Faster Than Human
Anthropic’s Project Glasswing used a restricted AI model to surface over ten thousand high-severity vulnerabilities across more than a thousand open-source projects. The 2026 Verizon DBIR tells us vulnerability exploitation just became the number one initial access vector for breaches—up 55% in a single year. Only 26% of critical vulnerabilities were fully remediated last year, down from 38% the year before. Median time to resolution: 43 days, up from 32. That was the pre-Glasswing baseline—before AI-scale discovery even entered the equation. Tim Chase, Program Director at MFG-ISAC, and Brian Geffert, VP of Cyber Defense at 3M and former Global CISO at KPMG International, join Matt Calligan to confront what this means for an industry that has heavy OT interconnection, no regulatory floor equivalent to NERC CIP, and a security culture that has outsourced too much to tools that are now becoming the attack surface themselves.
- The trend lines are all going in the wrong direction—and Glasswing makes it worse. CVE volume has grown like a hockey stick since the program began. The 2026 DBIR shows remediation rates falling and time-to-resolution rising. That was before AI-scale discovery. Mythos is not magic—it is roughly a 15–20% improvement over prior models—but it finds vulnerabilities faster than humans and can write custom exploit code. When that capability proliferates, the discovery edge effectively disappears. The question shifts from who found the bugs to who can act on them fastest.
- You cannot fix every vulnerability. Prioritization is the only answer. The game is no longer patch everything. It is: which vulnerabilities do you hit first, which attack paths do you close, and which risks do you deliberately accept? You want to fight on the ground you choose—not the ground the adversary chooses. Prioritization is not a workaround; it is the strategy.
- Visibility is a precondition for speed—at both the technical and business level. You need to know where vulnerabilities are, what is exploitable, and what matters to the business. But you also need to translate that into something decision-makers can act on. Security has to speak business terms: downtime, shipping delays, production chokepoints. If leadership cannot understand the risk in business terms, they cannot make decisions at speed.
- Manufacturing is uniquely exposed—and uniquely unregulated. Manufacturing has both IT and OT environments, legacy technology, and heavy interconnection. Unlike energy, there is no NERC CIP equivalent to set a regulatory floor. The controls that exist are driven by economics—margin, shipping, production—not compliance. That means executive leadership is often making decisions without fully understanding the baskets of risk that exist.
- The edge is disappearing—and we are watching it happen. There was a meme of a raccoon washing cotton candy and watching it dissolve. That is what is happening to the perimeter. We struggled with security fundamentals, and tools came to the rescue—platforms that promised to secure the organization. But those platforms are software. When the tool that is supposed to be your perimeter becomes the entry point, you have a structural problem, not a vendor problem.
- We have outsourced security to tools instead of internalizing it as a practice. For a decade, we handed security to Palo Alto, Fortinet, identity platforms, and a stack of point solutions—and called it a program. The tools managed a process, but not by design. Now the tools themselves are the attack surface. Most organizations will succumb to a credential takeover and immediately expose their internal environment because the perimeter tools gave them cover without giving them security.
- Threat actors follow the path of least resistance—like electricity. Why attack OT directly when there is a Windows 7 laptop plugged into the network with autostart enabled? Why breach the plant floor when you can take down the ERP system that runs logistics? Colonial Pipeline all over again. Adversaries do not care how they accomplish their goal. They care that they accomplish it. Size of organization does not matter. Attack vectors matter.
- Resilience means assuming you are always operating in a compromised environment. Security people already believe this. The rest of the organization has to believe it too. Resilience takes a village. The shift is from point-in-time testing to continuous testing, from reaction to response. People need to know: when this happens, we do this. Where are the backups? How do we restore identities? How do we fail over and keep running?
- Ship self-defense: keep running while taking the hit. The analogy is a missile hitting a ship. The question is not how to prevent the missile—it is how to get the ship back to port afterward. That is what resilience looks like. Not just security people, but people who know how to keep equipment up, fail over and survive to fight another day. Those things have to be practiced all the time, not periodically.
- Risk tolerance needs to be pre-defined—not negotiated during an incident. One-off decisions bog everything down. What is your tolerance for this class of vulnerability? What is your tolerance in this segment of the network? Where are you willing to hold the line, and where are you willing to accept risk? Those decisions need to be made before the event, not improvised under pressure.
- “Never trust me—let me show you the data.” Brian does not want his leadership to trust him. He wants to show them the data behind what security is doing. Now that visibility exists—correlated data, the ability to quasi-exploit vulnerabilities internally—security can make the business case with evidence, not fear. FUD was how we did it in the early days. We are smarter now.
- Mid-market manufacturers need the basics—and the basics are often free or low-cost. For small organizations, moving to cloud is probably better than hosting locally with a small team. Essential controls: secure your LAN, secure your Wi-Fi, enable MFA everywhere you can. The largest firms can take automated feeds from the ISACs. The smallest firms need a PDF emailed to them. What we tell them is consistent; how we deliver it has to change.
- Large organizations want to lift the entire industry. Rising tide lifts all boats. For every 3M, there are tens of thousands of mom-and-pop manufacturers in the supply chain. The large firms set direction and best practices, but they also want their suppliers secure—because a compromise at a small supplier is still a compromise in the ecosystem. Size does not matter. Attack vectors matter.
- Threat actors are highly adaptive. Defenders are not. Threat actors fail fast and try anything. Defenders say “I’m going to block this, block this” and stay on defense. When you are on defense all the time, you get tired. You start to suck. We have to stop being on defense constantly. Our offense is deciding where to hold our ground and where to let them in—but contain them.
- Glasswing is just a number. The story is what we do with it. Ten thousand high-severity findings is not the headline. The headline is that it reveals assumptions underneath our security programs that need to be addressed at a cultural level. This is human work, not software work. The unsexy basics. Internalized at a programmatic and cultural level across organizations.
