Tackling Tech Troubles: Inside the DFW Airport Cyber Incident and Wider Industry Challenges with Evan Morgan

Episode 22 August 19, 2024 00:51:29
Tackling Tech Troubles: Inside the DFW Airport Cyber Incident and Wider Industry Challenges with Evan Morgan
PrOTect It All
Tackling Tech Troubles: Inside the DFW Airport Cyber Incident and Wider Industry Challenges with Evan Morgan

Aug 19 2024 | 00:51:29

/

Hosted By

Aaron Crow

Show Notes

In this episode of Protect It All, titled "Tackling Tech Troubles: Inside the DFW Airport Cyber Incident and Wider Industry Challenges with Evan Morgan," host Aaron Crow explore the complexities of widespread tech issues, focusing on a recent cybersecurity incident at DFW Airport that affected over 1,000 machines. Guest Evan Morgan, founder of Cyber Defense Army, discusses the challenges of resolving such large-scale incidents and the importance of standardization and AI in cybersecurity.

 

Evan shares his journey from an Air Force aircraft mechanic to a cybersecurity expert, highlighting the benefits and challenges of running a small consultancy versus a large firm. The episode also covers recent cybersecurity incidents involving CrowdStrike and Microsoft 365, emphasizing the need for preventive measures and trust in business and technology. 

 

Practical tips for everyday cybersecurity and insights into industry-wide challenges make this episode a valuable resource for listeners across all sectors.

 

Key Moments: 

00:10 Entrepreneurship brings freedom and awesome transformations.

03:54 Recent tech outages are gaining mainstream media attention.

07:52 Adapting existing tech for enhanced security measures.

10:48 Over-the-air car updates are complex and uncertain.

14:01 DFW airport machines, recovery time, and problem.

18:39 How do we improve efficiency and learning?

21:26 Customers validate goods, test, streamline, feedback.

25:10 Cyber enables business growth and protection.

28:52 Cyberattack halted gas sales, risking pipeline operations.

32:55 Challenges in the multi-faceted role, regulatory changes.

35:35 Commonalities in cybersecurity, despite differences in industry.

39:33 Robotics and AI revolutionize future human roles.

40:42 AI would bring trust, speed, and efficiency.

44:38 Defense technology, both funny and scary.

47:59 Distance tech carries risk, needs personal vigilance.

 

About the guest : 

 

Evan Morgan is the Founder of Cyber Defense Army, a cybersecurity consultancy and services firm that incorporates geopolitical risk in their cybersecurity practices.  He is a service-disabled Veteran of the United States Air Force and served in the post-9/11 campaigns, as well as remote tours to the Republic of Korea.  He holds a Master's degree in Information Systems (Computer Security Management specialization) and a Master of Business Administration (Information Systems Management specialization), both with honors from Strayer University. Post his military service, he has led cybersecurity functions for Fortune 100 organizations, was a global leader for a worldwide consultancy, and has been honored with multiple cybersecurity awards for his efforts in protecting the organization he was a part of previously.

 

Connect with Evan via LinkedIn:  https://www.linkedin.com/in/evanmorgan/

Cyber Defense Army's website:  https://www.cyberdefensearmy.com/

 

Connect With Aaron Crow:

 

Learn more about PrOTect IT All:

 

To be a guest or suggest a guest/episode, please email us at [email protected]

