I prefer a cloud-based system that will backup

the most important stuff for you.

Um,

I'll disagree with Curtis here

Okay,

I am.

here we go.

Right.

I agree that to some extent, yes.

SaaS based is good.

I just muted your microphone Prasanna.

Thanks, Curtis.

I've never done that.

That was fun.

Hi and welcome to Backup Central's Restore it All podcast.

I'm your host, W.

Curtis Preston.

AKA Mr.

Backup and have with me, my close personal friend, but a guy who's impossible to get

an actual date with Prasanna Malaiyandi.

How's it going Prasanna.

oh, Curtis, I'm good.

I know the fact that you came all the way up to Santa Clara to visit the office

and we didn't get a chance to meet.

And how many times has that happened?

Just saying,

We didn't.

No, no, no.

I think last time you came up, we did meet because remember we did the photo shoot.

okay.

All right.

That doesn't count.

The photo shoot doesn't count.

it does.

I think so.

And then the time before we met twice, so

I

think that I get to carry over one of those, but you were also

busy.

You were

still feeling a little butt hurt.

but you were also busy with

your

get a date with my friend, by the way, my

friend whose wife isn't even in town, like who, who took, who took

priority over hanging out with me?

What entity I want you to say publicly, what entity took

priority over, hanging out with me.

The dog.

The dog.

Yeah.

Yeah.

The dog, you had something to do with the dog.

And so that was more important than hanging out with me,

but whatever, I'm not hurt.

I'm clearly I'm

not hurt.

I love you.

whatever.

All right.

So our guest is like, what have I wandered into, uh, so,

Yeah.

so, uh, we actually have a, this is one of the

few times where I was on our guest's podcast, and now he's on my podcast.

Mark Shriner is the strategic sales director for a memo Q a leading

translation management system and host of the secure talk podcast,

which is how we came to meet.

I got to go over and talk about backups on his podcast, and then he got to come here.

He's now on my podcast to talk about security.

He graduated from Penn state university with a bachelor's degree

in liberal arts and sciences.

In 2022, he completed Harvard cyber security, managing risk in the

information age, diploma program.

welcome to the podcast Mark Shriner.

Thank you, Curtis.

And thank you persona.

It's a actually, I've had fun kind of watching you guys with the intro there.

You seem like an old married couple or something too,

We're an old, married couple that never sees each other.

I'm

right?

cause cause Prasanna lives in and you know what it is.

It's a Santa Clara Yeah.

He lives in Santa Clara.

I live in San Diego and you live a little bit farther north,

as I recall up in Seattle.

Yes.

Yes.

And I'm envious of both of your weather.

Um, I actually, to be honest with you, I just spent the last three months

traveling between Arizona, uh, St.

George, Utah, Las Vegas, and San Diego and Los Angeles all in that

area for three months for business and for some personal business.

And in three months we had like five cloudy, rainy days.

And I got back here at the beginning of may thinking like, Hey, it's

safe to come back to Seattle wrong.

W. Curtis Preston:

Yeah, it's funny to see.

W. Curtis Preston:

Seattle is one of those places where, when it is sunny, it is just one of

W. Curtis Preston:

the most beautiful places on earth.

W. Curtis Preston:

Right.

W. Curtis Preston:

I remember.

W. Curtis Preston:

And I think I told you on when I was on your podcast, that I did some

W. Curtis Preston:

work for Amazon back in 1998, I put in for the record, I put it in their

W. Curtis Preston:

first enterprise wide backup system.

W. Curtis Preston:

And, um, I was there in the summer.

W. Curtis Preston:

Right.

W. Curtis Preston:

And not a single cloudy day for three months.

W. Curtis Preston:

And it was like I said to them, you know, going up to Mount Rainier and going out on

W. Curtis Preston:

the sound and watching them throw the fish there it's a pike place market, of course,

W. Curtis Preston:

hanging out at the bubble gum wall.

W. Curtis Preston:

I'm just saying, I like, I like Seattle,

W. Curtis Preston:

the original Starbucks.

Yeah.

I went up for a trip, I think like four years ago around this time in may.

And like, the weather was gorgeous, like perfectly sunny.

And I was asking everyone, I was like, what are you guys complaining about?

The weather is gorgeous.

They're like, you just ended up being here on like the perfect week.

Yeah.

in contrast right now in Seattle or in San Diego, we are in the

middle of what we call may gray.

And then next, next month will be June loom.

Uh, this is the worst time of the year to actually visit San Diego.

I mean, you can get sunny days, but there will be, you know,

multiple days in a row where it's just a hundred percent overcast.

Is it, is it because of the fog that comes in

or is it just overcast and gray?

It's overcast and gray.

Um, it's not, it's not.

So the fog we call that the Marine layer, uh, the Marine layer generally

burns off after around nine or 10.

