Cybersecurity: Amplified And Intensified

Episode 31 - Security and compliance guidelines with Vince Crisler

September 27, 2021 KONTINUUM

Vince Crisler has more than 20 years of IT and cyber security leadership within the Department of Defense, federal civilian government, and private sector. He is the CEO and Founder of Dark Cubed, a cyber security product company focused on innovative solutions for small and midsize companies. He is on the IT Security Executive Council for CompTIA, the Executive Committee for the CompTIA ISAO, and a member of Embry-Riddle Aeronautical University's Worldwide Industry Advisory Board.

Prior to founding Dark Cubed, he co-founded Fortalice Solutions, an innovative cyber security consulting company that supported Fortune 500 and Government Agencies. Crisler previously supported the Department of Homeland Security (DHS) and Sandia National Laboratories in the development of cyber security protection programs to defend the networks of Federal Departments and Agencies, as well as those belonging to critical infrastructure and key resources (CI/KR) owners and operators. Crisler was the primary author for the five-year technical vision for the National Cybersecurity Protection System, a $3B cyber security program within DHS. He was also a co-author of the DHS Enhanced Cyber Services (ECS) Program, establishing a critical cyber security information-sharing program, which was formally announced in Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity.

Crisler also served as the CISO for the White House's Executive Office of the President and was responsible for the creation of the first ever cyber security operations center to protect White House networks.

Prior to the White House, Crisler served in the United States Air Force in organizations including the White House Communications Agency, the National Military Command Center in the Pentagon, and Ramstein Air Base in Germany. Crisler earned a Bachelor of Science in Computer and Information Science from the Ohio State University and a Master of Science in Management from Embry-Riddle Aeronautical University. He currently lives in the Washington D.C. area.

Vince Crisler
https://www.linkedin.com/in/vincecrisler/
https://darkcubed.com/

Eric Taylor
https://www.linkedin.com/in/ransomware/
https://twitter.com/barricadecyber
https://www.barricadecyber.com

Shiva Maharaj
https://www.linkedin.com/in/shivamaharaj
https://twitter.com/kontinuummsp
https://www.kontinuum.com/

Shiva Maharaj:

Good morning, welcome to another episode of Cybersecurity: Amplified and Intensified with your host, Eric Taylor, myself, Shiva Maharaj. And once again, we're joined by Vince Crisler of Dark Cubed.

Vince Crisler:

Hey, guys, good to be back.

Eric Taylor:

Good to have you back.

Shiva Maharaj:

So I know Eric is in a tizzy about some farming infrastructure on kicked off, Eric.

Eric Taylor:

Yeah. What's going on? Gentlemen, it's good to see you again, Vince. So yeah, like was talking a little bit, you know, BlackMatter has essentially hit some sort of US farmer cooperative. And the cooperative is coming back, according to some of the screenshots that were posted on Twitter, you know, hey, we're infrastructure you set on your website, you're not going to hit the infrastructure. So they'll, Why are you hitting us what you know, give us our keys back, you know, help us out you we're, we're not gonna pay you. Cece is going to ask for, you know, answers in about 12 hours, things of that nature. And it really seems like a big escape scapegoating type of data they're using, you know, this, what I want to pose to the group to start this whole conversation off is, are businesses really taking the stance that, hey, we are under a certain class of industry. So ransomware folks are not going to come back to us. Because, you know, that's affecting the supply chain.

Vince Crisler:

I love it. Like you're a criminal, and you're not going to attack me because you said you wouldn't. And I expect you to honor that. Like, I just Is that really the state that we're in today? That's what I see your defenses like, I'm off limits. I don't have to save like 30.

Eric Taylor:

Yeah, I mean, even they are most of them will say, if not all of them. Yeah, not all of them. But most of them will say, if you're a hospital, we're not going to attack you. Right. So I think that leaves a guard down like, Oh, well, you know, yes, we're insecure. But we don't have to worry about ransomware quite so much. Because 90% of them said they're just gonna leave the EFF alone. This is a figure out where a hospital? Yeah, but history has shown that that doesn't work. Right. You know, it's the same concept is, okay, an arson comes into your house. And as long as you're, you have Jesus posted up on your wall, they're not going to burn down your house, because they don't want to make Jesus upset. It's the same concept. There's a fucking arsonist. They're paid to burn shut down.

Vince Crisler:

I appreciate the honor among some well, quote, unquote, honor among some of these ransomware groups, but they're not everybody. Right, then I think if you're a critical infrastructure company, if you're a hospital, you know, in a major ransom, where a group says they're not going to attack you, I think that's fine. But that doesn't mean somebody else won't. Right. I mean, it just to rely on that as your security strategy is pretty ludicrous.

Shiva Maharaj:

But that's endemic across all industries, right? Everyone thinks they're never gonna get hit until they get hit. They will spend a lot of money shortly thereafter. But inside three months, they're back to tightening the purse strings on cybersecurity. Yeah,

Vince Crisler:

yeah, I think I'm getting hopeful that people are, are no longer have that mindset that like, it's not going to happen to me, because it's happened to so many people. But no, no, it's not.

