Understanding Cybersecurity Risks and Management: Insights from Harry Thomas

Episode 35 December 09, 2024 00:54:45

PrOTect It All

Hosted By

Aaron Crow

Show Notes

In this episode, host Aaron Crow dives into cybersecurity and risk management with guest Harry Thomas, CTO and co-founder of Frenos. This episode tackles the complexities of managing security risks in large organizations, from outdated systems to inconsistent cybersecurity postures across various sites.

Listeners will learn how companies leverage consultants and community support to bridge knowledge gaps and the importance of operationalizing cybersecurity tools. Harry Thomas shares his views on the evolving landscape of OT security tools, the role of AI in enhancing productivity, and innovative approaches to addressing vulnerabilities in critical infrastructure.

The episode also explores the advantages of hybrid cloud models for improved resilience and ROI and offers practical advice on risk management and adaptability. Get Harry's book recommendations and learn about Frenos' platform, which is designed to efficiently prioritize and mitigate risks.

Tune in for essential knowledge and strategies to "protect it all," whether you're an experienced cybersecurity professional or just starting out. This discussion is packed with actionable insights and innovative perspectives you won't want to miss.

 

Key Moments: 

04:07 Understanding comprehensive risk environments requires collective expertise.

11:43 Flexible onboarding for diverse technological infrastructures.

14:21 Tools are costly; operational transfer challenges value.

17:22 Replicated improves network security troubleshooting efficiency.

21:07 OT must embrace new technologies for growth.

25:17 Cloud's benefits outweigh outdated equipment's drawbacks.

27:12 Fast internet enables remote power plant operation.

30:46 Prioritize resources over patching 80,000 devices.

35:13 Patching insufficient in OT, unlike IT systems.

37:43 Different risk approaches for IT vs. OT scenarios.

45:41 All business involves people, adaptability, and growth.

47:42 Cybersecurity will shift focus to customer impact.

 

About the guest:

Harry Thomas, a cybersecurity veteran with over a decade of expertise, specializes in offensive penetration testing and securing industrial and healthcare infrastructure. As CTO of Frenos, Harry leads the company’s strategic innovation, focusing on advanced cybersecurity solutions to safeguard critical systems against evolving threats.

An accomplished educator and speaker, Harry has taught “Hacking PLCs” at DEF CON and BSides Orlando, spoken at BSides NH, and appeared on the Secure Insights podcast, sharing insights on cybersecurity challenges and advancements.

Previously, he served as Director of Product R&D at Dragos, where he strengthened security in industrial control systems, and at AWS, where he developed AI/ML-driven user behavioral analytics to enhance security. Known for his technical expertise and leadership, Harry is a prominent speaker at global cybersecurity conferences, offering strategic insights into threat mitigation.

 

Connect with Harry:

https://frenos.io/

https://frenos.io/blog/atlas-advanced-threat-landscape-analysis-system

https://frenos.io/blog/proactive-defense-zero-disruption-why-frenos-won-the-datatribe-challenge


To be a guest or suggest a guest/episode, please email us at [email protected]



Please leave us a review on Apple/Spotify Podcasts:

