatever ransom 
you're, you're paying for that. 

540
00:32:59,160 --> 00:33:03,120
And even if the attacker say, 
OK, well, we, we deleted the, 

541
00:33:03,120 --> 00:33:06,960
the data that we had stole it, 
they've sold it to somebody 

542
00:33:06,960 --> 00:33:09,640
else. 
And then so now somebody else 

543
00:33:09,640 --> 00:33:10,800
has it. 
So maybe they're not going to 

544
00:33:10,800 --> 00:33:13,480
publicize it, but somebody else 
will or somebody else would use 

545
00:33:13,480 --> 00:33:16,280
that and spend more time 
grinding through it to see 

546
00:33:16,280 --> 00:33:18,160
what's interesting in there and 
then sell that data. 

547
00:33:18,240 --> 00:33:22,640
It's there is is no honor in 
this in this scenario. 

548
00:33:24,040 --> 00:33:27,200
So, Gil, I was going to ask 
about that issue of decryption 

549
00:33:27,200 --> 00:33:29,160
keys. 
You mentioned that sometimes 

550
00:33:29,160 --> 00:33:32,240
they don't work. 
I've heard that a lot of cases 

551
00:33:32,800 --> 00:33:36,840
they start they they actually 
work, but they operate so slowly

552
00:33:37,120 --> 00:33:40,880
that performing the decryption 
would take months. 

553
00:33:40,880 --> 00:33:44,800
And so if companies fall back to
some other way to get their data

554
00:33:44,800 --> 00:33:47,240
back. 
Yeah, there it takes, it can 

555
00:33:47,240 --> 00:33:50,280
take a long time. 
And the other thing is that in a

556
00:33:50,280 --> 00:33:54,400
lot of cases when binaries have 
been encrypted, the way the 

557
00:33:54,400 --> 00:33:59,400
encryption works is it it can 
actually add a bunch of random 

558
00:33:59,400 --> 00:34:03,480
bits to the end of the file. 
And when it's decrypted, those 

559
00:34:03,480 --> 00:34:05,800
random bits are still there, 
they've just been decrypted. 

560
00:34:06,520 --> 00:34:09,520
And so you've got binaries that 
you've quote decrypted, but they

561
00:34:09,520 --> 00:34:11,239
still don't load, so you can't 
run them. 

562
00:34:12,560 --> 00:34:16,560
So even though you've you've 
unransomed your your your 

563
00:34:16,560 --> 00:34:20,840
Windows machine, it won't boot. 
OK, so now that we've figured 

564
00:34:20,840 --> 00:34:26,120
out there's no honor amongst 
thieves, the second, the second 

565
00:34:26,159 --> 00:34:28,440
point that it kind of jumped out
to me was I'm going to read it 

566
00:34:28,440 --> 00:34:30,199
off. 
Business disruption is 

567
00:34:30,199 --> 00:34:33,440
widespread. 
Ransomware attacks cause 

568
00:34:33,440 --> 00:34:38,280
significant business disruption 
with 87% of attacks leading to

569
00:34:38,280 --> 00:34:41,880
disruption like data loss or 
system downtime, even when 

570
00:34:41,880 --> 00:34:45,800
organizations have disaster 
recovery and backup systems in 

571
00:34:45,800 --> 00:34:47,600
place and IT. 
So what is the? 

572
00:34:47,840 --> 00:34:50,320
What is the case is that they 
have the backup systems in 

573
00:34:50,320 --> 00:34:52,840
place, but they can't restore 
them. 

574
00:34:53,639 --> 00:34:56,920
Yeah, a lot of times the backups
themselves have been encrypted. 

575
00:34:58,560 --> 00:35:01,720
That's, that's one of the 
mistakes that companies still 

576
00:35:01,720 --> 00:35:06,120
make to this day as they store 
their backup images on a server 

577
00:35:06,120 --> 00:35:09,440
someplace. 
And that's, if not the first 

578
00:35:09,440 --> 00:35:12,000
thing the attackers go after, 
it's maybe the second or third. 

579
00:35:13,760 --> 00:35:16,480
So that's, that's kind of a fail
when people do that. 

580
00:35:17,360 --> 00:35:23,440
The other thing is, is a lot of 
times IT orgs have not gone not 

581
00:35:23,440 --> 00:35:25,960
thought carefully through the 
process of recovery. 

582
00:35:27,560 --> 00:35:31,360
They think, OK, I've got a 
backup of the SQL Server so I 

583
00:35:31,360 --> 00:35:34,200
can recover it. 
Well, it turns out it's not just

584
00:35:34,200 --> 00:35:37,240
the SQL Server, but there's a 
whole file system on another 

585
00:35:37,240 --> 00:35:39,920
server that's necessary for this
application to run. 

586
00:35:40,480 --> 00:35:43,080
And you don't back that up very 
often, or you back that up on a 

587
00:35:43,080 --> 00:35:45,240
different schedule. 
So you've got a database for one

588
00:35:45,240 --> 00:35:48,360
day in a file system from a 
different day, and now the 

589
00:35:48,360 --> 00:35:50,240
application's confused and it 
doesn't work. 

590
00:35:50,840 --> 00:35:54,240
So the whole whole problem of, 
of recovery from the sort of an 

591
00:35:54,240 --> 00:35:58,480
attack is, is hard. 
And you, you, you have to work 

592
00:35:58,480 --> 00:36:02,000
through it and work out all the 
details and actually and 

593
00:36:02,000 --> 00:36:05,080
actually test it. 
So I think that's another reason

594
00:36:05,080 --> 00:36:10,280
that people can't recover. 
So the next one I found was was 

595
00:36:10,800 --> 00:36:12,680
I found the other one that was 
really interesting. 

596
00:36:12,680 --> 00:36:16,160
Gil, if I could, most companies 
pay the ransom. 

597
00:36:16,560 --> 00:36:23,840
So 70 and 78% end up
paying the ransom, 32% paid it 

598
00:36:23,840 --> 00:36:27,080
four or more times. 
So here's my question. 

