Will You Accept “My Bad” As Our Breach Response?

We know we’ve got to say something about this breach, but geez, the details are really sordid and it would just be easier if we could just wrap it up with one giant “oops.” You cool with that?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Matt Radolec, senior director, incident response and cloud operations, Varonis.

Got feedback? Join the conversation on LinkedIn.

Thanks to our episode sponsor, Varonis

Varonis will help you get meaningful data security results faster than you thought possible. Protect sensitive data, detect sophisticated threats and streamline privacy and compliance. Visit varonis.com/risk for a demo of Varonis’ leading data security platform.

Full transcript

Voiceover

Ten second security tip. Go.

Matt Radolec

Control your blast radius. A lot of organizations think about their attack surface. Things like web servers and applications and the DMZ, which could be targeted by anyone, but they don’t think about what would happen if any one user or device got compromised, and what that detonation would look like, what the impact would be, the blast radius.

Voiceover

It’s time to begin the CISO Security Vendor Relationship Podcast.

David Spark

Welcome to the CISO Security Vendor Relationship Podcast. My name is David Spark. I am the producer of the CISO Series, and joining me most always is Mike Johnson. Mike, the dulcet sound of your voice, let’s hear it now.

Mike Johnson

I’m here, I’m caffeinated, I’m ready to go. Let’s do this.

David Spark

It’s, kind of, late in the day to be caffeinated, Mike?

Mike Johnson

I might have had too much today.

David Spark

The Coke is Zero, but that doesn’t have caffeine does it?

Mike Johnson

It does.

David Spark

I thought the Zero was zero caffeine?

Mike Johnson

No, that’s calories. If you keep drinking them you get more caffeine, and I might have had too many.

David Spark

Less or no calories, alright. We’re available at CISOseries.com, and all our programming is available there as well, plus our wonderful Friday video chats, which are a ton of fun. Please come attend those. Our sponsor for today’s episode has been a phenomenal sponsor of the CISO Series. We’re so thrilled they’ve sponsored across tons of our programming, for that matter, and we’re thrilled to have them again. It is Varonis. Varonis, thank you so much for sponsoring, and they’re also responsible for bringing our guest today. That person in just a moment. But, first, I don’t think I’ve mentioned this, and this is a hidden feature, an easter egg if you will, within the CISO Series podcast. Did you know, on both this show and on Defense in Depth, we have chapter markers, meaning you can skip to segments back and forth with your podcast app.

Mike Johnson

I did not know that, especially the, being able to go back and take another listen to that same section.

David Spark

Yes, so, say, for example, you’re listening to a segment, and you’re two minutes, you go, I cannot stand this any longer.

Mike Johnson

[LAUGHS]

David Spark

It’s going to go three more minutes. I couldn’t bear to listen to three more minutes of this segment. I must go to the next one. You can skip it or jump. Or, say you’re a big fan of What’s Worse?, and you just want to listen to the What’s Worse? Game. Boom. You can skip right to What’s Worse? Right away. So, take advantage of it if you would like to re-listen or skip around. We don’t care, to tell you the honest truth.

Mike Johnson

[LAUGHS]

David Spark

Just listen to our show. We greatly appreciate it. But, in addition to that, if you go to our blog post, we have full transcripts as well of an entire episode, with the time code markers as well, so if you’re looking on a browser, and you go, I want to go to this point, you can see the time code marker and jump to that segment as well. So, we’re trying to make this more user friendly for our audience.

Mike Johnson

It’s multimedia. It’s a multimedia experience, David.

David Spark

That’s the idea. Let’s bring in our guest, right now, because I don’t think anyone wants to hear any more about chapter markers because that’s not exciting.

Mike Johnson

[LAUGHS] Fast forward.

David Spark

[LAUGHS] Yes, they’re trying to fast forward to this part right now.

Mike Johnson

[LAUGHS]

David Spark

Our sponsor guest for today’s episode is Matt Radolec who is the Senior Director, Incident Response and Cloud Operations, for Varonis. Matt, thank you so much for joining us.

Matt Radolec

It’s great to be here. Thanks for having me.

