[00:25.300 --> 00:30.120]  Remember the message, the future is not set.
[00:57.030 --> 00:58.130]  All right.
[00:58.130 --> 00:59.950]  Good morning, everybody.
[01:00.830 --> 01:03.150]  Good morning, cyphercon.
[01:04.510 --> 01:05.070]  All right.
[01:05.070 --> 01:06.590]  Now i got your attention.
[01:07.310 --> 01:08.090]  All right.
[01:08.090 --> 01:09.930]  Well, i'm thrilled to be here with you today.
[01:09.930 --> 01:11.270]  My name is sheldon cuffee.
[01:11.270 --> 01:16.850]  I am the ceo of cream city cyber based right here in Milwaukee, wisconsin.
[01:20.960 --> 01:28.020]  Cream city cyber was founded about 18 months ago and Actually started up in earnest about six months ago.
[01:28.560 --> 01:31.900]  We brought quite a bit of our team with us here today.
[01:31.900 --> 01:35.140]  If you guys are here somewhere, if you'd like to Stand up.
[01:36.120 --> 01:36.620]  Oh, wow.
[01:36.620 --> 01:38.120]  They're all right in front.
[01:40.680 --> 01:53.180]  So just to introduce myself to you briefly, so before i Started cream city cyber, i was the cio, chief information Officer for american family insurance.
[01:53.460 --> 01:55.960]  I was the cso at mfam.
[01:55.960 --> 01:59.220]  The cso at dell technologies in austin, texas.
[01:59.220 --> 02:02.160]  And then the cso at northwestern mutual.
[02:02.940 --> 02:04.780]  Yeah, right?
[02:05.340 --> 02:14.000]  So many of my experiences have been formed over the past ten Years in some type of a role as a cso.
[02:14.580 --> 02:26.400]  And i don't know about you, but if you just even track back a Year , five years, ten years, and think about where you were at That time, you would say that life has changed dramatically.
[02:26.400 --> 02:27.860]  Things have changed.
[02:27.860 --> 02:33.320]  And then you throw in a global pandemic on top of that, things Get really interesting fast.
[02:33.820 --> 02:36.260]  And so that's where cream city cyber comes in.
[02:36.320 --> 02:38.000]  This isn't meant to be an advertisement.
[02:38.000 --> 02:46.820]  It's meant to be, you know, we really want to focus on the Mission of helping companies navigate risk confidently.
[02:47.100 --> 02:49.800]  Now, i know there are some competitors in the room.
[02:49.800 --> 02:52.580]  We're not competing with anybody in the milwaukee area.
[02:52.580 --> 02:53.780]  That's not our intent.
[02:53.780 --> 02:59.560]  We are actually operating as an international consultancy at This point.
[02:59.860 --> 03:07.680]  It's been just a really amazing growth story that, you know, Hopefully we'll share with all of you at some point.
[03:08.000 --> 03:13.440]  That being said, this topic is about cyber war.
[03:14.060 --> 03:17.840]  And you'd say, cyber war, wow, that's a little hyperbolic, Isn't it?
[03:17.840 --> 03:23.460]  Like, why would you start a, you know, have a keynote Presentation around cyber war?
[03:23.620 --> 03:33.480]  Well, i believe what i've come to understand over the years as A global ciso operating in international environments, There's a lot of risk everywhere.
[03:33.480 --> 03:35.440]  And the risks are changing.
[03:35.440 --> 03:36.620]  They're evolving.
[03:36.940 --> 03:40.300]  There are risks that will emerge that we haven't even thought of Yet.
[03:40.300 --> 03:45.700]  And so this is where we come Into the definition of cyber war.
[03:46.700 --> 04:04.620]  And as the dictionary identifies this, cyber war is the Intentional use of computer technology to disrupt the Activities of an organization, especially the deliberate Attacking of information systems.
[04:04.620 --> 04:10.440]  Now, i'll give you a different definition that was created During my time in financial services.
[04:10.440 --> 04:16.540]  And the only difference between hacking and war is intent.
[04:16.880 --> 04:27.060]  And if you intend to do harm to me, to my organization, to the Assets of my organization, that is the literal definition of War.
[04:27.300 --> 04:35.540]  And so i want to talk with you about the mindsets needed to Step into this type of environment.
[04:36.360 --> 04:49.940]  Something that i've really bemoaned and i don't like is in The corporate structures, we think of cyber security as Upgrade projects.
[04:50.460 --> 04:51.960]  Let's deploy another edr.
[04:51.960 --> 04:53.940]  Let's deploy another firewall.
[04:53.940 --> 05:02.160]  On average, the average company Has over 75 different tools in their cyber security arsenal.
[05:02.160 --> 05:06.060]  Most cyber security teams aren't even 75 people.
[05:06.240 --> 05:09.160]  But the average company has that many tools.
[05:09.560 --> 05:11.980]  So there's something wrong with this equation.
[05:12.580 --> 05:16.320]  And so before i go on here, just a little bit of housekeeping.
[05:16.520 --> 05:20.800]  As i talk through this, no part of this presentation endorses Hacking back.
[05:21.740 --> 05:23.400]  That is illegal.
[05:23.400 --> 05:28.400]  So just for my federal law enforcement buddies in the room.
[05:29.200 --> 05:41.920]  But this presentation does endorse how to evolve our Mindsets to proactively mitigate risk and properly defend against Ongoing threats.
[05:42.300 --> 05:51.100]  And so as we think about what This landscape looks like, i pulled up an old slide from 2023, this is momentum partners.
[05:51.100 --> 05:57.560]  Every year they identify and Outline all of the different cyber security technologies.
[05:57.560 --> 05:59.380]  Every year it gets smaller and smaller.
[05:59.380 --> 06:00.880]  So this is probably hard to read.
[06:00.880 --> 06:08.360]  The point is not so that you can read it, but you can see how Complex this landscape is getting.
[06:09.080 --> 06:11.620]  And so what do we do with all of these tools?
[06:12.000 --> 06:13.760]  We have more tools.
[06:13.760 --> 06:16.380]  We continue to experience more Breaches.
[06:16.900 --> 06:20.560]  Hacking is getting even more Difficult to defend against.
[06:20.660 --> 06:25.900]  And so my hypothesis is that the Tools are not what's important here.
[06:25.900 --> 06:36.440]  The tool, the mindsets that we deploy as offensive and Defensive security technologists is what's important.
[06:37.020 --> 06:45.940]  And so the question here is how much do you spend on cyber Security?
[06:46.160 --> 06:50.920]  well, as the rock would say, It doesn't matter how much you spend on cyber security.
[06:51.000 --> 06:54.700]  What matters is how you use those dollars.
[06:54.700 --> 06:56.580]  Are you using them efficiently?
[06:56.580 --> 06:58.700]  are they being used on the right risks?
