This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey, Jim. Hey, Jeff, how are you? Not so bad. Yourself? Good. I'm trying to hold back my giggles because what I wanted to say was I was surprised you showed up for the podcast today and you don't have the new Apple Vision Pro on your face. That's what I was expecting, man.
I have one on order. It will arrive in three to four weeks. Allegedly. We'll see. I'm curious. I've read, I've probably watched every video, you know, review. I'm cautiously optimistic. I've got to be honest, it's going to have to really blow me away for me to part with $3400 for this thing on my face, but it looks really cool.
Yeah, right. I can see you sitting at Chili's, having your chips and queso, wearing your headset and looking all over the place, maybe getting some work done. I mean, you are the early adopter of early adopters. I am an early adopter, but it's more like in secret. I don't want to be like that guy out there wearing Vision Pro skating around New York City like Casey Neistat from YouTube or anything like that. I'm more of a subtle kind of
early adopter. At home I'll nerd out all day long, but in public I try to keep it to a minimum. I'm enough of a nerd. I don't need to amplify it any more than I already am. So what I wanted to ask you about early adoptership, does that carry over into your IAM life? In other words, are you an early adopter of IAM technology? Like if you think ITDR is like it, are you in? And are you an early adopter of vendors? So in other words, maybe there's a dominant vendor or two.
Do you consider the ones that are not the dominant? Or maybe they're new? Or you don't have a whole lot of reference points? Yeah. And it's a really good question. I would say no, I'm not typically an early adopter. I think I approach it a little more pragmatically. I have to separate my thought that, oh, that's a really cool piece of technology, I really like that, from the business side of my brain. That is, does it make sense? You know, what does it
cost? How does this fit into my current stack of technologies? I have to separate that from the boy, that's really cool. So I would say I'm not an early adopter in the real world when it comes to identity, but it's not because I don't appreciate the technologies. It's more of a fiscally responsible thing, saying, OK, great, if I had an unlimited budget, sure, I'd throw stuff in all the time. I don't. Most people don't.
There's limited time, limited resources, and there's just not enough time in the world to try and keep up with every single technology that's out there. Some I think are better than others, or at least get more media, like ITDR has been hot for the last couple of years. Yeah, I think if you've got, you know, everything else solved, it seems to be like a natural evolution to go that way. What do you think?
Well, I think when it comes to new technology, well, first off, I just think it's like a personality trait. I lean toward being more conservative. I think both of my grandfathers were accountants, right? And accountants are about as conservative as you can get. I spent most of my career working in more conservative organizations. But since I've been in consulting, which is over a decade now, I've seen a lot of technologies come and go.
I've also seen where certain technologies, when they hit, they just hit and address a problem that the industry has. So I think, oddly enough, in my old age, I think I lean more toward being a little more experimental with new technologies. When it comes to new vendors, I feel like you've got to be a little more adventurous. You have to look at those mainline, like, you know the saying, nobody got fired for choosing IBM. I don't buy into statements like that.
But at the same time, and not to rail against them, I kind of think like, OK, you need to look at that quote-unquote IBM, but you also need to look at some of the up-and-comers. So I think if you are an earlier adopter, you can get in at a better price position, you can do things for your organization, you can use your logo for clout in terms of becoming more or
less a premier customer. Whereas with some of those flagship products, the, you know, entrenched vendor, your logo may not provide as much value to them. I mean, obviously depending on your organization. It surprises me a little bit. I guess only for, do you have money that you're carrying around for the just in case you find something cool on the shelf at the Best Buy of Identity? Yeah, right. I don't know many organizations that do. I mean, some do, right.
And that's great. I just, it's interesting that we're a little bit opposite in that regard. Like I'm not afraid to go all in with it if I have the money to do it, but I generally don't have the money or the resources. I feel like I'm in the majority in this case. Yeah, you're probably in the majority, but you also say something, somebody that's kind of like one of those flagship products now, SailPoint, they were the young up-and-comer at one point, right.
Enough people had to kind of buy into that story, and that's what they leveraged growing up. Now if you're one of those early ones in, those are probably still the customers that have influence, that know the executives at the top of the organization. I can't say that they're bossing them around or anything, but they're getting a lot more respect than they would get if they were just buying it now. Yeah, I can see that you get to
wield a little more influence. I wonder if there's a little bit of a back in my day, you know, X product cost $20 and now it's like, you know, $400, or like, where did all this price increase come from? Yeah, exactly. So I think we should mention conferences. You know, we've got Identity Week America, I guess that's the summer, but you really need to be planning for these things in advance.
So Identity Week Europe in Amsterdam, June 11th and 12th; Identity Week America, which you and I are going to play an active part in personally, that's going to be in DC September 11th and 12th; and then Identity Week Asia in Singapore, October 22nd and 23rd. And our listeners get 30% off of these with the IDAC30 conference, or I'm sorry, discount code. Yeah, it's a pretty sweet deal, that conference code or discount
code. And you've got me saying it now. It works for all of the conferences around the world. So whether you're going to Europe, America, Asia, IDAC30, 30% off. Very cool. I was at last year's. We talked about it on the last episode. I'm looking forward to it again this year. I think, like you said, we'll be active participants. I think I'm going to host a panel again of some sort.
Last year's was awesome, so we had like a real who's who of identity, and I'm looking forward to doing something somewhere. And of course we'll be doing podcasty things while we're there that are still to be determined. I think that's one of my favorite parts about doing the podcast overall is just, you know, being part of the conference circuit, bringing the conference to people who can't be there, interacting with people who are there and bringing that to the podcast community.
