Unspoken Security

Why Incident Response Keeps Failing

AJ Nash & Zoë Rose, Season 1 Episode 50

In this episode of Unspoken Security, host AJ Nash sits down with Zoë Rose, SecOps Manager at Canon EMEA. They explore the real-world barriers to building effective incident response programs and discuss why so many organizations struggle to move beyond reactive firefighting.

Zoë shares her perspective from both consulting and in-house roles, pointing out that most incident response teams are overwhelmed, under-resourced, and stuck dealing with basics that never get fixed. She explains why expensive tools and new technology often miss the mark when organizations skip foundational work—like asset inventories, clear policies, and tuned alerts. Zoë urges listeners to focus on practical steps, such as documenting processes, improving communication, and building trust between technical teams and business leaders.

Throughout the conversation, Zoë breaks down how real change happens: by investing in people, closing skills gaps, and fostering a culture where mistakes drive learning instead of blame. The episode ends with a reminder that effective security is not about quick fixes or flashy tools, but about honest assessment, teamwork, and steady improvement.




Transcript for Unspoken Security Episode 50 - Zoë Rose

[00:00:00] Zoë Rose: Simplicity is going to make security more effective.

[00:00:03] Zoë Rose: But no environment I've been in is massively simple. And so we need to simplify, yes, but we also need to plan for these unknown unknowns. We need to plan for these risks that we see in an effective way so that when they come up, we also learn from it. And we've planned a way to respond in a structured way.

[00:01:12] AJ Nash: Hello, and welcome to another episode of Unspoken Security. I'm your host, AJ Nash. I spent 19 years in the intelligence community, mostly at NSA, and I've been building and maturing intelligence programs in the private sector for about 10 years. I'm passionate about teaching, mentoring, public speaking, intelligence, security, all these things, right?

[00:01:31] AJ Nash: I also have a master's degree in organizational leadership from Gonzaga University (Zags), so I continue to be deeply committed to servant leadership, as that was a big part of that program. Now, this podcast brings all these elements together with some incredible guests to have authentic, unfiltered conversations on a wide range of challenging topics.

[00:01:46] AJ Nash: It's not your typical polished podcast. My dogs make occasional appearances. Full disclosure, it's about four in the morning here right now, so they probably won't be on today. But they have shown up before. People argue here. We debate, we even swear here. I certainly do my fair share of that.

[00:02:00] AJ Nash: And that's all okay. I want you to think of this podcast as a conversation you overhear at a bar after a long day at one of the larger cybersecurity conferences. These are the conversations we usually have when nobody's listening.

[00:02:11] AJ Nash: So today I'm joined by Zoë Rose, SecOps Manager for Canon EMEA.

[00:02:15] AJ Nash: She's a cybersecurity specialist with extensive experience in designing and executing cybersecurity awareness programs and maximizing the value and effectiveness of technical cybersecurity controls across a variety of industries. She's a Cisco Champion and a certified Splunk Architect. She's been included in a list of the 50 most influential women in cybersecurity in the UK.

[00:02:33] AJ Nash: She's also been quoted in the media, presented on national news and been featured in Vogue Magazine, and now she's stuck with me today. Anything you want to add to that bio, Zoë?

[00:02:43] Zoë Rose: Not really. You make me sound a lot cooler than I am. I will just say, cool.

[00:02:48] AJ Nash: Well, I mean, the bio certainly sounds pretty cool and, and all the prep conversations we've had, I'd say you're pretty cool. We had some conversations that, I won't be sharing with others, but, I certainly would, would say that we're cool. You're cool, to say the least. So. And interestingly, today we're gonna have a conversation on a topic that I find very interesting.

[00:03:06] AJ Nash: I don't know if everybody thinks it's cool or not. It's certainly a big part of what we all go through. You know, let's talk about how do we improve incident response programs. Now listen, I went through a brief, you know, run of your bio. Like I said, you've been around a lot of different places, right?

[00:03:18] AJ Nash: You've been in different companies, you've been in different countries. I believe you've told me you've been in more than you, you know, you've worked in more than you can actually list at this point. So overall that, I'm gonna go ahead and gamble that you've probably seen a lot, both the good, the bad, you know, some large enterprise, small, you know, business, everything in between.

[00:03:33] AJ Nash: How would you describe the current state of incident response programs in general? Or if you wanna talk specifically about, you know, different regions and comparisons, how would you describe the programs we have right now?

[00:03:43] Zoë Rose: I think I'll talk in general because, to be clear, there are some programs that are excellent. They're, you know, very hardworking people. They've put in the work and they're very mature. On a majority amount, I would say that's not the case. The techs, not to discredit the work they've put in, but in a lot of situations, the people actually doing the incident response are probably overwhelmed. They may not be fully supported and I, I mean, like, maybe they don't have the right skills. Maybe they don't have the right team members. Maybe they don't have the right capacity availability because incident response is put on the back burner and it's like, oh, we only, you only need to do it when an incident takes place.

[00:04:24] Zoë Rose: In reality, that probably means they're under budget or under the required budget. Don't have the right tools. Don't have the right visibility. So in a lot of cases that I joined as, again, I was a consultant for a very long time. Well, to me it seems very long. Maybe not for other people, but, and so I often was called into organizations either as the incident responder or post an incident or, trying to, build a secure by default, by design, set up.

[00:04:53] Zoë Rose: So target operating modules, different toolings, all of this. And they're usually in a firefighting state. They're not a, we are continuously improving. We're firefighting. We are trying to keep up with the overwhelming noise of our tooling that has not been tuned. The overwhelming situation where we don't know what's in our environment.

[00:05:16] Zoë Rose: We don't have the authority to change it. We are just not set up to succeed. We are literally set up to fail. And, and so that I would say is the more likely situation that I've come into. Obviously I'm, I'm talking from my consulting side. I'm not talking from my current situation. I'm quite happy with where I currently am.

[00:05:36] Zoë Rose: Otherwise I wouldn't still be there. But, but in an overwhelming majority, I would say, or maybe from my experience, they're not in a mature state. And as I said, they're firefighting. So I'm dealing with this incident, this other incident is happening at the same time. I only have me to respond to it.

[00:05:56] Zoë Rose: You know, like that's often been a situation that I've seen. And I will be the one called in. And the relationship there is, well, I already know this. I've already told senior leadership, you know, you're not telling me anything new, and egos are a big problem. And I'm like, whoa, whoa, whoa. I'm here to help you. Tell me what it is that senior leadership is not listening to, because they're paying me a lot of money right now so that I can then highlight it, I can make it visible.

[00:06:22] Zoë Rose: And so this change can happen for you. So I think, yeah, on a, maybe things have changed since I've moved into a corporate role. I suspect not. But yeah, it's not a, it's sexy. You know, we've got all these beautiful diagrams and we're responding to this map going pew, pew, pew. No. We're usually like overwhelmed, highly caffeinated and exhausted, working at three in the morning like you're doing right now.

[00:06:50] AJ Nash: Mm-hmm. Well, it's interesting, you mentioned some interesting things I wanna jump into on that. So at one point you'd said, you know, it's, we don't really worry too much about it. Well, it's only needed in an emergency. Right. So, you know, as you mentioned, like underfunded under planned right. And all I thought of as you were saying that was, imagine if that's how, like medical services worked, right?

[00:07:07] AJ Nash: Oh, the emergency room. Yeah. We don't really worry about training or funding for that. It's just occasionally when there's an emergency, we'll deal with it. Right? That's the wrong time to start trying to figure things out. Right? In order to handle emergencies, you have to really be well prepared, right?

[00:07:19] AJ Nash: You have to do a lot of, a lot of training and a lot of education and a lot of, you know, tabletop exercises in terms of cybersecurity, you

[00:07:25] Zoë Rose: And I think

[00:07:26] AJ Nash: response, things like that.

[00:07:27] Zoë Rose: what you just said, tabletop exercises for me. If you don't have the policies, you don't have the documents, you don't have the processes in place, you. It's really hard to do a tabletop effectively, because even if you're doing a, there's so many gaps that yes, it's going to help, don't get me wrong.

[00:07:44] Zoë Rose: I will never say a tabletop will not help,

[00:07:46] AJ Nash: Mm-hmm.

[00:07:47] Zoë Rose: of that information is locked in somebody's head. And unless the foundations are there, they have the right tooling, they have the right visibility, they have the right tuning on that tooling. They have the right policies, they have the right awareness.

[00:08:02] Zoë Rose: Unless that foundation is there, they're not going to continuously improve. They're going to be firefighting. And like, think of a situation where you know you are an organization, you've been compromised. It's above the capability of your team because to the best efforts of the team, they may be excellent, but there is a limit to their skill.

[00:08:23] Zoë Rose: Right there, there's a cap, there's a limit to my skill. And so in some situations you have to call in support. If you call in support and you don't have a baseline, you don't know what your environment looks like, how the bloody, how are they gonna help you? They're gonna spend half the time just figuring out what the fuck is going on.

