You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we talk about detecting ransomware with cyber

threats evolving at a breakneck speed.

Understanding how to spot the early signs of a ransomware

attack is more crucial than ever.

We're once again joined by cybersecurity expert Dr.

Mike Sailor, who shares invaluable insights on the subtle indicators of

ransomware activity from performance degradation to unusual network behavior.

We'll explore the role of SIM and XDR tools in early detection.

And discuss why a rapid response is your best defense against

these malicious attacks.

By the way, if you have no idea who I am, welcome to the podcast.

I'm w Curtis Preston, AKA, Mr.

Backup, and I've been specializing in backup and recovery all the way back to

30 years ago when I could not restore a database because our backups were broken.

I, I hated having to tell that to my boss, and I don't want you to have to tell that

to your boss, so that's why I do this.

On this podcast, we turn unappreciated backup admins into Cyber Recovery Heroes.

This is the backup wrap up.

Welcome to the show.

If I could ask you to take a quick second to press that subscribe or

follow button so that you can always get our content, that would be great.

I am w Curtis Preston, otherwise known as Mr.

Backup, and have with me a guy who almost lost his head today.

Prasanna Malaiyandi guys are going.

Persona, we're we're glad that you're alive.

Yeah, I, uh, I escaped without an losing any fingers or my head,

you know, so that's a, it's a good day, you know, I'll take that

anytime of the day.

so why don't you tell the listeners why we had to delay this recording?

What happened to you?

so I was walking by and getting tea before the podcast and I was like, oh.

And I looked up at the ceiling and we have in our kitchen, we have a ceiling fan.

And I was like, huh, that's weird.

What's that blue piece and why does it look a little tilted?

So luckily I got a chair a step stool and I was like, huh, lemme take a closer look.

And I literally touched it.

And then the thing like fell down and was just dangling by the three wires, right?

The ground, the hot, and uh.

I was like, uh, then I had to quickly call my wife and it's very awkward.

Like these are like 30 pounds, right?

And it's hanging above you.

And I was on a short step stool and I was like, how do

I actually unclip these wires?

And it was a whole fiasco with, uh, ladders and step stools and

all sorts of things in order

to be able to do it.

But I have it down, which is good.

Yeah.

And an anxious wife hanging over to the side.

Uh, do, do you think you're gonna be replacing the fan?

Well, like with the new fan or just

it's, it's gone.

It's gone.

It's

Okay.

going to just put a normal like, 'cause honestly lived here for 11 years

now, 10 years, something like that.

And I think we've only used that fan once

Yeah.

It, it, it's funny, you know, it's funny, you, you know, I recently

replaced my ceiling fan with, in the kitchen with a, with just a light.

And what I remember was I, when I wanted to take it off,

I just could not figure out, I.

How to get it out, like what I was supposed to do to get

it out of there properly.

Um, and I wish that it was just hanging by the three wires.

It was like, it was just, I, I just remember that a saal,

uh, was involved at one point.

Yeah.

Well, and the hard part with that is like, it's like it's bulky and then

I saw the fan blades attached and like you can't see anything, right?

Because they hide all the things and it's like, okay, how do

Yeah.

off this trim piece so then I can get to the screws to unscrew it?

But like you said, luckily because my outlet box head basically

detached itself from its support, it was just kind of hanging there.

And so it made work a little easier.

'cause yeah,

Well, we're.

attached, I don't think I could have figured that out.

I am glad that you survived, and I'm glad that for once it's one of the stories from

your house rather than stories from my house that we're featuring on the episode.

Yeah.

So, speaking of stories, we once again have Dr.

Mike Sailor with us.

Our, our, at this point, resident cyber expert.

How's it going, Mike?

That's going well guys.

How are y'all?

Well, we're alive.

But, uh, this week I wanted to jump right into this idea of

ransomware detection, right?

So we, we, we tell people that they should assume breach, right?

That they should assume they're going to be attacked, and, uh,

because statistically speaking, they, they probably will be.

And you've dealt with a lot of these attacks.

So, so, um, I, I, I wanna understand, you know, what, what does.

What does a ransomware attack look like?

Right?

Like, what are the things that people see that are going on that don't like?

If, obviously if you get a, you know, a big thing on your screen that

says, Hey, give us a million dollars.

We're gonna get your, you know, get your files back.