Apple   - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124

Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4


Episode Transcript

[00:00:00] Speaker A: You're listening to Protect it all, where Aaron Crow expands the conversation beyond just OT delving into the interconnected worlds of IT and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crowe. All right, thank you for joining us today. I'm excited to have this conversation. Harry, why don't you introduce yourself to the guests and tell us who you are, what you guys do. [00:00:29] Speaker B: Yeah, no problem. Thanks for having me here. Harry Thomas. I'm the CTO and co founder of Franos. What Franos is, is a decision making platform that helps kind of people figure out what risks to work on today through the use of AI simulations and a digital twin network replica. [00:00:49] Speaker A: That's awesome. You know, we talk so much about AI and so many vendors are bolting AI on and all that kind of stuff, but actually seeing, you know, obvious, I know you guys and I know you and Brian, your CEO, so, you know, I've kind of seen some of the behind the scenes of, you know, what you guys, and the purpose of it. And it's really powerful to see all these new technology and capabilities that are coming out and what can we do? How can we be smarter? Right? We've only got a dollar to spend. Where's the right place to spend it? And many times, especially in ot, we don't always know where that is. Like, our environments are huge. You know, we're buying firewalls, we're spending money in these areas, but we don't always know where the best place and the most value add from a lowering my risk from protecting my environment. Where is it that I should point it? So how do you guys, how are you all tackling that as far as helping people make those decisions around where should I spend my focus? [00:01:43] Speaker B: Yeah, yeah, no, great question. I mean, so for me and you were you work in OT and all that stuff, vulnerabilities are everywhere, right? 
You can follow like CBSs and be like, what's the highest on CBSs for me to work on? How we're taking the approach is completely different. Focusing from like an adversarial point of view, not like breach and attack simulation, not like actual doing penetration tests, but like if an adversary were to get in and they had all the data that we have as defenders to influence their decisions, what's the most critical and efficient path would they take? To get to my substation to get to the oil refinery, right? And I find that taking that hacker mentality approach by combining your greatest like asset as a defender is your data really kind of does this purple team effect, right? Where now you have this automated. We call it, we call it Cyra, right? We personified our AI reasoning agent. But Sarah, she goes and, and tries to find all this stuff double backing within the network where it makes sense. Pulling data from certain assets that it needs to use for future events. That reasoning is what allows us to go, okay, this actually that Cyra found might be pretty critical because it's taking in effect or taking into account all of our other data sets. [00:03:24] Speaker A: Well, you know, it's one of the problems that we have. You know, again my career is, has been spread across, you know, critical infrastructure, power, utility, a lot of very large environments. So let's look at a, you know, Duke Energy or, or Coca Cola or FedEx or whatever big company you can think of that have sites all over the place. I have to go to every single site and there's a site expert, right? Control system owner, whatever, an ot, whoever that person is, whatever title they have, they know all the things about that site. But there's, there's rarely anybody that has that understanding at a higher level that understands those risks across their organization. Right? So it's, I have to get all those people in the room and say, okay, what's the risk at your place? 
Okay, how does this work at your place? What does the network look like here? Do you have any bypasses like all that type of stuff. And there's really no way one person, especially when you're talking these large organizations, but even at smaller ones can really understand all of those risks, all of those attack vectors, all of those, you know, vulnerable, vulnerable spaces. And it's not just the MBD score, right? It's, it's the, hey, this, this thing is dual homed and it also has a back leg VPN thing over here and there's a cell tower thing over here. And nobody has that understanding and, or at least can always remember it in the right moment. So having all that data that somebody can peruse, somebody being even an AI, is hugely powerful. [00:04:50] Speaker B: Yeah. I mean, and you're talking about talking to like the site owner, right, that site owner. Their knowledge of Data could be 10 years ago, right? Oh, it used to be like that, Right, right. And where we're pulling the data directly from your security fabric, we're getting, we're combining the art of the possible, which is like your firewall configurations, that's what's allowed. And then enriching everything with whatever asset data or vulnerability data you have, right. You have a Dragon, so you have a Nozomi. Cool, that's fine. Let's enrich it all and let's figure out, right, like how bad is bad, right? [00:05:30] Speaker A: And then what do you, what do you do with that? Right? And that's, that's the other piece. So as a consultant, a lot of times I'm brought in to do an assessment. So I'm doing an assessment of a site, maybe it's in multiple sites, an organization, whatever. And I turn in this report and always tell my team and my guys is just like, hey, I don't want to give a report that's like, you know, my 10th grade English, you know, paper that I turned in and just came back all red, like everything was red because I did all these different things wrong, right? Because that's not super valuable. 
Like if you just tell them your baby's ugly and everything about your baby's ugly and nothing, you're doing everything wrong. Like they don't even know where to start. Like, what do I do with that? Like if I'm starting at zero or wherever you're at, what is the most, like if I, if I could only do one thing tomorrow, what is that one thing? Like what is the most important thing that I fix? And then I move to the smaller holes. That snowball effect of go take care of these like five items in the next six months. If you only have six more, you know, so many hours work on these things and they'll bring the most value to your organization. [00:06:30] Speaker B: Yeah. So what Saira does, because she knows what assets you have, what she can get to, what vulnerabilities you have, she's able to then provide the risk reducing recommendations on the side for every attack step and for every attack path. So if she finds 100 attack paths and she finds that a common vulnerability is like you let RDP through everywhere, all over your network, right? [00:06:54] Speaker A: Sure. [00:06:55] Speaker B: That could be a recommendation that she gives saying, hey, you know what, you might want to look at this because based off of the proliferation of this management protocol I like to call management protocols that, you know, it could be a really bad day if somebody were to take advantage of that. I, I find that it's not. We have our, what we call the FRANOS exposure score, which is just another label with the FRENOS name on it. But what it really takes into account is everything, right? It's not just like network exposure, it's about asset exposure, it's about vulnerability exposure, it's about your firewalls and what's allowed. Taking into account all of this, we're able to come up with this score through, we'll get fancy with machine learning model that lets you know how bad that is. Right. 
