Adopting Zero Trust

Ransomware: To Pay or Not to Pay?

Season 3, Episode 6: Two seasoned cybersecurity professionals, Bryan Willett and Kris Lovejoy, shed light on the dilemma organizations face when hit by ransomware: Should they pay the ransom or not?

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google. You can read the show notes here.

Ransomware: To Pay or Not to Pay? It’s an easy question, and we all have the same ideal answer, but how often does life throw us simplicity? Rarely.

This week on Adopting Zero Trust, we continue the conversation that looked at the role cyber insurance plays in organizations and drill into one of the most challenging topics associated with it: ransomware. And, because this is a heavy subject, we brought in two heavy hitters from past episodes to share their perspectives, Kris Lovejoy and Bryan Willett.


TL;DR

  • Paying ransomware ransoms is a complex decision that depends on various factors, such as the potential impact on the organization's services or employees.

  • Having robust and tested backups is crucial in a ransomware situation, but organizations must be prepared for scenarios where ransomware affects backups.

  • Cyber insurance can help mitigate the financial impact of ransomware attacks, but organizations should be cautious and consider all the potential outcomes.

  • Avoiding ransomware attacks requires a proactive approach, which includes implementing hardening standards, good practices around vulnerability management, enforcing compliance on systems, and having good identity protection.

  • AI holds promise in the cybersecurity sector, but its role in ransomware attacks is still in its infancy.

This Week’s Guests

Kris Lovejoy is the Global Security and Resilience Practice Leader at Kyndryl (an IBM spinoff) and sits on the board of a utility company.

Bryan Willett is the CISO for Lexmark International, where he has spent more than 27 years of his career.

For added context, both Kris and Bryan work at publicly traded companies with sizable footprints.

Editor’s Note: RSA is Here

At the time of recording, Neal was off living life, so unfortunately, we’re missing his voice in this equation. However, this is a big topic, and we’ll continue this conversation at a later date with additional panelists. Fortunately, our guests were fantastic, and we still managed to get off track. Maybe it’s not Neal who pulls us off course, after all.

This is the final reminder that I’ll be poking around RSA. I have plans to chat with OWASP and MITRE about emerging threats, a new startup securing browsers, and a conversation about navigating new and incoming regulations. I’ll try to slip in another piece or two. If you can’t go and are interested in a particular topic or org, let me know and I’ll try to hunt them down (ev @ createchaos.co). I also had a little pre-RSA chat with my friend Dani Woolf, which you can join on Thursday.

The Ransomware Dilemma

Willett and Lovejoy offered interesting insights into the ongoing debate about ransomware payments. Bryan stated that his organization's position is that it would not pay. "It comes down to your resiliency within your operations," he said, highlighting the importance of having a robust business continuity plan ready to execute when an event occurs.

Kris, however, acknowledged that most organizations' stance on not paying can become complicated during a real-life ransomware attack.

"You have to make a decision that is going to be best for you, best for the people you serve, best for your employees," she said.

Backups: A Double-Edged Sword?

Both experts agreed that having robust and tested backups is crucial in a ransomware situation; however, it is not the silver bullet that many would have you believe.

But as Kris pointed out, ransomware can affect backups and storage, making restoration impossible in some cases. Bryan agreed, emphasizing the importance of constantly testing backup systems to ensure they work when needed.

On top of this, it’s not only advanced threat actors who go after backups; it has become standard practice for attackers to leave a victim with as few recovery options as possible.

The Role of Cyber Insurance

Cyber insurance has emerged as a potential solution to mitigate the financial impact of ransomware attacks. However, as Bryan and Kris noted, organizations should be cautious.

"If a company thinks they're going to pay and immediately get systems back up and running, they need to include that in the risk analysis," Bryan advised.

Artificial Intelligence in Cybersecurity

AI has been a game changer in many sectors, including cybersecurity. Yet, as Kris pointed out, the role of AI in ransomware attacks is still in its infancy, and while it holds promise, it may not be the silver bullet many hope it will be.

Tips for Organizations

To protect against ransomware attacks, Bryan suggests implementing hardening standards, adopting good practices around vulnerability management, enforcing compliance on systems, and ensuring good identity protection. Kris emphasized the importance of recovering from an attack, stating that organizations must be prepared for recovery with vaulted data and services, known-good configurations, and a tested restoration plan.

The choice to pay or not to pay a ransomware ransom is complex and depends on many factors. Organizations must ensure they have robust security measures in place, regularly tested backups, and a well-planned business continuity strategy.


Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: Hello everyone and welcome back to Adopting Zero Trust, or AZT. I am Elliot Volkman, your producer, and today also playing your solo host. Neal is off traveling the world somewhere, but fortunately we have two fantastic guests who are more than capable of carrying us through a very important conversation.

So as you may recall from a previous episode, we talked with folks representing the cyber insurance component of the conversation that we have been stretching out for a couple of years now about what role ransomware plays in an organization from a do-you-pay-or-do-you-not-pay perspective.

Obviously with cyber insurance, there are ransomware elements where you get that backstop, you get coverage, but we have other elements. Two guests are going to take the other part of this conversation forward: does it make sense to pay, and how to avoid paying. But let's just skip ahead and hear from them.

So let me reintroduce you all to two guests who have been heavy hitters on AZT in the past, Bryan and Kris. Let's do a quick reintroduction. Kris, maybe you can tell us a little bit about who you are and where you're at, and then, Bryan, we'll kick it off to you.

