Security Masterminds

Reducing Risk by addressing the Threats to your Cybersecurity program through innovative platforms, with our special guest, Bryson Bort.

Security Masterminds Season 2 Episode 6

Check us out on our new LinkedIn Page! - https://www.linkedin.com/company/security-masterminds-podcast/

Does this sound familiar? You've invested in threat intelligence data and spent countless hours analyzing it, yet you still feel vulnerable to cyber threats. Maybe you were told that having the data alone would be enough to protect your organization. But the reality is, simply having the data without knowing how to turn it into actionable insights leaves you exposed and frustrated. The pain of constantly worrying about cyber attacks and feeling powerless to stop them is all too real. In this episode, we'll show you how to transform your threat intelligence data into actionable intelligence, giving you the tools to defend against even the most sophisticated cyber threats.

In this episode, you will be able to:

  • Realize the urgency of embracing cybersecurity for your business's sustained success.
  • Explore how actionable threat intelligence can augment your defenses against cyber adversaries.
  • Absorb the advantages of using a joint and innovative approach to stay on top of evolving digital dangers.
  • Discern the impact of robust communication and leadership skills in fostering a secure digital environment.
  • Appreciate the role of attack simulation technology in unveiling security blind spots and improving protection.

My special guest is

Bryson Bort is an accomplished cybersecurity veteran with more than two decades of experience under his belt. As the founder of Scythe, Bryson has cultivated a platform that empowers professionals in the cybersecurity space to effectively address and combat cyber threats. Simultaneously, he co-founded ICS Village, a non-profit that aims to increase knowledge and awareness of industrial control system security. With a strong background in both offensive and defensive security, Bryson's drive for constant improvement and growth has made him an influential figure within the cybersecurity community.

Connect with Bryson Bort!

  • Linkedin: https://www.linkedin.com/in/brysonbort/
  • Twitter: https://twitter.com/brysonbort
  • Scythe: https://scythe.io/
  • ICS Village: https://www.icsvillage.com/


Testimonial for Scythe - https://scythe.io/library/purple-team-approach-boosts-cybersecurity

Connect with us:

Website: securitymasterminds.buzzsprout.com

KnowBe4 Resources:

This show's sound is edited by ProPodcastSolutions - https://propodcastsolutions.com/
Show Notes created with Capsho - https://www.capsho.com

Bryson Bort:

The challenge that a security vendor has is the balance of me protecting you and me not getting in the way. If I get in the way, I'm out immediately. So that's why threat intelligence is stuck in this Groundhog Day of doing the very basic static IOC stuff. I'm Bryson. I am the CEO and founder at Scythe.

VoiceOver:

Welcome to the Security Masterminds podcast. This podcast brings you the very best in all things cybersecurity. Taking an in-depth look at the most pressing issues and trends across the industry.

Erich Kron:

Innovating in threat intelligence involves re-imagining how organizations gather and utilize information about cyber threats. The limitations of current detection methods demand the development and implementation of more effective and proactive strategies. Bryson emphasizes the need for more effective threat intelligence solutions and the value that innovation can bring to the cybersecurity industry.

Jelle Wieringa:

Bryson Bort is a seasoned cybersecurity professional with over 25 years of experience in both offensive and defensive security. His entrepreneurial drive led him to found Scythe, a cybersecurity adversary emulation platform. Bort is also the co-founder of ICS Village, a nonprofit provider of education and awareness of industrial control systems security.

VoiceOver:

This is episode 19, Reducing Risk by addressing the Threats to your Cybersecurity program through innovative platforms, with our special guest, Bryson Bort.

Erich Kron:

Here we are at Security Masterminds speaking with Bryson Bort. I thought this was a really fun talk we had with him and, like so many other of our guests, he had a very interesting cybersecurity origin story. I asked him if he could tell us a little bit about that, and here was his story about how he got into cybersecurity.

Bryson Bort:

So I think like many of us, it starts as a kid with a passion and too much time on my hands and access to some tech that looked like it needed to be taken apart. My initial foray was really games, and two aspects. One was breaking the DRM so I could play the game, and then at that point, modifying the game to make it more fun. So I would go into the compiled code and make it do what I wanted to do. My programming really took off in high school when in advanced math we were given graphing calculators, and those have a basic programming language on them. And I discovered that I could, in any class, because it's an academic instrument, um, spend my whole time coding on that as opposed to paying attention to anything. And I would build all these really elaborate games on the calculator, so like Street Fighter and role playing games and all this different kind of stuff. And I could get away with it because it was a school calculator that I was just also using in English for no reason. And, uh, that's, I think that brings you up through my childhood. I actually had a full ride to MIT, but I chose to go to West Point because I wanted to be well-rounded. I wanted to serve. So I saw being an army officer as a way to pay back to society. And this is kind of the point where everyone's like, when did you first get into cybersecurity? And none of this stuff existed back then. I remember the closest I started getting to information security was the various, like, ILOVEYOU, Melissa viruses, whatever that was at that time, running around with a gold CD-ROM and we had to install it on every single computer to fix it. And that was the closest we got to any understanding of security at that time. That's something I like to point out is how young this industry is. I mean, firewalls were not commonplace until about 2000. It's not that firewalls didn't exist, they weren't deployed as a natural part of what an enterprise did.
And so I like to point out, I mean, we're only 20 years old in going, your network is different from my network. And so, uh, I think where my origin story really picks up is after I got out of the Army, uh, as an officer, I was recruited into the intelligence community and did some really interesting things there. And that's where I really, uh, made my bones in cybersecurity until I left and started my own offensive consultancy called Grimm, uh, 10 years ago. And Grimm was my nickname in the IC. So that being said, I guess I've been doing this for probably 25 years.

