Episode 77

Cybersecurity Unicorns with Bryson Bort

EPISODE SUMMARY

Purple teaming is the name of the game today as Joseph Carson sits down with Bryson Bort, the cyber unicorn! To stay ahead of cyber-attacks, you need to have the right tools, infrastructure, and staff in place. Bryson is the founder of GRIMM Cyber and SCYTHE, so he knows how to create a foundation for security success.


Hello from Cybrary and Delinea, and welcome to the show. If you've been enjoying the Cybrary Podcast or 401 Access Denied, make sure to like, follow, and subscribe so that you don't miss any future episodes. We'd love to hear from you. Join the discussion by leaving us a comment or a review on your platform of choice or emailing us at Podcast@Cybrary.it. From all of us at Cybrary and Delinea, thank you and enjoy the show.

Joseph Carson:

Hello everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm your host, Joe Carson, chief security scientist from Delinea. And it's a pleasure to be here with you, and I'm really excited about today's episode. As always, we try to find really entertaining, really fantastic, amazing, knowledgeable guests. And we definitely have one here for you today. So I'm going to pass it over to Bryson to introduce yourself. I've seen you in fantastic costumes and outfits over the years, and definitely the one today is fantastic. So you're always a white unicorn. So Bryson over to you to introduce yourself, things about your background, how you got into the industry, and what things you enjoy doing.

Bryson Bort:

Yeah, I can't speak to knowledgeable, but I'll let the audience be a judge after the next 30 or 40 minutes goes by. But I will be entertaining, I promise that. Today is the summer unicorn because I just moved to Florida and it's warm. I'm required by law to brag about the weather and be obnoxious about it. As I told you, I get points on my license if I don't. So, oh me, former army officer, did time in the intelligence community. 10 years ago started my own company named GRIMM, which was my nickname in the IC. GRIMM is still around. It is, I'd like to say, a classic pen testing company, but when I think of classic pen testing, I think most folks go to web app and network penetration testing, whereas GRIMM does that and more. Literally try to stump us with the technology that we have not done security research on. I don't know what it would be at this point. We've done it. The story jumps to the future, the present, you got me off on the Estonian and no future. English is technically not my first language.

Joseph Carson:

That's what people ask me. People go, English is pretty good for your second language. And then I get sometimes embarrassed to go, well actually, technically this is my first language. Well, being from Belfast, it does get complicated.

Bryson Bort:

Yeah. Well I think you just summed up the Irish. It's your first language, but it sounds like a second.

Joseph Carson:

Exactly.

Bryson Bort:

2016, Target came to me, asked me to build them a tool. I was surprised that there wasn't anything already on the market for that. And I went back to them and said, well, what if I built you a platform of unlimited threat emulation? You could scale it to your scope, your risk appetite, your technical ability, whatever you want. And most importantly, you will never be beholden to a third party again, because particularly with the time I've seen in the intelligence community, we see the military industrial complex reach up and grab around the throat and be like, it's going to be this way forever. Good luck. And I didn't want them to be that way. They thought that was great. I thought that was great. Co-developed with them for two and a half years. Realized I knew absolutely nothing about commercial software sales and development.

So at the end of 2018, we spun SCYTHE out of GRIMM with the help of Ron Gula from Tenable, Dmitri Alperovitch from CrowdStrike, and then Palate and Capital was the other big VC with us. So I've now learned a lot about venture capital and commercial software sales and development and all of those pieces. The gaps between everybody talks about how to raise money and then it's a bunch of D and E round or IPO founders later who all brag about how smart and successful they were. It's so easy, just do that. Nobody ever talks about the middle, about how much it sucks and it's really hard. And co-founded a nonprofit, a 501(c)(3) because I don't apparently have enough free time called the ICS Village with Tom Van Norman. You can catch us, we have been perennial parts of DEFCON and the RSA Conference.

And then we do a number of other conferences throughout the year, including our sixth annual Hack the Capital, which takes place in Washington DC. So we'll have members of Congress, we have a couple of agency directors, and then just tons of folks throughout industry and government in different parts, all coming together for two days in McLean, Virginia, May 10th and 11th. That's Hack the Capital, our sixth one. I'm on the board of the Army Cyber Institute. Just announced today, I'm now a fellow at the C2-Ai Control Systems. I don't remember what it is, but I probably should learn how to pronounce the organization. Yeah, I know it's C2-Ai, because it's C squared AI, and that's with Banked and Derek Harp. I'm also a senior fellow at the National Security Institute. I think that was the things I do, and I'm probably affiliated with things that I don't remember and can't pronounce the name. So whatever.

Joseph Carson:

And you love to travel, and good for you.

