It’s not always easy to determine the value of digital assets. The risk of overestimating or undervaluing your data can make it difficult to establish how much protection you need against a cyber intrusion.
Today’s guest is Jeremiah Grossman. Jeremiah has spent over 25 years as an InfoSec professional and hacker. He is the Managing Director of Grossman Ventures. He is an industry creator and founder of WhiteHat Security and Bit Discovery. He has his black belt in Brazilian Jiu-Jitsu and is an avid car collector.
“Breaches will happen. At some point prevention becomes prohibitively expensive to get to the next rung.” - Jeremiah Grossman
Show Notes:
- [0:53] – Jeremiah shares his background and what he does as the managing director of a new venture capital firm, Grossman Ventures.
- [1:55] – When he was 24, Jeremiah’s business was victimized by a data breach.
- [5:30] – This experience taught him that if you treat your customers with integrity and have their best interests in mind, they will keep doing business with you.
- [7:43] – These things happen to countless businesses. It is important to keep customers and clients informed.
- [10:27] – Cybercrime is one of the only crimes where the victim doesn’t always know they’re a victim.
- [13:30] – When it comes to solving these problems, we have to narrow in on the problems that are worth solving and then work for a solution.
- [14:53] – Doing an asset evaluation is a good starting point. There is no algorithm to determine the value of digital assets.
- [19:18] – What role does AI play in this and what should people be wary of?
- [20:31] – How do we raise the cost on the adversary?
- [23:12] – There are ways to bait adversaries as well which is an inexpensive solution.
- [25:17] – These days, adversaries are nowhere physically near the data. They access it all through digital means.
- [27:28] – Jeremiah is optimistic about AI and in his perspective, AI is a tool that will help us determine solutions.
- [28:07] – Currently, cyber insurance has become compulsory.
- [30:48] – Jeremiah explains how things work in venture capital and the problems that are common.
- [34:11] – There are many things that we can do better in this space.
- [35:46] – Jeremiah shares advice for small and medium-sized businesses.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Transcript:
Jeremiah, thank you so much for coming on the Easy Prey Podcast today.
It's good to be here. Thank you.
Can you give myself and the audience a little bit of background about who you are and what you do?
It's a really good question. I might be the last person one would ask, but I’m Jeremiah Grossman and I'm the managing director of a new venture capital firm called Grossman Ventures, but my background for the last 25 years, I've been in cybersecurity. I was the founder of WhiteHat Security, the founder of Bit Discovery. I've worked with dozens of startups over the years just basically trying to find and fix problems out there in cybersecurity land.
Fun, and I ask all, particularly my cybersecurity guests, have you ever been a victim of a cybersecurity incident, fraud, a scam, because I really want to destigmatize this. If you and I can't get it right 100% of the time, I don't want the audience who doesn't get it right 99.999% of the time to feel ashamed or embarrassed.
I'm with you on that one. I definitely have a story, and I can tell you just being more or less public in cybersecurity in the last 25 years, I'm attacked constantly. It's just never a day that goes by.
But a long time ago when I was about 24, and I had recently started WhiteHat Security—my brand new cybersecurity startup—I had about 20 customers and they were wonderful customers, big companies. You would know their names. The business that we were in was finding vulnerabilities in websites so we would tell them where they are so they can get them fixed.
I had raised money, of course, but it's launching that company. I had put hundreds of thousands of dollars of my own money, at that time, my life savings. This is the thing that I want to do in this company and we are doing really well.
One day I walked into the office where I got a call just before and it's like a red alarm bell because the data that we had stored for customers was quite sensitive. We opened our computers to find a ransom note, an extortion note on our Linux boxes.
Apparently, someone had broken into one of our jump boxes to get into our corporate network and compromised it, and they got access to the crown jewels, all vulnerability data, all passwords, all code. They had everything and they said, “$50,000, otherwise, we're going to release all the data. Tell all your customers, and you will be out of business.”