Kris: Hey, Elliot. Thank you so much for having me back again. So, Kris Lovejoy, I am with Kyndryl and I lead the security and resiliency practice for Kyndryl. I also help look after the compliance functions, the security compliance functions. So in other words, I look after commercial security for the company.

Elliot: Big footprint there. Bryan, off to you. What do you do? And yeah, maybe we can hear about some of the things that you've been up to at that very large organization.

Bryan: Yep. So, Bryan Willett. I'm the CISO at Lexmark. Been at Lexmark for a very long time, but we cover not only IT security; we handle product security, manufacturing security, and privacy as well. So very much looking holistically across the business at our security footprint and making sure we protect our customers, whether it be the services or the products that they use.

Thanks.

Elliot: Excellent. All right. Thank you so much, Bryan and Kris, for coming back. We really appreciate that. Now for our audience, for our listeners, we're going to make this very clear and transparent. There is obviously a question that we're posing here. So we're going to just throw this out to both of you and go from there.

But Bryan, maybe we can start with you. What is your perspective, plain and simple? Is there value in considering paying for a ransomware hit? And obviously this is entirely hypothetical and it was not targeting you, but if you're working in an organization and it hits you, with all the caveats and legal representations, what is your perspective? And how do you work around that scenario?

Bryan: Yeah, so our perspective is we would not pay. You're going to hear that from every company because they're all going to say they're not going to pay. It comes down to your resiliency within your operations. Are you in a position to be able to have a business continuity plan in place, ready to execute when an event occurs?

And we all have to assume when, not if. So we can talk much more about that, but that would be our position.

Elliot: Kris, any follow-on to that? Where is your stance?

Kris: I would agree that the stance of most organizations is that we will not pay. I think that that is not the case when you are in the heat of the battle. You're forced to rethink that particular perspective because at the end of the day, you have to think about payment from two vantage points.

One is, if you are a critical infrastructure industry that is providing services that are critical to the population you serve. Maybe this is health services, energy services, water services, etc. You are in a very different position because the question is, can I, how quickly can I bring my systems back?

And, there was the point made, do you have a kind of a resiliency program in place that allows you to restore, and obviously that should be option one, but assuming that the restoration is not possible, which it isn't in most situations, then the question becomes, do I pay and get the services back for the folks that I serve?

Or do I potentially deal with a long-term outage? So that's one question. And the second question, and this is for organizations that may not be critical services, but have an obligation and responsibility to their employees: if there's a long-term outage, what does it do to the company?

If you're out for a prolonged amount of time, can you even survive? And then what happens to all of the people that are working for you? What happens to their salaries? What happens to their families? And so I think the reality is that, when you're confronted with the real-life situation of a ransomware attack, and you can't bring your systems back up again, you have to make a decision that is going to be best for you, best for the people you serve, best for your employees.

Bryan: And I just want to jump in, Kris. I do agree with everything you said. The thing that I would add, though, is companies have to be careful about, if they're going to think about paying, are they really going to achieve what their goal is, which is to get the business back up and running.

As we've seen over time, there are bad actors who failed to give the key back or their software fails to actually work to restore the services. So if a company thinks that they're going to pay and immediately get systems back up and running, they need to include that in the risk analysis, right?

Are they truly going to get what they need to restore the services and get things back up and running? It's not always the case, but I agree. They do have to consider what their position is in terms of critical services to society. And does it make sense for their business? To your point, could they suffer such brand damage that the business will go under? That is very possible.

Elliot: I love where this conversation is going. I didn't know we were going to get so real so fast, but thank you for introducing that component into the mix, Kris. Again, this is just fantastic to be able to have this conversation because it is the reality. Now we can step back a bit before we get right back into "you're up against the wall."

You have a fiduciary responsibility to bring services back and all that. So let's talk about the proactive steps and some of the things that we can also cover that might help prevent this exact scenario. And obviously, as both of y'all are security leaders, both of you have very strong policy and governance backgrounds and experience.

I think that'll also be a really easy topic to focus on, the elements to hopefully avoid some of that, so we don't have to also tap into our cyber insurance providers. Let's start there as well. And then we'll rally back around to the what-if scenarios. Obviously, we can talk about the negotiators who help with those kinds of conversations as well.

Bryan, I want to look into a conversation that we had when you were first on, which was you take a very risk-based approach: this is possible, this is less possible, this is that severe, and those kinds of components. I'm curious what elements, from a holistic perspective, are in your strategy.

And I know you're definitely in line with the zero trust approach. How do you create a scenario where that is such a reduced impact that you're a little bit more confident that you won't be in that scenario? What does that backup plan and proactive plan look like to you?

Bryan: I would say here, and I think I can give a point and immediately I can probably give a counterpoint to everything I'm going to say.

your organization that you are going to have hardening standards. You're going to have good practices around vulnerability management.

You're going to have compliance enforced on your systems to ensure that they're meeting your hardening standards. You're going to have your monitoring in place to look for events that occur on the device or devices, but you're going to have a disaster recovery plan that focuses on making sure you have solid backups of your systems and your data that are tested, right?

That we've tested, that we can restore from on a regular cadence, so that when an event occurs, you can quickly go to those and rely on them to get services back up and running. Even if you're losing a month of data, for instance, in your restoration of those systems, that at least gets you back up to a point in your business where you can start operating. You can go figure out the accounting later of what sold in that month and get that addressed, but you at least have systems up and running.

So for me it's that culture of making sure there's hardening standards, people deploy to the hardening standards, you have good identity protection, I forgot to mention that as well, and the backup plan and testing that. But we've seen that the human element in this can cause problems, right?