Eric Taylor:

It's not because I can literally tell you that, you know, we have clients coming to us even today that were like, Oh, we thought we were secure. Oh, we thought we were not going to be affected? Because why would they ever had this? what you would call it freaking business? Right? That's they just don't understand. You're just a number. You know, they're running. So Dan scans are running in Mather there, yo, we actually have one, I can't go too deep into it. But it looks like it may be an Exchange Server exploit. The sysadmin says that they potentially patched the server, it doesn't look like they actually did. They didn't potentially provide the remediation, but the sysadmin is claiming up and down. That Oh, yeah, we did that. We did that. So the owner is under the impression like that's been done. So, you know, it's there's no trust but verify there's no due diligence. See, there's nobody double checking to make sure crap is done. And I think that the besides not wanting to spend the money, the ones that are spending the money, I don't think are verifying shit.

Shiva Maharaj:

I have a question for Vince with what your product does, Dark Cubed. How many times have you been deployed and you were able to prevent a ransomware event because you blocked off access to the command and control?

Vince Crisler:

I don't know if I have a number for you there. I know we have a number of our of the customers that we work with that deploy us in what they call hot environments, right? Like they get an IR that's ransomware or other and you know, speaking directly the words for one of our customers, that's like, the first thing we do on an IR as we drop in Dark Cubed, and things slow down really quickly. Right. And so, you know, we are we're not pretending to have a big SOC which is why we're not you know, tens of thousands of dollars. But, you know, we've been very effective at, you know, as people drop us in slowing down the bad stuff that we're seeing,

Eric Taylor:

as an IR company, I can vouch for that. Even in our runbook of engagement, it is part two, you know, getting CrowdStrike in there starting to pull logs starting to do the analytics and the forensics on all that we're dropping Dark Cubed as well, you know, we want as much data as possible. So,

Vince Crisler:

yeah, you know, we were continuing to modify our processes behind the scenes in terms of, you know, the threat intelligence we're pulling in and the sources we're grabbing. I mean, we're now identifying things like Cobalt Strike servers, and adding those into the lists. And so you know, those sorts of things are in your environment, we're going to disrupt those commit that command and control. As soon as we're up and running. Now, you guys from our last discussion, you know, I'm not a marketing guy. So I'm not going to say, Hey, we're the solution. But what I can say is, based on the feedback of customers that are using us, we're very effective.

Shiva Maharaj:

As long as you're not telling me you're built on AI, I'm good.

Vince Crisler:

AI, ML?

Eric Taylor:

Yeah. I mean, let's just be honest, there's, you know, and this is going to be a poke at ThreatLocker, because they, when the whole Kaseya crap came out, ThreatLocker was like, Oh, we could have stopped this. No, no, shut the fuck up. No. Um,

Shiva Maharaj:

did you guys see anything related to that attack with your clients? with the, with the Kaseya attack on July 2, did you get anything,

Vince Crisler:

we were actively monitoring the indicators associated with that coming out of folks, man, we saw, you know, we saw no activity across our customers with those IOCs. I mean, we saw one going like, one of them was active a year and a half ago. But, you know, in, we put out a notice to our customers, just a heads up, you know, here, the IOCs here, you know, as you may or may not remember, we launched a new notifications platform in January, February timeframe. And so you can actually drop those IOCs into a notification and get alerted that they show up on your network. But, you know, in a lot of these cases, you know, we're not some of these some of these more sophisticated attacks, like we're not seeing those IOCs in our customer base, which, you know, is is is interesting to me, right? It's either, you know, you know, these the the fear and uncertainty that's being spread in the marketing, or, you know, the smaller end of the market isn't being hit as much. But we're seeing a lot of activity from just this bulk commoditized scanning and attacks that are just targeting everybody. The other really cool. I was gonna say the other really cool thing we've seen lately is, we have an integration with GreyNoise. I don't know if I talked about that last time. Now we're like, great, heavy GreyNoise has an awesome kind of global infrastructure, where they're looking for people that are doing automated scanning, looking for zero days, like when a zero day gets released in the wild, they're seeing people scanning for pscs in like, minutes to hours. And we're tapped into their API as part of our scoring process, we've absolutely seen examples of a new server get stood up, GreyNoise picks it up, and we block it, which is pretty cool.

Shiva Maharaj:

What's, what's the turnaround time on that kind of thing? Typically,

Vince Crisler:

minutes to hours, it just depends on like, whenever somebody sees it, like, less than, you know, a day.