At that moment you're pulling an, “Oh my god, what do I do?” And it took me a few minutes to try and figure out what we should do at that moment. I came to the conclusion that this might be the end of the company. We're only two years old or something like that and this might be the end. If this is the end, how do I want to go out? I said I'm not going out like that, screwing over our customers.
What we first did is we decided to back up all systems, store all data, and everything that we have, and shut everything down. But we needed a copy of everything first. We literally burned DVDs because that was the era back then. We instantly FedEx’d them out—all of our customers’ data—to our customers so should the data ever be released, they could protect themselves.
Then I personally, as the CEO of the company—this is after I quickly informed our investors—called every customer personally and explained the situation, what we knew, what we were doing about it, and what we think they can do to protect themselves. These were not comfortable calls, to say the least.
In parallel, we're communicating with the FBI to try to figure out who the perpetrator is working on extortion. I'm going back and forth with, the best I could tell, an Eastern European extortionist, threatening me, threatening the company, and things like that.
The clock was running out and the way I did the logic was I actually paid the extortion. I paid the ransom. I had no confidence or assurances really that they wouldn't release the data anyway. I figured $50,000 was a worthwhile enough risk to give my customers more time. If $50,000 was going to give them another week to protect themselves, then I would just do it.
I paid the extortion in Eagle. If you remember that way back when, this is way before cryptocurrency and everything else, and it moved around the banking systems and things like that. Turns out the money landed in Latvia.
I think the extortionist somehow or another got scared because we checked in six months later and the money was still in that bank account on the receiving end. But what was really interesting was we reviewed every line of code. We restored our systems from scratch. It took several weeks. I remember the feeling distinctly—we didn't lose a single customer, not one.
It taught me a couple of things that if you act with integrity and your customers’ best interests and keep them apprised, they'll stick with you. The company went on for another 15 years after that moment. Now, it's like I know what it feels like to be a small business on the receiving end of that thing, and I know the exact way to handle situations like that, both technologically and socially.
I think that's something that most companies these days don't handle very well—not the mechanics of it, but the public-facing side of it. That is so much these days. It’s, “How do we downplay it? How do we minimize it? How can we say anything that doesn't admit fault? How can we sanitize this every which way to Sunday to buy ourselves more PR time to get distance from it?”
Obviously, we've been in the industry long enough to see people handle it in all sorts of ways. I just figured, like, I didn't want this to be my last day in InfoSec, because in InfoSec, we're entrusted implicitly with the secrets of the world, so to speak. We must act with honor and integrity. Otherwise, what are we doing here? I mean, customers have to trust us.
At that moment, they know they're going to get hacked. Other companies are going to get hacked. What I didn't truly appreciate at the time is that they felt confident that should this ever happen again, which I was dead set on never letting this happen again, is that if anything happened, whether it's a hack or something else, they were going to be informed. We were going to let them know and nothing was going to be a surprise.
That lesson I took with me the rest of my career. Whether it's myself, should anything bad happen with the people that work with me, for me, around me, I get bad news quickly. If I get bad news quickly, we can handle the situation. It's a lesson that I live with today.
Obviously, these things happen to lots of small businesses and I empathize with them. I know what it means so I can often enough help them, mentor them through it.
It’s one thing to say, “Hey, we can help prevent this from happening. We probably can't guarantee it won't happen, but we can help prevent it from happening.” It's another thing to say, “I know what it's like if it does happen, and I can help you through.” It is a fundamentally different perspective. I think most companies would be like, “Well, we're just going to pawn you off to the tier-one customer service people and let them deal with it.”
How can anybody trust you after that? It was a horrible day and I never had to experience it personally after that. That's been nice.
How long did it take you to get back into good headspace after that incident?
Good headspace is a relative term. If memory serves, to recheck all the systems to be assured that they were no longer there, because that's the hard one, how do you know they're no longer in the systems? It took us about three to four weeks to rebuild all the systems from scratch where we had assurances and we beefed up our security, obviously. But that lesson, that emotional feeling never left us, ever.
To me, it helps you become a better advocate in the space when you know what it's like when it's happened to you.