Jelle Wieringa:

I still remember the golden CD-ROMs that you had to carry around. He started out with basically being an enthusiast in IT, breaking the DRM on games and modifying the games. I started the same way. That's how I found my interest in IT. Cybersecurity in itself happened naturally after that. Same with him. It's just you got into the industry, you figured out, man, this cybersecurity game is really good fun. It's something that I'm really good at and can learn and I can help other people. Look, I love the fact that he wanted to serve, to pay back to society. That's a noble thing to do. I wish at that age I had the same mindset. I think that for him, it was a natural progression. That's good.

Erich Kron:

Yeah, I think it's cool, but I get what he's saying. So the next thing we did want to talk about, because he's an entrepreneur, is I wanted to know from him some things like, why did you start your own company and what has he taken away from being an entrepreneur?

Bryson Bort:

There are two qualities to being an entrepreneur, passion and tolerance for BS. So most people think like, I need to be the smartest, I need to have all these, no. You need to have found an idea that there is an itch inside of you, that the fact that that idea does not exist bothers you that much, and then you need to recognize that that's the cool, the fun part, that's the onstage. The backstage is you need to understand human resources and health insurance and every state and how to register in states and all these arcane components of running a business, because no one else will. To be a founder is to be the CEO and the janitor. And you need to do 'em both with a smile no matter what time it is. Those are the fundamental requirements of being an entrepreneur. Now, I didn't know any of that when I started. I just knew that I had an idea and I'd become so successful in my government work that I was now running teams. I'd grown my unit to over 200 folks globally. I was very important and that mostly meant I sat around large mahogany tables arguing with staff not to destroy my teams and screw over my people. Wasn't fun anymore. Field work is fun. Higher level management, not so much fun. And that was the impetus to where I said, if I'm gonna do this, I'm gonna do it where everything I do is graded on my own. I'm good at this or I'm bad at this, and the market will tell me that. And that's when I started GRIMM. One person by myself, this consultancy, and of course with lots of help, and then started to grow it. And I was not looking to start a product company at all. I had no idea about that stuff. That was kind of like, that's what you do out of Silicon Valley and VCs. I didn't know what a VC was. I just thought it was like a cuss word. And I eventually found myself in an opportunity where Target came to me.
So I like the story of Target as the milestone in 2012 because they were the milestone for me personally when they came to me in 2016 and said, Hey, we have built a world-class security organization, and I can attest they have built one of the greatest organizations I'd seen at that time, and they knew they could still get hacked. So how do we flex those edges? How do we know for sure where we go? Because security is defined by the threat. So how do we find a way to emulate that threat? And they asked me to build a tool to do that piece, and I realized that would be a great consulting gig cuz every three months I'm gonna have to build you a new tool, because testing tooling would be burned by the defensive infrastructure and you get in this arms race where you're just racing against yourself independent of what the adversary might actually do. And this is where I take the red team industry and the penetration testing industry at large to task: there's a lot of really cool research that doesn't matter. I mean, the basics are still so much the basics. And so I suddenly found where I think most great ideas come from, which is somebody else. It's just up to us to determine whether to do something with it. And so with what we called Project Crossbow, which was a play off Target, we started developing a different idea. And I thought, again, instead of building you one every three months, why not build you a platform where you could scale this yourself? And that was where the idea of Scythe, Project Crossbow, was born. And I spent two and a half years co-developing it because, again, that passion part is, it struck me as incredible that this idea did not exist. If Target needed it, clearly other people would as well.

Erich Kron:

Yeah, I really, really like what he was talking about here. And basically it boiled down to there was a need in the market and he found that need and was able to give a product or a service that really did something with it. I think a lot of entrepreneurs fail because they don't really have a direction.