So like, even if you have like a critical vulnerability that's CVSS 10 and you have EPSS score of 80%, does that translate to your environment? Well, with the FRENOS exposure score, that might not translate to your environment that actually might be not that bad. And we actually prioritize things in a now, next, later. So your first 10 could be all now. Hey, you need to look at these first 10 findings that we have. And when you handle these, let's move on to the next. [00:08:22] Speaker A: Right? Yeah. I mean, prime example of that, and we see it all the time in these spaces, is you may have a Windows XP machine that's going to give you very high risks on all of the databases and it's just going to blinky light everywhere. But if it's disconnected, it's not on the network. Like it's air gapped, it's sitting in a physically locked room. Like it doesn't matter that all those risks are there because the attack vector and how to get to them are so small that it wouldn't be the first thing I would work on when I have something with a lower CVSS score but is sitting on the edge of my network directly connected to corporate and. Or the Internet. Right. [00:08:57] Speaker B: Yeah. It's like it's all about that attack vector. It's all about that attack vector and the attack surface. If you have something that's. We'll just keep talking about vulnerabilities. You have something that's a lower CVSS score but is spread across your environment that an adversary could just hook onto this one vulnerability and go from asset to asset. That's pretty bad. [00:09:19] Speaker A: Yeah, yeah. I mean, it's so impactful because again, going to these large organizations and I've been to very big ones and very small ones, even within these large organizations that have a more mature cybersecurity posture. Even in these OT spaces, you go from site to site and they're different. Right. I take the same, you know, process, but I implement it a little bit differently at all of these places. 
So there's no, there is a standard, but the standard adjusts per site. So what that means from a, from a defender's perspective, like if I'm the OT head of the OT or the ciso, I'm. I'm struggling because every side is a little bit different. In my, my security posture, my risk is a little different. The devices that I have in my environment. My level of, you know, competence in those spaces are all different. And I'm just depending upon my, my experts that are in the field to your point, going off of sometimes an old understanding, maybe 10 years old. And that's the, that's the playbook they're playing by. So they're defending against something that was true 10 years ago, but that play, that playbook hasn't been updated. I can't tell you how many times I've walked in like, oh yeah, we've got 10 assets and these are the, you know, these are the devices that are there. And then when I go look at it, there's 200 assets. Most of them, they had no idea they were there or what they do or how important it is to their, their business and why they're even there. Right. But they're too afraid to do anything about it because it's there. So it's got to be there for a reason, right? [00:10:51] Speaker B: Yeah, well, they're afraid to do anything with it is because sometimes they just don't know what to do. Right, Correct. Yeah, I got this. What's my tactical recommendation? And that's why they hire consultants and such that come in and be like, hey, maybe you should think about this as your direction of cybersecurity strategy. You know, really, really trying to call upon the community to help bridge this knowledge gap. 
Because if you think like most companies, I mean, yeah, you have a security organization, but you have network administrators, you have security architects, you have ot passive monitoring architects or something along the lines of that everybody's siloed and there's no single place where all the data is being analyzed that somebody can be like, okay, so this is the ground truth today. [00:11:43] Speaker A: Well, so walk me through. What does it look like as you're onboarding a new place? Let's say that it's a medium sized place, maybe it's just a single site, whatever that may look like. How flexible are you guys to be able to what you can plug into versus maybe you don't. They don't have as many tools. I mean, I guess there's kind of two spectrums. There's the more advanced, the Dukes, the FedExes, those folks that have all these security fabric things that they can send you data from all over the place. And you have the other side a wastewater. They may have nothing, right? They may have nothing. But here's my self spreadsheet of assets. That's the best I know. What can you do with both of those different types of things? To show value. [00:12:24] Speaker B: The great thing one, the fairness platform is an on prem deployment, your data never leaves on premise. Even our AI model, language models, machine learning models, they're all there. You can unplug us from the Internet, no problem. But the cool thing about what we're doing is we understand that juxtaposition between the most cybersecurity mature organizations to the least, and we have built features and capabilities to support both. You just have firewall configurations and a CSV of your assets. Cool. Send it in. We're good. Oh, you have Dragos whatnot deployed 90% of your network, and you're utilizing Panorama to control all your Palo Alto firewalls. Bring that in. You have to start from somewhere. 
Brian and I always have the conversation of when we're getting ready to design a new capability or feature for the platform. Who is this for? We ensure that our roadmap follows a standard cadence of two capabilities being developed right now are for everybody, and then one capability being developed right now is for the least mature cybersecurity organizations. [00:13:47] Speaker A: Sure. [00:13:48] Speaker B: So we ensure that we're. We're helping out everybody within the community, not just your FedExes and your dukes of the world. [00:13:56] Speaker A: Sure, yeah. I mean, it's easy. Obviously they have the bigger budget, so a lot of the, A lot of the tools are really built and focused on that more advanced use case. But that doesn't help the wastewaters that, you know, which is awesome. Like, companies like Dragos are going and saying, hey, you know, we'll give this away for free. But even a free product is not free because I have to implement it and I have to support it, and all those things come with it. And I love Dragos, I love Nozomi, I love all of these tools. But sometimes just the overhead and the operating of it is pricey and getting value out of it. Right. It's one thing to implement a tool, and this is one of the things, again, as a consultant that deploys stuff like this at large and small places. That's some of the big. The hardest part of the project sometimes is not the implementation. It's more the transfer to operations after I've stood it up, teaching them how to use it, maintain it, and then get value out of it so that it doesn't just sit in a data center running with nobody looking at it. Right. The tree falls in the forest and nobody sees it. Did it actually fall? [00:14:58] Speaker B: Yeah, it's so true. And like Brian and I both worked at security matters. I worked at Dragos. I felt that stuff and what's really great about coming out with now the next generation of OT security tools is we've learned from the stuff in the past. 