Here is some surprising research.

00:03:30:11

David Spark

Since the pandemic the insider threat has morphed. According to a recent insider threat report from Forrester, we’re witnessing three significant changes in insider threats. One is, insiders are responsible for almost a quarter of data breaches. Insider threats are not a technology problem. And, the Covid-19 pandemic created a perfect condition for insider threats. Now, in past research we’ve actually quoted that malicious behavior for breaches is just a small portion of overall insider risk. But, according to Forrester’s survey, malicious insider intent has consistently been the majority of breaches used since 2017. Mike, since the start of Covid have you seen these shifts as described in insider threat behavior?

Mike Johnson

This was an interesting report, and it took me a while to really digest the fact that it’s giving very different conclusions than the Verizon Data Breach Investigation Report. That’s my bible, and so, this is another view, another perspective that says maybe there are more malicious insiders that are causing breaches than what we’ve seen before.

David Spark

And, Forrester is no fly by night organization?

Mike Johnson

Absolutely not. I think it might come down to the fact that this was survey information versus incident responder data, and, maybe, people, the types of things that they’re willing to answer on surveys, they’re not what they would bring in an incident response organization for. So, I think it’s a different perspective than what we’ve seen before with the Verizon report. So that was interesting to me. But, back to your question, I haven’t, personally, seen change in my org.

David Spark

But, your org, being unique, not a lot changed for you because you were already set up for this.

Mike Johnson

We were already remote. So, it wasn’t really that people now thought, woo hoo, I work from home, I’m going to change my behavior, it was very similar and normal to what we’d had before, but I have spoken with a few fellow CISOs, they have had malicious insider events. I’m not sure that Covid factored into those particular ones, but, certainly, malicious insiders are a thing. I’ve talked with CISOs who’ve seen them before, and I think time will tell if it’s Covid related or not.

David Spark

I throw this to you, Matt. This would be for yourself and your clients, would you say that this research that Forrester is claiming or quoting, whatever way you want to say it, has been borne out by what you’ve seen?

Matt Radolec

Absolutely, and the rise of collaboration has driven that a lot.

David Spark

Collaboration in what way?

Matt Radolec

External sharing. I think, pre-pandemic, some organizations used solutions like Box to collaborate with outside parties, but, by and large, it was rarely governed and controlled, but with the explosion in Microsoft Teams and Office 365, we’ve seen more accidental data breaches, and I think that’s what the Forrester Report catches the light of better than the DBIR, and, what I mean by that, is that if someone that doesn’t know unwillingly, accidentally shares treasure troves of sensitive data to unauthorized third parties, which would create that duty to report, that obligation to note that you had a data breach, that may not have had a malicious intent, and I differentiate these things as insider threats versus insider risks. Every employee is an insider risk, and an accident waiting to happen. They just have bad training or bad coaching. We saw a lot of a rise, especially in the beginning of the pandemic as well, with the classical insider threat. We think a lot about the Edward Snowden type, the amassing of information to, maybe, sell, exfiltrate, for political or personal gain, and, when the pandemic came and people had job uncertainty, we saw a lot of organizations dealing with internal employees who were hoarding data. They were accessing a lot more information and copying a lot more information to unauthorized places than they were pre-pandemic. So, our research and the incidents that we’ve seen, which we did about just shy of 1,000 in 2019, and a little bit over 1,200 in 2020, would be more in line with the Forrester Report.

David Spark

And, so, you definitely, yes, because we’ve done reporting and heard from, actually, some past sponsors, and they said, “The malicious attacks, they only account for a very small percentage of the risk,” but you say that you’ve seen it a lot more?

Matt Radolec

Yes. I think that, in terms of the most common insider risk, the first one is the accidental, I call it the pure, “I just didn’t know that I was doing something wrong.” The second one, less common but still common, would be the internal employee that’s stealing information for personal gain. The last one would be the malicious intent, like, I want to disrupt, destroy or cause harm.

Are we having communication issues?