Navroop Mitter:
[00.00.03.21–00.00.32.00]
This is Navroop Mitter, founder of ArmorText. I’m delighted to welcome you to this episode of the Lock and Key Lounge, where we bring you the smartest minds from legal, government, tech, and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site and listen to them on your favorite streaming channels. Be sure to give us feedback.
Matt Calligan:
[00.00.32.02–00.00.53.10]
All right, welcome to the latest edition of the Lock and Key Lounge. I am Matt Calligan, Director of Growth Markets at ArmorText. And I have actually two guests with me today, which we don’t do too often, but I specifically wanted both of them in the room together here because there’s a problem that they’re looking at.
Matt:
[00.00.53.11–00.01.32.01]
Same problem, but two different perspectives on this. Not in a disagreement way, but two complementary perspectives and angles. And it presents a picture that doesn’t usually get held up and viewed from these perspectives at the same time. So the fundamental framework here is that about a month ago we saw Anthropic project Glasswing where it used this restricted AI model called Mythos to surface over 10,000 high-severity vulnerabilities across more than 1000, I think, open-source software projects.
Matt:
[00.01.32.01–00.01.57.16]
And that’s a pretty big number. It’s also a stress test on nearly every assumption a lot of industries have been making about vulnerability management, automation, what it means to even run a security program in 2026. Then we have the Verizon data breach report. It tells us that the exploitation of vulnerabilities has just become the number one access vector for breaches.
Matt:
[00.01.57.20–00.02.29.02]
It’s up 55% in a single year. And that’s before Mythos existed. So with me today are two people who’ve been living inside this problem from these different positions. Tim Chase is the program director for the MFG-ISAC at the Global Resilience Federation. He helps manufacturing organizations share threat intelligence on these topics and build this collective defense community to bolster the security posture of the entire industry and make it higher.
Matt:
[00.02.29.03–00.03.07.05]
Brian Geffert is the VP of Cyber Defense at 3M, the former global CISO at KPMG International, where he led security across about 120 member firms worldwide. And he is also a board member. And he’s been thinking hard about this. He has several perspectives of his own on this, which I think are really, really fascinating. So a lot of this is going to be walking into or reviewing how organizations lead, decide, even act when time is compressed, which is often what we’re operating in these kinds of cyber scenarios.
Matt:
[00.03.07.05–00.03.12.01]
So Brian, welcome to the show, Tim. Welcome back.
Brian Geffert:
[00.03.12.04–00.03.13.06]
Thank you. Thanks, Matt. Thanks for having us.
Matt:
[00.03.13.07–00.03.33.06]
Yeah, yeah. So I’ll give you I really do want to dive in quickly here, gentlemen. So let’s give a quick kind of give a quick a shape of things where we are today. And then we can just jump in I think I think Glasswing proved that this I guess we can call it AI scaled vulnerability discovery.
Matt:
[00.03.33.06–00.04.02.06]
Discovery is a real thing and it does work. The Verizon report proved that we’re already kind of behind the eight ball on the patch race, and that was before any of this automation. And you know, when you put them together, they’re really pointing at something I think a lot of folks aren’t saying plainly enough. And that’s there’s somewhat of a gap between the discovery and remediation and the and other components.
Matt:
[00.04.02.07–00.04.24.07]
Right. But the gap isn’t just a tool gap or a skill gap. There’s there’s some structural incongruities, right? It’s not a resource problem per se, as far as just while you just hire another human or get another piece of software for it. And there are two things really want to dig into with both of you. First is, you know what this looks like on the ground in manufacturing, right?
Matt:
[00.04.24.08–00.04.55.10]
This is a sector that’s heavy OT and IT interconnection some some legacy components in there. And most importantly there’s there’s really or I guess as important is there’s no NERC CIP right. There’s no there’s no TSA equivalent to really enforce the unsexy basics when it comes to security. The second is what it means for how for for organization to lead with with the right kind of culture.
Matt:
[00.04.55.10–00.05.22.17]
And Brian, your point is, is pretty sharp on this. You know, you’re if your security program is built on just trusting the tools but not verifying. Right. And your visibility doesn’t take into those effect into account. You’re really just looking at sort of the executive summary version of these, right. And the AI scaled kind of cyber attacks, they’re not just going to be exposing security gaps.
Matt:
[00.05.22.18–00.05.45.04]
There’s there’s leadership misses. Right. And areas that leadership can actually address that don’t need a new tool. And I think that’s I hope I summarize that well enough. But I really wanted to bring your perspective in on this pretty much here. So in to not delay this any further, I want to kick the first question off with some data here.
Matt:
[00.05.45.05–00.06.13.22]
Obviously the context matters. The 2026 Verizon report, you know, says the vulnerability exploitations really just became the top initial access vector for for a lot of breaches. It’s up 55% in a year. We’ve seen like 26% of the critical vulnerabilities even being fully remediated, which is down. And then the time to resolution has gone up right from 32 to 43 days.
Matt:
[00.06.13.22–00.06.33.12]
And this was before Glasswing. So before we even get into this AI scale discovery, we seem to be behind the eight ball on this. And this is kind of to both of you all. So Brian, I’ll let you kick this off. And then Tim for Brian what’s what is your read on this so far.
Brian:
[00.06.33.14–00.06.52.17]
My read on this is really clear. You know we’ve been dealing with vulnerabilities for the longest time. It goes at it. We’ve been dealing at them getting larger because of the more technology we’re using to execute against. We’re doing, you know, and that’s just the case of it. You know, particularly in manufacturing, you’re dealing with an OT side.