[06:58.700 --> 06:59.920]  Do you understand your risks?
[06:59.920 --> 07:05.700]  are they being utilized to Deploy the right personnel, talented folks?
[07:05.700 --> 07:08.300]  Are you training individuals appropriately?
[07:08.500 --> 07:19.820]  And so this is where i borrow a few metaphors and analogies from My time in the military to just talk about what it means to Operate in this new environment.
[07:21.520 --> 07:23.180]  Number one.
[07:24.040 --> 07:30.060]  I have a belief that we are all Operating in degraded environments now.
[07:30.420 --> 07:32.260]  What's a degraded environment?
[07:33.220 --> 07:38.600]  degraded environment means that The environment is not normal.
[07:38.600 --> 07:41.760]  There's something adverse Occurring in this environment.
[07:42.000 --> 07:47.340]  In this case, you have a Helicopter kicking up a lot of dust, so we have a lack of Visibility.
[07:47.340 --> 07:49.280]  We still need to be able to run The mission.
[07:49.280 --> 07:51.860]  We still need to be able to Operate.
[07:52.560 --> 07:59.760]  And so as we think about Degraded environments, i've come to a conclusion that every it Network is a degraded environment.
[08:00.300 --> 08:11.500]  There are too many technologies, too many ways to configure Solutions and tools, too diverse of skill sets to actually run Those tools.
[08:11.940 --> 08:20.540]  And so wrapping our head Around we are operating in a degraded environment from a Cybersecurity standpoint is imperative.
[08:21.140 --> 08:31.600]  If you can't start with that as your starting point, then you Don't quite get the adrenaline to step up to what needs to be Done in this space.
[08:32.280 --> 08:37.920]  And so the next item i want to Go through here is hope is not a strategy.
[08:38.620 --> 08:49.680]  I don't know about you, but i've worked in a number of Places, none of the ones i mentioned, but i've worked in Enough places, i've worked for seven different companies over 30 Years.
[08:50.680 --> 08:51.680]  Including the u.s.
[08:51.680 --> 08:52.540]  Military.
[08:52.900 --> 08:56.200]  And believe it or not, there Are people in the military that still believe hope is a Strategy .
[08:56.200 --> 08:57.060]  It's not.
[08:57.100 --> 09:01.180]  You need to understand what the threat landscape is.
[09:01.620 --> 09:05.520]  And not just within your four walls, but outside your four Walls .
[09:05.800 --> 09:08.420]  We call that bringing the fight To the enemy.
[09:08.980 --> 09:13.720]  We need to have continuous External reconnaissance of what's going on.
[09:13.720 --> 09:17.900]  How is our name being utilized in public spaces?
[09:17.900 --> 09:24.040]  Are there typo squatting domains being stood up routinely around Our brand?
[09:24.040 --> 09:27.240]  are they actively being used to Attack our customers?
[09:27.280 --> 09:34.180]  this is stuff that i know some Cyber security folks have said, ah, it's just really basic and It doesn't matter.
[09:34.180 --> 09:35.920]  Why do you care about that Stuff?
[09:35.920 --> 09:37.700]  because the basics matter.
[09:38.020 --> 09:41.220]  If you don't have visibility, you can't fight.
[09:41.220 --> 09:45.180]  And so we want to stalk the threat.
[09:45.300 --> 09:54.620]  We want to, again, this is not hacking back, we want to Understand what's happening around the perimeter of our Network and within the internet.
[09:56.020 --> 09:59.180]  And then we also have to utilize deception.
[09:59.860 --> 10:06.480]  In some cases, we'll want to do things intentionally to evade an Attacker, to throw them off, to confuse them.
[10:06.480 --> 10:14.460]  So, for example, don't put the name of the product in your Server name or your internet address name.
[10:14.460 --> 10:16.020]  Not a good idea.
[10:16.460 --> 10:20.560]  It just gives the attacker Quick access to understand what's happening.
[10:20.560 --> 10:29.180]  If your internet url says octa.Com, that's not a very good thing.
[10:31.370 --> 10:36.970]  Number three, we train in peacetime as you would fight in war.
[10:37.930 --> 10:38.870]  Cool?
[10:41.340 --> 10:43.880]  well, we're not fighting, we're training.
[10:43.880 --> 10:48.940]  Well, we're not fighting, we're getting ready for what might Come our way.
[10:50.060 --> 10:57.540]  And so if you don't like the War analogy, how many folks have kids that play basketball, Football, or soccer?
[10:58.560 --> 10:59.820]  a lot of people.
[11:00.680 --> 11:09.220]  So i was a soccer coach for many years as well, and what we told Our players was that you practice the way you play.
[11:09.900 --> 11:13.060]  So that when you get to the game, you're ready.
[11:13.060 --> 11:14.840]  You have the intensity.
[11:15.040 --> 11:18.460]  Now, you have some players that Don't practice well.
[11:19.680 --> 11:21.600]  That's par for the course.
[11:21.660 --> 11:23.920]  I was one of those players that didn't practice well.
[11:23.980 --> 11:24.540]  It's okay.
[11:24.540 --> 11:29.220]  But that's where we really need To ensure that we're training our folks.
[11:29.220 --> 11:33.040]  Sometimes we're deploying cyber security personnel, i.T.
[11:33.040 --> 11:38.920]  Personnel, infrastructure, et cetera, to do a job they have not Been trained for.
[11:39.200 --> 11:44.800]  And then we wonder why we spend So much money on tools and we end up with adverse consequences.
[11:45.300 --> 11:48.500]  So train in peacetime as you would fight in war.
[11:52.310 --> 12:00.250]  Number four, all cyber security programs are risk management Programs first.
[12:00.570 --> 12:02.210]  They are not technologies.
[12:02.210 --> 12:06.810]  They are enabled by technology, but they are risk management Programs first.
[12:07.150 --> 12:15.750]  So how can you defend a network, How can you proactively deploy controls if you don't understand What your risks are?
[12:16.650 --> 12:32.830]  if you've deployed technologies That are not informed by a risk assessment of what the degraded Conditions might look like, what the adverse consequences might Look like, you might be deploying the wrong controls.
[12:33.610 --> 12:36.750]  And so this is where, you know, the army is great for this Stuff.
[12:36.750 --> 12:37.590]  So this is from the u.s.
[12:37.590 --> 12:40.510]  Army resilience doctorate directorate.
[12:40.870 --> 12:55.430]  And one of the things, and, you know, at least a couple of the Companies here that i've worked for, know that the first things That i did when we came in to deploy a new program was we Deployed risk management professionals first.
[12:55.710 --> 12:58.570]  Because we want to understand the risk.
[12:58.570 --> 13:04.170]  We want to be able to identify the hazards that we're Experiencing or may experience.
[13:04.510 --> 13:07.350]  Assess the impact or likelihood Of those.