00:08:18:01

David Spark

Having a public incident response plan when suffering a very public breach. We’re recording this episode just a little over a week after the Kaseya ransomware attack. While a lot has come out about warnings and preparedness of the Kaseya platform, many in the cyber security community are applauding the public response made by the company’s CEO, Fred Voccola. He gave a ten minute video message outlining the facts. What we do know. What we are doing. And, how we are going to help. Now, I’ll start with you, actually, Matt on this, what was right about this message? Was there anything you felt was missing? And, outside of classic table top exercises, is there anything a company can do to prepare to be able to deliver the same kind of message?

Matt Radolec

I really want to focus on the first question that you asked, David. Which was, “What was right about this message”? I think that the fact that the company has come out and said, “This happened”, “We’re aware of it”, that they didn’t shy from it or come out and say, “No comment”, is one of their strengths. I also think that, coming out and saying, “This is what we know and we don’t know everything”, because, a week after an attack like that, you’re not going to have all the answers. I think that’s another thing that they got right about the message. I think one of the things that was missing though was acknowledgment about why it happened in the first place. An acknowledgment about the particular weaknesses that were excluded. How they could have been better or done better, though I’m a little bit concerned that they, likely, didn’t discuss those things due to potential liability associated with making those statements in the public domain. But, the third question you asked, that got me really thinking. Other than a table top exercise, what could you do to prepare for something like this? How could you deliver that kind of message? And, what I often recommend, outside of table top exercises, is actual attack simulations. Let someone commandeer your network and unleash a full blown attack. Be prepared. Actually go through it and make a statement about it. You don’t need to have your PR firm in there to be able to actually give it to the press, but do everything up to actually releasing it to the public, so that you can go through a full blown exercise of what it’s like to be attacked, and also test your systems, trying to prevent this from happening altogether, especially if you’re someone that’s in the managed services business, or in the supply chain.

David Spark

Alright, Mike, I’ll take this to you as well. I was quite impressed with just also the way the CEO spoke. It didn’t seem that he was reading fully a script. Like it was coming from him honestly. What was your take?

Mike Johnson

I agree with you on that. I think there were talking points, but he was, generally, speaking his mind, and I think there’s advantages and disadvantages to that. So, the advantage, I do appreciate that he talked to the facts, and I think that’s good. This is what happened. These are the facts. He talked about their incident response plan and how they executed that. One of the interesting things that he mentioned that I thought people should really take notice of, was he said they made the hard decision to shut off all customers in order to save the rest of them. So, there was an impact to a subset of their customers. If they didn’t shut them all down it could have gotten worse, it could have gone further. But, that was painful for those customers, and so, they acknowledged that, they acknowledged the difficulty of making that decision, but mapped it back to that was part of their plan. This is part of what we intended to execute and it worked. At the same time, and, again, I think this was him speaking his mind, I didn’t hear an apology. I want to hear, “We acknowledge that there is pain here, and we acknowledge that we had a part of that”, and that’s where, again, it came through that he was speaking his mind, because it felt like he was personally attacked, and he was really talking about, “This happened”, rather than, “We had a party to it or we were party to that.”

David Spark

I can understand why he would deliver the message like that, because he wanted to make it clear, these were criminals who attacked us, that affected you, but never, at one point, saying, “We had a failed point here and that was on us.”

Mike Johnson

By no means am I blaming the victim here. The fact of the matter is, if they weren’t attacked they wouldn’t have been compromised, period. But, like Matt was saying, they didn’t talk about what failed, what they could have done differently, or what they’re going to do in the future to prevent this kind of thing from happening. It was all very situational and in the moment, and I think that would have helped make customers feel a little bit more confident in what’s to come.

It’s time to play, What’s Worse?

00:13:08:18

David Spark

Matt, you know how this game is played. We, essentially, have two awful situations and these, by the way, are guaranteed awful situations. Well, and, sometimes, we have two good situations, one’s less good than the other. That happens every now and then, but these are two awful situations, and, as a risk management exercise, you have to determine which one’s worse. This one, I just recently came up with and I just thought it was humorous and funny and, sadly, I wouldn’t be surprised if one of these, potentially both, have actually happened to one or both of you.

