Say Easy, Do Hard - Train How You Fight, Part 2 - BSW #349


by Security Weekly



About This Episode

32:23 minutes

published 13 days ago

English

© 2024 CyberRisk Alliance

Speaker 2 (0s - 70.6s)

Did you know that Active Directory is exploited in 9 out of 10 cyber attacks? With access to Active Directory, attackers can gain control of your network. To keep attackers out, you need to find and fix Active Directory security gaps. Meet Purple Knight, a free security assessment tool that scans your environment for hundreds of vulnerabilities and helps you fix the problems. Ready to reduce your Active Directory attack surface? Download Purple Knight, the number one Active Directory security vulnerability assessment tool. Visit securityweekly.com forward slash semperis. Why is identity resilience a top priority for security executives? Because your identity and access management, or IAM, system is critical to your business, whether you use Okta, Microsoft Entra, or another IDP. If your IAM is attacked, your operations can go down for hours or days, directly impacting your bottom line. So what's your backup plan? MightyID is here to save the day, reinforcing your IAM resilience. With flexible backup and recovery, and even migration between IDPs, MightyID keeps business running when failure is not an option. Check out MightyID at securityweekly.com forward slash mightyid for more.

Speaker 0 (71.3s - 118.64s)

Created in 2005 and hosted by security industry veterans, Paul's Security Weekly is your source for in-depth coverage of the latest vulnerabilities, exploits, and security research. Our weekly security news discussion dives deep into the security issues we face today and potential solutions in a fun and lively atmosphere. Each week we bring on guests from the security community to learn about their journey and discuss topics relevant to their work and research. You can also subscribe to our show by visiting securityweekly.com forward slash subscribe or look for Paul's Security Weekly in your favorite podcast catcher. We've recorded a ton of content over the years, so we created Spotify playlists featuring some of our favorite episodes, including interviews with Marcus Ranum, John McAfee, and Chris Roberts, to name a few. You can find them at securityweekly.com forward slash starter packs.

Speaker 2 (122.64s - 128.88s)

Welcome back to Business Security Weekly. I am your host, Matt Alderman, joined by Jason Albuquerque and Malcolm Harkins.

Speaker 0 (129.76s - 133.52s)

Get ready for an electrifying experience at the 15th annual Identiverse.

Speaker 2 (134.16s - 213.7s)

Join over 3,000 identity professionals at the ARIA Resort and Casino in Las Vegas on May 28th to 31st for four days packed with dynamic learning and collaboration. Don't miss out on keynote speakers, including Deneen DeFiore, CISO of United Airlines, Tucker Bryant, entrepreneur and former Googler, George Roberts, Director of Identity and Access Engineering at McDonald's, and many more. As a community member, receive 25% off your Identiverse 2024 tickets using code IDV-24-SW-25. Register today at securityweekly.com forward slash IDV-20204. All right, gentlemen, we are back for the second segment of our Say Easy, Do Hard. And this segment is really to try to create some recommendations. Let's do the hard part. And so in the last segment, we talked about the importance of why you need to train like you fight and be prepared for incidents. In this segment, I want to start, Malcolm, you started down this path a little bit in the first segment on where do you start? And I didn't want to dig into this too much in the last segment because I think it's a perfect intro to this segment: start with materiality.

Speaker 3 (214.94s - 219.08s)

Or the extinction events. I love that.

Speaker 2 (219.58s - 224.7s)

I mean, it's the easiest way, you know, again, former finance person, people talk about they've got

Speaker 1 (224.7s - 226.5s)

budget problems, staffing problems, stuff like that.

Speaker 3 (226.54s - 228s)

I go, that's a prioritization problem.

Speaker 1 (228.42s - 244.8s)

If you can do nothing else other than understand and mitigate extinction level events, you're doing your job. As long as everybody understands that's only what you're capable of managing the risk around. Yes.

Speaker 2 (244.8s - 275.04s)

And using those extinction events is where you probably start your planning process, right? Because, I mean, the first thing you have to do is start to build out a plan for incident response. And so I assume the extinction events are the starting point to start to build some of these plans and then eventually test towards those plans. Any specific order to how you build these plans out?

