What are the tell tale signs you’ve got ransomware before you receive the actual ransomware threat?

Check out this post and this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our sponsored guest Brian Vecci (@BrianTheVecci), field CTO, Varonis.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our podcast sponsor, Varonis

What is your ransomware blast radius? The average user can access 17 million files. Varonis reduces your blast radius in days, not years. Combined with advanced detection that monitors every file touch, ransomware doesn’t stand a chance. Get a free risk assessment.

Full transcript

David Spark

Hello fans of the CISO series. If you are listening to this episode of Defense in Depth the day it drops, which is September 30th 2021, tonight we are having a party to celebrate the three-year anniversary of CISOSeries.com. All of my CISO Series co-hosts will be there and we want you there too. Go to CISOSeries.com, look for the blog post at the top that announces this very anniversary. Look inside, you will see a registration link for Eventbrite, click on it, register. We want to see you there tonight, it’s going to happen at 7PM Eastern time. We’re going to have fun, we’re going to have games, we’ll just have a meet-up. Just be there, we’ll have a good time.

Intro

David Spark

What are the telltale signs you’ve got ransomware before you receive the actual ransomware threat?

Voiceover

You’re listening to Defense in Depth.

David Spark

Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series, and joining me as my co-host for this very episode is Geoff Belknap, the CISO of LinkedIn. Geoff, thank you so much for joining.

Geoff Belknap

Thank you for having me, and hey everybody, going to have an awesome conversation today.

David Spark

This is going to be a good one, I’m looking forward to this because this is getting to a level that we have not got to yet. I’m looking forward to it.

Geoff Belknap

We’re going to push the boundaries of depth today.

David Spark

Yes. I want to mention that our sponsor for this very episode is Varonis, and they’ve been a phenomenal sponsor this CISO Series, and so thrilled that they are sponsoring this episode, and also brought our guests as well. But I want you to help me set up the topic here, Geoff. Ransomware leaves a lot of breadcrumbs before the actual encryption of your data and ransomware threat happens, so according to our guests, it looks a lot like the modern-day APT kill chain; ransomware, when it happens, follows that same pattern. Do you believe it is possible to catch the threat earlier?

Geoff Belknap

Absolutely, I do. In the industry we’re having a lot of conversations about ransomware, and one of things that I think we don’t talk about enough is that five years ago ransomware was effectively malware. You found it on a laptop and you went “Oh, we’re going to have to pay for that laptop” and move on. Today it’s really moved to a set of tactics. Ransomware is now part of a criminal enterprise, it’s a business, and most of what happens today is a full breach like any other kind of breach, but at the end of the breach there’s a ransomware component that helps them monetize that in a way that most actors never did before. So I think there are a lot of things that people could be looking for that are indications that you’re compromised and that ransomware might be happening soon, because there’s a lot of ways to identify breaches. So I’m really excited to talk to our guests about that today and get into that.

David Spark

Yes, and I am looking to my eyes being enlightened on this very subject, with our sponsored guest, Brian Vecci, who’s the Field CTO of Varonis. Brian, thank you so much for joining us.

Brian Vecci

Thank you so much for having me.

How do I start?

00:03:22:13

David Spark

Joshua Copeland of the Pinnacle Group said, “If you have a SIEM and configure with the right CTI and correlation, your analyst should be picking it up,” – “it” being ransomware – and Rebecca Harness, CISO at St Louis University, who we had on this very show talking about ransomware, said, “Abnormal disk and processor utilization on critical assets, or those connected to them, is the first thing that comes to mind. Really there’s no greater detection than a good SysAdmin keeping tabs on their environment.” So is this really just about creating a good SOC, Geoff?

Geoff Belknap

No, I think it’s obviously more complicated than that. I think our good friend Rebecca is along the right line of thinking here, in that if you are running an effective security program, there are a lot of signs that you can be looking for that will tell you there might be a breach here that you haven’t detected yet, and certainly I would be worried if abnormal disk and processor utilization was the first hint of it because then it’s a little too late; the encryptor is already running. But I think to Joshua’s point; yes, if you’ve got a SIEM, if you’ve got an effective security team, if you know what your environment looks like and deviation from that environment looks like, you have a chance to catch a breach in process, and I think that’s what this is really all about.

David Spark

So going to Joshua’s comment here, if you’re just setting up your SIEM and watching it well, how much of the problem are we solving at this point, Brian?