I just think the whole thing is really, I don't know, I feel like we're providing a service to the community, if you will. The man on the street, the man in the field. You should get like one of those reporter flak jackets. They have PRESS on the front, and like a helmet, and then go into Identiverse or Identity Week America or something like that with an old
microphone. Yeah. Oh, you're not supposed to. If you're in a war zone like that, you're not supposed to shoot the person with that jacket on. So you're safe. That's why you need the big PRESS logo, like on your chest and on your back, so people know. Yeah, absolutely. So what are we going to talk about today? We're going to talk about the role of a security operations center, or a SOC as it's commonly referred to, when it comes to identity security.
So I think this is an area that we really haven't touched on yet on the podcast. I think people have probably heard about it, but they're not really sure maybe what it is or what goes on in there. As Jim might say, what would you say you do here, when it comes to a SOC perspective? So we're very fortunate that we actually have experts that we work with every day as part of our RSM team. So I want to welcome, from the RSM managed security practice,
first up, we've got Steve Kane, Managing Director. Welcome to the show, Steve. Thank you, guys. Thank you. And we've also got Todd Willoughby. He's a director with the same practice. Welcome to the show, Todd. Glad to be here, guys. So before we get started, I'm going to ask a bunch of questions around this, and we kind of want to build expertise and knowledge in this.
But before we do that, I always like to hear origin stories of how people got into infosec and identity and just things at large. Steve, we'll start with you. How did you get into the infosec space? I guess, when did you realize you were in the infosec space? Sometimes that's a question too. Well, it's actually a really good question because sometimes you end up there and you don't even realize that you were headed down that path. For me it really started about 25 years ago.
I have always been an IT person at heart. You know, when I was younger I was always the go-to person in the family to go figure out things, computers obviously being newer back in my day; it was always an interesting dilemma and conversation with friends and family. But I started in IT really at a healthcare facility.
So we were in an elder care situation where I was working at the help desk and I was fielding all the calls initially, and that kind of grew into understanding more about applications, about how health systems work, and from there I ended up moving in the direction of financial services. So I ended up at a large regional banking provider where I ultimately was responsible for managing all of the application technology components, software updates and security updates.
We had to deal with a lot of audits and everything else, so security really started to come into focus at that point. Then I moved back into the healthcare space, which is really where I have a, yes, personal passion. So from there I was responsible for not only the IT components of several hospitals, but also I was the HIPAA Privacy and HIPAA Security Director for those facilities.
So before I knew it, security was part of everything that I was doing, and then subsequently I ended up for the last 15 years managing clients and SOCs and growing business, etcetera. So here I am now, you know, helping RSM kind of grow into that space as well. And really, it's ever changing, ever evolving and constantly keeps you on your toes.
I bet. I think one of those things is, do you consider yourself an infosec person now at this point with your experience, and kind of grown into that, or do you still see yourself as like a specialist in a certain area? I have to consider myself an infosec person with this many years in one discipline like that. But you never really forget the roots. You still want to tinker around every now and then on some, you know, home equipment, or friends or family that might have stuff
laying around. Or if you happen to get extra time working on something, you know, within your organization where there's test environments and stuff, so you still want to work things and actually be hands on keyboard and be the intelligent hands like that, more so than just monitoring, doing incident response activities, etcetera. So definitely more of an infosec person than an IT person at this point, but you never forget your roots.
Todd, how about yourself? How did you get into this space? That's a long story. I'll try to give you the abridged version. But much like Steve, you know, I started working at an ADSL help desk in college. It's pretty old technology but still out there. It exists, for a large DSL
provider. And then from there I went from, you know, it's not, you know, pay your bill or turn off your router or turn it back on again type of deal, literally that, to doing acceptable use policy violations and helping fulfill subpoenas and warrants from local law enforcement agencies for people doing nefarious things, you know, with our services at the ISP at that time.
And then from there I went into a large early stage of my career doing government contracting, mainly around computer network defense for various government agencies, the Army, the Navy, working intelligence as well there too. And then where I met Steve all these years ago. Steve and I have been together for a long time, almost a decade now. And, you know, we were at a large Big Four and Steve and I ran that practice there.
Essentially we had 200 SOC analysts, threat hunters, SOC managers running that operation for large Fortune 50 clients. And then Steve and our friend Daniel convinced me to leave everything that we built over there and do it all over again here from scratch. So here we are. Sounds like a very similar story. You guys have worked together for a long time. Jim and I have worked together for a long time, and now the four of us have worked together for a much shorter time, I think probably a
year and a half roughly. For those who aren't familiar with what RSM brings here, I don't want to turn this into a commercial for RSM, but give us the elevator pitch for what does the managed security practice do? What are some of the things that come out of it? I know we've had internal conversations around things like RSM Defense and Unit 26, but tell us a little bit about what those are. For sure.
We not only focus on, you know, the low level monitoring aspects; what we're trying to do for our clients is provide an end-to-end security stack of solutions that meet clients where they need to be met right now in their journey. So for us it's as simple as having the conversations with our clients to really understand what their needs are, because as a consulting firm we have the ability to expand and pull in the right resources at the
right time. But from a managed security perspective, what we want to do is take the burden of day-to-day operations in various stages off our clients so that they can go focus on more high value, high demand type of activities. And we have everything from doing security monitoring all the way up through incident response activities, all the way through DC services, etcetera, that are all related to what we do from a managed security perspective.
So we're really trying to help meet the clients where they are. So the name RSM Defense, is that basically our term for the managed SOC? Yes, that is the trademark name of our managed security or managed SOC, yes. I can appreciate a trademark name, as we have trademarked RN as well. How about Unit 26? Where does Unit 26 fall into this? I'll let Todd give that story, but it is tied to the RSM history a little bit. I'll let Todd give that one.
Yeah, so you're not really a cool security team if you don't have a cool, witty name, right? That's pretty much an industry standard. But no, it really came, you know, the team wanted to, you know, we have a big team aspect of what we do here and making sure that we recognize that, and the team themselves picked that name, right. 1926 is when RSM was initially founded. Unit 26, unit being a team, right? That's what we went with. That's where it came from.
