Evolution of Ransomware and Other Cyber Topics
KITECAST - JASON REBHOLZ
This Kitecast episode features Jason Rebholz, who has an extensive background in cybersecurity. He is currently the CISO at Corvus Insurance, which he joined in 2021, and he also serves as an advisor to NetDiligence and MOXFIVE. Previously, Jason was VP of Strategic Partnerships at ICEBRG (acquired by Gigamon), VP of Professional Services at The Crypsis Group, and a manager at Mandiant, where he led a team of incident response investigators.
Jason founded the educational initiative “Teach Me Cyber,” available on YouTube and LinkedIn, with the objective of making cybersecurity topics accessible to general audiences. He was motivated by technical news coverage full of jargon and screenshots that average readers struggle to follow. Through short daily lessons, Jason breaks cybersecurity topics down in plain terms; his goal is to help even one more person gain practical knowledge that improves their organization’s security.
In the interview, Jason discussed the recent MGM ransomware attack and the difficulty of containing and remediating an active intrusion. Responders work from incomplete and imperfect data, and in hybrid environments that span on-premises systems and always-online identity platforms such as Okta and Azure AD there are many places an attacker can leave a backdoor, so fully evicting an attacker within a short timeframe is very hard. The nation-state-style approach of completing a full investigation before a single coordinated eviction has a high success rate but can take months, which ransomware victims cannot afford. Jason therefore emphasized having strong monitoring and rapid response capabilities in place before an incident, and building defense in depth so that an attacker who retains a foothold cannot move freely through the environment.
Multifactor authentication (MFA) was another topic Jason covered. He stressed that while MFA is crucial, the type of MFA matters: weaker forms such as SMS codes, push approvals and one-time passwords are being bypassed by phishing toolkits, and an organization that offers a phishing-resistant option (passkeys or hardware keys) alongside those weaker methods still leaves the weaker methods available as an attack path. He advocated adopting the most secure MFA option available and retiring the weaker ones to realize the full risk reduction, noting that the more secure route often brings a better user experience as well.
Managing third-party cyber risk was also discussed. Jason argued that current third-party assessments often provide a false sense of security. He recommended assuming vendors have poor security and limiting the impact of a vendor compromise by restricting what data is shared, controlling where sensitive data goes, and ensuring that a vendor’s access can be revoked.
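The intrusion pattern Jason describes later in the interview (a help-desk password reset obtained by phone, followed by enrollment of a new, weaker MFA factor) is exactly what the monitoring he advocates has to catch. The following script is an added example, not code from the episode, from Corvus, or from any identity provider; the audit-event schema, field names, actor naming convention and log lines are constructed for illustration and do not mirror a specific product’s log format.

```python
"""
Detect a help-desk-driven MFA reset: a password reset performed by a
support actor, followed within a short window by enrollment of a new
MFA factor, and flag whether the enrolling IP is new for that account
and whether the new factor is phishing-resistant.

The event schema (ts, event, user, actor, ip, factor) and the sample
log below are constructed for this example; they are not real logs.
"""
import json
from datetime import datetime, timedelta

# Factors bound to the origin (FIDO2/WebAuthn, passkeys, hardware keys).
# SMS, push approval, TOTP and email codes are treated as weak because
# real-time phishing proxies can relay them.
PHISHING_RESISTANT = {"webauthn", "passkey", "hardware_key"}

# How soon after a reset a new enrollment is considered part of it.
ENROLL_WINDOW = timedelta(hours=2)

# Constructed JSON-lines audit events (assumed format, not a vendor's).
SAMPLE_LOG = """
{"ts":"2023-09-08T09:12:00Z","event":"user.login","user":"alice","ip":"203.0.113.10","factor":"webauthn"}
{"ts":"2023-09-08T14:03:11Z","event":"user.password.reset","user":"alice","actor":"helpdesk.bob"}
{"ts":"2023-09-08T14:09:40Z","event":"user.mfa.enroll","user":"alice","ip":"198.51.100.7","factor":"sms"}
{"ts":"2023-09-08T14:10:02Z","event":"user.login","user":"alice","ip":"198.51.100.7","factor":"sms"}
{"ts":"2023-09-07T08:00:00Z","event":"user.login","user":"carol","ip":"203.0.113.44","factor":"webauthn"}
{"ts":"2023-09-08T10:00:00Z","event":"user.password.reset","user":"carol","actor":"helpdesk.bob"}
{"ts":"2023-09-08T10:05:00Z","event":"user.mfa.enroll","user":"carol","ip":"203.0.113.44","factor":"webauthn"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_helpdesk_reset_enrollments(events, window=ENROLL_WINDOW):
    """Return one alert per help-desk reset that is followed by an MFA
    enrollment inside `window`. Each alert records whether the enrolling
    IP had ever been seen for the user and whether the factor is
    phishing-resistant, so a responder can triage it immediately."""
    known_ips = {}  # user -> IPs seen before the enrollment
    pending = {}    # user -> most recent help-desk reset awaiting enrollment
    alerts = []
    for ev in events:
        user = ev["user"]
        actor = ev.get("actor", "")
        if ev["event"] == "user.password.reset" and actor.startswith("helpdesk."):
            pending[user] = ev
            continue
        if ev["event"] == "user.mfa.enroll" and user in pending:
            reset = pending.pop(user)
            delta = ev["ts"] - reset["ts"]
            if delta <= window:
                alerts.append({
                    "user": user,
                    "actor": reset["actor"],
                    "minutes_after_reset": round(delta.total_seconds() / 60),
                    "new_ip": ev["ip"] not in known_ips.get(user, set()),
                    "factor": ev["factor"],
                    "phishing_resistant": ev["factor"] in PHISHING_RESISTANT,
                })
        if "ip" in ev:
            known_ips.setdefault(user, set()).add(ev["ip"])
    return alerts


def severity(alert):
    """Unseen IP plus a weak factor is the MGM-style worst case."""
    if alert["new_ip"] and not alert["phishing_resistant"]:
        return "high"
    if alert["new_ip"] or not alert["phishing_resistant"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    for a in find_helpdesk_reset_enrollments(parse_events(SAMPLE_LOG)):
        print(severity(a).upper(), a)
```

In the constructed sample, alice’s reset is followed six minutes later by an SMS enrollment from an address her account has never used, which scores high; carol’s reset is followed by a WebAuthn enrollment from her usual address, which scores low. In production the same logic would run against the identity provider’s real audit stream, and the high-severity case should trigger an automatic session revocation and a call back to the user on a known number rather than a ticket.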
LinkedIn: www.linkedin.com/in/jrebholz
YouTube: www.youtube.com/@teachmecyber
Transcript
Patrick Spencer (00:01.767)
Hey everybody, welcome back to another KiteCast episode. Tim, how are you doing today?
Tim Freestone (00:07.418)
Yeah, pretty good. I had a Starbucks Nitro Brew, so I’m somewhere between amped and cardiac arrest, but doing all right. That stuff is really strong.
Patrick Spencer (00:19.173)
All right. This will be rapid, rapid fire questions, Jason, today from him. I think we’re thrilled to have Jason Rebholz with us. He is the founder of Teach Me Cyber. We’re going to talk a bit about that. It’s a really cool initiative he has going there. You can find it on YouTube and we’ll let him talk about
Tim Freestone (00:23.977)
Yeah.
Jason Rebholz (00:24.697)
Yeah, I’ll be ready.
Tim Freestone (00:26.667)
Yeah.
Patrick Spencer (00:41.415)
where you can locate it. And those who are logged on through the website, you’ll see it posted on the webpage as well. He is the Chief Information Security Officer over at Corvus Insurance. He serves as an advisor for several other organizations such as NetDiligence, as well as MOXFIVE. Jason, as we’re gonna discover, has a very broad background. He’s not simply relegated to cybersecurity in the CISO role; he served as VP of Strategic Partnerships, for example, at ICEBRG, which was acquired by Gigamon.
He was the VP of Professional Services at a company called Crypsis Group. And before that he was over at Mandiant and was on the incident response investigations team managing a team of incident response specialists, most of which I’m sure you can’t talk about. There’s some cool stuff he did there. Jason, welcome to a Kitecast episode. Thanks for joining us.
Jason Rebholz (01:32.676)
Yeah, thanks for having me.
Patrick Spencer (01:34.451)
Well, let’s start by talking about your current role over at Corvus. You’ve been there, I think, for a couple of years now. And, you know, talk about your charter and what do you do?
Jason Rebholz (01:44.343)
Yeah, so as you mentioned, I’m the Chief Information Security Officer at Corvus Insurance. And I do not have a typical CISO job by any stretch of the imagination. So typical CISO, you’re going to be going in and owning internal security and I do that. And so a lot of that over the last two years has been building out a lot of the foundational components of a security program and getting to the point where we’re at the top of our game. But as I mentioned, not a traditional CISO role.
part of my job. And so I also run our Threat Intel team and this is a really fun part of my job because Corvus Insurance is in the cyber insurance space. It’s really important for us to understand where are attacks going and how are techniques evolving and how does that translate to different security controls that are effective at stopping that. And so I’ve got my Threat Intel team that focuses on looking forward.
Tim Freestone (02:24.878)
Thanks for watching!
Jason Rebholz (02:43.095)
And then I also work with our team who focuses on risk advisory. And so how do we work with our policyholders and our underwriters to let them know about the threats that our threat Intel team is finding. But how do you try to secure against those? And so the way that I think of it is not only am I responsible for the security of Corvus insurance, but I’m also responsible for the security of all of our policyholders as well. And so it’s really about how do you do security at scale at that point, which is a really fun part of it.
Patrick Spencer (03:13.219)
That’s interesting. The aspect of just not the company itself, but all your policyholders. That’s sort of a new way to look at security in the marketplace. What I assume there’s not many of your peers that are doing that.
Jason Rebholz (03:26.963)
Not to the degree that we are. And I think it really comes down to how do you bring in data? Because we’re an insurance company after all, and insurance companies loves data. So to help them make better informed decisions. And so we have a lot of data that we can bring to bear. We have the threat intel component, and we have the advisory component. When you mesh all these things together, you get a really, really interesting combination that is just brutally effective.
at finding what are the most important things that you should be spending your time on, and more importantly, your budget on, as somebody who’s trying to secure their organization. And so that’s a really powerful position because you don’t have to really guess. You’re operating from facts. This is what’s happening with attacks today. This is where we see attacks going tomorrow. So how should you be spending your dollars wisely? If you have a dollar to spend on security,
You want to make sure you’re spending 25% or 25 cents on this, 25 cents on this, 10 cents on this. And so that really positions it where you can drive a lot of value for organizations than trying to help them prevent or at least mitigate the impact of a breach.
Tim Freestone (04:38.254)
So it’s a big part of it is consultancy. So what it sounds like.
Jason Rebholz (04:42.547)
Exactly, exactly. And it’s, you know, we have a whole team of, we call them our cybersecurity advisors that work closely with not only our policy, but our underwriters as well. So it’s kind of the full service there.
Tim Freestone (04:52.582)
Mm-hmm. Interesting. Go ahead.
Patrick Spencer (04:56.351)
Your background, having run the Professional Services organization, I assume serves that role quite well.
Jason Rebholz (05:02.891)
Exactly. Yeah, those skills come in handy.
Patrick Spencer (05:06.911)
Go ahead, Tim. Yeah.
Tim Freestone (05:07.314)
What, yeah, just, you know, when you’re consulting with this array of policyholders, are you seeing any current themes in terms of what is needing to be more or less consulted upon? You know, is there more or less of a gap in knowledge and risk management that you’re seeing in any particular domain? Or is everybody just sort of an open book and needs help everywhere kind of a deal?
Jason Rebholz (05:38.327)
It’s definitely a mixed bag. I think the common themes that we always see coming up are endpoint security. We see a lot with identity access management and then remote access. Like that’s probably the most common questions that we get. And I think it’s largely because we’re in this weird transitionary phase as a world where you had for the longest time, people were relying on remote desktop. Don’t like that.
Then we started relying on VPNs. Well, guess what? Attackers are finding ways to find exploits in those and use that as a front door in the environment. Don’t like that, right? And so like we’re at this kind of new transitionary period where we’re looking at things like ZTNA as a new form of secure access into an organization to help get people the resources they need, but also not open up an attack vector for these threat actors that are out there. And that’s just, that is a lot of education because you know,
Most people in IT and security grew up with, well, if it’s either remote desktop or VPN, I don’t have a way to get in my network. And that’s just not the case anymore. So we have to kind of uplevel across industries there.
Tim Freestone (06:49.83)
What about the data itself? So it seems like since the beginning of cyber, the conversation has revolved around things. So the network secure that, uh, applications secure that devices secure that. The point of all of that though, is the data itself. Um, are, are you seeing more or less or the same, um, focus on. Sure. You.
secure those things, but guys, the whole point is the data. You know, what are we doing at the data layer to ensure that even if someone gets in, you know, it’s limited at what they can access and get from a data standpoint.
Jason Rebholz (07:32.283)
So if you asked me that question five years ago, I would say it was much less important. And the main reason for that was when you look at ransomware, like ransomware was just becoming a real thing, right? I look back to 2016, it’s when I was back at the Crypsis Group and I rode the ransomware wave. Like I literally remember the first time that a $50,000 ransom was like, oh my gosh, I can’t believe we have to pay that much money. And that was because you have this group called SamSam that said,
Tim Freestone (07:36.92)
Mm-hmm.
Jason Rebholz (08:00.975)
hey, I bet we can get more money if we encrypt all of the servers instead of this one server that we just got access to. And so that started a long journey in ransomware where it was just about encryption. And so now you have data theft. And so we’re kind of back to where it was before that, where it’s like, okay, great, how are we securing the data? I think the challenge here is that it becomes a lot harder now.
Tim Freestone (08:08.66)
Ehh
Tim Freestone (08:15.052)
Mm-hmm.
Jason Rebholz (08:28.267)
even though we have all these advancements in technology, because there’s just so much data that’s out there, and these attackers are stealing so much of it. And so while the traditional way of looking at this is how many records, personal records, PII do you have, are you storing in your organization? That’s not enough anymore. And so I think we’re looking at this kind of evolution of still important, but also, how are you protecting it?
Tim Freestone (08:35.063)
Yeah.
Jason Rebholz (08:55.695)
But as an insurance industry, we’re just starting to get to that gate. And it’s like, how do we try to do that in a responsible way that is not going to result in 1500 more questions that people have to answer and still get to some ground truth of what you’re doing to protect the data.
Tim Freestone (09:12.422)
Yeah, somewhere in your answer there I see a similar answer from other folks that I asked that question, which is, well, the problem’s so damn immense that it’s almost, why start the question and answer routine on something that we’re just not even close to solving? And there’s comfort in known solutions and tackle those first.
You know, maybe someday we’ll get to the data layer. Am I being, am I over assessing that? Yeah.
Jason Rebholz (09:48.313)
I think that’s right. It’s because like, look at this way, right? One of the questions that I hate the absolute most that any security questionnaire is going to ask is, do you encrypt your data?
Tim Freestone (09:59.945)
Mm-hmm.
Jason Rebholz (10:01.651)
Literally anyone can answer yes to that today. Is it effective? No, absolutely not. Right. Cause you look at, right, your cell phone encrypted by default now, right? Everyone, everyone’s got the passcode on it. Your Apple device, your windows device, all of them encrypted by default. Right. So everyone is checking the box of compliance there, but it’s not stopping the attacker from accessing the data because we don’t deal with most attacks where people are stealing the laptops and then trying to sell it. Does it happen? Absolutely.
But when you look at any of these ransomware cases that are happening, or even just like Lapsus$ where they’re stealing data trying to extort victims there, they’re going in and they’re logging into these systems and they’re accessing the data logically. The encryption doesn’t matter there because most people aren’t going down to the level of file-level encryption or even databases, column-level encryption. It’s those sort of things that becomes such a complex topic. And so you got to train
clients on that, policy, every company, you got to train the underwriters, you got to train the brokers, right? It is such a complex thing. I don’t think we’re ready as an industry to really tackle that at scale.
Tim Freestone (10:58.86)
Right.
Tim Freestone (11:08.138)
Hmm. Interesting. That’s a very interesting answer and probably right on the nail or hit the nail on the head with it. The file, what we kind of speak to data level. It’s like, so ZTNA or Zero Trust, right? It’s the applications in the network. And then, you know, it’s all about least privilege, always on monitoring. But theoretically, that plus that.
plus zero trust that the data layer where you micro segment your data based on sensitivity levels, allow least privilege access to the data within the applications. That’s sort of the holy grail or the triad of risk management. And the companies that can get to down to the data layer, I mean, I think are the ones that have lowered the risk to the nth degree, right? It’s just where are people in that maturity model?
Because some people are still trying to figure out what DLP does, right? Some companies. So.
Jason Rebholz (12:08.132)
Well, I think that’s accurate, right? And I think the paradox of this too is that for the companies that can afford to get down to that level, they’re probably going to have a much larger attack surface. And so they’re just kind of bringing with them all this extra baggage along the way, right? It’s like everybody starts off with just an empty bucket that they throw on their back and the larger you get, the heavier that gets.
Tim Freestone (12:19.53)
Mm-hmm.
Jason Rebholz (12:31.347)
And so you can throw as much money as you want at it, but it just continues to get harder and harder as you go along. And so, you know, if I look at a company, you know, that’s smaller, and maybe just starting with their journey, right? DLP shouldn’t be the conversation that they’re having, right? It’s like, let’s talk about endpoint security. Let’s talk about how you securing access MFA, you know, email security, and it probably is a few year journey for them to even get to the point where they’re ready to kind of expand there because, you know,
Tim Freestone (12:46.763)
Right.
Jason Rebholz (13:01.063)
tooling is one aspect of it, then you got to actually run the program, which everyone seems to forget about. I’ve been guilty of that as well. By the tool, you think you’re good, but then you’re like, oh, I actually got to run this thing. How do you operationalize it? I feel like once you enter into the data realm, that’s where it gets really difficult. Security’s never a one set it and forget it sort of thing, but the amount of volume and velocity with data.
Tim Freestone (13:11.866)
Hmm.
Jason Rebholz (13:30.439)
is such a hard thing to try to tackle. And that’s why you only have a small number of companies that are even ready to start that journey, let alone make progress on.
Tim Freestone (13:33.951)
Mm.
Tim Freestone (13:41.426)
Yeah, most of them, sorry to bogart this Patrick last comment, but the most of the companies that we see that are in the in the data layer, it’s compliance that’s driving it because not many regulations are anchored around. Tell us where all your laptops are. It’s, you know, tell us where your data went. Who saw that PII, who saw that PCI and more and more regulations, more and more highly regulated industries.
Patrick Spencer (13:41.47)
Do you see?
Tim Freestone (14:09.642)
more and more people being thrown at the problem in financial services. And, you know, that’s, that’s really, I think that’s what we’re seeing as the drive, it’s less, it’s less data protection as much as it is data comply regulation and regulatory compliance. Right. And I’m done.
Jason Rebholz (14:25.103)
Yeah. Which is, you know, that’s the benefit of compliance. It might be the only time I’ll ever say the benefit of compliance, right? Because I don’t think compliance equals security, but it’s a forcing function, right? And especially for financial industry, right? Like, that’s where you want to see them investing in their dollars on the security side.
Tim Freestone (14:35.562)
Yeah. Right.
Patrick Spencer (14:46.207)
Well, insurance isn’t a highly regulated industry anyway, right? We know the opposite is certainly the case. Um, piggybacking on what Tim was talking about, you know, the challenges associated with protecting that data. Do you see classification of data, you know, knowing what types of data reside and where, and is it exchanged? Who has access to it? You know, is that part of the, the
Jason Rebholz (14:51.235)
Exactly.
Patrick Spencer (15:14.463)
the hairball that we’re trying to entangle so that we can provide better protection around our data within our enterprises.
Jason Rebholz (15:21.355)
Absolutely, right? Because if you’re going to have a limited number of resources that you can spend, and I think this is more on time than anything else. And so there’s data is not created equally, and it shouldn’t be right. And so, you know, I look at it as, you know, if I’m going to kind of map out my approach for this, it’s going to be first, I need to know where the data is. And data in general, right? Like, I do know where the data is, and I need to know where it’s going.
and then I need to know what that data is. So then I can go and classify that, and then I can put together different control requirements based on that classification of data, and then I can move to actually start enforcing that, and then I’ll mature into how do I audit that to make sure we’re doing what we need to do. And that’s a meaty problem. That’s like a multi-year program that you’re building out there. And there’s certainly things that you could do to expedite different areas here and there.
Tim Freestone (15:57.464)
Hehe
Tim Freestone (16:04.302)
Mm-mm.
Jason Rebholz (16:15.363)
But I find that once you, when you get to the point where you’re ready, like classification is almost like the springboard because once you spring off of that, that’s when you’re going live. And that’s when it’s just like, you have to keep up with that data and you need to make sure you have the right tooling to do this. You need to make sure you have the right people and program behind that to do it. Cause then the drift on that is insane. Like you don’t just start and stop. Like it’s like, you’re going to have to keep treading water on it to make sure that it’s effective.
Tim Freestone (16:45.058)
Mm-hmm.
Patrick Spencer (16:46.363)
Sounds a lot like Kiteworks messaging there.
Jason Rebholz (16:49.397)
Hahaha!
Tim Freestone (16:50.866)
Yeah, the you know, one of the reasons I kind of go down this path anyway, and to bring it to the headlines today is the you know, the MGM hack. And really any sort of social engineering, which kind of leads the best practices of hackers these days, it seems like you know, just find the dumb people, so to speak, get the get the information you need. And then we really doesn’t matter what sort of tech, tech security you have in place
They’re going to social engineer passwords and get the privileges they need. And in the MGM case, what super interesting, you know, if I understand this right, is it’s just a guy called the guy or gal called the gal talk to him for 10 minutes. It’s like the old fashioned way. It didn’t even use email, right? It just spoke to the guy for 10 minutes, got, got what they needed. And then they were off to the races. Um, and
You know, you springboard off of that with what’s happening in AI. Imagine the scale that you can start doing attacks like that when you have, um, you know, uh, text to speak or text to speech AI engines that are tailor-made for, um, pulling the hood over people over the phone. I mean, we’re no, it’s worth six months to a year out from that. It’s just, you know, that seems like the path to least resistance from a.
from a hacking standpoint, what do you think of that?
Jason Rebholz (18:18.039)
Yeah, so I think I have a very particular viewpoint on GenAI and the impact on security. I think there’s more risk to some of the deception techniques on how are you tricking people to do it, right? And disinformation, you can classify all that underneath there. You got this other school of thought, like there was a bunch of the dark web ChatGPT competitors, people were losing their minds on those, guess what, all three, like the three predominant ones all defunct now, right? And so
Tim Freestone (18:35.872)
Mm-hmm.
Tim Freestone (18:46.902)
Mm-hmm.
Jason Rebholz (18:47.659)
I think we’re starting to see early indications of GenAI coming in for some of these deceptive techniques in social engineering. So there was one just last week and the company name is escaping me, but they highlighted that, you know, they were able, the attacker was able to take some recordings of somebody’s voice at the company and use that with GenAI to bypass a particular MFA function there. And so that is a very targeted example. And so I think we’ll see more of that. I think, you know,
Tim Freestone (19:11.967)
Mm-hmm.
Jason Rebholz (19:16.959)
In the future, we’ll see that more at scale. And so yeah, in the case of MGM, they didn’t even need to do that. It was just calling up the IT person and saying, hey, you know, locked out sort of scenario, you know, reset my password, let me do MFA, you know, new on device sort of thing. But I think that’s the key here is that we’re still in a lake where there’s a lot of just like easy targets, right? And so.
Tim Freestone (19:24.05)
No.
Jason Rebholz (19:45.583)
I think a lot of times the public sees all these hacks and like it’s got to be the most sophisticated thing in the world. There are those out there and I actually would classify MGM as one of the more sophisticated ransomware attacks, not because of the way they got in, not sophisticated, but what they did after they got in. Getting super admin on Okta, getting global admin on Azure AD, those are things that-
your typical ransomware actors are not well versed in cloud, let alone Okta. And so, I think that puts it into a realm of its own, but it does highlight the front door, which is the most important thing, still can get bypassed with some pretty basic techniques. And this just speaks to defense in depth. You have to assume that’s going to fail. So how do you put the right pieces in place to try to quickly detect, respond, and contain an incident when it does happen?
Tim Freestone (20:16.438)
Mm-hmm.
Tim Freestone (20:39.414)
Mm-hmm.
Patrick Spencer (20:40.507)
That was actually one of the questions I had for you, Jason. I know you’ve written some about the MGM hack the last week or so. What made it so difficult to actually stop? Because once they got in, like you said, they got access, super admin access and so forth, Okta. But it’s one of these instances where they think they have it stopped, but they haven’t. And I suspect your Mandiant experience helps inform your view here.
Jason Rebholz (21:07.051)
Yeah, exactly. And this is where I hate when the Monday morning quarterbacking comes into play and everyone’s like, oh, they should have done this, they should have done that. And there’s always something anyone who has gone through these incidents can do better. Right. And I think nobody’s going to argue with that. But when you’re dealing with an active attacker situation, it is incredibly difficult to kick them out because you’re working with.
Tim Freestone (21:18.41)
Right. Yeah.
Jason Rebholz (21:36.203)
incomplete and imperfect data. So if we lay out the timeline as we understand it right now, and I’m sure this will change, but you’ve got this threat actor saying that on Friday, they gained access into the environment. So let’s say that’s when they called the help desk and got access into the environment. Between Friday and Saturday, MGM detected something was going on. And so it looks like MGM tried to do some basic containment on Saturday, wasn’t effective.
attacker still had access in the environment. Sunday rolls around. MGM takes more drastic measures, taking things offline. This is like the nuclear button, right? It’s like, you don’t press this lightly. And apparently that still didn’t kick the attacker out. And I think the challenge here, and I’ll share a couple of stories with this, was that when you have these hybrid environments, the complexity goes through the roof.
You are not dealing with just one thing where you push one button, everything goes away automatically. You’ve got Okta, you’ve got Azure, which are meant to be online all the time. If these teams within 48 hours were not able to identify every single spot that the attacker has tried to put a back door in place, or has some sort of access, how are you going to do that? It’s an impossible game to play.
Tim Freestone (22:51.936)
Right.
Jason Rebholz (23:00.099)
You know, the, the Mandiant style approach when they were dealing with nation state threats to kick an attacker out of the environment is you would do the full investigation first. That could take months, right? And this is a very difficult conversation to have with somebody saying, we don’t want you to try to play whack-a-mole because if we do that, we’re going to lose. We want you to allow us to have a full and complete investigation.
Tim Freestone (23:11.927)
Mm-hmm.
Jason Rebholz (23:26.031)
so that we can identify every nook and cranny that this attacker is in, every back door that they have, and then over the span of a single weekend, we’re gonna shut down the network and we’re gonna clean it all up. That has a very high success rate, but companies can’t, especially in ransomware, cannot wait months for an investigation to happen, right? And so that’s the difficulty that you have and that’s where you try to take these actions and you’re basically just trying to stay one step ahead of the attacker.
who has had a head start. And so very, very difficult to do. You still have this attacker, as of when we’re recording this today, claiming that they still have access in the environment, which we don’t know if that’s true. They probably do somewhere. And so like, you just don’t know. And that’s where it’s just like, you gotta try your best as a defender to get ahead of it, have the right monitoring in place ahead of time, and have a good, rapid response in place where you can try to kick them out.
And this again, defense in depth, we always go back to that, right? If you can kind of create this ahead of time in a way that like you can mitigate their ability to move throughout the environment, even if they still have access, you’re kind of trying to tip the odds back in your favor.
Tim Freestone (24:37.034)
Do you know how long, I didn’t look too much in the detail, but between phone call and realizing there’s an attack, i.e. how long were the attackers hanging out in the environment, dropping back doors and other methods of entry?
Jason Rebholz (24:55.819)
It’s not super clear. So, you know, this is going off of the statement that the attacker had on the overall timing of everything. So it looks like Friday is when they got in and Saturday is when the first containment steps were taken. So say like conservatively 24 hours when the attacker got in and sometime in that state, MGM detected, which is actually pretty impressive. Like when you look at the kind of the average time for people to detect it, it’s not 24 hours.
Tim Freestone (25:10.177)
Hmm, not long then.
Tim Freestone (25:19.032)
Yeah, yeah, that is, yeah.
Patrick Spencer (25:22.219)
That’s about the points. Yeah, definitely. Multiply that about 20 fold, and that’s what the average time is, right? So.
Jason Rebholz (25:27.277)
Yeah
Tim Freestone (25:28.37)
Yeah, I mean, you know, one of the obviously the strategies for hackers is to get in and lay low, not raise any alarms for a while, be very cautious and deliberate in every move. So, you know, kudos on MGM for their alert system and moving so quickly. Yeah. Right.
Jason Rebholz (25:45.867)
Exactly. But you know, the media doesn’t pick up on that, right? And how would they? It’s hard to pick that out. And that’s where it’s just like, this is why I hate victim shaming, because it’s like, listen, it’s just could be any one of us, right? And there’s always a lesson to learn. But you know, we can do that in a respective, respectful way, versus, you know, I see a bunch of comments on it. Oh, I can’t believe you know, the help desk and you know, more user training, blah, blah. It’s just like, totally get it, right?
Tim Freestone (25:56.476)
Yeah, for sure.
Jason Rebholz (26:13.968)
But those are probably people who haven’t run a full program either.
Tim Freestone (26:16.867)
Yeah.
Patrick Spencer (26:17.871)
Yeah, very true. You’ve written a lot, you know, we talked about the MGM, you know, we have the Microsoft breach that happened some time ago, but you know, it’s been in the news the last, last month or so you’ve written a lot about identity authentication management, MFA, not enough, you know, can you talk a bit about your perspective on that and then, you know, this Microsoft hack is quite serious since it was a rogue nation state attack and we’re seeing more and more of those.
obviously. How do you stop those? Defense in depth is obviously one approach, but any other recommendations.
Jason Rebholz (26:54.755)
Yeah, so the MFA piece is really interesting for me, because this is the state of security, where it’s always “do this,” right? Or “do this,” and we tend to forget about the next parts, right? And so we have long been touting, as an industry and as security professionals, that MFA is the way to go. And it is 100% true. But the type of MFA that you implement is very important, especially today. And so the challenge that we’re seeing today, in threat intel, right, where attacks are going, is that we’re seeing an increase in attacks where attackers are bypassing MFA, weaker forms of MFA, right? SMS, push-based authentication, one-time passwords, right? And so the scary part of this is, for an organization that might be investing hundreds of thousands of dollars to put MFA in place, they’re gonna get to the end of that and say, all right, we did it, we implemented MFA. And somebody is gonna ask the question, oh, well, what are you supporting? Well, we’re supporting SMS, we’re supporting push-based, one-time password, and we’re testing out this passkey thing, right? Or this hardware key thing. And you’re like, great, you have the ability to do the most secure way, but you also have all the insecure ways. And so it doesn’t matter if you have this big shield in front of you if all your sides are exposed. Right. And so that’s where we are. It goes back to the education and training of what is happening in the attacks and what’s capable. We have phishing toolkits that can bypass MFA, weaker forms of MFA. Right. We have…
Tim Freestone (28:20.118)
Hehehe
Tim Freestone (28:38.966)
So you’re saying basically don’t just skip the weaker forms, go spend all your time on whatever the most current, most effect… Yeah.
Patrick Spencer (28:44.612)
One Earth.
Jason Rebholz (28:46.271)
Exactly. I have no doubt that at some point in the future, the most secure form today is not going to be the most secure anymore. This is where security is, it’s an endless game of survival. Choose your best weapon today that’s going to give you the best longevity. Don’t choose the thing that’s 10 years old that has known bypasses because you’re just investing your time in an inferior solution. The economics of it are not that different.
Tim Freestone (28:52.466)
Right. Yeah.
Tim Freestone (28:57.398)
Mm-hmm.
Jason Rebholz (29:13.687)
And we live in a time where, if you go the most secure route, you’re actually in a position to have a better user experience too. Right. And so that’s where we get kind of stuck on how we’ve always done things, like VPNs, right? And it’s like, well, we’ve always done it this way, it’s just how you do it. And it’s like, nope, there’s new tech out there that can help make it easier and more secure.
Tim Freestone (29:20.667)
Mm.
Tim Freestone (29:28.462)
Pretty sure.
Tim Freestone (29:33.622)
Yeah, I’m going to drop a weird question on you. I thought of it just now, and you probably don’t have an answer. But, you know, knowing that we’re always in this cat-and-mouse game, endlessly chasing the latest to oust the weakest, let’s say: if there was a technology that you could imagine that could be invented, that isn’t invented, for cybersecurity, what would that be? Is there a gold standard that people just can’t even do because the technology doesn’t exist for it yet? Have you ever thought about that sort of utopic “well, if we had this thing, it would forever end…”? Something along those lines.
Jason Rebholz (30:19.119)
I think it’s actually the connective tissue between it all. Right? Because, you know, I could go and I could wish for…
Tim Freestone (30:25.154)
Good answer, good answer. It feels like a game show. That’s an excellent answer. Yeah, continue, sorry.
Jason Rebholz (30:33.303)
Yeah, you can always… like, I would love to have the EDR that catches it all, right? I would love to have the email security that catches it all. But the problem is that the attack surface is too large for one single technology to do it all. Right. And so what I would love to see is: how do we have best-in-class detection capabilities with best-in-class containment capabilities with best-in-class response capabilities? Right.
Tim Freestone (30:38.027)
Mmm.
Tim Freestone (30:46.406)
Mm-hmm
Jason Rebholz (30:58.807)
And you throw all this together, if I can have the perfect recipe here, with a security program that is staying on top of everything, right? And to me, it’s just like, how do you reduce the time from detection to containment to remediation, right? Like, you can have all this, you can have Swiss cheese as an external perimeter, but if you can catch everything and instantaneously contain it and stop it from doing anything else, I don’t know, are you just as secure as somebody that isn’t Swiss cheese? I don’t know. I think that’s actually a really interesting thought experiment here, because at the end of the day, security is about preventing the attacker from getting to the end goal. You called it out before with the data. The whole goal is to prevent data from getting lost. You’re not going to get style points by having all the latest, greatest technology. It’s like…
Tim Freestone (31:48.833)
Right.
Jason Rebholz (31:50.247)
How many times has somebody gotten to that end goal? And you might go your entire career in security and never have an incident, and I hope that’s the case for you. But in the one incident that you do have, if you can quickly contain that, that’s still a W in my book. Stop it where it’s not a company-ending event, that’s a W. And I think that’s the challenge with any company.
Tim Freestone (31:53.172)
Mm.
Tim Freestone (32:12.259)
Mm-hmm.
Jason Rebholz (32:16.059)
They think you have to go for perfection, where you’re never having somebody break in. It’s just, no, no. How do you build a resilient environment that can withstand these attacks so that you can still continue your business operations in the current state of the cyber threat landscape?
Tim Freestone (32:31.97)
Yeah, and to parrot it back, it’s some sort of technology that provides the connective tissue across the entire landscape of all the different technologies for rapid response, essentially.
Jason Rebholz (32:45.495)
Exactly. Yeah, because it’s like, how do you create the hive mind of technologies so that, you know, when you’re getting hit on the right side here, it’s automatically adapting your environment on the left to put more controls in place to keep you secure. It’s that flexibility, it’s that resilience.
Tim Freestone (32:49.55)
Sure.
Tim Freestone (33:01.586)
Yeah. So here’s what we’ll do, Jason. You and I will put together a pitch deck and go get 150 million in Series A and see where we can go with it. Yeah.
Jason Rebholz (33:10.075)
Let’s do it.
Patrick Spencer (33:14.487)
I had a couple of questions for you around third parties. You don’t have any of those in insurance, right? You probably read the IBM report that came out a couple of months ago now, I guess, and there’s quite a bit in that report this year. It’s actually the best report yet, in my opinion. But there’s a lot of information around third-party risk contained within it, such as…
Jason Rebholz (33:21.475)
No, not at all.
Tim Freestone (33:22.402)
Yeah.
Patrick Spencer (33:39.467)
I pulled a couple of data points here. 15% of all data breaches involve third parties. And the risk of third parties is higher. They had this algorithm they inserted this year, which is kind of interesting, around cost amplifiers: where if you’re lacking cybersecurity skills, you have system complexity. To your point about the connective tissue and everything talking to each other, it’s not highly complex to manage. And then…
Jason Rebholz (33:54.375)
Thank you.
Patrick Spencer (34:06.811)
Lo and behold, regulatory compliance, non-compliance in this case. If you failed in those different areas, then the cost of a breach was dramatically higher. I mean, we’re talking 20, 30% higher in some instances than organizations that had less complexity when it comes to their security systems, or that have greater compliance with regulations in their industry and so forth. How do you, as an organization, manage your third-party risk? That seems to be a problem for most organizations. And then that factors into, I suspect, the technologies that you purchase. And maybe that’s the derivation behind what you’re doing with Teach Me Cyber, which we haven’t gotten to yet. I know we’re going to want to talk about that before we end the conversation.
Jason Rebholz (34:48.962)
Yeah, third-party security is an interesting thing. And the way that I look at it, and let me just start by saying, I think it’s completely broken today. I don’t think any of the solutions that are out there are effective. I don’t think anyone’s happy with them. And I think we can see the numbers representing that. And the reason behind that is, I think it’s all built on what is somebody’s interpretation of their own security, right? Like, you know, just like everybody else, we’re going to do the security questionnaire because you have to. You literally have to, I have regulations telling me I have to do this, so I’m going to do it, but how do you put your own spin on that? Right. And so, you know, it goes beyond, you know, just…
Tim Freestone (35:23.05)
That’s right. Yep. Mm-hmm.
Tim Freestone (35:31.927)
Mm-hmm.
Jason Rebholz (35:38.667)
I’m not going to trust what they’re putting in their security questionnaire, because they’re putting their best look on that, their best spin. And so I’m looking at it from: let me assume that they’re garbage to begin with. They can tell me they’re the best in the world and I’d love to believe them. I’ll trust, but I’m going to verify. But let’s assume they’re not good at security. What’s the impact on my business and how do I mitigate that risk? And so that’s going to be…
Tim Freestone (35:44.834)
Right.
Jason Rebholz (36:06.647)
Let’s not give them admin access to our entire environment. If they don’t need to access our environment, let’s not do that. If we’re sharing data, well, what data are we sharing back and forth, so that we know how we classify that data? How do I know when we’re sending really critical data outside of our environment, so that if they get popped, I’m aware of the impact immediately? And so I think that’s really what it comes down to. It’s like, you have to…
Tim Freestone (36:10.451)
That’s right.
Tim Freestone (36:29.143)
100%.
Jason Rebholz (36:34.475)
Play the security questionnaire game, because you have to do that, but do not take that, or any report that they send you, as a stamp of approval that they’ve got stuff under control. You have to assume they don’t, and you have to do the things that you can control in your environment to mitigate the impact of an issue in their environment.
Tim Freestone (36:55.798)
Yeah, couldn’t agree more. You know, Gartner does a lot of great work, obviously, and there’s only so far so many smart people can take things. But when you look at the third-party risk management recommendations, they have this sort of flow chart, and it just ends with: now you decide whether you work with them or not. It’s like assessment, et cetera, et cetera, contract implications, go. And then after that, it’s just crickets. Do that again every quarter or something. But, to your point, while you’re doing business with them, you may wanna control and classify the data that goes to them, and you may wanna make sure that when you’re done doing business with them, you have control over that data and you can take it back. All sorts of data, again, back to the data layer stuff. It just becomes more and more important with third parties, because most enterprises have thousands of third parties in their information supply chain. So you’re not letting those folks VPN into your network. And they don’t want to have a VPN agent on their computer either. So I understand the layer of intel, and to your point, yeah, sure, go ahead and do that. But you’ve got to manage the data while you do business with people. Otherwise, you’re just blind.
Jason Rebholz (38:13.851)
And I think that’s the tricky part with third-party security breaches, because so many people that are out there, they think third-party breach and they think, oh, well, the Target scenario, right? It’s like you breach the HVAC provider and that gained access into everything else. But you’re in hot water if your data, that you’re supposed to be protecting, ends up at a third party and they get breached. Like, guess what? Your customers don’t care how it happened. They only care that their data, that they trusted you with,
Tim Freestone (38:28.235)
Mm.
Tim Freestone (38:38.763)
Right, yeah.
Jason Rebholz (38:42.923)
was compromised. And so guess what, you are left holding the bucket, right? And that’s where, like, data, I think data is one of the hardest things to solve today. Because there’s so much of it and the sprawl is so real. And so, yeah, if you don’t know where data is going or leaving, you know, coming or going, right, you’re operating in a state of bad visibility. And we always say, and I think I’ve grown to hate this statement, right, but you can’t protect what you don’t know about, right. But it’s true with data too, right? It’s like…
Tim Freestone (38:44.095)
Yeah.
Patrick Spencer (38:44.159)
Yeah.
Jason Rebholz (39:11.439)
Do you know what your sales team is sending out to their prospects? Do you know what your finance team is sending out to other vendors? There’s so much sensitive data that can be misused, or used against you, or require notification to your customers. It’s tough to really get your arms around it, and when you throw the third-party scenario into that, it just makes it that much harder.
Tim Freestone (39:34.655)
Yeah.
Patrick Spencer (39:36.472)
You spoke about how cybercriminals are leveraging, or attempting to leverage, the generative AI technologies. Your organization is probably like us. We’ve actually used it immensely for the last eight or nine months, as Tim can attest. There’s a lot of data that individuals, as well as organizations, are pushing up into those public AI LLM clouds. You know, is that something that’s on your radar? Are you worried about what financial documents folks have access to, tracking to make sure that they’re not loading those into ChatGPT, or not taking PII data and inadvertently putting it in there, or even the prompts that your organization’s created? Those are proprietary. You don’t want to expose those to your competitors in the marketplace. Where is that on your risk radar right now? Out of curiosity.
Jason Rebholz (40:32.051)
So, I mean, candidly, I would put it as a lower risk, right? Like, I’m much more worried about somebody, you know, socially engineering our help desk, right? Or sending a phishing email, because that’s just the current state of attacks, right? And so when we get into some of the gen AI stuff, you know, there’s the risk to confidential data, and, you know, we address it, right? We don’t ignore it by any means, right? We don’t want people uploading confidential information to OpenAI, we don’t want them to send anything that they shouldn’t be outside, because there is the potential risk there. But I think too, if you look at what the total risk is, right, well, okay, OpenAI can get that information and potentially use that in their models. Somebody still has to have a very specific prompt to try to extract that data, if it even gets to the point of being used in those models. And so that’s where I think the theoretical risk is there. The practical risk is probably lower, right? And so for us, it’s, you know, how do you address this via policy, you know, make sure that people are aware of the risks and do the right thing. But, you know, is this going to be a company-ending event? No. If I’m worried about the financial information, I’d be worried about the third-party breaches over something via an LLM sitting out there on the internet.
Tim Freestone (41:56.202)
Yeah, I agree with that statement. The one part that we’re seeing growing, or the one divergent, is companies that are building their own applications using open source large language models, and just sort of how insecure that is. It’s back to when people were building web-based applications, nobody gave a shit about security, then the WAF market grew, and things like that. But now that it’s happening, even if you have an internal application that’s an LLM application, your company’s built it yourself, it’s ring-fenced in a database, internal, on your servers, but it’s internal, so you’ve loaded a lot of sensitive information into it. That’s where I think, maybe in a year, when every enterprise has 10 to 20 LLM applications for different use cases with different data, it’ll be interesting to see how security evolves to protect those scenarios, you know, versus the leaking to public LLMs, right?
Jason Rebholz (43:04.803)
I think you’re right. And I think, you know, one, I would be curious how many companies out there are building their own LLMs and why they’re doing that. Because that’s a whole other thing. But yeah, I would say with a high degree of confidence that anyone that’s building this in their homebrew environment is not prepared to protect that data. And, you know, it starts with what data are you giving it? Right? So, you know…
Tim Freestone (43:24.385)
Yeah.
Patrick Spencer (43:24.436)
Yeah.
Tim Freestone (43:27.83)
Yeah, absolutely.
Jason Rebholz (43:29.655)
I think that’s part of it. Again, I’ve seen some companies that are popping up that are trying to basically bring enterprise search capabilities via LLMs to all of the company’s data. And that becomes an interesting problem. Because if the whole point is to have accessibility to data and be able to summarize and blah, that becomes a very complex issue, especially when you’re talking about identity and access management with that.
Tim Freestone (43:37.72)
Mm-hmm.
Tim Freestone (43:41.428)
Right.
Jason Rebholz (43:58.583)
…need some information, your execs need another. Is that all sitting in the same spot? How are you separating them? Right? And that’s where it could get really dicey, because there’s no good solutions for it today, in my mind.
Tim Freestone (44:01.866)
Mm-hmm. Right. Mm-hmm.
Tim Freestone (44:09.086)
Nope. And everybody, the AI companies, the companies building AI themselves, the infrastructure companies, the cybersecurity companies, it’s the old “building the plane while it’s flying,” but the plane’s going like Mach 7, you know. It’s like building the fighter jet, and we’re the bolts trying to hold it together. I’m just looking for, at one point,
Jason Rebholz (44:26.852)
Exactly.
Tim Freestone (44:38.162)
some sort of MGM-level accident from this adventure everybody’s on, right?
Jason Rebholz (44:43.491)
Yeah. And it will happen, right? I mean, look at the internet, right? It was created very quickly to try to get information sharing going, and we’re all better because of it, arguably, right? Somebody might have some different opinions on that, right? We could find ourselves in a similar situation here, where the growth and the capabilities and the positive impact that it has could…
Patrick Spencer (44:57.606)
Thank you.
Jason Rebholz (45:09.419)
outweigh, today at least, the security implications, and then a couple of years down the line, we’re like, oh gosh, we’ve made some bad decisions. I think one of my favorite things that I saw with this is with OpenAI. They’re obviously the leader in the space right now. They also were investing in technology to try to detect defects, basically, and AI-generated information. They stopped because they found it was too difficult.
Tim Freestone (45:32.599)
Yeah.
Tim Freestone (45:37.486)
Couldn’t do it, yeah. Right. Yeah, yeah.
Jason Rebholz (45:38.703)
That’s terrifying, right? If the creators can’t even get it, like, man. You know, I’m sure somebody will come up with something, but I actually am more worried about the state of disinformation than I am about the security implications, because in my mind, and I might be wrong on this, right, if there becomes an over-reliance on these GenAI tools… you know, GenAI is really good at finding the average understanding of something. And when we start to rely on the average understanding, we work closer and closer to average, which only drives us below average. And so I think the world is going to be a really interesting place in terms of how we look at what knowledge is fundamentally, and how we drive things forward, you know, in a state where we are working in a weird spot where all knowledge workers have access to the same information. But how do they use that, and how do they differentiate from it?
Tim Freestone (46:22.53)
Mm-hmm.
Patrick Spencer (46:36.007)
Yeah, the difference is important. Yeah.
Tim Freestone (46:36.096)
Yeah. Yeah, it’s a very interesting time to be alive. And to prove it, they found two aliens in Mexico a couple of days ago. So that plus AI, this is awesome.
Patrick Spencer (46:44.651)
I’m going to go to bed.
Jason Rebholz (46:49.405)
There you go.
Patrick Spencer (46:51.347)
All right, we’ve got to talk about this before we end. Teach Me Cyber. What was the derivative? Because it’s really cool. Our audience needs to know about it. When did you start it? I think you’ve done like 300-some episodes on YouTube, if I remember correctly. Why? And what is it?
Jason Rebholz (47:08.911)
Yeah, YouTube is a little bit earlier on. Hopefully I’ll get to the point of having 300, but I’m more active on LinkedIn. And the genesis for it really came down to a little bit of a fit of rage. One day I was reading an article on a news site, and I won’t say who it was, but it’s a prominent security site. It should have been a very basic article, but they start throwing in these screenshots from IDA Pro, which is a reverse engineering tool,
Tim Freestone (47:20.65)
Hmm
Jason Rebholz (47:39.251)
that less than 1%, even less than that, I would say, probably even lower than that, of the entire security population is gonna be able to decipher. And so I recognized something at that point. For people who are trying to get into cyber, the less technical, non-technical, interested, just trying to understand how these attacks happen, this isn’t cutting it. And so one of my superpowers from doing consulting for so long, and honestly just getting beat up in boardrooms and everything, was: how do I take a very technical topic and translate that down into something that anyone can understand? As I was building out this threat intel program at Corvus, I said, you know what, if I’m reading this stuff anyway, I might as well give my take on it. That morphed into this Teach Me Cyber thing, where it’s every day dropping some knowledge bombs on LinkedIn to just try to help people better understand security. And then that morphed into a YouTube channel. And so, yeah, I’m just kind of seeing where it goes and where it takes me. But at the end of the day, if I can help just one person better understand what’s going on with MGM, and how to take what’s happening and have a practical input into what they’re doing for security, that’s a win.
Patrick Spencer (48:58.943)
Yeah, it’s a really cool initiative. Everyone can find it on your LinkedIn page, which is on our webpage with this podcast. You can also obviously Google it and locate it. It’s also on YouTube. Well, we could go on for another hour. Unfortunately, we’re time constrained. This has been a very thought-provoking and interesting conversation, Jason. We really appreciate it.
Jason Rebholz (49:21.955)
Yeah, thanks for having me.
Patrick Spencer (49:24.055)
And for the audience, we always appreciate you tuning in for a Kitecast. You can check out other Kitecast episodes, and there’s a bunch of them, just as interesting as this conversation with Jason, at Kiteworks.com/Kitecast. We look forward to having you on our next Kitecast episode.
Patrick Spencer (49:45.319)
And I’ll stop it for a try anyway. Here we go.