[00:08:39] Zoë Rose: Sorry.

[00:08:40] AJ Nash: No, you're exactly right. And I think that's, I think that's a key piece, right? Is there's not enough time and effort, money, put into the preparation, right? Put into the, the things I, I think, you know, what I've seen at least is, is there's a challenge, it's a business challenge, I suppose, in that almost everything we do, somebody someplace says, well, what's the return on investment?

[00:09:01] AJ Nash: And yeah, when you're dealing with things that are a future state, there's no return on investment today because you have to explain to people why this matters. Well, we'll deal when it's an emergency. Well, that won't work. Like you will fail if you haven't, like you said, if you don't have these policies and these processes in place, if I don't know the escalation process, if I don't know who to talk to, if I don't know who to bring in and when and don't have the baselines to hand them.

[00:09:23] AJ Nash: So if they do come in to help, they're all scrambling too. 'cause we still don't know anything. You know, you come into an organization and you try to help someone with incident response and, and you don't have a Crown Jewels assessment. You don't have, uh, a CMDB that you believe in and, you know, find anybody who does, I'd

[00:09:35] Zoë Rose: because

[00:09:36] AJ Nash: first

[00:09:36] Zoë Rose: way too often

[00:09:38] AJ Nash: of course.

[00:09:38] AJ Nash: It's, it's exactly what happens. I, I get on stage and talk to people all the time about that. I'm like, you know, everybody raise your hand if you're comfortable with your CMDB. Uh, and for those who don't know what a CMDB is by any means, it's your entire maps network, your configuration mapping for everything.

[00:09:51] AJ Nash: So knowing what every system is and what operating system is on it, what version it is, and all these things, right? And where everything's located and how everything's

[00:09:56] Zoë Rose: what you need for example.

[00:09:58] AJ Nash: Yeah, exactly. But a lot of organizations don't, you know, like Right. I stand on stage and say, raise your hand if you're comfortable with it.

[00:10:04] AJ Nash: And everybody just giggles and laughs. Nobody raises their hand. And I think, well, that's tragic. This isn't funny. I'm old school military intel. Right. So it's Sun Tzu, like, you know, I know your, know yourself, know your environment.

[00:10:14] Zoë Rose: But, but let's, let's look at media incidents that happened that were very public. Yeah. 2013, Target had an incident where they didn't follow Principle of Least Privilege. The HVAC company was compromised. They gained access to the sales, point of sales, et cetera.

[00:10:32] AJ Nash: Yep.

[00:10:32] Zoë Rose: You would think, oh my goodness, 2013 major incident, let's learn from that. Capita recently was fined, what, 14 million pounds because they didn't follow principle, principle of least privilege. They didn't effectively, effectively respond to, alerts. Just like Target, what is that, 10 years maybe or more?

[00:10:52] Zoë Rose: I don't even know. Um, between, well, I don't remember when Capita's incident was, so it might have been just 10 years. I don't know either way. Yeah, I think it was 2013, maybe 20. Anyway, either way. That's 10 years or so that we should have bloody learned and we didn't. And I mean, I don't have insider knowledge on either of those, situations of those texts.

[00:11:14] Zoë Rose: I don't know. I imagine they were doing as best they could, but the reality is this is not new. None of this is new. Like I do, I've been doing public speaking for over 10 years now as well and well, I guess maybe 10 years this year probably. And of the things that I'm saying were new, you know, like it's, I I did a talk recently about innovating securely, and I'm talking about please just have your foundations like you wanna build, you wanna be scalable, well plan for that instead of dress for the job you want, bloody plan for the document for the organization you want.

[00:11:52] Zoë Rose: So yeah, it's, none of this is new. How do we learn from it? Well, take notes from what's happening in the media. Take your lessons learned. You know, use public, publicly. If you don't have a big budget. Everybody has a limit to their budget. Don't get me wrong, I have a limit to my budget. I have to do budgeting every year, but I put in place what I can afford.

[00:12:17] Zoë Rose: Yeah, because I can't go bankrupt trying to secure the environment, but also I use publicly available resources. You know, maybe, uh, the NIS Directive, maybe that's not applicable to me, but there's a lot of documentation online if you need to be compliant with it. Make use of that. What are their, what are they teaching you?

[00:12:35] Zoë Rose: What are those foundations? You know, not everything costs money. A lot of things do, but not everything does.

[00:12:44] AJ Nash: No, it's true. I mean, you make, you make a good point there too about, you know, learning from past experience, right? and I've seen the same thing, right? It, for years, I still have it occasionally now, you know, people will say, you talk about like, what, what's the best thing I can do?

[00:12:55] AJ Nash: What are simple things I can do to be a more secure environment or more secure individual user, et cetera. And I talk about passwords and people get all mad, like, don't talk to me about random passwords. Oh, don't talk about password reuse. You know it, I've heard about that forever. It's boring.

[00:13:07] AJ Nash: Gimme something new. I'm like, well, I'll stop talking about it when you start doing it. How's that? So as long as I continue to find password123 out there, or somebody who has their, the same password for their corporate account as all of their banking accounts and all of their email accounts at home.

[00:13:20] AJ Nash: I'm gonna keep saying it. The reason security experts keep saying this is 'cause people don't do it. It's as simple as that. You know, two-factor authentication is a simple solution for a lot of problems. And very few people statistically are doing two-factor authentication, multi-factor authentication, something that would solve so many issues, and people still just don't adhere to it.

[00:13:39] AJ Nash: And then you say, well, yeah, I keep telling you things that you've heard before and it's not innovative, it's not new. It's exciting. It's not exciting because you haven't done the basics still, you know, there are so many basic hygiene things, most. I think most, you might, you, you'll correct me if I'm wrong here on, I think most security incidents still end up being a basic hygiene issue.

[00:13:57] AJ Nash: Something, you know, a misconfigured, a bucket, in a cloud instance, for instance, something very simple, right? A bad password. Somebody still had a default password on a router at home. Like, it's all these things that are just very basic things, that don't get done.

[00:14:10] AJ Nash: And then people, you know, they're like, well, I've heard that before. I want something sexy and exciting and new and interesting. I'm like, well, I'm not gonna tell you all the, the third layer of things you need to worry about when you haven't done the most basic things yet. I'm not gonna talk to you about building an incredible security home security system with cameras and, and all these things.

[00:14:25] AJ Nash: If you're not locking your front door, closing your windows, like there's no point in having this discussion, right? And yet, people, that's what they want. They get frustrated about hearing these same things over and over again. It's like, well, 10 years and you haven't done anything better about it.

[00:14:37] Zoë Rose: But I think it's because it takes work. So I can implement a sexy tool, I can spend a fuck ton of money on this tool, but if I don't tailor it to my environment, it's gonna be bloody useless. My, my team, so I'm the security operations manager. Yeah. So I've got a team of security analysts that have to respond to all of these events, investigate them, flag it as an incident, blah, blah.

[00:15:02] Zoë Rose: Yeah. They are continuously getting an insane amount of white noise, their entire day is built around responding to known false positives. That would be shit for them. I mean, they're not gonna enjoy that. They're not gonna innovate. They're not gonna, they're not going to be like, oh, I've noticed this massive trend.

[00:15:24] Zoë Rose: Because they're not going to see the trend because they're going to be drowning in alerts. And so when I implement tools, I'm not implementing the tool to solve the problem. I'm implementing a tool to then be tailored to our environment to then solve the problem, to then make the issues visible. That's the goal.

[00:15:43] Zoë Rose: It's not, this tool is not going to solve our problems. And also when people are like, oh, you know, we can use AI, it's gonna solve all of this.

[00:15:51] AJ Nash: It is everything. Yep.

[00:15:53] Zoë Rose: Yeah. Okay. Do you know what's going on in your environment? Do you know what to expect? How is AI going to learn? If you don't bloody know, you know, it's not going to, it's not gonna magically solve the problem if you don't have the foundations, if you don't know what's normal.

[00:16:09] Zoë Rose: There are certain things that tooling can help with. It can build baselines, but again, you've gotta edit it. You've gotta tailor it. You've gotta, this is a false positive. If it's gonna learn from this, it's gonna be wrong because it's not learned that this is false positive. Right. So,

[00:16:26] AJ Nash: Mm-hmm.

[00:16:27] Zoë Rose: yeah, I think, I think people are so crazy about, well, what's the new innovative solution?

[00:16:33] Zoë Rose: What's the new sexy rule? But they're forgetting the point you made about reusing passwords. I mean, look at Troy Hunt's Have I Been Pwned, his latest data breach was how many, how many accounts? And like an insane amount. 'cause it's an appendant, appending, append. It's, it's breach lists that are added together yet I

[00:16:53] AJ Nash: Right, right, right.