Shiva Maharaj:

I think that's the quite honestly,

Vince Crisler:

yeah. And I, I've started to use automated intelligence instead of artificial intelligence, internally to our company, because we found like, you can take smart thinking around some of these processes and automate it with code across all of our customers, which is really cool. Like, the benefit that our customers are seeing by some of this work we're doing behind the scenes, they're not even aware it's happening, which is good and bad, right? Like it's, you're protected without having to think about it,

Shiva Maharaj:

are you guys doing anything for the work from home slash work from anywhere thing with maybe an agent coming out, for those not behind a firewall,

Vince Crisler:

it is a it is a big priority for me. And for us, you know, any any growing company that you have to choose between following the market and focus, like right now, our core focus is making the product work as effectively, as efficiently as we can, in our core areas, we grow and scale. And we are in the middle of fundraising discussions now. And a key part of our roadmap is solving that that we built, we built a POC that, you know, made some progress where we integrated WireGuard. So if you mess around with WireGuard, but they have a nice agent that comes out with WireGuard, it's integrated in the Linux kernel now, but it's instead of using instead of using credentials for a VPN, you use a public private key. And so we built a capability early in COVID, where we said, you know, let me deploy a WireGuard agent on all the endpoints and then have all that traffic route through a server in the cloud and then deploy DNS protection and Dark Cubed on top of that, and we had some good success there. The challenge just ends up being like that market is swamped, right like in terms of VPN and protection and and what's the right price point and how do you get the right scalability so we had some success on that to see it's just how do you scale that in the market is hard.

Eric Taylor:

So our is Dark Cubed? Is Dark Cubed with an agent or possible agent deployment Are you going to be essentially just pulling a bunch of Windows event logs to syslogs or Sysmon and PowerShell logging for reporting back for a complete picture or what's your end goal there?

Vince Crisler:

I think in the near term, and we're talking 12 to 18 months, it's strategic partnerships with people that already have endpoints, right? There are a lot of endpoints that are deployed out there that are already seeing network telemetry, so integrating with those endpoints to pull in the telemetry and augment. So you may have endpoint x deployed on your, across your, your customers already. And now you can just kind of get a single pane of glass between your firewalls and your remote workers. Like that's the near term view. Like we don't, we're not going to get into the endpoint market. Like there, there are too many endpoint companies that are focused on security. We'd like to augment that.

Shiva Maharaj:

And what are the firewall brands you guys work with right now because I know you dropped UniFi just by the nature of how they operate, not that UniFi is a firewall, at least to me.

Vince Crisler:

Yeah, UniFi is a funky example, like we had emailed them about doing some better integration. And you know, when you poke around what's going on behind the scenes there, it's it is not friendly for integration at all. But it's just crazy what they've done at UniFi, and there's no, there's no security. I don't know if it's no security, but little security. There's like the block lists, like, this is something that was funny to me, and I'll put a disclaimer that maybe they've updated it. But you know, when I went when I was actually doing some of the integration testing with with Ubiquiti, and you look at their block list, and they update daily, so it's like you're subscribed to all these block lists, but it's only updating once a day, right? Not even not even every hour. So it's like, it's just like, it's just bizarre. It's too little for me. I think that for us, like the ones that are super fast and easy. You're talking like Merakis, SonicWalls, Palo Altos, FortiGates. Some of the more challenging ones, depending on the behind the scenes stuff, you're talking the Cisco ASA, we, you know, with those ASAs being phased out. So foce there's some some trickiness to get the blocking working. pfSense, you know, works pretty well. On the logging side, there can be some some trickiness, in terms of of how the pfSense itself is configured. And then with WatchGuards we can do kind of logging and scoring and visualization. But the auto blocking isn't isn't up and running on the WatchGuard.

Eric Taylor:

Yeah.

Shiva Maharaj:

What are the emerging threats that you guys are seeing these days? You know,

Vince Crisler:

you know, across the board, you know, we're all into that two ways. You know, one is just the bulk scanning for vulnerabilities and PLCs. And looking for exposed ports. Like, that's what we're seeing a lot of people are just getting hammered. I've always said like, if you're connected to the internet, you're getting hammered. Like, I don't care if you're a dentist office in Hoboken with two employees, like if you have a public IP, you're getting hammered. And then, you know, on the threat intelligence side, kind of we're watching a whole assortment of stuff. You know, we're watching forum spam lists, we're watching block lists, we're watching malware command and control lists. And, you know, the way we think about these sources is not necessarily, you know, I don't care if some if an IP shows up on a forum spam list or, or a malware command and control list, but I care about is like it's doing something bad, and how confident are we that it's doing something bad? And that confidence comes from how many different sources have told us how much we trust those sources? And how recent it's been, right? So if a bunch of sources say an IP is bad yesterday, we're pretty confident, that's bad, I don't care what it's doing. I'm just gonna block it. Right. And one source said it was about a month ago, you know, I'm pretty, I'm not very confident it's bad anymore. So you know, our whole mindset is like, how do you how do you take this human analyst element out of it, and stop focusing on exactly what the bad guys are doing? and more, what infrastructure are they using? And how can you be as quick at making this decision as possible? So you can block it.