Bryson Bort:

I don't necessarily love to travel. I live on airplanes because it's the job, not because I love to be in the middle, row 17B, going, well, this is great. Aren't I executive platinum, shouldn't I be upgraded? Ok, that's cool.

Joseph Carson:

Yeah, absolutely. For myself as well, I travel quite often and it gets to the point where it's like people, oh, it's a luxury thing. You're really enjoying it. It's like, what? One thing that very few people know is that actually I'm afraid of flying and heights.

Bryson Bort:

I did not know you were afraid of flying. So, afraid of heights. That's very common, but being a frequent flyer to be afraid to fly, that's something else.

Joseph Carson:

It was before that. Years ago I was perfectly fine. But then I had an event, actually two events in my time that were quite significant. One was where the plane was running out of fuel and we had to make an emergency landing in, I think it was Delaware, if I remember, which wasn't an international airport. And this is going back, this is maybe about early 2000s. And when we came down, there were really bad crosswinds and we had to land. So the pilot just basically crisis hard as possible into the ground, where the wing even hit the ground and the grass went flying up, all the luggage came out of the top. And from that point, for me, I got a bit iffy about flying. I started getting on edge, especially with turbulence on takeoff and landing. So I face my fears quite often.

Bryson Bort:

Well Joe, so I've had worse. I have been on a plane that has been hijacked, Frankfurt to, I forget where we were going, I think Dulles. And we did an emergency landing in Lockerbie, Scotland for negotiations. And then when I was redeploying back from the Middle East after 9/11, our plane, we're up in the air for maybe 10, 15 minutes and then the plane goes. And there's a long story to how long we'd been stranded. And of course you can imagine where we were. It had already been lots of terrible sucky things and we're just like, please get us out of here. And this plane just goes, and I'm not making this up either. The pilot comes on the intercom, he's like, if you look out over the left wing, you'll see us dumping fuel over the pyramids. We had catastrophic engine failure and then the engine had actually basically blown up in the air.

Joseph Carson:

So for the audience, in this world where basically, when we travel, a lot of things happen. One addition to your fuel one. Might be about five years ago, it was a really good LinkedIn blog that I wrote about it, was when the plane actually had a fire in the fuselage. We just took off and all of a sudden the back of the plane, the tail of the plane, started getting smoke coming in and we had to make an emergency landing. And of course at that point you can't dump fuel.

Bryson Bort:

Nope.

Joseph Carson:

So we did a 30,000 down to the ground within about two minutes, and a heavy landing with a fire brigade and stuff. So for me, I'm very tense on planes. So you don't want to be sitting next to me because I'm the one sitting with hands gripping as hard as possible on the seats.

Bryson Bort:

Just like cybersecurity, I think we all have this perpetual anxiety. I embrace it with more of a nihilistic view of what's going to happen is going to happen. And just like on a plane, in cybersecurity, everybody is in the same position you are in. Whatever is going to happen is going to happen to all of us.

Joseph Carson:

Absolutely. When you started getting into cybersecurity, what were the first experiences? What was it like? What were the threats at the time? What were you interested in? What were the areas of interest?

Bryson Bort:

Well, first of all, at our age, we were around and doing this stuff before cybersecurity was a thing. It wasn't called cybersecurity, it was called, hey, the Melissa virus happened, run around with the CD-ROM and plug it into everything that will take it. That was it. Going back to that angst that I share is the perspective of how young this industry is. Until 2000, firewalls were not common. Think about that. The concept of your network is different from my network is 20 years old. I love bringing up Target because Target in 2012 was the bellwether for industry taking this seriously. Until that, the C-suite, cybersecurity, never heard of it, don't care. Nerd.

Joseph Carson:

Didn't even have anyone who was doing the job.

Bryson Bort:

Yeah. We had AVs and we had firewalls. We're good. That's it. In 2013, when the results of that happened, that's when the modern cybersecurity ecosystem became what it is. All of the products, all of the money that's been pouring into it is effectively 10 years old. So going back, my getting into it would be, I guess, the most common hacker origin story, which is when I was the threat, I was figuring out how to get access to anything I wasn't supposed to. I was really motivated to take the DRM off of games and modify the games to make them my way, because you know you can only play Civilization so many ways before at some point, why don't I start creating my own units and doing my own things like that? I think where it really exploded for me was in high school. I found high school boring. My sophomore year we were given graphing calculators, and now I had my own processor with its own limited, I think it was Basic, programming language.

Joseph Carson:

Oh, Basic language.

Bryson Bort:

I just started making video games on my calculator. I made Street Fighter, I made elaborate role-playing games, and it was academic so I could be in any class just making video games and I'd be left alone for the most part. I actually took that same skillset into college, and there'd be instructors who would test me a time or two because I don't look like I'm paying attention, and they'd ask me a question and I'd answer it. They'd do that a few times and they'd realize, okay, whatever he's doing, he's not disruptive and he's paying attention in his way. So we're all good.