599
00:36:28,200 --> 00:36:32,840
Should companies pay the ransom?
I I think we get this idea that 

600
00:36:33,160 --> 00:36:36,400
when a ransom is being held 
because a human being is being 

601
00:36:36,400 --> 00:36:41,320
held hostage, the advice is and 
I've never been. 

602
00:36:41,480 --> 00:36:45,080
In, of course no. 
No, don't, don't. 

603
00:36:45,080 --> 00:36:48,840
Screw the hostage. 
I think what I see on TV is they

604
00:36:48,840 --> 00:36:54,040
say don't pay the ransom, right.
And from what I've heard, most 

605
00:36:54,040 --> 00:36:58,160
public sector organizations 
don't pay the ransom and receive

606
00:36:58,160 --> 00:37:01,920
less ransomware attacks maybe 
because of that. 

607
00:37:02,480 --> 00:37:05,520
But can we really blame 
companies for paying the ransom?

608
00:37:05,800 --> 00:37:10,160
I heard there were two casino, 
large casino operators in Las 

609
00:37:10,160 --> 00:37:12,840
Vegas. 
I think it was last year the 

610
00:37:13,000 --> 00:37:18,760
faith were hit by the same and I
it was more like a social 

611
00:37:18,760 --> 00:37:20,600
engineering. 
I think it ultimately led to 

612
00:37:20,600 --> 00:37:24,080
ransomware, but one paid the 
ransom, the other did not. 

613
00:37:24,200 --> 00:37:28,040
The one that paid the ransom 
never suffered any downtime or 

614
00:37:28,040 --> 00:37:31,000
issues. 
The one that that did not pay 

615
00:37:31,000 --> 00:37:36,960
the ransom got owned and had a 
lot of very public side effects 

616
00:37:36,960 --> 00:37:42,400
because of that. 
So are companies wise or unwise 

617
00:37:42,400 --> 00:37:47,040
to pay the ransom? 
It's, it's a, it's tough if you 

618
00:37:47,040 --> 00:37:52,960
try to judge it as a, as a moral
decision because you can argue 

619
00:37:52,960 --> 00:37:55,480
both, both sides pretty 
effectively, I think. 

620
00:37:56,040 --> 00:38:00,560
But if you look at it from an 
economics point of view, what's 

621
00:38:00,560 --> 00:38:06,000
the most effective response for 
the, you know, the life of your 

622
00:38:06,000 --> 00:38:09,320
company? 
That's maybe a little easier 

623
00:38:09,320 --> 00:38:13,800
decision to manage because if 
you have an idea of what it's 

624
00:38:13,800 --> 00:38:17,000
going to take to recover from 
backup and you have an idea of 

625
00:38:17,000 --> 00:38:20,880
what what the ransom is and what
the risk is or what the 

626
00:38:20,880 --> 00:38:25,960
likelihood is that the the 
threat actors will actually give

627
00:38:25,960 --> 00:38:29,960
you valid, you know, decryption 
keys and get rid of the data 

628
00:38:29,960 --> 00:38:31,560
that they stole. 
Yeah. 

629
00:38:31,560 --> 00:38:34,000
Then you can sort of, you have a
framework to make a decision. 

630
00:38:34,000 --> 00:38:38,600
And I certainly wouldn't blame 
anybody for making the decision 

631
00:38:38,600 --> 00:38:42,920
to pay the ransom, but I think 
they also don't aren't looking 

632
00:38:42,920 --> 00:38:46,720
carefully at the costs that 
they're going to incur either 

633
00:38:46,720 --> 00:38:50,040
way they go. 
And the, and the solution, you 

634
00:38:50,040 --> 00:38:52,320
know which, which is an 
idealistic solution, but I think

635
00:38:52,320 --> 00:38:55,840
it's the way it's the way 
forward is you need to be able 

636
00:38:55,840 --> 00:39:01,120
to recover your systems. 
And so if somebody you know, 

637
00:39:01,120 --> 00:39:04,280
attacks your environment, well, 
you just thumb your nose out. 

638
00:39:04,280 --> 00:39:06,720
I mean, you just recover from 
known good backups and, and

639
00:39:06,720 --> 00:39:08,640
off you go. 
I mean, if you think about it, 

640
00:39:08,640 --> 00:39:12,880
if you could, if you could 
recover your entire IT estate in

641
00:39:12,880 --> 00:39:17,120
15 minutes by pushing a button, 
well, ransomware is totally 

642
00:39:17,120 --> 00:39:19,120
irrelevant. 
Then you know who cares, right? 

643
00:39:19,120 --> 00:39:20,160
You don't care. 
Who cares? 

644
00:39:21,720 --> 00:39:24,240
So I think that's that's the 
direction you want to move in as

645
00:39:24,240 --> 00:39:28,120
you want to make your, and this 
is and this actually brings in, 

646
00:39:29,400 --> 00:39:31,240
this is where the term 
resilience comes in. 

647
00:39:32,400 --> 00:39:34,680
You can't prevent the attack. 
I think we're, we're pretty, 

648
00:39:34,800 --> 00:39:38,960
pretty clear on that. 
But you can make it harder for 

649
00:39:38,960 --> 00:39:44,080
the attack to take on full sort 
of network wide scale and you 

650
00:39:44,080 --> 00:39:47,400
can make your environment more 
resilient, which means you can 

651
00:39:47,400 --> 00:39:50,320
recover from that attack more 
easily and more quickly and more

652
00:39:50,320 --> 00:39:52,920
effectively. 
So I think that's how I tend to 

653
00:39:52,920 --> 00:39:54,920
look at that, that decision 
making process. 

654
00:39:55,600 --> 00:39:58,200
So I wanna, I wanna pick on the 
second part. 

655
00:39:58,200 --> 00:40:01,920
I mean, 78% paying, I kind of get.
And I think there might be even 

656
00:40:01,920 --> 00:40:04,280
something in the US from like a 
government, either policy or 

657
00:40:04,280 --> 00:40:07,400
even a law that that they're not
allowed to pay. 