It's really the long and short of it. So when we're talking about SOCs, we're not talking about Sarbanes-Oxley. We're not talking about those things you put on your feet. We're talking about SOC. So Steve, what does SOC stand for and what is it like? Make it as simple as so people, everyone, can
understand. So SOC stands for Security Operations Center. Its primary purpose is to provide infrastructure, people, process, technology surrounding monitoring your infrastructure, in your clients' environment, in your particular environment, in a secured fashion with, let's say, refined processes and procedures, and executing against those processes and procedures. So it's about having a solid unit of professionals that are there watching when nobody else is.
And I think Todd uses this phrase quite often, but a lot of times the people that are in the SOC are the smart people in the basement type of thing. When there's an incident that's coming or has occurred, these are the people that you want on your side defending you and trying to understand where patient zero is and take all the necessary steps to respond and recover from a security incident, a cybersecurity incident. Yeah, I mean, it's funny you use the term patient zero.
It sounds very much like a military term in a lot of ways, but I know it's not military, but more like a virus or sickness starting. But it's, I mean, the amount of attacks that are happening today, right. I mean, Todd, tell us like, you know, is it like a new ball game now than it was maybe a decade ago, with like, you know, instead of being attacked a couple of times a week, you're getting attacked 24 hours a day? What's the deal?
Yeah, Jim, that's a great question. Business is moving if you have somebody of questionable moral ethics, right? No, I mean, and frankly, it hasn't changed all that much in my opinion, right. Some people will think so, and I'm sure there's some, you know, larger edge cases that support that, but the volume of them and the ease of them have certainly increased or been made easier over time, right. Since the, you know, the last 15
years, correct. There's more connected systems than ever, where things are, you know, out there unsecured more than ever. There's more applications, your identities are controlling a lot more of this access to the data, right, than they ever were before, and distributed systems that people particularly don't have visibility around. So yes, there's also a lot of things around, you know, phishing. Phishing is still one of the
top three ways that cyber attacks occur, breaches occur, right, and we've had phishing point solutions out on the market now for the last 20 years and nothing has seemingly gotten better. It's only gotten worse, or made more easily and readily accessible to threat actors, right. So I think the answer is yes and no there, Jim. I think the other things that, you know, help establish those ease of attack factors is, again,
vulnerabilities. Now back in the, you know, I say back in the day or I can date myself, but you know, usually when you would patch things, right, you had 30 days, right. You know, deploy to a non-production system, test it, right. That's sadly not the case anymore. Patching around high, you know, CVE-related vulnerabilities almost needs to be a tier one
security incident, right. I mean, there are threat actors developing capabilities faster than ever before to turn around vulnerabilities and exploits in maybe weeks, days, instead of, you know, months. You know, I always thought that a SOC would focus on activities like our network is being scanned, there's a DDoS attack. Is there more than that? I mean, you mentioned phishing, is the SOC also important in those types of attacks? Yeah, absolutely.
Phishing is one of the biggest vectors on breaches and how they occur, and incidents in general. Business e-mail compromise is another big one on that list. It involves e-mail, just like phishing does. But also what they're doing, the threat actors, is subverting the trust models of these companies and corporations. And they're going after the, I would say, the weakest links of
those chains, right? Why would I, as a threat actor, try to breach your, you know, $1,000,000 firewall solution, right, when I can just send an e-mail and ask you for a password, right? It's a lot easier. Same thing goes with animals, right? I'm a hunter. I like going hunting, things like that. Animals don't walk straight uphill, they walk up on angles. They take the paths of least
resistance. They may escalate to those more sophisticated types of attacks, but they're definitely going to try the low hanging fruit first to get in, right. So it's become a game of kind of cat and mouse too, especially once they do get in, the way they move around inside. They're using legitimate applications and programs that you already use today to administer your systems. So it's being able to find out what the anomaly is. And you know, some of them are
pretty telltale signs. EDR certainly got a lot better and changed the game in that sense about making detections around endpoints. Sure, you know, the users use endpoints, right. So that's where we want to focus a lot of the attention, not all of it, but most of it. Yeah, it's gotten, I would say, easier enough.
And I've got to think that the identity based attacks are, I mean, you've got to be focusing on that to some degree, right, because really it's about getting in the front door, moving laterally, escalating privileges, seeing how far you can get, right. How is identity affecting or fitting into what the SOC does? It's core. It's absolutely core. We have to have identity information to be able to do a good job at what we do every day. You know, identity is
evolving, right? I mean, I think you guys talk about that every week on here. You know, not only do people have identities, but devices have identities, applications have identities, services now have identities. So the identity space, in that sense, the attack space is growing, right? So we have to know how those identities are being used to be able to detect anomalies, to be able to start incidents and detect breaches.
Steve, when would I, how do I know whether or not I can do a better job of doing my own security operations versus when I would outsource it? And is it black and white, or are there shades of grey? As with everything, there are shades of grey in different areas, but in general terms, it's an expensive proposition to build a SOC for your own
organization by yourselves. You're looking, you know, to do it the right way 24/7, have the right controls in place, have the right technologies in place to support that. You know, you're generally looking north of $1,000,000 to $2,000,000 just to even kind of get started. Now obviously there are certain organizations that have compliance regulations, or, you know, specific personnel requirements that mandate that they must go and make this
investment. And then, you know, they are obviously controlled and governed by frameworks such as NIST and FedRAMP and everything. So there are different needs for different companies in their different states, but nine times out of 10 it is not a worthwhile cost efficiency to go and build your own SOC. You want to leverage the scalability and the cost favorability of a managed solution in that spot, Jim.