View Full Transcript

Episode Transcript

[00:00:00] Speaker A: You're listening to protect it all, where Aaron Crow expands the conversation beyond just ot delving into the interconnected worlds of it and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crow. Hey, welcome to the show. Evan, why don't you introduce yourself, tell us who you are. Tell the audience, like, what is your background? All that kind of stuff. [00:00:25] Speaker B: Thanks, Aaron. So, Evan Morgan, I founded Cyber Defense army about a year ago. We're a cybersecurity consultancy and services firm. My background, I started in the air Force section. Aircraft mechanic. Wasn't in cyber back in those days. Worked on hydraulics. C joined right after 911. So kind of just took the first thing going versus waiting a year for cyber. And then I got out and ultimately have had a few different roles in different industries, retail, financial services department, homeland Security, into consulting, where we first meth back in July. But, yeah, my background has pretty much been technology engineering, cyber since then, and that's what I do today. [00:01:05] Speaker A: That's awesome how. Just really quick side note, how is it launching a cyber firm and doing something, going out on your own and kind of launching this new thing? [00:01:15] Speaker B: It's awesome and scary and all the. All the different emotions. Like, I mean, when. When you kind of get into that moment of wanting to do something different, like, it's just like, you know, you know, you're there. Like, I've been in inside of corporate America for almost two decades at this point. Nothing wrong with. With that type of role, but I just kind of wanted to be the captain of my own ship, so to speak, and just go off and do my own thing and then kind of grow from there. So we're. We're about eight folks now within cyber defense army, so. So we're continuing to grow. I have a couple really, really good clients that have been really supportive and ultimately have had awesome and transformations that we've been doing. So, you know, from a day to day type thing that you would do inside of a corporation. I'm lucky enough to be able to do that across multiple clients, multiple organizations, and have a lot more freedom to do things like this. Right. Like, you don't have as many barriers when you're running your own company versus being inside another company. But, yeah, I mean, there's definitely the moments of, oh, wow, like, this is all on me, right? Like, you know, the things that inside of the big organizations, you know, you complain about the processes or lack of processes, all this other stuff, and it's like, wait, all this is on me now? Like, I don't have any of these partners to potentially work with and, you know, complain about waiting for this, that and the other thing. Like, it's on me. It's either happens with me or it doesn't happen. So it's, it ebbs and flows, you know, take the good with the bad. I've really, really enjoyed it, to be honest. [00:02:46] Speaker A: Yeah. I mean, obviously, we work for one of the largest firms, you know, in the world, and there's a lot of pros and cons to that. Right. And it's just like with anything, like, I love that firm. I still have a lot of friends there, and I still, you know, refer them a lot, lot and get referrals from them a lot. But there's definitely a difference between the things that we could do inside that bubble from a, you know, obviously sec audit restriction and just that kind of thing. But even beyond that, just a big company versus a small company and the things that you can do from a liability perspective and just the size of, you know, it takes a long time to steer a large ship versus a smaller one. You can be more nimble and you can do a lot more and be intentional about the things that you do. So that's exciting. Yeah. You know, I've, I've got a lot going on as well. And, you know, the difference between working for a small firm and a big firm, you know, doing things on my own and all those things, it's, it's definitely a different perspective depending on which seat you're sitting in. But all those are valuable ads to our customers because they all benefit from all of those perspectives that we've seen through all those different seats that we've sat in. Right. [00:03:52] Speaker B: Totally. Lots of learning. [00:03:54] Speaker A: So there's so much going on in the world these days, obviously the latest being the crowdstrike thing and actually just saw another thing come up today on Microsoft 365 and Xbox and all that being down. Let's talk a little bit about, because I know you've got some firsthand experience in this, but with all this crowdstrike stuff, it's amazing how we're starting to see more and more things in the mainstream media. All these things have happened for years, and you and I have seen it firsthand, and we've dealt with outages that have probably been as large or larger, maybe not as large or larger, but still really large. Right. But they weren't public. Right. They weren't as forward facing the normal normies, people that are not in technology and cybersecurity and consulting they never heard of it. Right. It didn't impact them in the same way. So why is this one so much bigger and different? [00:04:51] Speaker B: Yeah, I think that as an industry, when I really think back over my career, a lot of teams have always focused on detecting and responding to things. And then as the threats continue to evolve and became more advanced, that really wasn't enough anymore. Things were faster. Especially we talked about leveraging AI in the more modern day. Ultimately, you need more preventative protections versus just ultimately knowing something happened and then responding after the fact. I think that that is a little bit of a bledsome, you know, like, you want that you want to be able to put in the protections immediately, as fast as you possibly can. And, you know, Crowdstrike definitely does have a level of testing, validation in the release management processes that I've seen firsthand as a customer multiple times over and multiple other firms, like, I actually, you know, hold them in high regard as far as their, you know, effectiveness there. But, you know, everybody does make mistakes and do help them. Right? But Crowdstrike definitely became a, became a household name after that. Talking about folks that ultimately have never seen or heard of some of these things. I had some friends that texted me and they're like, hey, what's this crowdstrike thing? I can't get on my flight. So, yeah, that was interesting to see all that kind of unfold. But when you see how tools that hook into such a deep aspect of, of our systems, right, when you hook into the kernel, I mean, that's the power, right? But that's the double x orb that comes with it. So one misstep in that scenario, you have all these systems that ultimately go down, and we don't realize how interconnected, or most folks don't realize how interconnected we are these days compared to what you see in the movies. Like, we truly are at the point where minor things like that can bring down full industries, full regions of the world. I broaden this a little bit. Like, I think about how adversaries can ultimately use that against us from a nation state perspective, right? Like, even if there was no, you know, you think about the solar winds hook in and Russia and everything there. This is kind of similar in the sense that, granted, there's, there's no attribution to any, any actors outside of Crowdstrike. Not trying to imply that, just simply saying that if you look at how the dominoes fell, ultimately others are watching that, too. They're looking at going, how do I leverage that? How do I leverage that from not just crowdstrike, but also others that play in the same space where I can hook in and ultimately send out some malformed updates and take everybody out that I want to in a certain region. That's interesting times, for me, at least. [00:07:24] Speaker A: Yeah, I mean, it ultimately is. And as we start bringing all of this technology and we expand it, and I've said this a million times, but the reason we're in these places is because of the technology that we brought. We brought the commercially off the shelf stuff and brought it into OT. We're using it in our kiosk, in our