Jelle Wieringa:

Yeah, it's all about product market fit. If you're, especially if you're a technologist, if you, if you're really good techie and you design something where you think like, oh, I would use that myself. That's great, but that doesn't mean other people are willing to spend money on it. It's not about the best idea. It's if you're starting a company it is just a, as much about execution of what you do. It is can you translate the passion that you have into an actually functioning business? Because even though, hey, you're a startup, , you still need to make payroll and you still have to get all the business administration going. or actually Leading a company is, is hard work and it sometimes has nothing to do with the core of what your company actually produces. That's what being an entrepreneur is about. And I see a lot of companies out there where , they fail because they don't listen to the market space enough. They might have all the knowledge in the world, they might understand what's actually needed, but if your market doesn't understand, they're not gonna buy a product.

Erich Kron:

So Jelle you mentioned something about purple teaming and I love that the purple team actually involves the offensive and defensive sides. Instead of just coming in as a red team, which is your penetration testers, and say, oh, you have a problem, here you go. Here's a report walking away. They work hand in hand with the defensive side, the blue team, and in my opinion, they do a much better job of learning how to defend the organization. So we asked him, because he's been heavily involved in this, you know, how has his successes as a small organization helped grow the concept of purple teaming? And this was his reply.

Bryson Bort:

So tools don't solve culture or process. Tools can help you get there, but tools cannot do it alone. Because of course tech is an important component to being able to do the actual technical signal. So there's this people and process maturity around bringing different components together and scoping an exercise, but you still need a tech underneath that works as easily as possible to actually drive it. And so, again, where we saw these challenges on red teaming, and then including the challenge with our own tool, this is part of the reason we were one of the first folks to start pushing purple teaming, cuz we're going, Hey, let's just bring this together. Let's do red and blue together. I'm the co-founder of the ICS Village with Tom Van Norman. We're a 501(c)(3) that does critical infrastructure education and security, cuz apparently I don't have enough free time. So that's what I do in my free time, that's my hobby. And there's a large asset owner and we do collaborative purple team exercises with them. So one of the neat things that I think about our tool is that we graduated beyond just being an IT tool to being a way to unify IT and OT industrial control systems into an assessment. And so we've been doing these exercises with them and there's two levels of success. I'll call out one from the exercises where we've been there with them and have continued to be able to find these holes, and again, it's really just validating your assumptions. We thought there was something on that jump box. No, there's not. Well, now we know that. Like, let's build that up. That's a big deal, right? Um, that's the kind of thing where the CISO's heart stops and it's like, okay, but that's why this is a purple team exercise. We pause the exercise and we help you fix it on the spot. Uh, as opposed to the red team, which is, yeah, we owned that jump box right out of the gate three weeks ago at the start of the engagement. Um, here's your report. Have a nice day.
And you're like, so you knew about this three weeks ago? And wait, they're already out the door. I gotta go fix this. Which is why I like purple teaming. So this is where I would give a reference that this tool is in fact easy enough that you can be a blue teamer and use this. And what I mean by that is, yes, the stuff that everybody talks about and gets all the reporting are the high level purple team exercises where there's all this focus and there's all this stuff done. And it helps bridge the gap with the plant managers and the safety engineers, but they're using it on a daily basis. Again, going back to that middleware concept, which is not middleware yet, but testing configurations and base configurations on a daily basis in a lab, comparing, growing and just doing that. And it's like you can't make a customer do that. It's just that this tool gives so much value and it's so easy for them to do that they're doing it on their own. It's organic and that's, I think, a huge, like, that's the best success story I can think of, is that it's become part of the way they do business.

Erich Kron:

So yeah, I really like that approach. You know, he's talking about, like I mentioned before, the red teams come in, they do this thing, they say, yeah, we owned this box, uh, you know, a couple weeks ago, here's the report. Have a good time. I've never liked that approach to fixing things. I really do like mixing it up and having both sides be able to figure out what's going on and learn from the process. It's not just a matter of can we get in. That's always one of those things that happens with any kind of penetration testing.

Jelle Wieringa:

I think that purple teaming is a great evolution where organizations can both focus on what threats they really face and how good their teams actually are at handling that threat. So it's a really good combination, and whether that's in security awareness, where you need to bring in HR and marketing and all of those other talents that are good at communication or good at working with people to get your security awareness program going, or whether it is with purple teaming where you've got your red and your blue teams that need to work together as one, because if we start working as one, if we start collaborating more, I'm pretty sure that will benefit all types of organizations in general.

Erich Kron:

So another challenge that a lot of security people have, and myself included, I mean, this has always been an overwhelming part for me, is staying current on threat intelligence. So I wanted to find out in his role, how does he handle the threat intelligence piece? How does he keep current with the threats?