[00:16:54] Zoë Rose: And, and so some of them might be new, some might be old, whatever. and if you look at his blog post, it talks about, oh yeah, I used that password like 10 years ago. And there's other person's like, oh, I actively use that. You know, so people are actively reusing passwords, that are maybe massively old, older than me, maybe then, um, please don't do that.

[00:17:12] Zoë Rose: I mean, I'm not massively old, but I feel like if you're using a password my age, that is massively concerning. even my children days. But, um, but how do we deal with that? Well. There's password managers, make sure you have MFA, you know, even if your account is compromised because the password is compromised, you have MFA to stop the malicious actor, or at least delay them so that you can change it.

[00:17:34] Zoë Rose: You know, there's a lot of things we can do, but if we're not even putting the conscious effort into it, I can talk for hours about this stupid thing called security that I bloody enjoy because it's my like hyper focus, which is my own problem. I get it. I'm a nerd. But if you don't do anything, you're just gonna continuously fall victim to the same things.

[00:18:02] Zoë Rose: I mean, I had a client years ago that had an incident. I came, investigated, resolved the incident, gave them the report, said these are the things you need to remediate. I don't remember how long between, it wasn't a very long time between, had another incident, came in, I could have copy and pasted the reports.

[00:18:18] AJ Nash: Because I hadn't done anything

[00:18:20] Zoë Rose: not only had they done nothing, but it was the same incident. I was like,

[00:18:24] AJ Nash: of course.

[00:18:26] Zoë Rose: did I imagine this? Like, wait a minute.

[00:18:30] AJ Nash: me in? Why did you bring me in and have, do all work and give you a report if you weren't gonna take any actions based on that report? And lo and behold, the same thing

[00:18:37] Zoë Rose: do this, the amount you're me to do this, this is, it's, it's embarrassing for you. Like, goodness, and, and yeah, it's just like how many pen test reports that, I mean, I don't do pen testing anymore, but when I did, how many pen test reports did I hand over that got put on a shelf and got dusty?

[00:18:53] Zoë Rose: Like, why? Pay

[00:18:55] AJ Nash: yeah. There's an execution issue there, right? There's people, people frustrated about this and then bad things happen and you come in and you do your job, or, or maybe it's preventative, like you said, it's pen testing, and then there's more to it, right? You can't just get a report and go, okay, we see what the problems are.

[00:19:09] AJ Nash: Well, you actually have to execute on that. You actually have to do something about that. And we talked about, you know, going back into the, the crux of this, right? Incident response, right? And, and how to prepare for some of these things. So I, when I first moved into the private sector, I've been, I'm in the private sector now for whatever I said, I dunno, 10 years, give or take.

[00:19:24] AJ Nash: And my first gig in the private sector coming outta the government space was, was at a bank, right? And so I've done a lot of exercises over the years. I was military and then government. So I've done exercises that were cyber related. I've done, you know, exercises that were, you know, kinetic warfare related.

[00:19:39] AJ Nash: I have a background in some of these things, right? And so we were putting together this exercise, right? And it was gonna be a, a live one, not a tabletop. A full organizational exercise and building scenarios and all the things you have to do, right? And, and to figure out where we were. And I, not to call anybody out, a very, very good group for the most part, but it was interesting at one point as we were going through this and I said, all right, well we're gonna do for a white cell, and for those who may not know the term white cell, because it might be used differently in the private sector, but in the government space, that's the controlling element basically.

[00:20:04] AJ Nash: For your exercise, you have to have a control element. It's sort of like playing Dungeons and Dragons. You do have to have a dungeon master for anybody who's geeky enough to know what I'm talking about, or it doesn't work. Somebody has to actually be in control because things are going to go off the rails.

[00:20:15] AJ Nash: And you have to have somebody who's the hand of God who can kick it back into play and go, okay, well that person is actually in the bathroom. They're supposed to be answering the phone. They can't right now. We'll come back to 'em in a minute. Kick it back into play, right? There's gonna be somebody to do that.

[00:20:25] AJ Nash: And so this whole exercise being developed, this whole organization that, that was brought in and, and it was internal to the company. They were hired to build and do the exercise. They hadn't planned for a white cell at all. I was like, what are you, what are you doing? How's this gonna operate? It hadn't occurred.

[00:20:39] AJ Nash: I don't know how they brought these people in or what their backgrounds were, but they didn't have anybody to play the Dungeon Master. They didn't have anybody to be the hand of God, so to speak. And I, I explained it and they're like, oh, that's brilliant. You know, so here I'm a hero. I'm brilliant. I'm like, this isn't brilliant.

[00:20:51] AJ Nash: Like, yeah, that's, that was my reaction too. I, I was very brilliant for a while at that place. 'cause I kept saying things I hadn't heard of before that I far from invented.

[00:20:58] Zoë Rose: How.

[00:20:59] AJ Nash: was like, alright, hold on. We gotta, we gotta change these things, right? So we did, and we, you know, changed the scenario and, put white cell in and built that whole team out.

[00:21:05] AJ Nash: And, it was a very interesting day and we failed as you're supposed to, frankly, in these trainings. It's, another thing I think people don't gather is you should fail the exercise at least early on in your first one, you should fail miserably. That's the whole idea. So you figure out what you have to do and get better, and then you run another one, you run another one, you run another one.

[00:21:19] AJ Nash: And hopefully at some point you get sort of successful. And with every one you have these learnings, right? And you're able to take these notes and then you have to act on those to improve them. I don't know how many organizations do this. Well, this was a, anybody can look at my resume, they'll know where it was.

[00:21:33] AJ Nash: It was a very large bank, still one of the largest in the country, one of the largest in the world, I suppose. Plenty of money, and plenty of resources, and didn't have any idea how to do this. And I'm sure they do now, by the way, for anybody who wants to complain or if anybody who's at that bank wants to come yell at me, it's been over a decade, so I'm sure they're much better at it now.

[00:21:48] AJ Nash: But it was surprising to see how little people understood about it at the time. And then you have to, as you said, you've gotta document these things and then you've gotta act on them. You actually have to make improvements and you have to make changes in policies and processes and continue to exercise and exercise and exercise.

[00:22:03] AJ Nash: You can't just do it once and go, okay, well we did our test. Check the box, move on. I don't know any organization. You correct me on this one, if you know others. 'cause you, you know more than I do. I don't know any organization that regularly does live exercises, like incident exercises. I've been around a while and I don't know many.

[00:22:19] AJ Nash: Well, I'm gonna know one. Apparently Zoë, you run one. I don't, I haven't run into organizations who do this because from what I've seen, they either aren't prepared to do it or they just don't want the disruption. Right. If their days are

[00:22:30] Zoë Rose: Or they don't wanna pay the cost because it's not free. You know, you're not, you're. One thing that I've noticed coming from a consulting background, going into a corporate background, is a lot of times they don't consider the cost of time. They consider the cost of tools, but they forget that me, for example, costs more than an analyst because my time is more, not more valuable, but essentially I do cost more 'cause I get paid more.

[00:22:53] Zoë Rose: Right. So I find that interesting. But, which kind of goes against what I just said, but, but, they don't want the disruption. Yes. But they also don't want the cost because getting all the people in a room, especially when you have to get senior people in a room that's fucking expensive. Sorry.

[00:23:08] AJ Nash: It is. It is. But you know what, but you know what else is fucking expensive

[00:23:13] Zoë Rose: An incident, an incident

[00:23:15] AJ Nash: That's right.

[00:23:15] Zoë Rose: to pay a massive fine for.

[00:23:17] AJ Nash: That's right. A fine or the ransom or the, or the production loss or all the other things,

[00:23:22] Zoë Rose: Not just that, also the trust. The cost of customers, loss of trust in you, that's costly. And that's, it's embarrassing. It's costly. It's, you know, you, there's not an easy way to measure that cost even. So yeah, no, incidents are costly.

[00:23:40] Zoë Rose: Yes, preparing is costly, but not as costly and done properly can be really effective because you can identify, I've gotten to clients that I identified, the tooling they used is so expensive and it doesn't benefit them. It doesn't even meet their needs. So we removed that, got a cheaper one that actually worked better for them.

[00:24:01] Zoë Rose: I saw an interesting talk once, quite recently, about a company, their insurance company, and they research their customers and say, you know, do you have this? Do you have that? Do you have this? To understand, over time, of the customers they have, the ones that have incidents, what kind of tools do they have?

[00:24:18] Zoë Rose: What kind of, controls do they have? What kind of policies, procedures, to better understand their risk when they, offer it to customers so that they only offer customers that are actually, not gonna cost them money. 'cause their insurance, obviously.

[00:24:30] AJ Nash: right there. Insurance? Yeah.

[00:24:31] Zoë Rose: Yeah. But what I found interesting and what they said was a smaller organization needs more tools.

[00:24:39] Zoë Rose: A larger organization doesn't need as many tools because they have the people and the experience and the skills. Or maybe they have, more highly skilled, consultants, for example. And so balancing wise, a small organization should spend more on tooling than a bigger organization. Not more, but like percentage wise, more.