[13:07.470 --> 13:11.050]  And then deploy controls that Could mitigate those risks for us.
[13:11.290 --> 13:13.610]  Proactively thinking ahead.
[13:14.670 --> 13:15.210]  All right.
[13:15.210 --> 13:16.730]  So this one is from army.
[13:18.410 --> 13:22.530]  If you don't like the army, i've Got a prettier picture from the air force.
[13:24.010 --> 13:25.150]  Sorry about that.
[13:25.150 --> 13:26.370]  I just had to do that.
[13:26.370 --> 13:28.310]  Rob, i had to do that for you, buddy.
[13:30.690 --> 13:32.370]  They'll get me back for that.
[13:32.590 --> 13:32.890]  All right.
[13:32.890 --> 13:34.050]  Number five.
[13:35.010 --> 13:42.350]  If we're operating in degraded Environments, one of the best things we can do is prepare for that.
[13:42.630 --> 13:47.190]  When it snows, we're prepared for that already.
[13:47.410 --> 13:48.370]  We have salt trucks.
[13:48.370 --> 13:49.670]  We have plows.
[13:49.770 --> 13:54.410]  Sometimes you might put snow tires on your car ahead of the Winter.
[13:54.750 --> 13:58.430]  But degraded environments call For different things.
[13:58.930 --> 14:04.590]  And we can do this proactively Where we create protected routes through our network.
[14:04.890 --> 14:11.870]  So if you think of a forest and everything around you, right, in This picture, everything around you, we're on a road.
[14:11.870 --> 14:17.490]  Everything around you is green and lush and you really can't See through the forest.
[14:17.490 --> 14:21.050]  And if you're looking down on It, you can't see through the canopy either.
[14:21.190 --> 14:28.750]  If you've ever been in a forest during the day, in fact, i'll Ask the question, has anyone been in a forest during the Middle of the day?
[14:29.370 --> 14:30.810]  a lot of hunters, right?
[14:31.170 --> 14:33.690]  What's it like in the middle of the day?
[14:34.150 --> 14:36.050]  Just shout out something.
[14:36.530 --> 14:37.630]  It's awesome.
[14:37.630 --> 14:38.710]  All right, it's quiet.
[14:38.710 --> 14:40.990]  Yeah, there's that.
[14:41.310 --> 14:44.810]  Anything else about the forest in the middle of the day?
[14:45.590 --> 14:46.930]  It's dark.
[14:46.930 --> 14:47.970]  Exactly.
[14:48.510 --> 14:54.210]  You can't see very far in the forest, even when there's Blazing sunlight above you.
[14:54.210 --> 14:55.470]  It's also cooler.
[14:55.470 --> 14:59.230]  It's about 20 to 30 degrees cooler in some instances.
[14:59.910 --> 15:08.650]  So what we want to do is, if we don't have visibility, we need To create protected routes where we can operate safely.
[15:09.250 --> 15:12.410]  In a military context, i can run trucks down this route.
[15:12.410 --> 15:14.530]  I can fly helicopters over it.
[15:14.570 --> 15:18.010]  I can put folks on the side of The road to protect this route.
[15:18.490 --> 15:26.690]  So this helps us keep hackers Out of this route as well, the ones that want to do us harm.
[15:27.150 --> 15:32.370]  And we can operate safely through this environment, even Though everything around us is degraded.
[15:32.550 --> 15:37.130]  I'll come back to this later in the presentation, because There's another use case for this.
[15:37.770 --> 15:48.750]  I like to use this example when i talk with executive audiences, With boards, with folks that are not tech savvy.
[15:48.750 --> 15:54.070]  They're smart people, they're lawyers, they're economists, They're ceos, they're running companies.
[15:54.170 --> 15:56.670]  They just don't understand cybersecurity.
[15:56.690 --> 15:59.570]  It's kind of a magic box for them.
[15:59.570 --> 16:05.350]  So i use metaphors and analogies like this to really help them Understand a little bit better.
[16:05.690 --> 16:09.250]  For this audience, you'll Recognize this as zero trust.
[16:10.090 --> 16:27.910]  We want to allow traffic for Known identities, assets, server-to-server in some cases, We want to allow traffic for certain devices, and we want to Deny access for everything else.
[16:27.910 --> 16:30.610]  So that's all we're talking about, zero trust.
[16:30.610 --> 16:32.530]  Just a different way to say it.
[16:33.190 --> 16:35.130]  Number five.
[16:36.410 --> 16:40.470]  My favorite slide, unfortunately.
[16:41.830 --> 16:58.170]  Two years before my company at the time experienced a breach, We spoke with our senior leadership team, and we said we Can no longer protect our networks from ransomware.
[16:59.170 --> 17:00.710]  This is happening.
[17:01.390 --> 17:04.350]  We're going to do our best to Mitigate the risk.
[17:04.530 --> 17:09.990]  That doesn't mean we're laying Down our arms and throwing our hands up and saying, woe is me.
[17:10.030 --> 17:11.950]  There's nothing we can do about this.
[17:13.270 --> 17:16.310]  But what we can do is we can get ready.
[17:16.310 --> 17:25.670]  We can get ready for whatever is coming our way in whatever Form it comes our way, and oh, by the way, six months from now, That threat is going to change.
[17:26.090 --> 17:27.970]  It's going to evolve.
[17:28.970 --> 17:32.070]  And two years later, we were breached.
[17:34.210 --> 17:40.030]  And so the thing to do here, the only thing i want to share Here with you is the mindset.
[17:40.510 --> 18:02.670]  The mindset is when you feel Imminent danger, and i would say everybody in this room, if You thought there was imminent danger to someone you cared About, something that you've paid for, a vehicle, a home, Whatever, or your own life, you would do whatever it takes to Defend that.
[18:03.850 --> 18:12.230]  And so we were fortunate to Have really good senior leadership that supported us, And they say, yes, go do what you need to do.
[18:12.230 --> 18:15.030]  Here's millions of dollars to get ready.
[18:15.250 --> 18:16.670]  And so we did.
[18:17.870 --> 18:40.390]  So one of the things that you Will have to account for, and this is for almost any breach You will experience in the modern age, and that's right now, So i'm working with a company that as we were talking, and i Could kind of feel my blood pressure rising a little bit,
[18:40.390 --> 18:46.070]  And i thought, and they said, well, nothing bad ever happens To us.
[18:47.030 --> 18:51.050]  And i thought, okay, when's the Last time you've had an incident?
[18:52.210 --> 18:55.070]  And they said, oh, 2019.
[18:55.850 --> 18:57.390]  And i said, oh, okay.
[18:57.390 --> 19:02.530]  Have you been following the news of what's happening to Companies over the past five years?
[19:03.050 --> 19:07.450]  They're like, yeah, we're aware of that stuff, but we don't Think that will happen to us.
[19:07.450 --> 19:12.150]  We're in the middle of nowhere And we don't have a huge name.