Yeah, I would imagine that it's, you know, I think from a business standpoint, the way to look at insource versus outsource is I want to direct my own personnel to areas that provide business differentiation, business advantage or value versus my competitors. It seems like this kind of fits more into the infrastructure at some level and below, but that there is some business differentiation at some point where, you know, it does make sense to have some of your own people.
Is that what you're seeing a lot of organizations doing? In a perfect world, you definitely have some of your own folks, especially on the, I'll say, Level 3 triage incident response side of the house, because you want your own people to know exactly where to go, what to do, and be able to react
in a split second. And while a managed security team can do that well for most organizations, you're never going to be as intimately familiar, with an external entity, as you would be on your own
internal side. So there's definitely, where we find the best examples of successful security teams is where there is a blend of pulling in, you know, managed security or external help in the appropriate areas while still maintaining your own, you know, small core security team to help out. So definitely. And something to add to Todd's notes. So from where we sit, the avenues of how threat actors get in are still the same ways.
Meaning it's still the low level tasks that need to be done, the patching, making sure that users are not clicking on things. It's the basic hygiene that will stop the majority of the threats. And Todd talked about all that. But being a little bit older than the rest of you all, call it, it still goes way back to early times in watching and managing security. It's check your front door.
Make sure there's, you know, as little gap as possible, and, you know, make sure that you've armed your own personal team, your staff and all the business partners to understand where the risks come from and set that priority accordingly. But at the end of the day it's always the basic hygiene stuff that gets a lot of our clients.
I'm the master of analogies here, and one of the things I like to go back to is, you know, look, if you were going to commit a criminal act, right? Especially like breaking and entering or something like that. Would you rather break into a house that has a bunch of security lighting and fences around it, or would you have to?
Or would it be more advantageous to break into a house that's got a bunch of overgrown bushes, no lighting, no perimeter lighting, things like that? Well, that's obviously going to be the target of opportunity there at that point. And I've written several times about this on our RSM blog. But you have to make yourself just sometimes unattractive enough to waste time so that they move on to easier targets sometimes. And doing those small things is
a big piece of that. Yeah, we've talked about this, where you don't have to be faster than everyone else, just faster than your friends when the bear chases. That's right. Exactly, that is true for a lot of us. I mean, to be honest, like it does seem kind of cliche and funny, right? But that is, you know, if you have a semblance of roadblocks or making it difficult for threat actors to achieve their goals and objectives.
I mean, time is money to them just like it is, time is money, to us in the business world sometimes, right. So you move on to deals that are more lucrative and going to, you know, return your investment. Super, right? I think it's probably worth calling out that there's different types of attacks, right? If you are, you know, a random recipient of something like that, that might be. But if you're a target, somebody is literally targeting your organization.
Now we're talking about a different level of threat, right? It really doesn't matter how much faster you are because they are looking to specifically get into your place. How does that play into the work that the SOC does? Do they become aware that, oh, there is a target, you know, that there is a specific target on someone's back when it comes to this? Or does that get discovered as you go through this process? Walk me through what that's like.
Absolutely. So one of the components of our service, we have a, you know, a very good threat intelligence apparatus in our team. We have people that spent years doing threat intelligence for the government, things like that, right. Yeah. We do run across, through some of our open-source investigation, that there are pending attacks, or attempts to purchase and broker access into these certain client environments and things like that.
And we do get heads up on those. Hey, you're correct, Jeff. And the one thing I'll say is, you know, once you do have a target on your back and you're not a victim of, I would say, some commodity drive-by malware, right, or ransomware, you have a serious problem on your hands. Because depending on the data that you have and what you have and what they want, right, if it is good enough or great enough, like they will continue to come back,
right. And they will not just continue to come back attacking you directly. They'll come at your compliance or regulatory bodies. They will come at you through third parties and vendors, right, to try to gain access, and the attack surface just continues, which, if you have somebody that has confirmed they're targeting you or the data that you have, at that point you have, seriously. Steve,
you mentioned a long history in this, and something I wanted to ask you before is, have you seen the evolution of how a SOC operates change over the years, or is it still fundamentally the same? The demands and the stress on a SOC nowadays is, I'll say, tenfold, just because of the expansion of where the threat sources can come from, where the threat actors are targeting.
And as we have progressed, moving from on-prem equipment to the cloud, back to on-prem, back to cloud, and cloud really taking hold right now with everything we do, you know, with SaaS based platforms, etcetera, the number of investigations and the number of sources of potential threats is exponentially larger than it was even 10 years ago.
So that evolution will continue until the threat actors are gone, which is never going to happen at this point because, again, they're driven, they're a business just like anything else. And as long as they have some motivating factors, whether it be political, financial or whatever, it's still going to happen. At the end of the day we're human for right now, until AI takes over at
some point. But we're human right now, and things are going to be accessible, and all the good intention that we can possibly do is not going to prevent every single attack. One thing to expand on there real quick is, you know, I think Steve had a big point there, right, is we on the defensive side of the house, and this was even true, you know, back in the day we're working on the government stuff, like that, was we have to get it
right all the time, right. And we have levels of, say, bureaucracy that we have to go through to plug in a proverbial Ethernet cable, right. They, these people, don't have that level of bureaucracy. They're very agile. They're very, again, motivated. They don't have to ask for permission, and they just have to get it right once. Right. So the stakes are high. And also what Steve mentioned too is, you know, the ongoing relation to data, right. There is so much data out there,
right. And that's one thing I try to stress to our clients is, you know, they want to collect this data source, they collect that data source. And sometimes you have to ask, well, why? Because now we have to secure it. There's some good use cases for that, right. And there's some good use cases for not collecting.
But you don't have to secure it. Steve, I want to make this actionable for our listeners, something that they can take away, and maybe something that if they are responsible for security operations they can do to improve their world. And I started off with the question of when should I build my own SOC and when should I go the managed service route. It sounds like it's really a shade of grey in a lot of cases. But I also want to know, like, what are the economics?