[00:24:58] Zoë Rose: And that to me was like, huh. If that makes sense. But I never would've thought of it. And so I think a lot of organizations, they don't know what their threat map is. They don't know what their inherent risk is. I mean, I've gone to organizations that didn't even know what an inherent risk assessment is, and I've gone to organizations that have never done a cybersecurity maturity assessment.

[00:25:20] Zoë Rose: Yeah. Okay. I kind of get not doing that if you're very immature, possibly. But a very mature organization also would benefit there, because if you do a granular assessment, you're going to see where those gaps in the foundations are that you wouldn't see just looking. Because I had an organization that had failures, like incidents, and they're like, why do we keep failing?

[00:25:41] Zoë Rose: Why do we keep having incidents? And I did a cybersecurity maturity assessment, and they had great programs. They had super innovative solutions, really cool tooling, really cool awareness programs. Like, I was very impressed. But they had small foundational gaps that actually meant that even though they were spending a lot of money over here, the gaps over here were causing continuous failures.

[00:26:07] Zoë Rose: And so spending a little bit less over here and spending it more over here actually improved them. And they were able to go forward and be a lot more structured in their approach. And some of it was boring. Boring stuff like writing a document, writing a policy, documenting roles and responsibilities.

[00:26:27] Zoë Rose: You know, like, yeah, okay. Not the sexiest part of security, but knowledge management is actually really, really important. And so, yeah, I think I've gone a little bit on a rant here, but I think

[00:26:42] AJ Nash: All good?

[00:26:43] Zoë Rose: You know, organizations want the quick fix. They want, this is a budget, that's it. But then when an incident happens, they're like, uh, here's a lot more money.

[00:26:53] Zoë Rose: Spend it. And then they throw money at the problem and they're not solving it. And then the techs are so bloody tired because they're like, I've been telling you this over and over again and I want to do this, but I don't have the time. I don't have the capacity. I don't have the skill. Maybe I need training. But I'm not going to only blame the company.

[00:27:12] Zoë Rose: As a tech, it's also my responsibility to make the issues visible. I don't have the experience maybe that senior leadership do of a business, and a business mindset. I have a security mindset. I went into security 'cause I didn't want to be around people. I wanted to die in the server room. Full disclosure.

[00:27:31] Zoë Rose: But I had to learn that, and maybe I'm not the best at it at all times, but I had to learn, and I have to actively build that relationship with the business. So it is still my responsibility as well. KPIs, not sexy, but important. Documentation, not sexy, but important. Having a coffee with senior leadership, oh, well, maybe a tea.

[00:27:52] Zoë Rose: Well, I do drink coffee here and there, but maybe not my priority, but I need to make it my priority. 'Cause they need to trust that I have their best interest at heart and we're on the same team. And if I say something, they need to trust that my decision took all of those factors into play. And a lot of times when I'm going into an organization to do a target operating model, I have to argue that this tech needs authority.

[00:28:21] Zoë Rose: And it's like, well, why? They can just tell me. I'm like, okay, middle of Christmas, middle of the night when they have to take a very, very critical server offline, are you gonna answer the phone?

[00:28:32] AJ Nash: Yeah. Do you want them calling you at four in the morning? No. Then you better give 'em authority. Right. That's the problem. If you can't delegate, then you're gonna be working all the time. There's no way around it. Hire people you trust, delegate to them or just expect to work all the time. Right.

[00:28:44] AJ Nash: 'cause they're gonna have to

[00:28:44] Zoë Rose: And they need to be able to override the business, because yes, taking a sales server offline, like a web server offline, that's gonna cost money, but so is maybe causing more compromise to your environment or maybe even compromising your customers. I don't know. What's the issue? We don't want that happening.

[00:29:05] Zoë Rose: So give them the authority 'cause they need it.

[00:29:10] AJ Nash: Yeah, no, it's, I mean, a lot of excellent points, right? I think, um, yeah, too many organizations. You know, it's interesting, I'm gonna go back further here to, you had mentioned reading an article, or there's a talk, I actually forgot the source already, that small organizations need more tools and large organizations actually need fewer tools because they have the people, which as you said makes a lot of sense, right?

[00:29:30] AJ Nash: The idea of tools, the idea of technology, is force multiplication, right? If you don't have any people, tech is theoretically gonna help you do some force multiplication, right? I've only got two people in the office. I really need, you know, 10 people's worth of work to get accomplished.

[00:29:43] AJ Nash: Automation's gonna get me closer to that, right? If I've already got the 10 people in the office, I don't need automation on top of that. I don't need all these other technologies,

[00:29:49] Zoë Rose: You still want it. You still want it, but it's not as big of an issue.

[00:29:54] AJ Nash: Yeah. But the irony is the companies with all the money, the big companies with the money are the ones that vendors push really hard to buy the cool, sexy things, right?

[00:30:02] AJ Nash: And they all want to, or a lot of 'em want to at some point, because it's a cool, sexy thing and it's, you know, it's a brag point, and we've got all these, you know, cutting edge technologies, et cetera. And a lot of times then, as you said, they don't configure them. So now you've got this cutting edge technology that you were sold as the solution.

[00:30:16] AJ Nash: And may or may well be,

[00:30:18] Zoë Rose: Not even fit the problem. Let's

[00:30:19] AJ Nash: Might not, right? That's true. Might not fit at all. But even if it does, if you don't configure it properly, it's just a very fancy, you know, piece of equipment doing nothing for you, and you're spending a lot of money on it. But you're also possibly trusting, oh, this problem's solved.

[00:30:31] AJ Nash: We've got tech working on this problem. So now we take people off of this problem 'cause we think our technology's got it covered, but the tech was never actually configured properly anyway. So now you have trust in a thing that doesn't... It isn't set up to succeed. Even if it could be, it's not set up to succeed, and then something bad happens.

[00:30:46] AJ Nash: And what happens? They do the incident response and they come through and they figure it out, and then they blame the technology. And then the vendor says, you can't blame us. You never onboarded. We've been having onboarding discussions for six months with you, trying to get you to configure it, and you haven't configured it.

[00:30:56] AJ Nash: You haven't given us the documents we needed to help configure this to make it work, or whatever it might be. Right? And so there's this big, you know, pointing your fingers back and forth while the incident continues to go on, because you haven't solved the problem. But there's an irony in that the small companies don't necessarily have the money for all the tools, but the tools would help them.

[00:31:10] AJ Nash: The large companies that have the money are buying tools that they may or may not need. And if they do need 'em, they're not configuring them properly in a lot of cases. Why? Because they're too busy again, you know? Of course. And so it seems like it comes down a lot of times to, you know, time allotment, budget allotment and prioritization.

[00:31:25] AJ Nash: Now, I had a question at one point prepped for the show. We've gone far afield of it, which is good, but the question was, you know, what do you see as the biggest challenges security leaders face in terms of incident response? Now, listen, we've done nothing but talk about challenges at this point.

[00:31:37] AJ Nash: So I feel like we've covered a lot of this, but it seems to me it comes down a lot of times to just, again, allocation of time and resources, proper allocation of time and resources, and a prioritization, right? Saying you're not gonna worry about incident response, just handle it when it comes up, is too late.

[00:31:53] AJ Nash: But how do you convince people to spend the time and spend the money? To prep, to do the documentation, as you said, to do the exercises, to be prepared, to do the proper analysis, to decide what tools we should or shouldn't have to actually audit those tools and decide which ones we should and shouldn't keep.

[00:32:08] AJ Nash: And if we're gonna have them, taking the time and energy to actually configure them properly, which does take more. Now you gotta work with your vendor more and have discussions. They need inputs as well to be successful. And then you have to test those technologies too. And it just seems like, as you said, everybody wants a simple answer, right?

[00:32:23] AJ Nash: Everyone wants the quickest solution. So whatever tool somebody comes in and sells you, oh, this is, you know, plug and play. It'll solve all your problems. It's magic. Now it's all AI, right? AI's gonna solve everything. You don't even need people anymore. AI, just call AI in and AI will do it all. Which is not really the case.

[00:32:36] AJ Nash: So, for anybody who's just wondering, by the way, that is not how things are going to work. Please don't fire everybody and hand it over to the bots. You're not gonna be happy with the results. But are there other things I'm missing? When we talk about the biggest challenges security leaders are facing in terms of incident response.

[00:32:52] AJ Nash: I kind of wrapped up what I've heard so far, but are there other things that I missed in there in terms of, you know, allocation of time, resources, what else might be in there, you think?

[00:33:00] Zoë Rose: I think the point that I made briefly needs to be highlighted much more closely, which is: I am a manager. I don't see the day-to-day. I do rely on my team to make things visible to me. I also don't have the skillset that I used to have. I mean, I used to be hands-on, well, I'm still hands-on, but not as hands-on.