Joseph Carson:

I think when we've spoken previously, I always find that we've had very similar paths because I actually started the same way. I didn't have access to the coolest and greatest games, so I always tried to find ways in order to get access to them, to copy them. I spent a lot of time, even in Basic, typing programs. I had to wait for the magazine every month and then spend hours of my time typing in the program in Basic, ultimately to find out that there was some typo in the magazine, and you had to wait two, three months for them to do a reissue and say, oh, remember in line 560 whatever, there was a missing, was it a quote or something. I'm just like, ah. Enough for me was a kind of gaming and getting around it, even at school.

One of the things I was able to do was I made a ton of money because I knew where the IT team kept the passwords. We had Apple Classics at the time, and I basically would go around all the computers at the start of class and I would charge people to put games on them so they would pay me. I was the gaming admin going and reinstalling the games, and then in the evening the IT guys would be like, who installed all these games? And they'd go and remove them all. So the next day I would go and recharge them all to install them back on again. And that actually was paying for my gaming hobby in the evenings, being able to pay for the cartridges and stuff. And definitely I was always finding out.

So the point is I always say hacking is a curiosity, it's a mindset, and I think from a very young age, just like yourself is that we get into this curiosity, but what things can we do either to gain access or to gain knowledge or to do the things that we are passionate about, whether it being gaming or whether it being just ripping things apart and understanding about how it works. And that's why I think, I always hate the term that in the media they use hacking as a very malicious activity, but it's not, it's something that we are just curious people that want to know how things work and there's different motives. I think it comes on to the misinterpretation of motives sometimes into what it is we're really trying to do. How are we using that skill and is it really for good or for malicious purposes? And sometimes I think that always gets lost in some of the narrative as well.

Bryson Bort:

I'll be honest, so I'm an advocate for an organization called Hacking is Not a Crime, and that's a lot of what we've been pushing has been trying to change that narrative, but I almost feel like we've reached the point that I'm not as worried about that anymore. The concerns about the FBI breaking down your door to pummel you with CFAA. When you look at the conversations and the fact that cybersecurity is even mentioned by the White House, the level of leadership and talent at CISA, the National Cybersecurity Directorate, which is now a thing, the fact that the funding is there, the last 10 years when you look at Bugcrowd and HackerOne and Synack and all of the democratization of penetration testing with bug bounties where companies are now saying, hey, we want to invite these folks with a limited scope to do these kinds of things.

I think we're past that where, not that there's a negative perception to it, but that there are negative consequences to that being in the narrative. So I'm not as worried about that piece anymore. I still have the, I think, where we all do, which is recognizing where cybersecurity is in the risk matrix of any person or organization. And I always pointed out from a Maslow's hierarchy, the average person does not care about cybersecurity. Why would they, when they have to worry about eating and drinking and staying alive and staying married or getting married or getting to a job on time and all of these other things? And then somewhere maybe 30th or 40th down the list is cybersecurity.

And we have the same challenge with organizations. And going back to where hacking really was initially a counter-cultural approach, it was driven by passion and curiosity. Well, now it's tied to money and that passion and curiosity is no longer enough. We have to be driving business and business-driven results with what we are bringing from security. And so offensive security is not there to be, can I continue to find the edge of what's possible, it's what's most relevant to the business and how do I assure that and show that? It's more communication, reporting and organizational management.

Joseph Carson:

Yeah, it definitely always reminds me of years ago when I was doing a pen test in a par station and ultimately the goal at the time, this is 2015, 2016, was to show the risks, but from a security perspective, not from a business perspective. And it was the CFO and CEO, after me and the CISO, we sat down and we showed them, we went through all this FUD and fear and scare tactics, which you typically did back then, unpatched systems and default credentials and access can go here. We had this whole list of things and we scared them, because ultimately the goal the CISO wanted was to get budget, and they wanted more money to pay for more security solutions in order to do the things that they wanted to do. But ultimately the CFO and CEO sat down and said, Hey, you scared us and great presentation, but you didn't say any of the things that we understand.

You didn't speak our language, you didn't show us about return on investment. How is it making the business better? How is it helping employees? And that was my turning point for me in my whole outlook and how I looked at things was that my job... That was a defining moment where I thought my job was security, but I realized that actually security is the skill and technique and how I apply things. But risk is ultimately what my job was. It was to listen to people and understand about what their job is and how they actually do their job, to the point where what things I can do to help them to make their lives better. But without putting security as a blocking part, as an enforcer, but what things I can do that point them in the right direction and actually makes security better than their previous experience of what they were doing before without security was.