Speaker 1 (275.94s - 345.82s)

You know, for me, like I said, if you start with those and just, you know, hopefully there's a handful, right, that you can start with. And then just start picking them off. And don't be limited, like the example I gave for food and beverage. Don't be limited to traditional cyber. Look at an extinction event for the business. And then go, what could a cyber-related thing do to trigger as a direct cause or be an indirect contributor to exacerbate something else that's occurring? And I think if you can do that, then you're going to also be able to, you know, the discussion of how do you get alignment with the business? Well, if I'm in the food and beverage organization, I'm like, hey, we've got a food safety person. They're worried about food safety so that we don't kill them and make people sick, right? Okay, great. Let me go business partner with them and show them that if I can manipulate that data, I could trigger that. Okay, now I've got somebody who gives a crap and then will then go work on that with me. Now, then just go figure that out in whatever your business is, right?

Speaker 3 (346.76s - 393.6s)

Yeah, Malcolm, I was going to say that. You know, we talk a lot on this show about cyber professionals learning the business, speaking the language of the business, getting aligned with the business, right? And going out there and identifying these extinction level events allows you to dig in and drive into the business and learn more about the business. So that's an opportunity. It's an opportunity to get aligned with stakeholders. It's an opportunity to learn more about the business and really start influencing at that level. Because again, if we go in there talking about the bits and bytes every day, we're not going to be influencing at the level we need to. So going out there, learning the business, figuring out what extinction level events are, what those risks are, I think is super important to not only do your job, but also get that buy-in, trust, and alignment to the other stakeholders in the business.

Speaker 1 (394.14s - 453.4s)

Yeah. And again, a lot of organizations have an enterprise risk map at some level, right? Legal runs it, finance runs it. You have a corporate insurance person. Somebody's doing corporate insurance. Go talk to them and go, what are we insuring against? Where do we have extra coverage for certain things? Well, okay, that's a beginning spot of what could create a big oh shit moment, right? And just start with that and then go figure out then who's managing a physical aspect, a business aspect of it. Again, I'll give you an Intel example. Again, 22, almost 23 years ago, again, enterprise risk map, luckily I had helped create it when I was in finance in the late 90s, so I understood it. But, you go, okay, sole source factory. Factory in Oregon, manufacturing the highest margin product, sole source in an earthquake zone. Guess what was on the enterprise, you know, risk map? That's right.

Speaker 3 (454s - 456.42s)

Okay, well, have an earthquake, and that's disrupted.

Speaker 1 (456.78s - 494.06s)

You just affected output and yield. Well, guess what? I was like, you know what? I don't need an earthquake to have that happen. A cyber event could cause that to happen. All of a sudden I have, you know, discussions with manufacturing. They're like, well, how? What? Why? Well, guess what? Five months later, Slammer happens, right? You saturate a network. You can affect factory output, right? But we had identified that earlier. Again, you go, a continuation then to ransomware, right? It's all a continuation of ways in which you could shut down the factory physically or logically.

Speaker 2 (496.58s - 555.78s)

So as you build these extinction level events out, right? Then you start to build these connections, these trigger points, right? And the trigger point doesn't have to just be cyber as you've been describing, right? It could be, you know, nature in itself, but it could be a cyber event. That helps you start to map out scenarios that you could then build tabletop exercises around, right? Because I think this is where the rubber meets the road in this work is then getting people together and starting to run through these scenarios. Because this is where things to me get really, really interesting, right? You've got an event that the business doesn't think could actually trigger something. It triggers something. And then as you start to propagate that thing down and see all the other touch points across the other business systems, it's eye-opening to me of all the different things that can happen. And it just gets everybody's attention to be like, well, wait a minute. We didn't think that was a critical

Speaker 1 (555.78s - 588.72s)

system. Well, the other part of it, we also have to go beyond just looking at ourselves. Protection of my entity is a self-preservation mode. And we're all interdependent upon each other. Look at Colonial Pipeline. Look at what happened with United Healthcare's charging system, right? And the ripple effects that occurred. Think of the shipping container company. I'm drawing a blank on that

Speaker 2 (588.72s - 597.12s)

back several years ago had a ransomware. And it disrupted shipping movement. Okay, well, that, you know,

Speaker 0 (597.12s - 603s)

I think roughly it was estimated a $100 million impact on them because of revenue and shipping and stuff like that.