Brian:
[00.06.52.17–00.07.13.04]
They have a different patching base and how they do things. We’re dealing with information technology. We’re starting to do with how do we interconnect the to having more seamless from order to shipping to production to getting out and tracking, the more interconnected you become is again, those attack vectors are there. But there’s the pros and cons of that, right?
Brian:
[00.07.13.04–00.07.30.06]
You do the attack. You do that connection so that you can get better, reduce your margins, do that. So I think when when people you earlier about NERC CIP and these other things and many to me what drives us to do the right thing is margin. You know we’ve got to be able to ship. We’ve got to be able to get product out.
Brian:
[00.07.30.06–00.07.47.06]
We’ve got to get it in the hands. And so what you’re seeing though is that, you know, it’s tough to continue to move forward where you start dealing with legacy technology. You’re doing brand new technology and you’re driving at that. What really is the issue I think on most of this is, you know, the reports bring out that idea.
Brian:
[00.07.47.06–00.08.09.03]
It’s there, it’s going on. Right. How fast, though, can we start to bring the visibility, prioritize those to really go after what threat actors are trying to exploit right now? You can’t always fix every vulnerability across the environment, but which ones do you want to hit? Because in the essence, you want to drive threat actors to the ground.
Brian:
[00.08.09.03–00.08.24.14]
You want to fight on, not the ground they want to fight on. So really what this becomes is that effort of visibility, prior appropriate prioritization, right. And that remediation. And that to me is the game of speed right now.
Matt:
[00.08.24.16–00.08.31.03]
Yeah. Tim, from your perspective, how do you how do you find the signal in the noise at speed?
Tim Chase:
[00.08.31.03–00.08.48.12]
Well, luckily, unlike Brian, I don’t have to own the product. The problem at the end of the day. But I do get to help other manufacturers kind of think about some of these ideas and provide some of that information. We do reports weekly. I think, you know, to Brian’s point, and you bring up the DBIR, which all the GRF communities participate in providing data to.
Tim:
[00.08.48.13–00.09.08.00]
The trend lines are all going in the wrong direction and the speed and scale that, you know, people like Brian have to figure out how to do and remediate is only exponentially going up. I looked at a graph that showed since since the beginning of the CVE program, sort of the number of vulnerabilities each, each, each year.
Tim:
[00.09.08.00–00.09.32.06]
And I don’t think you’d be surprised that it is like a hockey stick kind of growth. So I think basically to what Brian’s point was saying is that, like prioritization has to be part of the equation. I think what we’re thinking about now, if if Mythos is becomes not only on the in the hands of the good guys, which, you know, we know that they’re going and reviewing code right now.
Tim:
[00.09.32.08–00.09.56.18]
And regardless of how many vulnerabilities it’s found, it’s finding them a lot quicker than people. And and it also has the ability to not only find the vulnerabilities, but write custom code to execute vulnerabilities, to move laterally, privilege escalation, etc. And and the UK’s AI kind of government agencies tested that in their own labs and found that this is not like magical.
Tim:
[00.09.56.18–00.10.15.20]
It’s like a it’s like a 15 to 20% increase over the last models ability to sort of code and understand. But I think that the concern is that where we were already sort of, you know, struggling to keep our heads above water in terms of vulnerability and patch management. Now, it could be a complete, you know, drowning of organizations.
Tim:
[00.10.15.20–00.10.46.22]
So how how are organizations going to going to get ahead of this. Well, like to Brian’s point, prioritization, appropriate prioritization, where incidentally, enough AI can actually help play a role in trying to which vulnerabilities are likely to be used, and not just right now. As you know, the MFG-ISAC is reporting about threat activity, you know, ransomware organizations, not just by human actors, but increasingly going to be AI actors as well, which they might take a very different path than than a human agent would.
Tim:
[00.10.47.00–00.11.16.19]
So that’s part of the equation as well. I’m assuming that it’s some point in the future we are going to have to have, you know, AI automating some of the vulnerability remediation, because it’s going to have to be at a speed and a scale to make that happen. But in the meantime, I think what we’re looking at is trying to understand what a much more permissive edge looks like and how to move a little bit more from security to resilience, because they’re going to get in.
Matt:
[00.11.16.21–00.11.31.17]
Yeah. As a follow up question to you, Tim, with, you know, you’re seeing across the manufacturing as a sector, do you do you see that all size organizations are experiencing the problem the same and approaching it the same way?
Tim:
[00.11.31.22–00.11.39.07]
No, it’s I’ve learned my lesson that I you can’t with manufacturing. You can’t generalize.
Matt:
[00.11.39.10–00.11.41.01]
But rule is.
Brian:
[00.11.41.07–00.11.42.11]
Yeah generalize.
Tim:
[00.11.42.15–00.12.07.22]
Yeah. So because I’ve seen I’ve seen really small organizations that have really impressive programs, I’ve seen really large programs and really large organizations that are just trying to get their heads around some of this. But I would say in general, manufacturing is kind of unique in the exposure that it has as Brian’s laid out, because it has both an IT and an OT environment.
Tim:
[00.12.07.22–00.12.30.11]
And as you mentioned, Matt, unlike other OT focused businesses like in energy or whatnot, there isn’t the same compliance, which doesn’t set it doesn’t. That’s not magical for them. I mean, it sets sort of a floor on what the controls you have to have are, but there would be a standard or a reference. And that is, Brian said, is really just focused on on at the end of the day, the economics of the organization.
Tim:
[00.12.30.11–00.12.57.15]
I will say that since taking this role on, I have noticed and it has improved over time. But I have noticed that the executive leadership is making decisions based upon, you know, the financials. But I think that oftentimes they are not understanding large baskets of risk that exist. So they’re not appropriately weighting them in the overall context of what that business looks like.
Tim:
[00.12.57.16–00.13.03.03]
I don’t know, Brian, if if you’ve seen that in your time, both in the consulting world now manufacturing.