[19:12.410 --> 19:14.190]  And i thought, okay.
[19:16.270 --> 19:17.830]  So mindset.
[19:18.270 --> 19:22.690]  If you don't believe you'll be Breached, you will be breached and you will be run over.
[19:23.690 --> 19:26.310]  And here are the things that will happen.
[19:26.710 --> 19:30.610]  You will have multiple attackers advance on your network at once.
[19:31.190 --> 19:40.670]  So you're not just trying to protect the front door, you're Trying to protect the back door at the same time and a window That they've come through.
[19:42.950 --> 19:46.850]  They will have lightning speed Automation.
[19:47.590 --> 19:52.450]  They will be able to identify All of your identity stores within minutes.
[19:52.730 --> 19:58.310]  They will throw a power shell at multiple parts of your network All at once.
[19:58.710 --> 20:04.510]  They will attempt to encrypt Your storage frames all at once.
[20:04.510 --> 20:09.030]  So these are things that we really have to shift our mindset from.
[20:09.030 --> 20:11.450]  We have an incident response playbook.
[20:11.450 --> 20:14.110]  We've practiced it a couple of times.
[20:14.470 --> 20:18.490]  You need to understand that it's not good enough.
[20:19.270 --> 20:23.950]  So usually i do these presentations and i try not to Scare the heck out of anybody.
[20:23.950 --> 20:25.790]  This is a little bit of a Different audience.
[20:25.790 --> 20:29.490]  You guys know the risks Associated with this stuff.
[20:29.810 --> 20:42.990]  You're on the front lines of Understanding the latest and greatest in deception Technologies, how to defend against this stuff, and also Identify vulnerabilities.
[20:44.290 --> 20:56.370]  But on the defender side of Things, we have to be aware that the advancements in hacking are Outpacing our projects.
[20:57.550 --> 21:00.330]  And as i like to say, hackers Don't care about your budgets.
[21:00.590 --> 21:04.790]  They don't care about your Portfolio planning process.
[21:04.790 --> 21:11.150]  They don't care about what time of The year you do budget planning and you take it through your Corporate planning process.
[21:11.530 --> 21:13.170]  Things have changed.
[21:13.530 --> 21:17.830]  If you are not adapting every few months, you're falling Behind.
[21:18.570 --> 21:23.870]  And so edr bypasses, i've been Studying this for years now.
[21:23.870 --> 21:24.650]  It's fascinating.
[21:24.650 --> 21:39.450]  So we started to deploy edr, xdr technologies to help mitigate The threat of malware, ransomware, and so the hackers Decided, okay, well, let's think about how do we turn that off.
[21:39.950 --> 21:42.750]  And there are a multitude of ways to do that now.
[21:42.870 --> 21:44.850]  And so we have to have something else.
[21:44.850 --> 21:46.690]  We have to keep evolving, right?
[21:47.050 --> 21:50.430]  Identity, identities, and domain takeover.
[21:50.430 --> 22:07.010]  If you have multiple identity stores, multiple identity Domains, and we all have them because we're supporting legacy Applications, your attack surface is significantly larger Than you want it to be, and hackers will take advantage of That.
[22:07.250 --> 22:10.750]  So you have to think about This in terms of how you're defending.
[22:11.290 --> 22:23.830]  And now my favorite, when i worked, one of the companies i Worked at, we were responsible for converged physical and Digital cybersecurity.
[22:24.270 --> 22:28.130]  And we were also responsible for Protecting supply chains.
[22:28.290 --> 22:40.270]  So you'd have equipment being Shipped on trains, on semi-trailers, airplanes, you Name it, so now you're thinking about the converged risk of Physical and digital security.
[22:40.530 --> 22:49.050]  And lo and behold, the hackers Decided a threat of physical violence is a good way to Handle things now as well.
[22:49.330 --> 23:03.170]  And in one case, the company Experienced an event where they texted the ceo directly and Said, unless you give us your credentials, we're going to kick Down, shoot down your front door.
[23:03.530 --> 23:05.230]  So this is real.
[23:05.230 --> 23:06.330]  This is happening.
[23:07.770 --> 23:18.890]  So the mindset, we have to lock into understanding the monetary Motivations of attackers are different now.
[23:19.170 --> 23:23.510]  They will compel employees to give up their credentials.
[23:23.990 --> 23:25.870]  And i don't blame folks.
[23:25.870 --> 23:33.090]  If you threaten to kick down my Front door, well, if you come to my front door, you're going to Have a different problem on your hands.
[23:35.550 --> 23:37.550]  But i understand.
[23:37.550 --> 23:38.970]  I get it.
[23:39.750 --> 23:42.890]  That the normal person is going to give up their credentials.
[23:45.250 --> 23:52.210]  So we have to think about that as cybersecurity technologists.
[23:53.270 --> 23:57.070]  And i don't know about you, but i will always fight on my own Terms.
[23:58.050 --> 24:02.830]  i will always ensure that i Have an advantage.
[24:03.590 --> 24:04.990]  I'm not going to be on the Ground floor.
[24:04.990 --> 24:07.170]  I'm going to be in an elevated position.
[24:07.730 --> 24:16.170]  And so this is where we have to utilize some of the defensive Tactics that militaries around the world utilize to defend Themselves.
[24:16.730 --> 24:18.850]  So we want to create choke Points.
[24:18.930 --> 24:20.870]  We don't want to fight them all Over the map.
[24:20.870 --> 24:24.670]  We want to get them into a Ground space to fight them.
[24:25.390 --> 24:31.410]  We want to reduce the number of Ingress and egress points into and out of our networks.
[24:31.830 --> 24:35.170]  If i have two or three doors to protect, great.
[24:35.170 --> 24:37.550]  If i have 20, that's a problem.
[24:37.930 --> 24:42.770]  You can't amass a force, Especially in the corporate context, to defend that.
[24:43.230 --> 24:47.010]  Most attacks nowadays, they don't bring anything to the Fight.
[24:47.370 --> 24:48.930]  It's like gilligan's island.
[24:48.930 --> 24:52.530]  They land on the island, they figure out what's there, they Use it, they build huts.
[24:52.630 --> 24:55.290]  In this case, they use it Against you.
[24:56.310 --> 25:04.250]  So if you have powershell Enabled, you've got all kinds of tools laying around, you've got Passwords in clear text, yeah, why not?
[25:04.250 --> 25:05.590]  I'll use that against you.
[25:06.210 --> 25:08.010]  You made it easy for me.
[25:09.450 --> 25:14.090]  The other thing we have to think about is what we call a honey Comb formation.
[25:15.250 --> 25:17.090]  So think of this as a grid.
[25:17.570 --> 25:20.170]  I'd like to use the example of a navy ship.
[25:20.170 --> 25:23.150]  Any sailors in the room?