airport. We're using it to do booking. And why are we doing that? Because it's so expensive. It doesn't make sense to build these custom systems and isolate them the way that we used to. It's way cheaper to just take something off the shelf and convert it and make the code, the application run on top of it, which means we're bringing all those technology concerns into these spaces. Why do we have a product like Crowdstrike that's dealing with the kernel? Most people may not. May not even understand what that means, but that's like the. The lowest level of the operating system in everything. It has to touch every other part of the, of the applications and the user experience. Like, as a user, you're not really getting into the, the kernel itself. The operating system does that in the background. But Crowdstrike has to do that because it has to be able to detect if a bad actor or malware or a virus is in there and doing things that are weird. So Crowdstrike has to be able at that level, but by having that capability, it causes all these problems. And we've brought those needs to be able to detect malware and be able to detect anomalies in these ot spaces because of the technology gap and how we want more data and we want to be faster, we want to have all these new capabilities, and all those things are good. I've never been a component to just go back to 1950, do a completely isolated air gapped system that, you know, we took to the moon and just stay there like we're good. Right? Because it's not the same. Yes, it can work. You look at a nuclear power plant, and a lot of the technology in there, at least one of the triple redundant systems, is that. But even on those system, they're putting in newer capable systems in one of those tertiary systems, because they need more data. We need more efficiency, like, we want to run these things more efficiently. And by bringing these tools in. It's not just a matter of, you know, I get blinky lights and pretty things like I have behind me, but it's also about, I can run these things, 1015, 20% more efficient, which means better costs, better recovery, better for the environment. Like, all the things are better, but there's also risks that we have to bring in and understand what those risks mean. [00:09:56] Speaker B: Yep, exactly. Did you hear any impacts within the, like the nuclear space from your ics IoT kind of connections? [00:10:04] Speaker A: I have not. I mean, I've seen some, most of the folks that I've reached out to, they aren't using it in the space. And the ones that I have that are using it did not have auto updates on, so they did not have those updates done. And that really leads to, you know, the bigger piece of what the issue was with the crowdstrike. Right. And to your point, nobody is beating up on crusher. I know, I'm not, like, I think it's a great product. I think it's a great company. Things happen though. Like, we've seen this, you know, go back to take the company away. But just look at Microsoft. Like, the OS, like it. We get patches on windows every patch Tuesday, right? How many of those break a system every week? It breaks a system. Like, it just does. It inherently does. It's going to happen. Like you, it's, there's too many variables to change, which is why for me, like, when Tesla started over the air, updating their cars, to me, it was just like, I can't even imagine the complexity of that because I'm not sure I want auto updates on my car when I'm driving it down the road. There's just too many. Too many things that can happen. But that's a side note. But ultimately, I think the big issue with these is that update process and how do we do this? And that's not a Crowdstrike problem. We have to assume that even if CrowdStrike did everything that they possibly could to test these patch releases and updates, there's no way you can know if that will impact your system because you have different software installed, it's configured a different way, it's got different hardware. You know, everything about it is different. And again, this is not a new problem. We've been dealing with this problem my entire career. I've been doing desktop support and systems administration and deployments and architecture and all these things I never deploy. Like when I, when I ran a, when I was a asset owner at a power company, a power plant in Texas, right. I had a team and I always told them we don't patch unless we're sitting in front of the computer and you don't patch on Friday like those, those are my rules. You're gonna go patch at this power plant that's 3 hours away, get in your car and drive over there because ultimately it's gonna break and then it's down for 3 hours waiting for you to get there. And then I'm getting the call because you sent something remotely because you didn't want to get over there. So if it's really that important, then we need to be in person and that's just the difference when ot and it really, in these, in these spaces. [00:12:23] Speaker B: Yeah, yeah, totally. And you mentioned Patch Tuesday and you're like, oh, there's so many systems that go down. I mean immediately. My thought was, yeah, if Patch Tuesday doesn't get them exploit, Wednesday does. Right. About the whole process, it's like, I really appreciate Microsoft with the focus on trying to make sure we get vulnerabilities out, but at the same time, just the approach kind of makes it kind of predictable on, all right, well, I know what the latest ones are and I know I'm going to be able to pop a few folks with some of these along the way that aren't going to patch immediately because of the concern on resiliency. So it's always like this kind of double edged sword where, you know, you got to weigh out the particular risk in your organization, your particular operations, and to your point, certain aspects of, hey, we need people locally that can support these when things do go down, you need to be there when you ultimately try to push these patches versus just, hey, we're in a big corporate environment. Everything's kind of the same from a laptop perspective. Push it out. You solve the few things remotely. You're, you know, in an IoT and ICS heavy environment. It's, it's definitely different. Definitely different risk posture. [00:13:22] Speaker A: Well, and that's what we saw with this crowdstrike issue. Right. Is it wasn't that it was that hard to recover from. It's that there were so many systems and they were spread out at every airport in the country. Right. How do I get a person? And for the most part, the recovery meant I had to be at the computer to get it out of safe, you know, boot into safe mode and go through this process. The process wasn't that complex. It wasn't that hard to recover. You know, Crowdstrike came out really quickly and said, here's how you recovered. But the biggest problem was, how do I do it? Right. If you don't have a way to get into safe mode remotely, which a lot of these desktops probably don't have the capability, or at least it wasn't configured, then you have to have a person in front of that machine. And how many machines are at DFW airport that had that problem? Thousands. I mean, I don't know the answer. It's more than five and it's less than a million. It's somewhere in there, and it's just a domino effect. Like, how long does it take to recover each one of those things? Let's say that it's 15 minutes, right. You know, but then I have to finish up, test it, make sure it's all up and running, do all that kind of stuff. So maybe it's 30 minutes, and then I have to walk to the next station. Maybe it's the one right next door. So maybe I can bundle five of them together, but then I have to walk, you know, so again, it's just a time problem of. And I. How many people do I have to throw at the problem? You know, I know a lot of, a lot of customers were reaching out to consultancies like me and you saying, hey, I need bodies, like, I need people that I could throw at this problem, because, again, we know the solution, we know how to fix it. But I don't have enough people to get to it in the timeframe that I want to be able to do it. I can't throw enough people at it because I don't have enough people to do it. Did you experience some of that as well? [00:15:01] Speaker B: A little bit. So, thankfully, the clients that I'm supporting, most of them do not