So it was a realization that it's all about risk. And everything we had to do, to your point, is it's all about business outcomes. What we do with this technique or this automation or this solution or these security or penetration testing or blue team, however, all of those things, how does it make a difference to the business? How does it help them be successful? How does it help the employee? To your point, how does it help them eat healthier or get to work on time, or how does it better their life? How does it make them much more secure socially? I get worried, because one of the things that, even just last week, I play football, so soccer for the American audience, sometimes not very well. I try my best. I do get injured quite often these days, which takes a lot longer to heal unfortunately. But-

Bryson Bort:

That's called getting old Joe.

Joseph Carson:

I know. Everyone keeps telling me, but I will continue to do it as long as I can. But I was sitting with the team, the team that I was playing with and I was asking them about the whole TikTok issue, and I was asking them about getting into, their kids were all using TikTok and they were asking, they're saying to be honest, the kids are at this point where they don't care. And this is the point where you're saying, people don't really, it's not their forefront and it's not the things that they really worry about.

To the point where the kids, I don't get worried the next generation, the kids coming in that they're like, oh, why do I care? I'm actually being able to communicate with friends, I can share things, things are funny. They're enjoying and to the point where how do we make it where they can actually get, where security can be in the background or that they can get it for organizations as well to the point where it will work for them, it will help them be better? Because I get worried to the point where we're in this crossroads of people don't care at all.

Bryson Bort:

I don't think it's that they don't care. Down to the individual person, one, I think there's a nihilism. When's the last time your credit card's been stolen? It gets stolen all the time, but we're protected. That's the most common access we have as individuals to being breached. And it's like, eh, it's going to happen. I'm good. There's nothing I can do. It's this amorphous thing that happens and it strikes and Cthulhu reaches its tentacle through and I'm taken. And then the organization, I think everybody gets, again, going back to Target as the canary in the coal mine. Everyone gets it at an organization, but where do I start? What do I do?

And it's not like I don't have the resources immediately available as a small and medium-sized business. This is where I've really pointed the finger for federal government. And CISA has such a tough job because again, going back to the youth of all of this, CISA for the United States is four years old. Chris Krebs, now Jen Easterly, are responsible for building this thing almost from nothing. I mean it was a department before it had some folks, but the scope of the requirement is gargantuan. And where do you get the resources? We all are short on resources and the government's supposed to do that. And so I point the finger is, well one, all critical infrastructure can't be critical.

We need to create categories of criticality and consequence so that we can start to narrow the problem. And then where can government, being a central function, provide the most help to that? And my recommendation has been we need some kind of a solutions catalog where I don't need to threaten you with paper and sticks because you're not going to read the paper. You can't even access it. Doesn't mean anything to you. It's like, oh, a CDE, I don't know. Or I need to be compliant with what? How? Instead, the carrots of opt into this program and we'll do this stuff for you. We will provide these configurations, we will maintain this stuff. We'll do all this threat intelligence. Don't worry about what threat intelligence is. We got it right. That's the level we need to get to.

Joseph Carson:

Shared security model.

Bryson Bort:

Shared security model.

Joseph Carson:

So it reminds me of one thing I did, it was for a large transportation company, it was the same thing. We went in and we did security in the silos, and ultimately we found out basically the risks were everywhere. It was all over the place. We tried to then put in enforcement, we tried to put security policies and enforcement in place, but employees were just finding ways around them. We were actually creating friction. We were creating lots of problems between the employees and security by trying to do better security. And ultimately, I remember we're sitting with a bunch of... To give you the background, it was bring your kid to work day. So you had all these kids sitting around in one of the office meeting rooms, and we were actually getting to the point where we didn't know what to do, and somebody came up with the idea and said, why don't we ask the kids, they might have a better solution than us, as a joke.

And we thought, you know what, let's go ask the kids. So we got permission to go and basically sit with the kids for about an hour, and we went through and we asked them about how they saw things. And one of the things was that if we were to send communication to you, we were doing it through email and intranet sites and so forth and policies and getting people to sign these things. And the kids were like, huh, why don't you put it in cartoons? Because then it will make more sense to me. Because we're used to reading comics and that will actually tell us a story rather than just giving loads of text. And we're just like, oh, that's really cool. We never thought about that. Exactly. And the next point was, pictures make a big difference.

How do we actually get to the point where we communicate it? Because email wasn't working, intranet site wasn't working, it wasn't the best way. And they said, huh, we're all humans. We all need to go to the bathroom at least once a day. So why don't you put it on the back of the bathroom door? And it was amazing that at that point the kids taught us more than what we'd been doing in six months. Six months we'd been trying to do that. And the kids basically, in one hour, gave us a solution that was really effective. And then the next thing we realized was that it was the point where, to the social secure sphere, the organization then decided that they were not just going to give security to the devices they were giving to employees, but they actually said that security starts at home because the kids are home.