Speaker 1 (603s - 644.06s)

But imagine there was food going to an impoverished nation as a UN donation program. And it didn't get there in time. The food was bad. People could have died. You've got critical medicine on a boat. Well, that could cause a ripple effect. If I had parts, you know, think of the supply chain disruptions we had during the pandemic. So there's a fiduciary impact of an extinction level event for you, but then there's also the, what effect does this have on your customers? And then potentially what effect does this have on society, right? Those all have a gradient around materiality.

Speaker 2 (645.86s - 649.18s)

Yeah, and suppliers have to factor into this mix, right?

Speaker 0 (649.4s - 654.46s)

I mean, we're so dependent on the supply chain these days.

Speaker 1 (654.52s - 659.14s)

I mean, the pandemic made it very evident how dependent we are on the supply chains.

Speaker 0 (659.78s - 664.68s)

And you have to test some of these supply chains, I would imagine, in these plans.

Speaker 2 (664.68s - 677.4s)

Because look, if you go to look for concentration risks, right, I'm going to tell you where some of them are: Google, Amazon, and Microsoft, right? Because they are. They're running critical parts of your business.

Speaker 1 (677.52s - 680.54s)

But also AT&T, Verizon, everything else.

Speaker 2 (680.9s - 685.2s)

You've got, you know, networking components. I could even go and say, well,

Speaker 1 (685.3s - 697.26s)

what about Nvidia, Intel, and AMD, right? Because at the base of all of that, it ends up being a processor at the end of the day. And at the base of that, every business is different,

Speaker 3 (697.26s - 715.84s)

right? I mean, depending on your vertical, your logistics company could be your critical mass. If you can't, you know, if you can't haul things across the country in an 18-wheeler, you're screwed, right? You're losing revenue. So, I mean, it really all depends. You have to, that's the importance, Matt, we talk about all the time, is classifying your vendors, right?

Speaker 1 (715.96s - 724.06s)

Because assets aren't just yours. You also should classify yourself relative to your part in the supply chain.

Speaker 3 (724.7s - 727.26s)

And if people actually did that, guess what?

Speaker 1 (727.28s - 729.64s)

Our third party risk stuff would be a hell of a lot better.

Speaker 3 (730s - 736.16s)

And always looking at my vendors versus looking at the fact that I'm a vendor to somebody else.

Speaker 1 (738.16s - 739.26s)

Yeah, it's true.

Speaker 3 (740.2s - 740.38s)

Yeah.

Speaker 1 (740.38s - 742.7s)

And what's your importance in that stack?

Speaker 2 (743.7s - 744.2s)

Yeah.

Speaker 1 (744.3s - 751.26s)

And how could you be the cause or trigger of a material event to your customer?

Speaker 0 (751.26s - 755.96s)

Again, I always worried about that because I was in the tech sector.

Speaker 1 (756.58s - 778.46s)

And again, if Intel was disrupted and couldn't ship processors to Dell, Dell's revenue would be impacted. And then, you know, somebody else who couldn't buy a PC or a server would be impacted, right? So I always thought about that spot in the compute ecosystem, not only what was coming to me creating risk, but where I was creating

Speaker 3 (778.46s - 810.58s)

potentially risk for others. Now, Malcolm, once, you know, you've identified these extinction plans, these extinction events, you've built out potential scenarios. Are you working with other stakeholders within the organization to build out the actual exercise? Are you tapping other stakeholders, other C-level executives, or, you know, folks within the business to say, all right, I want to build out this exercise. I need your feedback. Let's build this out together so that way we have something that's value add to the entire organization. Yeah, yeah, I do. But I've also,

Speaker 1 (810.88s - 868.82s)

this is going to sound kind of bad, but I'll state it anyway. Every incident and emergency process that I ever built or operated was intended to keep executives out of it. They don't make good incident response people. Their job is to keep informed and to make decisions and to help communicate at certain points of time to certain audiences. Other than that, you don't want them managing the incident because they're not then doing their job as CEO, CFO, whatever. They have a particular role. Let them do it. So build your incident response plan with people with boots on the ground that are going to be the people in the fight, not the people in the Pentagon that you need to stay informed, right? Because you don't want that time delay. You want them there for clarity, questions, and decision making.