[25:23.150 --> 25:24.010]  veterans?
[25:24.610 --> 25:26.450]  Thank you for your service.
[25:27.270 --> 25:34.710]  Many of our navy ships can Withstand blasts up to a certain point and keep floating.
[25:36.470 --> 25:45.610]  And so what happens is that part of the ship is walled off, Water can flood a portion of that ship, and it will be just Fine.
[25:45.610 --> 25:48.410]  It's degraded, but it can still Operate.
[25:48.410 --> 25:49.730]  It can still run.
[25:50.210 --> 25:53.290]  So this is what we have to think about in the corporate context.
[25:53.410 --> 26:00.170]  We like to talk about this as isolation, segmentation, and This is where this really matters.
[26:00.730 --> 26:09.850]  If you can create a honeycomb formation in your network, you Can jettison the rest of the network when you're breached.
[26:09.910 --> 26:12.650]  And you can fight them in a contained space.
[26:12.650 --> 26:14.510]  So this is a strategy.
[26:14.510 --> 26:18.230]  And it's been successfully used Numerous times now.
[26:19.110 --> 26:22.810]  And while you're doing that, You're going to activate your threat hunt.
[26:23.030 --> 26:33.290]  You're going to send your navy seals out into the network, and You're going to have them be your eyes and ears while you're Defending and trying to mitigate the situation.
[26:35.070 --> 26:36.570]  Number seven.
[26:37.930 --> 26:40.910]  We talked about isolation and Segmentation.
[26:41.670 --> 26:46.430]  The honeycomb formation so that You can wall things off.
[26:46.650 --> 27:01.910]  If things get really bad, and I've only had to do this once in a corporate context, so i was Fortunate for about six years as a ciso, i didn't experience any Breaches.
[27:01.910 --> 27:06.670]  Nothing of significant, you Know, where the network was being overrun.
[27:08.370 --> 27:19.790]  But i do believe in the current context that the attackers are So fast, they're so savvy, so sophisticated, in some cases, You may have to blow up your own bridges.
[27:20.270 --> 27:24.830]  And what that means is you're going to degrade your own Identity stores.
[27:24.830 --> 27:26.970]  You're going to take down your Own networks.
[27:27.890 --> 27:36.070]  You're going to drop firewalls Where companies will not have to run, they're not able to Conduct business.
[27:36.350 --> 27:48.370]  This is the new normal of What cisos, cios, and other leaders, many of you as Incident responders, in some cases, are dealing with.
[27:48.590 --> 28:02.370]  In the case of one of the incidents, it was the incident Responder who, because of their quick thinking and because they Acted promptly, mitigated a lot of damage for the company.
[28:02.490 --> 28:12.410]  It came down to the person in the platoon doing the work that Needed to be done that day to prevent a domain takeover.
[28:13.290 --> 28:22.730]  And so if we're going to create a honeycomb formation, we're Going to create choke points, we're going to reduce our Egress and ingress, we're going to fight them in a contained Space.
[28:23.770 --> 28:26.490]  Once we do that, we're going To clear and hold.
[28:27.090 --> 28:32.330]  We have to go through that Space, we have to clear the attackers, and we're going to Take some ground, we're going to hold that ground.
[28:32.330 --> 28:35.110]  We're going to take more ground, hold that ground.
[28:35.110 --> 28:41.830]  And these are the defensive tactics that we have to deploy At cybersecurity professionals.
[28:43.050 --> 28:55.290]  And so the last one, well, there's three more here, but the Last defensive maneuver here that you're going to deploy, i Learned this from the CISO of adobe, actually.
[28:57.170 --> 29:01.530]  And you have to be able to slow down the attack.
[29:01.870 --> 29:04.830]  They can move a lot faster than you can.
[29:05.370 --> 29:12.690]  So what you're going to do is, but you have to be prepared, you Can't do this with three different types of firewalls.
[29:13.090 --> 29:18.250]  You can't do this with, you know, multiple domain controllers That aren't connected.
[29:18.530 --> 29:21.730]  You have to be able to do what i Call a barrel roll.
[29:22.130 --> 29:28.650]  You have to be able to cycle Your firewalls, cycle your domain controllers so that you Are destroying persistence.
[29:29.470 --> 29:38.010]  The attacker is resident on one Of those boxes, potentially the firewall, potentially multiple Domain controllers.
[29:38.010 --> 29:40.690]  You're going to drop the Connection.
[29:40.950 --> 29:44.890]  You're going to kill their Ability to talk to that device.
[29:44.930 --> 29:47.490]  Now, they're going to booby trap That system.
[29:47.870 --> 29:49.770]  Once it reboots, they're back.
[29:49.910 --> 29:55.030]  It just takes them a little while to reconnect and get right Back on your network, but you're slowing them down.
[29:55.030 --> 29:59.150]  Every time their connection connects, oh, suddenly it's gone Again.
[29:59.330 --> 30:03.630]  You're slowing them down while You continue to remediate.
[30:04.470 --> 30:21.210]  So the other mindset, and most importantly, is we have to Better understand and appreciate Let me ask this differently.
[30:21.210 --> 30:28.970]  How many of you have a recovery Point objective or recovery time objective of 48 hours?
[30:30.010 --> 30:31.990]  Nobody wants to admit it now.
[30:32.790 --> 30:34.690]  Yes, i have that struck out.
[30:36.370 --> 30:38.550]  It depends on which system, exactly.
[30:38.830 --> 30:40.070]  Okay, even better.
[30:42.370 --> 30:43.450]  They cut my mic.
[30:43.450 --> 30:45.310]  They're like, we don't want you to talk about this.
[30:47.130 --> 30:50.410]  How many of you have an rto of four hours for e-mail?
[30:50.410 --> 30:54.830]  That's your most important application in any company.
[30:54.830 --> 31:02.510]  The mindset i want to share with you today is 48 hours is no Longer good enough.
[31:02.550 --> 31:09.710]  Unless you're investing millions Of dollars to be able to get yourself back up and running, There are technologies that help you do that.
[31:09.850 --> 31:14.170]  There are great resilience experts that know how to keep Things running as well.
[31:14.170 --> 31:17.910]  It takes you two days to clear A network of attackers if you've been breached.
[31:18.070 --> 31:21.090]  So how are you going to be back up and running in 48 hours?
[31:21.090 --> 31:22.250]  It's not possible.
[31:23.170 --> 31:26.150]  So this is a mindset that we Have to understand.
[31:26.350 --> 31:32.050]  And in order to recover Promptly, i purposely didn't use the word quickly here.
[31:33.730 --> 31:38.970]  Promptly means to the level of your capability that you've Prepared for.
[31:38.970 --> 31:50.490]  If you have not prepared to Recover other than tabletop exercises and the business Continuity plan that you update on paper every now and then, You're not going to recover quickly.