Shiva Maharaj:

Speaking of infrastructure, and this might trigger You are so sorry, not sorry? All these cloud SaaS applications out there? Are they doing anything remotely? Like what let me phrase this properly? Take Salesforce, for example. They should be scanning, or they should be looking at the IPs coming in and out of their systems. I would say they probably have a security team. And they're spending resources in the correct way to help them but the smaller guys like maybe the Datto RMMs, the Kaseyas, SaaS platforms or N-able or ThreatLocker for instance, can these guys use your product on their systems? Because let's remember, the cloud is just somebody else's computer, right? So it's not like this ephemeral thing up in the sky.

Vince Crisler:

So you know, as a as a tech, technical founder and entrepreneur, like my mind goes in lots of places. And I've had some, we've actually done some private side projects, one of them with a very, very large publicly traded data company.

Shiva Maharaj:

Which one? They're telling me it's Palantir. No, it can't tell us. I don't know, he paused. It could be.

Eric Taylor:

Let's not try to get our buddy in trouble now come on.

Vince Crisler:

And the whole idea here was like they have a massive API infrastructure. And people are globally using that API infrastructure. And they, they're pretty confident that bad things are happening. But how do you do that at scale? Right, and like, and so we did some, some proof of concept around the ability to, you know, look at that traffic, identify anomalous bad stuff, using our scoring as a front end. And I think we're pretty effective. The challenge just becomes, you know, how do you price and prioritize that amongst the other products? And, you know, again, going back to, like, one, I'm one of them. For anybody out there that's, that's in the startup world or thinking of doing a startup? Like one of the biggest challenges is focus, right? You've got to pick, pick an area and focus and dominate that area. And the more widespread you get, the less effective you get. So I guarantee you like if we, if we shut down everything else we're doing and said, we want to focus on like API security protection, like there's a product there for us. But it's like, Where, where do we focus our time and energy as a, as a fast growing team here? So

Eric Taylor:

is it possible to start? Is there anything on the roadmap to start ingesting AWS logs, right, like that into your system?

Vince Crisler:

We can do that today. Awesome. With CloudTrail, CloudWatch. Yeah, we have a, we have a couple of companies we've worked with in terms of ingesting those logs, in processing? Yeah, to be to be blunt, like, I think, I don't know, if it's five years or 10 years, you know, I think this concept of a firewall goes away. Right? And so, you know, for me, you know, we are focused on this segment today. And it's an important segment, but wait, strategically, we have to be focused on cloud and endpoint, right? Like, that's where that's where the world is heading?

Shiva Maharaj:

Is the firewall really going to go away? When all these cloud solutions are still going to use some form of firewall or Azure Front Door?

Vince Crisler:

It depends on you know, if you're using like a load balancer in AWS, like, what do you put in front of that load balancer like your car? Do? You have a you know, you put you kind of break the idea of a load balancer. And so like, if you have there does have to be the ability to monitor incident. And the biggest challenge today is like an AWS and these other infrastructures, to put that in places is expensive. Like the keep launching all these cool tools and talking about like, these are great, that's going to improve security, but you start pricing those things out, and the cost goes way up. And I don't think that's something that you know, folks are prepared for in general is like, you move to the cloud, you start to get all this infrastructure up there, the cost to monitor it, and then store those logs is going to be higher than you think.

Shiva Maharaj:

So Oh, 1,000%. I don't think that monitoring is I don't think the pricing for monitoring has scaled enough for the SMB. I think, if you're Bank of America, you know, you're gonna spend a billion dollars on cyber, right? But you know, the company in the DIB, that's still in 20 30 million a year, they're not looking to spend a million dollars on security, even though they should probably be spending five.

Vince Crisler:

Did you know they can get it for free? Tell me what the DIB company can get Dark Cubed for free.

Shiva Maharaj:

Oh, that's right. Because you guys have your thing with the Pentagon that you mentioned the last time, right?

Vince Crisler:

Yeah, there's a group within the Defense Cyber Crime Center, DC3, called DCISE. And they've funded a program called DCISE3, for Dark Cubed, where they're giving away Dark Cubed for free to these companies. And that's been that's been a fantastic piece of work for us where, you know, we're not only are we doing what we're doing in the commercial world, we have a standalone environment for them in AWS GovCloud. And the government's giving, they're giving us their secret sauce indicators to protect those companies. So we've taken that business process from the government giving them a CSV file, of which most people had no clue what to do with, to being automatically protected by having those incorporated and archived. So that's been, that's been a lot of fun. And it's personally it's part of like one of those key missions I set out to solve when I started this company. So it's very gratifying to be doing that work.

Eric Taylor:

That's pretty cool. Now you're married, talking about that last time was on this. On your last meeting with us. The one thing I want to see if we can try to pivot to because we're always talking about security, and let's just leave CMMC in a dumpster fire that that shit is out of the equation. But

Shiva Maharaj:

before we go on, I will say that our last call was Vince taught me that compliance is an absolute waste of time in its current incarnation and just go towards security and leave the compliance regimes to themselves.

Vince Crisler:

So for the most part, yeah.