That's one way to know you have ransomware attack, but what other

things happen before that that tell you that you have a ransomware attack?

Is it is a ceiling fan if a ceiling fan starts to fall?

Is that, is that,

I think,

is that.

I think before Mike, before you jump into that, Curtis, maybe it might be a

good idea just 'cause I think listeners may not be listening to every episode

in order, it might be a good idea to say like, why Mike is on the podcast

and why he's the expert in this area.

Right.

Well,

talking about ransomware detection, or Mike, maybe you wanna cover that.

yeah, go ahead, Mike.

Uh, certainly, so happy to, happy to, uh, comment on all of those things.

Uh, I think my experience over the last probably at least 20 years, uh, responding

to incidents both at, know, uh, personal, uh, at the personal level, uh, whether

it's a family member or somebody referred.

someone to us to, to help with a, a problem, uh, or a corporate, uh, level.

And, and that's, you know, school districts, banks, um, normal business

enterprise that, uh, have incurred some, uh, some cyber incident.

Uh.

We, we've seen quite a bit of, uh, variety of incidents, uh,

especially around ransomware.

There's, there's a hundreds of different variants of ransomware.

Uh, there's the more popular ones that we've probably seen more often

than the others, and there are some consistent themes and, uh, you

know, potholes and lessons learned.

And, and, uh, when, when someone that's seen it before, uh, shows up

to help put out the fire, we know where to where to put the water first.

Uh, what not to put water on, uh, when to ask for help and who else

to, uh, who else to involve in that.

So,

So, so

happy

know?

of.

Go ahead.

Finish.

Yeah.

to share, to share my experience and some stories.

Yeah.

So unlike me who's a YouTube person, you're actually

like, grounds on the boots.

Someone who's actually lived and does, does this on a like day to day basis

Uh, absolutely.

And, uh, you said grounds on the boots.

And the first, the

Yeah.

I

on the

thought.

Boots on the ground.

Yeah.

Uh, well, and, and first thing I thought of is that needs to

be a t-shirt at a coffee shop.

I think that would be good, uh, because I'm a, I'm an avid coffee

person, so that made sense to me, even though you said it that way.

But absolutely.

I've, I'm, uh.

Uh, in addition to being hands-on, you know, years ago in, in rebuilding

machines and actually, you know, type it in commands and running

tools, uh, to today, I'm more of what they consider a, a breach coach.

Uh, so you've had an incident, uh, and I'm just there to, to try and herd the

cats and give up updates in a, in a correct and, and less stressful manner.

Uh, be the one there that, that's already had my hair burned off while

everybody else is running around on fire.

Uh.

So d uh, Mike, uh, during the pre-call, you uh, had mentioned how different.

Like a ran like ransom, how different ransomware is from other malware,

and I think that's probably a good place to start before we talk about

what an attack actually looks like.

Sure.

Well, you know, malware in general, just bad software.

Uh, you know, it's, it's intended to do nefarious things or,

or trick us or steal from us.

Um, and, and there are elements of, of malware that are consistent

across different types of malware.

It's like info Steeler, malware.

Uh, harvesting malware that, you know, captures your keystrokes

or looks for certain things.

There's malware that just does reconnaissance.

Uh, and so when you think of really bad malware, it has the worst of

all these elements, uh, combined.

And effective ransomware these days really does.

Uh.

Perform in different phases.

So the first phase is it wants to gain access to, to whatever it's infected.

So that computer, your, your smartphone, that server, whatever it might be.

And then it wants to figure out, well, what do I have access to?

so was it a, a particular user, user account that.

Allowed it to infect this device.

Uh, what does this device then, and, and that user profile have

access to across a network?

Uh, what type of, um, software or files are on this machine?

For example, there is a specific ransomware that only

targets point of sale systems.

And so if, if it infects my laptop, it's gonna determine whether my

laptop is a point of sale system.

And if it is not.

It's gonna look for a way to spread to the next system, and once it does,

it will clean itself off of my laptop.

So as if it were never there.

And then it will continue doing so until it finds a point of sale

system and then it will deploy.

Its, its ransomware, you know, whatever, additional software

and, capabilities it has.

But there's those first few phases of what, what do I have access to?

And what, um, what can I, you know, what value, uh, aligned with my

ransomware campaign, uh, does that bring me, that then, uh, triggers

a whole slew of other things.