have crowdstrike, and the ones that did ultimately weren't impacted. Right. So there was a little bit of saving grace there. But, yeah, I mean, when you're talking about having people to throw at the problem, to your point, it wasn't a difficult change, but it's not like every person that's available can go solve some of these problems. Like, even with step by step instructions, the average person may not even understand how to access some of these things to remove that file. So it is interesting that it's been, what, two weeks now? A week and a half now. At this point, I'm wondering if there's still some systems that are down that are still in the kind of blue screen of death right now. I wouldn't be surprised if there, if there are. You know, folks are probably going to focus on the revenue generating systems first. But I'm not doubting that there's, that there's some that are still out there that they have to resolve, you know, various organizations. [00:15:57] Speaker A: Yeah. And, you know, so we talked a little bit about the deployment. I've seen it. I've seen some conversations through, from cisos and such as, well, around diversification, you know, having a one thing across, you know, and I fought this battle for a long time, and I can argue both sides. You know, let's look at a firewall. Right? Should I use vendor a in these places and use vendor b over here? Because, you know, a vendor a has a vulnerability, then that vulnerability is spread across my entire organization. Whereas if I split it and kind of, you know, hodgepodge it across, then you know, that vulnerabilities and all the place, which is true, but then you have to have a support team that supports two different types of hardware and two different products, and licensing is different. And like, there's, there's all these other problems that go with that as well. So I was never, I didn't really like that, especially in a larger organization, because I felt that, yes, it was a, you're reducing one risk vector or one attack vector, and you're gaining way more that you, you're, you're less efficient in so many other ways. I didn't feel it was as beneficial, but I hear that talked about a lot, and maybe it's a, an over correction because of how big the problem was and how painful it was for them. But I see, I could see people pushing that in their, in their architecture or their budgets in these next coming years. [00:17:18] Speaker B: Yeah, I think that's, that's an interesting perspective there. Like, I definitely still see people that still do that. Right, where they look to have some variety within their product sets for the same capability. Like, I've mostly been in very large organizations throughout my career, typically run the security engineering function. So, like, architecture engineering, kind of blending those two together. My job has always been like, hey, we've got a ton of tools. We're getting very little value for these things. Help me unscrew this situation, for lack of a better phrase there. And that's what I've always done, is really transforming organizations. Like laying out what are the capabilities we need, not just from a regulatory standpoint, but really to protect our organization. Like, what do we need? And then start mapping tools to those and then going, all right, we've got one of the prior companies that I used to work at. I'll forget the name now. But they had seven different laughs when I got there. And when I mean different, I mean different vendors and products, seven different, four of them weren't even really being used at all and they were just continuing to pay the bill. And the other three were very, very light usage. We got them down to the point where we only had a few, right, and we had some ones that were focused specifically on cloud. And then one that was on prem that really did everything was the full toolbox, so to speak. But that was really our focus was how do we get more efficient out of use of these tools? How do we increase the fidelity of our actual alerting? Because even in the scenario of just firewalls, you have two different firewalls vendors. That's, that's pretty good. Just have two. Some companies have three or four. But then you're going, how do I actually respond to these in an effective and consistent way? Right? Like that's a lot of work that goes into just the data engineering of plumbing. All of those, all those logs into a central sim or at least data lake, something along those lines where you can review them from, from a ops perspective. And then you have different telemetry that you're getting. Then you have this mash up. What will this from? This one means? This versus this. Let's, these actually mean the same thing. And then you start doing all this other magic, data magic on the top of that to try to figure all that out. That's when you hire the data scientists and all these others. And to your point, all of that additional legwork just so I can have two different vendors versus one and basically unify my platform. I do think that there's a lot of value in standardizing your tool sets. Like a lot of value. But I do see that there's some value in, hey, we have some level of belt suspender approach, so to speak, if we split into two different product sets. But I really don't think that outweighs the benefits or the losses that you get, so to speak, from having multiple for the same product capability. [00:19:58] Speaker A: With all that we see coming up in the news, like I said, with crowdstrike and all the Microsoft things, and we're constantly seeing vendors with releases. And again, the fact that it's more forward facing, do you have, do you see any change in customer conversations, et cetera, of their willingness, their budget lines opening, their desire to do more or their understanding? What are you seeing from a customer understanding as these things continue to come out? [00:20:29] Speaker B: So this is the big new event but I think that a lot of these are very similar. They come up in the same way. The reactions from folks are very similar, in my opinion, which is, hey, I want to be as secure as possible, but I don't want to impact my business. You're constantly doing that scale of like, all right, well, how much can we put over here versus over here to kind of balance this out? So I definitely have folks that are talking to us about I don't want to be in that situation where my systems are down like other folks are in my industry. How do I avoid that? Right? So we're talking about how do we pull back some, some of the posture that they have to make it so that they do have some level of internal validation versus just relying on their third parties, because that is a pretty common thing, too, where folks go, hey, I have a contract with you. I'm expecting this thing and ultimately it's going to be perfect every time. Well, there are accidents that do happen, just like we saw with Crowdstrike, and now you have folks that are going, wait, this shouldn't happen. You're right. But also it's on you as a customer to still validate that you want the things that you're getting and that it's a good bill of goods. Right. And if it's not, don't apply that update. And that's where, you know, testing and isolation and all those other types of things happen. But there's a cost to that, right? You have to add additional people, most likely. And then once you get to a good point where you really start to fine tune that, then you can start automating some of those things. But there still needs to be some level of feedback loop with a human where you go, hey, does this pass the sniff test or not? Should we let this out into all of production or not? And then you start talking about smaller environments where test and production is kind of the same thing. So you even have one less environment for them to even try to test stuff out in the sandbox versus larger organizations that have, you know, multiple, if not up to a dozen potential different test environments for different scenarios. So yeah, it's definitely, it's woken folks up, I think, as far as the impact and the importance. But, you know, this, this, if you've been in this field for a long time, you know that the news cycle is pretty short and you know the next thing's going to happen where folks are going to go up. I go from here to over here, which