And how do we make the kids more safe? They said that they would give, actually in the home, all the security solutions that they had in the office; they would expand it to the actual employee's home so they can actually benefit from them. And they realized that we're only as secure as the social sphere we have around us. And the more we can bring people into that social sphere of security, the more we can actually make our social sphere much more protected, much more resilient. So I really love the shared security model because it allows you to opt in and benefit from things that you may have not had access to in the past; it may provide you solutions that might be sometimes out of your reach and resources. So for me, absolutely, I think that's one of the ways we can definitely make at least the small and medium businesses able to get the protection that the large organizations sometimes have the luxury of.

Bryson Bort:

Well the reality of the interconnected supply chain is you're in the same boat whether you realize it or not, you're in the same plane whether you know it or not.

Joseph Carson:

Exactly. At some point in time we're going to have problems and we all want to make sure that we all work together to solve those. I think one of the important things you mentioned was around CISA and stuff. And I think that was it for me when Chris Krebs took over and started creating and became much more proactive, much more providing best practices, much more sharing of information. And that was amazing. It was the first time where I felt that government was actually starting to really care and start doing more proactive communications and sharing intelligence, sharing threats and showing best practices. And to the point you were just talking about Hack the Capital, how important do you find it is to collaborate and to share between governments, companies and researchers? How important is all of that collaboration? How do you find it? Is it working today? Can we do better? Where's the direction going?

Bryson Bort:

So I'm not going to be yet the 10 millionth time anybody has heard information sharing is the answer. I will note this. Our purpose with Hack the Capital was realizing that industrial control systems and critical infrastructure are not a well understood thing because it's not the kind of thing where I can just get a PLC on my desk, whereas it's easy for me to walk over to a store and get a laptop. So everybody sort of gets that. And then the second part was more about the relationship building. These staffers, these folks, have to build actual policy and legislation, which turns out is really hard to do. And the most common access point for help in the Washington DC area are the K Street lobbyists, who have an agenda that they get paid for. So what better way of trying to get directly to, I'm not prescribing that one person or the other person or a researcher or research in the community is the answer, so much as giving a democratic access to you decide whom you like for whatever reasons and that they can be there.

And I've always found, while security researchers may not understand policy and legislation well, they are for the most part really willing to help and to educate. And that was the big thing. That being said, to your broader question, I think information sharing is still abysmal in this space for lots of reasons for the really, really juicy stuff. Well, that's all classified. So good luck. And also I don't think it's what drives most of the intelligence we see. I think the gray space is primarily being dominated by commercial. Google and Microsoft have done tons on their own to fight the fight at the edge.

So again, and then yeah, actually let's pivot to this and why I think our intelligence is failing us. So threat intelligence is about 10 billion dollars annually as a global industry. Almost all of that is ephemeral indicators of compromise. I get bad hash, bad domain, bad IP address. And when you start to break down the process for that, there's a reason why that is. And I'm not criticizing EDRs and AVs and MDRs and all of that. There's a reason why we are in the ecosystem that feeds the Groundhog Day we're in in cybersecurity. I learned yesterday to get through today and rediscover tomorrow. And so when you look at what it takes to produce that indicator of compromise that's machine-readable, which is where customers love it because I don't have to think about it to automatically employ it in my environment.

Well, neither does the attacker. Six months ago an analyst picked up something, correlated it to multiple campaigns, determined that that is in fact a positive signal. There's not a false positive in here. And so that's six months of work to get to that point to then be the table stakes for Groundhog Day. Any EDR could be put into a configuration setting that would stop any attack. Your computer just wouldn't be usable. And that's the hard part. I get asked all the time, which vendor do I like? And what I would say is there's two qualities to choosing a vendor. The first, trust, whatever I think I'm being sold, whatever I am being sold, and I actually think most salespeople are not trying to screw you. Most salespeople are really trying to do a win for you.

They just don't necessarily know everything and they don't know your environment. And so assuming that we take the bad apples out and the trust part is the salesperson makes the sale, it's mostly what I think it is and there's going to be something that isn't what I need it to be. Can I trust that that vendor will be there to help me when that happens? Then the second part is the part I never see anybody talk about. You have to invest in making that technology yours. Your security, in its particular moment, is literally a unique snowflake. There is no other organization that has your exact mix of people and technology and requirements at that moment. And it's always changing. And so if you can't invest to make a tool yours, well there's a reason that 75% of tools are either not installed or improperly configured because you haven't invested to make it yours.