If you have, if you have a strong Marine layer and it's just weird because

there's no rain connected with it, it's just sort of gloomy, you know?

Um, and, uh, it just is what it is and, you know, and I

talk to people all the time.

They're like, yeah, yeah.

Um, and it, and it just.

Uh, people will come here.

So I thought you guys were sunny.

I'm like, you know, to tell you it's it's may gray man.

Welcome to

Whenever I've been in San Diego, it's always been sunny and I come

down there three or four times a year.

I'll be there twice, this summer for soccer, for my son's soccer tournaments.

Uh, but I love it.

So I I'm curious.

What drew you to cybersecurity?

Well, a couple of different things.

I think.

In 2017, we were moving back from a nine year stint in Asia, moving back to the

states and a good friend of mine, uh, had.

A company that would be with becoming a Microsoft

cybersecurity compliance partner.

Um, he was looking for some help on the business development side.

And, um, and I, and I started taking a look.

The more I researched, the more interested I became because, you know, cybersecurity

is something that can go a mile wide.

And, and, and then also a mile deep in any one of those things.

If you want to talk about, you know, pen testing, uh, backups, um,

encryption, different, you know, compliance organizations, you can

just go in so many, uh, data loss prevention, endpoint protection.

I mean, you can go so many different directions and then each one of those, you

can go down these super deep rabbit holes.

And I like learning.

The other thing I, that I find interesting about cybersecurity back then, and now is.

Before, I think we thought that this is the cybersecurity.

There was a couple of people in the back, in the corner of the it department that,

that their job is cybersecurity, but everybody in an organization needs to have

some type of awareness and responsibility for security, but beyond that.

Us as individuals and consumers, we need to be aware of some

security best practices.

And so it affects everybody's life.

And it's something that, you know, 30 years ago, nobody was talking

about because there was no internet.

And now it's hugely important with the internet, social media, everything.

I have three children.

And they need to know some best practices about, you know, what

does a phishing campaign look like or a phishing attack look like?

What w you know, how do they protect their passwords?

What should they shouldn't do with their, with their mobile devices, et cetera.

So it affects everybody.

And it's this, this like new field that was created partially based upon

the explosion of the internet in IOT.

So, um, I think we're just getting started in both in terms of understanding

the threat landscape, but also the, um, the best practices for prevention.

Does that make sense?

Do you see that a lot of this, I know it's an interesting point.

You made that it's rolling into consumers.

Like everyone has to start caring about this.

Like every day.

Do you start to find that that's actually happening or.

Or are people sort of like, yeah, that's just something that a company

has to worry about or a business has to worry about, or like this large CEO

has to worry about not necessarily.

Well, yeah, let me answer that by backing up even farther.

I think in companies right now, where it used to be the perception of the.

Part of the it teams or the, you know, the CISO's job there, is an a

growing or increasing awareness that it's everybody's responsibilities.

And so you'll have not only do you have like structured educational, um,

programs, but you'll have like simulated phishing campaigns and things like that.

So go enterprise wide.

And if you get the CEO and he clicks on the wrong thing and boom, guess

what you got to go to training you're in a you're you're doing timeout.

Um, and companies try to make that.

So in companies it's becoming, uh, I guess increasingly common for people to accept

that everybody has a responsibility.

If you find a thumb drive in the parking lot, don't just walk in and

stick it in your company's device.

Right.

You know, and, and, and sharing those stories, you know?

I remember growing up and listening to my, my grandparents, tell stories about this

accident, that accident, this person who did something good, did something bad.

And we learn from those stories.

And I think when we share these stories about hacks or, you know, the famous

story about somebody finding a thumb drive and then putting it in their device

and then, you know, downloading some malware inadvertently, we learn from

that and those stories are important.

So that's one method of, uh, or one, I guess, data point.

Come people in organizations are becoming increasingly where individuals I think

are also becoming extreme, increasingly aware, let's start off with high net worth

individuals, where they are very much in the sites of, um, targeted phishing,

spear, phishing campaigns, right?

And so there are certain tools and methods and processes out there to

help these people at least become aware of what's what the threat looks like.

But beyond that, I think, um, just the general public, you know, if

I look at my kids, they are pretty suspicious and kind of cynical and

almost jaded, uh, in terms of like, look at this, they'll show me stuff.

They're like, look at this, you know, it's just, and because

it's obviously it's a scam.

And so I think.

Um, people are becoming increasingly aware at the same time you still hear

of consumers every day, you know, for example, they're, they're, they're

transferring money to a title agency and somebody spoofs the, uh, the address,

uh, that w where they're supposed to they're there, the account information,

that kind of stuff is happening in.

So, um, yes and no, to answer your question, I think people are

becoming more aware, but there's, we have a long, long ways to go.

Yeah.

that there was a study back in 2016, uh, from the

university of Michigan where they left a series of USB drives that had,

that had an HTML in there that if you open up an HTML, it had an image tag.