I was reading earlier about the MGM breach, and in the MGM breach, it was social engineering that got them in. They called the help desk, they got an admin password reset, and they were in. I can harden things extremely well. I can patch things extremely well.

But if an admin effectively gets in and starts doing malicious things, that's much harder. And you have to have the right monitoring in place in order to detect something like that. And that's something we always have to think about. It's not one single thing that you're doing. It's not just segmenting your network that you're doing.

We always overuse this: it's the layers of the onion, right? You have to implement many or all of these separate controls in order to reduce your risk of business takedown.

Elliot: Absolutely. So that's definitely that defense in depth concept in motion, or layers of the onion, as you say.

Kris, anything you would like to add to that as far as the proactive developments to avoiding those situations?

Kris: Yeah, let's talk about preparing to recover. I think, as has been pointed out, there's a lot of focus and energy historically which has been placed on the preparation side. How is it that we're going to anticipate risk? How are we going to protect against that risk?

By implementing a large number of controls throughout the organization to prevent the bad folks from getting into the infrastructure. And then how are we going to be able to monitor and respond to the incoming issues? So that's primarily where our investments have gone. And then we have the backup and the disaster recovery stuff that's been over to the side.

And it hasn't necessarily been interlinked, and that's been problematic. We've seen, within the ransomware context, because when you get into these ransomware events, what you find is that the ransomware has affected the backups, the storage. And there is no ability to actually restore.

And what we're finding is, we've done a study recently on this particular subject, no surprise, but most organizations who don't pay don't get their data back because the ransomware has propagated into the backups and they have no capacity to return to service.

So what does that mean? What that means is that organizations really need to take a more comprehensive approach to what we're calling in the market cyber resiliency. And this is something that I think the European Union has done a very good job of kind of redefining: the space of security, plus business continuity, plus disaster recovery as being a space that is all integrated together.

And essentially, when you're thinking about cyber incident recovery, what you're thinking about is I've got to go beyond response to recovery, but I have to link the two together. And so what it means is I'm going to have to have vaulted data and vaulted services that are monitored to ensure that there is no impact from a ransomware perspective, that I've got known good configurations, N plus an X number of backups so that we can roll back to where we need to be, that everything is vaulted in such a way that I can assure the integrity of that which I'm bringing back, that I have a site in which I can actually bring the stuff back, and that I have tested that the services can be brought back in an orchestrated way, right?

A lot of organizations make the mistake of thinking, gee, if I have my data, I can bring back my systems. No, it doesn't work that way. You also have to have the database configuration. You have to have the identity store, et cetera, et cetera. So there's a lot of stuff that has to be considered as you're preparing to recover.

And what we recommend for organizations is that they really think about it from a kind of an MVP perspective. What is the minimum viable business? And what are the services that enable that business to run? Then what you do is you go through the process of looking at all of the applications and infrastructure that support, and the data that supports, that process, that you make the right investments in being able to vault the systems as well as vault the data, that you test the restoration of those services pursuant to your RTOs, and that you do a lot of tabletop exercises where you exercise that plan. But that's the state of the art today.

And there's some really interesting technologies that have come out in support of these kinds of processes, which I'm happy to talk about. But suffice to say, I'm pretty passionate about the subject. I think that preparing to recover is the place where all of us need to be focused, because if we can recover, then guess what? You don't have to pay the ransomware. But we're not there yet.

Bryan: Kris, do you think that the cloud has helped or hurt in this space?

Kris: I would love to say it's helped. But I think the promise is still there. And early on, I was one of the greatest agitators on behalf of cloud. And I still am a huge fan. The problem is, what we're seeing is a lot of organizations did not refactor their applications.

What they did is they took really old applications and infrastructure. They stuck it in a container. They put it into the cloud, then they try to wrap some security control around this really old infrastructure. And we're seeing just a ginormous amount of complexity associated with the combination.

And so I think the answer to the question is, could it be a positive? Yes. And where we're seeing customers have refactored applications so that they're now cloud native, it's been great. But where you're talking about just old infrastructure on a new infrastructure, it's one plus one equals five from a complexity perspective.

Bryan: I agree with you 100%. And on the business side, that is one of the biggest challenges: the business wants to go to the cloud quickly, and getting them to sign up for the investment that it takes to truly go to the cloud and build that resiliency into the cloud, or into the application that you put in the cloud. Because if there was one application team that came to me and said, we're going to lift and shift, I can tell you there were 10 more right behind them.

And that was the battle that we always had in the business: we're not lifting and shifting. The risk is very different. We need to go and refactor the solution that you're putting in the cloud in order to protect it. Whether it's the resiliency side or even the front end, just the security and the security posture around the application. Kris, I agree with you.

Kris: Yeah, no, between the hard-coded credentials and kind of the fact that some of this stuff is legacy. It's end-of-life, end-of-support operating systems and applications. It's very antiquated encryption algorithms. It's just a mess that has been ported over to the cloud.

And guess what? The cloud providers never really considered that this would be the situation. So the capabilities that they've built for backup and disaster recovery and vaulting, et cetera, haven't been around those use cases. And so it's a big problem.

Elliot: So there's one area, Kris, actually, there are two aspects that you've highlighted that I want to pull into a little bit further. The most common talking point against "we don't need to pay ransomware" is "we've got backups and we're prepared." That is the most prevalent talking point that we typically see.

So you definitely poked a big hole in that very clearly. I'm curious. Is that a more advanced threat actor that would be a piece of that, or do you see, in your perspective, that it just comes with the territory? We've obviously provided a solution. It's been out there for a while now.