Yeah, we didn't advertise it, obviously, because the only people who cared outside of our company were our customers, and we let them know directly.
That's one of the advantages of a small company is that you can go directly to everybody and there's no journalist that has suddenly stumbled across this hideous corporate secret that everyone's been keeping. It's like, “No, all our customers knew we talked to them directly.”
Yeah, those are awful calls.
I can't even begin to imagine.
They were embarrassing. They were obviously concerned because they took a chance on us as a startup, but nothing bad happened to us like that. Nothing bad happened to them. It worked out for the best.
What's funny is in my experience after that, I have found that companies that experienced major breaches like that end up being the most secure ones, not the ones that have never been hacked, so to speak.
Or the ones that don't know they've been hacked. I was just recording an episode. We were talking about that. Either you've been a victim of a cybersecurity incident or you don't know you've been a victim of a cybersecurity incident.
And that's the really strange one. Cybercrime, for as big and as impactful as it is, it's like the only real crime I'm aware of where the victim doesn't know they're a victim. It's very interesting that way.
Yeah, and I guess a certain amount of it is if my computer starts behaving funny and I wipe the hard drive and restart, was it malware or did something just get corrupted? Computers could be such a black box that you may not even know.
Exactly.
What are you doing these days in cybersecurity?
Right now I'm running a brand new investment fund. There are roughly a thousand pre-IPO security companies out there in the ecosystem. I spend a lot of time interacting with customers (CISOs), like what are the number one problems that they're interacting with.
I work with the cyber insurance carriers, and I'm talking with them and what the breach and claims data are teaching them about what the adversaries are up to. Finding the problems, the customers are seeing where the losses are and trying to really hone in on the exact problems that we need to deal with first, and then I try to find companies out there in the world, either design them or find the startups that meet those particular needs.
Yes, I can start another company and do another point solution, but I want to help 10 companies. I want to help 100 companies. I want to scale this up because we're going to need them. I meet with a lot of companies all the time and try to figure out which ones really have it.
It's also a fun process because I like the entrepreneurial spirit, the nature of it, and solving problems for the world. Since I've been doing it for 25 years, when new entrepreneurs come to me, I make it very clear to them that this process they're going through is going to be all encompassing. It's going to be really hard, it's going to be taxing, and you can very easily waste millions of your own dollars and other people's money and years of your life, so it's important to get it right.
I will press on every single assumption that they have. I will shoot down every idea that you could possibly have, not with mal-intent, which is hopefully finding the idea that has the maximum chance of success. The best ideas must win. And if they know that I'm coming from a good place. I'm just not trying to throw them aside. No, I'm like, I want them to win. The only way to win is a pressure test. So that's how I spend my day.
With thousands of companies trying to provide cybersecurity—I don't want you to disclose private investor stuff here—is it a thousand different ways to skin a cat, or is it three ways to skin a cat 333 times and there's this one company that's like, “Hey, wait. They have a really unique approach to this that might change the game”?
I think there are two halves. One is you have to really identify the problems that are worth solving, the ones that have the most impact, and then find the solutions for them. And that's where there's a lot of disagreement on where the solutions are. That's a healthy way of going about it.
But the problem with the last company, Bit Discovery, that we had is we're going after attack surface management. We felt the biggest, most important unsolved problem in the industry is that companies didn't know what they had exposed on the Internet. How can you secure what you don't know you own?
Just that concept was interesting to people because most people really didn't know or appreciate that it was that widespread of a problem, even today, so we had to set out on a way to solve that particular problem. That was one.
The other one that we see that no one's really on is you want to not overspend or underspend on security. The only way to do that is to know the asset that you're meant to secure and the value of it to the business.
The first two steps in InfoSec that we never really did is find the asset and value it. There is, best I can tell, no algorithm or model in the world that will help you appraise the value of a digital asset. So how on earth can we do risk management where we don't know the assets and we don't know what they're worth? Which ones do we protect first? I like the problem of trying to do asset valuation on different corporate networks or the mail server or whatever. Those particular ones.