And that's what you need to do. And that interestingly, or ironically, is what I found myself starting from offensive security, and now is mostly what I do with SCYTHE. That's essentially all we do. Security is defined by the threat and the assurance and the tuning, the detection engineering, the making the tool yours, is being able to drive a functional signal reliably at scale through an environment, so you can tailor all of your components around that. And it's not just the technical components because when you break that down into it starts with visibility. Visibility is can I see something on a host? Can I see something on a network?

Then can I have proper alerting where that goes to somewhere? Does my SIEM actually collect that stuff? Then we get to the human part of response, which is where does an alert happen to a person? And that's where we have dwell time to detection time to the actual human response. And the response is am I resourced properly? Are we trained properly? Are the tools even correlated correctly to our people? If you're not looking at that stuff, you're missing how you're actually defending yourself because you're doing it wrong.

Joseph Carson:

Absolutely. And that's where you're really getting into a point where I couldn't agree more is that you're moving from a static security approach where you're just basically hoping that everything you put in place today is going to protect everything tomorrow, and you're moving to much more if you start doing more interoperability. And, to your point, you don't invest in products, you invest in basically solutions. And that doesn't mean just putting something in software in place and hoping that it's going to catch everything. You actually have to invest in people, you have to invest in actually making sure that you understand how it applies to your business, and connecting them together to your existing sensors and existing information logs and SIEMs and so forth.

So I will say it's almost like when you get into it, interoperability is a key important, but getting towards security is almost like an orchestra, a symphony, all working together, all basically in tune and you've got a conductor who understands what's happening and what's coming, and ultimately getting to the point where it becomes more dynamic, more adaptive, it's flexible. It's almost like a living organism in the business and you can tune it as your business changes and as the threats change. So we really got to get away from the static approach, hoping that, to your point, by putting an AV in place or an EDR and just leaving it and hoping that the default configuration to protect your business is not going to happen. We talk a lot about security by design, but unfortunately we don't have security by default and a lot of those solutions put in place.

A lot of the really cool stuff is turned off, because, to your point, it makes the devices become unusable because when you put too much on, the user can't do the things that they need to do in order to do their job. So a lot of times it's off, and you have to practically go and understand about what those things do, what those configurations enable, and how to get the right balance, how to fine tune it. So I couldn't agree more, it's not just putting a product in place, it's investing in ideas, it's investing in resiliency of your business, because ultimately that's the measurement that we should be looking at. How resilient are we making an organization that when disaster does happen you can continue and survive post incident?

Bryson Bort:

Yeah, that's where I'm hoping this all goes and I haven't seen really any organization get there yet, but controls validation is part of GRC and so it's existential, but we know that's not security. So being able to simplify and make that more efficient to do that, that's great. But where security comes in is the time aspect of this because there's a direct correlation to dwell time and activity for a threat and the impact on your business. Direct correlation. The longer they're there, the more they get to do, the more bad things are going to happen. It's very intuitive, but nobody is focusing and nobody can measure on that time. That's one of the differentiations we see in our tool is we can do that, but most folks aren't there yet from a maturity perspective. Because tools don't solve problems, tools help bridge divides.

Joseph Carson:

Correct.

Bryson Bort:

You can't just point, oh problem solved. That's not going to work. You have to have the maturity, the process, the commitment to saying this is how we're going to use it in this thing. And here's the neatest part that I think really it's funny. So I came up with this idea back in 2017 and I was told do not say that out loud because no one's ever going to buy it because of that. And it's the fact that you can be courageous enough to actually cut tools out of your portfolio.

Joseph Carson:

Absolutely.

Bryson Bort:

No, it's not absolutely. Nobody does that because no CISO is incentivized to cut. I get forced to cut, but there is no way I'm going to my company and going, you know what? I figured out how to save 13% on my budget because we don't need these tools because I know we don't need these tools. Instead, a breach happens. Well, that tool would've caught it. You're fired. So the courage to do that means you better have the data to drive that piece. I was told back when I realized my tool could do that, do not lead with that.

But I think now with things like several banks failing in the United States to all of the economic uncertainty in the tech world in the last year, and we've started to see yet another one of the hiccups before, of course, I'm sure we'll J curve again before another hiccup that money is not forever. It does not grow on trees. So we do have to behave like the rest of the business that we look so hard to do. Why can't we have metrics like finance? Well we're still trying to figure that out. Why can't we actually be intelligent about our spend? Well we're still trying to figure that out. We can be. We can do that. We can be equals with the business.

Joseph Carson:

No, I completely agree. I think I've seen it in some instances. It's not common, it's not frequent. I have seen some CISOs and security leaders looking, even my job, years ago in the data center, was infrastructure tools. My job was to reduce the tool set as much as I possibly can to consolidate, to remove things that were not adding value or to find other ways of doing things. So that was one of my roles and that was a complicated time when HP acquired Compaq, we incurred a lot of duplication of tools. So to go through and try to find what was the way forward, you're absolutely right that not all organizations are taking that approach.