Brian Vecci

Well, a couple of things: first of all I don’t disagree with either of those comments, but a couple of things to keep in is that a SIEM, just by its very nature, is often very noisy. It takes an extremely mature security team to separate out the signal from the noise. The other thing to keep in mind is SIEM is often not looking at data access, because a lot of times those logs don’t even exist. And to Rebecca’s point, if you’re looking for CPU and disk activity, that can be an indicator, but it’s an indicator of lots of different things, not necessarily just the encryptor running. And Geoff, you said it yourself: once the encryptor’s running, you’ve kind of already lost the battle, and in a lot of these more advanced attacks the encryption is step 30 along the kill chain, and in fact, the data may have already been exfiltrated. It doesn’t even matter if you have back-ups, your attacker might say, “Alright, pay me to get your keys to your data back, but pay me to not release all your data on the dark web, and also pay me not to let the press know that we’ve been in your network for the last six months.” So an effective SIEM is one part of a Defense in Depth strategy, but I think you need to also be cognizant of what your SIEM is not looking at, and how much time you’re spending chasing ghosts, and Rebecca hits on it: there are things you can look for, there are certainly indicators all along through the kill chain, but Geoff, you said it yourself – a modern ransomware attack is really just a modern data breach where one step is the encryption of data.

David Spark

So if I’m understanding correctly, and either of you pipe up here, really the first step is being is really, really familiar with the kill chain; understanding all those steps.

Geoff Belknap

Yes, like anything the real first step in any security program is going to be have as much visibility and observability of your environment as you can, and then the next step is learn what that means to you. Don’t just flip on every button and switch to get observability and hope that insight will just come to you. There’s no easy button for finding bad guys – if there was, one of us would be a billionaire by now. The hard part is really learning your environment and what that signal means to you, and where it could mean something malicious is happening. But the rest of it is, you’re just doing the job of a smart security program.

Brian Vecci

Two things actually come to mind for that too: one, Geoff, you said it yourself, just turning all of the switches doesn’t necessarily solve the problem. A lot of times, with an advanced attack, we’re looking for a needle in a haystack, and when you want to find a needle in a haystack, throwing more hay at it doesn’t actually work. And second, you also want to put enough barriers in place that an attacker has to go through. One of things that we haven’t mentioned, and I think we will at some point, is that ransomware attacks data, and it attacks a particular kind of data that’s often not properly protected. We do a data risk report and the average new employee has access to 17 million files in the first day that they start. Files are what get encrypted in a ransomware attack. Pick a random user in your organization; do you know what they have access to? What data is open to all authenticated or domain users? And what steps are you making that an attacker does not have to jump through? Do they not have to escalate privileges, do they not have to do anything tricky to get access to that data? Those are also things that you can do for the prevention of a ransomware, or making it easier to detect because of the number of hoops that somebody has to go through. If somebody has to Kerberos an account to get access to data before they encrypt it, you’re much more likely to detect that because the kill chain becomes more complex.

There must be a better solution.

00:08:15:18

David Spark

From Rich Mason of Critical Infrastructure, who started a discussion of his own about this issue, “If we distill it down, what are the individual capabilities we need in the full anti-ransomware stack?” And he listed a bunch: anti-phishing, network segmentation, awareness and training, back-up and recovery, IR services, PR services, legal services, insurance. It seems, and I’m going to throw this to you first, Brian, that you need the physical stack of the technology, you also need the people there, but also going back to this kill chain, you said everyone needs to have understanding in playing in the kill chain, yes?

Brian Vecci

True, and Rich does a good job of breaking things down, but I think there’s some significant gaps here because anti-phishing; sure, phishing is the most common injection point, that’s important. Network segmentation is important. But what about access control? What about data protection? Just because you’re segmenting a network, if data’s open to everybody, suddenly it’s going back to the point in the previous segment, you’re making it so much easier for an attacker to get access to data. Awareness and training, that’s important but it’s never going to be 100%. Back-up and recovery, that’s great, but what if your data has been exfiltrated before it’s encrypted? You might be able to restore it from back-up, but you’re still going to have to pay an attacker to prevent them from releasing it to the dark web, and in many of the more sophisticated, real cyber criminal group ransomware attacks that we’ve seen, your back-ups are gone anyway; they’re spending time in the network, they’re going to blow away the back-ups before they do the encryption. Of course, incident response services and having a depth of IR services and expertise is important, and insurance is important too, although we’re finding that the insurance companies are just as hard to deal with as the attackers sometimes in getting payment.