The third one I'll give you, and we can go to many different places, is that breaches will happen. At some point, prevention becomes prohibitively expensive to get to the next rung. A lot of people are not there yet. But what I learned from cyber insurance carriers is when they see losses, the loss is equated to dwell time of the adversary.
A breach doesn't necessarily result in a loss and the business just cares about losses. If you're able to detect the adversary within, let's say, a few days or a week, you're not going to suffer major losses like other ones where you're the adversary in a bank for six months, then you rob the place blind.
I really like solutions that are meant to do fast detection and response of the adversary, because I've been on the offense side of InfoSec for a long time, breaking into systems. Nothing's more heartbreaking and frustrating than spending weeks trying to break into a system only to get kicked off in a day. That's awful. But that's the economic game that we need to play with our adversaries.
It's an interesting aspect because I think so much of InfoSec really seems to be a pass or fail. Maybe we don't need to protect this asset as much as we think we need to protect it, and maybe provide more resources to protect these things that are I think everyone's going to figure out like I apply all these assets are mission-critical, but maybe there are some assets that are more valuable than others or less value.
We do it in every other place in our life. Like how big does the lock on our front door need to be? How secure does it really need to be? We balance this out everywhere. Yes, if somebody drives a truck through it, I mean, nothing's going to stop that, but I just want to prevent somebody from kicking it open, is really what I want to do.
OK, I'm going to laugh at the analogy of the front door because right next to every front door is a plate glass window which you could have the best lock in the world on the front door, and a door that you can't get through with a battering ram, but if you've got a glass window next to it, don’t…
Oh yeah. We balance risks versus cost all day. It's interesting when you think about it, is that let's say we know the world spends about $200 billion a year now on InfoSec products and services. Let's say you go to the biggest banks, and I think it was JPMC, and I'm not going to expose them for anything private because they said it. They said in The New York Times, I believe, they spend somewhere between $200–$250 million a year on cybersecurity.
Here's a fun game for yourself or your listeners. Go ask a competent red team how long it takes them to break into any company. How many people, how many hours. I think at the worst, they could probably break into any company in a few days for $50,000 with a team of four. Now think about that for a second. Any company.
We have this economics game where you have to spend hundreds of millions to defeat an adversary that's spending $50,000. If we can find an economic model to flip that around, then we're making progress, but not a moment until so.
What do we do to change that? I think that's one of the things that people are freaking out about with AI is that in a simplistic view, AI is a force multiplier. What could have been done with one person or with 50 people can now be done with one person running an appropriately trained AI. Let's just work from that assumption. How do we flip that script? If we're going to start seeing AI on the offensive side over the next few years, if we're not already seeing it, how do we get that on the defensive side?
The solutions will vary. I'll give you one example. I really liked this company. I was on the board of it for a few years. I think I first engaged with them like eight years ago. This is a company that reimagined the CAPTCHA, the little squiggly images.
The bicycles.
Yeah. They crushed the Google reCAPTCHA thing, but they had a brand new model. You need these types of solutions to stop automated fraud. They put these in front of login screens and authentication screens, anywhere in the money flow.
What they found was that, in the age of Google reCAPTCHA things, the adversary could automate these certain processes in a company and defraud the companies of millions. You put this in place and it's not like you can't get past it with an army of people that are clicking on all the buttons, but it increases the cost of the adversary.
If you can make the solution just a little bit harder where you have to solve it with humans—you cannot automate it—then you've increased their cost, hopefully to a level where they will move on.
In this particular company, the CEO periodically sends me a few snippets from the chat forums where the adversaries are lamenting running into this company and it angers them. I'm like, now we know we're making progress that the bad guys are upset, we know. If there's not one answer, but it's just thinking about economic terms, how do we raise the cost on the adversary?
That's a good point because if the purpose is just being opportunistic to leverage to get a financial gain out of it and it's not a corporate espionage or nation state sort of thing, as soon as you make it cost-prohibitive, the criminal is not going to do it because that's not in their own financial interest.