So they were able to identify, um, how many people actually clicked on the thing.

What do you suppose the percentage was of the people that.

Well, you know, university of Michigan, that's a, that's what?

Big, big 10.

Uh, those guys probably I'm west coast, so I I'm, I'm afraid to guess.

W what was it?

It was half,

That was in what year?

uh, 20 16, 297 USB drives around the Urbana

champagne CA these are college kids.

These are,

At the one of the best universities in the country.

Wow.

They said they found that 48% of the drives are

picked up and plugged into a computer.

Some within minutes of being dropped.

yeah.

Well, Hopefully, hopefully the situation or the, the awareness is getting better.

I mean, I look at little things like, um, turning on MFA's or multi-factor

authentication two factor authentications for just any, any, obviously any bank

accounts, but any, any of your online, um, tools or apps, just turn it on,

you know, uh, it's a simple thing.

That's going to stop 99%.

But some people that, well, it's a hassle.

Yeah.

If you're, if your account gets compromised, then

that's going to be a hassle.

So.

Yeah.

I I've mentioned on this podcast a few times that I went from

being kind of an MFA newb, I don't know, four or five years ago to.

Slowly.

And then, and then it sorta, it was sort of a snowball situation.

Right.

I ended up rolling MFA anywhere it mattered.

Right.

Um, and the cause I have, oh Lord, I have like 800 accounts.

At, I'm not kidding.

I have a password manager, so I, you know, I can pull it up and see it.

And I have, uh, just, just hundreds and hundreds of

accounts at random places where

What are you doing, man?

Hey,

I just, well, it's just stuff.

Anyway.

Persona persona.

You going to tell me Curtis's into some shady stuff, man.

If he's got 800 accounts,

well, I just hope he talks about his experience with MFA.

Yeah.

Yeah.

So, and so I, I, don't my point, my point of mentioning how many accounts I have.

I don't have MFA on most of those.

Right.

Because they're just stuff where I don't, there's no information I'm just anyway,

but I did roll out MFA, uh, everywhere.

And I, I use Google authenticator and wherever I could, because of what I knew

about that using Google authenticator.

Uh, text-based MFA and, and by the way, I, I, I dunno, well, I'd like to come back to

that idea, but, but here's what happened.

Um, I got a new phone and I got locked out of all my accounts.

So, because I didn't know.

I didn't know what I didn't know.

And so I, um, I, when I re when I rolled that out again, uh, I switched to authy

as an app, which allows you to back up the stuff and try, you know, anyway.

Yeah.

So, um, I'm a huge fan of MFA.

And I, and I've mentioned before that, I went from kind of being

a newb to being very angry.

If there's a, if there's a company that I'm interacting with where

things matter and they don't have.

Uh, the authenticator style of, of, uh, MFA.

Prasanna you're, you're you're up on this stuff.

So here's, here's the thing I'm wondering if there's a company that offers

multiple methods of authentication.

Um, like my, my, my credit union, uh, they have my phone and, uh,

they, they use a, they have an authenticator method where you get,

uh, you get the little six digit code.

If you, uh, pull up their app on your phone.

I prefer that method.

I use that method whenever I can, but should I be bothered by the

fact that they also support SMS?

Like there's no way to disable the fact that they have

I would be a little worried just because the number of sort

of SIM swap attacks that are happening these days, like you hear it all the

time when it comes to crypto, right.

With all these acts where someone SIM swaps with someone else

gets the authenticator code, cleans out their wallet, right.

They're a Bitcoin wallet.

So I think it is common.

Right.

And even T-Mobile right.

Was accused of allowing a porting out of numbers as well.

Right.

That's another thing that can.

right.

So, so you, so you think I should be worried?

I don't know what I could do.

Yeah.

And it also depends to what extent, like some random person going after

you specifically Curtis, right.

I'm a big deal.

exactly.

Right.

But I think there are cases like if you're a high net worth user or even

you have sensitive data or things like that, that you care about.

Right.

That I think, yeah, you should be worried about even email, right.

Multi-factor authentication.

Sometimes it's worrisome as well.

Right.

It's things which you can't completely secure on a.

Yeah.

That's what I'm seeing that most of the organizations that I'm F MFA with, um,

offer an option could be, for example, a token that you have, um, uh, it could

be the authenticator app could be a text, could be an email and they offer

the consumer the choice at this point.

Uh, probably just trying to make it easy for somebody to opt in with something.

But there are obviously some that are more secure than others.

And I, I spoke earlier about the, the awareness of some consumers,

especially high net worth individuals, um, becoming more cyber aware.

And the specific attack that I was thinking about is SIM swapping.

And it's be, I, you know, I know a gentleman that's been,

um, SIM swapped three times.

You know, um, and it's, you know, he, he described it as he was on an airplane.

He got out the airplane, his phone wouldn't work.