Bryson Bort:

We built command and control comms that could go through Google Sheets. We did one that could use Twitter. We came up with all these crazy ideas and it was like, it didn't matter. Nobody uses it. It's like HTTP and HTTPS are still the main focus cuz that's what the threat does. So there's not a lot of change on that. Where I would say that we've created innovation is, it's not that we have to fill in the space to the latest threats cuz, again, most of that is pretty settled. It's the fact that threat intelligence as an industry is failing us. Threat intelligence really is, again, I like using numbers, it's a 10 billion market. Most of that money goes to understanding what an analyst somewhere found six months ago that was broken down into the simplest form of IP address, domain and file signature, that you can get six months later and go, I have stopped that attack. Meanwhile, the attacker is way beyond that and has already gone and done something else. That is the bottom of threat intelligence now. It's not that there aren't really smart people in threat intelligence. The challenge that a security vendor has is the balance of me protecting you and me not getting in the way. If I get in the way, I'm out immediately. So that's why threat intelligence is stuck in this Groundhog Day of doing the very basic static IOC stuff of yesterday to get to tomorrow and continue to repeat, because they can't do anything further than that. Anything further than that requires customer investment in making security theirs, and that's where the top part of threat intelligence comes in, which are the really fancy threat intelligence reports that come out. Here's 60 pages on how Havoc Snow Squirrel did something on something, and you print out the report and you're like, what do I do with this? Because it takes a lot of work to take those words and to make it something you can actually then go back to investing in making the security yours.
That's how we're able to stay up on the latest, is because we can take those reports and we have a team dedicated to turning that kind of behavior driven intelligence into something where you can now actually push a button and make it real.

Erich Kron:

Yeah, there's a lot of threat intelligence information out there that really doesn't make a difference on whether or not it's actionable. And that's a trick with threat intelligence. I mean, there's useful stuff. There's not useful stuff.

Jelle Wieringa:

I can remember a previous company I used to work for, we had a security operations center and we got 30,000 IOCs from the government, and they were all like nation state, and everybody, all of the analysts, 40 of them we had, were like, oooh, field day, yeah?! So how many of these IOCs actually apply to our customers? Uh, none. Okay, so that in itself, having 30,000 IOCs in that case, didn't do much. It is how do you take that information, or threat intel in general, and make it actionable. The word is actionable. Actionable intel. And that's what I see wrong in a lot of threat intel. It is really not meant to enrich your security operations. You have to do things to it in order to allow it to enrich your security operations. And that's the part where a lot of companies mess up. They forget that part. They take a vendor, take the information that comes out of the box and go like, here, look, this is what we need to be looking at. And I don't agree with that.

Erich Kron:

All right, another topic we wanted to talk about revolves around bug bounty programs. I've been dealing with organizations for quite some time now that do bug bounties. So this was Bryson's thoughts about benefits and challenges with bug bounty programs.

Bryson Bort:

Um, so as somebody who has built a pen testing consultancy, I have a lot of feelings on bug bounty programs. Casey Ellis, he is the founder of Bugcrowd, is a close friend, so I think they're a good idea. I think like a lot of things they've been done wrong. And this isn't a vendor problem, right? It is, again, we all do this kind of thing together. Um, I think it's, uh, an organization problem. It's seen as, like, I can contact one of the big three and they will just solve my pen testing problem and I'll get better quality out of it, when perhaps maybe I should start with the fact that my SDLC needs work. And that's a bandaid on the backend of the process where I'm really just doing it because it's a coupon, as opposed to investing fundamentally in better security. I think it has built an on-ramp for thousands to tens of thousands of folks to get into this space. So it has democratized that, and I think that's really neat and really cool. So I love seeing the community and the access that is now granted for these folks to make some, a lot of money. Um, on the flip side, a lot of these folks don't make that much money on it, right? And they get caught up in the "rockstar" of, wow, that guy made a hundred thousand dollars last year. And most folks make 250 in the whole year no matter how many hours they put into it, but, I mean, again, it pays what you can do. So it really is tied to talent capability, but it's still, I would not say that's an overwhelming negative to the platform. Um, I think there's some other important things, like I think every company should have a public vulnerability disclosure point of contact. It should be easy to find on your webpage, and I think you should commit to periods of triage against that, because, okay, great, you got a public point of contact and nobody ever writes back.
So it should in fact be staffed to be able to do that, to take that seriously, because why not take advantage of the free public research that can be done, uh, on your behalf? So, I think like a lot of things, it's a good idea. I think there are great elements of it, and I think there are negative ones and ones where we have done them wrong.

Erich Kron:

Yeah, I like that. And I agree with that. I think bug bounty programs are good, but I really like the statement he made about having the disclosure on your website where people can disclose issues and that you actually get back to 'em. I mean, how many times have we seen news stories or we've seen researchers go, I've been trying to reach out to this organization. They haven't gotten back to me, so I'm gonna make this now a big talk, which is probably gonna get them to fix the problem finally, but nobody's getting back to me on this, right? That's a frustration for people that are doing research and they're doing it for the right reason. They see this stuff and they go, wow, that's a big problem. That may be putting people at risk. I want to fix that. And so they disclose the vulnerability and nobody does anything about it. It's more than just, oh, there's this problem. You also need to have a way to handle that.