And putting it to the point like, OK, maybe I have a SOC already. It's something I run in-house, maybe partially I'm using some managed services. How do I look at that? But also, like, if I'm greenfield, I don't have this today, you know, how do I approach this from, you know, whether or not to start from scratch and build on my own versus going the managed route.
So a lot of things to consider, Jim, in that question, and for the listeners on this podcast, it's imperative that you understand there's no right or wrong way to do this. At the end of the day, as long as you are meeting the security objectives of your organization, you can do this in whichever way makes the most sense to achieve those objectives. But the first thing you need to do is understand what is governing the outcomes from your security perspective.
Meaning, are you compliance driven? Are you driven by merger and acquisition targets? Are you driven by your own data? Are you driven by your intellectual property? Like, there are various ways that you could be governed by, and once you understand what that is, then come back and say, OK, I have a team of three people currently, they're doing, you know, some IT, some security, and, you know, some running around,
field service type activity. You don't have a full-fledged SOC because, again, three people are not going to cover 24 hours a day, and the misnomer that threats only happen 8 to 5 went out the window a long time ago. So organizations that think they're protected just because they are doing it while they're working: most of the time your threat actors are ten time zones over and they are just getting
started. Oh, it's imperative that you also realize that if your environment, if your business is doing any kind of digital transaction of any kind, then you're susceptible. No matter how small or how large you are, and a lot of times the smaller organizations don't realize how susceptible they are because they could affect companies upstream based on how many, you know, what third parties are involved in the process.
So once you identify what your objectives are, what your current basis is, at the end of the day it comes down to people and/or technology to support the effort.
While you can do this with, you know, traditional SIEMs or cloud-based services or XDR or, you know, pick your acronym of choice, you still need to make investment in people to understand what that is. Right now, there are things that AI is going to help with, certainly down the line as that gets smarter and adapts to threat actor models, etcetera. But for right now, it still needs to have some level of human involvement to make the right executions for the
business at hand. A lot of times, you know, like I said, you're going to need north of $1,000,000 probably just to get started, between having enough staff, having the tools to do it, and writing and training all of the people, writing the policies for all the folks, constantly updating and training to stay abreast of current threats.
So there are a lot of things to really consider that I want the audience to understand: this is not "you turn it on tomorrow and then you're ready to go." We want to make sure that, you know, folks are successful wherever they are, in whatever fashion they want to do it. That's a great answer. You covered a lot of ground there, Todd. I was kind of keying off of some of the technologies that Steve mentioned there early on.
I guess one of my fundamental questions is, you know, when you look at a SOC, what are you doing? Are you doing that SIEM function, like pulling in the logs from systems? Is it that plus some more? Walk us through that. It's kind of like "how do I get started," but it's more just explain to folks how the SOC thing is done. Yeah, Jim, that's a good question. There could be a long answer,
there could be a short answer. And the short answer I'll give you is, as a general practitioner in the SOC, I would want as much data backing up my analysis and investigations as possible. So data from whatever disparate sources or systems or stack tools that you may have, you know, including identity, even tools that people wouldn't think would be relevant to security operations. I can assure you, it's 2:00 in the morning and something's going on, they are 100%
relevant. If it requires me as the operator there to make a determination to bring down a domain controller because something weird is going on, or disable a VIP user in the middle of the night, right, the more context, the better, right? That's one of the things that identity is helping do: bring context to a lot of the security alerts, right, especially around what the roles are, the permissions that may be
in the organization. Identity is key to bringing along that context, in that we need to make those decisions ultimately sometimes within 15 minutes or less, depending on what the SLAs are and things like that. But, you know, again, at the other side of that, you know, Jim, what we're doing is monitoring, detecting, responding, and trying to prevent threats, right, and monitoring requires bringing in all that data, right?
If we don't have the data, and especially if you don't have it brought into a normalized taxonomy, you're also going to have a problem there from a SOC perspective. So a lot of the SIEM systems do a good job with that today. And then the detection piece is also hard to do, right, just because you go out and spend a bunch of money on a SIEM system. It's just a framework, right? Same thing with a bunch of EDR
tools. You can go get the new shiny EDR that's off the shelf at Black Hat, right? And it's still not going to really do all that much good for you, right. I mean, it has gotten better, but if you don't have a threat detection engineering team or something like that writing rules for what is bad, or what is known bad in your environment, it's going to make that tool less and less effective, right.
And less ROI, and you end up ripping it out and replacing it with another blinky shiny box, right. So yeah, there's a lot of work, as Steve said, going into that, right. But yeah, I mean, the data is the most important thing, right? And having the data normalized, so when we're searching a username or source ID, it's searching across all of those systems in these taxonomies, so that we know what we're applying it to and we
see the whole context. Yeah, to add to what Todd's saying, because he's 100% correct, but being that this is an identity podcast, we want to make sure that we keep bringing back the role of not only the user, but the asset that ties everything together as well. Understanding what is normal behaviour versus abnormal behaviour is such an important piece of what the SOC is monitoring.
Knowing that ordinarily a person accesses these five applications every single day, well, all of a sudden on day six they access something that they have never done before, and it's not in their business context to do so. That should send up a red flag immediately, and it does. If you're configured properly in the underlying systems, it will raise a flag as far as changing the risk score of that
particular user. A lot of alerts come from identities logging in from remote locations that they're not usually coming in from, and a lot of it is noise because of VPNs and people travelling. We're, you know, a global society at this point, so a lot of it is noise. However, unless somebody is visiting Nigeria or Japan or China or whatever, like, why would somebody be logging in from those places? And your VPNs are not going to
be sourced in those countries. So that's the time that you want to at least investigate. Well, wait a minute. You know, Joe Smith has never left the country, while somebody's logging in from here, so it is super imperative and has been an increasingly necessary data source for any SOC at this point, given the proliferation of how identities are used.