Threat actors are working around that. They know that is a solution. So we're going to go as far as we can, spider through the systems. And yeah, I'm curious what your perspective is.

Kris: No, you don't need a sophisticated actor to propagate into the storage and backup systems. Absolutely not. It's very common right now. And the interesting thing as well, what I find with a lot of organizations is they don't even test their backups and the restoration unless they have a legislative obligation or a regulatory obligation to test the backups. We have a lot of situations where customers will try the backups and they're like, oh, there's not even a ransomware event and it doesn't work. And so, for instance, I'll give you a practical example. Customers will back stuff up happily for years only to find out that the backup provider has upgraded their software.

And over the years, they upgraded the software and they upgraded the schema by which they were storing the data. And so now, when you try to do the restoration, what you're finding is that you have to go and figure out, okay, if I've got something prior to, pick a year, let's say 2021, if I want to restore data prior to 2021, I've got to go back to the vendor, find the end-of-life, end-of-service version of the technology, figure out some way to put that in place, figure out what my configuration was at that time.

And then I can bring back my data. So all of these practical things that people aren't actually thinking about as they're restoring. Yep. And this is not even with ransomware in place.

Elliot: That is super interesting. Bryan, I'm curious what your perspective is around this now. I'm not going to ask you specifically if you're testing backups or anything to that extent, but yeah, anything that you'd like to expand upon that concept of, yeah, it's not the advanced actors anymore? Okay.

Bryan: We learned our lessons long ago about exactly what Kris was talking about. When you try to do a restoration from your backups, there are many things that can go wrong in trying to restore the services.

And so it's important, for anything in your business, to test that business continuity plan on a regular cadence to make sure it will execute and it will succeed. And so yes, there are things. I think back through the years of testing that we've done, and I would say probably 20 percent of the time there has probably been some issue that came up during that restoration that we had to go and address and fix.

And that's why it's important to keep testing and keep moving things, because one of the things that is always true in your environment is things are changing. So you may have built a disaster recovery plan based on what the systems looked like and what services were connected at that point in time.

But when the disaster occurs, I guarantee they're not the same. They have changed. And so it's important to keep your plan updated based on what the systems look like at that point in time, but also build the chops within your operational organization to be able to handle those variances that occur and be able to recover from those. So yeah, I do agree with the importance there.

Elliot: Excellent. All right. So the other aspect that I want to highlight and go into a little bit deeper is the financial impact. So obviously, if there's a ransomware event, they're asking for money. You maybe bring in a negotiator, they help recover things, or maybe they don't. The other piece is, internally, you have a lot of proactive measures, you have a lot of different technology in place, you have, hopefully, a robust security team and network team and an IT team to be able to support this.

I'm curious, at your level, obviously you're having conversations at the leadership level, board level, of a similar vein. How do you communicate the proactive elements versus the need for the necessary insurance or ransomware amounts that you might store in the background? How do you communicate the financial impact around this conversation in a holistic perspective, not just a ransomware scenario?

Bryan: So when I'm talking with the leadership, one thing that Lexmark is very, very attuned to is brand reputation. We operate in the IoT space, and because of that we recognize that it's important for Lexmark, from a brand perspective, to have a strong security story that we're able to tell our customers and demonstrate to our customers.

So when we go through and we talk about the investments we need to make on the proactive side, there is a lot of support throughout the business on taking those actions, on whatever the system may be. Now, I have to pull that back a little bit, right? There are certain things that I can go ask for that are just climbing Mount Everest, and there's going to be some real hard discussions on that, right?

There are investment limits on everything that we could ask for. But by and large we make a strong case that we have significant risks within the business. We have built that culture with the executive team and built the recognition of the value that security brings to our brand and to our customers, so that generally we get adoption for it, but that took years to build up, right?

It took lots of conversations, lots of discussion, but it also helped that on the customer side, they were demanding it as well, right? When customers come in and they say, hey, look, we're looking for, of resiliency on your disaster recovery or forensic capabilities for this long.

All of those feed into requirements that we're able to drive throughout the business and gain adoption. Get that buy-in. And then when you go to the actual execution side, so you asked about getting leadership buy-in, but I view it to be the same on the execution side, right?

I have to get that same culture, same adoption at the individual contributor level and make sure that they buy in. Because when you go and put hurdles in front of your developers, in front of your admins, probably one of the first things they would like to do is get it out of the way.

Because it's slowing them down. And making sure that you have a good story to explain why you're doing it, why this is being put in place, and why you need their support for it, that's just as critically important in building out those controls and making those controls robust to better protect, whether it's, you know, a specific system, moving lateral, identities, right? They all are hurdles for individuals that require buy-in for them to support.

Kris: So I think, Elliot, this is the best question and the hardest question to answer, but let's just be

Elliot: Sounds right.

Kris: Um, and one of the reasons why it's so hard To answer is because the investments that you make. To ensure good protection. Good security are not necessarily security investments.

So I'll give you an example. Legacy, right? Talk about legacy. I think I probably talked about legacy last time I was on the phone with you all. I'll say it again. Legacy. Biggest problem we have as an industry is how much legacy infrastructure we have. It's just, it is absolutely horrifying the amount of legacy infrastructure we have.

And the investment in upgrading that infrastructure is probably the best security investment you can make. However, that is not necessarily booked as a security investment. So I, so that, that's number one is it's very hard again to tease out what's security, what's not security. So what I would say is this, I have in my career, my 30 years and I'm, this is like where I have patents is in risk quantification.