Brian:
[00.13.03.07–00.13.19.05]
Yeah, it’s you know, it’s interesting when you when we started doing scanning back in the days and I really got led a lot of global ones back in 2015. So you run the scan, you do this stuff, you hand it off, you run the scan, you do the stuff, you protect the edge, this skittle approach, all that kind of fun stuff.
Brian:
[00.13.19.06–00.13.41.22]
I think that was which a much simpler time to do it. I think now where it’s hard to determine where your edge is, it’s hard to determine how third parties are in your environment. And I think what we’re really trying to come down here, though, is to your point, we haven’t been able to raise and aggregate the risk into something leaders can understand because in the end, this is this is not just a security problem.
Brian:
[00.13.41.22–00.14.00.15]
It’s a business problem. It’s a business risk. You know, we have to use AI. We have to improve our decision speed because that decision speed helps us with resiliency. Right now I’m about resiliency in the organization. Like you said, Matt, threat actors are going to come in great. How do we get them to where we want to go?
Brian:
[00.14.00.15–00.14.31.18]
But how do we make those decisions to say these are our tolerances in this level for these types of areas of our vulnerability and cloud? This is our type of vulnerabilities in this segment. Here it is. We’re we’re willing to settle with this. Right. And I think now if you want to take the flip side of this story and say we actually have solutions to help us do that, prioritize and present a business case on why that prioritization based on being able to try to exploit it ourselves when we do it and saying, hey, these ones aren’t that way, right?
Brian:
[00.14.31.19–00.14.54.01]
So you really start to narrow down highly exploitable, highly risk and then say, this is what the focus has to be now, it doesn’t take away that you start the long term deal with technology degradation over time and sunsetting and going on, but it allows you to do that pattern of pace versus this exploitation at speed, where you’re dealing with the threat actors from speed.
Brian:
[00.14.54.01–00.15.11.19]
So you’re dealing with two speeds here, one taking care of business, the other one is dealing with how threat actors are driving at exploitation. But we kind of have the same tools they can. So let’s start using them for the reason we need to, is to show that can or can’t be exploited, why we should go and fix it now, right?
Matt:
[00.15.11.20–00.15.29.21]
Right. So when you say you, I think you say visibility is a maybe summarizing here, but a precondition for speed. But you’re not talking about visibility at a technical decision making level. You’re you mean more at a like an actual organizational business priority level?
Brian:
[00.15.30.01–00.15.55.20]
Both, both. Here’s the thing. Right. When you look across the technologies, it’s being able to keep those in concert with each other. Right. If they’re deep infrastructure vulnerabilities is one thing. If it’s on the edge, it’s another. So one is just knowing where they are and knowing what the exploitability is, but then actually being able to take that data and bring it up into something that’s digestible for a decision maker, right.
Brian:
[00.15.55.21–00.16.10.17]
You know, a lot of times our, you know, I’m talking about myself and my brother and FUD was a way for where we did it. If we don’t fix this, it isn’t. You know, you’re going to be in trouble. There’s going to be a breach. You’re going to. Yeah. Right. And we’re smarter now. We’re not like we were back in the early days.
Brian:
[00.16.10.17–00.16.32.23]
Right? We have the tools. We you know, we have to treat a security like a business. We have to help people make decisions like a business. And so what we have now is we prioritize these need to get fixed first. These need to get second these need. And we have additional budget get to here. So it’s us working with those folks to help them make those decisions in that timely manner.
Brian:
[00.16.32.23–00.16.43.17]
In a business concentrated understanding. We’ll bring the technical side, but we need to translate it into what is so what, how fast and what does it really mean.
Matt:
[00.16.43.19–00.17.16.21]
Yeah, yeah. With do you think that do you see that there’s a lack of do you see a lack of trust creating friction between that handoff, between the technical analysis and, and the business decision making component of this. Like how does it affect the business component of it? Do you do you see that there’s to business maybe phrase it differently is from a business decision making standpoint as far as how these risks impact the operational side.
Matt:
[00.17.16.23–00.17.44.05]
Do do you see a high level of trust between the technical and that business decision component of the organization, like is it is it a or does a does trust impact that? Does it, does it does it just like here’s the data or do they have to do business owners have to be engaged in a way that they can act faster because they can trust the individuals who are reporting to them that they know what they’re doing, and they have a good grasp of it.
Matt:
[00.17.44.06–00.17.45.16]
Does that make sense?
Brian:
[00.17.45.18–00.18.05.00]
It does. And I think the word trust is difficult. I try not to use that with my leadership. They trust me because I never want you to trust me, okay? I want me to show you the data behind what we’re doing. What we couldn’t do before is we couldn’t show the data. You know, now that we have the visibility, we were able to correlate it.
Brian:
[00.18.05.01–00.18.24.23]
We’re able to, you know, quasi exploit it on our own versus saying, well, you could exploit it this way. Well, let’s try to exploit it. Right. And if we can we get there. So it’s doing that. It’s actually getting the data behind it. But then actually trying to meet non-technical people where they are and saying, how do I explain the risk?
Brian:
[00.18.25.00–00.18.46.06]
Okay, if we don’t do this, we expose this. We potentially have downtime on shipping, right? If, you know, if you take down shipping across the country for 6 or 8 hours, that has downstream ramifications, right? Okay. Right. And so what you want to be able to do is to say if we don’t patch this, this system needs to be resilient.
Brian:
[00.18.46.06–00.19.03.15]
It needs to stay up and it needs to be doing that. So we’re patching it right. Helps us so that if it goes down and we’re out for 12 hours, you’re pretty much. I use the example of sort of that Lucy. Lucille Ball show right where she’s eating the chocolates on the conveyor belt and she’s stuffing and picking it up.