is totally normal human nature, but I'm hoping that we'll see a positive change as an industry where, you know, just in general, folks take. Take resiliency and testing and make that more of their day to day. But I think, you know, time will tell on that one. [00:22:48] Speaker A: What are some of the more difficult conversations that you have on the cyberspace? You know, whether it be, you know, convincing a customer. Convincing is not the right word, but, you know, helping them justify the need or really understanding the risks to their business and how to. How to remediate that instead of, you know, because I know ten years ago or so, everybody was like, well, I've got cyber insurance. I don't need to, you know, have cybersecurity. Right? But I think we've seen cyber insurance changed in that. That's not good enough. Like, yeah, you can have insurance. It's like insurance on your car, but, you know, if you. If you run it into a poll, your insurance gonna be like, yeah, that was your fault, buddy. You know, they're gonna be hesitant to, you know, pay. Pay you for things that are outside of their scope. So they're. They're stretching down, you know, budgets are hard. Cybersecurity is a cost. That's. That's a difficult thing that we consistently fight. So what are some of those hard conversations that you're having with customers and, you know, again, validating a justify or justifying the cost and the implementation and the time and the people. And it's not just technology, it's people process and technology that it really goes into. [00:23:58] Speaker B: Right, yeah, great question. So, like, when I think about the crowdstrike event in particular, it was like 5.4 billion lost in a single day. Right? So that's what I'm seeing in the news. As far as the latest cyber instrument. From everything I've seen, it's only between, like, ten and 20% of what you actually, you know, your impact was is what they'll pay you back for. So to your point, it really isn't enough. It's more of like, hey, this gives me a little bit of cherry on top, but where's the rest? Right, so. So some of the more difficult conversations are more around the business value, right? So everything costs, right? Whether it's talking about software, hardware, people, professional services, all the different things, there's always a cost associated with some of that. So the harder conversations are, how do I get value out of cyber? Like, I invest money. How am I getting. Getting it back? Right. And we think about it in purely financial terms, I think it becomes really difficult because ultimately, you're trying to calculate out risk, and there's so many different variables and there's so many different ways and perspectives to measure it, too. You know, some are great, some maybe not so great, but it's, I think there's a different flavor for everybody. But I think it's more important to think about the enablement of what cyber can bring to your business. Right. So when you look at modern organizations or actually more modern countries, I should say ones that have more of a digital infrastructure, the amount of revenue that we generate, that these businesses generate by having all this digital infrastructure, that's when you start to help people understand, like, hey, it's part of the cost of doing business. Like, you don't want to invest in something that doesn't make you money, right? But you also want to protect the things that do make you money. And that's really what cyber is about. It's just like, you know, when you have traditional banks, brick and mortar banks, you have security guards there. Now, granted, like, this isn't maybe the best analogy or ultimately the best way to spend your money, but you definitely have a lot more bank robberies back in the day if you didn't have security guards at least trying to mitigate some of the attempts to rob those banks, right? And it's very much, much the same thing. If you don't have basic cyber controls, basic technology, hygiene, and cyber hygiene, you're just leaving yourself out on the wire to easily get popped and easily get exposed, have a breach. I mean, especially if you're talking about small medium business. Breaches really can bring them down to the point where they are out of business. So, I mean, the big headlines where it's like x number of millions, tens of millions, hundreds of millions in fines for lack of cyber protections for the big organizations, small ones don't have that to even remotely throw at the problem. They just close up shop, which is really detrimental for so many folks. Their customers, their employees, the owners, everybody. So cyber is really, really, truly important. It's just whether or not folks can understand that. And that's where I think you have to start talking about the risk to the business, the operational risk, the business risk, all those things, versus just, hey, cyber, hey, firewalls, hey, you know, ids, ips, stuff like that that we talk about. And it's really true. Truly understand at a deeper level, the average person is like, I don't understand what that means. Help me understand it in my terms. Come meet me where I'm at, which is I'm owning a business, I'm running a business. Help me understand why do I need that? Right. You talk about in a different set. [00:27:05] Speaker A: Of terms and they understand well. And it's, you know, one of the things Idaho national labs is working with this concept of cyber informed engineering. Right. And really designing from the ground up and adding on, you know, from a cyber perspective, when I'm designing a process, I shouldn't aim, I should cyber should inform that engineering. Right. It's a lot easier to do that design in the beginning, just like if anything, right? If I'm designing a car, it's a lot easier to design it with seats from the beginning than build a car without seats and then come back and figure out how to put seats in it after the fact. Right. It's a lot more expensive. It's a lot more difficult. Right. It's the same thing with this. Right. And it's cyber. You know, we talk about these small companies, we talk about these startups, and a lot of times I see, and some of the conversations I'm having is around that, right. It's around these startups get going. They're building a product. They don't have a lot of money to allocate towards cyber. And it's always a, I'm going to kick the can down the road and I'm just going to, I'm going to, I'm going to take the risk right now and accept that risk. I think too long, too many organizations are accepting that risk, and they don't necessarily understand the risk that they're accepting. And part of that is, I don't think it's malice. A lot of that is just because I don't think enough people really understand truly what can happen. And I think that goes back to this crowdstrike issue. I think it goes back to so many issues that we've seen over the years where something happens and they didn't. You look at colonial pipeline and you look at the target attack and you look at all these different things, and it's not like these companies are doing bad things. They just, or not doing anything. They were, they were trying to do all the right things. Like target had all of their security in their system done, but it came in from a vendor, right, and they had a backdoor, and they just basically went around all of those cyber controls. You know, colonial pipeline, like, it didn't impact their OT environment, but it stopped them from being able to sell gas and sell their product in those pipelines because they couldn't determine how much money you know, how much they were sending down the piece. Um, and it's the same thing with a lot of these things. Right. It's, you know, another analogy I always give is, is it's like you, you buy a new car, you never change the oil because it's expensive to change the oil. And you drive that car for ten years and you've never changed the oil, and you're, every day that you drive it, right. You know, it's, but it's a risk. You know, you're tearing your engine up. Eventually it's going to bite you and it's going to be way more expensive than it would have been if you just change the oil along the way like you're supposed to, instead of, you know, at five years or whatever, the engine just seizes and you've got to replace an engine. That's an expensive