658
00:40:07,400 --> 00:40:12,160
And maybe that helps. 
But 32% paid it four or more 

659
00:40:12,160 --> 00:40:14,640
times in the past. 
How bad is your security if 

660
00:40:14,640 --> 00:40:18,040
you're like, oh, this is our 4th
ransomware event of the year. 

661
00:40:18,320 --> 00:40:21,520
I mean, one is bad enough. 
Yeah. 

662
00:40:21,520 --> 00:40:23,480
I mean, are these just repeat 
things? 

663
00:40:23,520 --> 00:40:25,760
I I mean, how do you, how do you
quantify something like that? 

664
00:40:25,760 --> 00:40:28,200
Is it the same attack or is 
there a way to? 

665
00:40:28,200 --> 00:40:31,440
Is it really separate attacks 
that kind of weak that number? 

666
00:40:32,000 --> 00:40:34,920
I have to look at the at the 
details of that question and the

667
00:40:34,920 --> 00:40:37,480
responses because I don't 
understand that really myself. 

668
00:40:38,240 --> 00:40:42,680
I, I know there are cases where 
the threat actors are asking for

669
00:40:42,680 --> 00:40:45,080
multiple ransoms. 
I know that happens, but I 

670
00:40:45,080 --> 00:40:49,760
didn't think it happened that 
often and it's mind boggling 

671
00:40:49,760 --> 00:40:54,600
that the same company would be 
paying multiple threat actors 

672
00:40:55,360 --> 00:40:58,400
for what looks like the same, 
you know, multiple attacks at 

673
00:40:58,400 --> 00:41:01,640
the same time. 
That line item, the budget, oh, 

674
00:41:01,640 --> 00:41:04,640
that's our ransomware budget. 
We know we're going to get hit, 

675
00:41:04,640 --> 00:41:06,160
so we're just going to put money
into it. 

676
00:41:07,240 --> 00:41:09,520
Geez, we could, we could spend 
some time talking about cyber 

677
00:41:09,520 --> 00:41:12,000
insurance and, and how that all 
relates to this as well, because

678
00:41:12,000 --> 00:41:13,960
that's, that's part of the story
too. 

679
00:41:16,040 --> 00:41:19,840
This next point that I pulled 
from the report, I thought it 

680
00:41:19,840 --> 00:41:24,640
was interesting it gets into 
organizations like Active 

681
00:41:24,640 --> 00:41:28,360
Directory Specific Protection. 
I just wanted to highlight a 

682
00:41:28,360 --> 00:41:35,480
point which is if you are using 
non AD or non Microsoft systems 

683
00:41:35,520 --> 00:41:40,680
for IGA or privileged access
management or an IDP, but you 

684
00:41:40,680 --> 00:41:44,160
have Active Directory in your 
environment, perhaps your e-mail

685
00:41:44,160 --> 00:41:47,800
system is tied to it. 
You, you know, you still have 

686
00:41:47,800 --> 00:41:51,120
the same risk. 
So it goes on to say, while many

687
00:41:51,120 --> 00:41:55,960
organizations have identity 
recovery plans, only 27% have 

688
00:41:55,960 --> 00:42:00,120
dedicated systems for recovering
AD and prime targets for 

689
00:42:00,120 --> 00:42:04,680
attackers. 
So to me, you know, this is one 

690
00:42:04,680 --> 00:42:08,000
of the points that I've kind of 
felt for a long time is that 

691
00:42:08,240 --> 00:42:13,640
when you're doing your disaster 
recovery plan, you not only need

692
00:42:13,640 --> 00:42:17,320
to think of it in terms of, OK, 
an asteroid hits our data

693
00:42:17,320 --> 00:42:21,280
center or there's some kind of 
fire that that takes us out of 

694
00:42:21,280 --> 00:42:23,360
business. 
You really need to be thinking 

695
00:42:23,360 --> 00:42:28,200
about the intentional targeting 
of your organization and bring 

696
00:42:28,200 --> 00:42:32,240
down your IT systems security. 
Your Active Directory, Yep, 

697
00:42:33,040 --> 00:42:37,200
that's, that's something that I 
think IT orgs are getting their 

698
00:42:37,200 --> 00:42:41,280
heads or have gotten their heads
around that the, you know, the 

699
00:42:41,320 --> 00:42:45,280
the classic data center fire or,
you know, ran a backhoe over the

700
00:42:45,280 --> 00:42:49,400
fiber kind of disaster recovery 
scenario. 

701
00:42:49,400 --> 00:42:51,840
That's that's one class of of 
thing. 

702
00:42:51,840 --> 00:42:54,320
But but cyber attacks are 
entirely different. 

703
00:42:54,320 --> 00:42:57,000
They're not they're not defined 
by physical boundaries. 

704
00:42:57,000 --> 00:43:00,000
They're they're it's a logical 
attack essentially. 

705
00:43:00,680 --> 00:43:03,880
And once you know, even if 
you're a globally distributed 

706
00:43:03,880 --> 00:43:08,680
company, you know, once I
land on a domain controller, I

707
00:43:08,680 --> 00:43:10,520
can get rid of all the domain 
controllers. 

708
00:43:10,520 --> 00:43:13,640
I can do it pretty quick. 
So it's a different is the 

709
00:43:13,640 --> 00:43:15,400
nature of the attack is entirely
different. 

710
00:43:17,040 --> 00:43:18,680
Yeah. 
And Gil, what I wanted to wrap 

711
00:43:18,680 --> 00:43:24,480
up with was, I kind of feel like
from a, if you watch the news, 

712
00:43:24,480 --> 00:43:27,920
we're hearing less about 
ransomware attacks than maybe we

713
00:43:27,920 --> 00:43:30,560
were hearing about in previous 
years. 

714
00:43:31,320 --> 00:43:34,240
Is that the case? 
I mean, why is that? 

715
00:43:34,240 --> 00:43:36,800
Why do you think it's less in 
the headlines? 