Like, okay, so I found I found a point of sale system.

Do I still have internet access?

And if I do, I'm gonna reach out and download the next, the next

piece of malware I need specific to the point of sale system I found.

And so.

A lot of times that initial malware, ransomware infection is a very, what we,

we call a thin or light, uh, payload.

It's not very large.

It doesn't draw a lot of attention.

It doesn't do a whole lot other than determine whether it, it,

it has access to whatever this ransomware actor is interested in.

And then it'll phone home and say, Hey, I've got, I've got the goods.

Send the, send the next, send the next payload and we'll get started.

For that first phase, I know we're talking about ransomware detection.

Is there anything you could really do to detect, I know you said it's a

very lightweight, thin shim, right?

That gets installed, deployed.

Are there things people can do to detect at that phase?

There are and, and there are some symptoms, uh, ransom.

These, these first few phases are different from, uh, one ransomware

variant to, or even just malware in general, from one variant to another.

But they're, they do consume resources and, you know, to, to do reconnaissance,

to, to do a system inventory.

There will be a change in resource utilization.

CPU may go up, memory may go up, drive io may go up, network IO may go up.

And so if you have the ability to monitor those things, uh, and, and it

may not be much, but you know, set some thresholds that say if my system resources

go above whatever it is, let me know.

That may be because you're watching a movie, but at least you know it's because

you're watching a movie I'm typing, you know, a new chapter to my book,

and then all of a sudden my CPU spikes.

Well, I'm not doing anything that would justify that.

So let me go look at what processes are running and, and so on.

Well, for the normal person or even the normal technical person, you know, I

could go look at Windows processes and not know what 95% of those are, but I

could potentially kill that process.

maybe dig into where, where, well, what spawned that process?

Where's that file and what folder is it in?

And when did, what's the time and date stamp that, that that happened?

And was that something I did?

some things you can do, um, investigatively and you'll, it's

probably a learning process as you do it.

But then there are other tools, like that's, that's kind of what

Black Swan Cybersecurity does.

We monitor environments and in, in our monitoring, we create a.

Behavioral baseline by user, by device, by network segment.

And as weird stuff happens, it flags to us.

Because it's simply deviated from normal behavior before

it becomes a security problem.

So then we can call the client or the tech support person or the whoever

it is and say, let's dig into this and figure out, uh, if this is, uh,

if this is legitimate activity or, or what can we tie it to from a user.

Maybe some user clicked on a link or downloaded a file, and

that's what led up to this.

And so there, there are, there are tools out there and it ranges from.

You know, put your toolbox together and run, run script one and look at,

you know, report B and tie all that stuff together, which is kind of time

consuming, but low cost, no cost, uh, to, to more of the elaborate

capabilities of hiring a, a managed service to, watch over all that stuff.

Hang on.

I'm not sure where I wanted to go from there.

Nevermind.

Nevermind.

I'll um,

Well, well back

uh,

back to the kind of the, the, the attack progression and this, this lines

up with the Mitre attack framework.

You know, reconnaissance is always first, and then how do we, I.

Maintain our access.

'cause that's, that's second part.

Once I've infected you, I wanna make sure that if you've determined I've

infected you and you try to clean me off, I'm still infecting you.

so once you reboot, I'm, I'm still there, and I'm gonna be there until

you throw this computer out the window.

Uh, and so persistence is next.

And then, uh, you know, some of the other, other phases.

And as, as that.

Attack progresses through the Mitre attack framework, and it, it's

all mapped out regardless of, of the attack who's doing the attack.

It, it falls into these categories, these phases, and as that phase progresses,

resource and network and, um, symptomatic, uh, identifiers will always increase.

So the more activity, the further along that attack framework they get,

the more identifiable, uh, it is.

And so.

Um,

Hey Mike, you, you threw out the Mitre Attack framework.

Not everybody, uh, is gonna be familiar with that.

You want to talk about that?

so Mitre, which is an organization, um, a framework within which, and there, and

there's like seven phases, within which every attack sequence can be mapped.

And so almost every attack starts with reconnaissance.

Uh, what do, what did they gain access to?

All the way through, like data exfiltration.

Uh, so they've, they've got access to your stuff and they're stealing it.

and so the, the attack framework is simply a way of, of identifying not only,

uh, where an attack is, but how far did it go, and based on those attributes,

then how big of a problem did we just.

you know, how big of a, how big of a, a, an issue is this.