David Spark

Geoff is laughing at the last one.

Geoff Belknap

It’s true.

David Spark

First of all, have you had to deal with an insurance company?

Geoff Belknap

I have not, thank God, but I definitely have talked to a lot of people that are dealing with insurance on a regular basis and it’s not easy. I think if anything it’s just an indication that the marketplace right now is really struggling to deal with this kind of prevalence of attack, and it’s successful. So the thing I was going to say, that I think Brian is already saying, and the way that I talk about it with my executives and some other peers is along a very similar line: if you haven’t mastered data protection or data access controls, you’re really in trouble. If one engineer, or one data scientist has access to every bit of data in the organization, and they could theoretically, with the right tooling, download all of it and sell it on the dark web, then a bad guy can too. Twenty years ago, yes, a threat actor might not have an account, maybe they’re brute-forcing something, maybe they’re stealing a physical disk, but today an active threat actor in your environment just looks like one of your employees, but maybe they look like your employees accessing more than they should, where they’re using multiple employee accounts. So what you’re really talking about is what we used to call insider threat, but in this case every successful breach just looks like an insider that exceeded their permissions. Yes, anti-phishing matters, but really what matters more is strong authentication, strong segmentation of data, strong separation of duties, because all of these things are easy for these guys to get in, and once you’ve made it easy for them, once they’re in you’re hurting. So what I tell people to start with, if they’re very concerned about ransomware, is what are all the things that would make it easy if you sat a malicious actor down at the keyboard? What would be making their job easier or hard? Focus on that.

Brian Vecci

I haven’t said this in a few years, but I still think it’s true: ransomware is the noisiest insider threat, because you’re talking about a threat actor who’s leveraging internal credentials. Look at SUNBURST and SolarWinds; they were leveraging system accounts, proxy log-on, you’re leveraging the exchange accounts to access data. But ransomware, the actual encryption, that’s just the part that lets you know that it’s there. Everything else is really an insider threat exercise: what could a sophisticated actor do, once they’re in the network? Once they’re past your perimeter, whether it’s the endpoint or they get past a gateway, they get past an infrastructure, they traverse the Cloud on-prem; once a threat actor is in the network, how would you know if an account started accessing data that that account has never seen before, whether it’s in volumes that would trigger a threshold-based alarm or not? Are they authenticating the systems they’ve never seen? And don’t forget about data sensitivity; one of the stories that we’ve been hearing over and over for some of the more malicious ransomware groups over the last year is that they’ll spend time in the network, they’ll get access to really sensitive information, and then when you’re trying to negotiate the actual ransom – “I can’t pay you, threat actor, I don’t have enough money,” – they’ll turn around and say, that’s not true, we have access to your financial records and we know exactly how much money you have in a bank account, so pay us this much.”

If you looked at the problem this way…

00:13:15:14

David Spark

Sandy Wenzel of VMware, who we’ve had on the show as well, said, “If you start seeing anomalous behaviors, like someone logging in who no longer works for the company” – like you referenced, Brian – “or a host using applications and services they have not before, it’s worth raising the flag.” And Roger Delph of Oxford Industries mentioned the use of honeypot files, although Chris Patteson of Archer Integrated Risk Management said deception is one of the best tactics; early tripwares for odd activity. But Sandy, again, from VMware said honeypots can be fun but they can have a narrow field of use since they only see activity when it’s directed at them. So I’m going to go back to a comment that you said earlier, Brian, looking at the Rich Mason list: “All of these things are good, but they’ve all got holes,” and that’s a theme that we constantly run into; yes, it’s good, but it’s got a hole.

Brian Vecci

I couldn’t agree more, and all of these techniques are useful, but they don’t necessarily solve some of the core problems that makes ransomware so costly. One of the things that isn’t mentioned in these quotes, and while I agree with all of them, is what assets are we watching? Are we watching the data itself and how quickly would we know about that? Geoff said it up front: we’re talking about sophisticated kill chains – they’re really data breach kill chains that involve at one point the encryption of data and taking it for ransom, and there are so many financial incentives now for a threat actor to do that, but are we watching the asset itself? Nobody breaks into a bank to steal the pens, nobody’s breaking into a network these days unless they want to get access to data, and are we watching the data itself?