[00:33:21] Zoë Rose: I used to do all of the investigative work. Now, more often than not, I say, okay, go get this information. I might do training and teach them how to get the information, for more junior people, but for my more senior people, I expect them to know. You need to know step by step what to do and what information to give me and what trends to show me. When it comes to my boss,

[00:33:43] Zoë Rose: he's gonna be even further back. And then his boss, and in other cases maybe it's a lady, maybe it's non-binary, whatever. But that person, the more senior they get, the less hands-on they are, the less likely they'll have a security mindset or even security knowledge in some cases.

[00:34:02] Zoë Rose: And so for them, we need to be clear. We need to build that relationship so we trust each other, but we need to be clear about what the actual risk is. I cannot go to my boss and say, you didn't give me budget for this, it's all your bloody fault, if I didn't tell them the reality: if we don't do this, this could be the impact.

[00:34:25] Zoë Rose: If I can't make that visible, then they can't make an effective decision. And so, if you're running into a wall where they will not listen, it could be that you're going about it in the wrong way. You are going about it in a way that makes sense to you. What makes sense to them from a business perspective? You need to talk the business language, which is the language of risk.

[00:34:48] Zoë Rose: Risk management. Make that visible. Don't say, I need this sexy tool because this sexy tool is gonna solve all our problems. No, it probably won't, as well, if you take that approach. But you can say, this is our inherent risk. These are our likely threat actors. This is our likely set of... do you have a risk register?

[00:35:07] Zoë Rose: A lot of organizations do

[00:35:08] AJ Nash: Ooh. Risk register. Hmm. That's

[00:35:10] Zoë Rose: That's important, you know. How do I apply what I need to the business risk? Make that understood, speak that language. I mean, look at, I currently work in EMEA. Okay. Do you know how many languages, actual languages, are in EMEA?

[00:35:29] AJ Nash: Dozens.

[00:35:29] Zoë Rose: Sometimes. Sometimes translation is an issue.

[00:35:33] Zoë Rose: You know, get that solved too, because

[00:35:37] AJ Nash: Hmm.

[00:35:38] Zoë Rose: ultimately, if your senior leadership are just not listening, yeah, okay, maybe you're in the wrong organization, but it could also be that you're just expecting them to understand something that is not their area of expertise, and that's also wrong on your side.

[00:35:54] Zoë Rose: And then I think also the point about automation. We cannot throw automation in place if we don't know what it needs to do. If we don't know what's normal, if we don't know where the gaps are, we can't just solve it by saying, hmm, this will solve it, this will work. Because you might actually cause an incident yourself.

[00:36:18] Zoë Rose: I've seen that happen. And then when it comes to the complexity of outsourcing, you have to retain your accountability there. You know, we didn't talk about that at all, but let's just briefly touch on the shared responsibility model. Like, security, simplicity is going to make security more effective.

[00:36:41] Zoë Rose: But no environment I've been in is massively simple. And so we need to simplify yes, but we also need to plan for these unknown unknowns. We need to plan for these risks that we see in an effective way so that when they come up, we also learn from it. And we've planned a way to respond in a structured way

[00:37:06] AJ Nash: Hmm. Well, and you make an excellent point about automation, right? That, you know, people say, well, we'll just automate it. The only way you can automate something... Yeah, I just say it like, flippant, like, just automate that, you know? That's fine. The only way you can automate something is if you can teach the technology, or input to the technology, however you wanna put it,

[00:37:22] AJ Nash: what the steps are that are done manually now. Like, if you're gonna automate something, that means you have to have documentation on how it's done manually first.

[00:37:31] Zoë Rose: But also what the use

[00:37:32] AJ Nash: And there's a lot of them,

[00:37:34] Zoë Rose: Yeah, well, you can't just say, well, block any account that looks suspicious, because, I'm sorry, middle of busy, like end of month, are we gonna just be okay with accounts like finance being kicked out? No, I would

[00:37:49] AJ Nash: And what looks suspicious, right? Yeah. What are the criteria for suspicious? What is your threshold? Does it change at different times of the day or different times of the month as to what's suspicious? You know? Activity that's suspicious most of the month may not be suspicious at all on the last day of the month.

[00:38:04] Zoë Rose: And you can't just blindly trust technology either, because I've seen situations where, for example, Microsoft says this IP address is coming from here. No, it's not. That's actually the wrong country there, Microsoft. And again, not to blame Microsoft. I mean, lots of tooling has these, but it's just because there's a limit to the capability that technology has, and it was built by humans.

[00:38:31] Zoë Rose: We have lots of human error. What we built has human error 'cause we built it, right? So you cannot blindly trust things. I mean, I've had techs that have caused incidents themselves because they've made a mistake. It happens. We have to plan for that. Sorry, you're probably very tired.

[00:38:47] AJ Nash: No, no, no. You're very right. No, I think you're very right. I mean, technology isn't the answer to everything. People just wanna offload it. And again, it's even worse now with AI. It's like, oh, AI, you'll do it. Listen. Technology doesn't think, all right? It is derivative of what we put into it, whether it's AI-enabled or not.

[00:39:04] AJ Nash: Right? It's derivative, right? So we have to put it in, we have to put all these different processes in, all these different scenarios in. If you do automation, if you go back and look at, like, SOAR, when SOAR was first coming up, if you look at all the different playbooks you have to put into SOAR, it could be really great.

[00:39:17] AJ Nash: If you have something that runs from, you know, a ticketing system, and you can go through your TIP and to your SIEM and to the SOAR and, you know, run the whole SOAR model, it can be really successful, only if you put all the work in to build it up. SOAR doesn't come out of the box and just automate things and do incident responses, you know, do automatic response and all the things.

[00:39:34] AJ Nash: It has to have all these playbooks built out. And all these playbooks have steps after steps after steps in them. It is a lot of effort that comes into sitting down with the analysts who do all these things, or whatever the security professionals are who do all these things manually now, and documenting each little step and each little variable to that.

[00:39:53] AJ Nash: Well, what if it's this? Well, now I gotta tree it over here and I gotta, you do all of that stuff. There's a long-term payoff, obviously, if you can plug all those things in, but it's not like you just buy it outta the box, plug it in and go, well, that's it. SOAR's got it covered. Now we're good. And walk

[00:40:04] AJ Nash: away.

[00:40:05] Zoë Rose: And also, a lot of times when you're deploying a new solution, you've gotta pay double, because you've got the old solution in place until the new solution can take over, and you've gotta pay the person that usually is doing it to do the design and implementation. So like, it's bloody costly. I understand why organizations are in this state.

[00:40:24] Zoë Rose: I do get it, but how do we go from here? How do we improve? Well, we improve by looking at what is our inherent risk? What is our normal, what compensating controls do we have? Where do we need improvements? Where do we have gaps? Maybe if we're massively immature, it's actually easier to find the next steps.

[00:40:44] Zoë Rose: If we're more mature, it's harder, but it's still

[00:40:49] AJ Nash: You're right. You're absolutely right. And then, so how do we tie this all back? You know, I think we've kind of created two different conversations here, which is perfectly fine, right? We came in to discuss how to make incident response better. And I think we've had a lot of discussion, and it's also just been about, you know, standard security practice and how to make security organizations more, but it does tie back in, right?

[00:41:09] AJ Nash: How do we tie this all back into incident response? And I'm gonna answer my own question, then ask a different one, but it is to have all these things in place, right? It is all about the foundation, right? As we talked about at the beginning, it's understanding your environment, your CMDB and your Crown Jewels assessment.

[00:41:24] AJ Nash: Your risk register is a good example, right? All of your tooling, all of your people that are plugging everything into these tools. To know your environment, right? You cannot do effective incident response effective exercises if you don't know your environment inside and out. Which, to be honest with you, I know very few organizations that do.

[00:41:45] AJ Nash: So, you know, that's the reason we've gone far afield a little bit on this, is to talk about that, but bringing that back into the incident response discussion. So how do we improve incident response? Is it just all the things we just discussed? What are we missing here? I know there's a bunch of things we're still missing in terms of documentation, in terms of process, in terms of communication.

[00:42:05] AJ Nash: You mentioned, you know, language is a big factor here. How do we move past what we see right now today, which is a lot of organizations that are just firefighting and they haven't built the process in place, but they're also just very busy, right? They're overwhelmed. I don't know any organization that has enough time or enough

[00:42:20] AJ Nash: money or enough bodies. So how do we get there? How do organizations get to a state where their incident response programs are properly enabled by all these other things that they're dependent upon, so that we can have better incident response in the crisis? You know, how do we make that happen for folks?

[00:42:39] Zoë Rose: Well, besides the foundations, besides the general hygiene, besides understanding your organization, I think you also need to look at what people you have in your organization. Have you ever done a skills gap analysis? Do you have anybody that's actually competent to do incident response? Because incident response is a specific skillset.