Mike Johnson

[LAUGHS]

David Spark

Get ready. What’s worse, Mike, and, by the way Matt, I always make Mike answer first, but feel free to disagree with him, because I love it when people disagree with him. Here we go. What’s worse, Mike? Drowning a laptop or setting it on fire?

Mike Johnson

[LAUGHS] Wow. Drowning a laptop or setting it on fire? I, honestly don’t know what is more damaging. I guess there’s two different ways of What’s Worse?, here. If your intention is to actually destroy evidence, then I think setting it on fire is actually the better solution, because I do think you can recover something that has been drowned. I think there’s the opportunity, if you do it quick enough.

David Spark

Let’s just say it’s been fully submerged for a minute or so.

Mike Johnson

It’s been hanging out there for a while.

David Spark

It went for a dip. Kids threw it into the pool. They went diving for it to pick it out. [LAUGHS]

Mike Johnson

I think that, again, from a recoverability perspective, if it’s been torched it’s gone.

David Spark

I know some drive savers. Those guys, they’ve been able to pull data off of burnt drives.

Mike Johnson

But, I think the technicality there is, they’ve been able to pull them off spinning metal versus solid state drives. We’re used to recovery from spinning metal and that’s actually easier.

David Spark

So, you could answer both ways. If it’s a spinning metal drive versus a solid state?

Mike Johnson

I think, in reality, the drowned one is still more recoverable, regardless.

David Spark

So, burned is worse?

Mike Johnson

Burned is going to be the more difficult one, so burned would be worse. Please don’t burn your laptop.

David Spark

In both cases, whether it’s a hard drive or solid state?

Mike Johnson

Correct.

David Spark

OK. Alright, Matt, I throw this to you. And, by the way, I could probably agree with the solid state because I have put iPods through the washing machine, and they’ve played fine afterwards. Alright, Matt, which one’s worse to you?

Matt Radolec

The burning is definitely worse, for almost the exact same reason. I want to disagree with you on the physical drives, because corrosion, it really depends on how long it’s going to be submerged, but solid state drives, I mean, let’s toss one into the bottom of the ocean and revisit in the show next year, and see if we can get some data off of it.

David Spark

[LAUGHS]

Matt Radolec

As long as the drive itself stays intact, we’re probably still going to be able to get all the data off it. Same thing with like a flash card, but for the physical media, as soon as it starts to corrode, I think you’re going to have too much data corruption for even the best to be able to pull files or anything of importance off that, besides meaningless bits and bytes. So, I’m going to go with drowning for the physical disk, or the metal disks, and fire for the solid state drives.

David Spark

Alright. A split decision even on your answer, but I’ll take that because we didn’t specify what kind of drive was in the laptop.

Please. Enough. No. More.

00:16:27:18

David Spark

Now, as I mentioned, we’re recording this episode in mid July, and the topic is ransomware. Now, this is going to air in August, and the fear is that all ransomware will be solved and we’ll look like fools.

Mike Johnson

Yes.

David Spark

Do you think that’s going to happen, Mike?

Mike Johnson

I’m terrified that that’s going to happen.

David Spark

Terrified. We’re going to look like idiots talking about something.

Mike Johnson

We’re going to be talking about ransomware, and it will no longer exist in a month.

David Spark

I know. They’ll be, like, “Oh, that’s so early August. Please.” [LAUGHS]

Mike Johnson

Yes, that’s going to be terrible.

David Spark

Mike, here’s what I want to ask you. It’s the Please Enough No More segment, where we ask you what you’ve heard enough of and what you want to hear more of. What have you heard enough about with combating ransomware, and what would you like to hear a lot more?

Mike Johnson

There’s really two topics that I hear talked so much about, related to ransomware, and the first is the debate over whether or not you should pay the ransom. That’s, almost always, what people go to first, and the second is they just recover from backups, and that’s all you really hear about today, with regards to ransomware, and I’ve heard enough. And, what I’d like to hear more of, is actually the prevention side. What can you do to actually prevent ransomware from being a problem for your organization? Rather than what we see today which is solely on the response side.