Right.

And it is took him days to get back online.

It was maddening, scary, um, and primarily done through social engineering where

they contact the, the, the mobile carrier and convince them that they

are you and that you need a new SIM.

And it's just that.

Yeah.

They made it so easy to port numbers as well.

That that's also another common vector.

What does that mean to port a number?

Does that mean to change carriers?

To change carriers.

Okay.

And so basically instead of just doing a SIM swap,

they just pretend to be you and port your number to another carrier.

Wow.

Yeah.

That's not good.

These bad guys are really bad mint.

I think that's something we can all agree on.

Um, yeah, so, so like I have multiple accounts where, so like goo like Gmail.

Okay.

Gmail.

It's very specific on what authentication.

Systems that you use and you can disable ones that you

don't want to use specifically.

You can disable SMS authentication, but my credit union, uh, it supports all of them.

And I suppose the only way to disable SMS based authentication is to delete

my cell phone from the account.

But that's just weird,

But Change it to like a mobile number

or, sorry, to the home number,

right.

If your credit union allows you to say, is this a cell phone or.

Or a mo or a home number.

I'm sure if you select a home number, it won't send you SMS, but

a ho what's a home number

a landline a landline and old school.

Like, I, I know I've seen places where it's like, is this a home

number or is this a cell phone?

Interesting.

Uh, so, so I'm curious, mark, what do you, if you're, so I know, you know, as

a person dedicated to backup, there's, you know, I have sort of my top five

of like, these are things and by the way, on your podcast, the first, like

my biggest one, you and I talked about was the, the, the, the idea that cloud

stuff is automatically backed up.

Which it isn't.

Um, if somebody were to say, you know, what are the top five things that I need

to be concerned about, uh, as a, you know, either personally or, or it sounds

like personally you're thinking MFA,

All right.

I would say that's just a best practice personally or for, for companies

and companies have a little bit more sophisticated tools at their disposal,

so they can push an MFA depending on, you know, the user behavior.

Are they logging in from.

A new location.

Are they logging in from another country?

Is there some kind of, some kind of anomalous behavior, this, you know,

mark never accesses these files now he's downloading gigs, downloading

gigabytes of finance records.

Uh, I think we're gonna force an MFA on that.

Right.

Um, so I think MFA is kind of a foundational thing, uh, for

individuals or organizations.

I think some other best practices for, for individuals again, would be backup to

ensure that your information is backed up.

I don't know if you guys have seen these, uh, Mr.

Backup gives me a thumbs up

I'm very, very excited

thumbs up from Mr.

Very excited

Backup.

Yeah.

Um, the, you know, you have, you guys get these emails that say, Hey, you know, I'm

sorry to tell you, but I've been spying on you for the last couple of months.

And, uh, you know, and if you don't send this money to whatever, I'm

going to release this stuff, this, you know, this thing of you going

into these inappropriate websites and they send these emails out to.

Thousands of people and some people, cause they know that some people will

be like, oh my God, I should pay this.

Right.

Well, you should, you should.

For one, if you get that email.

Delete it, I don't care what sites you've been going through.

It's just a, they're just phishing.

Um, and too, if you've got your stuff backed up, you don't have to worry

about anybody encrypting anything.

Now, if they're going to release stuff, that is another thing from

malware is if they take your records, even though you've backed them up.

If they're going to release something that you don't want released to the

public, that's a whole nother discussion, but definitely you should back up,

um, antivirus, running an antivirus is, is, is, you know, super important.

Um, what else?

As a, as a consumer.

Just being aware and pausing.

When you see something that looks a little off any time somebody says, Hey,

um, there's a problem with your account.

We need you to log in and can now just stop or, oh, your, your order for $15,000

from Amazon is on its way, you know?

And you're like freaking out, dude, just, yeah.

Like if you didn't expect it don't click it.

Exactly.

That's a, that's a perfect way to say it.

I like that.

Didn't expect it.

Don't click it.

And I mean, you know, obviously you can, you can, you know, cause you can look at

the, uh, the sender's real, real address and see, is this something real read?

It is a lot of this stuff, you know, they've got shoddy grammar, you know,

fuzzy images, but people get worked up.

I mean, yes, but I'm sure you've seen the ones where you get an email from the CEO.

Hey mark.

I need you to run out and buy 50 gift cards for target and send, you know,

Uh, it's happened to one of my boys, uh, who was working as an internship for the

cybersecurity committee that I was working with before, which the is Adaquest the CEO

of Adaquest, his name is Hiram Machado.

And, um, it was like my son's third day into his internship.

And he got an email saying, Hey, um, you know, Makai.

I need you to run out and buy, um, $500 worth of gift cards from target.

And I need you to, once you have that, just let me know, and I'll

tell you what we're going to do with them, but I need this for this

event we're doing this afternoon.

And so Makai again, again, telling you the kids are getting smarter these days.