Like our deployment is three command lines on whatever VM you want or laptop. And the Kubernetes cluster stands up operationalize. We had one customer, had an intern use the platform. They're like, here's the poc and they hand it off to the intern. And the intern found stuff that consultants, some consultants took like a month and a half to find. [00:15:44] Speaker A: Right. [00:15:45] Speaker B: And we found it in a day. So like that time to value, that time to implement and stuff we've learned from. I wouldn't say they're necessarily past mistakes, but we've learned from history of deploying those first generation products. I mean, think about even in the IT perspective like we followed, you can say that ICS is somehow following the timeline of IT just a decade ago. Right. Starting with intrusion detection systems, migrating to stuff that's a little bit more endpoint focused and with even an IT that has changed progressively change where now majority of IT tools themselves are just agents running in the cloud. That's it. [00:16:29] Speaker A: Yep. [00:16:30] Speaker B: So like there's going to be a point where we're shifting to more flexible deployments. Even for us, it's all about rapid iteration. The benefit of having, if you're a SaaS vendor, the benefit of being a SaaS vendor is that you can deploy all you want. You deploy 15 times a day if you really want to. [00:16:52] Speaker A: Sure. [00:16:53] Speaker B: We saw that and we're like, okay, how do we take that SaaS deployment CICD pipeline and translate it to something that's on prem. That's why we partnered with a vendor called Replicated, which manages our embedded Kubernetes cluster. Because we can push out updates as much as we want. We can control. Some customers want to be on bleeding edge, other people want to be on two versions behind Stable. Being able to control all of that and understand same thing. Deployments was always really hard with network security monitoring. 
The other thing was troubleshooting. Troubleshooting was always hard with network security monitoring. For us it's like, all right, well we've partnered with Replicated. They have an ability to troubleshoot where you can send your files redacted automatically to somebody within our customer success organization to examine what went wrong. And it has all the logs of all the containers. That is like we're going from doing finances with pen and paper to using Excel with like automated algorithms to add up a column. Like that's how big of a difference that we're starting to see in a shift of next generation OT security tools. [00:18:15] Speaker A: Well, and the other thing to that, that really excites me. And you know, we work with Clint and Threat Gen, which I know you guys are talking with them as well, but, you know, think about a tabletop, right? A tabletop exercise last year, two years ago, right? It was a physical thing. You know, they bring in a consultant, you do this physical static process, and you do it one time and then you do another one next year, right? And it's not iterative. It doesn't adjust to your, you know, really, it's not super customized. It's customized to a point, but it has limitations in how customized it can be. Whereas processes like this, what you just talked about, I can learn from that. So in theory, I can do this tabletop or I can run through freenotes, right, and do those findings, go make a change and then do it again, right? And it's going to find different things. And then, okay, now what do I want to focus on? Okay, I got rid of the top three. Now what are my top three? Now that all these things are fixed, it may adjust the numbers based on other things because those top ones knocked other ones off and they were pivot points to other ones. And like, it's huge in how you can pivot and understand and almost run it like a daily. What should I work on this week? Okay, well, we've made these changes. 
Let's rerun this thing and see what my new things are. [00:19:32] Speaker B: Yeah, it's funny that you bring up Clint and his Auto Tabletop from Threat Gen. We're actually in conversations trying to figure out how franos and Auto Tabletop can merge together. Because like you said, you know, you're doing tabletops like once a year. Like, that's not good enough to stay up with snuff. Like, we all know from like, even sports, like, repetitive practice is how you ingrain everything. And Clinton and I were sitting, having a beer. I think we were actually having margaritas one day and we're like, hey, maybe because the Franos platform adapts to the customer's environment, we can utilize that to influence the tabletop. Build a scenario based off of your environment. Much to your point about every site being different. Something very site specific. [00:20:23] Speaker A: Yep. [00:20:24] Speaker B: Do the tabletop. And then if you find issues within the tabletop, you're like, oh, we actually have a compensating control for that. Or, oh, we actually have a security tool for that. Go back into frenos, add that data, rerun simulations Pump out a new scenario for your tabletop. [00:20:40] Speaker A: Right. [00:20:41] Speaker B: Being able to do things like that. And really, you know, me being an engineer, always wanting to have some sort of automated continuous improvement, continuous delivery, you know, being able to transition that into security itself. Not just software, but actually security workflow and processes. I think that's where we're going to get the biggest bang for a buck as far as a community. [00:21:07] Speaker A: Oh yeah, it's huge. I mean, these tools and OT is like you said before, it's been lagging behind the IT world, you know, at least 10, sometimes further behind. You know, we're just now getting to, you know, virtualization, which, you know, I've been deploying virtualization in ot, but widespread, it's, it's pretty far out. 
But, you know, I had a conversation the other day with a guy and there's, there's not much difference between, you know, having a thin client on your desk with a server in the room and bumping that stuff up to the cloud and all the benefits that you get from those things. Right. So we have to stop being afraid of these technologies and find a ways that we can use these, these technologies to enhance and grow faster, knowing that we have to be careful. I'm not saying that we should put all of our control room or our substations directly to the cloud, but I also don't think that it's never going to get there because I do believe that we will get to where we're running power plants and substations in the cloud. But I'm not again saying that we should do that today. But we can't just say we're never going to do that. Which that has been the mindset for so long is we've always done it this way. We're never going to do that. And then all this technology got brought in by the vendors and now, and that's part of the reason, in my, my perspective, why we've been kind of behind the eight ball in the OT world is up until now, fairly recently. We always look to that, you know, that, that vendor, the Foxboroughs, the, you know, ge, Siemens, Emerson, you know, Yokogawa, like all these guys, we, we just looked to them and they did everything, including the cyber stuff when they started labeling those things. But they only know their stuff and they don't necessarily have the right idea for my entire organization. They're just controlling their control system. And they're probably not even the best at doing that because they don't have the experience or the right people involved necessarily to really understand what they're missing even. [00:23:03] Speaker B: Yeah, definitely. And actually, so it's funny, a lot of people are like, hey, I think we're going to be moving to the cloud for a lot of operations and such. [00:23:13] Speaker A: Yeah. 