David Spark

I agree with you. Alright, Matt, I’m throwing this to you. What have you heard enough about, when it comes to combating ransomware, and what would you like to hear a lot more?

Matt Radolec

I think I’ve heard enough of, “My AV’s going to cover me.”

David Spark

[LAUGHS]

Matt Radolec

I’ve heard enough of the classic answer of, “My users aren’t going to fall for that.” “My AV’s going to cover me.” “I feel good in regard to ransomware.” Because I just think, however you give that answer, the threat actors are always advancing faster than you can defend. In the same lens, I think I’ve also heard enough about just pure, “We’re going to restore from backup”, and the main reason for that is, the ransomware actors, the game has changed a little bit. It’s extort and then encrypt, and not just encrypt data, so they’re going to weaponize your data against you, try to get you to pay from posting it online as opposed to just encrypting it. So, the backups aren’t going to save your data from being exfiltrated. The thing that I’d like to hear more about, and hear more people talk about, is everything that you can do, from a preventative side, but also what you can do in order to move detection of cyber criminals to earlier than the moment that they unleash encryption. I think that organizations are really focused on how can I stop the potential impact of an attack? How can I move that detection earlier in the attack story or the kill chain? Or, whatever techniques that you want to pick up earlier in that attack storyline. I want to hear more about that and more about all those preventative measures that you can take.

David Spark

I know ransomware is a big charge for Varonis, and where are you playing currently in the spectrum of, essentially, the ransomware problem? I’ll keep it open.

Matt Radolec

There’s really three main areas that we focus on. The first one, and it’s something that I mentioned at the beginning of today’s podcast, and it’s all about reducing the blast radius. We focus a lot on reducing the amount of information that’s exposed to any one user. Oftentimes, we find about 25 percent of an organization’s data is accessible by every single employee, every user, and every computer, and that’s the low hanging fruit from a ransomware standpoint. These are the things that you want to limit. The second thing that we focus on is exactly what I just said, which is moving that detection to earlier in the kill chain. We want to be able to identify the cyber criminals when they compromise their first account, or when they escalate their privileges to their first service or admin account, and not just when they start to unleash the ransomware. But, at the minimum, when that ransomware gets detected, you should be able to automatically respond and contain it to prevent something like a business outage. That’s also what reducing the blast radius is all about, making sure that if the only thing that happened is one laptop got encrypted, or a handful of files got encrypted, you’re doing pretty good.

David Spark

Did I miss number three? One, was the blast radius.

Matt Radolec

Moving detection to earlier in the kill chain, and, three, is automated responses. So, being able to rely on automation, so that, when ransomware gets identified, it gets stopped in its tracks immediately.

David Spark

Working with your clients on stuff like this, what has changed in– this is very much geared towards ransomware, but I’m sure it’s also changed their security program in general to implement these three steps, which are, by the way, excellent ways to handle this issue. I think this is a real great plan of attack. What has changed with their security program overall?

Matt Radolec

I think the acknowledgment from the board that these things are going to happen is the biggest thing that’s changed. When I think of earlier this year when Darkside was the flavor of the month, organizations were actually afraid, they were scared, and executives were saying to CISOs and CIOs, “You need to do something about this, because I want this to be on you and not on me if this goes down. Are we safe? Are we protected?” and I think that’s changed the game in regards to how executives, even with, I would say, strong security programs, are reevaluating what their ransomware defensive posture looks like, and what we call their ransomware preparedness is, and I think everyone would benefit from doing an assessment. What would happen if ransomware was unleashed on our network right now, today? What would the impact be, and what can we do in order to limit that or reduce that?

David Spark

Let me throw this to you, Mike. This seems like a pretty solid plan. Do you do something similarly? And, if so, what changes in your environment yourself when you do this? And how effective has it been?

Mike Johnson

For us, we are making sure we understand what the ransomware threats are. You can’t overreact, and, for us, I’m not saying that we’re safe but I’m just saying, as a general statement, if you think the sky’s falling then you’re not going to be able to get anything done. So, a good portion of a ransomware assessment, I think, should be understanding who your likely adversaries are related to your environment. Again, specific to your environment.