[31:50.610 --> 31:55.610]  You will be down for days, weeks, and even months as we're Starting to see.
[31:57.030 --> 31:58.230]  All right.
[31:59.630 --> 32:00.930]  Number ten.
[32:02.010 --> 32:10.270]  So after you go through all of That, after you go through all of that, there's a new normal.
[32:11.290 --> 32:20.210]  You don't get to go back to feeling safe and secure and That nothing bad is going to happen to you because your Mindset has shifted.
[32:20.210 --> 32:23.170]  You understand bad things will Happen.
[32:23.170 --> 32:31.790]  I always love to read the Newspaper, see the news when something bad happens somewhere And the person is like, oh, i never thought that would happen Here.
[32:32.430 --> 32:34.230]  Yeah, well, it did.
[32:34.250 --> 32:35.950]  Now there's a new normal.
[32:36.650 --> 32:39.730]  Now we have to lock our patio Doors more often.
[32:39.770 --> 32:42.430]  Now we have to make sure the Front door is locked more often.
[32:42.990 --> 32:44.810]  Let's not leave the keys in the Car.
[32:44.810 --> 32:45.970]  That kind of thing.
[32:46.270 --> 32:53.650]  I use that one just for my wife who's in the audience because i Seem to like to leave my key in the car for some reason now.
[32:53.650 --> 32:55.310]  I don't know what that's about.
[32:56.330 --> 33:00.130]  But it's an insecure activity on My part.
[33:00.130 --> 33:02.310]  Maybe i just feel a little too Safe.
[33:02.650 --> 33:04.310]  I shouldn't do that.
[33:05.350 --> 33:05.990]  All right.
[33:05.990 --> 33:17.230]  So this is where now if my car is Ever stolen with the key in the car, the insurance company, i Don't know if they'll still pay for it or not, but i need to Assume an elevated defense posture.
[33:17.890 --> 33:20.790]  Things are not the way they used to be.
[33:20.870 --> 33:24.950]  And usually after a breach, you are retargeted within six Months.
[33:24.950 --> 33:26.750]  If you pay the ransom.
[33:27.790 --> 33:33.190]  If you don't pay the ransom, it's more like 12 to 18 months.
[33:33.190 --> 33:35.470]  They assume you're a tougher target.
[33:35.470 --> 33:37.570]  You've raised the cost for the attackers.
[33:37.570 --> 33:42.070]  But if you pay the ransom, the bully will come back for your Lunch.
[33:43.270 --> 33:46.270]  And so my advice is don't pay The ransom.
[33:46.270 --> 33:52.930]  But depending on business Decisions and what needs to be done, obviously, it may be Appropriate.
[33:53.790 --> 33:54.530]  All right.
[33:54.530 --> 34:06.110]  So what i have on screen, and just so you can partially read It, it's from the european union, and it is a threat map of What they believe cyber risk will look like in 2030.
[34:09.290 --> 34:28.750]  And as we know, the war that we prepare for and ramp up our Projects for, by the time we get done with the project, it Takes 12, 18, 24 months to segment the network properly, Get all kinds of, you know, defensive tools in place, hire People to do that work,
[34:28.750 --> 34:32.490]  to run those capabilities, hire Vendors to run those capabilities.
[34:32.850 --> 34:36.110]  By the time you get through with the project, you have to start A new project.
[34:36.410 --> 34:38.410]  Because the threat has evolved.
[34:38.410 --> 34:41.450]  It's already moved from what you designed for.
[34:41.450 --> 34:45.790]  So this is where i'd like to talk about continuous Adaptation.
[34:45.990 --> 34:47.670]  Continuously evolving.
[34:47.730 --> 34:50.930]  To meet and understand the threat.
[34:51.010 --> 34:53.350]  You should have at least one person.
[34:53.710 --> 34:59.430]  Now, i have come across a one-person security team now in The past six months.
[35:00.590 --> 35:05.150]  Well, they're one person Everything in the organization.
[35:05.510 --> 35:09.290]  But there should be some time devoted to threat intel.
[35:09.290 --> 35:12.410]  Understanding what's happening in the environment.
[35:12.410 --> 35:14.770]  In the external environment.
[35:14.870 --> 35:16.370]  It's not that hard.
[35:17.090 --> 35:24.130]  In my case, hashtag cyber on twitter slash x, pretty darn Good.
[35:24.150 --> 35:31.010]  It will tell you sometimes four To six hours ahead of publicly reported news what's happening.
[35:31.050 --> 35:34.870]  Just an easy item, doesn't cost you a thing, right?
[35:34.870 --> 35:36.370]  Just a little bit of time.
[35:36.650 --> 35:43.590]  So you have to elevate your Defense posture, and you have to understand the emerging Threats that are on the horizon.
[35:47.210 --> 35:49.850]  So it's a little cliche, right?
[35:49.850 --> 35:52.010]  It can feel this way.
[35:52.910 --> 35:58.130]  I almost never use, you know, That the world is changing in a powerpoint presentation.
[35:58.130 --> 36:00.910]  Yes, got it, sheldon, the world is changing.
[36:02.550 --> 36:05.390]  But the world is really changing.
[36:06.090 --> 36:12.250]  Just this week, right, stock markets are being turned upside Down.
[36:12.250 --> 36:12.850]  Wow.
[36:12.850 --> 36:22.830]  I don't think i would have experienced, i would have Thought i would have experienced that level of stock shock in my Lifetime at least.
[36:23.150 --> 36:24.690]  So this is war.
[36:24.690 --> 36:26.650]  This is how we need to think about this.
[36:27.190 --> 36:34.310]  And the question is, how do we get the other folks in our Organization to understand what we're really dealing with?
[36:34.310 --> 36:47.650]  And so the question i'll pose to you is, are you going to Shift your mindset so that you can adapt, so that we can win?
[36:48.150 --> 36:52.090]  And i don't know about you, but i like to be on the winning Side of things.
[36:52.470 --> 36:57.290]  I wake up every day thinking About how can i provide value today?
[36:58.010 --> 37:05.490]  Someone at work heard me say this, and i still have not Identified this individual, but there are pictures everywhere.
[37:05.490 --> 37:06.690]  Create value daily.
[37:07.110 --> 37:08.730]  Like, wow, that's really good.
[37:08.730 --> 37:10.270]  They even put one up in my office.
[37:10.270 --> 37:11.570]  I don't know what they're trying to say.
[37:13.530 --> 37:22.890]  Yeah, how are you providing value today as it relates to Cyber security for your company, for your industry, for your Family?
[37:23.390 --> 37:29.530]  not just the people that live In your house, but the extended family that you have, that you Care about.
[37:30.010 --> 37:32.570]  So with that said, that is the End of my presentation.
[37:32.850 --> 37:39.050]  I really thank michael getzman For inviting me to cyphercon this year.