Hopefully not the ones in university of Michigan, I guess that was 2016.

Um, he emailed me and he goes, what should I do with that?

And I said, send it.

I said, we're going to use this as a case study in a learning

example, don't do anything with it.

You know?

Um, but yeah, I don't.

What, what advice would you guys give.

Uh, I mean that stuff's all all good.

I think, um, the, you know, you talked about hovering

over the site to see the site.

What I generally say is if you get an unexpected communication from

somebody you actually do business with.

Right?

Because I get stuff like that.

My Citibank card has been compromised.

I'm like I haven't had a Citibank card in like 20 years.

So I think I'm pretty good, but I get, um, I I've gotten phished

from like PayPal, um, you know, stuff like that or not from PayPal.

You know, as

Pretend people pretending to be PayPal.

Yeah.

pretending to be PayPal, um, is if you

are actually concerned, if it sounds like something that, that

might be real, go to paypal.com.

Don't interact in any way with that email, go to PayPal.com or contact

PayPal's phone number, not anything listed in that, in that email.

Um, would, it's interesting though.

There are times when I, in fact, just a couple of days ago.

I got contacted by a company that I do business with.

And there was a credit card company and they, they were like, you

know, we're such and such from such and such credit card company.

And we want to call to verify charges.

And I'm like, well, how about I freaking verify you?

Like, you're just random nude

Show me your badge.

show, you know, they will, well, we want to authenticate.

We want to authenticate you.

Uh, before we talk to you about account, I'm like, well, how do I authenticate you?

Like, why do you people still think this is like Lee?

I will call.

Thank you.

Thank you for calling.

I will call the 800 number on and by the way, it was a real thing.

Um, I will call the 800 number on my credit card and I will ask for the

fraud department and it was real thing.

Th that that's annoying that that happens, right.

Uh, because that is a, that is a phishing way, right?

Um, yeah.

I mean, in, in people, people think that, um, all cyber

attacks are through email or somehow somebody is getting into your network.

Some of them are just a phone call.

Uh, you know, I've, I've been called by.

The IRS, the texts, whatever.

And yeah, this Mr.

Shriner.

Yes.

We have an urgent matter that we need to talk to you about.

Um, uh, really, and I, I, sometimes I just like, well, where's this gonna go?

Cause I know at one point they're going to ask me for social security

date of birth, blah, blah, blah.

I'm like, okay.

Yeah, yeah.

What's going on?

They're like, well, uh, before we can go any further, we

need to get some information.

And typically the smart ones, they won't go right to social security.

But just say like, they'll say, like, I just want to confirm that

your name is blah, blah, blah.

They got your name.

Right.

I'm like, yeah, that's me and that you're living at.

Yeah, yeah.

Yeah.

And so now I'm starting to respond to them.

Right.

And then as sooner or later they're like, okay.

And then, so, um, can we give us the year of your date of birth, you know,

and you're like, and, and, and they just start to the good ones, start to tease

it out of you because they're not gonna, if they come in first, first thing to

ask you is social security people like.

But you down there and then, you know, they build a rapport and that's,

that's what they're all looking for.

Yeah, it feels like they have that information already.

So it's like, okay, what's this one more piece of information.

we're doing, we're doing it.

Just to verify that we're talking to the right person,

Exactly.

Well, and it's funny.

Cause I remember when my dad retired, like he'd always get all these calls from.

Scammers or salespeople.

Right.

And I'd be like, you guys should just chat with them.

It's like, what do you have to lose?

Just don't give them any information.

But at least you're

You retired, they're willing to talk to you,

And at least you're saving someone

else from having to get a call.

Right.

So,

right?

Don't click on the emails.

Like just, just again, if you think it's actually from

PayPal, then go to paypal.com.

Not anything with that.

Go

and one of the points mark made earlier

around social engineering, I think people also just, it should just

be careful what they post online.

Right.

If you're like putting Facebook messages or tweets, right.

Hey, we're leaving tomorrow for a three week

vacation to The Bahamas, you know?

Yeah.

Sorry.

I'm.

no, no, no, no.

That's totally the case.

Right.

Or it's like, oh yeah.

Or you start inadvertently being like, Hey, it's my birthday.

Or it's like, oh, my mother is so and so right.

And, or a favorite dog's name.

Right.

And all the rest of this and people can take that information and they

could use it for social engineering to extract other information from you.

I know, I know what your favorite dog's name is.

Well, I, because he was more important than me.

I'm sorry, I I'm going to let it go.

you a

I think he's, he's really hurt, man.

He's damaged, man.

I went to il fornaio without you.

That's some really good food.

Um, yeah.

So what about, what about companies?

So we talked about, we talking about have MFA, so there's

two ways to talk about MFA.

You should, as a company, be offering MFA when people are interacting

with your service online, right.

Uh, and then you should, as a company, I like what you were talking about earlier.