716
00:43:37,200 --> 00:43:41,720
Yeah, I'm, I'm not sure I, I 
know why that would be the case 

717
00:43:41,720 --> 00:43:46,920
because certainly the number of 
attacks based on our survey has,

718
00:43:47,160 --> 00:43:49,440
has gone up. 
It's not gone down at all. 

719
00:43:50,880 --> 00:43:55,560
Part of it, it probably has to 
do with the, the, the, the 

720
00:43:55,560 --> 00:43:58,560
detrimental PR around it that 
you would rather not say 

721
00:43:58,560 --> 00:44:00,160
anything about it if you don't 
have to. 

722
00:44:00,960 --> 00:44:03,200
But I think also that's that's 
going to change in the near 

723
00:44:03,200 --> 00:44:07,560
future because there there's 
there's some regulations that 

724
00:44:07,560 --> 00:44:13,800
are that have come out of CISA
that affect a broad swath of 

725
00:44:13,800 --> 00:44:15,160
verticals. 
So I mean, there's probably 

726
00:44:15,160 --> 00:44:19,320
about 15 different vertical 
verticals for companies that 

727
00:44:19,320 --> 00:44:21,120
that are affected by these 
regulations. 

728
00:44:21,760 --> 00:44:25,280
What's it called? 
CIRCIA, the the cyber, Yeah. 

729
00:44:26,120 --> 00:44:27,600
There's like a notification law,
right? 

730
00:44:27,600 --> 00:44:28,760
Yeah. 
So notification if it's a 

731
00:44:28,760 --> 00:44:31,080
certain number of users and 
certain number of financial 

732
00:44:31,080 --> 00:44:32,360
impact if. 
You're in a certain industry, 

733
00:44:32,720 --> 00:44:36,560
CIRCIA, Yeah. 
And so I think we're going to 

734
00:44:36,560 --> 00:44:40,680
see a lot more reports coming 
out because of that when that 

735
00:44:40,680 --> 00:44:44,640
regulation goes into effect and 
that's coming up imminently, I 

736
00:44:44,680 --> 00:44:49,120
think you know, pretty soon. 
But to ask you to answer your 

737
00:44:49,120 --> 00:44:51,360
question, I, I don't really know
why we don't hear about it. 

738
00:44:51,360 --> 00:44:52,920
Maybe it's just not interesting 
anymore. 

739
00:44:52,920 --> 00:44:55,040
So that's what. 
I was thinking, that's my 

740
00:44:55,040 --> 00:44:58,000
theory. 
And you know, I want, I'm, I'm 

741
00:44:58,000 --> 00:45:00,440
glad that Jimmy asked this 
question because my theory is 

742
00:45:00,440 --> 00:45:03,520
this is we've become 
desensitized to it. 

743
00:45:03,760 --> 00:45:06,320
Oh, it's ransomware. 
And unless it's like a major one, 

744
00:45:06,320 --> 00:45:09,800
like, you know, a pipeline, a 
hospital or something that has 

745
00:45:09,800 --> 00:45:13,000
like a major impact. 
I mean, there's clearly a lot of

746
00:45:13,000 --> 00:45:15,200
attacks happening. 
They're just not newsworthy. 

747
00:45:15,640 --> 00:45:17,600
And it's like, kind of like, oh,
who cares? 

748
00:45:17,720 --> 00:45:21,760
You know, unless it affects me 
and it's a critical, you know, 

749
00:45:21,800 --> 00:45:24,080
infrastructure thing that kind 
of makes the news. 

750
00:45:25,120 --> 00:45:26,760
That's my feelings. 
Like, I feel like this we're 

751
00:45:26,760 --> 00:45:29,600
just become desensitized. 
And it's just, it's not, they're

752
00:45:29,600 --> 00:45:31,560
not worth the 15 minutes of fame
that they're getting. 

753
00:45:32,120 --> 00:45:36,800
Yeah, and I, I think there's a 
lot to that because, you know, 

754
00:45:36,800 --> 00:45:39,760
the the news that gets published
is the news that gets clicked 

755
00:45:39,760 --> 00:45:43,880
on. 
And you know, Joe's Animal 

756
00:45:43,880 --> 00:45:48,360
Hospital in in Salt Lake City 
being ransomwared, is not 

757
00:45:48,360 --> 00:45:51,240
something people are going to 
click on unless you happen to 

758
00:45:51,240 --> 00:45:54,560
have a pet that you take to 
Joe's Animal Hospital, you know,

759
00:45:54,680 --> 00:45:57,520
so that. 
Even then, I think I like I get 

760
00:45:57,520 --> 00:45:59,360
desensitized like, OK, another 
breach. 

761
00:45:59,360 --> 00:46:01,440
My data was in it. 
What am I going to do? 

762
00:46:01,440 --> 00:46:04,320
Change my Social Security 
number, you know, change my 

763
00:46:04,320 --> 00:46:09,560
name, you know, it's just it's 
it's some place like, OK, cool. 

764
00:46:09,560 --> 00:46:12,720
Like I'm sure, you know, at this
point I would, I would find it 

765
00:46:12,720 --> 00:46:15,840
very hard to believe that at 
least in the US that no American

766
00:46:15,840 --> 00:46:19,800
has never been had any of their 
data in any breach and ever, 

767
00:46:20,000 --> 00:46:21,920
right. 
Like I think something has been 

768
00:46:21,920 --> 00:46:23,160
leaked. 
Yeah. 

769
00:46:23,160 --> 00:46:27,280
And what can you do about it? 
And so much of your data is, is 

770
00:46:27,280 --> 00:46:30,600
owned by, by marketing companies
now in some way or another. 

771
00:46:30,760 --> 00:46:35,640
Anyhow, it's, you know, it's, 
you're probably not saving 

772
00:46:35,640 --> 00:46:39,800
yourself a lot of grief if you, 
if you go through that, you 

773
00:46:39,800 --> 00:46:41,600
know, try to hide my identity 
stuff. 