[37:39.290 --> 37:46.610]  In my many roles, i've never made it to cyphercon, so i Finally made it, and it's an amazing experience.
[37:46.730 --> 38:04.170]  So if you need help with any of that stuff, if you'd like to Just talk through any of that, we're also available to talk With boards, with senior leaders, sometimes hearing the Questions that you might have to stick around can be helpful.
[38:04.790 --> 38:06.850]  Cream city cyber, we're out in the hallway.
[38:07.310 --> 38:08.610]  Again, thank you so much.
[38:08.610 --> 38:09.730]  I appreciate the time.
[38:19.460 --> 38:24.960]  I believe we have time for questions, if anyone has...
[38:24.960 --> 38:27.080]  Okay, yep, i'm getting the thumbs up.
[38:27.800 --> 38:30.040]  Are there any questions from the audience?
[38:34.600 --> 38:35.740]  Yes, sir.
[38:43.870 --> 38:44.610]  Yes.
[38:44.610 --> 38:47.450]  So thanks for asking.
[38:47.450 --> 38:58.270]  So the example i'll give you is Think of a multinational corporation, you have multiple Operating subsidiaries, and they're connected via networks.
[38:59.110 --> 39:20.250]  So basically you would... we'd put... i don't want to say Vlans in this case, but basically we'd create virtual Networking connections between these so that via software Programatically we have a script ready to go that someone Is authorized to run, they run that script,
[39:20.250 --> 39:26.570]  and it disconnects Basically the virtual nix from the rest of the network.
[39:27.330 --> 39:29.770]  Now, sounds good.
[39:30.030 --> 39:39.350]  As we describe this to many Of our partners, some of the biggest names in the country, They said, wow, that's amazing, we wish we could do that.
[39:39.350 --> 39:42.570]  Yeah, you know, okay, we did pretty well.
[39:42.570 --> 39:48.950]  The problem is you need to make sure you can still manage the Parts of the network you jettisoned.
[39:49.350 --> 39:56.050]  So you can make the mistake of disconnecting and now losing Control of those parts of the network.
[39:56.050 --> 40:04.810]  So it's really important to have some kind of a break glass Capability or protected route that you've already set up to be Able to access those locations.
[40:05.690 --> 40:06.610]  Yeah, thank you.
[40:06.610 --> 40:07.830]  Great question.
[40:07.970 --> 40:09.390]  Yes, sir.
[40:09.810 --> 40:12.630]  Thank you.
[40:27.530 --> 40:28.930]  Yep.
[40:39.680 --> 40:42.100]  I love this question.
[40:42.100 --> 40:48.100]  So, yeah, do i think the threats Are evolving based on the technology?
[40:48.100 --> 40:52.660]  So in this case, identity attacks have been going on for Decades, right?
[40:53.360 --> 41:14.100]  yes, the threats are Evolving, but i'll start with identity-based attacks are the Norm, and because of the firepower that can be utilized To advance those attacks quickly, and the rise of sites Like linkedin, by the way, your identity engineer shouldn't put In their title,
[41:14.100 --> 41:15.470]  i'm an octa engineer.
[41:15.960 --> 41:17.200]  Great.
[41:17.200 --> 41:21.840]  You're the one i want to come Talk to, or i'm a sale point engineer.
[41:21.840 --> 41:23.240]  Now , i know why we do that.
[41:23.240 --> 41:29.580]  I did it when i was an active Directory guy and i want other companies to find me in case This thing doesn't work out.
[41:30.060 --> 41:39.300]  But the threats are evolving Because they're able to automate these threats so much now.
[41:39.380 --> 41:41.240]  So i'll give you an example.
[41:42.040 --> 41:44.420]  I talked about the live off the Land attacks.
[41:44.420 --> 41:50.020]  I basically need to be able to Create a connection to your network that i can obfuscate.
[41:50.260 --> 41:51.880]  And this is the new normal.
[41:51.940 --> 42:02.400]  And i can make everything look Like it's reversing, but you're actually looking for traffic Exiting, but as it comes through the firewall, you don't see Anything.
[42:02.820 --> 42:12.360]  And this is the genius of Where we've evolved to, and i'm sure many folks in this room Study this stuff and have tried it out.
[42:12.360 --> 42:19.840]  If i can obfuscate my activities more, i can bring More automation to the fight through that remote connection.
[42:21.160 --> 42:24.940]  Yeah, i can hunt around my network all i want for a Compromised host.
[42:24.940 --> 42:26.640]  But it's not on my network.
[42:27.180 --> 42:32.760]  And so that's why destroying that persistence, doing those Barrel rolls come in handy as well.
[42:33.640 --> 42:35.000]  So thank you.
[42:35.520 --> 42:37.380]  Was there... yeah.
[43:02.410 --> 43:03.850]  Right.
[43:05.110 --> 43:19.650]  So the question is, i talked About barrel rolls for domain controllers, but they didn't Talk about analyzing the data from those potentially Compromised hosts before they're taken down.
[43:20.310 --> 43:25.470]  Ideally, those logs are flowing to a sim in realtime.
[43:25.630 --> 43:26.850]  Ideally.
[43:27.110 --> 43:29.930]  Now, i know there are some Instances where that's not possible.
[43:31.950 --> 43:37.330]  If you know you have attacker on network, it doesn't matter at That point.
[43:37.990 --> 43:44.450]  So in this case, if you've got a Fleet of 100 domain controllers, we don't know which domain Controller they're on.
[43:44.510 --> 43:48.930]  We know they're on one of them, And we have to roll these, we have to do barrel rolls on These .
[43:49.370 --> 43:53.750]  That being said, in a breach Situation , well, let me back up for a minute.
[43:53.750 --> 43:58.790]  Proactively, i advocate this as a preventative measure as well.
[43:59.570 --> 44:02.330]  Back in the day, we used to just use the at scheduler.
[44:02.330 --> 44:03.950]  I don't know if anybody still does that anymore.
[44:04.210 --> 44:15.410]  And you can just do a quick reboot in the middle of the Night, and you can do your even numbered on monday, you can do Your odd number on tuesday, and just keep switching.
[44:16.090 --> 44:18.670]  So it gives you a little bit of a preventative control.
[44:20.870 --> 44:23.730]  Until you know if you have an attacker on the network.
[44:23.730 --> 44:27.670]  And in the breach scenario, destroying persistence.
[44:27.990 --> 44:31.910]  But the real answer to your question is, the logs have to Get to a sim.
[44:32.010 --> 44:51.210]  So one of the things that i Mentioned early is, and i probably didn't touch on it as Much here, is operating in a degraded environment also means That you lack visibility.
[44:52.330 --> 45:02.170]  And i can tell you, a good Majority of companies do not have complete coverage of logs Coming to a sim in their company.
[45:02.430 --> 45:03.590]  It's too expensive.