Eric Taylor:

So when a company is new, or a company wants to start looking at cybersecurity from a hole, just taking some compliancy out of the whole mixture. What would be their Vince as a person or Dark Cubed would say is the top three things that folks need to be looking at and And then if we start folding back in compliancy, where does those three things line up in a compliancy standpoint?

Vince Crisler:

Right. I guess the way I always talk about this is, you know, I think the punchline at the end of joke first, at the end of the joke for cybersecurity for all of us geeks, is it risk management? It's just boring old risk management. It's like, what are the threats and vulnerabilities and consequences? And what resources do you have to solve them? So in terms of like, what are the couple of things you do? Like, the first question is, how many resources do you have? Right? Do you have $1? Do you have $100? Do you have $1,000? And then how do you prioritize that against kind of the threat and vulnerability and consequence infrastructure you have, and the first couple of things are really simple, like, two-factor like, you got to have two-factor in place because users are domande are going to give people their password, right? Second is, you can't have users be admins on their machines, right? Like, it makes it really simple to install malware if the user is an admin, right. And if you don't have any visibility into that machine, nothing else matters, right. And then the final point is, you know, this is a little self serving, but I believe, believe it in my heart of hearts is, you know, you need to have some sort of ability to know when something bad is happening. And that's where kind of instrumenting your firewall with something like Dark Cubed to say, hey, I've been I've seen zero threats for the last two months, and all of a sudden, I see 1000, bad things on this network, something has changed, right. It's like a smoke detector, something bad's going on. And

Eric Taylor:

that goes one of the key points. So one of the things I always talk about is log aggregation and being able to go through those logs. Being able to say, you know, I'm looking at my firewall logs, I'm looking at my Windows Sysmon and PowerShell logs, and I'm looking at my cloud logs. And being able to parse all that information together, and being able to say what the hell's going on, we just find that so many people are not doing that, or don't have the ability to these think one or two people in an internal team or, you know, an MSP of under five is able to get the same type of things accomplished. And they're not as

Vince Crisler:

well, same thing respectfully, like you and I are geeks that enjoy that, and can do that. And most people like you tell them to go through those logs and look for something that matters. And it's like, they might as well be like, reading the one of the fan script, right? Like, like, I don't know what it means, right? And so, you know, for me, like, I like to simplify it and just say, like, you know, how do you know when to pick up the bat phone and call for help, right? Like, what's, what's the indicator that something bad is going on? And it really is as simple as like that smoke detector analogy, like, you know, it drives me insane, like on the Microsoft side, like how many Office 365 instances have been nailed by a phishing attack? And you go in for IR and see, like, 50 IPs from Nigeria, right?

Eric Taylor:

Yes.

Vince Crisler:

And like, how is that possible? Like that's, it's so freakin obvious that something bad is happening there. But nobody raised the flag until something bad happened

Shiva Maharaj:

is Dark Cubed doing anything to parse the logs, the 365 logs for IDs?

Vince Crisler:

Not yet, that's coming up soon.

Shiva Maharaj:

Okay. I'd be interested in that, because I've gone through most of the managed SOCs in channel and they're all not for me, as nicely as I can put it.

Vince Crisler:

Well, the fundamental issue with the managed SOC is price to value, right? Like if your model is I'm going to have tools and automation and humans, there's a price to operate that, right. And then I'm going to charge somebody the money to do it. So if I charge you for a full time person, right, and some of those tools, you're like, that's way too freakin expensive. If I charge you $1,500 a month, you're only getting a fraction of time out of that person. And they're there. From a motivation perspective, they're motivated to give you enough information to make you feel like they're taking care of you, but not overwhelm themselves with time and energy that they lose money.

Shiva Maharaj:

My problem with the managed SOCs that I've experienced in this channel, are they don't work at all? Like, I have specific examples where they miss things. Yeah, they will blame you for misconfiguration, despite sending out emails a few weeks prior to an incident, saying, yep, we're getting all the proper telemetry, everything's working, you're good to go. We're here to protect you. So I've seen it all. And I've heard all the excuses. And that's why I like something like a Dark Cubed. It's because it's very simple. And I don't mean this in a bad way for whoever's listening. It's a very simple product. We look at your logs, we tell you if they're bad, you set thresholds if you want to automatically block it or just be alerted or both. And I think if you start with something like that, you can build your own security practice, not necessarily a SOC, but as a provider or an internal IT. It puts you in a much better position because now you're being actionable as opposed to having the illusion of security because you're paying a managed SOC. My second question there is, are you guys going to integrate with any of these managed SOCs or SOC platforms so they can see the alerts you're generating to create some type of remediation or automation.