774
00:46:42,320 --> 00:46:44,000
So nobody wants to give the 
answer. 

775
00:46:44,000 --> 00:46:47,720
So nobody wants to give the 
answer that enterprises have 

776
00:46:47,720 --> 00:46:53,800
invested in reducing the risk of
ransomware attacks and that's 

777
00:46:53,800 --> 00:46:57,200
why they've gone down. 
OK, they have spent a truckload 

778
00:46:57,200 --> 00:47:05,680
on it and the problem is that 
it's it's sort of you know, the 

779
00:47:05,680 --> 00:47:09,000
attackers are are, are evolving 
at the same rate that the that 

780
00:47:09,000 --> 00:47:12,680
the defenders are. 
It's, it's, you know, and you if

781
00:47:12,680 --> 00:47:18,920
you look in the future with with
the introduction of AI based 

782
00:47:18,920 --> 00:47:23,160
attacks and AI based defense, 
that at some point we're just 

783
00:47:23,160 --> 00:47:25,920
going to sit back and let the 
AIs do duke it out and, and 

784
00:47:25,920 --> 00:47:27,120
we'll see who wins the. 
Argument. 

785
00:47:27,120 --> 00:47:30,120
Tell me who won. 
Yeah, and and the and the 

786
00:47:30,120 --> 00:47:33,600
winners will be either NVIDIA or
the the power generating 

787
00:47:33,600 --> 00:47:36,880
companies. 
Yeah, that's a circles down to 

788
00:47:36,960 --> 00:47:40,960
basic blocking and tackling in 
identity access management. 

789
00:47:41,400 --> 00:47:46,200
It's phishing, it's social 
engineering of the help desk to 

790
00:47:46,840 --> 00:47:50,440
get me in the front door, reset 
someone's cred so I can come in.

791
00:47:51,000 --> 00:47:55,960
And I I sometimes shake my head 
that we're still here. 

792
00:47:56,880 --> 00:48:00,360
The blocking and tackling thing 
is, is really, really important.

793
00:48:00,360 --> 00:48:04,280
I've, I've been saying this for 
years that if you just do the 

794
00:48:04,280 --> 00:48:08,560
basics well and and diligently, 
that gets you a long ways. 

795
00:48:09,360 --> 00:48:12,480
You know that that makes it much
harder for for you either to get

796
00:48:12,480 --> 00:48:15,000
compromised or for the attackers
to do anything once they've 

797
00:48:15,000 --> 00:48:20,400
compromised an account. 
That's also one of the things 

798
00:48:20,400 --> 00:48:23,160
that Purple Knight can help you 
with because it's it's 

799
00:48:23,160 --> 00:48:26,360
essentially a catalogue of all 
the block, blocks and tackles 

800
00:48:26,360 --> 00:48:29,040
that you need to make. 
Yeah, here's what you should do.

801
00:48:29,080 --> 00:48:30,920
Do this. 
It's like literally a playbook, 

802
00:48:31,480 --> 00:48:32,160
right? 
Exactly. 

803
00:48:32,160 --> 00:48:33,640
I mean, you really don't have an
excuse at that point. 

804
00:48:33,640 --> 00:48:34,800
It's like, well, I didn't know 
what to do. 

805
00:48:34,800 --> 00:48:36,480
Well, here's a free tool that 
will tell you that. 

806
00:48:36,480 --> 00:48:38,440
So we'll have a link to that in 
our show notes. 

807
00:48:38,840 --> 00:48:41,760
I got one thing I want to wrap 
up on before we shift to 

808
00:48:41,760 --> 00:48:45,280
piloting because I want to ask 
you about piloting is do you 

809
00:48:45,280 --> 00:48:47,680
think so? 
I remember which one you guys 

810
00:48:47,680 --> 00:48:50,680
said it, but just now was the 
investment, there's huge 

811
00:48:50,680 --> 00:48:53,520
investment being made in 
cybersecurity and specifically 

812
00:48:53,520 --> 00:48:56,920
against this. 
Is this a case where may not 

813
00:48:56,920 --> 00:49:00,880
everybody's investing in it? 
So does a big company who makes 

814
00:49:00,880 --> 00:49:04,240
a big splash to say we're going 
to spend $10 million or $10 

815
00:49:04,240 --> 00:49:08,280
billion skew a number like that 
to say, oh, yeah, there's more, 

816
00:49:08,400 --> 00:49:10,000
there's more investment that's 
ever been made. 

817
00:49:10,000 --> 00:49:13,800
But are there, I guess, are 
there big companies that have 

818
00:49:13,800 --> 00:49:17,400
massive investments that sort of
drive that into a false sense 

819
00:49:17,400 --> 00:49:20,600
of, of a rising tide lifts all 
boats? 

820
00:49:21,040 --> 00:49:22,160
I'm just curious what you guys 
think. 

821
00:49:24,360 --> 00:49:27,120
'Cause I can't imagine. 
The the veterinarian, right that

822
00:49:27,120 --> 00:49:30,080
you, that you use an example, 
right, The pet hospital, they're

823
00:49:30,080 --> 00:49:33,160
probably not spending $10 
million on cybersecurity tools. 

824
00:49:33,600 --> 00:49:37,600
But for sure a large. 
Company is, you know, does the 

825
00:49:37,640 --> 00:49:40,600
spend equate to the overall risk
reduction to the? 

826
00:49:40,600 --> 00:49:46,760
Industry, it might, it might, 
you know I mean, I, I, I don't 

827
00:49:46,760 --> 00:49:50,040
think I know enough about the, 
the the economics of 

828
00:49:50,800 --> 00:49:54,400
cybersecurity spend enough to 
really say for sure, but that's 

829
00:49:54,400 --> 00:49:58,920
entirely plausible that that 
some, you know, a relatively few

830
00:49:59,560 --> 00:50:02,880
companies have spent a truckload
of money and that sort of skews 

831
00:50:02,880 --> 00:50:04,680
the, the numbers. 
Yeah. 

832
00:50:04,680 --> 00:50:06,800
That's that's, I would say 
likely. 