They're not looking at can I get rid of firewalls or can I go and reduce VPNs and use something else? They're always accumulating and not really looking at what is that continuous value. And I learned, actually, one of the valuable lessons here in Estonia was they actually put in a seven-year life cycle. All systems had to be reviewed every seven years in order to be reevaluated whether they have continuous purpose and value. I think businesses should always take that same, maybe seven years is a bit long. Maybe they can do it shorter for businesses. That's a government to do that, is more complicated. But I find that absolutely you always have to question what the value is and is there a better way of doing things.

I have seen some organizations being brave enough to go and take that step to the point where, you know, you can use your personal device, but we'll find a way in order to provide the same security level without actually having AV running on it and looking at different where the protection starts and stops. So I think it's a progression. I do agree with you that we do have to start making those harder decisions to consolidate, because I think one of the things is the more tools you have, the less effective you become, the less efficiency or the more challenging it is to get visibility. How many resources do we need to be able to even maintain those?

Bryson Bort:

That's great investment that ties into I have to invest. The more things I have to maintain, the more I have to invest. But I think it's that second part, the maintenance that I really take the other talking heads to task on. Oh, just segment. Problem solved. Oh, zero trust. No problem. The maintenance of those things is what's so hard about them. Zero trust, great idea. Completely agree with it. I take an assume compromise and assume breach perspective. Zero trust says take assume breach and apply it everywhere. You're right. Absolutely. It's why I always win. But when you look at the configuration management to set it up at the level of users, assets and data, okay, and again, a tool can't solve that for me, a tool can make it easier. But that's what's so hard about these things. Same thing with segmentation. It's like, well I have to do it in such a way that I'm not breaking operations and then I have to maintain it.

Joseph Carson:

The maintenance is the biggest overhead in security is just keeping the lights on. And that's something, when you look back-

Bryson Bort:

Nobody wants to say that. Nobody wants to admit that.

Joseph Carson:

Even back years ago we used to look at, I think it was 20% was the actual cost of the product, 80% was the cost to basically implement and maintain it. A lot of that, the difference is sometimes historically it came out of capital and operational expenditure. So it was very different financial buckets, and that's why some organizations were probably able to get away with it because the capital expenditure, products were going in there, operational was over here. But now as more organizations move into more SaaS and subscription-based, that maintenance is coming a lot more to the visibility because it's all coming out of the same bucket now. It's all accumulating and you're getting much more central visibility.

So I think absolutely is that we have to start looking at that. The cost of security cannot be more than the profit of the business. And we have to get into the point where it's all about what's the business willing to accept? What's the risk they're willing to accept? And of course they can offset it with insurance, they can offset it with people, they can offset it with segregation, they can offset it with financial coverage, cyber captives, whatever it might be. But ultimately it's about finding the right balance.

Bryson Bort:

Yes.

Joseph Carson:

Any final words of wisdom? What would organizations be the first step they should take? Or what should people on the episode listening in, what's some of the things that they can do right now that would get them on the path to consolidation, to take in those brave steps, to really take in the hard decision and the tough decisions sometimes?

Bryson Bort:

Yeah, so configuration management is 80% of security. So okay, great. Thanks, that's helpful. I'm still not going to get a CMDB. Brilliant idea. Also segment and zero trust. Thank you for being the talking head that you just criticized. But here's what you can do that's a lower lift. So Sounil Yu, he just published a book last year called the Cyber Defense Matrix. And in 2017 at RSA he released the concept as a talk. And what he did is he took the five phases of the NIST CSF, identify, what do I got? Protect, how do I prevent access? Detect, respond and recover. And then he mapped them on the Y axis to the different categories of assets and users. And what you should do, as a security organization, is just take the five, 10 minute paper exercise of going, what do I got against what works in these spaces?

Immediately you'll identify overlap, and you identify if you have a gap. Then the second part is operational visibility. So that's telling me what I got, what's the structure, now operational visibility. What is my visibility on what's there and what's happening there? And this is where it's hard for security because what an attacker does is masquerade like normal things. I try to look like a normal user on a normal host doing normal traffic. I don't jump in and bring some 007 triple encoded protocol because that's going to stick out. That's not what you've used. I use what you got. And so visibility is driving that functional signal in that space to go, what's my visibility on what I've got against what that might look like, and where I see people failing in doing that? So I always start with free. Atomic Red Team has built a great free tool, but here's what you're missing.