I don't know if I've actually seen one organization that does this extremely well. I've seen okay, in different levels, extremely well, not so much. Financial services institutions, they get a little closer and that's because they're, they have to do this. So what I would say is this. The good news is public companies today in the US have obligations under the SEC to be able to identify material or significant events which in aggregate can become material.

Now, for those listening who aren't public companies, it's. It's still okay to look at this kind of guidance because it's makes sense. What essentially the guidance says is you need to know what's going to really harm your business such that if it was so bad, you would actually have to report it to your investors.

So small, medium, big, doesn't matter. Think about it that way. It's so bad that I have to tell somebody, I have to tell my investors. This has happened because it is going to impact my operating revenue. It's going to impact my ability to deliver services. It's going to just impact me. So now you think about that and you say, all right, what are the things that can happen that are going to impact my business?

I it's in such a way that I would have to tell somebody it would be like existential. All right, so I know what those issues are. Now let's identify, do I have the right controls in place to protect that infrastructure? Do I have the right recovery mechanisms in place to be able to recover that infrastructure?

Size that. That's where you start, and then you begin to measure whether or not you have those controls in place, what the value of that investment is, and what the gap is between you achieving nirvana around those services, etc. Start there. Again, there's no magic to this, because a lot of the impact and the cost of the impact you'll never know until you're actually in the event, because I can promise you for everything you think about, there's five things that you didn't think about.

So it is, it's going to take time for us as an industry to get to a point where we can actually do this financial risk quantification. So for those of you who are not, sort of, financial services institutions with direct obligations to be able to do this as a matter of course, I would say, take the kind of SEC guidance around materiality and try to figure out how to do the quantification within the context of critical business services, and what does it cost me to actually build protection and then build the restoration around that.

Bryan: I was just gonna say, you mentioned the focus on the public companies, but what I see coming quickly, just to expand upon your scope a little, is public companies recognize that their supply chain is critical to their operation. They're going to have many business processes that are heavily dependent upon their supply chain, and they may not be public.

And so the non-public companies need to be ready to respond just like a public company, very quickly, to an incident, because it will become material. It may become material for the public company as well. So even non-public companies need to understand the SEC guidance, to your point, and they need to make sure that they're building their practices around how they're going to report incidents in a very similar manner.

Kris: more.

Elliot: Kris, thank you so much for calling out that aspect of not just the public part, but the private piece, because that is where I want to dig into a little bit further before we go back into ransomware. A lot of our practitioners, our audience, our listeners, they are probably aligned with a Series B, Series, maybe Series A, Series C company.

So they do answer to their investors. And that is a focal point of being able to answer this. So I'm curious, how do you balance, and obviously y'all are significantly larger organizations, but you've worn this hat, you've chatted with other folks. If you are a security leader in a smaller organization, how would you shape that conversation where you're not terrifying your investors, you're not terrifying your board of directors with information that they might be seeing headlines of ransomware attacks and all sorts of breaches, which, the larger you are, the larger the target on your back.

But how do you balance reality with, like, your risk-based approaches you were mentioning versus some of the things that are out there, and help alleviate some of that concern, because not all investors have that kind of perspective. They just see, Ooh, AI component company, we're going to throw a bunch of money into that, not really thinking about the implications of the security perspective. How would you balance the FUD versus the reality piece of that?

Kris: Yeah, so I'd say good news, bad news: the investment community definitely is becoming more engaged and recognizing the extent to which their portfolio companies can act as a risk and be incorporated in these very large lawsuits. So I think the obligations that they're flowing down are becoming pretty significant.

And I'm sitting on the board of a couple companies that I fall into that category. And I definitely know that the PEs and the VCs are much more engaged. So that's good news. But if you are part of a smaller organization, series A, series B, let's be realistic. You don't have a security person, right?

You have an IT person and that IT person probably does three other jobs. And the last thing you really want to think about is what do I need to do to secure my infrastructure, et cetera, when I'm just thinking about how do I keep my lights on and get my first sale, right? Many of us have been there before.

So what I would say is this. Anybody who is producing, if you're a technology company and you're producing code, you're producing services, you've got to think about security as being built into whatever you're building and whatever it is that you're creating. And so I'd say there are tools that you can build as part of that process.

Tools that support DevSecOps, that is the most important investment you can make. And you should be building that as a competitive differentiator into your product life cycle and ensuring that, when you're going through and making the investment thesis as to why you should be investing and where you're going to be using your money, make sure that the money is being used for that particular purpose.

And then if you do that correctly, then the post facto obligations on making the investments in the ongoing infrastructure lessen, because you've built it inside. And if you're native cloud and you've built it inside, it becomes even that much easier, so that it just becomes part of your operational expenditure.

Again, just to net this down, as a small business person who's building technology or technology-enabled services: DevSecOps or something inside the technology. Build it on the cloud, ensure that the operational investments include long-term security. That's all goodness. And that's what you should be using your funds for.

Elliot: Amazing. Bryan, this is a perfect opportunity to jump into a conversation we had the last time you were on, which is the culture of security. And I guess our favorite new buzzword is shift-left security or shift-left compliance, however you want to look at that. So I know you have a perspective on how you are actually building in that kind of concept.

And not even just as a small organization, but a global organization.

Bryan: Absolutely. And I want to go back to what Kris was talking about, especially with a small organization. It's important that your technical leaders within that small organization set the tone on secure design. A small organization is going to start with two, three guys or gals, right?

Two or three people. And they're going to start building some foundation. They're going to start pulling from open source. They're going to start building their own code. And the thing that organizations have to remember is open source doesn't mean clean source. It doesn't mean that it's not going to have malware in it.