Um, cause obviously, um, by the way, I haven't thrown out our,

our disclaimer, so Prasanna and I work for different companies.

I work for Druva, he works for Zoom and this is not a podcast of either company

and the opinions here are all ours.

And, um, be sure to rate us by the way, at a ratethispodcast.com/restore.

And then, um, you know, if you want to come on.

You know, listen to me, complain to Prasanna yourself life.

Um you do that

We

that, just it just @wcpreston it on

Twitter or wcurtispreston@gmail.

So, um, yeah, so, you know, with Druva, for example, you know, we've

supported, uh, third-party MFA for awhile, and now we support native MFA.

Uh, if you're a company.

If you're a cloud company, or if you're a company that has, that has information

that is important like that, and people are logging into your system without MFA.

Then bad, bad company.

And, and, and, and it should also not be SMS based authentication you should

offer, um, you know, authenticator method and, um, uh, and I'm gonna throw

out, I'm going to throw out, please.

Don't be a, website that is hard to use a password manager with, right.

Don't be complaining about one or two of the character.

The special characters that my password manager came up with, or I had, I

had one this week that complained.

They're like, Hey man, your password's too long.

It was 20 characters.

And they said, you can use a maximum 17 characters and I'm like, you suck.

Yeah, 17.

Um, and, uh, the, uh, So based on that, I no longer interact with the IRS.

I'm not.

But I also want to go back to a point mark

made earlier, which was that MFA.

I don't think solves everything.

You still need those, especially as a business, you still need those other

things to look for anomalies, right?

For look, to look at the behavior of the user because MFA will protect

you to a certain extent, but it's not the only line of defense.

Oh, yeah.

I mean, at, at the corporate level again, The complexity of the problem

and the P the, the complexity of the solutions available are much

greater, um, at the corporate level.

I mean, you, you have things like, um, device management, for example, and

these days everybody wants to BYOD, uh, but you also have corporate devices.

And, but on my B my own device, I'm going to have access to company apps and data.

How does the company manage that?

Well, there's mobile device management tools out there that

can, if I lose my phone, I can tell the company, Hey, I lost my phone.

They can remote wipe their data.

Um, you know, they can do remote backups, all of that stuff.

They can, they can check for anamolous behavior on a phone.

Mark just logged in from Bellevue, but, but he's also logging in from romania.

Hmm.

Something's wrong here.

Right?

So, uh, yeah, I mean all that stuff and it's, you know, depending on the size

and the shape of the organization, it can be, you have SEIMs to, to monitor all

types of activity to collect your logs.

Um, so that's, again, it comes back to that original point of why

cybersecurity, cause it's such a broad field and there's so many different.

It's constantly evolving.

It's it's pretty cool.

Yeah.

Um, I, I'm curious what you think about, so one of the things I'm pushing

outside of the backup space, one of the things that I'm pushing people to

do or companies to do is to look into a couple of different types of tools.

One is we've we've had, we had somebody on here from a

company that does a DDI, right?

So what, what did we decide that was DNS DHCP?

And IPAM.

Yeah.

Um, and so th that, those one group of tools, which is like,

they can do things of like, why is somebody going to this really?

Why is, why is something looking at a DNS address that is a.

You know, a DNS name that is, that is like 57 characters long,

and it doesn't make any sense.

Right.

That, that is, that is a, you know, a, um, uh,

ransomware thing, reaching out for command and control.

Um, that's number one and number two, the type of software or system or

whatever that can identify data leaks.

Right?

So that, so that you it's like, there's a general level of outgoing.

Uh, you know, traffic and then suddenly there's this giant

spike from Fred's desktop.

And Fred's no longer in the company.

And the company exactly.

Fred's on vacation.

Cause he posted on Facebook that he's in Maui this week.

Um, and you know, his laptops doing that.

What do you think about those two types of tools?

I think, uh, depending on the situation, I mean, it's,

every tool has its appropriate usage.

And I think for, for most companies, both of those make sense.

Um, I mean, for both those tools make sense for a lot of companies

and organizations out there.

Um, and I guess the question, I mean, I, again, I'm not technical more at

the kind of higher level understanding what the, trying to understand, what

the problems are putting together.

Some solutions.

One of the challenges is, is that you have so many different

vendors of so many different tools.

And so do you look for these custom bespoke kind of solutions and tools,

or do you, do you work with a platform provider, for example, Microsoft

365 has a lot of DLP tools in there.

They have, uh, advanced threat protection.

Um, they have antivirus, you know, uh, anomaly detection,

all of that's built in there.

Um, so do you, and then device management as well.

Or do you say no, we don't want to put all of our eggs in the Microsoft basket

and we want to go for best in breed.

And I don't know.

I mean, you know, Prasanna, like at, I don't know how much you can talk about

at Zoom, but like, you know, how do you guys decide, you know, what kind of a tool

are you going to go with a, an integrated approach or do you look for best in breed?