Vince Crisler:

That remains to be termed, did to be determined? I think it's clear that part of our roadmap has to be integrations and partnerships. And we've had feedback from a number of our customers, you know, whether it's Perch, whether it's other platforms that we really need to look at integrating into those for, you know, MSSP that may support up and down the stack, like the ability to integrate with those platforms is something that people are asking us about

Eric Taylor:

what I thought was an all encompassing SOC, why would they need somebody like Dark Cubed, because they don't work? Dude, sorry, I just got a heart off of Perch and the crap that it is,

Shiva Maharaj:

just to put it in perspective, for Vince, I was a Perch customer we did I did a POC with them for about six months and part of that POC, Eric was banging on the front door on the door of a firewall as loud as can be. And they never knew they never said anything. They never did anything. So it it

Eric Taylor:

went on for days. Like if at first we try to do a little bit of covert and we're gonna get a little ADHD and a little bit off topic here. But But you never knew what's new for us. Right? But we were, we tried to do a little bit of covert stuff, you know, hey, would they pick up this where they pick up that? And after a while there was no alerting at all going on. I was like, Alright, I'm just gonna go like a Mack truck with a Jake brake going down the interstate. Let's see what they find. You know, the baker doesn't know it, you know, here at a dinner that I go down. Yeah. everybody hears that. So I went at that for over 24 hours. Not a peep and I was changing my VPS I was coming from Korea, Japan. I came from my home residence. At one point I'm like, whatever fire up three Kali VMs. Attack, you know, just so much so much noise. And yeah, it was just crickets. I'm like, why? Really?

Shiva Maharaj:

I would, I would venture to guess, if I had you guys on there, and correct me if I'm wrong here, with proper Learning Center bother to my PSA or email, I would have seen him come in at some point. And it would have either automatically been blocked, or I would have been given enough time to block him.

Vince Crisler:

Yeah, I would, I would probably put money on the fact that some of the VPN infrastructure he was using had been used for attacks before. Those things would show up as nines and get blocked, right? Right, you would see that, he would see indications of that happening. Now, I'm pretty clear in saying, like, if somebody stands up brand new infrastructure that's never been used for an attack and targets you, like, our methodology is not going to pick that up. Like, we're not looking for no one a zero based activity, right? No one know the IP scanning. Yeah, most of these attacks that are being successful are just, these people are not hiding, because they don't have to, right? Like, they're just coming from known bad infrastructure all the time.

Eric Taylor:

This actually brings up a good question for you. Is Dark Cubed blocking Tor connections, or is there an option in the portal to start blocking any inbound Tor connections?

Vince Crisler:

It's another feature request we've had. We are using that as a source of data and flagging those. You know, the early iterations of our product were built on this idea, like, let me take another step back. When I started Dark Cubed, I was supporting the Department of Homeland Security, and I just built this program called Enhanced Cybersecurity Services, which was designed around this concept of taking TS/SCI indicators from, like, NSA, Cyber Command and other places, sending those through the Department of Homeland Security, sharing them via an agreement with AT&T, Verizon, CenturyLink and others to protect critical infrastructure from nation-state actors, right? So I just kind of built this infrastructure. And so when I first built Dark Cubed, it was around the idea of, you know, I wish there was a way that we could protect tens or hundreds of thousands of companies from known bad infrastructure but not reveal sources and methods. So that heritage is why there's not a lot of data in our UI around, you know, why it's a nine, why it's a seven, right? Because we wanted to be able to take sensitive indicators and not reveal how or why we know it's bad. Now, as we've evolved, it's become important to start to add in kind of some better context there. So just to give you a little bit of background of kind of why we think about this the way we're thinking.

Eric Taylor:

Now, what some, anybody who's listening to this, to really take a step back and really take a moment to think about this, what we're talking about, you know, Vince and the advancement of Dark Cubed, and even, you know, as much as we hate, we pick on Perch a lot: cybersecurity is always an advancing topic, an advancing landscape. If you are not taking yourself and advancing your methodologies, your knowledge, or partnering with somebody who does, you're being left behind and you're going to be open for breaches. That's the biggest thing I think people need to take away from this conversation so far. It's, yo, I want to stress that as much for a company like Perch or anybody else who has a managed SOC, and you're like, okay, we may have a glaring hole here, and let's partner with Dark Cubed or somebody else. Maybe that's a kudos to them to say, hey, we need to advance even our skills, I don't know. But you always got to be looking at the next level, you got to be looking at how to adjust and learn and grow to become more secure. Because by nature, the United States as a whole is so far massively behind on cybersecurity. That's why they attack us, right? And, you know, the math is group, the, the post, all the hack said, they go in and, you know, they talk, they either come out and say they target us because the US companies would rather insure a liability than protect from a liability. It's cheaper

Shiva Maharaj:

for the end customer. But going back to what Vince mentioned about Dark Cubed, I like the fact that your sources are anonymized. Because once you start talking about two degree TTPs and how you get that intel, these guys will adapt and change. So the title lead you can keep on that stuff means that you are going to be a far more effective product for me and my clients for a longer period of time. And that's what I don't like about a lot of vendors out there: they like to give you their day-by-day, play-by-play. And I always thought that compliance was a really neat way for hackers to put together targeting packages against industries and companies, because it's all laid out there. That's the barrier. From a company standpoint, compliancy is the bare minimum they have to do to not get fined. So typically, their security is going to be the bare minimum required. And that's ideal targeting, in my opinion. Yeah. And