[00:23:13] Speaker B: I think actually different. I don't think everything is going to go to the cloud. I think the stuff that needs to have like high availability will go to the cloud. [00:23:22] Speaker A: Yep. Right. [00:23:23] Speaker B: But I always, I, for some reason, like I worked at aws, I worked at AWS because I'm like, things are moving to the cloud, I need to learn a little bit more about it. And after working at AWS and after working for vendors deploying to the ICS community, I think there's going to be this hybrid environment. I'm saying it right now. Anybody who wants to build it, build it. I think there's a way for us to build almost like connectors that encrypt the data that need to go to the cloud rather than relying on the vendors to implement certain things. You can build an end to end encryption type, data transfer. I think that's going to be really cool. So anybody out there, if you want to build this and test this out, I will gladly give you all my ideas and thoughts behind this. [00:24:19] Speaker A: Sure. Well, and to your point, I agree. I think there'll always be a hybrid model because at the end of the day, if something happens and I lose my Internet connection and my backup, I need the plant to continue to run. So I need to have a local option that can keep me running, at least even in a manual process way that obviously the control processors, all that kind of stuff being local, all that stuff will still run. But as an operator, I need to be able to see what's going on and control it. So I can see where I have some physical things on site. So, you know, break glass in case emergency, okay, I move over to this machine that's sitting in the corner. But the rest of my stuff can be automated and it can be in a hybrid cloud. And it doesn't need to be in necessarily AWS's cloud. Maybe it's in a Duke Energy or FedEx cloud. Right. That they own. They own the iron. It sits in their data centers. Like that cloud. 
Word doesn't have to mean Google or Microsoft or aws. It can mean a lot of different things. But bringing that technology and those capabilities into this space to make it more redundant, like we're missing, like we talk about the negative things of it many times and then sometimes people forget to think about all the positives and all the benefits and the redundancies and the, and the capabilities, the compute power and all of those things that are so much more powerful than having a, having old iron that sits in the corner and gets dust and nobody's maintaining it or updating it, which is more secure. Right. The box that hasn't been updated in 10 years, that's been, that's. It's sitting in my room or the one that's in the cloud that gets updated constantly, is backed up constantly, can be snapped back or rolled anywhere. I want it to be at the drop of a hat. But yeah, it happens to be in somebody else's data center. You're right. From that perspective that mitigating that risk, you know, attack vector is worse. But how many others are worse in the first version that we just talked about? [00:26:05] Speaker B: Right, exactly. And I foresee also like a critical infrastructure cloud environment only where it's not. Where it has different security controls that are up to snuff for like NERC SIP and TSA pipeline and stuff like that. Where. Wow. Now GE and Siemens can deploy this hybrid model where they can utilize cutting edge technologies like large language models or machine learning models up there where they have the compute power but still allow their customers to switch manual or. [00:26:45] Speaker A: Right. [00:26:45] Speaker B: I'm actually, I'm going to say it's going to be cloud. And on prem no longer is manual, it's just cloud or on prem. [00:26:55] Speaker A: It's not that far off again because the technologies that we have today, we're already using thin clients, we're already using remote, we're already using containers. 
But right now, especially in power utility, a lot of those are just sitting in my data center or they're sitting in the control room. Right. They're right there. There's really not that much difference to take that thing elsewhere. Like with the satellite technology and communications that we have 5G and all that, that's so fast. Fiber optic going everywhere. These power plants in the middle of nowhere. Used to, you couldn't get fast Internet. That's just not the case anymore. Right. You can usually get that pretty easily. So you can do this stuff with existing technology that we have already and get all these extra benefits and obviously there is some risk. But you know, you put this in a NERC SIP or a, in a, you know, infrastructure, a critical infrastructure that is U.S. based. It's, you know, it's locked down, has different controls and security and you know, only my people can get to it. Like all those different types of things. It's like instead of Saying no, say how. Right. Ask the question of, okay, how could we do this? What would make me comfortable? How could we do it in a safe way? How could we lock it down so that nerc sip is happy, so that, you know, my, my board is happy so that, you know, we're not allowing, you know, nation states to gain access. Obviously that would be a bad idea. Like all these things, they can be challenged, but we've got to stop just avoiding it, saying we're not doing those things. [00:28:22] Speaker B: Yeah, I mean think about it like even the federal government themselves, they have a cloud, they have gov cloud and stuff like that where they can put their data. So like if, if the federal government can do it, why can't critical infrastructure? [00:28:36] Speaker A: Correct. Absolutely right. And you know, power plants are power plants. Like manufacturing is manufacturing all these things. Most of the stuff is not brand new technology. 
We've been now power plant technology for the most part, how we do control systems, all that kind of stuff. We haven't really innovated all that much in that space in a long time. But by doing some of these things, we can make. One of the problems that I've seen in, in bringing on all this, this OT and cybersecurity stuff is we've, we've added a bunch of complexity and a bunch of cost onto these environments. And they haven't necessarily. If I spend a million dollars on this cyber program, I'm not, I'm not more efficient or making more; my ROI isn't necessarily there, it's just cost. But you start doing things like this and then I'm more, I'm more reliable, I'm more resilient, like I'm able to see more data and there's, there's a lot of, there are some things that make me more efficient now. My costs are lower, I'm more efficient, then I can actually start seeing value add on the ROI side instead of just being a negative cost center. That cyber, that is one of the reasons why most plant people, manufacturing, those types of folks, they don't, they don't get excited for cyber, because it's just a cost and complexity thing that they don't necessarily like. They understand it, but it's like I'm having to do this or I'm going to do my boiler tube failure maintenance. Like, I only have budget for one of them, and that's a struggle.
[00:30:02] Speaker B: Yeah. That complexity thing, you hit the nail right on the head. Right. For some reason we've made it harder on ourselves as cybersecurity professionals.
[00:30:13] Speaker A: Right.
[00:30:13] Speaker B: Like, I'll say it, you know, exactly as it is. Like, I definitely have probably recommended some stuff when I was a consultant that just blew up the complexity of a security program, that I probably shouldn't have recommended. Right, yeah, it's just, it's, it's. How can we take something that we can barely get our arms around and, like, bring it down closer. Right. Focus on what we really need to work on.