Speaker 2 (870.58s - 874.38s)

So they play the C and the I in the RACI model. Yeah.

Speaker 1 (875.3s - 875.84s)

Yeah.

Speaker 2 (875.98s - 883.44s)

They can do some things. But otherwise, they're not doing their job.

Speaker 1 (883.58s - 912.88s)

I mean, it's no different. Take a sports analogy. You run drills on the field and you're playing football. The head coach is not the person on the field running the thing. They've got a mic. They're listening to other things and they're providing input based upon their field of view and their decisions. But the quarterback and the people on the field are the ones that need to be drilled. It's communication and collaboration with the other executives. Yep. Not fighting. That's right.

Speaker 3 (914.44s - 915.8s)

That's a great way to put it.

Speaker 2 (915.96s - 916.08s)

Yeah.

Speaker 3 (917.2s - 919.62s)

Obviously, the RACI model is a big component of this.

Speaker 2 (919.7s - 922.22s)

Who's responsible and accountable for these different steps?

Speaker 3 (922.3s - 939.16s)

Who do you consult and inform along these steps? I mean, obviously that's part of the planning process. And also, it again tells you who's the quarterback on the field, right? And who else needs to be involved in any step? I think that's a very important step as part of planning.

Speaker 2 (939.82s - 964.12s)

Once you have the plans in place, I want to talk about practice and how often should you be practicing these events, right? I mean, we get, you know, typical kind of, I think my GRC days, right? We go out and we assess risk. We put it on the shelf and we don't see it for another year, maybe more in some cases, depending on who you are. How often should these be practiced?

Speaker 1 (972.7s - 1092.96s)

I'd say, well, unfortunately, I think we're getting too much practice because people are having events and incidents, one after another after another. So on the one hand, I always count a real incident as an exercise. But then it becomes the after-action report. What have we learned? What did we do or not do well? And then go tabletop and drill the thing that you didn't do so well on to make sure that you actually followed through on your actions to make improvements. So get those basics down because you're having skirmishes all the time, right? Then I'd go a couple times a year you do a crazy drill in the extreme to be prepared for the ordinary. But give yourself credit for the things that are going bump. And frankly, when you're in even a small scenario, like we did this just last week, we had a small thing that went bump, a couple people got locked out of access, you know, failed logins. Of course, you know, again, simple thing, simple causes. What did I do? I stress tested it. I'm like, well, what if this, what if that? What if this? What if that? And so even as we were dealing with this basically minor issue that was caused by a configuration thing, we stretched it to go, well, this could have been caused by that. It could have been caused by this. And we then, because we did that, we found a few things. Oh, we've got to document this. We've got to tighten that up. Again, early stage companies, I would use a minor thing and amplify the potentials around it in order to give us that exercise. Right. So you can do it with normal things that have gone bump and then just go, okay, we've dealt with it. Now let's scenario play around it and use that as a way to do basically a mini drill and not have to go into a whole lot of scheduling and, you know,

Speaker 2 (1093.12s - 1114.98s)

scenario planning and all that other stuff. Well, that's my next question. How much planning and how much notification do you give in these exercises? Like I could see one being very planned out, very coordinated, and everybody knows, but there's got to be value to creating an exercise on the fly that nobody has any idea it's coming.

Speaker 1 (1115.54s - 1178s)

I love doing those. I love being stress tested myself. You know, again, you, because again, the reality is people are on planes. They've got graduations. They've got things at home. They've got other business stuff. So you do want to do a level of random, have a few people who know. And I did this, you know, both at Cylance and at Intel. It was like, hey, you go figure it out. Just put a particular month or week, and, you know, and I am at where I'm at and I have to deal with it like everybody else. And then you also test who's the backup, right? If you only have one person who can make a certain decision or access the system to do something, you have a single point of failure. It's also a great way to, you know, again, validate your call trees. If Malcolm didn't pick up, and he's supposed to be running corporate emergency operations, who's second in command, right?