That is a very smart way to go about things because there are different types of adversaries that are motivated by different things. You have the cyber criminals and that's an economics game. How much money do they put into how much money they get out? We have to play economics. If they have to spend a hundred X to get a dollar, then we're going to win that game.
That doesn't account for the nation state actor who doesn't care how much they spend. They'll spend an extraordinary amount of time breaking into the system. It reminds me of that bear in the woods analogy. You don't have to outrun the bear; you have to outrun the other hikers. That works only until the bear wants to eat you. That's different.
If it's a professional team going after you, they're going to win. In that case, what choice do you have except fast detection and response? Can you detect their presence quickly and boot them off the system?
It'll be obviously clear to anyone who's in InfoSec that I'm not a hacker in any fashion. Is that where the concept of honeypots comes in, is to make something look attractive inside your platform so the people put their attention towards this other thing and you're like, “OK, we now know someone's in our system and we can get them out of the system without them actually getting anything of value”?
Honeypot is a broad term. There are different definitions there. I'll give you another example. I'll name drop them if that's OK with you. There's a company that's started by a friend of mine. We go back 20 years. He started a company called Thinkst—thinkst.com—and they make a product called Canary.
The way he describes it is when an adversary breaks into a system, they're never going to break into the crown jewel system first. It's some unpatched web server, mail server, whatever, RDP system that you forgot about. Once they establish a beachhead of the corporate network, then they move laterally to find things that are more interesting, like a Windows domain controller.
What these guys do is they have little Canaries that are literally Raspberry Pis that you configure to take on the persona of a Windows domain controller, and you park them on your network. You configure it and set and forget.
When the adversary breaks in and they see a domain controller, they'll scan it. No one's ever supposed to touch it, but it's like bait for the adversary. Once somebody touches it, it chirps, so to speak, and then you can deploy your incident response team because something weird is going to happen.
That's very inexpensive to deploy. It's set and forgotten. It's cheap to deploy. Don't really have to manage it and it's a high likelihood that something bad happens. The adversary can't help but run across these tripwires. I love solutions like that.
It's a cheap economical way to detect.
Yeah, and I think the whole world should have these things. It's very low cost relative to the adversary, and that could change the world right there.
I'm just trying to think this through my head here, maybe you could walk me through where I'm wrong or right. Would that have any difference on a nation state hacker?
Yeah, because they all go after it the same way. They establish a beachhead. Maybe they go after a person first when they take over their account. Now they're on the corporate network. Their products can be deployed as hardware, and software tokens in the cloud. They have all tokens so you litter them across your network. Should any of them start chirping, then you know something really bad is going on.
He has stories. I don't want to tell his stories. You'll have to ask him one day, but yes, they will, they will catch people and he has many success stories out with these things.
That's really neat. How much is an issue of the physical attack and physical services versus in the cloud or internet surfaces?
Cloud-hosted versus self-hosted sort of thing?
No, the attacker coming in through physical means, like bringing in a USB drive into the office and plugging it surreptitiously into a machine, or is it more often people are just going in through a connection?
I think by far the adversary has no physical proximity to the networks that they're on. I'm sure it still happens where some people break in. The only times I really hear of that happening, even in the news, is red teams doing it as an experiment, breaking that way. Real-life adversaries doing it? It probably happens. Is it going to move the needle in the stats? Probably not.
Again, that comes back down to the math, the human cost of that. Takes a lot more effort to get a human inside of a building, physically connecting something potentially, than it does or risk that someone being half a continent away.
In the age of pre-internet in order to hack a bank, you had to have physical proximity to the bank. You had to live or be nearby. Then the Internet came, all banks went online, and now everybody was equidistant from the adversary, so the physical world mattered less. Now here's a stat for it. I'm at Yahoo 20 years ago, and my title at the time was literally the hacker Yahoo because engineering didn't have any titles. My loose job description was to hack everything Yahoo had, preferably before the bad guys do.