Vince Crisler:

it's, you know, hackers are smart, they're in this to make money. They're in this, like, I think in a lot of ways they have a much easier job than the defenders, right? Like, how hard is it to go buy CrowdStrike and Cylance and Huntress and all these other tools and instrument a bunch of VMs with those tools and run your exploit packages by it, right? Like, this is happening. And so this is part of, like, part of this better mousetrap world of, like, you know, are you trying to detect the behaviors or signatures? Or are you just saying, like, whatever infrastructure they're using, we're gonna block as quickly as possible and make it more expensive and harder on them to do it, right? And I think that's, you know, it's a key part of our philosophy here, is, like, you know, if we can make it harder and more expensive for them to have to keep spinning up and changing infrastructure, we're going to slow them down a little bit, we're going to raise the floor on what it takes to be successful. And then I think, you know, we go back to, like, some of those basic things you'd implement, you know, if we're able to kind of detect some of these phishing sites, if we're able to detect some of these command and control sites, it makes some of your basic controls more efficient and gives you more time to focus on some of these other capabilities. Where do

Shiva Maharaj:

you see Dark Cubed in two years?

Vince Crisler:

In two years, you know, I think we will have fully embraced kind of a partnership integration model, where, you know, different endpoint agents will have Dark Cubed integrated in, right? So, you know, I think about, you know, let's, let it take name your endpoint, then you're doing kind of detecting malicious events, responding to them, kind of an IR perspective, but then you also need to have the higher-level view of what's coming in and out of your network, where your data is going, right? And so we're going to complement that. We're in, me, like, I think if you're a company with a big budget and a team of analysts, go for a SIEM tool, like, that's great, like, have fun. Most of the market doesn't need it. What people are trying to use SIEM tools for is to get visibility that things are changing and things are going on in their environment. Like, we want to be that product where you don't have to have analysts to be more secure. We can rely on automation, we can rely on the technology that exists to make people more secure.

Eric Taylor:

Where does Dark Cubed see themselves in the hierarchy of compliancy as a whole? And does Dark Cubed really see themselves being a part of the CMMC auditing process going forward, or working with auditors to help make sure they're doing any sort of compliancy?

Vince Crisler:

Absolutely. You know, most compliance frameworks have some element of network monitoring, threat intelligence integration, threat sharing, you know, and those are some of the boxes that we tick, and we do it in a way that, you know, frankly, is more affordable than anything else in the market, right? And so when you're thinking about the n number of things you have to do to be compliant, whether, you know, you're in Australia and you're thinking about things like ISO and some of these other emerging government frameworks, or you're here in the US and you're looking at CMMC, like, you got to check the box on the network monitoring piece, you got to check the box on the detection piece, you got to check the box on, no, are you actually consuming threat intelligence to protect those networks? And, you know, we help, we absolutely help check that box as part of a more comprehensive approach. I think what's interesting, not to go down kind of another rabbit hole, but, like, I don't know if you guys have seen some of these reports that have come out of CISA around managed service providers, in this framework, these frameworks that they've published for MSPs. Like, they're publishing a bunch of guides, I don't know, laughs at it,

Shiva Maharaj:

It's all bullshit. I mean, yeah, it is. Gods aren't.

Vince Crisler:

I think when you look at this guidance, like, it's, like, you know, multiple pages of detailed guidance around how a business should pick an MSP. Like, I don't think a single business is going to read it. But I think the smart MSPs out there are going to say, you know, we're paying attention to some of these compliance frameworks, we're making sure that we have a security stack that kind of covers the bases on these things. And in my proposal, I'm going to attach this, like, this risk considerations for managed service provider customers, this guide. I'm going to attach that to my proposal and say, hey, ask anybody else you're getting a proposal from if they're doing these things. Like, it becomes a great way to kind of go, I like that.

Shiva Maharaj:

I'm gonna, I'm gonna copy that from today.

Eric Taylor:

This may have just raised the tide

Shiva Maharaj:

five the problem with, and it's not really a problem with CISA and what they're putting out. It's the fact that they have to put out that single factor authorization, authentication, is bad. Like, as an IT provider, you should know this. You don't need a government institution to come tell you not using MFA is bad. Yeah. Right. Like, that's where I have an issue with the standard of people in my industry, not necessarily the vendors. But you, if I recall correctly, you built a lot of the early systems and processes over at Homeland. So

Vince Crisler:

I mean, it's a very large team, there are lots of people

Shiva Maharaj:

We'll give you all the credit, because we don't know anybody else. So they don't tell, don't worry about