833
00:50:07,560 --> 00:50:11,880
I do believe that it could be 
somewhat a case of you don't 

834
00:50:11,880 --> 00:50:15,560
have to be the fastest, you you 
just have to not be the slowest.

835
00:50:16,840 --> 00:50:18,440
You have to be faster than the 
other guy. 

836
00:50:19,040 --> 00:50:20,320
Right. 
I mean, we both live in the 

837
00:50:20,320 --> 00:50:22,360
mountains, Gil, right? 
It's it's to outrun the bear. 

838
00:50:22,360 --> 00:50:24,920
You don't have to be the fastest
one, you know, just be fastest 

839
00:50:24,920 --> 00:50:26,240
with your friends that you're 
camping with. 

840
00:50:26,600 --> 00:50:29,160
Exactly right. 
Yeah, there's there's something 

841
00:50:29,160 --> 00:50:32,280
to that, I imagine. 
All right, let's talk piloting 

842
00:50:32,280 --> 00:50:34,640
because you mentioned before we 
hit record that you've got a 

843
00:50:34,640 --> 00:50:36,680
Cessna Bird Dog for the idea of 
piloting. 

844
00:50:36,680 --> 00:50:39,600
I would love to get a pilot's 
license and just fly all over 

845
00:50:39,600 --> 00:50:40,840
the place. 
I'm a big fan of it. 

846
00:50:41,240 --> 00:50:43,080
So you're doing what I hope to 
be doing. 

847
00:50:43,080 --> 00:50:45,200
So if we get more sponsored 
episodes, we need a whole lot 

848
00:50:45,200 --> 00:50:47,160
more for me to get a 20, that's 
for sure. 

849
00:50:47,800 --> 00:50:51,000
So I'm gonna, I'm gonna fanboy 
out over here and say, OK, tell 

850
00:50:51,000 --> 00:50:54,280
me about what it's like. 
Like you've got a plane, how did

851
00:50:54,280 --> 00:50:57,480
you get into it? 
How often do you fly? 

852
00:50:57,480 --> 00:50:59,800
Like what's I think the range of
that's probably what, a couple 

853
00:50:59,800 --> 00:51:01,880
100 miles, maybe 3 or 400 miles 
or more than that. 

854
00:51:01,880 --> 00:51:05,360
Yeah, it's so the. 
Cruising, it's holding back up a

855
00:51:05,360 --> 00:51:08,760
little bit. 
The the Bird Dog is is a 

856
00:51:08,760 --> 00:51:13,240
military airplane that was 
designed and built really in the 

857
00:51:13,240 --> 00:51:16,400
Korean War, but used extensively
in Vietnam. 

858
00:51:17,240 --> 00:51:20,600
And it was built for forward air
control and reconnaissance. 

859
00:51:20,600 --> 00:51:25,120
So it was built to fly low and 
slow so that pilot and observer 

860
00:51:25,120 --> 00:51:27,640
could see what was going on on 
the ground and report back 

861
00:51:27,640 --> 00:51:32,360
either to direct an air strike 
or to direct artillery or just 

862
00:51:32,360 --> 00:51:34,760
to report back on on enemy troop
of that. 

863
00:51:34,760 --> 00:51:39,280
So that that was its mission. 
It's not what you would call a 

864
00:51:39,280 --> 00:51:41,360
travelling airplane. 
Like it's not going to, you 

865
00:51:41,360 --> 00:51:43,800
know, if you, if you need to 
make a week weekly commute from 

866
00:51:44,320 --> 00:51:47,080
North Carolina to Dallas, that's
not the airplane you'd want to 

867
00:51:47,080 --> 00:51:49,160
do because that would be true. 
Is that what you're saying 

868
00:51:51,440 --> 00:51:55,080
exactly? 
But what? 

869
00:51:55,080 --> 00:51:57,600
Actually one of the reasons I 
moved to Idaho is Idaho is 

870
00:51:57,600 --> 00:52:01,760
really well known for the 
mountains and rivers and the 

871
00:52:01,760 --> 00:52:05,520
fact that a lot of the rivers 
have almost no access to them 

872
00:52:07,160 --> 00:52:10,360
either by well, no, no road 
access for sure. 

873
00:52:10,360 --> 00:52:13,200
But they do have lots of little 
grass strips that have been 

874
00:52:13,200 --> 00:52:18,160
built either by the Forest 
Service or BLM or Idaho Fish and

875
00:52:18,160 --> 00:52:22,040
Game, so that those people can 
go out and service the areas. 

876
00:52:23,080 --> 00:52:25,800
And those are available for, for
pilots to use. 

877
00:52:25,800 --> 00:52:28,680
And the Bird Dog's an ideal 
backcountry airplane for that 

878
00:52:29,000 --> 00:52:33,760
because it can get in and out of
very short, unprepared strips 

879
00:52:33,760 --> 00:52:38,680
very easily. 
And so that's, that's one of the

880
00:52:38,680 --> 00:52:41,000
reasons I'm here in Idaho. 
And one of the reasons I, I got 

881
00:52:41,000 --> 00:52:43,320
the Bird Dog is, is to spend 
more time flying in the 

882
00:52:43,320 --> 00:52:47,040
backcountry, which is, is just 
wonderful. 

883
00:52:47,200 --> 00:52:50,160
I mean, to answer your other 
question, I started flying in 

884
00:52:50,520 --> 00:52:58,960
the 80s, but it started out in 
gliders and ended up doing a lot

885
00:52:58,960 --> 00:53:01,880
of commercial rides in gliders. 
So I'd fly people out over 

886
00:53:02,560 --> 00:53:05,000
Massachusetts Bay in a glider. 
And then, you know, we were 

887
00:53:05,440 --> 00:53:10,040
flying in and out of Plymouth at
that time and I got my power 

888
00:53:10,040 --> 00:53:18,920
rating in 95, I think, and been 
flying ever since. 