And just to layer on to that, from an even more tactical perspective, right, a lot of these, it's good to know that Joe is logging in from Laos, right, or Vietnam or something like that. But what user agent he's using to do so, compared to the old ones he's been seen with in the environment, what Windows device or what operating system they're using, things like that are very important context that these identity systems are bringing in for the SOC. So help me understand this from
a step-by-step process. Can you kind of take me through what the anatomy of a breach would look like? Where does, what's the SOC doing to prevent this or to mitigate the chances of this happening? Todd, I think you were kind of talking about maybe putting some examples together. I'll hand it over to you. Yeah.
So, great question. I mean, there are going to be a couple of phases that are in absolutely every, I guess, breach or incident, right, or cyber attack, however you want to lay it out. There's going to be some level of reconnaissance that the adversary is going to do against you, right. They're going to use that to determine weaknesses, vectors of infection, right, attack surfaces that they can go after, right. It's like any good research, right.
I mean, you know, Jim brought this up earlier, like, a lot of it sounds military because it's kind of like that, right? The methodologies behind it, they certainly were, like, in a lot of ways, that's why you see a lot of, you know, typically ex-military, ex-government people in, you know, cybersecurity, things like that as well.
But I digress. But yeah, so there could be some sort of a reconnaissance stage that they're going to go after to try to probe you, essentially, or figure out what you're about, right? That could be social engineering attacks, phishing emails, right? Things like that. And then there's going to come a phase of initial compromise, when they're going to make their vector of infection, right? They're either going to exploit some sort of software, or that
phishing e-mail they sent is going to be successful, right? They're going to take advantage of, you know, a vulnerability or something like that. The third phase of that is really going to be, you know, maintaining persistence. Once they've got a foothold on a machine, the next thing I'm going to do as a threat actor is make sure I don't lose access, right? And that's where we're also seeing a lot of the monetization of attacks nowadays. That's where some people stop,
right? There are things out there in the industry, initial access brokers, but that's all they're doing, going and getting access and selling that access. They're not actually, you know, encrypting anything, stealing anything per se, right? But they're compromising the systems to then send it to somebody, or sell it to somebody who is going to take that next step, right?
So once they have a foothold in your system, at this time they're usually either creating new accounts, creating new identities, you know, just maintaining access, right, creating back doors, web shells, whatever it may be that they're going to use to maintain access. They're going to try to move around laterally in the network, right? That, you know, expands their access to the network. They'll start trying to figure
out where they are, what systems they can hit, you know, because you get into a network, you don't really know where you're at sometimes, right? Or if you're on an end user machine, you want to get more access, to see if you can get admin rights, things like that,
right? That's usually going to get followed by some sort of initial attack payload or installation of attack, right, installing, like, exfiltration tools or remote desktop software that we're seeing now, like, as this is recording now, AnyDesk. The incident just happened the other day, things like that, right? Or they could be using your infrastructure to support their operations, for, like, crypto mining and things like that. Usually some sort of malware is
involved in that stage. The last two stages are probably the most important ones, right? It's the actions and the objective, right? So the actions that they're going to take are ultimately stealing the data, disrupting your operations, which is also where there are a lot of these organizations out there that just want to bring down services and nothing else, right? But this is their actions on objectives, their goals.
You're going to start seeing the data getting exfilled, right? Deploying ransomware, things are going to start getting encrypted, right? Denial of service attacks are going to start happening. And then finally, the last bit of it is the escape plan, right? Getting out, right? Destroying evidence, avoiding detection, right? And usually that's where a lot of breaches and incidents are detected. And that's where we don't, as a defensive operator, right?
That's not where we want to catch things, when things are going off at the end of the day. And essentially at that point, you've lost, right? This is where they're erasing your evidence, covering tracks, clearing audit logs, disabling other security tools, right, things of that nature. That's the general 30,000-foot overview of the anatomy of an
attack. And you can see there, in just some of those things I mentioned, where identity would play a large role in helping provide context in SOCs on attacks as well. Yeah. I was thinking as you were going through that, that there are certain steps along the way that probably have a certain signature or footprint to them, where it's like, OK, I'm on a laptop, I've got administrative access.
Now I connect to a download site on the dark web, quote unquote, or in Russia or wherever, you're like, now you go out and connect to that site. That's a pretty hot indicator, right? Well, Jim, I think the thing is, like, it's even easier than that, right? That's what you think is happening. That is not what's happening. What is happening is they're using the same shared services infrastructure that everybody's using.
If I'm a threat actor and I'm exfilling data to some Tor node in Russia, like, that's some rookie level stuff, in my opinion. Like, to be serious, right, I'm going to spin up a new Amazon EC2 instance, attack you from infrastructure that's not listed on any list. It's not showing up in any country, using Azure services, right. Things like that, to pull data to known good IPs.
And this is how they're good at blending in, or providing, you know, a back end to a bulletproof hosting infrastructure where they can't get taken down. They're hosted out of contentious regions like Ukraine, southern Ukraine, right. No one's going to go serve a subpoena to take down a server in Donetsk right now, right? It's just not happening. But yeah, I mean, it's
even simpler than that, right? I mean, we've even seen attacks where, you know, we had a regionalized hospital that was based in the Northwest of the United States, like, all the attacks came from Seattle, like, where they're located. So the adversary, again, during that reconnaissance phase, knows where their infrastructure's hosted.
So that would blend in better than, say, sending something to Nigeria. I mean, if that's going to Nigeria or, you know, Russia, like, we're going to pick up on that immediately and shut that down, making it harder by blending in with what is known good, right. They're using Amazon, they're using GCP, they're using Oracle Cloud, right? Using those infrastructures against you? Right. Yeah, that's cool stuff. I mean, well, cool from the standpoint, like, I didn't think of that.