Um, but it also then allows you to align your response to those

different phases of the framework.

So in reconnaissance, what's my response?

Well, maybe just passive for now.

What is doing this reconnaissance?

Is it normal like internet, uh, pings just to see if a website's

alive that could be reconnaissance.

or is it something a lot more active, uh, where they're doing port scans and.

some active enumeration.

What, you know what, um, I, I pinged this IP and I've, I've

determined these ports are open and they're responding a certain way.

So now I know it's a Windows seven or, or Windows 2018 server, uh, running,

you know, whichever patch level.

And so that's active reconnaissance and that's a no-no.

so what's doing that and can we address it now versus, uh.

Waiting until that progre, that attack progresses into one of the other phases,

which could get a little more, uh, complicated as far as responding to it.

But then you would have kinda your playbook lined up with what phase of the

framework, what phase of the attack are we in, and here are the tools and things

we should, be applying at this point.

Uh, and some of those are management decisions, like cut the hard

wire, you know, uh, it's that bad.

Uh.

But you would want all that stuff kind of mapped out and

planned out, uh, ahead of time.

And that's kind of, you know, I think we touch on that in a different episode

and being prepared for, for game day and having your, having your team on

the same page and, and knowing what to do when certain things happen.

Do you ever see, like, this is fascinating to me, by the way.

I haven't dealt a lot into the security side, so it's kind of cool and it reminds

me a lot of TV shows to some extent.

Uh, the question I had though is I know that you could try to stop an

attack early on, like you said, right?

If you detect it early on, you could probably stop it before harm comes.

But at the same time, if you don't know what they're after, isn't that also

kind of a downside because they might figure out a different attack vector to

come back back at you through, right.

So is that some of the risk trade-offs that happens at like a

business level that the business sort of needs to make that decision?

Absolutely.

And that's the, so there's, there's value in, in exactly what you said.

Um, you know, if I had, if I had a thousand things to protect.

And I only had a thousand dollars to protect them then without knowing

the value of all that stuff and what I really need to protect,

and I'm gonna give a dollar of a protection to all thousand things.

if business says out of these thousand things, 10 of them are the most

critical for us to maintain business operations and continue making money

and make sure the lights are on tomorrow, then I'm gonna reallocate.

Proportionately that a thousand dollars of security funding to

protect primarily these 10 things.

And then some, maybe, uh, diluted version of, you know, decent cyber

hygiene to the other, you know, 990, uh, because they are layers between

bad guys in the outside world and these 10 things that we care about.

So we need some tools and, and capabilities on those other 990 things.

But I'm gonna focus most of my, my resources on the,

the, the jewels, if you will.

Yeah.

and that's just part of what we would consider a business impact analysis.

Where's the, where's the critical stuff?

Well, the other part of that analysis would be what is the financial impact?

What is the business and operational impact if these things are infected

or, or compromised or unavailable?

Is that a thousand dollars an hour?

Is it a million dollars a day?

I.

How, and then how many, how fast do I have to to get things back up and running?

Because, you know, let's say we, we, we lose those 10 things to

ransomware and the bad guys want $7 million, uh, to help you recover that.

Well, the business could go, all right, so they want 7 million.

We've got 5 million in insurance.

Um, insurance says they'll cover it.

So we're out 2 million.

If we don't recover this within a week, we're out 10 million because

that's how much money we're gonna lose.

then the IT guys and, and all of our subject matter experts are telling me

that we can rebuild this whole thing for 10 million or maybe 9 million.

So do we do it on our own and invest in X, Y, Z?

Do we pay the bad guys who.

no guarantee there either.

or do we just suffer through it for a week and we're out X dollars while we

try to rebuild it and recover on our own?

So that's, that's the business side of ransomware and some of these

cyber breaches that it, and subject matter experts like my, we're just

giving business intelligence for them to then make the decision.

Paying the ransom should never be an IT decision.

I.

guy, the

Yeah,

said, we're not the one going.

Yeah, pay the ransom.

We're giving the business, the executive team, the information

they need to make that decision.

Yeah.

Sorry

agreed.

we went off on a tangent, but.

That's all right.

That's all right.

Um.

So, so, so let's, let me get a sort of what I, what I think would be an

interesting part of this episode.