[00:42:59] Zoë Rose: Understandably, some people cannot do it, and that's okay. But if you don't have anybody there that could do it, you're going to have to outsource it. So you're going to have to figure out, you know, if you have your core competencies, this is the area it makes sense to outsource. I'm not saying outsourcing is a bad idea.

[00:43:17] Zoë Rose: In some cases it is the right idea, because a skilled incident responder is expensive. They're not a cheap resource, and they must maintain that skill and continuously develop and build and understand things more. So maybe you need to outsource. Maybe you don't have the skill. That's okay. Maybe you wanna build the skill.

[00:43:37] Zoë Rose: So training needs to be, you know, you need to invest in your people. Maybe you need to hire somebody. I don't know. Maybe you need to outsource. Do you know what your environment looks like? Can a company come in and say, this is normal? These are where the unusual activity is. This is not normal.

[00:43:55] Zoë Rose: These are the points of reference. These are the people I need to contact in an emergency. Does that exist? So how can we improve? Well, besides having your foundations, do you have the capability of responding to an incident? If you do, what's your end? Where does your skill end? Where's the cap, including capacity?

[00:44:17] Zoë Rose: So you may have a very excellent incident responder, one, but they may need a holiday. They may get sick. Maybe they're in the hospital, I don't know.

[00:44:27] AJ Nash: They quit.

[00:44:29] Zoë Rose: Maybe they quit, which is a huge issue. Loss of, when you invest in people and you lose them. You know, retaining skill is really important and costly, but if you lose them, they may be gone, especially if nothing's documented.

[00:44:44] Zoë Rose: They may take all that intelligence out the door with them, so plan for that redundancy. But also when it comes to getting a third party in, how do you do that in an effective way? You probably have a retainer. You need to know these people. So if you're bringing someone in, they need to know you. They need to know who to contact.

[00:45:04] Zoë Rose: They need to know who has the authority to make certain decisions. They need to know the technologies you have in place, because they need to be able to support it. If they've never used that solution, are you going to let them learn it whilst they're responding? That's costly and not massively effective.

[00:45:21] Zoë Rose: So how do we improve? Well, build the relationship, identify the gaps. It's just like building the foundations in your organization. Do those simulations and figure out where you have those gaps. It could be as simple as a sit-down with a team around a table and say, okay, this has happened. What do we do?

[00:45:40] Zoë Rose: This has happened. What do we do? It could be as complex as we're gonna turn all of these off and see what happens, and we're not gonna tell anyone. Red teaming is important, and actually really quite fun. I am security operations. If a red team happens in my environment, I'm not notified, because I need to respond as if it is an incident.

[00:45:58] Zoë Rose: And so when those happen in my environment, I like to guess when they are. And actually sometimes I've had situations where I've been like, this is a red team. And I know the team that puts them on, and I'm like, I'm watching you. But it's fun. I like it. But I don't have an ego that's getting in the way, because I know how important it is. So if you've got somebody in that's got their ego getting in the way, maybe they're not in the right position as well.

[00:46:25] Zoë Rose: So, you know, figure that out. Figure out what makes your organization. So how do you improve? I keep saying over and over again, do this, do this, do this to start with, identify what your current state is, identify where your gaps are, and then identify where you want to be. Because you cannot map, point A to point B without the point B.

[00:46:47] Zoë Rose: And once you've got that, figure out how you get there within budget, within timeframes that are realistic and with the skill sets and capacity that you currently have in your organization.

[00:47:00] AJ Nash: Yeah, I think excellent point, the point, you know, point B on a map, right? You can't get somewhere if you don't know where you're trying to get to. So I think that honest assessment of where are we today, which a lot of organizations don't do, maybe they don't wanna do it 'cause they don't wanna be honest about where they are.

[00:47:14] AJ Nash: And then where do we want

[00:47:15] Zoë Rose: Head in the sand.

[00:47:16] AJ Nash: Exactly. You know, they just, uh, you know, that's for another day. Right? You know, CMDB is the best example I can come up with for that, over and over again. It's comical how bad most organizations' CMDBs are. When you take a look at 'em and you realize, it's like, well, do you really have this much Windows XP running in your environment?

[00:47:30] AJ Nash: Well, no, of course not. We don't have it anywhere. Well, your CMDB is full of it for some reason. If you've never updated this at all, like, what are you doing here? You know, why is this showing that you've got Windows 7 running in places? Why is this showing you have systems that are deprecated now, like entire software systems that don't

[00:47:45] Zoë Rose: Is the point of contact for this situation a person that retired 10 years ago, you know,

[00:47:51] AJ Nash: Exactly. Yeah. Or dead. Right. And why do you have these things? Why is the risk register empty? I suspect that's not accurate, right? Yeah. Oh, no, we built the spreadsheet. We forgot to populate it. Oh, well, that's really useful. You know, why are these things like this?

[00:48:05] AJ Nash: Right. So, you know, I think that's part the

[00:48:07] Zoë Rose: Why are you putting in controls to protect against a nation state when your likely threat actor is a bored teenager? You know, like.

[00:48:16] Zoë Rose: Apply

[00:48:17] AJ Nash: A really good point. Yeah, that's a really good point. You know, getting very excited about the things. And as an intel person, I've run into that a lot, where people, you know, come out of the SOC. They're all ranting and raving and all excited. We've heard about this thing. We're all scared. I'm like, the odds of that happening to us are incredibly limited.

[00:48:31] AJ Nash: Let's have a real serious discussion about why that would happen. You know, and this adversary is notorious for only going after healthcare. We're a bank.

[00:48:41] Zoë Rose: Or critical, critical national infrastructure. And you aren't even big enough to even be classified as that.

[00:48:47] AJ Nash: You're a shoe store.

[00:48:49] Zoë Rose: Yeah. Like, hmm.

[00:48:51] AJ Nash: Yeah. But, but if it's all over the news, well, it doesn't mean it actually affects us.

[00:48:54] AJ Nash: So let's have that discussion, or you know, what,

[00:48:56] Zoë Rose: Those incidents, to be clear,

[00:48:58] AJ Nash: A hundred percent.

[00:48:59] Zoë Rose: you probably

[00:48:59] Zoë Rose: don't need to worry about that threat actor. You don't need to worry about that too, like, you, yeah. Yeah. Yeah.

[00:49:06] AJ Nash: Yeah. Or exactly, you know, or the report comes out and you're like, well, that's true. But they compromise this piece of software, which we actually don't own. We don't have it anywhere in our environment.

[00:49:13] AJ Nash: You know, a zero day comes out, it's a scary zero day, there's all these things. Yeah. But it's not in our environment at all, though. It is specifically designed for one thing that we don't own. I mean, we should know about it, but I wouldn't recommend making a ton of changes today, 'cause as of today, it's not a threat to us.

[00:49:27] AJ Nash: We should learn more about it and see, you know, can it morph? Am I gonna reuse it? Is it, you know, is it recyclable? Is it changeable? But let's not lose our heads over

[00:49:36] Zoë Rose: about this. Yeah.

[00:49:37] AJ Nash: Yeah. That isn't affecting us today. The shiny object, the scary thing on the news, isn't always our biggest problem.

[00:49:43] Zoë Rose: No, but also the point you made about CMDB. How many incidents have we seen in the media of, or, you know, a bit of a go now, but Log4j, and then, what was the latest one? FPR? Like, do you have that in your environment? Do you have it in there, but also, is it required? Well, I have no idea.

[00:50:08] Zoë Rose: So how many organizations spent weeks figuring out if they had it, then months figuring out is it something that they're dependent on. And then more months, yeah, should we have it? And then more months figuring out, well, yes, we're dependent on it, but what version are we dependent on? You know, like

[00:50:25] AJ Nash: Mm-hmm.

[00:50:27] Zoë Rose: Software bill of, what is it?

[00:50:29] Zoë Rose: Uh, software bill of something. I can't remember what that's called. But it's like a CMDB for our software. What are our dependencies? What do we need? Why do we have this in place? Is it just because it was installed at some point for a testing purpose and never uninstalled? And we don't have a testing environment, so I install everything on production.

[00:50:50] AJ Nash: Right. Which happens, unfortunately, it's oh so often, right? And it, it turns out, oh, you know what? We're also using a license that's expired, but that's okay. Nobody checked on that either.

[00:50:59] Zoë Rose: But also, do we have a change management process? Because did we decommission server A that required these firewall rules, added in server B that didn't require those, but those were never decommissioned, and it was in our development, but our development is our production.

[00:51:14] Zoë Rose: Therefore, this compromise is now with it. Not that I've seen that for many customers, but maybe I have seen that for many customers.

[00:51:24] AJ Nash: Sure, sure. Change management process. Another really good one. I hadn't thought about that. That's another piece that people seem to have, you

[00:51:29] Zoë Rose: My very, very first conference talk was talking about configuration management.

[00:51:36] AJ Nash: Mm-hmm.

[00:51:36] AJ Nash: Mm-hmm.