889
00:53:18,920 --> 00:53:22,240
So I, I typically, I probably 
fly every other weekend 

890
00:53:22,240 --> 00:53:26,440
somewhere not, I mean, generally
it's maybe within an hour, hour 

891
00:53:26,440 --> 00:53:29,320
and a half, something like that.
But there are so many little 

892
00:53:29,320 --> 00:53:32,600
backcountry strips of Idaho. 
There's endless places to go 

893
00:53:32,600 --> 00:53:37,960
explore and you land someplace 
there's nobody around. 

894
00:53:38,400 --> 00:53:42,120
You have a, you know, you know, 
beautiful creek, or maybe you 

895
00:53:42,120 --> 00:53:45,480
have the Middle Fork of the 
Salmon River, the Snake River, 

896
00:53:45,480 --> 00:53:49,080
one of those those kinds of wild
rivers. 

897
00:53:49,840 --> 00:53:52,200
You're a trout fisherman. 
You know, you're all set. 

898
00:53:52,200 --> 00:53:56,280
You're set for life. 
And you can just you could camp 

899
00:53:56,280 --> 00:53:58,320
or you could just hang out, 
stick your feet in the water and

900
00:53:58,600 --> 00:54:02,240
and commune with nature for a 
while and then wild. 

901
00:54:03,160 --> 00:54:05,000
That sounds so so. 
Awesome. 

902
00:54:06,560 --> 00:54:07,720
So you mentioned. 
Being able to like. 

903
00:54:08,120 --> 00:54:10,960
Drop into like a scenario like 
that, I mean short runway you 

904
00:54:10,960 --> 00:54:13,840
mentioned sort of the short 
landing and take off like what's

905
00:54:13,840 --> 00:54:18,920
the I guess give me a sense for 
like how many yards or feet or 

906
00:54:18,920 --> 00:54:21,560
whatever it is like do you of 
space, do you actually need to 

907
00:54:21,560 --> 00:54:25,360
take off and land in this plane?
So so probably. 

908
00:54:25,400 --> 00:54:33,280
If I'm on grass or gravel, yeah,
sort of in the 500 to 1000 feet 

909
00:54:33,520 --> 00:54:39,720
is plenty. 
If I'm on asphalt, it can be a 

910
00:54:39,720 --> 00:54:42,240
little bit shorter, but none of 
the backcountry strips are 

911
00:54:42,240 --> 00:54:46,520
asphalt. 
So and and the the Bird Dog that

912
00:54:46,520 --> 00:54:48,960
I have has has had some 
modifications made to it. 

913
00:54:48,960 --> 00:54:53,000
So as a, as a, as more 
horsepower and wings that have 

914
00:54:53,000 --> 00:54:57,720
been specially modified for 
extra lift and, and for slow 

915
00:54:57,720 --> 00:55:01,440
flight. 
So it can, it can get down like 

916
00:55:01,440 --> 00:55:03,640
once the wheels touch the 
ground, I'm probably stopped 

917
00:55:03,640 --> 00:55:06,640
within 100 feet. 
Wow. 

918
00:55:07,400 --> 00:55:09,080
And a racing. 
Strike, maybe for speed. 

919
00:55:11,280 --> 00:55:13,320
Aerodynamics. 
Yeah, there you go. 

920
00:55:14,040 --> 00:55:15,880
That's pretty. 
Cool, What's the worst weather? 

921
00:55:15,880 --> 00:55:20,560
You've flown in. 
Give me a hair raising, hair 

922
00:55:20,560 --> 00:55:23,040
raising story. 
Let's ramp up the drama. 

923
00:55:23,880 --> 00:55:29,360
OK, so the. 
I So I haven't had any weather 

924
00:55:29,360 --> 00:55:33,200
related incidents other than 
once flying in a glider. 

925
00:55:33,200 --> 00:55:37,640
I, I used to race gliders when I
lived in Arizona and the idea 

926
00:55:37,640 --> 00:55:40,640
would be that you, you launch a 
bunch of gliders at the same 

927
00:55:40,640 --> 00:55:44,600
time and then you have a, a 
designated race course. 

928
00:55:44,600 --> 00:55:49,520
So you go to Wickenburg and then
go to Prescott and then go to, 

929
00:55:49,520 --> 00:55:52,280
you know, some other place and 
then you come back and whoever 

930
00:55:52,280 --> 00:55:54,760
goes around the fastest wins. 
So that's the idea. 

931
00:55:55,560 --> 00:56:01,360
And it was a day where there 
were some big cumulus buildups 

932
00:56:01,840 --> 00:56:04,560
that we were, we're, we're 
eventually going to turn into 

933
00:56:04,560 --> 00:56:08,240
thunderstorms, but those also 
have amazing lift those big 

934
00:56:08,240 --> 00:56:12,200
cumulus clouds. 
So I was cruising along in, in 

935
00:56:12,200 --> 00:56:15,480
my glider getting closer and 
closer to the bottom of the 

936
00:56:15,480 --> 00:56:17,200
cloud. 
And we have the regulations that

937
00:56:17,200 --> 00:56:20,160
say you have to maintain a 
distance from the bottom of the 

938
00:56:20,160 --> 00:56:23,280
cloud. 
So I put the stick forward to 

939
00:56:23,280 --> 00:56:25,000
start descending and going 
faster. 

940
00:56:25,240 --> 00:56:27,280
But the thing just started 
sucking me up into it. 

941
00:56:28,520 --> 00:56:31,520
And I was really struggling to 
not get sucked up into the 

942
00:56:31,520 --> 00:56:33,280
cloud. 
And once you get into the cloud,

943
00:56:33,440 --> 00:56:36,640
you have no visual reference and
you can't tell up from down or 

944
00:56:36,640 --> 00:56:39,440
left to right. 
And you end up losing control 

945
00:56:39,440 --> 00:56:41,640
within. 
Yeah, within 30 seconds or so. 

946
00:56:43,760 --> 00:56:47,600
And I had I pulled the spoilers 
out to descend, I had the nose 

947
00:56:47,600 --> 00:56:50,240
down. 
I was probably going 130 or 140.

