January 11, 2021

The Cyber Rants Podcast

Episode 11 - Implementation Models

Zach, Lauro, and Mike welcome 2021 by diving into one of their favorite topics, Cybersecurity Implementation Models. They discuss the different ways companies build cybersecurity programs and considerations to find right method for your organization. Whether you're considering a DIY approach, hiring a cybersecurity firm, or getting a vCISO, this episode rants about the types of cybersecurity along with the pros and cons of each.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways

all to protect you from cyber security criminals and now here's your hosts mike rotondo zach fuller

and lauro chavez hello and welcome to the cyber rants podcast this is your co-host zach fuller

joined by mike rotondo and lauro chavez a lot of interesting things happening in the world won't go

too in-depth into that right now but needless to say it's a new year i think we have a lot to look

forward to i'm optimistic about it i know there's a lot of craziness especially in politics right

now but there's a lot of good things happening as well most of which the media doesn't cover

but with that said why don't we hand it over to mike rotondo for the news good day and welcome to

2021. here's the headlines some bad news for zyxel secret backdoor discovered inside of firewalls

and ap controllers and then the companion story hackers start exploiting the new backdoor in zyxel

devices apparently there was a hard-coded credential in there that was used for ftp um that

hackers are using to exploit zyxel's firewalls so if you got one patch it gen x pharmacy ransomware

attack resulted in a data breach gen x and i'm sure we've all seen those commercials our gen

rx i should say we've all seen those commercials they've been hacked some patient data was stolen

but they were able to fend it off pretty quickly hey remember ticketmaster guess what they did they

hacked a rival business hired an employee from another business and then used them to go ahead

and hack into that formal business so that's all cool they did get a 10 million dollar fine for it

paypal users targeted a new sms phishing campaign so if you're using paypal and you get an sms

be careful malware is using the wi-fi bssid for victim identification they're using this to

geo-locate you and give you an idea give them an idea of where you're actually at and then

tailoring muller for you i didn't want to do a whole lot of solar winds but there are two pieces

of solar winds i wanted to talk about today solar winds hit with a class action lawsuit following

orion bridge i think it's fair to say that solarwinds is going to be suited to oblivion at

some point here and it's uh too bad fbi assistant odni and nsa blame russia for the solar ones hack

uh that's gonna happen as well um so there'll be more investigations into that hopefully

major gaming companies hit with ransomware linked to apt-27 apt-27 is a chinese apt and apparently

they like playing video games most public sector victims refuse to pay ransomware games which is

actually really good news it found 86 percent of public sector respondents targeted with ransomware

refused to pay which yeah which is great news unfortunately non-public companies are paying

out at a much higher rate almost 69 so and lastly iot cybersecurity act successfully signed into law

uh this is gonna help the federal government from deal with vulnerable iot devices

uh as they go forward so that's the headlines for today and uh lauro anything you want to add well

welcome to 2021 right so as we go as we as we start from the bottom moving upward not a lot of

major vulnerabilities to be patching for this last week just a lot of gentoo linux oracle is still

having some issues so if you're running the world to check that if you're running gen2 linux check

that if if also if you're running wordpress there's a new shell upload that's just been

published as a working exploit i think it probably it's probably good to go ahead and make sure that

you don't have the wp discuss plug-in running and that's that's the plug-in to

do discussion board type stuff the version 7.04 is vulnerable and previous is vulnerable to this

to the shell upload uh which is um pretty serious and then you're gonna get your uh you're gonna get

the rest of the server compromised uh just by that one wordpress shell upload so if you got wordpress

make sure you look at that and uh that's that's about it hope everybody had a great holiday season

what are we talking about today zach take it back today we have one of my favorite topics which is

implementation models around cyber security and so let me back up a little bit and talk about

why that matters we get a lot of companies that will reach out especially business to business

technology companies software as a service system integrators companies like that they're emerging

and mid-market companies are growing things are going well they're getting new clients

have good revenue coming in and then all sudden boom they hit this cyber security growth ceiling

i call it and what that is is when eventually they start to get the point where they're trying

to land more and more large enterprise contracts they're going after the fortune 500 fortune 1000

companies and they got a big fish on the line there's their sales people are all

spun up and and excited ready to go and there's this million-dollar contract sitting out there

and then comes the cyber security questionnaire from that prospect right it's something that

they're not prepared to answer could be 100 150 detailed questions about their cyber security

practice and it's at that point they realize wait we've never actually formalized a cyber security

program i mean yeah we have firewalls we do some patching here and there and that sort of thing

but we don't actually have a formal program in place so what do we do now and so they come to us