Brian:
[00.19.03.16–00.19.31.11]
That’s what happens. There’s only so much room in plants, right? So they have to stop production. And that has a stream. So it’s trying to make sure you’re understanding chokepoints and being able to meet business people or meet legal folks where they are. Right. And the risk folks, I think that’s that’s a big one of the biggest things for us on a security side is we’ve really got to get better at speaking business terms consistently, and understanding the risk is what’s going to make the difference here.
Matt:
[00.19.31.13–00.20.08.18]
Yeah, yeah. With I forget I’ve been talking to both of you all and I one of you made a comment, I believe about the with the Mythos in the Glasswing baseline there the edge is disappearing, so to speak. Maybe it was Tim. I think it was you who commented on that. And it’s my, my, my take on that when you said that was that, you know, a sufficiently resourced threat actor with something like Glasswing, I mean, obviously we can we can assume that something like The last things like Glasswing are going to pop up and be easier to get access to.
Matt:
[00.20.08.18–00.20.27.19]
That’s kind of the trend in general with with an actor with that kind of discovery. What’s I guess, what does that future state look like to you from, from your perspective? Like when when that tool is in the hands of both, you know, the good people and the bad people, the, you know.
Tim:
[00.20.27.21–00.20.51.10]
And that’s an inevitability. And, you know, like we’re talking about Mythos, but Mythos is only one product from one company. And they’ll all have them and they’ll be iterating all the time. And, you know, and the bad guys will start, actually, I mean, the foundation model creators have some ability to provide some safeguards on their tool, but that’s not stopping the bad guys from making their own tools externally with some of the base models that they’re training.
Tim:
[00.20.51.10–00.21.15.23]
So right, there will be a proliferation of tools. That’s not the issue, I think. I think we’ve talked a little bit about the fact that the edge is sort of disappearing, and it has been for some time. This is just kind of like just speeding up that, that, that softening. And it’s kind of like there was some meme where there was like a raccoon that got a piece of cotton candy, and raccoons loved to wash their food.
Tim:
[00.21.15.23–00.21.36.12]
And it’s a video of this raccoon dipping the cotton candy in this like, water and then not understanding it just disappeared. And and I feel like that’s sort of like our, our edge is sort of disappearing in front of our eyes. There’s a number of reasons, but one of the things that I think is that because and this is no one’s fault, it is not like malicious or anything.
Tim:
[00.21.36.12–00.22.05.08]
It’s just that we’ve struggled with securing organizations for a long time in a number of different ways, and we have providers of technology that have come to the rescue sort of providing platforms and tools, right, to sort of help secure organizations. But the platforms and tools are primarily all software based. And so instead of getting some of the fundamentals right and some of the network architecture right, we sort of got to Band-Aid over with, you know, with the tools.
Tim:
[00.22.05.08–00.22.28.13]
But if the tool itself and I’m not going to name any names, but if the tool itself becomes the entry point it’s supposed to be, you know, your, your perimeter and what’s defending you that becomes problematic now as it pertains to like manufacturing particularly, I think one of the things that it’s going to be it’s already one of the at least from my perspective, Brian can have his own perspective.
Tim:
[00.22.28.13–00.22.51.23]
But I think one of the biggest risks to manufacturers right now, I was just reporting on this last week to members, the West Pharmaceutical ransomware attack. They had, you know, production down. But it’s not because of OT intrusions. It’s because of dependent IT in a, in a, in an attack or a ransomware or whatever is brought offline.
Tim:
[00.22.51.23–00.22.54.13]
So it’s like an ERP system or something else like that.
Matt:
[00.22.54.18–00.22.56.09]
So pipeline all over again.
Tim:
[00.22.56.11–00.23.18.18]
Yeah. There’s a number of ways that an operation can be brought down. Brian was talking about logistics, and usually the ERP is central to that logistical process as well. So there’s a lot of ways that, you know, manufacturing specifically can be disrupted that are not as common necessarily if you were in the insurance business or something and it was entirely basically in OT or in IT environment.
Matt:
[00.23.18.20–00.23.47.12]
Yeah. Brian, with the way that these, you talked about sort of how a lot of these processes, without that visibility, you’re kind of reduced to sort of the speed of a PowerPoint, you know, process, with the AI-driven vulnerability discovery, which is kind of the word, I guess, we’re kind of using for the term right now, as that becomes more widely available to good and bad folks.
Matt:
[00.23.47.13–00.24.13.13]
How, I mean, the disclosure and patch process is a bit, you know, already a little bit behind the times as far as the speed of things. Right. It still is kind of PowerPoint-y, right? How does that process generally, how does it need to evolve to operate in this sort of reality with these scalable tools that anybody, even without the skill sets, can start to use?
Brian:
[00.24.13.17–00.24.33.12]
You know, sometimes it’s not. Again, I’m going to go back to, it’s not about the tool. It’s about the process, which flows everything down, is who gets to make the decision. What is the risk tolerance we’re willing to do? When we look at it and we’re always making one-off decisions about them, it just bogs everything down.
Brian:
[00.24.33.12–00.24.57.23]
So what we have to do is stand back and start to say, great, what’s our tolerance? What’s our risk tolerance on these things? Because, you know, you’re never going to get something down to a specific number. Great, this is an area we’re concerned about, we’re going to focus patching here. This is an area that we want to assure, if we’re going to patch here. Again, what you’re trying to do is close off attack paths so that if they do come in, you want them where you want them.
Brian:
[00.24.57.23–00.25.20.01]
And so I think the thing is, it’s always an arms race on finding a vulnerability. And that’s just how it’s going to continue to be. The question is how do you defend, or at least decide how you want to work your environment, because you talk about the edge is gone. Okay, great. Well, then if they’re going to come in this way, let’s make sure we get this protected.