David Spark

So, let me pause you there for a sec. How do you actually know that? Is this just basic threat research?

Mike Johnson

There are companies out there who do all this research for you, and you can go and ask them, and, usually, they’re probably a company you already have a product of theirs of some sort, and you can reach out to them. They’re doing all the threat research. They can tell you, “These are the TTPs that we see for the active operating ransomware gangs. These are the things that you need to worry about. If you have X in your environment you should be extra concerned. If your environment is not at all connected, if it’s a small place, all running on Apple tablets, then you’re probably OK, and you don’t need to worry about it as much right now.” So, a lot of, from my perspective, the assessment is, what does our environment look like related to the current actors and trying to stay ahead of that. Trying to see what the themes are going to be, so that you’re prepared when they shift to paying attention to your kind of an environment.

Matt Radolec

Can I interrupt and challenge that a little bit and get your thoughts on it, Mike.

Mike Johnson

Please.

Matt Radolec

You said something there around like, knowing your actors, and I think one of the things that you have to be a little bit aware of is, in Darkside, was who came through to this, they had made a mistake. They actually openly admitted, “We didn’t mean to do that” with one of the victims that they have claimed, and a lot of people had felt the impact of. Is there some level of concern that those cyber criminals are so brazen that they don’t really care about who the target is anymore?

Mike Johnson

I think that’s a very good point, and especially if you look at Darkside, which has an affiliate type organization, and it’s very distributed on who’s doing what. The core operators of Darkside were not happy that that particular affiliate went out there and did what they did, but, at the same time, again to my example of, if none of the operators out there are targeting Apple iPhones, then if that’s all you have in your environment, then you’re probably OK for now. It’s not that they, necessarily, go after a certain profile of company, because they’re all opportunistic. They, generally, don’t target specific environments. Colonial Pipeline was not an explicit target. It was a target of opportunity, but if my environment looks different and is, perhaps, already at a certain level, then ransomware isn’t my number one threat and isn’t the number one concern that I have at the moment.

Close your eyes. Breathe in. It’s time for a little security philosophy.

00:25:18:18

David Spark

Over on BBC News, reporter Joe Tidy, has asked, “Should we make paying ransomware illegal?” Tip of the hat to John Haden of Trend Micro for bringing this article to my attention. Almost universally, we hear from security professionals not to pay the ransom, as it just fuels more ransomware. So, if that is the universal belief, why couldn’t we just make paying the ransom an illegal activity? That would take the burden off the recipient of the choice to pay, but, if it was made illegal, it would become a horrific game of chicken where criminals would focus on organizations that couldn’t handle downtime, like hospitals, water and energy providers? It seems extremely dangerous to make ransomware illegal, but, I’m going to start with you, Mike. Purely, as a thought exercise, what good do you think could come out of it?

Mike Johnson

Well, I’m with you. I don’t know that I agree that making paying ransom illegal is a good idea, but it’s a thought exercise, so let’s go with it. And so, the way I think about it is, ransomware is what it is because they make money. If they couldn’t make money off of it the theory goes that they stop. That’s the whole idea behind making this illegal, and if they’re illegal, then that cuts out the revenue, they go somewhere else. One of the problems that I think everyone continues to forget in the world of security and regulations, is the internet actually doesn’t care about borders, and you would have to make this illegal globally. You would have to make it so that, no matter where you are, that it’s illegal. Again, thought exercise, I get it, but that’s what would happen is, if you make it illegal in one place, they’re going to just pivot somewhere else because they make money. Now, again, turn it all off.

David Spark

This would have to be like a Geneva Convention?

Mike Johnson

Yes. And, that was easy to do, so we could just do another one of those.

David Spark

[LAUGHS] Sure.

Mike Johnson

But, they’ll go somewhere else. The ransomware gangs themselves, a lot of them came out of banking trojans. They will just go back to that. They would find other ways of making money. They’ll steal credit cards, steal banking information. They’re capitalists, at the end of the day. They’re going to spend the least amount of resources to make the most amount of money. Just full stop. So, right now, it’s ransomware, but, if they can’t make money there anymore, they’ll just pivot somewhere else, and maybe they actually go somewhere that we’re not ready for. We weren’t ready for ransomware when they pivoted from banking trojans into ransomware. They might go somewhere else that we’re not ready for. So, at least right now, we, kind, of, understand ransomware. This would force an evolution that we may not be ready for.