Speaker 3 (1179.04s - 1191.56s)

Now, Malcolm, when you're running these exercises, do you have somebody keeping score? Someone actually tallying the areas of improvement, more like a facilitator, someone who's a little bit separated from the exercise, who can...

Speaker 1 (1191.56s - 1196.98s)

Because in chaos, you're not always going to remember what areas you need to improve on, right?

Speaker 3 (1196.98s - 1199s)

Do you have that person who facilitates?

Speaker 1 (1199.56s - 1204.76s)

You want a scribe, you know, because again, even the facilitator, though, they're immersed in it.

Speaker 3 (1204.82s - 1205.24s)

So they're not

Speaker 1 (1205.24s - 1211.12s)

going to capture the dialogues or the quick things that somebody might Slack. And so I just thought

Speaker 3 (1211.12s - 1216.24s)

about this, but I don't want to distract it or whatever. So I'd say you have a facilitator, you have a

Speaker 1 (1216.24s - 1223.28s)

scribe. That scribe's job is to just watch, listen, absorb, and anytime somebody said, well, what about

Speaker 3 (1223.28s - 1226.48s)

this, what about... well, uh, we don't have a good answer for that.

Speaker 1 (1226.58s - 1228.12s)

Okay, grab it, bin it.

Speaker 3 (1228.56s - 1229.62s)

You know, keep a parking lot.

Speaker 1 (1229.62s - 1231.22s)

And we can cover it later.

Speaker 3 (1231.36s - 1231.5s)

Yep.

Speaker 1 (1232.58s - 1234.92s)

And literally, like the thing that we had,

Speaker 3 (1234.92s - 1239.82s)

a little thing that went bump last week, we had somebody when we were doing it. And I started throwing out all these different things.

Speaker 1 (1239.82s - 1275.92s)

And what they were doing was basically writing all that stuff down and saying, yep, we'll follow up on it. Yep, we'll follow up on it. And then that spawned a bunch of other things. And guess what? We had, you know, a punch list of 10 things that says, hey, you know, we should, because of this, we just thought about other ways in which this could have occurred. And we had to go, you know, do some instrumentation to alert for those in one case. In another case, it's just, you know, having basically a backup capability for logs, right? Yeah. Do you, do you leverage folks

Speaker 3 (1275.92s - 1309.36s)

from outside of your organization to brainstorm different events, scenarios, emerging threats? Because in the confines of your own company, you're kind of in a bubble, right? So I think collaboration is huge, whether it's with an ISAC or, you know, a law enforcement organization, one of the three-letter agencies, something like that, InfraGard, you know, having those external resources that can give you ideas on different exercises, bring them back to your organization and actually see if it's an extinction level event or if it's a high risk.

Speaker 1 (1309.8s - 1338.48s)

Yeah, no, I think you're right. And I think, you know, there are either industry segment components, location segment components. Heck, I've been used by friends and I've used friends to actually sometimes participate as an instigator, as a facilitator, right? And help me get out of my own sometimes myopic view that can occur.

Speaker 2 (1341s - 1372.5s)

Yeah, you learn so much that at the end, I mean, you've got to break these down afterwards, right? I mean, there has to be this continual improvement process. How quickly, so this was something that I took away from our last exercise. If you don't do those pretty quickly after, you start to forget some of the details. So how quickly should you be doing the post-mortems to think about all these areas to make those improvements back into the plan?

Speaker 1 (1373.96s - 1416.08s)

Yeah, I think you're doing the, if you have the right scribe, you're doing the post-mortem while you're actually doing it because that's getting documented. And then it's just a review that determines the potential priority. Because you might end up with this laundry list of stuff. And then you just have to go, okay, well, let's consolidate it. Let's trim it. Let's prioritize it so that you don't have 100 things and you whittle it to the 10 things you can get done. Let's say in the next, you know, some cases it could be the next two hours. Other cases it could be, okay, that's going to be a longer term project. Okay, well, we're going to have to put that into our next financial planning exercise because we're going to have to dedicate three people and three months to it, right?