[00:30:46] Speaker A: Yeah. I mean, to use your use case, though, you know, I had a customer and they were, they're large manufacturing and they had, I think it was 80,000 endpoints and they were all Windows based, Linux based, whatever. But they had this large list and they did really well with asset inventory. They had all the tools. But they said the problem was that they had 80,000 devices and there was no way that they could keep up with patching them. So, like, okay, I can't patch 80,000 devices. I'll be constantly doing that and nothing else. And does it really. Is it really the right use of my time and effort to just patch systems? Right. So they were looking for that answer. Very similar to what we've been talking about is the what should I do? Like, if I only have X number of hours or X number of dollars and X number of people, where should I focus them? Right. Because it can't be go patch them all. Because once I get to the end, I'm just starting over again constantly. It's never done. So being able to understand which are critical, which are critical updates, which are critical to my process and which are the most important from a, from a risk. Understanding the true risk, not just the NVD score, but the actual true risk to my environment, not generically, but to my environment, is priceless to organizations. Being able to point, you know, the tip of the spear. It's the difference between, you know, general army and Special Forces. Right. I want to be able to point them at a particular thing and go attack that one thing and then come back. Right. I'm not sending the entire army. I'm sending five guys. Where should I send those five guys?
[00:32:23] Speaker B: Yeah, exactly. And I believe, you know, I saw something on LinkedIn, I think, last night where somebody's like, AI for like, coding and development is like having a junior engineer. And there was a comment that said, yeah, but for $20 a month I have unlimited junior engineers.
I would take that any day of the week, 100%. I see this motion of like, how can we do more with less?
[00:32:55] Speaker A: Sure.
[00:32:56] Speaker B: And I think that cybersecurity tools, any vendors out there building capabilities, need to think about how can I do more with less? Not like less resources as in, like less money, but how can I do more with less? Like senior cybersecurity professionals, right?
[00:33:17] Speaker A: Yeah. And that's the thing. Yeah, I agree. That's the thing, right? That's the hard part. Like, I can have one person, my expert, but there's not that many of them. And imagine if I empowered that one, you know, really senior person with, like you said, an unlimited number of junior people that I could fire at this problem. Then he can solve a lot more problems because he's only focusing on the thing, the cream that rises to the top, instead of all of the small level things that a junior person can take care of. I don't need him to focus on those things. I need him to focus on things that they can't figure out, right? And that's the power of using AI for something like this or, you know, junior engineers, because I don't want him to focus on them all. The churn.
[00:34:04] Speaker B: Yeah, exactly. And even like patching, we're going on tangents now. I blame, harsh word, but I can't come up with a better one, I blame vendors for saying just patch this, right? You see their advisory reports, everything down to the recommendation. You have 17 paragraphs talking about the description of the vulnerability. And you have three sentences that all just tell you it's just a patch. And like, there, we have compensating controls for everything, right? Why, why aren't we taking those into account when we're coming up with things like advisory reports, right?
[00:34:48] Speaker A: Well, you know, it's, it's like you go to the doctor and you say, you know, my arm hurts. And the doctor's like, well, don't, don't move your arm.
Like, okay, that's one option. There's other options, like maybe, you know, strengthen your arm, go to physical therapy, get surgery, take some medicine. Like there, there's gotta be more than just patch, right? And, and it's like the, you know, every ham, you're a hammer. So all you see are nails. All they see is patch. It's just patch, patch, patch, patch, patch, patch, patch. Which, you know, it's worked for them in IT because that's how you do everything. You just patch everything. But you can't, as we know, that's really difficult. And I mean, CrowdStrike, I talk about this very regularly. But the whole CrowdStrike incident, right, there's an example of something that was pushed and, and caused issues, and it shows the complexity of OT and how it's different than IT. Because I, you know, Delta is a prime example of that. Right. Is. Is they had to. The biggest struggle they had was getting people in front of the boxes to be able to reboot it, to recover from it. Right. It wasn't a. They didn't know how. They didn't. They had a backup recovery plan, but it was just a number of bodies because of where the devices were located and, and they were up on kiosks and they were not easy to get to, and all these things just compounded to make their recovery time that much more difficult. Which is why we don't patch at scale and just send it and hope for the best in OT, because of all of these problems.
[00:36:14] Speaker B: Well, we're even working with, like, banks and stuff like that. Right. And healthcare, where it's not true OT. It's OT adjacent, I like to call it. And they're still having troubles with patching. Like, if you think about it, like, Microsoft pushes out, like, updates every week. I know there's, there's at least one point in time where you're one to two weeks behind your patch cycle. Come on.
[00:36:46] Speaker A: Yeah. In OT, it's way worse than that, as we know.
[00:36:50] Speaker B: Yeah. Oh, yeah. I mean, we got patches.
We got patches dating back to the early 2000s sometimes.
[00:36:58] Speaker A: Well, yeah, I mean, we. You're gonna have old equipment and that, that goes. I think the whole thing we're harping on here, or from my perspective, if I were. If you're a listener and you're hearing. Yeah, we've, we've talked about these things. I've talked about this stuff a lot. But you have to look at problems differently. And that's one of the biggest things that, that I, I talk about in OT specifically, is I have, I have a lot of experience in IT as well. I spent a lot working on, you know, Active Directory and large organizations like Tyco Electronics and AT&T and, you know, GE and other places on the corporate side. And all of that knowledge has been valuable as I approach problems in OT, but also working in power plants and understanding how the processes are different. I have to merge those two things together. Right. And I see a problem and I put my IT hat on and I may solve it by patching, isolating it off the network, you know, forcing them to do a reboot. Like a lot of different things, and I have to approach it completely different. Same problem, same risk, maybe a higher risk or lower depending. But the way that I attack it is going to be different. Like, you know, if I'm a SOC analyst and I see a vulnerability or alert come in. In an IT world, I may just kick the device off the network. In an OT world, my response is probably going to be pick up the phone and call the control room and say, hey, I see this thing going on. Do you guys, is this something you're doing? Like, I'm not going to kick it off. Because the example I always give is, you know, if you, if you're able to do that and you, you shut down the, I don't know, the avionics in an airplane as it's flying because you saw a vulnerability, what's more vulnerable?
The fact that you just turned avionics off on a plane that's flying, or the fact that it may have a vulnerability that hackers may get to but haven't done anything with? So maybe you should just let the freaking plane land before you do anything about it.
[00:38:46] Speaker B: Yeah. And to that it's like, zoom out. Like, stop looking at everything under a microscope. Like, yeah, it has vulnerabilities or has misconfigurations or whatever, something found. But is it reachable? Are there active adversaries coming after your sector? There's so many other factors that you need to consider before you even go to the point of coming up with a remediation. I mean, that's like why, that's why consultants are considered, like, continually hired. It's because consultants, you have an almost unbiased view of what's happening and you have time to, I mean, how many times, I mean, you tell me, Aaron, like you're sitting there writing a finding and you're like up to the, like the mitigation and remediation. And you're just sitting there and you're like, what is the best way to remediate this? Right. I feel like everybody's so quick to just jump to do something. Just take a second, take a second and think.