start to ask or or other certainly other other companies all over the country right

cyber security service providers and they try to figure this out right the first thing is

that they're kind of in this infinite sea of options right there's a lot of hype in the

cyber security industry right now there's a lot of there are a lot of people selling snake oil

and there's a lot of good stuff too but for the people that don't have a background in

it how do they weed through this kind of mess of stuff that's available out there

so today we'll talk about the different models when it comes to building a cyber security program

what are your real options right the first obvious one place where a lot of organizations especially

the the small organizations start is the diy model right the do-it-yourself uh there are a lot more

there are a lot of platforms and things coming up that are making this a little bit more realistic

for companies and and some companies that's their only choice right if you have three or five people

in an office and you need to need to get there and build build something a lot of times you got

to get down and just do it yourself may not have the the money and resources to know how to find

the right people to bring to do it so a lot of a lot of people go after the do it yourself approach

and there are certainly pros to that right you could save you potentially save money but the

problem is what's your time worth right if you're building your security program uh what what's your

time worth but a lot of times it's better to do this and start here than just do nothing all right

so a lot of people end up doing a little bit up front the do-it-yourself model and then eventually

bring somebody in because it does take your your team's approach from from the their core business

activities into trying to figure out cyber security which is probably not their their issues

so i wanted to cover that part first just get that out of the way the do-it-yourself model i think is

pretty obvious but the next comes into the hiring in-house security professionals i know mike and

lauro you both wrote a lot and spoke a lot about bringing people in-house um certainly beneficial

and i think every company should try but what are your thoughts what are the struggles companies are

are running into when it comes to that approach but if they're going to bring people in house how

should they go about doing that well the number one challenge with that is simply scarcity of

resources i mean finding a cyber security resource that would be one to come to a small shop full

time is going to be minimal because and the other thing is are you going to be able to find someone

who is senior or who knows the strategy but is also willing to most likely in a small shop have

to shoulder the burden be it assist with the network assist with the servers assist with you

know do the end work that they they're going to need to augment and most small companies aren't

going to be able to do that so scarcity and then you know finding that actual resource and finding

someone with an actual skill set that will satisfy that but when you do find that person i mean

they can be great they have to be supported but they have to be paid as well and that's the other

challenge that small businesses find i mean we see that all the time right yeah absolutely

it's i i think there's nothing nothing can truly replace having somebody in-house but

chances are most companies aren't going to be that jack be able to find the jack-of-all-trades the

the kind of savant genius that can do everything yeah i know i completely agree with what what

mike's saying and you know the other challenge is you know knowing your environment and so

in the case of the small business it's like you know you've got budget for one person

you know are you gonna be able to get like like what you know mike and zach are talking

about one individual that's gonna be able to to juggle all of the cyber security tasks and

actually want to do it when they know most of the time he or she will know that they can go

to a large organization and play as a member of a larger team and then not have to shoulder such a

burden right in a more organized organization that may be more of attractive to them than

maybe making you know 10 or 15 grand more having to shoulder the majority of the work at a small

organization because they just don't they don't have the support and then that may be a question

you know also for for the security professionals out there you know is that something you wanted

to do because there's certainly a lot of organizations out there that could benefit

from a jack of all trades that you know wants to come in and and manage that program and the

organization is you know the size that's adequate and with the technology that is simplistic enough

yet mature enough to warrant defense and depth and be able to to sustain a model in such with

one human or two humans involved in the majority of the cyber security work it's certainly possible

especially with the tools and technologies we have today but the mindset from the individual

is gonna be right and that's gonna be something they really wanna do because some organizations

don't realize the amount of work and the amount of burden that it's going to take especially if

you're not going to support the individual they're going to realize that it's it's a

more common talked about topic i think these days that cyber security professionals don't sometimes

get the support from leadership internal that they need uh especially to be successful at their job

so they they'll understand that's a fact and they may ask you the interview process

like do we do we have a budget dedicated for this and you know i expected to get

extra help in a certain amount of time i'm going to be able to hire a team in the next year

what is the vision of cyber security if the question doesn't get answered you might not

know that you may lose a talented individual because they realize they may be getting um

you know set up to kind of walk off into the off the end of the dock if you will yeah absolutely

another consideration for this particular model of bringing an in-house security professional

or or multiple security professionals first i would certainly encourage it right nothing

nothing beats the human element boots on the ground right so that's with that said

it's not always the right option for for every organization but organizations that are a little

bit larger more sophisticated maybe have uh maybe have an i.t team of of seven to 12 or 15 people

they might not have a security professional in the house well in the interim at least