So I can't talk specifically about

Zoom, but in general, right?

I think it's going to come down to.

The need for a tool, as well as the expertise.

If I'm looking at sort of small, medium businesses where maybe they

don't have specialized it admins, we face the same thing in backup as well.

Right?

There is no one who could go learn everything and

anything about security tools.

And so you're going to probably want a single tool that allows

you to solve everything.

Just like in backup.

You sort of have those issues as well, but once you get to larger

companies, or if you have specialized problems, you might start to.

Uh, rollout into, okay.

I now need a specialized tool, a best of breed tool because I have this special

need, or I now have the skillsets to be able to address some of these issues.

And therefore I'm going to pick different tools based on my needs.

And I think it's sort of hard to say one is better than another.

I think it depends on where you are and what your needs are.

Yeah, I would, I would agree.

I mean, and not just because I work for a SaaS company, but I would agree that

where, where there's a big business need, that you have such as email,

clearly a business need a need that every business has, um, that, that if a

SaaS solution is available and it's a, it's a well-known respected et cetera

solution that you can vet out then.

Uh, from a security basis, I would prefer that over something that you're going

to, let's say I would prefer Microsoft 365 over Exchange on prem in a heartbeat.

Exchange on prem is harder to secure.

It's harder to manage.

So you've got to manage the system.

You've got to manage the storage and then you got to manage the backup of that.

And then you gotta make sure that backup gets off site.

All of that is easier if you have Microsoft 365.

Right.

Um, now you should be backing it up, right?

Microsoft is not backing it up for you.

That was what you and I talked on your podcast, but there are services,

that will back up, obviously Druva offers one, but there are many

companies that backup Microsoft 365.

And so I, I think from a security basis, as long as you vet the security vendor,

Um, you know, look at, look for things like MFA, look for things like, um, you

know, what their, what their NDA situation is to cut the type of data that they

have, whether or not they share personal information, uh, cause some, so many

of these SaaS vendors, that's actually their, um, that's their business model

is they're they're, they're either cheap or, free, and they make, you know, their

money with using your personal data.

That's that's, uh, that's not what I'm recommending.

No.

Um, it's interesting.

You know, when you talk about, um, tool selection, I think another factor should

be, do you have the in-house expertise?

Uh, and if you don't, how accessible is it on the market?

Because right now, depending on what tool you're trying to deploy,

uh, it could be very challenging.

I mean, you can, you can get a great deal and that's interesting, cause it would

be what people will start talking about.

Well, how much is this per seat or per license and, and.

One of the things that you have to look at is what are your

deployment costs going to be?

And then what are your ongoing maintenance costs going to be in terms

of the, the expertise to manage that?

And that's, that's something that often doesn't come into play until after the,

you know, they, they, they focus on the technology, um, or the vendor, but not

on the total cost of the deployment.

And, uh, I would encourage everybody to do that.

Yeah.

also along with the deployment, it's how flexible is it to change

as your environment changes as well?

I think some in some tools are very static.

It's easy to deploy the first time, but anytime you add a new app or

a new environment or something else, it becomes very difficult.

Right.

Or it's time consuming to get it, to expand to now cover that new

workload, versus maybe it's better to get something that might be a little

bit more complex for the initial deployment, but like you said, ongoing

maintenance, ongoing monitoring, right.

All the rest of that becomes a lot easier.

Yeah, that that's, I think that's why from a

security basis, I'm a big fan of SaaS apps because you know, you

look at again in the backup space.

If you're, if you're using an on-prem backup software, you must be up to date,

right, on what, you know, you, you have both a, a box, maybe multiple boxes that

are, you know, you might have a server, you might have a storage array and a.

That, that you must be up to date on that operating system and protecting

that operation, securing it, doing all of those things, uh, hope you have

MFA on that backup server, by the way.

And then, and then you've got the software, the backup software that

you have to stay up on and people are notoriously very bad at upgrading

their backup software that, uh, the, we, you know, we brought a guy over

from Veritas and he told us that their best guess was that the average

time that customers took to upgrade their backup software was 18 months.

If it works, don't touch it.

People are terrified of upgrading their

backup, their backup server.

Right.

Cause it's the last line of defense, but the problem is back up.

The problem is that ransomware folks, uh, specifically the Conti group are

specifically targeting backup servers.

And so not only is it, um, You know, something that,

that needs to be protected.

It is a, you know, it is a direct attack point, right.

So, um,

I'm curious because we touched on consumers before.

Uh, what are your recommendations or suggestions for just individuals,

um, to, in terms of backing up their, their personal data.

Uh, you know, I'm going to sound like a broken

record, but SaaS backup, man.

Uh, there are, there are SaaS backup Druva's not one of them.