Not saying this, this wasn't interesting, but a, a, a fascinating part is you,

you, you've seen a bunch of attacks.

What are some of the like, weird things that we're going on that ultimately, um.

You know, ended up being ransomware attacks, right?

It's like they see this weird thing going on, and then eventually what

they figured out was, oh, well, it's because we have ransomware.

because always what I hear, sorry Mike, before you continue, always what I hear

is like, oh, all of a sudden I couldn't access files because they were all

encrypted, or things like that, which is like way, I'm guessing further downstream.

Right?

And I'm sure you have a lot of interesting stories about, hey, this, this, or this.

Uh, you are right.

It, it, it's, it's usually never, uh, a phone call with someone saying, I was

in the middle of doing X, Y, and Z and all of a sudden I, I, things changed.

It's, it's rarely ever that.

And bad guys know this, so if, if bad guys tip their, their hand

when people are at the console,

the response to that is, is gonna be pretty immediate.

Right.

want, don't want that.

They want, they want your response to be delayed to some degree, hours, days.

they also want to be conscious and even considerate in some cases.

sure that you can, some to some degree have the ability to recover with minimal

impact because they want you to, they want to, they want to be your friend.

They want, Hey, I did this on a Friday.

So you've got the weekend to recover, and so if by Monday you decide to

pay the ransom, everything's fine.

Right?

So ransomware attacks usually trigger Thursday, Friday,

Yeah.

It's usually not in the middle of the day.

It's usually first thing in the morning or in the middle of the night.

it's when you come to work and you notice your computer's useless.

It's when the middle of the night, uh, your, your batch

processes, your batch jobs fail.

And they know that a lot of organizations, well, I'll just check

on it in the morning when I get there.

Right.

so they've had hours to, to de to plan and deploy their ransomware

to do as much damage as they can.

Uh, so there's that part.

And then Curtis asked about some of the things that we've seen and

we've seen, we've seen quite a, a few different interesting things.

Uh, and one of the things I'll touch on too is, uh, initially

you asked, well, how do we notice?

Notice these things?

How do we know if we have ransomware?

Well, you'll notice, uh, a small degradation in performance.

If you are watching a movie as an example, if you're streaming

something, you might see some glitches.

and you're like, that's weird.

I've got fiber to my house.

Why?

Why is it glitching?

well, it's not the internet.

It's, it's, it's the resources on your computer being consumed by other stuff.

So there's some symptomatic stuff that, that's observable.

Well, then on the, um.

Network behavior side, especially if you're a, uh,

a public sector entity, like a school district.

are information sharing and analysis centers called ISACs.

There's a multi-state There's, uh, the state of Texas has its own called DIR.

if you're in a specific sector like financial sector, there's

a finance, a finance isac.

There's one for healthcare credit unions.

Auto dealerships and they all monitor the organizations that belong to their isac.

And so in the state of Texas as an example, they might call a school district

and say, Hey, we are seeing ransomware traffic coming out of your network.

You need to

Hmm.

Just a heads up.

Well, and that's, that's pretty common.

Uh, the majority of.

The majority of notifications to the help desk about something weird going wrong,

going on is usually made by a third party.

It's just the way it's, uh, we're so focused on operations, uh, and, and

keeping the lights on and the fires out.

very rarely do we see these weird things.

And so those, those third parties, whether it's law enforcement or an ISAC or a

customer or somebody working from home, it's usually somebody else notifying

us that weird things are happening.

And so as ransomware progresses, uh, and there's different, and we

touched on this initially too, there's different types of ransomware attacks.

There's the type that attacks just you as a user.

Whether you're, you know, grandma at home or you're just working from home and

you've got this, this hybrid workstation where it's business and some personal

stuff, uh, or just business, but.

We're working from home as kind of as an individual, and so we get infected

outside of the, the normal organizational network, the corporate network.

We're, we're working off of a wifi at the library or a coffee shop or

at home, and so we don't have the same network perimeter protections

that we might have at, at, at work.

Well, those, those attacks focus primarily just on this laptop, this endpoint.

And it's, it's kind of a one dimensional attack.

You're not connected to anything else.

It's just gonna do what it does here, and there's something valuable that

you're willing to pay a ransom for.

Well, then the, the attacks at work on the corporate network, the organizational

network, are a bit different in that the bad guys want to do enough

reconnaissance first to see what they have access to, and then make that,

that ransomware, that infection as broad as possible all at the same time.