chances are one of those it professionals maybe have been maybe some background in security or

has been studying security or wants to make that transition so that may be that may be another

approach we've certainly seen that done in uh with client organizations that we serve successfully

and that way you already have somebody that has experience with the organization

but now you get to kind of pull them off and and start allowing them to work on building

the security practice now just keep in mind the main thing with that if you go with that approach

you're still going to need outside help so when it comes if you're thinking about budgeting and that

sort of thing you're still going to need people to come in and do the third party risk assessments

and penetration testing evaluations they're going to need to fill in the gaps where that particular

professional that maybe you pulled from the it team or maybe a newer security professional

that you hired can't handle uh internally they just they just can't do they they don't

not necessarily just because they don't have have the skill set or tools but but also some of those

things you you need to have a third party do to make it really valid and hold weight like

penetration testing audits that sort of thing so when you're when you're thinking about budget

if you're going to br do the in-house approach just keep in mind that there's going to be an

additional side needed to that and and more than just hiring the person which brings us to the

next kind of the next model that people follow right which is that that managed

service provider or managed security service provider so mssp or msp approach that people

that people take and so they're like anything pros and cons msps can be tremendously valuable

for a lot of organizations and offload a lot of the burdens but i would go ahead and say that

it's not necessarily a full solution most time at least from what we've seen

in the marketplace you guys seen anything or have any examples you want to share

if not i'll dive right into kind of some of the pros and cons that i i know right off the bat when

it comes to msps so one of the downsides right we'll start i guess we'll start with that is that

when you have a truly a third party an msp or mssp generally the you have to look at the business

model right what what is that what is their their business model look like well more often than not

and there there are certainly exceptions out there there's good ones and bad ones just like every

in every industry in every business but generally as a rule of thumb most msps and mssps are focused

on reselling products and tools and the services side is more of a management of the outputs of

those from a remote sock or something like that from their their office location with their team

right so when you when you look at that what the tools really consist of it's not so much the it's

not so much a holistic security program right it's great to have tools and technologies but they're

certainly not everything you still need the human element somebody still needs to go through

and actually build out the security program formalize it with all the corporate governance

and and whatnot to make it actually hold right because tools and technologies are not we i won't

beat a dead horse because we've talked about that a lot on previous episodes but the uh one

of the pros of course is that they have a lot more uh resources available that they're using

on a on a wide scale across multiple clients so generally you can get in and you can get something

done a little bit more in a more cost effective manner than you can with trying to build out those

capabilities on your own so i think there's a good blend there as far as mssps or msps with

in-house or other out outside third parties right it's not kind of one or the other

i i would i would think you'd be hard-pressed to find somebody that's really going to just

do all the cyber security for you it just doesn't work that way

ah normally not and also the thing to consider when you're using mssp services like security

operations center or sim as they're calling it these days right and then incident monitoring

and management you've got to ensure that that business model as zach was talking about a sound

because you're going to be sending all of your logs and kind of sensitive information about your

technologies to that organization in order for them to triage that data like they have to know

a lot about you and you also have to understand how is that data being stored on their end

um is it you know obviously probably going to be a multi-tenant environment how do we ensure that

that organization doesn't get breached because it would give a lot of information to an attacker

so it's just one of those risks you have to throw in when you're looking at outsourcing some of the

services what specific services mean the most to you and what specific services also present risk

as well as reward because there there is a lot of reward to that event incident management response

uh but it doesn't come free there is a level of risk that you have to accept in order to to have

a mature service in that particular aspect when you're looking at risk too a lot of a lot of the

to kind of move into the next approach that people so let me comment real quick just keep in mind

that um you can never wholly transfer risk right you have to continue to accept risk regardless of

whether you transfer a third parties manager or not you still own that risk to a certain extent

maybe a lesser degree but you still own the risk absolutely yeah because you made the decision to

outsource right right i can't tell how many times we deal with people that are like what's in the

cloud it's fine it's like no it's not i mean cloud's great security and cloud can be great

but that doesn't mean you've offloaded all of your risk and all your concerns to the cloud you

still have your own piece that you want i i hope that paradigm of thinking is starting to sunset

but yeah you're initially that was the every every leader in the in the world thought that that was

the acceptable move was to transfer risk to the cloud technologies yeah they're they they don't

seem to think that their their customers gave their that company their data they don't care if

that company's cloud service got breached or not their data's still exposed they're going to blame

you know who they trusted with their data so yeah that's going to be that's what it's all

cloud is just somebody else's computer that's right that's right well another option of course

is the virtual cso or cso as a service goes by different names and that's become very common