Speaker 3 (1417.82s - 1426.94s)

Yeah, and that's when you sit back, assess the risk, assess the investment, build out the project, and now you have that remediation. That's more of a long tail remediation.

Speaker 1 (1427.62s - 1451.5s)

Yeah, or you might find something that you go, oh, crap, this is a big heavy lift. We have an architectural flaw that allows for, you know, that's going to cost, you know, $5 million and a year and a half of work to go deal with. Okay, well, if you uncover that, that's a different dialogue and a different discussion. And again,

Speaker 0 (1451.56s - 1458.84s)

getting back to materiality, if it's a probable thing that is exploitable, that could cause a material

Speaker 1 (1458.84s - 1495.62s)

event, guess what? It probably should be summarized in some level in your 10-K, like the loss of a factory that's sole source and an earthquake that could cause a disruption. If you have those, that's where you put it in your 10-K. 8-K is for the four-day rule. Again, not just cyber, anything that's material that happens, you have four days to report it in an 8-K. 10-K is for these systemic things that are potentially material that you might not be able to properly or fully mitigate the risk.

Speaker 2 (1497.04s - 1517.82s)

Yeah, so let's walk through that scenario quickly because I think this is good guidance for people, right? We're going to use your plant example in Utah. It's a systemic potential risk. It's in my 10-K. An earthquake or a cyber event actually happens at that facility. That's when the 8-K kicks in, right?

Speaker 0 (1517.82s - 1527.94s)

Correct. Because you've identified it as a systemic potential risk in your 10-K, but the actual event when it happens that interrupts that plant becomes the 8-K reporting requirement.

Speaker 1 (1528.46s - 1558s)

Correct. Now, but let's think forward. AI. There's manufacturing companies that are using AI to optimize factory output. Some of them have already published case studies that they've delivered hundreds of millions of dollars, that EBIT of benefit, earnings before income and taxes, avoided billions of dollars of cost of factory operations. Guess what? That's material benefit. Guess what? If your AI is attacked,

Speaker 3 (1559s - 1570.52s)

it's a material risk. It's your risk, yep. Right? So now you go from the traditional ransomware and industrial control systems or outage or earthquake or fire.

Speaker 1 (1571.52s - 1617.7s)

I've got AI helping optimize factory performance, creating material benefit. If AI is attacked or breached, it's a material risk. Well, guess what? If you haven't managed it, you should be putting in your 10-K: I have AI in use in my company that we don't have potentially full capability to manage the risks around that could cause a material risk. Right. So that's where you have to always evaluate the technology. When we shifted to cloud, you didn't have cloud security controls and the cloud transition was creating material benefit. You should have been disclosing in your 10-K the potential for material risk. And then you need to test scenarios

Speaker 2 (1617.7s - 1626.2s)

around AI attacks that you should exercise for to prepare for in the eventual event that it actually happens. Exactly.

Speaker 1 (1628.2s - 1634.72s)

See, we just tied what you should be disclosing in your 10-K, systemic risk-wise, that impacts

Speaker 2 (1634.72s - 1646.08s)

materiality, an 8-K event, which you should actually probably plan for prior to needing to file your 8-K. Otherwise, you don't know that you have to file the 8-K. Correct.

Speaker 1 (1648.32s - 1691.06s)

Yeah, that planning should be, in Malcolm's strong opinion, 90 plus percent pre-planned. You should already know all that stuff. And then you've got templates and you know when you're grabbing the finance folks, the legal folks, and they're making the final determination of the thing that went bump that tied to something that was already determined to create a material impact. Is it, are we required to disclose it or not? And all the people that were doing the CYA tells me they didn't actually understand what was material. And so they just rushed and said, well, we're going to say it so that we don't have liability later.

Speaker 3 (1692.48s - 1696.88s)

Yeah, they were hitting the easy button because they didn't do the job up front. They didn't do the hard work up front, right?