And there was an article that I read the other day, and I vaguely remember exactly what it said, but was it Hugging Face, one of the main AI open source distros, that there was, I don't remember the percentage, but there was a large percentage of malware that was embedded into the Hugging Face AI models that were being pulled, and it just highlights that

attackers are constantly looking at ways to try to get into your supply chain. And so you need to make sure that you have the right tools built into your CI/CD pipeline, that they're able to scan the source code. They're able to validate the maturity or the, what's the word I'm looking for?

The activity on that source code, to see that people are actively maintaining it, that they're actively patching it, that there is, ideally you would like to see some governance around it. That there is someone, kind of the Linux model would be nice, but that's not the case for all open source, that there is someone governing what gets accepted into the code repository, to analyze it and try to protect from malware getting into the environment.

But going back to your question, when it comes to your organization, it's important that you first establish some sort of security development life cycle, that you set the tone that when we're going to come up with a new capability in our system, we're going to do a threat model around that capability and understand what the risks are and understand the mitigations that might need to be put in place in order to protect from those. As you get into pulling in the source code, you get into the open source that I talked about just a moment ago. And then your own code, doing that static code analysis. If you have the ability to get the tools to run static code analysis, doing the vulnerability scanning against it.

Dynamic scanning against it. There are so many tools out there today, both open source and of course paid-for, that you can really get a lot of insight into the risk in your code and take a lot of steps to protect against those. But also don't forget that, taking an embedded device, for instance, it's running on an operating system.

It's going to have a lot of services that sit on top of that operating system. Those services are no different than what IT would put into their environment. And it's important to remember that you have to harden that system appropriately for your use, your IoT device or service that you're offering.

And that all goes into that security development life cycle. Where you do your threat model, you have your hardening standards, you pull your source code, you do your testing, and then most importantly, you have remediation processes. So whether it's patching, whether it's releasing firmware updates, whatever it may be, but you're constantly monitoring and updating that.

But that all comes from building a culture in your environment of the developers understanding the risks and understanding how to mitigate those. And that comes from education. So assuming that you're going to have developers that come out of college and just understand this from the classes that they had, that's probably not the case.

More than likely, they learned how to build widgets. They didn't learn how to build secure widgets. And so that's something you as a security professional, or you as a technical leader in your organization, need to consider and figure out how you're going to build out that awareness and that knowledge for the developers.

And then as you get into the larger organizations, build out a community. We call it security champions in our environment, but build out a community of people who are advocates for securing or building secure product and want to help others learn how to do that and support that, right?

Nurture that and support that. I think that's critically important to get those evangelists in every one of the teams that can help identify and coach on how to do things in a secure manner. So it's not a one-time-and-done. It's something that you have to constantly build out.

Now, I do want to give a shout out here real quick. So I do have a daughter who is in computer science at University of Kentucky right now. And the class she's taking right now is systems programming. And one of the first labs she had in that was building a buffer overflow malware. I said, that's genius.

That's genius, right? Teach them how to actually build the malware that would take advantage of a program so that they know how to go in and secure it later. We need more schools doing that. We need more schools that are teaching programming, teaching how the bad actor would take advantage of something, so that they can then program or write programs that address that in the future.

Elliot: I love that perspective. And I know that you had called that out. I think we asked, in the first round that we chatted with you, something around security awareness training. You built not just security awareness training for all users, but you're literally training your folks for a more elevated approach, and that's what you're discussing right there.

To your point, even on the education side, if a journalist has to go through all sorts of ethics training, and we sure did, I think from the technical side, I love that perspective where they're having to get that security, cybersecurity sense as well. So I do want to add in one little piece, cause I just did a quick search.

So on that Hugging Face system. So basically that's like a marketplace for AI models. They said around 100 different models had malicious code or some malware involved in the system. So obviously we don't know what percent of their library that contains, but that is just a test to maturity, and regulations don't really overlap in the best way possible.

With that, I was going to save the AI question for last because this is unavoidable in this equation, but Kris, I'm going to hand this off to you. In your mind, how has AI, and sorry, it is the cursed question, AI or machine learning, how have you seen it impacting or I guess making threat actors more, I guess, dangerous, so to speak, especially on the ransomware side? Obviously social engineering as a component, we've seen some headlines around that.

Kris: Happy to have that. I do want to just circle back though to the conversation we were just having. And I just want to point out the irony of, we were talking about Linux, for instance. I don't know if you all saw the xz utils backdoor. It was announced on Friday. This is a perfect example of, I think they're thinking that this was started in 2021, but there's a perfect example of why it is that you need to have, as you were describing, the evangelist within the team.

As well as, I would emphasize, automation, because, again, when you're only 3 people in a shop, it's almost impossible to keep up with all of this, but having automation will really help you in not only proactively identifying the issues, but at least when it pops up, you'll know that you have a vulnerable load and you're able to do the remediation quickly.

Though, of course, if you're being told, stop using Fedora, that's a problem, right? But anyway, I won't go on too much about that. AI. What I would say is, where we're seeing AI really impact organizations right now is twofold. One is security related, and the second is non-security related.

But on the security related side, we're seeing the phishing, smishing, vishing attacks become oh so much more effective. And what we are seeing is that a couple of things are happening. The threat actors are creating these, what we're calling omni-channel attacks, where they're combining voice, video, phone, email and SMS incoming attacks, coordinating those together.

And so it's really an amplified attack, where you think that the CEO is calling you, and then you get a text from the CEO, followed by a voicemail from the CEO, followed by an email from the CEO, all around the same basic topic. And then your colleagues are getting the same notifications saying, go call Joe and tell Joe to do this particular thing.