So you've heard MITRE ATT&CK, Joe, I'm surprised you didn't make us say it earlier because I'm pretty sure we get fined by MITRE if we don't say it, is how MITRE ATT&CK is being abused on this concept. Okay. MITRE ATT&CK is like a periodic table of elements that describes all of the physical world that could exist for attacks. Now that's not completely true because there are attacks and techniques that aren't in it, but just as a concept, that's what it is. And what Atomic Red Team does, which is a good starting point, but this is where it's being abused, not necessarily Atomic Red Team, but the idea of how MITRE is being abused is it's a periodic table of elements, I'm testing hydrogen and then I'm testing oxygen.

Well, you're going to build very simple controls if you test that way. And the problem is the attack shows up as water because it's a chemical equation. I didn't do hydrogen as an attacker because I just thought it was fun to steal credentials, I stole credentials because I'm this user at this asset at this time, and I'm going to use those credentials to inform the next step. That's water. That's the level of complexity I need to be driving in my environment. Whereas if I'm just doing these individual checklists, yeah, it's a great starting point of visibility, but you're going to quickly outgrow it and then don't be surprised when you get wet when a breach happens.

Joseph Carson:

So it is so fantastic hearing you saying that because, for me, when I was doing incident response, it's always finding, it's like a puzzle, it's like a complete jigsaw puzzle. And the attackers basically, they will segment, they change their path, they will augment, they will try to look at what other things they can capture in order to stay hidden, stay stealthy. And, to your point is that you shouldn't be looking at the MITRE ATT&CK framework as basically a checkbox of things like we've done with other types of controls and compliance. It's about understanding about what is the path and how does it all connect and interlink. How is it all associated? Just like we talked about earlier with security solutions, the interoperability, but the attack path is also the same approach. It's about if I have access to one thing, where can it lead to?

And I think one of the things that's missing, the idea, is the different paths you can go along that attack framework. If I'm here on this piece of the table, where can this take me to, and where are the possible places I could have come from to get here? And I think that'll be a great way to really bring it together to show the evolution, have it not just as a map, but actually as a journey. What do those different journeys look like? So maybe we're not going to solve everything today, but we've definitely given the MITRE ATT&CK framework some food for thought for the next revision.

Bryson Bort:

Well, you can ride a mule on your journey or you can ride a unicorn.

Joseph Carson:

Exactly. I think that's a great way to bring us to a close today. I would rather be riding a unicorn rather than actually taking a mule, because to be honest, the unicorn will be taking you, the mule, you'll be dragging it. It will not want to go where you're going. But it's been fantastic having you on, and definitely the final thoughts and wisdom. I think definitely the audience will get a lot of great ideas of where they can start and take a look, and even maybe redefine some of the things they've been doing historically to the point where they can really make significant improvements. So Bryson, it's always fantastic having you on. I can't wait for the next time we catch up. And definitely we should make sure that it's not too long. And we forgot the selfie the last time. That was the one thing that we didn't do.

Bryson Bort:

We did forget the selfie. Yes. I really love taking selfies with everybody that I become friends with because it's fun years later being able to reference these pictures. It's cool.

Joseph Carson:

Absolutely. And as we get older and grayer we can always look back at those youthful days.

Bryson Bort:

Speak for yourself?

Joseph Carson:

Your beard has a little gray.

Bryson Bort:

Oh yeah. My beard is completely gray and white. Cyber Gandalf. Cyber Gandalf. Absolutely.

Joseph Carson:

That's your new nickname, the Gandalf rather than Grimm.

Bryson Bort:

Well, the Cyber Gandalf was that character. Until I grow a beard again, I'm just Bryson.

Joseph Carson:

Fantastic. So I'm looking forward to catching up again in the near future. We'll have to have something because I know you're a big foodie, so we'll definitely have something good to eat. And again, many thanks for joining me today. I'm pretty sure the guests have had such a valuable amount of information. You are a knowledgeable person. Every time I speak to you, I learn something new. I become more knowledgeable after. And that's the whole purpose, to be honest, with these podcasts, is that it's not just for me to bring in guests and share knowledge, but also it's a great way for us to connect and to share knowledge and for me to gain knowledge as well, to talk to great people, great minds and great friends. So thank you for coming on and hopefully we'll see each other again soon. And so for the audience again, hopefully this has been valuable. What ways can people connect with you before we leave?

Bryson Bort:

I'm very easy to find. Bryson and Unicorn, but on Twitter I'm @brysonbort. I'm easy to find on LinkedIn. I don't think I'm shy or hard to find.

Joseph Carson:

Absolutely. Okay, I think we'll definitely make some links in the show notes for sure then, and make it easier for people. So again, thank you. For everyone, take care. This is the 401 Access Denied podcast. Tune in every two weeks, and everyone out there stay safe, take care, and have fun. So thank you very much. All the best.