So in most cases, they will compromise an account, try to es elevate to a, an admin,

uh, or equivalent account power user.

find your domain controllers and then script a deployment package to put

malware on all your computers, all your endpoints, all at the same time

with a trigger to start infecting and encrypting all at the same time.

And so we had, we had one, uh, it was a, it was a pretty large company,

uh, headquartered in Dallas that has projects all over the country.

dollar projects, multimillion dollar projects.

And, um, they infected 2,800 machines all at the same time, within four hours.

Hmm.

So Friday morning, I

Wow.

think it kicked off at 4:00 AM And so by the time people

came to the corporate office.

machine, 80% of their environment was encrypted in four hours.

And they didn't notice anything before that the 2,800 machines were encrypted.

And even though this is a pretty large environment, they only

had three or four full-time.

IT staff, had a, an executive it.

I'm not sure if he was the CIO or director of what his title was.

Uh, but in this particular case, and then, you know, kind of working backwards, you,

you get the phone call, we need help, you show up, assess the current situation, and

you work backwards to how did this happen?

And we're, so we're starting to piece together, you know,

that was the domain controller.

You know, there was a script, there was all this stuff.

Well, how did they get to the domain controller?

Will they use this account?

Well, how'd they get that account?

And so you're working backwards to patient zero.

And it was actually the, uh, the backup administrator.

Uh, who,

backup Bob.

who, who had worked at this company forever and never taken a vacation

some three or four months ago, uh, while he was looking for vacation

stuff, got infected and they had

Hmm.

to his account for months while also watching him plan his vacation, which

then they lined up their attack with, so he left for vacation Wednesday night.

They, they conducted this attack, uh, Friday morning, and so we actually

were considering him as a suspect as part of this, uh, ransomware.

Right.

we started seeing, uh, several years ago threat actors have been propositioning

internal privileged users to help them their ransomware in exchange for a,

a percentage of the, the monies paid.

But in this

Yeah.

case, they, they had access through a, a network vulnerability,

um, several months prior.

Um, that, uh, um, additional access through the backup administrator account.

And then in this case, the business decided to pay the ransom because

they, these large multimillion dollar projects were at stake and they

wanted to make sure that they got their data back and could continue.

Uh, working on these things.

Uh, so they paid the ransom on a Monday and the very next day, the threat

actors, uh, messaged them back and said, you know, for another $80,000,

we promised to leave you alone.

And it was because they had, they had, you know, I talked about persistence.

Well, they knew that we were gonna clean all the ransomware off, but they

had also configured, um, two dormant back doors that would've allowed

them to regain access to the network.

At a future date.

Well, we had found those over the weekend and made sure everything

was, was clean and tight.

Um, no, no ability to get back in.

So we told them, you know, we told them not to pay the ransom

to begin with, but did it anyway.

And then the, the next day when they said, you know, you pay some more money, we,

we, we will promise to leave you alone.

We told them that we took care of all that and they didn't need to do it.

So.

So a, a question that I have, uh, Mike, is with all of these things,

especially during this reconnaissance phase, surely a good SEIM tool

Mm-Hmm.

see this stuff going on.

Right, and, and can detect it.

Surely that's the case.

Tell me, I'm, and I know that nobody installs them.

Right.

I understand that.

Like, it, it's a, it's an expense for that, that a lot

of companies don't install them and that, and it doesn't matter.

But my question is, what's that?

Or configure them properly.

Right?

Or they've configured 'em because they got too many false positives

and they've, they've ified it right.

You, you're, you're right.

Uh, and, but I think there's a misconception there, uh, that,

that these tools are too expensive.

They, they used to be very expensive.

And really it's, it's the labor that's the most expensive part.

And that's why working with a managed security service provider

is a much better approach.

you're not paying one for one labor, you're, you're paying a,

a disproportionate amount of, of labor because their labor is

spread across all their clients.

And so, SEIM products back in the day for sure, uh, and there were open, they're

still open source SEIM products, but, uh.

to, to you guys' point you, you've gotta configure those, uh, well then

if, if you're not in the, the sim, if you're not experienced in, in how

to configure a sim, then you could be missing the, the, the point there too.

You could be missing a lot.

So, back to the experience and expertise of an MSSP, uh, to do all that for you.