[00:39:56] Speaker A: Well, you're right. And I think the industry has gotten to a place where it's almost like, you know, an attorney or a legal, you know, a generic legal statement they put in, like, they have to put, they have to tell you to patch it. You know, just like you go to Discount Tire and you get a nail in it. They're like, well, we got to tell you, you should replace all four of your tires, even though the other three are brand new and this one just as bad. But they tell me that you need to have all four tires at the same time. Great. I'm not doing that. Right.
[00:40:26] Speaker B: No.
[00:40:26] Speaker A: I just bought these tires two weeks ago. I'm not replacing all four just because you want me to. Right. I get that it's a liability.
I get that my car is all wheel drive or whatever the reason is, but I'm not going to just replace the tire, all four tires. Right. You have to be intelligent about it. And it can't be, go replace all Windows XP and never have Windows XP in your environment. Like that doesn't work in OT.
[00:40:49] Speaker B: No, no, it doesn't work in OT. And quite frankly, sometimes it doesn't work in IT. Like you're running legacy applications on an old CentOS box and you're like, what do we do with this? And it's not patch it and it's not replace it. It's add in. You know, I think because we're all engineers, we think like engineers. Everything has to be somewhat black and white, right?
[00:41:15] Speaker A: Sure.
[00:41:16] Speaker B: There is a lot of gray area. And back when I used to be a hacker, I lived in that gray area. You give me a little sliver of gray area, I'm staying right there. And if you think like a hacker or think about the gray area, just be a little bit more creative with your decisions.
[00:41:34] Speaker A: Yeah.
[00:41:35] Speaker B: I. We can go a lot farther.
[00:41:37] Speaker A: Yeah. And look at the problem. And that's a good point to think about. Right. Is not everybody has the background that we have, that others have. You know, not everybody's been in these spaces. You may not come from cybersecurity, you may not come from a hacking background or even a support background. So know that, know your limitations, bring your expertise, and reach out for other opinions. Right. The biggest thing that. And it goes across more than just cybersecurity. It goes in all things. But don't be tied to your ideas, I guess is my biggest piece. Right. I have these assumptions based on the things, the knowledge and the information that I have. But when I speak to somebody like you, you're going to have different experiences and experiences than I have. It behooves me to have very smart people around me.
If I'm the smartest person in the room, I need to be in a different room. Right. I need other smart people around me that are willing to challenge me, not just say, oh, Aaron, you're the smart. You know, I believe I'm very good at what I do. I'm very. I'm very smart. Do I think I'm the smartest person in all areas? No. I love to surround myself with other people and also be willing to admit their idea is better than mine.
[00:42:47] Speaker B: Yeah, I. There's a saying that I like; I hope I don't butcher it too much. Just because you spent a long time making a decision doesn't mean you have to stick with it.
[00:42:58] Speaker A: Right.
[00:42:58] Speaker B: I use that in every aspect of my life. Right. We get. So where, as we grow older, my medical field is now coming into the play. As we grow older, our skills become less fluid and more crystallized. That's why when you talk to somebody that has wisdom or something like that, everything they say is surrounded by one central topic or category. That happens with everything we do. And I believe that if we take away our initial assumptions, take away how long, it's like a. What is it? Cost, loss fallacy or something like that. I just spent so much time making this decision. We have to do it. You don't have to do it. No.
[00:43:47] Speaker A: Well, and sometimes it's actually more costly or the wrong decision. Like if you get to the place and you get to the end, you're like, wait, this wasn't. It sucks that we spent three weeks or three months or three years getting here, but we're still in the wrong place. And if we, if we continue to move forward, you know, you're putting good money after bad. Like, you've already spent it. That's fine. I'm sorry. But if it's time to pivot, it's time to pivot. Be okay to stand up and say, hey, things have changed, or my, my understanding has changed. Or this really smart guy named Harry came in and he showed me the error of my ways and some things I wasn't thinking about.
And now that it really changes the equation, I don't think we proceed in this path. I think we have to pivot over there. And that's okay. Like, it's a hard conversation to have, but it's the right conversation to have. This, this gets down to having organizations that are willing and okay with that, that, that, that mindset, because that's a hard mindset to have. And so many. You see it in the military a lot. But, you know, even in organizations where you're punishing people for making mistakes, and if you're in an environment that you're punishing people for mistakes, they're never going to raise their hand after they've spent three years doing, or three months or whatever, doing something, even if it's not the right decision. They're just going to continue to go forward because they don't want to get in trouble. Right. They're more afraid of the ramifications of admitting, hey, we spent all this time and effort and we were going the wrong direction, I think we need to change. Then it's detrimental to your organization.
[00:45:16] Speaker B: Yeah, that's one of the things I learned from Amazon, is Jeff Bezos. He said you have two way door decisions and one way door decisions. If it's a two way door decision, just step back out, it's fine. Yeah, we spent time, we lost some money doing this, but it's better to acknowledge and identify it sooner than later. If it's a one way door decision, let's spend a little bit more time on this decision making process.
[00:45:43] Speaker A: That, that, that's good. I hadn't heard that. It, it goes to cybersecurity. It, we really get tied into the, as engineers especially, you know, we get tied into the technology side of it. Right. It's really, you know, the product, the capability, the understanding on the technology side. But you know, one of my mentors told me a long time ago, all business is a people business. Right.
So I have to, I have to be able to have conversations and I have to be, you know, not tied to my ideas, willing to change, willing to learn, willing to grow, willing to admit defeat and failure and get back up, dust myself off and go at it again. Right. And, and it's no different in the cyber field as it is in IT or business or sales or HR or any of the other, marketing, anything else. It's all I have to talk, I have to prove to you and explain to you why my idea, I think I'm right, and then, and we have to talk about it and figure those things out. Like those interpersonal soft skills, as they say it in consulting. Right. Those are more powerful than the smartest thing I've ever done on the technology side, because it doesn't matter how smart I am on the technology side, if I can't convince you that this is what I think we should do and why, then it doesn't matter that I have the best idea. If you don't like me or my idea doesn't make sense to you, then you're never going to say, yeah, we should do what Aaron said.