I agree. But it's all about not being detected, right? Yeah. And that's some of the things. I mean, that's where a SOC operator's job and an analyst's job is harder, right? It is. I tell people, I've done a lot of SOC analyst interviews in my time, and I tell people, like, it is the most rewarding and thankless job at the same time, right? Because your job is difficult, right? If one little thing gets through, it's coming down on you, right, to some
degree. Hopefully you have leadership that'll help stable that for you. But, you know, essentially, right, you have to get it right all the time, right? And that's where they just have to get it right once. To equate it to a football game, you're on defense. You have no idea what play is being called on the offense side, and you're asked to prevent them from getting to the end zone or
scoring. That's, in essence, the job on the SOC side: to make sure that you've laid out all of your defenses possible to try and prevent them from staging forward. And it is never going to be 100% effective. But your job is to keep as many of the bogeys out of the end zone as possible. And Todd's right, it is a super rewarding job. It is super hard, but a lot of organizations don't, you know, they don't always provide the backing and support for
folks in that role. So it is a high burnout, you know, type of role. It's an easy apparatus. Yeah. It's an easy apparatus to blame when something goes wrong. Right. When there are, you know, systemic problems above that, right, from a program standpoint, you know, a maturity standpoint, things like that, right?
Yeah. I hope you're picking up, like, our passion for what we do, because it doesn't matter the organization, like, this is a necessary item to protect yourself, your clients, your customers, etcetera. And unless you have some level of passion for it, it's not going to be done right. So that's when you really need to look and say, is this what we really should be spending our efforts on, or do we rely on some experts to kind of
help us with that. So you'll get the sense that Todd and I probably should do our own podcast at some point, but you'll get the sense that we have passion for this topic because it is super important for us and what we do. I got an idea. SOC at the Center. There you go, something like that. I've got two final questions, then we'll end on a lighter note. You kind of touched on my first one, which is what happens when things break down?
Nothing is perfect. What happens when something gets missed? I mean, it's got to happen in the real world, right? What's, I guess, Steve, what happens when, you know, the service fails? So, dependent upon the threat actor and the type of vector that they're getting in, it could be... Let me take a step back. This is why you don't have one layer of defence. You have multiple layers of defence. So if they get through the first layer, then your secondary control should take effect.
So say an end user clicks on a phishing link, so the first layer is destroyed, they got through. But your second layer, your DNS, your endpoint, your e-mail threat protection, that should be your second layer of defence, protecting you from any further harm. Well, now if you have a third, like, they get through that somehow because your controls were not as effective. Now you have a third layer of defence where you use isolated
networks to control that. OK, so if somebody actually did get in, it's only going to affect these 20 assets right here. So it's important to employ, or, you know, perform a defence in depth kind of strategy as it relates to protecting environments, because no single line of defense is ever perfect, and you want to make sure that you are at least isolating your critical assets away from
anything that could be impacted. So that critical crown jewel is defined by the organization as, you know, IP, formulas, secrets, trade secrets, etcetera. Like, you need to keep them as, quote unquote, air gapped as possible, such that they do not get exposed, because ultimately that could be not only brand reputation but, you know, long-term effects of impact to the group. Yeah. Making it catastrophic to the business. Yes. Trying to avoid that.
All right. So you guys have sufficiently scared me. But what if I'm not scared and I want to become a SOC analyst? What would you recommend for somebody who's listening out there? It's like, oh, that sounds interesting. How do I get into that world as a newbie or a beginner in the space? Todd, I don't know, maybe we'll start with you. Yeah, you've got to be curious. I think that's the thing, right?
A lot of, and this could be a whole other episode on, you know, kids that are graduating out of the education programs around cybersecurity. There's a worldwide industry talent shortage. I can understand some of that. But a lot of them aren't coming prepared out of school to be SOC analysts. But you have to be curious,
right? If you think you're going to sit back and wait for these tools to make detections for you, and you're not going to understand the fundamentals of how those detections were formulated and made and things like that, like, you're going to have a hard time. I think at least here at RSM, you're going to have a hard time. But yeah, you've got to understand, you also have to check your ego at the door,
right. There are things that you, Jeff, and you, Jim, know that I don't know. There are things that I know that, you know, you don't know. We have that kind of mantra in the security operations center here at RSM: you know, everybody knows something, everybody brings something different. It's a real team aspect around that, and we have to parlay off each other, and you have to be OK with
getting it wrong. So as long as what you're doing, and what your actions are at the time, and your analysis is justifiable and defensible, you know, trying to protect and do what's right for the clients, I don't think you're ever going to have a problem out of me, right. But it's when you're not doing anything, right, that's the problem. But yeah, I mean, you've got to, again, this is another thing, is like, I don't know what I would do if I had to do this job over
again. And, like, I don't want to seem like this is belittling or anything, but, like, if I had to put steering wheels on, like, at a car manufacturing plant, like, I think I'd go insane, like, every day doing the same job over and over. This job is very repetitive. But what changes every day is the tactics and techniques in there. So you're constantly having to learn new ways to make detections, see the activity, see the traffic that's going out.
So it's very exciting from that point, that they're always trying to one-up you, right, the threat actor, right. So it's a constant learning battle. Your learning never stops. And, you know, frankly, a lot of the, you know, if you're going to get into the SOC business, you know, understand, like, it is a tough game as well too. There are rotating schedules. Like, we don't shut down, right? We're like 7-Eleven.
We're always open. That's hard on people too, especially working overnight shifts. When I first started doing this, I worked in a SOC full time and went to college full time. So I would work 5:00 PM to 2:00 AM every night, class the next day. It's very rough, but you've got to want to do it. It's got to be a passion of yours, and we definitely see a difference in the people that have a passion for it versus people that want to do it. So you have to be willing to be wrong.