day, right? You're throwing a car away. You're throwing an engine away depending on the vehicle. And that's a really expensive day. And a lot of these companies, in my experience, are doing that. Like, they are just avoiding it. They're, they're putting it off and they'll say, I'll accept that risk without understanding how much it's going to cost them on that day. And it's not just a technology perspective, loss of business. You know, their product line goes, how many, how much did Delta and American and all the airlines lose on that day because of this crowdstrike issue? Millions. You already talked about 5 billion. Right. It's a huge number. A smaller company. They wouldn't, they'd just close up shop. Like they couldn't pay their payroll. Those are really, really large companies. But still, the impact to these is huge. We're playing with big numbers. We're playing with big impacts. It's also a reason why there's a difference between pushing a patch to a windows that my, my emails running on. If that goes down, I can find a workaround. I've got my phone. Like, there's other ways that I can check my email. Whereas, you know, the, they couldn't book people on airlines. Like the, you, you saw the graphic with all that, all the planes in the air that day and how it went down. I think they were like, like nothing. There was almost like no airplanes in the air, which is like, I think it's the lowest, the lowest amount of airport airplanes in the air since, like, 911. It was crazy. And that just shows the level of impact. It's insane. So, I mean, again, how do we continue to have these conversations. I struggle with the fear selling that a lot of vendors do where they're just going out fire and brimstone like the Baptist preachers of the nineties or whatever. This guy is falling. You've got to buy my thing or else it can't be that. But also, it can't just be, you're fine, you know, you don't have to do anything. It can't be either of those. Maybe the SEC ruling on, you know, actually holding, you know, the C suite and the CISO specifically accountable can help, but I think in my experience, most of our cisos don't even have the, the authority to make, make decisions that they need to change anything anyway. So what do you think on those? [00:32:00] Speaker B: Yeah, well, I think the, the SEC comment at the end there, I'm hopeful to see the positive change because I agree, going through this with multiple large organizations, multiple different industries, it's not an industry specific problem. It is an organizational problem. Unfortunately, some organizations even kind of pigeonholed the CISO to be ultimately the fall guy or gal, and it's really nothing more than that, which is really unfortunate. And thankfully, there's nothing too many of those that I've seen. But, yeah, like, it's ultimately these impacts that I think folks are going to start seeing firsthand from. Ultimately, the SEC change is ultimately going to drive broader conversation and broader change as an industry. If the sea level, if the CISO is going to be a c level role, then it needs to be able to have the same responsibilities and same accountability and ultimately the same purview to be able to drive change like other sea levels, because today it's been more of like Taskmaster extraordinaire across the board, a negotiator, like engineer, Ops, ops person, risk person, compliance person, a little bit of legal in there. It's just, it's a, it's a mixed bag of all different types of operations, which has made it extremely difficult for folks to be successful in that role and ultimately sets the organization up for failure on top of it. So I'm hoping that the CSO role will get elevated for a lot of organizations, at least ones that are, you know, in scope for the SEC. But I think. I think time will tell on that one. But, but, yeah, I mean, we're already starting to see some, some activity in the news related to some of the changes, and I've definitely heard that, you know, eight ks and some of the other disclosures have increased, which is a good, good sign. Right. I do think that there is a level of secrecy and kind of cloak and dagger in our industry that shouldn't be there. Ultimately, you gotta have some level of privacy with the organization. But at the same time, like, we are all interconnected. And now with, with the crowdstrike example, it couldn't even be more blatant in people's faces that we are very interconnected. So when you talk about like, oh, you know, threat intel for my industry versus your industry, we talk about the isacs and things like that. I love that we have those. But I also think it's really short sighted to go, well, hey, it's only relevant to my industry, not your industry, right? Like, like we're all in the same region, we're all on the same planet. We all have the same exposures. Whether or not, you know, attackers are really going after you versus me, sure. But we should still be all aware. We should still have all the same intel, we should still have all the same protections we're sharing with each other because it's really, it's about protecting us as a species and all of our digital infrastructure that supports us day in and day out of how we operate. Right? [00:34:34] Speaker A: Yeah. And if you look at the difference between organizations and the same, when you look at, you know, a power utility versus, you know, a cell phone manufacturer or, you know, just a bank, when you look at the tech stack, you have to get pretty low in the tech stack before the real changes happen. Right? They're going to have stuff in the cloud. They're going to have windows based machines. They're going to have printers. They're going to have it Microsoft Exchange. They're going to have office 365. Like, all of those things are the same in any of those. It's not until you get down to like the OT product level that really the things start changing. Are they making, you know, widgets in a warehouse? Are they, are they just a financial company? And obviously there's some regulations on top of that, but, but ultimately we have, it's just like, in general, like the difference between you and I. Like, I have no idea how you vote or, you know, what religion you are or any of that stuff, but we have way more in common than we don't. Right, because we're both humans. We both live in America. Like, we both have jobs. We're both in cybersecurity. There's a lot of commonalities that we have, you know, more than we don't. And it's really easy to focus on, you know, just like with politics and religion and race and all the things, it's easy to focus on the things that we have different and think that's the biggest thing in the world. And I'm not saying those aren't important, but we all have a lot more in common in this space. Again, from the top down, you got to get pretty low in that tech stack before things really start changing between a power company and a bank. Right. We still have to make money. We still have officers, we still have employees. Like, what's our biggest risk to, to environment? It's people. Right? People are always, the thing is going to bring somebody in. I have people at a power plant. I have people at a bank. Right. I'm still dealing with people. Yep. [00:36:21] Speaker B: Totally, totally. [00:36:23] Speaker A: Yeah. [00:36:23] Speaker B: And, you know, talking about people like you, you said something earlier. I did. I forgot to touch on, which was like the approach to kind of selling and fear mongering and stuff like that. Like, you know, being in this industry for like two decades now at this point and being an executive, you know, over engineering for a long period of that time, it's constantly getting sold. Like my phone was ringing left and right. Constantly email just deluge all day long with, with, you know, you got to buy this. You got to buy this. I mean, there were some were extremely aggressive. The more we had plans and we didn't loop them in and they're like, we're going to call your ethics hotline. It's like additive. [00:36:57] Speaker A: Have at it. [00:36:58] Speaker B: Like, we're allowed to buy whatever we want. Like there's some crazy folks out in the world, but ultimately that fear mongering approach, like, I just, I can't, I can't move somebody away from me faster when I get sold, when I try to get sold that way. Like, I