Jelle Wieringa:

Yeah, I can't agree more. I've spoken to quite a few bug bounty vendors out there, and they're doing a good job. They have good solid programs that allow for the community to do good work, basically. But then if you don't follow up, what's the use of it? Right? It becomes a PR trick. Like the program itself is never to blame. It's always you as an organization and how you handle what comes out of it. So I love bug bounty initiatives. I really don't like organizations that kind of use it as a PR thing. It isn't. It shouldn't be. It's dangerous to do that. Please don't just treat it as a PR thing; treat it as it's supposed to be, just do it seriously, people, please.

Erich Kron:

So we talked earlier, especially in his origin story, about how things have changed throughout the years, and like him, when I started in cyber it was more of an IT job, but then we also dealt with the security piece. So I wanted his input on this. I wanted to get his feel for, you know, cybersecurity in the past and what's gonna happen in the future.

Bryson Bort:

To me, the modern cybersecurity ecosystem was created with the Target breach in 2012. And the point that organizations funded and prioritized any level of cybersecurity beyond firewall and AV was, to me, the modern cybersecurity definition that we would talk about today. You hear the expression, nothing new is ever invented. And I think it's the same thing in cybersecurity: we had these epochs of maturity that we grew from. And so the one that I think is the most definable begins in 2013 for the commercial world, right? It's not that we didn't do computer security before, but it wasn't at the level or the priority that we do it now. See, I have Google Bard pulled up, so I'm just gonna ask the AI what the answer is. What is the future of cybersecurity? "The future of cybersecurity is one of constant change and innovation. As technology advances, so do the threats toward digital security." Okay, so it gives me a lame answer. I was hoping for something a little spicier. So what is the future? I was giving a lecture last night to a grad class of cybersecurity students and there was kind of the question of what should I study now that's gonna be future-proofed. And the point is nothing. Right? Just like when we look at the skills we learned 20, 25 years ago and the technology that we learned 20, 25 years ago, the best skills I can offer are, one, critical thinking, which is really tech independent, because it's going to be whatever artificial intelligence or machine learning does, it's going to be what is my ability to think and to use it as best for the situation. So AI, at the end of the day, is just able to go at a scale and an O(n) computational depth that no human could ever do, but it's still up to the human to drive and to think about how to harness that capability. And so I would suggest critical thinking is a key part to future proofing. The second part is agility. Um, I got asked the question last night, what's your five-year plan?
The Soviets have proven five year plans don't work. So they don't work for individuals either. Think about what do I need to learn in the next six to 12 months, what are my targets for doing that? And then just the agility to keep adjusting in that, the mental flexibility to keep doing that. And then the last part is that nobody does this alone. Cybersecurity is a team sport. It's a community sport. And so those that are really good at this are the ones that move beyond being an individual contributor into understanding how do my ideas, my vision, my influence, my education, my training, impact others and bring teams toward a common vision. And if you are doing those things, which, by the way, listen to all those, those are all soft skills. That's what's gonna make you better at the hard skills.

Erich Kron:

I like what he said about nobody doing this alone, right? This is a team sport. It's one of the more important things I've learned throughout my career, that building the network around you, building the other people that can help you, matters, because you can't do it all.

Jelle Wieringa:

I agree with everything, but the agility and the mental flexibility is also the willingness to keep on learning. That's the one thing I miss, cuz yes, you collaborate so that others can add their value, add their skills to what you need, but at the same time, you need to learn from those skills. You need to try to at least understand where they're coming from and understand what they're doing, so you have a basic grasp of it, because so many people in our field, with our field going so quickly, cybersecurity is evolving continuously. Like it never stops, but people do. People go like, ah, I know enough. No you don't. You never know enough. In cybersecurity, curiosity is the one thing that we need in this field in order to be ready for whatever future it is. Curiosity, the willingness to learn and the willingness to grow should be added to that list if you ask me.

Erich Kron:

So, okay. When it comes to organizations, there's so many organizations that are starting out or they're small. And in the past, cybersecurity wasn't always a super big deal for smaller organizations, but these days we just can't get around that. So for these organizations, maybe that don't have a security program in place, or don't really focus on the security culture, we wanted to ask him, what can organizations do to really start or improve their overall security culture? Let's hear some tips from him.

Bryson Bort:

You can't start if you don't know where your baseline is, and then you need to be able to show progress. And you need to be able to quantify that progress. You need to understand it and know that what you're doing is going where you think it is, and buying a person, buying a tool, buying a policy, any of those three things have tangible effects or they don't. And you need to be able to have the measuring stick to prove it. There's two kinds. You get it, you don't get it. Uh, where we can help is a lot of folks, uh, and I think this is less an issue, uh, this is where I see the silver lining in Colonial Pipeline. Turns out in a hydrocarbon based economy, when we cut off the gas, everybody noticed that. And so ransomware became what I call a kitchen word. Before that, it really was technical jargon. It's not something your 75 year old grandmother would know. Now, grandma knows, she gets what ransomware is, and it's the same thing for the business. Now, yet what ransomware is, they may not understand what that means for them, but they know what it is now. And so it moved from technical jargon in the security world to now something, okay, I got it, I got it. But show me how that works here. Right? Show me that that segmentation, the zero trust networking you're trying to force on me, that's pissing off my plant engineers, show me why this trade off is worth it. And sometimes that takes being able to demonstrate that so that they can see it. 'Cause a lot of times it's like, yeah, that's your discipline, your thing. And I don't even have the abstract accessibility to understanding the concept. So show it.