Vince Crisler:

it. I was, I was in the room helping those folks think through, think through those strategies. Actually, one of my, one of my projects back in, like, the 2012, 2013 timeframe was there, right? Like, the five-year technical vision for the Einstein program. Like, that was such a cool project. You get to interview a bunch of people about where technology was going, what the government should be doing around intrusion detection, intrusion prevention, everything. I'm not sure, I'm not sure it ever went anywhere. But it was, it was a really cool project. Was government? Of

Shiva Maharaj:

course it did. It's not just a spending exercise. Of course it went somewhere. But the reason I think, sorry, when you're

Vince Crisler:

with the CISA guys and the Homeland Security folks, like, you've got a multi-billion dollar budget in the cybersecurity program, right? And what that means in the federal government is you're a high-priority program for Congress. And when Congress is, like, looking down your shorts to make sure you're doing the right things, like, you're not going to be taking a lot of risks. And so, like, part of it is, like, this fundamental issue we have in government where, you know, if you don't take risks, you're safer and more secure than if you do. And when you have large, complex systems, it's hard. It's hard to turn that shit. But

Shiva Maharaj:

I think we should be taking more risks and trying to defend. I do.

Vince Crisler:

But it's hard to, like, how do you balance that with a dog, with a large program where

Shiva Maharaj:

balance it? Turn that, turn that tanker on a dime and go after them hard?

Vince Crisler:

I mean, if I was in charge, and I probably wouldn't be in charge for long, but you'd make, you know, there's, there are a lot of commercial companies doing a lot of interesting stuff. I'd spend, you know, I'd spend money on 10 endpoint providers and make them compete in the real world. And, you know, fail fast, right? Like, that's what, that's what you can't do in government today is, like, fail fast. You

Shiva Maharaj:

can't. That's what you should be able to do, though. You should be able to. That's how you innovate, and that's how you create, you know, you get better. But the reason I asked about Homeland is because recently they came out and said they wanted to create a new compliance regime in line, basically a civilian version of CMMC. Yep. Which I am pro, because I like the CMMC level of having various levels. Personally, I think government and private sector should have that one compliancy, various levels to identify maturity, and that's it, and then call it a day. What are your thoughts on that?

Vince Crisler:

I think if you're relying on a compliance security regime that is based on attestation, you're screwed, right? Because people will look at, they'll look at 800-171 and say, oh, I'm not doing any of this, but I could say I'm doing these things based on some other stuff I have, so I'm going to attest, and, you know, there's no fallout. So I love, I love this move to, like, an audit-based framework that says we're going to check to make sure you're doing all the right things. The hard thing is, how do you do that in a way that's affordable and effective and isn't riddled with all sorts of, don't make it affordable room deals, don't make it affordable, raise the barrier to entry. And I think you need to get rid of the C3PAOs and let the DoD do it. You know, have the O g

Shiva Maharaj:

or some version of that do the audit for the government, right? But I always say, by the God for the God. I do want to be mindful of your time, and I can go on and on about shedding on compliance and loving CMMC, but I know you have a hard stop. Any closing thoughts?

Vince Crisler:

No, I think looping back around to kind of a question you asked earlier, Eric, around some of the basics. You know, I think if you haven't started up this journey, you know, if you are not doing two-factor across the board, you're wrong, plain and simple. If you don't have control of your endpoints, nothing else matters, right? Like, users can't be admins on their machines, you have to be able to have access and visibility into what's going on on those, you have to be able to have some visibility into, like, the amount of good and bad that's coming in and out of your networks. And then, you know, from there, you know, I think you focus on doing the best you can around patching. And, you know, I know historically IT folks, and, you know, I'm a part of this community, like, we've always thought of patching as a rough, bad thing, because you're going to break systems. And I think you just got to go for it and just patch, right? Like, you just got to turn on automated patching and let it happen. And I'd rather break a system and have to deal with the trouble call because my accounting department can't access something than get the call that all my accounting information has been, you know, given over and corrected, right? And I think we're really in that mindset of managing risk. And so, you know, just getting focused on doing the easy things and getting started and not being afraid of, like, if I look at the sales, the CIS, you know, there's 18 controls, I don't want to get overwhelmed by saying I've got to do everything, and just, just get started. Take that first bite. How do you eat an elephant? One bite at a

Eric Taylor:

time. Exactly. I mean, just by simply going through and, like, oh, these are three items that I can implement right now. It's not going to take a whole bunch of time, you're at least getting started. Instead of the whole, you know, each month, or each week, or each quarter, whatever it is, you're implementing and documenting X number of controls, by the end of the year you're fully done. So anyway, before Vince turns into a pumpkin and goes into a bunker in an undisclosed location, because, you know, that's the kind of guy he is, we're gonna go ahead and wrap this up, gentlemen. Awesome. Thanks again, Vince, for joining us. As always, it's been a pleasure. Ladies and gentlemen, thank you for attending yet another episode of The Amplified and Intensified, where we talk about cybersecurity. If this has been a benefit to you, or you know anybody who would benefit from hearing about these topics, please forward it to them. Please give us a rating on your Apple device or on YouTube. Until next time, take care.