David Spark

That is the line: nobody’s breaking in to steal the pens. Then you’d have the chain attached to it and nobody wants that. Yes, there is the need to have that dual understanding of watching the crown jewels and watching individual activity at the same time. Do you configure that beforehand? Is there an understanding that you have where you can see those together, Geoff?

Geoff Belknap

Oh, I think you can, but I think really if I zoom out of this conversation a little bit, if you’re just starting your security program, and ransomware is the impetus for you to spend more money or give more budget or whatever might happen; if this is your organization waking up and saying, “Hey, please get us ready to defend against ransomware,” I would say don’t start with any crazy SIEM deployment. Yes, you should have all those tools and that should be on your road map, but step one: just deploy a FIDO-based authenticator, deploy a YubiKey, use Microsoft Authenticator, something like that. Harden your authentication, and then take a hard look at the inventory of data that you have to protect. What is the thing in your environment that somebody could disrupt your access to, that would be a target for a ransomware attack? And just start at those two places. You can spider out from all of those things, but those are the best places to start. The authentication is a really good place because, yes, there’s phishing and a lot of people buying access from compromised accounts on the dark web. They’re not even running phishing campaigns; it’s cheaper to just buy credentials. So start there, make that really hard, make it difficult for them to get in, and then while you’re making it difficult for them to get in, focus on what data you have to protect. I think Brian’s exactly on here, in that most people aren’t thinking about that. In fact a lot of security programs get comfortable when they get to the point where they have a very hard outside and this beautiful soft, creamy center, and it’s that soft, creamy center that these guys are making money off of, that we need to make a little more challenging for them. So start there.

David Spark

Brian, maybe this question is a complete misnomer, so speak up if it is, but are there any spots in the kill chain that are easier to spot than others?

Brian Vecci

Yes, and Geoff just hit on it. I used to call it the candy bar defense; the hard outer shell and then a creamy middle, and we’ve spent – and by “we” I mean the security community, IT organizations in general – we spend so much time and energy hardening the perimeters. Every corporate laptop is locked to heck and back these days; everything is white-listed: the firewalls, the perimeter; it’s very difficult to get in, especially if you use good practices like multi-factor authentication. But any threat actor with enough time and motivation is going to get past your perimeter, so it’s easy to focus on the perimeter. The hard thing is then to focus on what would something get access to, how would they maneuver? Especially if they were going low and slow. We often rely on threshold-based alarms, honeypots can certainly be useful, but again, they give us just a very narrow view into what somebody might be doing. The easiest things to focus on are the endpoints and the other perimeters; the hardest thing to focus on is the creamy center of the network, and another thing to remember, and Geoff, you said this right up front, is ransomware used to be encryption of a laptop, blow it away and restore it; these days, laptops are much more like your phone; there’s not a lot of data stored in there. All my data is sitting in Cloud repositories; it syncs so I’ve got access to it, but the devices these days are really just access points. The data itself, the stuff that is going to take down a business if an actor gets access to it and encrypts it, is the shared repositories, it’s the shared data stores. A number of CISOs have told me it’s the wild, wild west, we have no idea what’s there, we don’t have any idea who’s got access to it, what’s important. That kind of data, by its nature, is cross-functional, it’s often open to everybody, there’s no good way to segment it or lock it down; that’s why we’re still talking about ransomware, because that’s the data that gets encrypted.

Is this problem solvable?

00:19:21:15

David Spark

Daniel Goldenberg of nference said, quote: If you have a DNS RPZ setup, or DNS firewall, and the ransomware can’t phone home to start encrypting, do you really have a ransomware threat or is it just another Tuesday? And I’m going to ask both of you, and we’ll come back to this because I have one more quote, but is it really this simple? Do we have any “cut off the supply” methods here? Geoff is nodding his head; I’ll go to you first, but I also want to read Vaughn Hazen, CISO of CN’s, comment: “shouldn’t we start with how ransomware works? What does ransomware exploit? Security awareness training won’t solve someone with access being bribed to install a USB key. Phishing protection won’t prevent use of leaked and reused credentials. Patching won’t work against zero day vulnerabilities being exploited.” So two issues: Daniel claims there is a cut-off point, and Vaughn says you really need to understand the different methods to be able to work on building security and/or following patent within them. Geoff.