Brian:
[00.25.20.01–00.25.35.18]
And these we’ll just have to take a risk on. It’s no different than an organization saying, hey, we’re going to go into this market, we’re going to ignore this market, right? Because how are we going to do it? You have to take the same approach here, because you’re never going to win this game when you’re a defender all the time.
Brian:
[00.25.35.18–00.25.56.22]
If you watch, even if you watch, like, American football, right, when the offense is churning, right, and you’re on the defense on the field, they get really tired. They start to suck wind, right? We’ve got to stop doing that. As defenders, we’ve got to stop being on defense all the time. We have to go on our own offense, and our own offense is how do we basically say these are the areas we’re going to stand our ground.
Brian:
[00.25.57.02–00.26.15.10]
These are areas where we’re going to bring them in, but we’re going to contain them. And I think that’s the only way you’re going to battle this, right, versus trying to be perfect, trying to discover everything. Knowing where to hold your ground becomes the issue, because you’ll get tired and you’ll be chasing. And that’s not where you want to be.
Matt:
[00.26.15.12–00.26.48.11]
Yeah, yeah. This is kind of a debate that’s going back and forth. Obviously IT, you know, events, cyber events, vastly outnumber OT. And people across various industries have different opinions on this. But with this sort of AI-scaled discovery, do you anticipate OT findings increasing? Like, do you see that scaling up the vulnerabilities that have been overlooked on the OT side?
Matt:
[00.26.48.13–00.26.56.04]
Or do you see sort of the pendulum shifting more to where attacks focus more specifically on OT as opposed to IT?
Brian:
[00.26.56.10–00.27.15.08]
Well, I’ve always had this theory about threat actors: they’re like electricity, they go to the path of least resistance. And so what you try to really do is, as long as those other attack paths, Tim referenced it, legacy technology in IT that’s plugged into a device, why do you have to go after the device?
Brian:
[00.27.15.08–00.27.30.12]
You can stop it through the tech, through the Windows 7 laptop that you’re running that allows auto-start and all the other things going on. Right? So you think about that at some level. Those are the things that they’re going to go after. Right. Because you can still get the bang for the buck.
Brian:
[00.27.30.13–00.27.48.02]
Right. You don’t have to stop the OT piece of it. You can really work on the technology side. So for me, until that becomes so hard, why go after it? Electricity rules: go to the path of least resistance and you’ll still get into what you want to accomplish. Because in the end, they’re trying to accomplish something; it doesn’t matter how you do it.
Matt:
[00.27.48.04–00.28.10.18]
Yeah, yeah. It seems to be really coming down to the incentive. A lot of folks, like, do they want money? Well, then it’s probably going to be an IT-based attack. Do they want to cripple a nation? Well, then it’s probably going to be more OT-focused, or something to that effect. Brian, I have a question for you about the resiliency.
Matt:
[00.28.10.19–00.28.37.04]
You’ve said, you know, resiliency is the goal versus security. I take that as meaning resiliency versus prevention, right? Like working with the assumption that these things are going to happen, as opposed to assuming you can keep a security posture that prevents it. Right? So, you know, the idea is assume you’re always operating in a compromised situation, from your perspective.
Matt:
[00.28.37.05–00.28.56.05]
I mean, my sense is most cyber folks have kind of adopted that for the most part. Maybe I’m wrong there. Correct me there. But how does an organization actually behave differently at that operational level that you’ve mentioned before, when it internalizes that idea?
Brian:
[00.28.56.11–00.29.01.12]
Well, again, it’s not just the security people who’ve got to believe it. It’s the rest of the organization that has to believe in it.
Matt:
[00.29.01.12–00.29.01.21]
Right.
Brian:
[00.29.02.00–00.29.25.12]
Right. You know, we keep talking about security and security. But remember, resiliency takes a village. Everybody’s got to be involved in the process. And so there are a couple of things I think you do. Number one is you work away from this point-in-time test to continuous testing. Because in response, you don’t want people to react to something, you want them to respond.
Brian:
[00.29.25.12–00.29.42.00]
And so basically people need to know, when this happens, we do this: where are our backups, how do we go after it? Right now, actors are going after backups because they know that’s your play card, right. So how do we make sure we do that? How do we make sure we’re able to cut off parts of the network, if we can? How do we make sure we know where we get the data?
Brian:
[00.29.42.00–00.30.00.00]
And that’s not always a security issue. You know, we’re fighting, finding the threat actor trying to do that. But the other part is how do you actually keep it moving, right? We talked a little bit previously about ship self-defense. Right. So how do you take a missile into the ship, right, and still get it back to port with the missile hit in it?
Brian:
[00.30.00.01–00.30.25.07]
That’s what you’re trying to do here. So, you know, do people know where the backups are? Do people know where the equipment is? How can they fail over, right, so you can keep the system running? Keep it running while an incident is happening. And that’s why it just takes a different mindset of all hands on deck, right? Not just the security folks, but people who know how to keep equipment up, keep it running, fail over, and move to a new platform as quickly as possible.
Brian:
[00.30.25.07–00.30.34.01]
And those things have to be practiced all the time, not just periodically. And that’s where I think it’s important from a readiness perspective.
Matt:
[00.30.34.04–00.30.56.14]
Yeah, yeah. How do you convey that kind of a passion? I mean, there’s a lot of exhaustion, you know, eye-rolling from these recommendations from security. And, you know, well, we need to make sure we’re always thinking this way. But, like, how do you position that offensive readiness as a business argument?
Brian:
[00.30.56.20–00.31.12.20]
Well, it’s this, right. Identities. Everybody needs identities these days. Right. And that’s an attack vector. If you’re going to come in and hit something, you turn the lights out and you cut off people’s access and identities. You can go at it, right. So how do you make sure you can restore identities? How do you go through that?