And so the failure rate for these phish, meaning the percentage click rate into these campaigns, is something like 80 to 90%. So it's almost impossible to stop. And so that is something that we all have to be considerate of in the approach that we take to training and education, as well as ensuring that we have the right EDR protections within our organizations. That is changing the way in which we have to think about protecting our organizations. The second thing that we're seeing a lot of is we are seeing some malware that we assume is being created through generative AI. Of course you can tell, and we're seeing some really interesting tweaking of the rule sets.

You can set out some YARA rules, for instance, to ensure that when you're looking for malware, you're looking for code that's coming in that has no comments in it, because what we're finding is that, obviously when you're writing malware, you can tell who the threat actor is generally by the comments in the code, but some of what we're seeing is the code is comment-free, which kind of indicates that it was written by some sort of algorithm.

So that's just one easy way to check. But what we're seeing on the other, the non-security side, is what people don't realize, and what I've been trying to say is: generative AI, it's like hiring an intern, and the intern might not necessarily have all of the background, but they're really eager.

And so what they're doing is they'll write you white papers, they're writing whatever the case may be, they're writing it using generative AI, but they don't necessarily check their sources. And so what we're seeing is a lot of organizations are submitting materials that aren't necessarily grounded in truth, because they've been using that AI intern who didn't necessarily, again, check to see whether or not what they were saying was correct.

But that's neither here nor there. But that's how I would summarize the world with AI today.

Elliot: Before I hand that off to you, Bryan, I just have to say that was the most beautiful example of defining AI and its use. That's got to go everywhere, because that is so accurate. I have had a writer who just tried to chat up an article. I'm like, come on, a robot wrote that. Where's the flavor?

Where's the sources? Where's the stats? None of that there. An eager intern is just so well positioned. Bryan, I'm going to hand that back off to you.


Bryan: I do love that analogy. And I'm, I am going to use that. We have an AI governance group that my team runs, and I am, I'll give you credit, Kris, I'll make sure you get quoted.

It's interesting. What we've seen on the development side is it is great for setting up applications or setting up functions and getting developers started, but it is certainly not going to create the program yet.

We're seeing that it allows developers to switch quickly between languages, which is great, because they can quickly understand what the program does. On the security side, let me go back. I would not say that I'm seeing quite yet on the code side that AI is replacing developers yet, right?

I have always equated it to, and this was a lesson I learned early in my engineering days, so this is a long time ago now: there's creating code and then there's actually delivering code, and delivering is actually the hard part, right? You are beating through all the bugs and making the program actually reliable and functional. That is the magic that your engineering brings. And I don't see AI quite replacing it yet. Will it get there one day? Maybe, but it's still an intern, as Kris said. On the security side, I've seen some really cool experiments done with AI, doing analysis of malware, telling me what the risks are, telling me what it could do in the environment, telling me potential mitigations or next steps to take in terms of an incident response. It's interesting. I think it really depends on the maturity of your security operations team on whether or not that's going to be beneficial to them. There are going to be many organizations out there that it will be extremely beneficial to, because they're not going to have the skills in house in order to go do that.

But there's going to be a lot of other organizations that are much larger, much more mature, and it's not going to be of help. My concern in this space right now is the pricing of the AI. I view that it is extremely high, and when you look at the value that it brings, it's not bringing the value on the security side.

And I'm speaking to generative AI here at the moment, but it's not bringing the value that justifies the price. So for me, that's going to have to change, right? It's going to have to become much more affordable to be something that we would consider rolling out throughout our program.

But in security, we also know that AI has been embedded into many other applications, non generative, and has been very successful. And I do see that continuing. We recently rolled out a tool on our email that uses AI to detect phishing, and it has been extremely effective. Surprisingly effective.

So it has its place. There are places where it is extremely positive in terms of the investment cost and the return. And then there's a lot of places where it's just like any new technology, you're paying dearly for it. And you have to make that personal decision on, is the investment worth the return that you're going to get.

But my fear is what Kris talked about earlier, and that's the advancements on the phishing side.

We still see that social engineering is one of the top ways into an organization. This enables the bad actors to be much more effective in their communication and get in, be much quicker at getting their background intelligence on what they need to know in order to get into an organization.

So it's not something that I think everyone is quite ready for, but that's the discussion I've had with my executive team: you need to be ready, you need to be prepared for everything, from just a well-constructed email coming from, whether it's the CEO or CFO, into your organization, to potentially voice impersonation coming in. And I keep telling them, you need safe words, make sure you have safe words, something that you guys can authenticate each other with in order to know that you're truly talking to who you think you're talking to. The advancement that we're going to see there in spaces like voice impersonation is going to have an impact, and we need to start preparing.

Elliot: So that is a sort of perfect segue to our final question where let's call it a tabletop exercise. It keeps you out of the shoes that you're currently in for purposes of you're not a public company and all that. And the one other element is you are totally spot on with needing a safe word.

My uncle was a victim of a voice impersonation of myself, thanks to all the podcast audio that I put out into the world. That is a great last line to include in there. So family should probably do it. All right. So back to this final question, this tabletop exercise, and we're going to put on my Neil Dennis hat as an RPG, D&D concept, and it'll be pretty simple and concise after I ramble a minute.

So you are at a startup, say a series B, you've got an IT guy who's your security leader. You have cyber insurance, you've gone through maybe a SOC 2 and ISO. So what's there, but one of your folks clicked on a link. Yeah. They hit the phishing simulate, not the phishing simulation.