Geoff Belknap

Yes, I’d really just reinforce that there is no single silver bullet here, and if there was, everybody would just be telling you to do that. What you would hear from CISA, the US Defense Agency, is, “Do this thing; ignore everything else,” and you’d be seeing a billion dollars allocated to pay for this one thing for all US companies. But we’re not. If it was that easy we’d be doing it. The reality is, a DNS RPZ set-up is actually very valuable. It’s expensive from a resource and talent perspective; you’ve really got to know what you’re doing, it’s not just plug and play; but it’s an effective component of defense. We talked about this in the last segment: honeypots, honey files and honey tokens, they’re all super valuable as a part of a broader strategy, so I would absolutely use, to Vaughn’s point, security awareness training; it’s fantastic. Phishing protection, excellent; patching is way more important than most people understand. But altogether they’re really important and effective, and the way that I would tell a Board or somebody who’s asking for advice is, if all of these things are implemented, and they’re all working at a relative effectiveness level, you should be fairly comfortable about your defense against ransomware, because, to Brian’s point, ransomware, at this stage, is really just the last step monetizing a breach for a criminal enterprise actor, and in order for them to monetize a breach, they’ve got to get in and feel comfortable in the way that they can operate in the environment, otherwise they’re not going to get to that stage. If you can disrupt them enough that they show up to your defenders, then you have a great advantage against that.

Brian Vecci

Yes, you don’t have to have the best bike lock, you’ve just got to have the better bike lock than the guy next to you. You don’t have to be the fastest guy in the forest, you’ve just got to be faster than your buddy or the bear’s going to get him. So yes, to Daniel’s point, I don’t think there is a silver bullet at all, and DNS is one command and control vector, it’s not the only one. But that certainly doesn’t mean that it’s not useful. Vaughn’s quote was actually my favorite: shouldn’t we start with how ransomware works? Yes, so understand that ransomware is the last step in the kill chain, make sure that you understand what the kill chain is, use the Mitre Attack framework, use whatever framework you want for understanding the depth of your defenses. Don’t forget what ransomware attacks: it attacks data, and if your access controls are lax or wide open and you’re not monitoring data usage, and you can’t connect something, like somebody authenticating to a system and then accessing data that they’ve never touched before, and then maybe exfiltrating it and then maybe behaving like a piece of encryption, the depth of your defense might be shallower than you think.

David Spark

Have either of you shifted programs, or seen clients that have shifted programs, because of the way ransomware is behaving? For example, we are definitely seeing more cases of ransomware extorting, even if the people do have back-ups; like, “Sure, you can restore it but we’re going to release all this data to the public,” and that adds a new wrinkle of how do we build a defense here to deal with that kind of level of extortion? How does the business shift as the ransomware models shift is my question, Geoff. It’s not just security, it’s the business I’m going to shift.

Geoff Belknap

You mean the business that’s the target of the ransomware attack?

David Spark

The target, yes. The organization that is the target; knowing that the business of ransomware is shifting, your business, not just security, but how you play defense, has to shift as well.

Geoff Belknap

First of all, yes, they should be shifting the way they operate their business. They shouldn’t be shifting necessarily what their business model is, but–

David Spark

No, no, but shifting the defense side, I’m saying.

Geoff Belknap

100%. And the reality is I just haven’t seen it, and maybe Brian, where he sits, sees it more, but the reality of this is defending against ransomware is not unique and special; it is unique and special only in the way that it means your security program has to be at least at a minimal level of maturity and effectiveness, otherwise you have no chance – it’s just a matter of whether you get targeted or not. I think we’re coming to a really interesting perfect storm of there is this threat out there that is really effective and easily monetized so that there’s a lot of incentive to execute the attack. It’s not something that necessarily has to be sponsored by states, so there are no nation states that are worried about the impact of this attack, necessarily, and there are some companies that are susceptible to it that haven’t invested enough in what real security means for their organization. So I think this is going to be the on-ramp to seeing more regulation and then seeing more accountability outside of just what shareholders do a stock, and I think it’s a really interesting time. It’s awful because it means, again, normal people’s data is the target for this, and there’s nothing that you, or I, or Brian can do to protect our data once it’s in somebody else’s hands, so we have to depend on companies that are executing their program well. But I haven’t seen enough people really shift their program as a result of this. I’ve seen a ton of marketing shift as a result.