So I think there's a misconception about price.

Uh, I, it's very affordable.

today than more affordable than it have ever has been.

And whether the client wants to own the license or or not,

that's a different conversation.

But to your point, yes.

new next gen security incident and event management tools, sims, um, are

capable of identifying weird stuff.

Uh, and so our sim, as an example, does use, it's UEBA user

and event behavior analytics.

it uses machine learning to develop a behavioral baseline

by user, by asset, by network,

And so for example, if Curtis does something 10 times a day, or his machine

does, and tomorrow it does 10 or a thousand, get flagged as the behavioral

anomaly before whatever that activity is evolves into a security incident.

So if you got ransomware.

That new file or even a file that maybe it, it, it looks like it's, uh,

something that's been ed on your machine forever, but it starts doing something

that your machine isn't normally doing.

get, we'll see a flag for that and.

In our experience, we'll also be able to determine, well, is that behavior

consistent with symptoms of ransomware or, or some other type of malware?

and then we can get on the phone and talk about, well, what did

you just do or what have you done?

On that note too, uh, I mentioned how organizations are typically, how

they identify ransomware or malware.

One of them is.

You get a call at the help desk today that a user says, Hey, about two weeks

ago, I, it, it just kind of occurred to me, it's really been bothering me, but

about two weeks ago I did this thing and you know, it's really been bothering me.

So I just thought I'd tell you now.

happens quite a bit too.

And so when you start looking at that user's machine and, and their,

their email and yep, sure enough you clicked on ransomware and it's

somewhere in this environment now.

So now we gotta go track it down.

Uh.

Yeah, there's any number of things and a SEIM tool too, you can populate

with, for example, if, if, if Mike got ransomware and we can determine the

type of ransomware it is, we can then go do research on the, the, the, at

the characteristics of that ransomware.

I can now put that in the SEIM tool and it can look across your entire

environment for other, um, other occurrences of those things during, to

try and get ahead of the next infection.

Um.

But really SEIM is just part of the solution.

You've also have, you also have to have a good protection, anti-malware,

and those two things need to play well together the SEIM can identify the weird

stuff, but then it has to be capable of telling the anti-malware on the, the,

the computer what to quarantine and clean and, and do all this automatically

because I've been preaching this forever.

Response is the most important thing.

You're gonna get attacked, you're gonna get infected, it's gonna happen.

The only thing that's gonna save you, or at least mitigate the impact is how fast

you can identify it and respond to it.

Is

so

Is it.

making sure that your tech stack really plays well together so that your response

is, is as effective as it can be.

Is it too soon to bring up the C company, the company whose name starts with the C?

CrowdStrike.

Yeah.

It is not,

too soon.

it's not

I, I, well, I will say, well, we don't have, we don't have much

time left, but uh, if we can cover them quickly, I suppose.

so CrowdStrike's a great, uh, endpoint protection tool and it, it has some

really good capabilities as far as interacting with Sims as an example

where the SEIM says weird stuff.

Hey, CrowdStrike, go do this thing, clean that, that, uh, that machine.

But I think it's also an interesting time to add that those endpoint, uh, that, that

anti-malware stuff, that, that system, that, that software that's running on

your system, it's collecting all this contextual data that's then feeding up to

a SEIM and it's, it's the ability of that.

That software on the endpoint, that CrowdStrike as an example.

It's the, it's the, it's the ability of CrowdStrike to collect this good

contextual data then gonna allow the SEIM to, to build a good baseline

and, and really quickly determine where the deviations from normal are.

in a lot of cases, the sim.

Is gonna detect that behavioral anoma anomaly before CrowdStrike will,

because CrowdStrike is still kind of, is very rules based when this

and this and this and this happened.

That's a security problem.

CrowdStrike does really good at addressing security problems.

CrowdStrike does not currently do really good at saying, Hey, that's never

happened before, or That's happened a heck of a lot more often than it used to.

That's what the SEIM does.

But then the SEIM and the, and and CrowdStrike, as in this case,

have to play really well together.

So when the SEIM says That's weird, Hey, CrowdStrike.

Put a pause on that, put a pin in that, put it, put it in

quarantine, put it in timeout until we figure out what's going on.

And we see that a lot in, um, organizations, especially it

where we're rolling out updates.