Speaker 2 (1697.44s - 1744.58s)

Right. And I think Malcolm, what you've done is articulated a really good approach to think about how these pieces fit together. Because I think this is the challenge that organizations now have to get their arms around is understand those extinction level events. What is material? Identify those in my 10-K. Prepare plans for those. Test against those plans so that if something does happen, not only do you know that you need to file the 8-K, you're actually prepared to mitigate the event as it's happening. So it's kind of a dual benefit. It's preparing you for the 8-K, but also protecting the organization from the extinction level event. Exactly. And then do mock

Speaker 1 (1744.58s - 1757.5s)

depositions because your communication will be weaponized against you. And again, a dialogue I had with a peer the other day, we were talking about incident response, out-of-band communication, stuff like that.

Speaker 0 (1757.5s - 1761.76s)

And they're like, yeah, we're getting to formalize choosing blah as our out-of-band communication.

Speaker 1 (1761.98s - 1781.36s)

Having been deposed too many times, I said, okay, great. Imagine, you know, I said, as soon as you believe that you might be sued for something, you have the obligation to preserve all communications: text, phone, email, Slack.

Speaker 0 (1782.14s - 1782.6s)

Guess what?

Speaker 1 (1782.68s - 1810.7s)

Out of band communications. And if you then don't preserve that, imagine you're getting deposed and you said, hey, did you use out of band communications for incident response? Yes. Why? Well, because it was easier and blow alone and preserve the confidentiality. So do you have any reason to believe that your communication mechanisms were compromised? No. Okay. Now you just lined yourself up for a kill shot from a plaintiff's attorney saying that they're going to then make the case that you were intentionally

Speaker 3 (1810.7s - 1820.78s)

hiding communications through out-of-band communication for no good reason. Yep. And then how do you practice

Speaker 0 (1820.78s - 1828.08s)

that response? Right, right, exactly. Which is why you go, if you're going to use out-of-band communications for stuff, you have to have a trigger.

Speaker 1 (1828.6s - 1832.26s)

We suspect your communications are compromised, right?

Speaker 3 (1832.32s - 1837.9s)

Or we're communicating with external third parties that are a part of it and that becomes a trigger.

Speaker 1 (1837.9s - 1842.54s)

And then you still have to have the obligation for preservation if you believe you're going to be sued.

Speaker 3 (1842.72s - 1845.16s)

In which case, you create a manual record.

Speaker 1 (1845.7s - 1865.52s)

I texted Matt on this out-of-band encrypted communication channel, and I just go, I asked him this question. His response was this, and you keep a handwritten set of notes because you have the obligation to preserve from discovery, you know, for discovery purposes. Yeah. Yeah.

Speaker 2 (1865.9s - 1866.06s)

Yeah.

Speaker 1 (1866.5s - 1866.68s)

Yeah.

Speaker 2 (1866.68s - 1868.26s)

How many of us are prepared for that?

Speaker 1 (1868.88s - 1890.28s)

But that also gets to be, you know, prepare for the fight, because that will also be a part of the fight, not just the cyber fight, the liability and legal response fight that will come afterwards. And if you're not doing that preparation, you're also not truly preparing for a fight. Yeah. So we started with incident response, but now you've got to prepare

Speaker 2 (1890.28s - 1896.14s)

for deposition and practice like you, train like you fight over there as well. Exactly. I mean,

Speaker 3 (1896.14s - 1899.98s)

that's the, that's the long tail of the battle, though, to keep in military terms, right?

Speaker 2 (1900.18s - 1906.18s)

That's the long tail of the battle. It's not just the firefight that day. It's that long

Speaker 3 (1906.18s - 1912.62s)

tail of battle. Yep. Malcolm, it was an absolute pleasure. Thank you for joining us on

Speaker 2 (1912.62s - 1921.6s)

Business Security Weekly. Thank you. And Jason, as always, a great topic this time around. Thank you,

Speaker 1 (1921.6s - 1925.52s)

sir. And thank you for everyone watching, listening.

Speaker 2 (1925.52s - 1927.84s)

We'll see you next week on Business Security Weekly.