just don't like that. I don't do that myself. Right? Like there's got to be, to your point, like a healthy level of understanding of the risk. And ultimately, what does this mean? So there's, there's some level of awareness for raising for folks, but you gotta, gotta do it in a, where you're not trying to be like, you gotta buy my product or ultimately you're gonna get popped. Right. Because that's just b's. And, you know, there are, there are companies that do that. Like when something happens, you'll see like the stock emails that come out from all the companies in that space that are like, boom, boom, boom, this happened. You got to buy my product. We'll save the world for you. It's like, yeah, if you've been through some of these implementations, you know that that's not true. You know, be more realistic, be more transparent, be more genuine with, with your customers on your prospects. And I think you'll get a better return than trying to do the short term fear mongering approach of, hey, buy it, and then ultimately next renewal. No, no, you're out. Like, that's ultimately the end result for that type of, that type of salesperson. [00:38:03] Speaker A: So if, and I'm going to, I'm going to swing this on you. I didn't prep you for this. If you could solve one problem in cybersecurity, like you were God for a day and, or you had three wishes or what? One, let's just go with one, and you could solve one cybersecurity issue that you see. What's the one that you think would be the most impactful that you'd pick? [00:38:25] Speaker B: That's a great question. I think actually, it kind of ties into what we've been talking about with crowdstrike, that with the resiliency aspect, the ability to actually have some level of guaranteed high fidelity on all of our changes, our implementations, our rollouts, all that type of stuff. I think that I've seen a lot of, you know, things over the years where, you know, you do one step forward, three steps back. If ultimately things get rolled out in a, you know, too aggressive state, and ultimately you cause impact of the business, then ultimately, you know, you not only go back, but you ultimately go further back than you were before it even started. [00:39:06] Speaker A: Right. [00:39:06] Speaker B: So I think, I think as we, you know, this has become a buzzword that's also, like, that put bad taste in your mouth almost. But like AI, right? Like, so we've had AI in our space for a lot of spaces for over a decade, you know, two decades to a degree, when you start talking about scripting and some other things, you know, generative AI is what made it really interesting for folks. Sorry, they really ringing my doorbell like crazy. Did I cut that, cut that, cut that. So, you know, generate AI is what people really talk about. And, you know, they're like, oh, the buzzword of the day. But, but I see a lot of things with robotics these days that are just like, amazing. Not to give props to anybody in particular, but Boston Dynamics is an amazing company. I see a lot of stuff come out of it. There are a couple others, competitors are similar to them. When you start looking at their ability to ingest so much information and leverage AI in that space to perform so many actions that are literally changing by the millisecond that's pretty astounding. And you start thinking about where we're going, we start talking about androids and other robotics in the future and how they can help us as the human race basically distance ourselves from having to be in the grind every day and actually kind of more orchestrate all of those actions. That's I think, really, really interesting. But really like how long winded way to go back to leveraging that same type of capability in our ability to protect our organizations with our controls, with being able to have extremely high fidelity with all of our releases as far as their ability to be sound versus not so sound is really kind of my point. I think that would be astounding. I think that we would have so much more trust and being able to go fast and we wouldn't have 30 meetings to try to have a conversation about are we going to maybe do this thing possibly at some point this year? It would just be let's, let's go. It makes sense. We understand the why, the how and the what really are we're totally on board with because we know guaranteed it's going to work. And I say guaranteed. I mean, you have so much, so many different aspects of AI hooked, hooked in from the standpoint of truly ensuring soundness of those releases, thoroughly testing them, and so many different perspectives, all those different permutations of the stack you were talking about earlier. It could potentially test against all of those and validate that they all work the way that they should. And you wouldn't have kind of that blue screen of death scenario. And I know there's a lot that goes into making that happen, but if I had one wish, I think that would be, that'd be amazing. [00:41:34] Speaker A: Right? [00:41:34] Speaker B: Because you could just have so much guaranteed return on your investment when it comes to your time, your effort and really your, you know, your assets that you're investing in. [00:41:42] Speaker A: Yeah, absolutely. And it's, it's, it's funny to me as I say this a lot now, and you said something there and we really move at the speed of trust. Right. What is the biggest problem that we overcome? It's not, you know, it's getting a product, it's understanding that we need it. It's understanding that's going to work. It's building connects trust between me and you, me and the customer, me and the asset owner. Like as soon as we build that trust, then it's easier for us to move on to the next thing. Like I trust you now can I trust the technology? Okay, now I trust the technology. Now let's do that. Like, we have to move down those things that I trust that this thing is accurate. It's true. It's gonna work. I can break things. Like, you know, your cost is accurate. You're. You're not lying to me. Like, all those types of things and all the different scenarios, whatever that trust environment is. But as soon as we check that trust box, then we can move on to the next one. But until we trust, until we check that trust box, you can say anything in the world, and I don't take it as fact, and you can tell me, your product is great. You know, we've all seen demos of product, and then we've gotten it in hand and been like, what did you show me? Because this is not that lipstick on a pig, whatever your demo world is like, that's like a video game, and this is not that. I don't know what happened. We've all been there. Like, it's. It's the test drive of the car. Like, it looks, you know, you. You look at a car on. On Carzilla or whatever online, and then you go look at the car in person. You're like, where did all these scratches and dents and the dirt? What did you do? Or the filters people put on Instagram and stuff. It's just like, just take a picture. I'm old. I've got wrinkles. It is what it is. [00:43:34] Speaker B: I still need to get one for this. All this gray, right? [00:43:37] Speaker A: Exactly. I've got gray coming in, too. Yeah. It just is what it is. Well, so that leads me into, it's our wrap up question, but on that same line, like, you know, the next five to ten years, what's one thing that you see coming up over the rise and that maybe you're excited about and maybe it kind of goes along with some of the things you've already said, but maybe what's one thing that. That also is concerning, that we, we definitely need to make or adjust or see that can cause an impact if we don't do something about. [00:44:10] Speaker B: Great question. Yeah. So I would piggyback off of kind of where I was going with leveraging AI and more, the robotic side, less so, sure. I just see so much potential in that space with some of the more leading firms. I see the ability to really, truly change kind of how we operate as a. A species on the planet. Right. We were talking about our systems, but also, like, all the things that support us, our support infrastructure, our scaffolding around how we operate, but also there's double edged sword. Again, sorry to use that term one more time, but, and, like, some of the things that you see from a more defense industry perspective with, with some of