At the time we had, if I remember correctly, 120 million users, which was like the top of the top of the Internet at the time. One to two percent of our user base was malicious in some way, we figured. That was the same across eBay and PayPal. I work with them all the time because we are always comparing notes.
Roughly speaking, there were about 1.2 million bad guys—spammers, child predators, hackers, all miscreants. Imagine being a security army of 20 dealing with 1.2 million bad guys. You learn scale really well.
Scale is going to be the great equalizer or we're going to fall victim to scale very quickly.
That right there, back to your comment, AI is coming. That's why I like AI because we are fresh out of genuine intelligence so we need artificial intelligence now. We get this brand new tool to help us scale. The bad guys have demonstrated they don't need AI to win this game. We definitely do.
It's an interesting perspective to have. Where else do you see the industry going over the next couple of years?
I look for the influences happening. I talk about cyber insurance a lot and everybody hates the concept of insurance. I do too. It's not really the most fun, sexy topic. But in the business world, cyber insurance is now becoming compulsory and the data that they have, you can learn a lot from it. Because when a breach happens and there's a loss, they get the claims data, how exactly the bad guy broke in and what led to the major losses that they have to pay out on.
The insurance industry over time—the last six to eight years—has been getting smarter and they're going to be prescriptive to their clientele now. They're going to tell you what product categories to buy and what specific products to buy in order to be insurable. That is going to have an invisible influence on InfoSec and the way our industry heads. They're quantifying the things that we already intrinsically know. Many companies said, “If you have open RDP, we're not covering you. You're going to get hacked, and there's going to be a loss.”
In order to insure you, you must have an MFA installed. This brings claims way down so they're going to be able to tell us things like that. I like talking to the cyber insurance people. They see a perspective that we don't often do in InfoSec. Insurance is one that's common.
Insurance is the great equalizer. With you being in venture capital now, how much does that investment in venture capital influence the companies that are at the success of companies that have good cybersecurity products?
I'm thinking it happens to lots of other industries. Bob could think of VHS versus Betamax. Betamax was technically the better product, but they didn't have as good of a marketing department, let's say, so VHS won out.
How much do you see that impacting the cybersecurity field where you have people investing in companies that they've got a good profit margin so I'm going to make lots of money, versus they have a really good product, but they just don't have the markup to make billions. I can make my billions promoting this other product.
It seems my role in this world is to make people uncomfortable, especially different markets. I told everybody in InfoSec like a long time ago when I was starting WhiteHat that I wanted to do Software as a Service-style of vulnerability management. I was doing cloud before cloud was cool. Everybody said, “You're going to put vulnerability data in the cloud?” I was like, “Yeah, it's economically better.” The consultants didn't want to hear that. Then 10 years later, I worked for a cyber insurance company.
Here's how it works in venture capital land. There are new technologies all the time that we have to secure and the adversary is always evolving. We know we're going to need innovation. For reasons that we can go into, the big cybersecurity companies, they don't innovate. They need investment typically from Silicon Valley, finding the next innovative companies that will plug the holes that we have.
Now, two problems occur is that broadly speaking, the venture capitalists in our space that are picking which companies get a shot at our market have no domain experience in cybersecurity—zero. They're spreadsheet investors. They've never worked in security. They've never built a computer. They've never defended anything. They do not know our space. They know nothing.
Most of the companies in cybersecurity land are not profitable, and it's not like they're chasing profits. They're chasing unicorns, and they only have to be right one in 10 times to win. That works great for their business model. It works terribly for the founders. I mean, only one in 10 companies do well, maybe one to two percent of founders make any money. Then there are nine failed companies out there. This is not how our industry progresses.
What I want to see is a better selection of the startups that come in because there are lots of great products that no one sees as being great products because they don't have the domain expertise.
You might have a really good InfoSec engineer that knows the problem will make a good product. A VC wouldn't be able to tell that. They just go, “This person doesn't speak in terms I understand. No one will recognize them.” I see it right away and go, “We’ve just got to pair you with that person, do these things, and you're going to go off and run it. You're going to kill it. The product matters here and what you're doing.”