There are SaaS backup companies that target consumers and you're, you

know, you're looking at like, Like 50 bucks a year, that sort of thing.

Um, I, you know, I, I, I pay more than I would like to back up my iPhone,

like I pay for paid for iCloud.

So that's, you know, there's that, uh, but, but there are a number

of services that will back up.

What's important to you.

Um, and specifically if, if you've got a, if you've got a laptop, right.

Uh, and, and let's be honest, you got a laptop.

Uh it's.

It's not that hard to get that laptop backed up.

I am not a fan of using uh, USB devices to backup the laptop.

I know it works.

The problem is that that USB devices generally sitting right next to, or in

the same bag that the laptop itself is.

You get a theft, there goes your backup.

You get a fire that goes your backup.

Right.

So I much prefer for the same reasons for the companies.

I prefer a cloud-based system that will backup the most important stuff for you.

Um,

I'll disagree with Curtis here

Okay,

I am.

here we go.

Right.

I agree that to some extent, yes.

SaaS based is good.

I just muted your microphone Prasanna.

Thanks, Curtis.

I've never done that.

That was fun.

I agree that there are certain things that you do, you will,

you want to use a SaaS based service for.

But if you're not willing to shell out, or if you don't think you really need

it, take at least what's there with your existing, uh, laptop, for instance.

Like if you have Time Machine, I know Curtis, we've had the discussion

about Time Machine in the past.

You're not as thrilled about it, but if you do have a mechanism, use that

mechanism rather than have nothing.

Right.

I'd rather have someone use something rather than being like, oh, do I want

to pay $50 a year or whatever it is?

Yes.

Those are better solutions, but take what you have and just do something.

Yeah, I'm not going to disagree with that.

Uh, I mean the only thing I will say is that hard drive that

you, if you have the hard drive already, I'm not saying it's bad.

I'm just saying you just need to think about the fact that, um, that hard drive

is, you know, it's so do things like rotate, but the problem is you go buy.

You go buy a modern hard drive.

To, to, you know, to back up your, your system.

Well, that's going to be a hundred bucks plus, right.

That's a couple of years of the service that I'm talking about.

So just saying, just saying, um, so anyway, what,

thought, I think the big thing is just do something.

Don't do nothing.

Yeah,

I think we're saying that for, I think

that's our summary statement.

Maybe we'll make that the pilot title of the podcast just do something.

kind of like the Nike thing, but, but just, just

put, just change it to something.

Do do something it's not as inspiring as it, but something,

I like it.

Hey, I gotta ask you guys something.

Um, you know, cause you asked me earlier.

Uh, so, uh, how did your, uh, the idea to do a podcast come about

and you know, and your friendship and you know, how did that work?

Um, I dunno, I, I got, I got the idea of

doing a podcast after being.

After going from like, not believing in podcasts.

Like I didn't, I didn't get it.

Like, I didn't understand why anybody would do a podcast.

And then I, and then I started listening to podcasts.

I, I got in a situation where they were valuable to me as a person.

Then I was like, you know, I talk a lot.

Maybe this would be something to do.

And so, uh, and then I encountered Prasanna in the office.

He used to work at Druva.

That's how, that's where I met him.

And, uh, I went up to him.

And, uh, uh, I proposed the idea of us doing a podcast together

because I thought that we had a, you know, a decent interaction and

Prasanna just jumped at the chance.

Didn't you Prasanna?

I was like, what are we going to talk about for 20 minutes?

I have nothing to talk about at all.

I don't know what you're talking about.

yeah, yeah, yeah.

It very quickly

So wait, when did, when did you guys launch

it?

About three years ago.

I got to say that I feel, um, extremely uncredentialed,

um, because I'm looking at Curtis's background and he's he's got diplomas

or certificates or something.

At least he's got books there.

yeah.

That's my book right there.

Oh, it's your book.

Little product placement there on the shoulder.

All right.

just a little bit.

I mean, it's a very small, so it's not that good of a product

placement, but, uh, yeah.

Subliminal.

Subliminal.

Yeah.

So, yeah.

Um, so, uh, all right.

Well, well, thanks a lot, mark, for coming on the podcast.

This has been awesome.

I don't get a chance to be on too many other podcasts other than my own.

And, um, I've really, really enjoyed this.

You guys are awesome and funny and obviously very, um, deep subject

matter experts in this area.

So I've enjoyed it.

and I, and, and unlike being on your

podcast, you can now just leave.

Yeah.

See you guys.

I'm out of here.

What are you going to get this edited?

Curtis?

What is he gonna go online, man?

I mean, come on man.

It's already Thursday.

Exactly.

Thanks Prasanna, you know, it's, you know, even though you ditched me

I'm sorry

Curtis

know,

I'm sorry, I disagreed with you

about SaaS, but yeah, do

yeah, whatever, whatever.

All right.

And thanks to the listeners, make sure to subscribe so that you can restore it all.