[00:47:00] Speaker B: Yeah, definitely. I like the fact that you said those interpersonal skills that are necessary, you know, if you don't understand people, theoretically, you don't understand business, because business is made up of people.
[00:47:14] Speaker A: Yep. That's all it is, 100%. So all this we said, we're talking about some really cool bleeding edge, next generation type things, capabilities and ways to do things, things differently in OT in the next five to 10 years. What's, what's one thing that you see come up over the rise and that maybe is concerning and on the other side may be exciting? I'm guessing it's probably going to be related to AI, seeing as all that you're doing. But you know, you could throw a curveball out there too.
[00:47:41] Speaker B: So let's see. Let's start with. I think my, so the next five, 10 years. I think my idea is both concerning and it's going to be great.
I think the general status quo of how we do cybersecurity is going to fundamentally change. Not because of AI, just because we're starting to think a little bit more about our customers and how we're impacting business and workflow. The ability for us as vendors right now that are working specifically within critical infrastructure, going how does this impact your workflow? How does this impact things that you do? Is changing the game on how we build certain technologies. Changing the game on how or what we need to build. Right. I think there's going to be a disruption in the consulting market. Sorry, Aaron. And some other places where consultants or whatever are needed on a different basis. Not what we're used to, what we're used to. In my opinion, like, consulting has been the same thing for the past however many years. I mean, things are going to change, and what I'm excited about and feel concerned about is things are going to change. It's like I'm giving like almost a non answer right now, but that, that's, that's, that's what I'm excited about. I think, I think the general status quo is no longer going to be the status quo, and we're going to have a lot of graybeards out there get pretty angry about it, and we're going to have a lot of young bucks come in going, I can do this. Makes more sense to me.
[00:49:31] Speaker A: And honestly, being a little bit of a graybeard, that's what we need. We need more fresh blood. We need more folks looking at things differently. And I can't tell you, you know, coming from being, you know, long ago in my career, I was all, I was usually the youngest person in the room, right. So I was constantly, well, what do you know, you're just a kid. Like what, you know, you haven't done this. I've been doing this for 40 years. I've been doing this for 50 years, whatever the thing is, right? So I was used to that. But, but as I, as I proved myself and under, you know, I earned those hard hats and working in those spaces.
[00:50:04] Speaker B: Yeah.
[00:50:04] Speaker A: And when they started trusting me, then they started listening to my ideas and like, wait, kid has some ideas here that are not horrible. Like, what if we did some of these? And then we started doing some of them and they worked and they weren't the stupid ideas. And then they started understanding, like, wait, okay, that makes sense. Right? So, yeah, that, that's the, that's what's going to get, you know, the whole. There's a book I love. It's. It's What Got You Here Won't Get You There. Right. If you continue to do the same, it'll only get you where you're at. If you want to be the CEO, you can't do the work of a CTO. Right. It's a completely different job. So if you want that job, you have to start doing different things to get there. Like, you know, I used to be 100 pounds heavier than I am. I was 350 pounds, overweight, all that kind of thing. Right. If I continued showing up like the old version of me that I called Nacho Dad, if I showed up like him, I was going to continue being that fat guy. Right. I had to do different things. I had to eat differently and exercise differently. I had to do all these different things because I wanted to be different. So I had to show up differently. So it's no different in business or technology or in your personal life. You have to do different things if you want to get different results.
[00:51:06] Speaker B: Yeah. And I have a book recommendation for you. If you haven't read it yet, I suggest reading. I'm reading it right now, called Ego Is Your Enemy. And I think you have read it. Oh, it's so good. I feel it just, all of it just makes sense. But for people out there listening, Ego Is Your Enemy. Great book. And, and Aaron, your book recommendation, I've read that book too. I think that's a fantastic book.
[00:51:33] Speaker A: Yep. Awesome. Well, so we talked a little bit about your. You guys' company.
How can people find out more information if they want to give you guys a shot, you know, bring you guys into their environment? Like tell, tell us about that kind of call to action for, for the listeners.
[00:51:50] Speaker B: It's simple. Just go to our website. You can sign up for a demo, stuff like that. You can reach out to me personally if you want on LinkedIn or via email. Harryranos IO, reach out. Do it. And to be honest, I answer questions all the time, just in general between, you know, people looking to get in the field or people trying to understand what they can do differently within their cybersecurity organizations. Never hesitate to reach out.
[00:52:18] Speaker A: Yeah. So I also want to bring up real quick, because you guys just recently went through a thing that you just won. So why don't you tell us a little bit about the competition and the results that you guys just announced.
[00:52:31] Speaker B: Yeah. So we were invited as part of five finalists for the DataTribe Challenge, Startup Challenge. If you're not familiar, DataTribe was the seed investor in Dragos. They're a big cybersecurity investor based in the D.C. area. And Brian, Eric and I showed up and we really brought our A game and we actually won the competition, which is really great. We got to drink very rare whiskeys and have fun doing it. Me and my co-founders, we live across the country, and it's always nice when we can get together, especially for a big event like this where we really put our nose to the grindstone and got what needed to get done in order to showcase Freanos, in order to showcase our experience, our history, and the reason why we're the ones, the right ones to be the next generation of OT security tools.
[00:53:30] Speaker A: That's awesome. Congratulations to you guys. Definitely check out the LinkedIn post for more details on that. We can include some of the stuff in the show notes here too, but it's always cool. Put your money where your mouth is, right?
It's one thing to say we can do all these things; vendors can show us all. Being a vendor in the past, being a CTO in the past, I can show you a lot of things in marketing and online, but actually putting the money where the mouth is and actually seeing results come from it is a different thing. So congrats to you guys. I'm excited to see. See what, what's next with y'all. Awesome.
[00:53:57] Speaker B: Thanks for having me here.
[00:53:58] Speaker A: Awesome, man. Hey, thanks for your time today. Audience, definitely reach out to Harry and Brian and learn more about Freanos. They were actually a sponsor at our. At our event and our shooting event at Staccato Ranch not too long ago. So always excited to do things with companies that I. That I enjoy. And obviously, obviously this is a small environment, so I know these guys very well. So thanks a lot for your time today, sir.
[00:54:19] Speaker B: Thank you.
[00:54:21] Speaker A: Thanks for joining us on Protect It All, where we explore the crossroads of IT and OT cybersecurity. Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time.