You've got to continuously learn, and you've got to put yourself out there. Steve, anything to add? No, he stole my thunder. For me, when I'm doing interviews, and obviously Todd and I are yin and yang on interviews, so what I'm looking for is, I can teach most people anything. So from a technical perspective, I'm less worried about did you go to this SANS course, or did you learn this particular thing, or did you get this, you know, Security+
certification, etcetera. Like, we can teach people that. If you aren't a fast learner and curious about why a certain thing happens, your success as a SOC analyst will be difficult, because it's that curiosity that drives your thought patterns on
where to look for things. And once we teach you the paths to look for, then it's up to you to put all of that together and say, OK, now A does equal B, C, and then it goes to a letter that I don't know yet, but I know that it's not something that is correct or a positive outcome.
So it really comes down to how curious you are about learning and what the next thing is. So just like a four-year-old or whatever asking the constant "why," that's the kind of mentality that actually will do well as not only a SOC analyst, but as an incident responder and in other areas in the detect and respond side of the house. You've got to have an investigation mindset, an investigation-based mindset, right? I equate a lot of it, too,
and I tell this to the SOC team, especially the new people that have never worked in a SOC: you know, you're a police officer, you show up to a crime scene, it's just you and whatever's in front of you at the crime scene, right. What do you do? Well, you've got to start asking neighbors, right? I start canvassing the area, looking for cameras, looking for evidence, right?
There are a bunch of things in that investigatory mindset that you have to have, and the same thing translates into the SOC, right? An alert goes off. That's just the genesis, and where you need to begin. Like, where do I need to go find firewall logs? Who is this user? What are they doing on the network? What access roles do they have, right? You've got to go through all that very quickly too. All right. So we're up over an hour. We're going to start to wrap it up.
We got a little serious there at the end. So we have to end on a lighter note. Steve, you brought up Super Bowl or football analogies. We're going to talk about the Super Bowl. Here's my question for all of you. So by the time people listen to this, it's going to be Monday, February 12th. The Super Bowl will have taken place last night. We're recording this a week in advance. Who is going to win the Super Bowl, and why is it going to be the 49ers?
Todd, we'll start with you. Well, being a Philadelphia sports fan, I hope none of them win. I'll say that. But I think the Chiefs are going to win. I think their offense is too potent. Their defense has been stepping up recently in the last couple of weeks here, especially in the playoffs. I think equally could be said about the 49ers, but I just don't think they have the talent there on the offensive side to get it done. Boo. Wrong answer. Jim, how about yourself?
Who are you picking between the 49ers and the Chiefs? I was hoping not to even have this conversation with you, Jeff, because obviously you're biased. OK, but I don't know what you're talking about. We're vendor neutral here. Vendor neutral, we'll accept. When it comes to the NFL, I'm going with the Chiefs, and the reason why is Patrick Mahomes. I mean, look at all those Super Bowls that the Patriots won. And I think it came down to Tom, the GOAT. And yeah, that's, I just think that Mahomes is
going to find a way to win. Sorry to tell you that, Jeff. I don't think it's going to be a blowout, but I do think he's got the edge. All right. Oh for two. Steve. All right. So why are the 49ers going to win? So everyone's ignoring the elephant in the room: the reason the Chiefs are going to win is because of Taylor. That is the reason that they're going to win. At least that's the way the media will have you believe. Finally, a real NFL analysis
getting done here. I think she just won a Grammy last night. Obviously, I'm unfortunately not in the United States, so I can't see the Grammys from where I am, in El Salvador currently, but she did win. Besides the fact, as a loyal Philadelphia fan, and unfortunately, Jeff, you've got three of us on the call here
on the podcast today. I don't know how you did that. And witnessing what happened last year, when the Eagles should have won that flipping football game in the Super Bowl, there's no way Kansas City loses the game again. It will not be a blue out, a blowout, but I just, they got hot at the right time of the year.
They were really mediocre or horrible in the beginning part of the year, but they turned it on at the right time, and I think it's just a matter of time to complete that. So, unfortunately, it will not be the 49ers. It will be the Kansas City Chiefs. You know, it's a real shame to have so many smart people on this podcast and not be able to pick the right team here. Ruin it in the last 30 seconds. That's right. I'm going to cut this out.
Since I do all the editing, I'm going to make you guys say, "Oh yeah, the 49ers are going to win." Obviously I'm going for the 49ers, going to stand forever. It will continue to be so. I think they win 35-28. I think it'll be a close game. I don't want it to be a blowout. I want it to be a good one. I think that's, yeah, lock it in, get those bets in, and don't hold me accountable. This has been a great conversation. We're going to leave it there. I know that there's, kind of, a lot to cover.
This is kind of the beginnings of it. But I'm glad you guys were able to make some time for us to talk through this. I think this is an area that, again, a lot of people hear about, but they don't really get to peel back and look behind the curtain sometimes. So I appreciate you guys taking the time with us. We'll have some links in our show notes for people to check out. You know, Todd, you mentioned some blog stuff that you've
written. So we'll get a link to that in our show notes if you want to check that out. And then if you guys want to connect, we always put LinkedIn profiles so you can connect with Todd and Steve, as well as Jim and myself, as we go through that. And then we're on the web, idacpodcast.com, Twitter at IDAC Podcast, Mastodon at IDAC Podcast at infosec dot exchange. Still don't like the way Mastodon does their names, but nothing to be done about it right now.
Like, subscribe to all that stuff, keep sharing it. I continue to see a Reddit thread that keeps talking about how people enjoy the show. So hats off to the folks who are in that thread. Not that I was checking or anything while recording, but it was kind of cool to see that. So with that, we'll go ahead and leave it for this week. Thanks, everybody, for listening, and we'll talk with you all in
the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com and find us on Twitter at IDAC Podcast. See you next time on Identity at the Center.