David Spark

Oh, that’s good. Brian, have you seen a shift?

Brian Vecci

I’ve seen a shift insofar as it makes more organizations have more of an incentive to have a more mature security program. There isn’t a silver bullet for ransomware defense, but a mature security program with defense in depth, with strong access control and authentication and all of the other controls we’ve talked about, is the best defense against ransomware.

David Spark

And that’s a good button for our conversation. Now I ask both of you, and I will start with you, Geoff: your favorite quote here, and why.

Geoff Belknap

I’m going to steal because I know Brian has already flagged this, but I think Vaughn’s roundabout way of saying we should think about how ransomware works, and what does it exploit, and you should focus on security training and phishing protection and patching. Really this is a roundabout way of saying your holistic defense is what’s important to focus on, not any one solution. All these individual solutions that the commenters have flagged are all really good, but they all only work if they’re part of a holistic defense.

David Spark

Alright, Brian, are you sticking with that quote as being your favorite?

Brian Vecci

Yes, I am, because you start with how ransomware works and what does ransomware exploit. Gone are the days where it’s a phishing email and then your laptop’s encrypted. Ransomware is the last step in a complex kill chain that can take advantage of all sorts of exploits and zero days and techniques, you really need a defense in depth strategy to do it, and if you’ve got gaps on the data protection side and data monitoring, you’re always going to be blind to some extent. As Geoff said, visibility is everything as long as you’re not creating noise.

Closing

00:27:05:23

David Spark

Good point. Now let us wrap this up. I’ll let both of you have a final word, and by the way, Brian, we always ask our guests, “Are you hiring?” so please be able to answer that question. Second, have you got any offer for our audience or any pitch you’d like to make about Varonis and what you’re doing around ransomware? Please speak up. But first, I want to say thank you to your company, Varonis, for sponsoring this episode, and Geoff, any last words on the topic?

Geoff Belknap

I think I’ll just do my usual reminder: please, if you haven’t already, enable 2FA for your organization, or even better, enable strong 2FA using a FIDO key or something like it. And I’ll just remind you, if you have really cool ideas about how to defend an environment against something like ransomware, LinkedIn.com/jobs, we’re always hiring, and so are a bunch of other people.

David Spark

That’s a good place to find cyber security jobs. Brian:, are you hiring, and what is Varonis offering in the ransomware world? To prevent it, not to distribute it!

Brian Vecci

Yes, we are not distributing ransomware, we are hiring as fast as we absolutely can, and if you’d like to be on the front lines of what it’s like to deal with organizations that have to deal with ransomware and are trying to prevent it, detect it and respond to it, that’s exactly what we do. Varonis is a data security platform – it was built from the ground up, because solving the problems of making sure that the right people have access to the right data, and watching how it’s used and knowing when something goes wrong, it’s really difficult on file system data, and we were created to solve that problem. If anybody’s interested and wants to see more about what I’m talking about, we do absolutely free cyber resilience assessments, which include a ransomware risk assessment. We’ll look at your data and we’ll tell you exactly where data is, where it’s exposed, where sensitive data lives that you might not expect, how people are using it, who’s got access to it, and that even gets you access to our instant response team, which is also free. So if you want a free set of hands for taking a look at your environment, monitoring what’s going on, we’re happy to help. So Varonis.com; apply for a job if you want to get into the cyber security world, or if you’d like to have us do a risk assessment, reach out.

David Spark

I know a lot of companies offer different kinds of assessments; has anyone after an assessment said, “Oh yes, I knew all of that?”

Brian Vecci

I’ve been at Varonis for 11 years; not a single time. I have been kicked out of the room where it’s said “You can’t see what you guys just found.”

David Spark

You know we can look at it later–

Brian Vecci

No, actually we make sure everything’s very confidential.

David Spark

Yes, it’s like going to the doctor and getting a body scan; you know there’s something wrong you but you don’t want to find out.

Brian Vecci

Five years ago I would hear that from a CISO every now and then: if I do this assessment you’re going to show me things that I don’t have the time to solve right now. I don’t think we live in that world any more.

David Spark

No, I agree. I look at it as similar to our personal health sometimes; people have that same attitude. Thank you very much, Brian; thank you very much, Geoff. Thank you to Varonis, thank you to our audience as always. We appreciate all your contributions, keep them coming, and we appreciate you listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.