that. Right. Even, like, some of the robotic dogs, like, it's just kind of, it's, it's funny, but it's also kind of scary. You know, you see some of the ones that are coming out from other, other nations, and they just hop a, you know, pop an m 16 right on the back of it, and they're just running around. And ultimately, it's like, that's, that's our usage of some of this amazing technology we just built. Really. Let's just strap an m 16 to the back. Now, granted, there's, there's a lot of really cool, like, law enforcement kind of leveraging or use cases for, for that and things like that, you know, sweeping buildings and whatnot, but there's. There's a lot of change coming to our world. I think in the next few years, definitely the next, you know, 510 15 years, I think that we're going to see it just at least in the more developed parts of the world, we're going to see a drastic change where, you know, robotics become more of a day to day. It's not going to be your roombas anymore. It's going to be, you know, live in house assistance types of stuff, which really starts to transform into, hey, this is like movies that we, we kind of live in, which is crazy. So, I mean, it's exciting. It's amazing. Also, it's kind of scary to some degree. Right? Because, you know, robots don't have feelings. They process logic, and that's it. And, you know, if the person that's behind the, behind the scenes developing that brain for them has different intentions or misunderstands the situation by what it's processing with its sensors, you can put somebody in a really bad spot in a lot of ways. So, yeah, I. It's awesome. It's amazing. It's also kind of scary. That is cyber, I think, as well, though. [00:46:22] Speaker A: It is. I agree 100%. And it's so exciting to be, you know, I don't know how old you are, but, you know, I grew up. I was born in the seventies and went, you know, I started out before Internet, and, you know, I got my first computer, and then I remember the start of AOL and online and dial up and all the things. And, you know, now I have gigabit speed to my house, and we're streaming this, and my kids are playing video games, and my wife streaming YouTube and, like, all the things are happening all at the same time and we're not even, you know, having an issue or buffering on this thing. I remember it take hours and maybe even days to download a picture from early, early Internet. Yeah, I mean, hit download and go to eat and then come back and see if it may be done when you get back. It may not be right, depending on the size of the file. But, you know, so much has changed in such a small amount of time when you really think about it and it's just happening faster. Like that hockey stick of the amount of things that are happening and how quickly it's happening is just, I mean, our cell phones, like, again, I remember the first iPhone I had, and I remember now, like, we can FaceTime, like, we can have video calls with people as we're walking around and we just take it for granted. Like, everybody has this. I sent my friend a video message earlier today. I just did a video real quick and sent it to him. Like, it's, it's before I'd had to call or send a text message. Maybe I could send an audio, but I can send a full 4k video across the Internet, across the air, and he gets it on his little computer, in his phone, in his hand, and he can play it like it's an, it's amazing. My, my family lives in Dallas. I live in Austin. They can facetime with my kids. Like, it's, it's a big difference between distance and all these technologies are great, but we have to be careful about them because there's also people that take advantage. I've had family members that have been, had phishing attacks and have given money away because they thought it was an investment or this or that, and they've gotten access to bank accounts. So all these things come with risks. But that doesn't mean we throw the baby out with the bathwater. It just means we have to start being intelligent about it. And it's not just enough. It comes naturally to you and I and folks like us because this is what we do for a living. But the normal people, everyday people, have to be thinking about cybersecurity more. Again, not as much as we do, but they can't just, they can't just assume that somebody else is going to take care of it for them. Right? You've got to take personal responsibility. You got different passwords. You got to, you know, do some of those basic hygiene type things so that you're not impacted in your personal life because of all the things that's coming out because it's cool, but it can also impact you. [00:48:55] Speaker B: Totally agree. Couldn't agree more. [00:48:57] Speaker A: So. So call to action. Why don't you tell people how to get a hold of you, like a little bit about what you guys do and the services you guys provide and all that kind of stuff and anything you want people to know. [00:49:09] Speaker B: Sure. Thanks, Aaron. Yeah. So cyber Defense army. We are a cybersecurity consultancy. My background is very much engineering, architecture. So a lot of the customers I help are more helping them look at their entire stack end and figure out what works, what doesn't work, and then kind of help them work through that transformation. I also have a VCISO service that I have with a few different clients where I ultimately help them from a lot of different kind of compliance framework perspective. Right. So not just things like sec, but ultimately Finra, ultimately GDPR, ISO Soc, two, all those types of things. We have an AI enabled platform that ultimately takes it. So you can select the compliance frameworks you want to align to, and then we run through all the assessments, technical and kind of risk based, and then it basically generates all the tailored policies for that organization based off their industry as well as a remediation plan. Don't we comply with all of those to get their certifications? So that's kind of our newest piece where I've tied up a product in with a service versus just being a peer services organization. [00:50:13] Speaker A: Right. [00:50:14] Speaker B: But yeah, so my organization, we're about eight of us, about to go to nine, still growing. So things are, things are good. As far as how you want to get ahold of me, feel free to check out my website, cyberdefensearmy.com. we're going through a little bit of a revamp, so you'll probably see a little bit of change over the next few days, next few weeks. But. But all the things are still the same. It's just more of a better, better window dressing versus what I built originally. And then also, I'm pretty active on LinkedIn. You can check me out on LinkedIn. Evan Morgan, you'll find me. Find me on there. [00:50:46] Speaker A: Awesome. And I'll put all those in the show notes here. So people, you can definitely click on that. Find his LinkedIn, find the website, all that kind of stuff. So, Evan, thank you so much for your time today, man. I appreciate it. It's good catching up. I'm sure we'll cross paths many times again, but definitely thanks for your time and until next time, sir. [00:51:03] Speaker B: Awesome. Thank you. [00:51:05] Speaker A: Thanks for joining us on protect it all. Where we explore, explore the crossroads of it and ot cybersecurity. Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time.
Previous Episode
Next Episode

Other Episodes

Episode 13

June 24, 2024 01:00:58
Episode Cover

Unlocking the Future: Hands-On Learning and AI's Role in Cybersecurity Education with Philip Huff

Welcome to Episode 13 of Protect It All! This episode features Philip Huff, a professor at UA Little Rock and a cybersecurity expert. He...

Listen

Episode 9

April 19, 2024 01:09:10
Episode Cover

From Basics to Quantum: A Comprehensive Dive into Cybersecurity Trends

Summary The conversation covers various topics related to cybersecurity, including offensive security, IoT devices, hidden threats in cables, advanced hacking devices, privacy concerns with...

Listen

Episode 23

August 26, 2024 01:06:59
Episode Cover

Why Cybersecurity Matters: Protecting Our Food Supply from Digital Threats with Kristin Demoranville

In this insightful episode of Protect It All, titled "Why Cybersecurity Matters: Protecting Our Food Supply from Digital Threats with Kristin Demoranville," host Aaron...

Listen