Brian:
[00.31.12.21–00.31.31.22]
Right. I think the second part is around the data and data backups and restoring. Right. You can have operational outages. So it’s the same thing as an operational outage: you have to restore it. So you try to align it to things they already do. Right. It’s not just, hey, it’s a cyber incident. It can be an outage. Something else can happen, right?
Brian:
[00.31.31.23–00.31.51.05]
You can have a platform service provider go out. What do you do? It’s never a cyber incident. Somebody tripped over a router somewhere in upstate New York. All right. Those types of situations. So that to me is the idea of resiliency. What I consider the side effect of it is you’re actually good in a cyber response.
Brian:
[00.31.51.06–00.32.05.19]
Right. So that’s what I’m trying to shift it to. You know, you have to keep going because we’re very interconnected. Here’s what we do, you know, how much we maybe rely on third parties, other products and data. Use that process to help you with a cyber event.
Matt:
[00.32.05.20–00.32.31.00]
Yeah. For the industry itself, right, that is sort of a barbell. One end is the larger industry players that tend to have the resources and human capital to deploy into the more forward-leaning strategies, and then the smaller end of that industry, who tend to complain about the fact that they can’t implement these things because they don’t have those resources.
Matt:
[00.32.31.02–00.32.50.15]
From your perspective, you see kind of across the industry as a community, what kinds of things do the smaller organizations, who see these ideas as unattainable because they, you know, have these constraints, what do you recommend? Where do they start? Where do they go with these kinds of ideas?
Tim:
[00.32.50.17–00.33.09.12]
Yeah. I mean, that is one of the central issues. And I’ve been sort of dealing with that in the collective defense ISAC world for over a decade now. And that’s kind of how every industry is. I mean, the largest firms sort of set the direction for the industry itself, some of those best practices, how they do what they do.
Tim:
[00.33.09.14–00.33.32.04]
But then really quickly you get the mid-size. And even in manufacturing, especially, a lot of small organizations. I mean, if you think how many different very small organizations, maybe up to a few mid-size, are suppliers to Brian at 3M, right? I mean, for every 3M, there are tens of thousands of sort of mom-and-pop manufacturers.
Tim:
[00.33.32.04–00.33.56.19]
And what I would say to them is probably maybe a little bit different than what I would say to the largest firms, which is, for them, actually moving to cloud is probably much better, where they can have a smaller team sort of administrate in one environment, versus, like, some of them are literally just kind of hosting locally. And then we have what we call our essential controls.
Tim:
[00.33.56.19–00.34.28.09]
And that’s just a place to start with the most basic kind of cyber hygiene and how you need to set up and secure your local, you know, your LAN and your Wi-Fi, what you can do that’s free or low cost, basically wherever you can enable MFA, things like that. That’s what I would say for the mid-size, because it’s difficult when we’re talking about some of this data and, like, vulnerability and patch management. If you’re going to do automated vulnerability patch management, that’s not going to be something for them.
Tim:
[00.34.28.10–00.34.49.00]
I mean, I’ve been dealing with this for years. The largest firms are taking automated feeds from the ISACs. The smaller firms need it, you know, as a PDF emailed to them. So, you know, what we’re sort of telling them is consistent across organizational size, but how they need it and how it needs to be digestible definitely changes between organizations.
Matt:
[00.34.49.03–00.35.32.00]
Yeah. Brian, obviously I’m not asking you to speak for the big-size ones, but in industry sharing communities like this, a lot of times that sort of contention between the different-sized organizations, you know, only exists because they believe it does. From your perspective, maybe you can tell me if you agree with this, what I’ve seen with larger organizations in other industries, utilities and energy and such, is that the larger organizations actually want to participate in these communities with the smaller organizations because, you know, it’s kind of a rising tide lifts all boats.
Matt:
[00.35.32.00–00.35.57.19]
From your perspective, do you see that culture reflected inside organizations the size of 3M? I’m not asking you to speak for 3M, but does that kind of flow through for folks in your position as well? Like, are you getting involved in these communities to also kind of lift the broader awareness and the security posture in the industry as a whole?
Brian:
[00.35.57.21–00.36.16.02]
Definitely. I mean, I think right now it’s getting out there, working with them, knowing what they have, right, and trying to come up with ideas, you know, because in the end, right, you said it right. I hate this term, but we’re as strong as our weakest link, and that’s the perspective.
Brian:
[00.36.16.03–00.36.33.20]
But really what it comes down to is we’ve got to take away attacks. I’m going to go back to attack surfaces, and I’m going to go back to fighting on the ground I want to fight on. Right. I need to make sure that the groups that are working with us are doing their best so that we can say that part we’ve got.
Brian:
[00.36.33.21–00.36.48.07]
Okay. And if somebody wants to come after us, they’re going to come after us where we’re going to push them to. So that to me is just the same strategy that we want. We want them as strong as possible. You know, we do a lot with SaaS products now. So it’s not always just about suppliers.
Brian:
[00.36.48.07–00.37.12.10]
Right now, I think you talked about these small groups, but everybody’s gone to this sort of SaaS-connected model. That’s a heck of a threat vector. Everybody went through some OAuth problems back in the fall, right. So, you know, again, I think we need to be thinking in terms of attack vectors and where people will go, not sizes of organizations.
Brian:
[00.37.12.15–00.37.31.20]
Remember, threat actors are highly adaptive. Fail fast, try anything. Right. Which is a much different mentality than the defenders who are like, oh, I’m going to block this, block this, or like, I don’t care, we’re going to go. So, you know, I think it’s just trying to understand that better, where your risks are. Size doesn’t matter in this case.
Brian:
[00.37.31.21–00.37.32.12]
My perspective.