948
00:56:51,720 --> 00:56:53,800
And it was just barely creeping 
down. 

949
00:56:53,800 --> 00:56:57,240
And all of a sudden you hear 
this huge bang, No idea what 

950
00:56:57,240 --> 00:57:01,280
that was. 
And I have this rush of ice cold

951
00:57:01,280 --> 00:57:07,360
water running down my back. 
And it turns out that it just 

952
00:57:07,360 --> 00:57:09,680
started to rain. 
It was, you know, a thunderstorm

953
00:57:09,680 --> 00:57:12,160
that just started. 
The crack I heard was a 

954
00:57:12,440 --> 00:57:17,080
thunderclap somewhere. 
And that water was just leaking 

955
00:57:17,080 --> 00:57:19,440
in through the canopy because it
it hit so hard. 

956
00:57:20,040 --> 00:57:23,400
It just poured in through the 
canopy and got sucked right down

957
00:57:23,400 --> 00:57:26,440
the back of my shirt. 
So the bang you're worrying 

958
00:57:26,440 --> 00:57:30,040
about trying to get out of this 
cloud, the bang and the ice cold

959
00:57:30,040 --> 00:57:33,680
water running down my back all 
of the same time was terrifying 

960
00:57:34,520 --> 00:57:36,440
for about 10 seconds. 15 
seconds. 

961
00:57:36,440 --> 00:57:40,640
Then I realized what happened 
and it was OK, so and then you 

962
00:57:40,640 --> 00:57:43,400
got that one well. 
Enough to be out of the lift. 

963
00:57:43,400 --> 00:57:44,960
From. 
The from the cloud, I basically 

964
00:57:44,960 --> 00:57:47,160
just, you know, gunned it. 
Out from underneath the cloud, 

965
00:57:47,160 --> 00:57:49,000
and once I got outside the 
cloud, it was fine. 

966
00:57:49,960 --> 00:57:52,120
When did you fly again after 
that or yeah, that? 

967
00:57:52,120 --> 00:57:54,200
Point was lighter, but like, did
you like, all right, I'm going 

968
00:57:54,240 --> 00:57:55,520
to take a break for a couple 
minutes. 

969
00:57:55,640 --> 00:57:59,400
I, I I. 
Actually didn't fly for a couple

970
00:57:59,400 --> 00:58:01,160
of weeks after that. 
Yeah, OK. 

971
00:58:01,480 --> 00:58:05,280
Yeah, Jim, can we? 
Get an IDAC plane like we'll go 

972
00:58:05,280 --> 00:58:08,400
on it and like is, is that an 
appropriate business expense? 

973
00:58:10,040 --> 00:58:10,960
I don't see. 
Why not? 

974
00:58:10,960 --> 00:58:13,920
You'll have to check the. 
IRS guide for that though, Jeff,

975
00:58:14,480 --> 00:58:15,880
I have a feeling they wouldn't 
go for that. 

976
00:58:17,440 --> 00:58:18,720
Sure. 
Come on. 

977
00:58:21,440 --> 00:58:22,720
All right, Well, let's go ahead 
and. 

978
00:58:22,720 --> 00:58:24,280
Write it off, though we probably
couldn't find. 

979
00:58:24,280 --> 00:58:26,040
That. 
So unless you do a lot more 

980
00:58:26,040 --> 00:58:28,720
sponsors spotless, yeah, like 
one every day, that's probably 

981
00:58:28,720 --> 00:58:29,960
the way we have to. 
Do that. 

982
00:58:29,960 --> 00:58:32,000
So I'll, I'll, I'll talk to our 
marketing people and. 

983
00:58:32,000 --> 00:58:33,240
And see what we can do to help 
you out. 

984
00:58:33,640 --> 00:58:35,400
Yeah, Well, well, I'd say let's 
get let's. 

985
00:58:35,400 --> 00:58:40,000
Get the plug in, then you know, 
Semperis, semperis.com, S-E-M-P-E-R-I-S 

986
00:58:40,000 --> 00:58:42,560
.com. 
Gil, thank you so much for 

987
00:58:42,560 --> 00:58:44,120
spending time with us. 
We're going to have a bunch of 

988
00:58:44,120 --> 00:58:46,320
links in our show notes. 
Definitely encourage people to 

989
00:58:46,320 --> 00:58:47,520
go check it out. 
I mean, this is something that's

990
00:58:47,520 --> 00:58:50,520
almost like a no brainer. 
You need to have something to 

991
00:58:50,560 --> 00:58:53,160
protect your environment and 
this is a good solution to do 

992
00:58:53,160 --> 00:58:55,080
that. 
So with that, we'll go ahead and

993
00:58:55,080 --> 00:58:57,920
wrap it up for this week. 
You can find Jim and I on the 

994
00:58:57,920 --> 00:59:00,480
web, idacpodcast.com. 
And of course, we're always on 

995
00:59:00,480 --> 00:59:03,160
LinkedIn. 
And then, yeah, our YouTube 

996
00:59:03,160 --> 00:59:05,760
channel, idacpodcast.tv. 
We'll take you straight to it. 

997
00:59:05,760 --> 00:59:09,040
So want to thank everybody for 
watching and or listening. 

998
00:59:09,040 --> 00:59:10,480
Gil, thank you so much for your 
time. 

999
00:59:10,960 --> 00:59:13,040
And we'll talk with everyone 
else in the next one. 

1000
00:59:15,520 --> 00:59:17,520
You've been listening to 
Identity 

1001
00:59:17,520 --> 00:59:20,640
at the Center. We hope you've 
enjoyed the show. 

1002
00:59:20,840 --> 00:59:24,960
Make sure to like, rate and 
review, and we'll be back soon. 

1003
00:59:25,200 --> 00:59:27,480
But in the meantime, hit the 
website at 

1004
00:59:27,480 --> 00:59:33,840
identityatthecenter.com. 
See you next time on Identity at

1005
00:59:33,840 --> 00:59:34,760
the Center.