Erich Kron:

Okay. So while the pipeline issue was definitely something that put ransomware on the news over here, I would also say, depending on where you live, it was out there a little bit sooner.

Jelle Wieringa:

I think that the problem that we have today is that we, as security experts, we in the industry understand what ransomware is. And grandma might have heard the term ransomware, but there are two things that go awry here. One, they might have heard the term, but they don't really understand what it is, and they surely don't know what the impact of it is on their lives and what they should do to actually fix it when it happens, and it will happen. So we're not there yet. And when you wanna build a good security culture, basically the whole deal with security culture is making security top of mind. Second nature, that's what you want. We're not there yet. And a lot of organizations are now starting to realize what security culture is. So we get the question more, luckily: how do I do it? How do I get to a security culture?

Erich Kron:

Okay, so we were curious, with his military background and the cyber experience, I'm kind of wondering, like, how does he see the two coming together to help in cyber warfare, which is a significant matter these days.

Bryson Bort:

What cyber does is it can enable and support actual combat operations. It can give me all the intelligence I want. And it's not that it can't break things, but show me where it's breaking things on the battlefield that changes either one of those equations. I haven't seen it. The Russians did wiper attacks on customs and border control. Right? They created chaos and it made things more difficult, because we suddenly went from "we can control the borders with equipment" to having to do it by hand. But I didn't stop anything at the border. I didn't break the border. I didn't make it easier for Russian forces to go through the border. I just created delay and chaos and damage. And so when we talk about cyber warfare, again, I think we really have gotten, as a public, carried away with the idea that we have this cyber ray gun that's gonna appear on the battlefield and T-90s are gonna have videos of their turrets popping off because of the cyber ray gun. And we don't. We do have much better intelligence that is driven from that. We can affect enemy command and control, but we're not blowing up tanks or stopping helicopters in their tracks. And again, that is how wars are won.

Erich Kron:

As much as we see about cyber warfare and our adversaries' capabilities, it is kind of an interesting point that yes, cyber does really kind of back that stuff, and cyber warfare is the only warfare in the future.

Jelle Wieringa:

Yeah. Before talking to Bryson, I was actually on a different mindset, but after talking to him I agree. It's like cyber warfare. A bullet stops you right now, it kills you right now. Cyber warfare has devastating effects, but it's not ballistic. It doesn't do something right now. If I put a gun to your face or tell you, "Hey, I'm gonna scare you with ransomware," it's two different things. And yeah, as long as we have tanks, as long as we have planes and stuff like that, it's the physical side that scares me more than the digital side.

Erich Kron:

So there are a lot of people that do a lot of things right in cybersecurity, no doubt about that. And a lot of people that are trying extremely hard. But what I wanted to know from him was what are the top three mistakes that he sees happen in cybersecurity?

Bryson Bort:

So I'll start with the first, which is I believe there are two kinds of companies in the world, and it starts with leadership's approach to cybersecurity, and it's: I care about compliance. Everybody cares about compliance; compliance is the existential foundation of a company's existence. But that's not security. And either leadership only cares about compliance, or leadership cares about investing in security. If they don't care about investing in security, you're not gonna have security. And I see way too many talking about burnout. I see way too many talented individuals inside those organizations pounding their head on a wall and not understanding why leadership doesn't care. And the answer is, they already told you they don't care. So stop trying. Fit the mold or walk out. Those are your options. You could try to educate them, but pushing it too far, you're not gonna get there and you're gonna be frustrated. So I see that mistake, and that's, I think, a leadership mistake. And I think that is an area at the practitioner level where we don't understand why things don't work. Another mistake: the waiting to test. I've seen the "we know we're broken, so what's the point of testing?" Well, how else are you going to show progress towards something? How else are you going to baseline and do that? So I think that the ostrich in the sand of "we need to achieve some level before we do it" is flawed logic. Again, it is the measuring stick. So why wouldn't you bring a measuring stick to show that you're actually growing and you're growing in the right direction? Otherwise, we're just pouring money. And third, this is something I guess we'll tie back to the first, but in a broader sense, is I see too few folks in our space really going and trying to understand the industry that their company is in, what they do for a living. Very few of us actually work in security companies.
Most of us work in companies that require security, which means you should go and learn that. When I built a global configuration management database, which is not something I talk about very often because it takes away from my elite hacker cred, it took me four years. We saved the company four million dollars per annum, because the trick that I found was I didn't make it an IT problem. I didn't make it an IT security problem. I went to the CFO and I got him to agree to a process where we could show the savings that we were going to get contract by contract and asset by asset as we were doing those things. And so we hooked into procurement, and I used finance actually as the wedge to build IT and IT security where it needed to be. And that was something the business bought into. And of course there were organizational changes and things happened, but my stuff never changed because I was anchored into the money of the organization and was able to tie that directly back to the performance of the organization. And one of the things I learned when I was there is I would go and talk to the IT staff at these facilities around the world. And I was like, have you ever walked to the manufacturing floor? And they kind of looked at me like, why would I do that? I was like, do you know what we build here? Do you know what we do? And none of them did. Nobody had ever bothered to go and ask about what they did. And it's like, how can you possibly think that you're gonna go to a general manager or a plant manager or anybody over on that side? Like, go and learn it. Go and walk the halls, go and understand what you do, and meet people and build relationships.