Matt:
[00.37.32.13–00.37.54.11]
Yeah, yeah. That’s a good way to put it. I like that a lot. In the interest of time, I’ll ask you all one kind of final question here. And this isn’t a technical one or a cyber one. This is more just along the lines of personal preferences. You know, the Lock and Key Lounge has this theme.
Matt:
[00.37.54.12–00.38.15.06]
You know, the lounge theme. So the question I have is, and I frame it a little differently than our CEO does, but Brian, I’ll say this to you, and Tim, you can follow along. Imagine you’re at a bar, and it’s one of those nice ones where, like, you don’t actually have to yell to talk to each other, and you’re at one end.
Matt:
[00.38.15.06–00.38.38.04]
And at the other end of it is someone in security that you’ve really wanted to bend the ear of, or interact or meet with. And I’ve always found that the cocktail choice is sort of the Rorschach test, right. So if you’re in this scenario, Brian, for you, what’s the cocktail you order, if you, you know, go that direction?
Matt:
[00.38.38.08–00.38.43.05]
And who is at the other end of that bar? Who is it that you’d like to have a drink with?
Brian:
[00.38.43.10–00.38.59.17]
Wow, that’s a great question. First, you know, not a big drinker. So I’m always going to go with a tonic and lime, you know, just to kind of go at it. And what I have to think about is the other end. Wow. This is a great question, man. If I had to really think more about it, when you’re looking at it.
Matt:
[00.38.59.19–00.39.01.14]
I kept the hard one for last.
Brian:
[00.39.01.18–00.39.22.03]
You know, I would sit here and think about the person who is at the head of cyber for the NSA, right? Because, you know, I’m trying to live in a real world, not in make-believe and what I read and sort of do all these things. And so part of it is, let’s talk about that. Let’s talk about zero days, because we all know that.
Brian:
[00.39.22.03–00.39.44.13]
They know zero days. Right. Let’s talk about what the reality is out there, you know, and getting just a better perspective in order to manage expectations, because too much in my role I’m dealing with fear and I’m dealing with, you know, bits of something. I’m dealing with being blasted on whatever news station you’re getting with a clip of something and saying, God, can they exploit that? Is that our problem, right?
Brian:
[00.39.44.15–00.39.51.10]
You know, how do we get better, to just get people to cope with the drama of sensationalism versus reality?
Matt:
[00.39.51.12–00.39.54.19]
Yeah, yeah. Tim, how about yourself?
Tim:
[00.39.55.00–00.40.15.21]
It is a great question. So I’m going to give you two answers. One that’s work-related. Okay. So the answer to what I’m drinking is probably something whiskey-based. But who’s at the other end of the bar? If it’s work-related, it’s probably going to be Sean Plankey, acting director of CISA, because I’ve got plenty of things I need to talk to him about, and it’s been a while since I have.
Matt:
[00.40.16.01–00.40.17.05]
And here.
Tim:
[00.40.17.08–00.40.27.21]
Yeah. And if it’s just a friend and cool stuff, I probably just... Look, I haven’t talked to him in a couple of months, so always a good one.
Matt:
[00.40.27.22–00.40.50.08]
Joe was a good... Yeah. Joe was always a good time. I wasn’t talking to him. Well, Tim, Brian, this was, the Wi-Fi connection issues notwithstanding, the kind of conversation I was hoping we could have. I wish we could actually have it longer, but I do want to thank you both for coming together quickly and accommodating some of that stuff to jump on here.
Matt:
[00.40.50.11–00.40.54.01]
Any final questions or thoughts before we sign off?
Brian:
[00.40.54.03–00.40.57.11]
Matt, thanks for having me. This is good. Always enjoy these discussions.
Matt:
[00.40.57.12–00.40.59.21]
Good, good, good, good. And...
Brian:
[00.40.59.22–00.41.01.09]
Always good to see Tim.
Matt:
[00.41.01.11–00.41.05.22]
Tim, you missed your chance to say that it was Brian at the other end of the bar.
Tim:
[00.41.05.23–00.41.08.17]
Oh, yeah. I should have done that.
Brian:
[00.41.08.19–00.41.10.05]
He doesn’t want to see me at the other end.
Tim:
[00.41.10.07–00.41.17.03]
No, Brian. Brian can see me anytime. He can summon me like it’s just to say my name three times, like Beetlejuice.
Matt:
[00.41.17.09–00.41.38.12]
Well, and to the listener, once again, thank you for taking the time to listen to another one of our episodes here at the Lock and Key Lounge. I know your time is valuable to you. You know, if you take one thing away today, it’s this Glasswing number, where you have 10,000 high-severity findings. It isn’t the story, right?
Matt:
[00.41.38.12–00.42.01.09]
The story is that it reveals assumptions underneath it and things that, at a cultural level, we should be working to address. And clearly there are very smart people already working to address these things. And so we need to share this information and adopt this at a human level, not at a software or product level.
Matt:
[00.42.01.10–00.42.31.08]
Because, you know, Glasswing is just a number. It’s just a measurement. The reality is what we do with it at a human level in implementing these and doing the unsexy work and internalizing this stuff at a programmatic and cultural level across our organizations. If you have any ideas for what you’d like to hear in the next podcast, feel free to reach us at Lounge@ArmorText.com.
Matt:
[00.42.31.10–00.42.39.07]
And until next time, I am Matt Calligan. Stay curious, stay resilient, and do good work.
Matt:
[00.42.39.09–00.43.12.07]
We really hope you enjoyed this episode of The Lock and Key Lounge. If you’re a cybersecurity expert, or you have a unique insight or point of view on the topic, and we know you do, we’d love to hear from you. Please email us at Lounge@ArmorText.com or visit our website at ArmorText.com/podcast. I’m Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you’ll get live, unenciphered, unfiltered, stirred, never shaken, insights into the latest cybersecurity concepts.