[00:51:37] Zoë Rose: I created a very poorly, like, just to demonstrate it, I made like a little web server that configurations were populated to, super insecure. Don't use any of the code that I used 'cause I knew it was insecure, 'cause I dunno how to code, 'cause I'm not a coder.

[00:51:53] Zoë Rose: But, but, and I made it really sexy. It was black with the green text. But like I was talking about, this is so important. This was 10 years ago that I spoke about this. So why is it still

[00:52:04] AJ Nash: You could give that same talk today. It'd probably still be valid in most, most places, unfortunately, too. So,

[00:52:09] AJ Nash: yeah.

[00:52:09] Zoë Rose: bad at coding, so it'd probably still be insecure.

[00:52:12] AJ Nash: Sorry. It would still be fine. It would probably still work. Don't worry. AI will fix it. Don't worry about it. AI will fix it

[00:52:17] AJ Nash: for you. Now you vibe code it, you just vibe code the whole

[00:52:20] Zoë Rose: Great idea.

[00:52:21] AJ Nash: So anyway, so I mean, I think a lot of good points here to take away from this, right? And it's, there's a lot of prep that needs to be done. I think there's a lot of communication there. I think you make a valid point that there, it's not all about leadership and it's not all about budget. It's also about, you know, hands-on keyboard, being able to communicate.

[00:52:35] AJ Nash: I think speaking the language is a very interesting point about speaking the language of business versus tech, which is a significant challenge. 'cause most people in tech, there's a reason they're not in business. they don't speak the business language by on purpose. A lot of people that sit in the SOC don't wanna talk about the business, but you have to understand the business impacts because that's what's gonna motivate leadership.

[00:52:55] AJ Nash: To actually make changes. Again, I need this thing, it doesn't motivate them. I need this thing because it's gonna reduce the risk by, by so much, which is gonna, you know, potentially reduce our, you know, uh, exposure, which could be very, very expensive, et cetera. There's gotta be a number attached to it at some point.

[00:53:08] AJ Nash: We've gotta, everybody I know in tech hates that whenever we write anything, it's gimme a business justification and put in, you know, that ties it to, to risk and profit and loss

[00:53:16] AJ Nash: and all that. You're like, ugh.

[00:53:17] Zoë Rose: justification? And then my techs are like... And I'm like, okay, let's break it down. How often does this happen? What's the impact?

[00:53:27] AJ Nash: Mm-hmm.

[00:53:28] Zoë Rose: I get it. It's boring. I don't like doing it, but it's very important.

[00:53:32] AJ Nash: I will say that's an area where AI might help you, for what it's worth. If you can give it enough inputs, if you can talk to any of the ticket platforms, ChatGPT, Claude, whatever it might be, if you give it enough inputs and say, can you write me a business justification for this? It can. Uh, it might be bullshit.

[00:53:45] Zoë Rose: what it is needing to measure.

[00:53:47] AJ Nash: That's right. That's right. You give it the inputs and it can, now, I will tell you it might be bullshit, when it comes out, but it will be the bullshit that, that the business will believe and will go forth with, off the record. Don't quote me on

[00:53:58] Zoë Rose: You may. You

[00:53:59] AJ Nash: recorded and it's gone off to the world, but

[00:54:01] Zoë Rose: you

[00:54:02] AJ Nash: you can bullshit your way through it.

[00:54:03] Zoë Rose: You could also ask your environment, are we secure? And it will say, yeah, you're great. I'm pretty sure I saw a post of one of the industry contacts I have that said, oh yeah, it said I'm a hundred percent secure. I can go home

[00:54:15] AJ Nash: that's right. Yeah, yeah, yeah. It'll tell you you're great.

[00:54:18] Zoë Rose: yeah, maybe don't trust it blindly please.

[00:54:20] AJ Nash: No, no. It's, it's so sycophantic. It's unbelievable. But, but it will help you write some of these things, which is good. If you're not good at turning, translating technology and tech data and tech information into business terms and into monetary terms, given the right inputs, the, the AI actually will offer you some decent

[00:54:35] Zoë Rose: It can definitely help. It can definitely help. Technology can definitely help. Automation can definitely help. Just use it in the context that makes sense. Have the right people. Maybe you don't have as many highly skilled people, you have more junior people because you can't afford highly skilled, but you compensate with other things, you know. Just put it in context, and if you've done it properly, it's a lot more effective, because you will still have compromises, you will still have incidents, but the impact will be reduced. For example, maybe you still have compromised accounts, but you've got automation in place that blocks it quite quickly so that the impact is much lower.

[00:55:19] Zoë Rose: but you need to do it in an effective way.

[00:55:21] AJ Nash: Yeah, no, I think that's a good point. So yeah, the crux of it is we've gotta do a much better job in our documentation. We gotta do a much better job in our preparation and not waiting till bad things happen. we've gotta do a better job in our communication, up and down the chains so that everybody's on the same page.

[00:55:35] AJ Nash: And we've really gotta take the, the take the seriously and invest the time and energy in it, and not just hand it willy-nilly off to technology and hope that that's gonna solve our problems for us, because the tech is very dependent on whatever we put into it. So I think, I think those are all excellent points.

[00:55:47] AJ Nash: I think it gives people, hopefully, a better idea of, of what we're currently dealing with in incident response and how to build better programs, and also when to bring in, you know, outside help, as you said, whether it's outsourcing, whether it's bringing in, you know, vendors to help, you know, contractors, consultants, to help write some of these policies and processes.

[00:56:01] AJ Nash: If you don't have the time for it, it might be worth hiring somebody to help come in and do the assessments and write some of these things for you. So at least you have the baselines before you try to automate things without baselines. What were you gonna say? I saw you raise your hand

[00:56:11] Zoë Rose: I just had a really funny memory of, um, awareness in the incident response process being important. Not just security awareness, but awareness in who to call, because I remember, I remember an incident where the person thought they were being helpful by, when something happened, they physically destroyed the device.

[00:56:37] AJ Nash: Oh my

[00:56:37] Zoë Rose: no forensic analysis, no incident response could happen because, screwdriver, it's around.

[00:56:43] AJ Nash: Right. Just drilled right through the drive. Yep.

[00:56:46] Zoë Rose: It was hilarious because we're like, oh, okay. Don't turn it off so that, you know, because we can't do, 'cause um, if you turn it off, certain things will change. So don't turn it off. Leave it. We will come investigate. Oh. Oh, okay. So, it's not in one piece at the moment.

[00:57:04] AJ Nash: Yeah.

[00:57:05] Zoë Rose: What, what do you mean? It's not one piece?

[00:57:07] Zoë Rose: You, you opened it, it's a laptop. No,

[00:57:10] AJ Nash: actions.

[00:57:13] Zoë Rose: I solved the problem. It, it won't, uh, cause any more incidents.

[00:57:17] AJ Nash: Yeah.

[00:57:19] Zoë Rose: Okay. Which

[00:57:22] Zoë Rose: is

[00:57:22] AJ Nash: you solved one problem. You've created a new

[00:57:25] Zoë Rose: to a, um, not that it was ever valid before, but you can say to a regulator, yeah, but you can't go to a regulator and say, I don't have the ability to investigate this because it's in fucking three pieces.

[00:57:37] Zoë Rose: So yeah, awareness on what the appropriate process is and who to contact. Also important.

[00:57:45] AJ Nash: Well, it's, uh, I, I've seen a similar story years ago in the government. We had one of those, we had a massive incident and, we were, I don't think this is still classified. The details may be classified, but the broad strokes are not. There was a massive incident. The government and, outlying organizations from around the world actually were, were ordered to ship their, systems back, to be analyzed and multiple organizations.

[00:58:09] AJ Nash: I don't know if they, they, I'm sure they claimed ignorance, but I'm certain they did this on purpose. We got a whole lot of systems that came back that were completely wiped, because nobody wanted to be responsible or, or end up having any forensics done that showed that their organization was, you know, patient zero, so to speak.

[00:58:22] AJ Nash: So yeah, pallets full of computers came back that were all wiped clean. So there's nothing you can do about it. And there was really, I don't know if there were any repercussions for that. My understanding is there probably weren't. But that's another issue you run into sometimes, is nobody wants to be held accountable.

[00:58:34] AJ Nash: And so if you say, oh, we're bringing all the systems back, we're gonna analyze 'em all, we're gonna do forensics, yeah. Well if they just show up wiped clean, you're like, oh geez, sorry. We just thought, you know, it made sense to clean them before we send 'em back. And, and then nothing ends up being discovered.

[00:58:46] AJ Nash: We still, for what it's worth for anybody who's curious, we did discover who Patient Zero was on that one. 'cause it wasn't from one of those organizations. As it turns out, uh, it was from another large agency, a large three letter agency, uh, who was, uh, not following procedures, not surprisingly. And so we were able to find out exactly what the original problem was.