They hit the phishing lure. They put in some information. Now someone's got access to your network. I'm curious, in your shoes as a well-known group of well-experienced security leaders, what would be your first step to handle a scenario where ransomware is now on your heels, so to speak, in those, and again for legal purposes, not in your shoes in your current profession and your current title.

Bryan: So if someone clicked on the link and we have ransomware actively in the environment, the first thing I'm going to do is I want to look at how do I start to shut down its ability to spread? So I'm going to assume any system it's on is compromised at this point.

So I want to shut down any lateral movement throughout the environment. So I'm going to look, it depends on where it's at, right? Is it in the cloud? Is it on a workstation? If it's on a workstation, I'm shutting down networking on that workstation, if it's just local to the workstation. But if I have to, I'll go to the network and start shutting down layers of the network or VLANs on the network.

If it's in the cloud, we need to look at similar things. How do we just shut down workloads in the cloud in order to prevent lateral spread? Personally, I'm going to be very liberal in my response, in the sense of I'm going to shut down first and then start to look at bringing things back up, to prevent that spread going more broadly and affecting more services.

Elliot: Right, perfect answer.

Bryan: Kris is going to give you even a

Kris: No, no, I thought it's a great answer, but I would also say there's the phone-a-friend. I think, if it's an IT guy, or a gal, that doesn't necessarily have the background in forensic analysis, you need to call somebody, because it is really easy to make mistakes that make it impossible for you to gather the evidence that you need, right? Number one is take the end user off the network, as is described, make sure any ingoing and outgoing traffic is stopped. Don't shut anything off necessarily, but you want to make sure that ingoing and outgoing traffic to whatever, kind of limit the blast radius, if you will, make sure that nothing can propagate.

Call a friend to get some advice. And one of the things I always recommend is create a drop kit. It's easy to have a drop kit ready of network detection and response, because there's open source tools that are pretty good. And so, even if you're not going to be the person or the organization that's going to be looking at the logs, it is really useful to have NDR running.

So you can see whether or not there's any beaconing or any kind of behaviors where the actor is trying to move laterally within the organization. That's useful. And then change everybody's passwords. That's the other thing. Changing everybody's passwords as quickly as possible.

But, those are some of the basics.

Bryan: Kris, I'll ask you, which friend are we phoning? Are we phoning our cyber insurance carrier? Are we phoning our friendly neighbor IT guy? Who are you

Kris: I think there's IR companies that will help you from a response perspective. They know what to do and they know how to do it, when to do it. And so it's really important that you've got, and there are lots of IR companies that are out there. Just make sure that you have their phone numbers so that when something happens, you can call them.

Bryan: We've had an interesting discussion with our legal team internally around, is it the IR company we call first? Is it cyber insurance we call first? Is it a legal team that we call first? In terms of the protections that you may need for the back end, right? The lawsuits that might come in later.

And I don't think there's a single right answer, because things continue to change from what we've seen out of the judicial side of various lawsuits. But it's a discussion I think you, your team and your legal team and your executive team should

Yeah, no, absolutely. But my bias is always towards health and safety. Particularly if there's a human that can get hurt in that chain, then your obligation is to protect health and safety first, and then talk to the lawyer second, but don't tell the lawyers I said that.

Strike that from the record.

Elliot: Yeah, I'll censor that part. Don't worry. No, I think that's the reality of it. Even in a, so I don't know, I've gone through like a Security+ and some of those basic stuff. And that is always at the pinnacle and the philosophy of security, of cybersecurity. So yeah, lawyers might not agree with that, but it comes with the territory of the function of the experience.

Exactly. And when you've done it so many times and you know that there's the practical, there's what you like to say in books and what you like to say in public. And then there's the reality of what happens when the door closes and you're dealing with an event. And there's just so much that people don't understand.

Kris: And I love this when executives ask you, why don't we know? And what's the update? It takes time. It's going to take you a hundred times longer than you want it to take. And in between every single update, there's five things that are going to change. And it's just the reality of how it works.

It is the fog of war when you're in one of these incidents, and over time you become cynical, because you've been there, you've done it, you've done it five times. You've seen the movie, and every movie script is going to change. It's basically the same horror theme, but it's going to change in between.

Yeah, it just is what it is.

Elliot: I think that's really well put. The reality is every situation is going to change drastically, and ransomware is definitely one of those scenarios. A lot of organizations will have that hard public stance of absolutely not paying. We also have cyber insurance that covers those things, but sometimes it becomes outside of your control and out of your hands.

So I love the perspective of absolutely not doing it. And then Bryan mentioned, before we even went on air, the number of people paying has gone down. So there's positive information in reinforcing that concept, but obviously, at the end of the day, it's also a financial impact, and every organization has to play a different card.

Kris: Exactly.

Elliot: All right. Bryan, Kris, thank you so much for being on with me. And on behalf of Neal, who is traveling the world, really appreciate your perspective, being able to weigh in on this pretty critical and important topic, which is obviously a lot more complex than anyone would. So that said, again, thank you so much, Bryan, Kris, really appreciate you being here, sharing your perspective.

And I'm sure now that I have an army of other topics, omni-channel attacks, talking about AI, we'll probably loop back around and have an additional chat with y'all.

Announcer: Thank you for joining AZT, an independent series. Your hosts have been Elliot Volkman and Neil Dennis. To learn more about Zero Trust, go to adoptingzerotrust.com. Subscribe to our newsletter or join our Slack community. Viewpoints expressed during the show did not reflect the brands, employers, or companies of our hosts, guests or potential sponsors.