in the industry you see a lot of people that are are security professionals from

you know maybe maybe they're retired or maybe they've started their own consulting practice and

they do the virtual cso approach which i think can be a good thing for a lot of companies and uh it's

important though to understand the limitations right because again as we talk through each of

these we want people to understand that there are there's there's not necessarily a right answer it

depends on the company but there are limitations to each so that when you're thinking about this

think about it from a more holistic perspective right and understand where one organization

or one company one vendor cuts off and you have to fill in a gap with another right so

virtual cso is great they're going to come in give you time and support to mostly around

strategy for the the organization figuring out a framework and that sort of thing to get aligned to

they might do some some high-level gap analysis against those frameworks maybe uh compliance

work to help you get aligned with compliance maybe even some some of the uh the corporate governance

side of it but where the where the limitation what most companies run into is that they're

they're most of your your vcso type services are going to be structured in a way that is

set up to basically tell you what needs to happen and then you need to make it happen right so a lot

of the hands-on technical work and the the support that a lot of mid-market organizations need that

they don't necessarily have resources for in-house are are a lot of times not covered for a virtual

by a virtual cso by themselves now a vc so should have different vendors right for for these

different areas to cover down on what they can't do themselves but again back to budgeting back to

planning take that into consideration when you're out there you're looking at different

organizations to work with different services and such make sure that you're you're looking

at it holistically not just hey they're going to charge me this much and everything is going to be

good across the board all right make sure they're they're filling in the gaps and telling you what

they're not going to cover what else you're you're going to likely need in order to have a

a security program any other comments on vc so well yeah i mean the other

you know all good stuff zach and you know i think the other thing to mention is that they

they're not empowered to make change um you know i can't stress that enough

um you know they they're gonna you know if they if they conduct a gap assessment

and they create a roadmap and they've got a list of action items that need to be

conducted in order to close those gaps and maintain a more compliant state with the framework

they can't they can't conduct those activities those activities may include something that

you need a technology for right like centralized logging or vulnerability scanning

um they can't just set up a scanner in their garage and scan you right it's going to have

to be a service you purchase so there's going to be certain orders stand up yourself right there

there's going to be certain activities that are going to be coming out of that report that the vc

so is going to say okay here's your list of action items let me know when you've got some stuff done

number two that vc doesn't mean be security engineer but in the seat

yeah v for everybody out there wondering it's virtual so i mean it's very important to make sure

that that's defined and and not the expectation of well because vc so he's here sitting with me

yeah yeah so but no i mean it's also it's not a cso it's not a security engineer he's not

going to be he's not going to be monitoring things for you he's not going to be you know

that all could be negotiated but the expectation has to be set properly

with whoever you choose as a vendor i need my viso and vc so in the corner office

monitoring logs yeah right yeah i mean that but we've seen that right i mean

the expectation is oh well it's you know you've recommended these architectural changes you're

going to go ahead and implement them right and it's like no we that's not what we do you know so

great so you're the vc so now so we'll see you uh five days a week for lunch

yeah all right exactly on zoom the final model i'll talk about maybe maybe some others will

come to mind but really the the primary one is really a combination of both now this

this talk about it from a lens a little bit larger more sophisticated organizations that

maybe have a couple a couple security people in maybe they're they're new

security professionals and they're handling some of the fundamental activities but again

the organization still lacks a formalized cyber security program we call this a partnered security

service provider model or pssp that's kind of our own term that we coined but there

are different ways to go about doing it there's other some organizations offer staff augmentation

different levels of support needless to say it's basically a combination to of having your in-house

professionals uh at a minimum and i t team but but maybe a few security professionals and then

having a third party come in either remote or or even maybe on site on occasion to help build

out the program and mature the program and really make sure that you have that going uh that is it's

important to realize it's not the same as like it's not truly the same as staff augmentation

and that these people are maybe in and out even if they're inside or in on-site at all but it it can

certainly help to augment bits and pieces with with people again i think the common element

here is is the human element right it's not about plugging more technologies in buying more stuff

it's about putting those resources toward the right people with the right expertise

to to cover your security posture another another thing that we'll touch on briefly today

is the age-old question of oh well we have an i.t company can't they just do our cyber security

right so i don't know you guys want to comment on that as well but uh it's it's very very

prevalent especially in the uh small business world which in many small business cases that

um yes a lot of times their it companies will handle some some level of cyber security whether

they build a formalized program or not um i'd say that's more of the exception rather than the rule

but that can be a a option for small business now as soon as they start

to get into kind of mid-market emerging a little bit more sophisticated organizations