[45:04.230 --> 45:06.910]  And so we start to make risk-based decisions.
[45:07.110 --> 45:12.930]  Until the risk moves to the place where we made a risk-based Decision, and now we don't have logs.
[45:13.230 --> 45:23.430]  So always, always, always, you have to get telemetry moving in Real time to a place where someone can see that telemetry And analyze it.
[45:23.430 --> 45:25.150]  Really important.
[45:25.310 --> 45:26.730]  Yes, tina.
[45:58.980 --> 46:02.440]  Well, i love this question.
[46:02.960 --> 46:07.720]  Because, and my wife can attest to this, i've been having an Interesting week.
[46:08.440 --> 46:10.700]  I'm not a cso anymore.
[46:10.940 --> 46:12.740]  I'm not a cio anymore.
[46:12.740 --> 46:13.480]  I'm a ceo.
[46:13.480 --> 46:17.000]  I worry about things like meeting payroll now.
[46:18.060 --> 46:21.380]  It's just a different thing.
[46:21.680 --> 46:23.500]  I worry about employee experience.
[46:23.500 --> 46:31.920]  I worry about, we've recruited a lot of people in the past six Months, so i worry about losing talent, you know, to some other Company, right?
[46:31.920 --> 46:39.160]  all the stuff that maybe i Thought about, but someone else has taken care of it for me in Another life, right?
[46:39.700 --> 46:56.920]  so the way i answer that, tina, Is, and i've talked with a couple of medium-sized business Owners, i've seen actual attacks that have put businesses out of Out of, they've put them out of business.
[46:58.140 --> 47:10.760]  Whether they were an acquisition as part of a larger company, and They just didn't understand their risks, they're moving fast, They're a cool start-up, so we're not going to worry about That stuff, we'll worry about it later, because we've got to get The features out,
[47:10.760 --> 47:13.800]  we've got to make money, we've got to raise Our valuation, all that stuff.
[47:14.040 --> 47:31.200]  well, when the risk shows up for You, it shows up, and you don't know when, and so it's, i don't Know if i have a better answer for that, tina, but it's more About making sure the business is viable for the future, and It's just another risk that you have to account for,
[47:31.200 --> 47:35.200]  like Financial risk, like human risk, operational risk.
[47:35.200 --> 47:51.240]  So that's how we try to talk with customers about that, in Terms of, there are the five board-level risks you're always Thinking about, here's a six that is present within all of Those risks, and you need to manage that as well.
[47:51.600 --> 47:55.060]  You can coach me later on if that's a good answer or not.
[47:55.120 --> 47:59.760]  Tina's one of my mentors for a while, so i appreciate you.
[48:00.120 --> 48:01.820]  Anybody else?
[48:02.140 --> 48:03.280]  yes.
[48:10.620 --> 48:15.200]  What do protected routes look like in companies that are doing It well?
[48:15.720 --> 48:17.520]  i don't know if they're here.
[48:17.520 --> 48:25.160]  I don't know if i'm supposed to do any product endorsements, but In our case, we use silverfort, so it's an israeli start-up.
[48:25.520 --> 48:28.240]  I know there are other competitors to silverfort.
[48:28.240 --> 48:30.600]  I just know how silverfort works.
[48:31.000 --> 48:40.080]  The important part is that when an attacker breaks into your Network now, they can even unpatch vulnerabilities that You've patched.
[48:41.040 --> 48:42.040]  Right?
[48:42.040 --> 48:43.200]  Yeah, laughter.
[48:43.500 --> 48:46.780]  First time i heard this, i'm Like, really?
[48:46.940 --> 48:47.880]  oh, okay.
[48:47.880 --> 48:48.920]  That sucks.
[48:51.520 --> 49:04.660]  So you mitigated past the hash And, you know, the audit people are happy, and you went to the Board and you told them, yay, we mitigated this, and the Hackers are like, no problem, we'll just revert it back to its Previous state.
[49:05.880 --> 49:09.320]  So silverfort prevents that.
[49:09.320 --> 49:24.040]  It enforces a configuration on the domain controller, and it Ensures allow connectivity for identities and device.
[49:24.040 --> 49:32.760]  So now i have to allow the identity and the device to talk To the host, the target location.
[49:33.040 --> 49:54.880]  The other scenario here is, if i know my network is degraded, And i spoke to asiso last year, as they were being run over Essentially by attackers, they were monitoring everything he Was saying to the general counsel via teams.
[49:55.460 --> 50:02.580]  So they were in the network, they were in o365, and every Play they made, the attacker was ahead of them.
[50:02.580 --> 50:03.860]  They were like, how is that possible?
[50:03.860 --> 50:07.180]  Turns out they were compromised, they didn't have out-of-band Communication.
[50:07.420 --> 50:20.280]  So that protected route also Allows the remediation team to come in and operate safely and Start to clear and hold, get parts of the forest back under Control until we have the whole thing under control.
[50:20.920 --> 50:22.980]  So quite a few scenarios around that.
[50:22.980 --> 50:25.640]  There's somebody way back there under the blinding light.
[50:49.260 --> 50:50.400]  All right.
[50:50.400 --> 50:51.740]  That's the presentation.
[50:55.700 --> 51:06.480]  So what he said is how do you handle external stakeholders, Including vendors that are pressuring you to accept risk Instead of working with you to just fix it.
[51:07.120 --> 51:13.320]  That is probably the toughest part of any person's job that Works in cyber or risk.
[51:13.320 --> 51:15.820]  Like i said, these are risk Management programs first.
[51:16.840 --> 51:24.680]  One of the things that i've put In place over the years, and so watch out for the scapegoat, Right?
[51:24.680 --> 51:29.680]  so it's, oh, well, sheldon, Here's the issue, we need you to sign off on this risk.
[51:29.980 --> 51:31.600]  Yeah, no, i don't think so.
[51:32.800 --> 51:41.380]  What is the risk to the business Unit, and so the process we put in place is that the business Owner and the cso signs off on the risk.
[51:41.620 --> 51:49.580]  And the cso has the authority to veto that business, that risk Acceptance.
[51:49.680 --> 51:58.460]  Almost always that would put me In some kind of line of fire with someone who's trying to Roll out something by tomorrow or it's revenue facing, right?
[51:58.460 --> 52:04.300]  So those are the moments where it's important you do have to Challenge the status quo sometimes.
[52:04.300 --> 52:20.680]  This is mindset, of course, because in a couple of Instances where i have signed off on the risk and it went Wrong, i ended up in front of the board, not the business Stakeholder, and not the cto, right?
[52:20.780 --> 52:30.260]  So that's where you have to make sure you've got good processes In place, we all understand the process, and we understand what We need to do to sign off on those risks.
[52:30.660 --> 52:34.020]  So i think i'm out of time, so thank you very much.
[52:34.020 --> 52:35.960]  I hope you got something out of this presentation.