We're installing new software or third party things like your

financial system or your dealer management software needs to update

something that the SEIM is gonna go.

No.

Oh, that's weird.

And you're gonna hear it from it or, or the end user going, Hey, my, my install

paused, or it didn't work, or whatever.

And Well, that's good.

It's, it's working the way it should.

Yeah.

Yep.

Yeah, it would've, it would've been nice if, if a, if a SEIM tool had

said, Hey, uh, uh, that file you just pushed out is zero length.

Uh, you might might wanna take a look at that.

right.

And so, well that's a whole other story and a whole other ball of wax.

But that's right.

yeah.

um.

In this case, it was an involuntary patch.

You, you didn't have a choice of, of not

Yeah.

installing

Yeah,

it, it, it messed things up.

But if you had a good incident response plan with a playbook that says when

these certain types of things happen, and they can be categoric things

like, my machine stopped working.

I've got this blue screen of death.

I don't know what to do with it.

Uh, well, there's a playbook for that

Throwing

we.

so, so if you're not.

and,

So if you're,

to call and, and here's where the, the extra machines are or the images

that we need to re, re-image machines with or whatever the case was.

We've thought through this and here's our playbook for it.

And that needs to be part of your incident response plan.

so basically not Delta Airlines apparently.

Yep.

Oh.

Uh,

But

anyway.

By, by the way, it's funny.

Yeah.

What was that?

credit, having a good virtual environment with your snapshots

and all those things that

Yeah,

that saved the other airlines,

yeah,

or, or in some cases, some of the airlines had different operating

system environments and all that too.

But the, the virtual

yeah.

able to, to, uh,

It was just,

snapshots

it was funny, I, I, last week I flew to Atlanta for, you know, the company that

I worked for and for the first time.

No one asked me, why didn't you fly Delta?

Well at.

Oh.

Anyway, well, well listen, we gotta finish up here.

Um, so what I'm, what I'm hearing from you is it does sound like a, a good SEIM

tool is, um, SEIM tool versus XDR tool.

Uh, just a quick thought there.

Um, you know, 'cause I know there's both.

so, SEIM is a little limited in, in its traditional ability.

It's a, it's traditional ability to ingest data.

So, uh, in SEIM tools typically don't have that automated response.

They call it soar.

The, the, the orchestration of automated response.

So SEIM tools, that's usually a bolt-on a third party or, or extra.

But SEIM also does just tra traditional SIS log and.

firewall log, you know, that kind of thing.

Open XDR or XDR, uh, XDR is better because it's, it's primarily,

it's, it's more of an open source approach, but XDR is that extra.

Well, now I can adjust, uh, cloud and third party tools and I OT devices and OT

device scada, uh, you know, smart stuff.

Um, so it's, it's the evolution of sim, um, not just in its ability,

but it's also, its its scope.

Uh, so in in cyber uh, ingestion, we talk about north,

south, east, and west traffic.

So North and south is in and out of your environment, and east and

west is, is within your environment.

And as we, as, as a lot of environments start to migrate, either, either totally

to the cloud or some hybrid on-premise cloud architecture, it's really

important to to, to have a, a platform that's capable of, of expanding with

you, uh, both in scope and capability.

And, uh, so our platform is actually an open XDR platform.

Um, it connects to just about anything that has a data, uh, a data feed.

Cool.

All right.

Well thank you again, um, Mike, for joining us.

As always, anytime happy to be here

Persona, I, I am still glad to see you alive and not decapitated or

or

any, um,

you were gonna make fun of me too.

I know that you were like, ah, excuses, excuses.

because again, normally this is me, not you that's doing the stupid stuff.

Um, why am I seeing the outlet box for my thing at least?

Did you, did you install this fan?

Nope.

Okay, well then, well you guys, because that would be me.

Yeah.

the one who installed the fan improperly 20 years ago, and

then the fan is coming down.

Um, and as I look at the air conditioner that I've installed up over there.

Um, all right, well, thanks again to our listeners.

We would be nothing without you.

Uh, that is a wrap.

The backup wrap up is written, recorded, and produced by me w Curtis Preston.

If you need backup or Dr.

Consulting content generation or expert witness work,

check out backup central.com.

You can also find links from my O'Reilly Books on the same website.

Remember, this is an independent podcast and any opinions that

you hear are those of the speaker and not necessarily an employer.

Thanks for listening.