Erich Kron:

That is the fact that as security people, we've gotta think of ourselves in a different mindset. What we really need to be is business enablers. And if we can't understand, or don't care to understand, the business, how are we gonna enable that? How are we gonna know which security controls are really more important and which ones are absolutely gonna, you know, potentially stop the business in its tracks? Because we do have that capability. Sometimes we have to understand what's the point of the business, because if the business isn't doing what the business is supposed to do, they don't really need anyone in security to secure what doesn't exist.

Jelle Wieringa:

I like his remark on compliance. A lot of companies nowadays look like, "Hey, I'm compliant, so I'm doing okay." No, you're not. You can't say that. You might be, we don't know. So compliance in itself is not enough. Being compliant in itself is not enough. And we still see a lot of companies making that mistake today.

Erich Kron:

I like that. Now, one of the things we do like to ask our guests, because I think this is a really important part of it, has to do with failures. I mean, we learn from failures, right? But we wanted to know from Bryson, like, what was his biggest failure and what did he learn from that experience?

Bryson Bort:

The most public, I think I'll start with, is when I was a first lieutenant and my brigade was responsible for the annual 4th of July festivities on Fort Hood, which was the largest military post in the United States. And this is, I think, one of the first times that arrogance got to me, because I mean, I'd already done my platoon leader time. I'm now hot stuff first lieutenant. And I wasn't even supposed to be a part of this stuff, 'cause I was supposed to be, like, over it. And one of the second lieutenants was botching it. So they were like, let's get Lieutenant Bort there. And I'm like, yeah, I'm coming in. And I did not do everything I was supposed to do. And there was, I'm gonna summarize this, but let's just say there were multiple incidents in my part of that situation, which generated a mob, and we got through it. I'm clearly here, still alive. And I had to write a public apology in the post newspaper, which they were kind enough to put on the front page in a bright red box from First Lieutenant Bryson Bort. So that was a big failure that I had to deal with. I'll go back to the origin of where I described our product. I built a tool, a platform, for a product market that does not exist. That is a strategic failure, that is a mistake. I don't know how I would've done it differently. I still, after all of this time and looking at what we built toward, I still feel that that was, in the long term, the best decision. So when I look at my competition, my competition started from where the budget was. Breach and attack simulation was built as an agent-based framework that a blue team could just configure, install, and then sit back and get pretty colors. That sounds nice. And that sounds like the kind of thing I can sell directly to a blue team. Scary red team bill. Well, no, I can't, and I haven't. The success we've had has been convincing blue teams to give the budget to the red team who's capable of using it.
And that's how we've had success. But that is company by company swimming upstream and trying not to look like you're drowning. Whereas when you jump into the big pond of money, you kind of float with a koozie and a beer and just worry about your sunscreen, because you're inside of that budget. So I don't know if that's a failure, other than that is a really hard blessing that took me years to learn. I have adjusted the strategy, but I still don't know I would've done it any differently, because I wouldn't have built the right tech, which I think can displace all of that.

Erich Kron:

I love the fact that he makes that comment about when he was a first lieutenant. There's always kind of a running joke that the first lieutenant is the one that gets the whole squad lost, but he went a whole other level up and took it to an apology on the front page of the newspaper. I mean, talk about failing big, but failure is definitely a part of it. The idea is if you're gonna fail, fail fast, fix it, and move on.

Jelle Wieringa:

So in anything, I think that failing faster, moving on to the next thing, pivoting, is a good thing. And I think the good thing is we learn from our mistakes. We don't really learn from our victories. We're far better as humans at learning from our mistakes. Making mistakes is part of it. It's how we deal with them.

Erich Kron:

So another thing we do like to get is the personal side of people here too, and part of that comes back to how they learn. So we wanted to know, in his case, what are some of his favorite books and podcasts. And this is what he said.