[00:59:03] AJ Nash: That happens with executives who don't follow the rules, which happens in the private sector too. So. Alright, listen, we're running out of time, so, we're gonna wrap up here. I think, for anybody who's, you know, wants to learn more about what we've talked about today, hopefully some of this was very valuable and useful.

[00:59:16] AJ Nash: If not, you know, ping Zoe, make her tell you more about how to build, build a better incident response organization. but, uh, no, I, I think there's a lot, you know, that we've unpacked here and there's, we could do this, you know, for a lot longer probably, but ultimately I think there's a lot more investment in time and energy and, uh, that needs to be done upfront, that that really isn't happening right now.

[00:59:34] AJ Nash: And a lot more documentation, as you said, a lot of things that are less sexy. Uh, but as we get ready to wrap through here, you know, you get hit with the same thing everybody else does, right? The name of the show is Unspoken Security. So with that in mind, it's your turn. Now you get to tell me something.

[00:59:48] AJ Nash: You've never told anybody some, uh, before. Something that, to this point has been unspoken,

[00:59:52] Zoë Rose: Hmm. Completely unrelated to security. Um,

[00:59:59] AJ Nash: can be.

[01:00:00] Zoë Rose: uh,

[01:00:03] AJ Nash: And believe me, Zoe told me a whole bunch of things before we prepped, but I apparently those are not unspoken

[01:00:06] AJ Nash: either. I guess

[01:00:07] Zoë Rose: are not unspoken.

[01:00:08] AJ Nash: Yeah. Not unspoken Zoe. Zoe's pretty open, so this is a tough one. I know. Uh, 'cause she says everything,

[01:00:14] Zoë Rose: I, I, I have no ability to block what I'm saying because essentially, um, I just think why, you know, if you're, here's, here's the thing that's going on in my head. Is any of that interesting to you? Let's chat about it. Let's dive into this very granular topic because I love talking about random stuff.

[01:00:34] Zoë Rose: let me think. Probably not a hundred percent unspoken, but maybe more my accent. My accent is very weird. I get questioned about it constantly. you took the same route everyone takes, they first assume I'm Irish, then they assume I'm British. And then for some reason, a lot of people then assume Australian.

[01:00:57] Zoë Rose: I dunno why. I don't sound at all Australian. But

[01:01:00] AJ Nash: really. No. But there's a relationship between that, I suppose so.

[01:01:03] Zoë Rose: Not really. But, I'm neither of those things. I did live in Ireland and I did live in the UK. I visited Australia, but I've never lived there. But, I, I've done conferences there, but, this is actually from Australia. But no, so my accent, it picks up when I talk to people.

[01:01:20] Zoë Rose: and. The thing that is unspoken is the more uncomfortable I get, the stronger it gets. It's my sort of like, defensive. So, um, if I go, uh, back to where I grew up, um, a lot of times people are like, oh, you start, like I know colleagues that when they go or start talking about where they grew up, their home accent picks up.

[01:01:46] Zoë Rose: Mine is the opposite. I sound more, in some cases, more posh, more British, some cases more Irish. I don't know. I guess it depends, probably depends on how long I've been away from those places. Maybe. I dunno. But it's my like, defensive, until I start sounding thicker and then, and then I realize it and then I can't stop it and then it gets even thicker.

[01:02:10] Zoë Rose: So it gets to the point where I get really embarrassed because I'm like, I'm not putting on an accent. I promise you. It's just I can't control it. Yeah, and then I want to

[01:02:21] AJ Nash: I mean that.

[01:02:21] Zoë Rose: with the person I'm talking to, so often if you have a really thick accent, I'll then start picking up your accent because I'm like trying to empathize with you.

[01:02:29] Zoë Rose: And so, yeah, it gets really awkward.

[01:02:32] AJ Nash: Yeah, it's, it's fascinating. And as you said, like when we first started talking, I was like, well, I, it sounds like you're Irish, which you're not. I have actually a similar, trend I suppose, or, that I'll pick up other people's accents, right? I have friends. I have friends, I have a friend, a good friend of mine from Alabama.

[01:02:46] AJ Nash: And if we, if we talk for any period of time on the phone, anybody can tell who I'm talking to. 'cause suddenly I sound like I'm from Alabama. I have, I have a friend who's from Scotland and I'll pick up his accent in almost no time at all. It seems like I have friends from the UK and so, uh, I'm originally from Minnesota.

[01:03:00] AJ Nash: For those, uh, who aren't aware, which seems like nobody probably, uh, for years I, I lived outta the state for, for 20 plus years. But for years, anybody who was listening to me have a phone conversation could tell if I was talking to somebody from Minnesota, 'cause I suddenly would pick up a Minnesota accent, which as you can tell, I don't actually have.

[01:03:16] AJ Nash: Uh, but given some time on the phone, I would pick up that accent. I, you could tell if I was talking to family. So I, I have that too. It's not a nervous, thing in my case. it's just one of those things that comes naturally. I know there's some people it does. so I do find it interesting when it happens and I, like you have had to worry about, is somebody gonna think I'm making fun of them If I start speaking with their accent, they know I'm not from Scotland, or I'm not from England or wherever it might be.

[01:03:35] AJ Nash: I'm really not trying to mock somebody. It just comes naturally. It just, I end up mirroring back, you know, as you do, obviously. Now in your case, your accent is a, an amalgamation of having been to a lot of places too, 'cause you do have some Irish in there and you have some British in there, apparently. I don't, I don't hear any Australia, and those people are crazy.

[01:03:50] AJ Nash: but you've, you've been, you've been around and it's sort of picked up and so I, I do think it's interesting. I think it's, uh, I think it's, it is an interesting thing. It may not be completely unspoken, but it's not a commonly spoken thing, I guess. And so anybody who wants to know now Zoe is not from Ireland, uh, or the UK I will not say where she's from 'cause she didn't mention it.

[01:04:06] AJ Nash: So I don't know if it's some big secret, but I'll tell you that I know where it is and none of you get to find out unless she decides to tell you later. So, um.

[01:04:13] Zoë Rose: I'm sorry. If they look up me online, they'll figure it out. So good luck. It's not that difficult.

[01:04:19] AJ Nash: It, it's not. If you're into accents at all, you should have a good idea where Zoe's from. I will tell you this, it is not remarkably far from where I'm from. And I'll leave it at that and you can go figure it out. So listen, I appreciate you taking the time to be on today.

[01:04:30] AJ Nash: this has been a really interesting conversation. I've enjoyed it quite a bit. I hope others have as well. I'm gonna close out the show in a minute. Is there anything you wanna leave? Any last thoughts? Anything you wanna plug? Anything you wanna talk about? Anything at all before we, you know, wrap this up and, and let people go on with the rest of their lives?

[01:04:43] Zoë Rose: I think the only thing I want to say is everybody's trying the hardest typically in an organization, so don't. Place the blame and think that that's gonna solve it. What you need to do is you need to recognize you're all on the same page or on the same team, sorry, not same page, or on the same team.

[01:05:02] Zoë Rose: and so go forward together. And the way to do that is to make it a safe environment, to admit mistakes and limits to capability. And once you're safe and able to acknowledge your limitations or when you made mistakes, 'cause everybody makes mistakes, um, then you can grow together and build further, build those relationships and be a lot more effective, when egos and, uncertainties are outta the way.

[01:05:31] AJ Nash: Yeah, I think that's a great closing point and, and fantastic, right? You have to have a safe environment. As you said, mistakes have to be acceptable. Like it can't be a one mistake and you're out the door kind of a place, right? Because it's gonna happen to everybody. We're all overworked. People are trying really hard, so are the adversaries, you know, that's part of the job, right?

[01:05:47] AJ Nash: And, and they're, they're pretty good at their jobs too. So I think you make an excellent point about, you know, having a safe environment. It's not about pointing fingers, it's about getting better. You know, we're all on the same team. We're all trying to pull the rope in the same direction. So, uh, good closing remarks.

[01:06:00] AJ Nash: Really appreciate it. Hope people take that to heart. so again, thank you for being on the show. Zoe, really appreciate you taking the time to be here. For everybody who's listening or watching, thank you, for taking your time. Please feel free to, to subscribe to, like, to forward this to other people, you know, let people know you like the show.

[01:06:14] AJ Nash: If you don't like the show, shut up. I don't wanna hear about it. No, I'm kidding. I say that all the time. But if you don't like the show, let me know. Let me see how we can improve it. If you know somebody who should be on the show or if you should be on the show, reach out. Let me know that as well. but please continue to, to give us that feedback and to push to, to, you know, grow this audience, you know, so we can continue to bring on great people like Zoe to talk about all sorts of stuff and try to make people a little bit smarter and a little bit safer.

[01:06:34] AJ Nash: So, with that in mind, I'm gonna close it out for today. Again, thank you very much for being here, Zoe. Thank you everybody for watching and listening. This has been another episode of Unspoken Security.