David Spark

And, should I also point out that everything that’s made illegal has actually stopped.

Mike Johnson

Absolutely. 100 percent.

David Spark

[LAUGHS]

Matt Radolec

Even everything in the Geneva Convention, right? No one’s ever done anything in there before?

Mike Johnson

Good point, Matt.

David Spark

Matt, let me ask you, purely the thought exercise. I’m going to assume you think this is an insane idea, making ransomware illegal, but, what would be the net benefit if we did it?

Matt Radolec

I’m going to give you a little bit of a biased answer first. The net benefit is people would care a lot more about their data being stolen, because extortion has been known to be one of the techniques used by the ransomware operators, I think that would be the new, shiny thing. I’m taking all your data. You need to pay me to keep it from posting online. I’m going to find the juiciest, most important stuff, your intellectual property, your employee records, salary information, HR information, so, that would be good for business. It would be good for me if people, if data protection became an even more paramount problem. The other thing that I think would be good, is it would make people rethink whatever the next thing was, and these waves of security do have a trickle down effect. I think that, in large, ransomware has made almost every organization consider backups, and so, the next wave, the next big thing, would probably make every organization think of something new or different than we may take for granted as something that everyone should do, but the average organization does usually have backups these days, because they’re thinking about things like ransomware. So, it would drive the next evolution in cyber security for what the minimum would look like.

Closing

00:29:45:12

David Spark

And, that’s where we’re going to conclude today’s episode. That was awesome, Matt and Mike. Thank you very much for coming on and having your names alliterate. That makes things a lot easier for me. I want to thank our sponsor for today’s episode, Varonis. That’s your company, Matt. I’m going to let you have the last word, and let us know, A, if you’re hiring, and, B, any offer you’d like to make to our audience, or where to connect with you, or if they want to learn more about the ransomware offerings from Varonis, please let us know. But, first, Mike, any last words?

Mike Johnson

Matt, thank you for joining us, and what I really appreciated was just your expertise in dealing with ransomware. We talk a lot about ransomware on this show, and having someone who really understands it, is dealing with it, and can remind us that it’s not exactly what we think it is. I very much focus on the encryption aspect, and you kept reminding us, it’s also the extortion and the data leak aspect, so thank you for bringing that expertise, and I also wanted to explicitly call out your mention, when we were talking about communication, and you were talking about attack simulation versus tabletop exercise, and it’s a good reminder that those are two different things. So, specifically, that nugget that people can remind themselves of, that attack simulation and tabletop are not the same thing. But, also, really appreciate your expertise on ransomware and sharing that with our audience. Thank you for joining us today.

Matt Radolec

Thank you so much. First of all, the two of you, thanks for having me on the show. I hope I get invited to come back some day. This was really fun. As far as what message I have for our audience, first, it’s consider a free ransomware preparedness assessment from Varonis. It’s totally free. We will come in and help give you a prescription of what we can do to reduce your blast radius and increase your ability to detect and respond to a cyber threat, and, again, it’s provided totally for free. You just go to Varonis.com. Secondly, we’re hiring all over the world, so if you want a future in data security, you care about fighting cyber criminals, go to Varonis.com, check out our careers page, and consider a job with Varonis.

David Spark

Awesome. Thank you very much, Matt. Thank you very much, Mike. Thank you very much, audience. We greatly appreciate you. Stay safe from ransomware. That’s my tip.

Mike Johnson

Great tip, David. Everyone’s going to appreciate that. Thank you.

David Spark

Don’t get attacked by ransomware.

Mike Johnson

Yes, thank you.

David Spark

Well, if they do, you can’t blame me. I gave them the tip. [LAUGHS]

Mike Johnson

Yes. You’ve covered that one.

David Spark

Thank you, everybody, for contributing and listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.