I think that's coming to the market now. I just think we have to do a better job of picking the right startups that go into market.
That'll be an interesting task for people to do. I'm really curious to see how that works because I do feel like we see the same companies coming to prominence over and over and over again, and wonder if, “Gosh, is there some little tiny company out there that has the best product on the planet, but just because they didn't have access to money, they can't bring it to the mass market?”
That happens.
Although my guess is that's true of every industry. That's not an issue specific to cybersecurity.
I would assume so, but I only know cybersecurity. I've never been in health care or finance or anything else like that, but within a few minutes, I can tell quickly in the domains that I'm aware of like for the world-class experts, who are going after what I think is the right way. I just think we can make better selections on early stage startups than anybody else.
You're already seeing a lot of successful entrepreneurs jump over because they see what we're seeing. I don't think there are any reasons for nine out of 10 cybersecurity startups to fail or flatline. I think we can do a much better job, especially since I've been raising money and taking money for 25 years. Generally speaking, VCs will write you checks, but they're not going to be much more helpful than that, broadly speaking.
Imagine if there're cybersecurity experts making investments; not only can they write you checks to help you, but they can help them into your business, put you in contact with customers and things like that. This is how you help. This is how you move the needle.
Just because someone is good at building a cybersecurity product doesn't mean they're good at building a business. That's a fundamentally different skill set. VC bringing in or helping people partner together—let’s have the good business people work with the good product makers, and all of a sudden, we start getting a better success rate and bringing products to market.
Yeah, because every startup is going to have little holes in their strategy. They need people or they need money. They need introductions. They need product feedback. They need lots of little things, things that they're not aware that they need until they run into the problem.
People that have done it before, we can spot those quickly and go like, “You're going to need a CFO or a controller over here. You're going to need someone to market and message you this way.” They don't have to do what we say, of course, but they can get help if they see the same problem that we do.
Got you. As we start to wrap up here, what advice would you have for the consumer, small business, and medium-sized business in terms of upping their cyber defense?
All right, how to prioritize here. MFA will save you. That's prevention. Then disaster will strike in some way, shape, or form. That'll happen. You just don't want it to be the end of you. Patch it as best you can, and then have backups.
Even if you, unfortunately, have to be out of business for a day, a week, a month, have backups, and then at least you can restore. Ideally, backups that are not connected to the same networks that you're on because the adversary has become accustomed to encrypting the backups because it increases their chances of getting paid, but those few things right there—MFA, patching, backups—will save 99% of everybody.
Does that mean most of the cybersecurity incidents are relatively preventable, like easy mechanisms?
Yes, but it gets a little more complicated than that. You'll have to bear with me for another minute. For instance, you'll see a lot of times that companies will get compromised on a vulnerability where a patch was available and I go, “You didn't patch.” “Yes, that's true.” But they also didn't know that asset existed because that's a very hard problem. If they knew that asset existed, then they would have patched. You have to be able to dig a little bit deeper than that. Are the vast majority of the problems preventable? Yes, absolutely.
In hindsight, what we're dealing with a lot of times is a scale problem—just patch. The average large company will have tens of thousands of hosts. Just patching is a little bit challenging of a matter. If you're a small enterprise, then it's easier to patch, easier to have MFA, but it gets a little nuanced there. But yes, most of the problems we deal with are preventable. We just have a scale and implementation problem.
Don't be low-hanging fruit.
Right. Lessons you learn on the battlefield. Absolutely.
Jeremiah, if people want to reach out and connect with you, how can they find you?
I'm on X, formerly known as Twitter: @jeremiahg. I'm also on LinkedIn. Just type in my name, Jeremiah Grossman. You'll find it. I have Instagram accounts where I post personal stuff. You don't need to do that. But that's generally how to reach out to me. Twitter or LinkedIn usually does the trick.
Awesome. We'll make sure to throw those in the show notes as well. Jeremiah, thank you so much for coming on the podcast today.
My pleasure. Thanks so much, Chris, for having me.