Bryson Bort:

So I don't listen to any podcasts, including my own, but I'm gonna recommend a podcast. I'd recommend my podcast, Hack the Planet. It's hosted by the ICS Village, the nonprofit that I co-founded with Tom Van Norman. We're ending our season three. And what I would say to folks who have any interest in critical infrastructure, and also for those of you who are experts in the space, we cover such a variety of folks you've never even heard of doing things you've never even thought of, that I guarantee you there's gonna be something interesting in there. My favorite book is Catch-22 by Joseph Heller. And it's because I think that is the right mentality to have with life. Systems, in the absolute, are absurd but necessary. And so recognizing the humor and accepting the stupidity is the only way that you can smile and get through every day.

Erich Kron:

Recognizing the humor and accepting the stupidity. Wow, that really is a life mantra.

Jelle Wieringa:

Humor gets us through everything. A laugh, it's perfect if you can make people laugh. If you can make yourself laugh in a difficult situation, things happen in your brain. There are actually processes that start that make you feel better. So if you're ever down, put on a smile. It's the cheapest way to brighten up and to look at life differently.

Erich Kron:

So we asked Bryson, what are your final thoughts? What are some things you'd like to put out there for everybody? And these were his final thoughts.

Bryson Bort:

I'm gonna take a moment and I'm gonna throw this idea at you, because I led with the fact that security has not been solved. I've also said that security is defined by the threat. I'm going to name this the Bryson attack model. BAM. Okay. And I need to actually write that out and put it out. Yeah, I'm an army officer. Everything is very simple, and BAM is that there are only three phases of an attack. Reconnaissance: I case the neighborhood, I decide what house I wanna break into. I study the pattern of life, I figure out what's the best way to attack that house. And then the part that our industry is so focused on, which is initial access: I pick the lock, the door opens, or in the technical world, I got a shell callback. Nothing has actually happened to you yet, but this is the prevention mindset that we get caught up on, when the fact is, you cannot guarantee prevention. The third phase is the phase that matters, and it ties this together. And that's effects. This is where the thief, the threat, proverbially makes its money. How do I get around the house? How do I get into the safe? How do I get the money out? I'm ransomware: how do I get everywhere and ransom things? Now, what's interesting about this is that's a constrained environment. The threat is not doing that on computers that aren't there, and they're only able to communicate, the command and control and the way it's moving through your network, through the protocols you already have in that environment. I mean, if everybody speaks English and Jelle runs by shouting in Dutch, I don't have to know it's Dutch to know it's not English. The protocols have to be a part of the environment, and so that's all my platform does. I looked at host-effect malware and saw it only had those two attributes. It has comms, which are constrained.
There's only so many communication protocols, and the most common one used is HTTPS, because it blends in with everything and it's encrypted. And then capabilities: I need to be able to do things on hosts. Again, also constrained, because no attacker wants to do everything on a host. There's only a certain number of things I care to do. Now, the rabbit hole is, there's a number of ways to do those, but fundamentally that's it. And that's what my platform does: I just turn communications and capabilities into Legos. You can build your own Legos and you put them together, and now you can literally recreate any threat from scratch. And so the common question I get as a follow-up is, well, how do you stay up to date with the threat? Here's the secret: the post-effect activities of a threat, when you look at the malware and the campaigns and what they do, 95% of it is the same from threat to threat, campaign to campaign. All of the novelty is how they got there. There's very little novelty on the back end. And so in terms of solving cybersecurity, I believe that space is a constrained square. If we can find a way to replicate those permutations at scale, you now can actually quantify cybersecurity.

Jelle Wieringa:

So I like his very fundamental approach, and his acronym of BAM, everybody's gonna like that. The Bryson attack method. But the way that Bryson attacks it, the fundamental thoughts that he has behind this, that's basically it. He's thought-provoking. He understands what he's doing, and it can really help us along.

Erich Kron:

All right. Well, this was a great discussion with Bryson. I know I learned a lot about this, especially around the threats that cyber has in warfare. That was a truly mind-boggling moment in there that really shifted how I'm looking at the world in cybersecurity and with the conflicts that are going on. So that was a very, very cool part. I wanna thank Bryson for being here, for lending his knowledge to everybody and for sharing it with our listeners here. I hope that all of you found it as interesting as we did here on Security Masterminds. Thank you for joining us. Say goodbye, Jelle.

Jelle Wieringa:

Goodbye, Jelle.

VoiceOver:

You've been listening to the Security Masterminds podcast sponsored by KnowBe4. For more information, please visit KnowBe4.com. This podcast is produced by James McQuiggan and Javvad Malik with music by Brian Sanyshyn. We invite you to share this podcast with your friends and colleagues, and of course, you can subscribe to the podcast on your favorite podcasting platform. Come back next month as we bring you another security mastermind, sharing their expertise and knowledge with you from the world of cybersecurity.