and that they need to answer what going back to the earlier point about these sophisticated

cyber security questionnaires coming down and requirements like sock 2 audits and such generally

your your i.t company is not going to do that you're going to need to have specialists to make

that happen totally the i mean you know to answer that question right i think we said it earlier on

everybody's part of cyber security all right everybody at the company is part of cyber

security so if you if you don't have a cyber security uh leader in your organization and you

may have a very smart person or working in network or in you know software engineering or

you know even in even in you know the server workstation area that really just has a knack

for the stuff promote them or promote yourself you know take leadership because again doing

something's better than doing nothing if you know what needs to be done and no one else is doing it

just take responsibility and do it again it's everybody's job right everybody's gonna play a

role in the organization the organization simply just needs a leader set now that's not gonna

tell you you're gonna get money for anything but documents are free right creating process is free

creating an organized method of understanding what risks are there that's all free that's stuff that

you can just do um so if you're one of those individuals um that has that capability then

i encourage you i think we all would encourage you to you know stand up in the organization and

go forth and create and fight the good fight now for reaching into the organization for

somebody to lead or telling i.t to to conduct to those types of services i t needs to a either go

back to what i first said and identify an individual that's strong in that area set

or again i think that's why the the pssp model was kind of coined by us because i think that

that partnership of expertise coaching creates a paradigm in the organization where

you don't have a com you don't have a firm that just comes in and does a job and leaves

you have a firm that comes in and instills some form of practice and procedures and training

for the individuals to then carry on that long after the organization is is the third party is

now gone and and working with other organizations there's valuable data and and roles and process

that are left behind for the organization to still live off of if you will right that mentality of

teaching teaching someone the fishing act as opposed to just hanging out the fish

i think the main thing too for organizations that are looking for outside help the main thing to

your point lauro is your service provider should never function in a bubble and unfortunately

that's that's too common in our industry your service provider should be like an extension of

your organization almost like part of your team yeah they may not transfer parents yes but yeah

it's go goes to that that train the trainer model right they should be empowering your organization

internally to uh get better and better at building out those that those defense and depth measures

right every level of the organization they should be working with your executive team

talking with the board they should be educating them on areas that they don't know why cyber

security is important what the real risks are to the company and at the technical level too

helping people understand okay why do we do this why do we look at security the way we do why is

this important right so that everybody has buy-in and that's going to be a good service provider

for you if they say okay yeah we're just going to take care of this we'll call you next month

that's probably not the right approach well and then going back to what you were saying

it's important to educate people on why cyber security is important the old adage of well i

don't have anything anybody want to steal or you know those kind of things that we still run across

yeah we're too small we don't have anybody want to steal we're you know what

we're just one location how are they going to find us blah blah blah blah

what they don't understand is that you know you have people out there just like that zyxel article

they're just scanning they're just looking for the ssh and then they're trying to brute

force it or they're looking for a specific vulnerability it's spray and prey and that's

how they're finding victims and if you're out there and you're on the internet i mean that's

why it's so important to educate and have someone who's dedicated to cyber security or at least

cyber security aware inside your organization and then augmented by someone who does know

cyber security uh just to ensure the safety i told my neighbor the other day that they need to treat

all their technologies connected to the internet of everything as if you look out your door once a

day and you know that the robber is going to walk down the street to see who's home and who's not

yeah yeah that's good good point well said well a quick recap there's really there's no right

answer for every organization right we talked about some of the pros and cons of the different

models and the different ways people go about building a cyber security program

fact of the matter is it takes people to do it and it takes time and resources unfortunately

there's no there's no way around that but nothing really beats the human element boots on the ground

and it's also important to know that nothing truly offloads risk like you were you're talking

about mike is not there there's no organization there's no company that's just going to basically

uh do everything and even if they even if they were able to it still doesn't offload right

the risk is still yours as an organization so fact of the matter is you need to build out a a

formalized cyber security program it's probably going to take multiple resources to do that but

the first at least my advice would be the first order of business is to find if you don't have

a good clear understanding of what it takes to do that find somebody who does find an organization

or service provider somebody that can that truly understands how to build a formalized

security program not just plug-in tools not just cover bits and pieces or just do the strategy

what not but actually the the the spectrum of both strategy and technical knowing that

okay your i.t people are also going to be involved you may or may not need additional tools or

technologies depending on what what you have today but there are additional aspects even if you get

even if you get both strategic and technical help so hope this i hope this supports you in your

endeavors and we thank you for listening join us next time take it easy we'll see out there

take care good luck happy hunting

Episode 11 - Implementation Models

Send Us Your Questions & Rants!