

Every organization wants to be able to recover from a ransomware attack. So why does no one seem to test properly for it?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Heath Renfrow, co-founder, Fenix24.
Huge thanks to our sponsor, Fenix24

Full Transcript
Intro
0:00.000
(David Spark) Every organization wants to be able to recover from a ransomware attack. So if that’s what everyone wants, why does no one seem to test properly for it?
(Voiceover) You’re listening to Defense in Depth.
(David Spark) Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series. And joining me as my co-host, one of your favorites, it’s Steve Zalewski. Steve, say hello to the audience.
(Steve Zalewski) Hello, audience.
(David Spark) That is Steve’s greeting. All right. Our sponsor for today’s episode, one of our favorite sponsors, coming back again with one of our favorite guests who we’ll introduce in just a second, it is none other than Fenix24. Fenix24 redefines cyber resilience, and you’ll find out why in today’s show.
Steve, let’s talk about today’s topic, which you brought up on LinkedIn. When we are thinking about preparing for an incident, tabletop exercises often come to mind. It’s something we’ve discussed a lot on the show. These are fine for testing the lines of communication and responsibility, but they do not test your systems, your backups, and whether you can really be business resilient, like you can be back up at the level you want to be at.
So, my question to you, Steve – what does it take to test a worst-case data loss scenario?
(Steve Zalewski) Yeah. And a lot of people, and I think this is what we’re getting at, was everybody goes, “Well, you have to have good backups and then you can recover the backups,” as the simple answer. But ransomware, as we’re understanding, and the appreciation for resiliency as opposed to just having a single capability, is where a lot of people kind of take the easy answer out.
(David Spark) Yes. And it’s, I will say, just saying good backups is not enough. I find that there are phrases that people echo that they don’t really understand the gravity of. Like my favorite is the “trust but verify.” People say that all the time, but they don’t do it.
You know what I mean? There’s the saying it, and then there’s the actual doing it, and so we’re going to talk about what that really means to do it. And the person who’s going to help us in this discussion – and I just want to stress, this person has seen more people’s bad days than I think any other human I’ve ever met.
(Laughter) So, this guy’s dealt and seen the worst. So, it’s a great person to have on for this conversation. It is our sponsored guest, the co-founder of Fenix24, none other than Heath Renfrow. Heath, thank you so much for joining us again.
(Heath Renfrow) Oh, glad to be here. Glad to see you guys.
What are they looking for?
2:47.446
(David Spark) Andrew Wilder, CSO over at Vetcor said, “So, part of this is business context. What are our business critical systems, what are their interdependencies, and how are we protecting those above other systems? By the way, this is what your board wants to know too.
Once we know that, how are we continuously testing our resilience? When you assume breach, your mindset changes to continuous resilience.” And I think that last line is key. Continuous resilience, which a lot of people, I don’t think that even crosses their mind.
Does it, Steve?
(Steve Zalewski) Well, continuous resilience is hard, and what I like about this quote from Andrew is are you thinking about this as a security practitioner where you have an obligation to bring the data back, or are you looking at this as a business practitioner and appreciating that the security responsibility has to do with protecting key business processes?
And for many folks, that’s a bridge too far because they just want to be tool jockeys and technical experts in cybersecurity.
(David Spark) All right. I throw this to you, Heath. This assume breach has been a philosophy for a period of time, and if you assume that, you really have to focus on the fact that your data is being compromised, don’t you?
(Heath Renfrow) Yeah, absolutely. I would say assume breach, though, is not really looked at from a ransomware perspective. You’ve been breached, you think you’re stopping them, but most people just don’t understand the devastation of a ransomware. It is complete destruction.
It is everything across the board, and I’ve never seen anybody be properly prepared to recover from it.
(David Spark) So, let’s just then just talk about the very basic outlines because I remember asking you this before we did the recording, like, who’s the poster child of doing this right? And it’s what you just said – “I’ve never seen it” – which is depressing that no one’s ever done it right.
But what, I guess, what we also often refer to as sort of the poverty line for doing this, what is the bare minimum you need to do?
(Heath Renfrow) Well, the bare minimum is immutable backups, first and foremost, and that is usually what doesn’t survive. The definition of immutability in the backup space is all over the place. My definition is the data cannot be manipulated or changed no matter who you are for 30 days.
But nothing comes out of the box immutable. It still has to be properly configured, right? And then the key thing that was said in that quote is dependencies are so important. A critical system is just a critical system, but if you don’t know all the dependent systems that feed that system, you don’t truly understand the RTO for that system and return to operations.
So, without dependency mapping and criticality of the systems, you’re not going to understand it. What I have seen in ransomware is the IT teams had made a decision on what they think is the most important business solutions inside an entire company without bringing the business leaders into that conversation.
And then when a ransomware happens, it’s just a really large situation that caused a lot of mess.
Another thing that should be considered part of a backup strategy is storage. Storage is so key to recoverability because everything’s encrypted, your production data is shut down. You can’t delete that data. You can’t move the data. You’re going to have to do data forensics.
And in order to start recovering, you had to have a storage capacity to recover in. Most likely, storage is not going to be enough capacity to even recover if the backups do survive. But even then, I rarely see them survive, and if I do, they’re normally not being executed to the level that the clients thought they were.
(Steve Zalewski) So, Heath, I want to push on that for a second, okay, which was there’s three ways we can think about this, right? We have to protect the business applications. And so, where’s the data and what does it look like? We have to be able to protect the data itself if we’ve got data stores of things that we’re using.
And then the one that always gets me, which was, and then we have to protect the individuals. And how many times I can’t count on my hand where I come into an organization and I go to them and I say, “If I take your laptop away and I give you a re-imaged laptop, can you do your job?” The number of times that they’re not appreciating what needs to be backed up because they’ve got stuff squirreled away everywhere, and how can I know what to protect if you’re not using common areas that I’m protecting?
What needs to be considered?
7:23.538
(David Spark) Daniel Frye of BreachRx said, “It has to be a dialogue with the business leaders about the impacts to the business. Restoring Active Directory is an IT problem, not a business problem. Incident response plans tend to focus on what we need to do versus what the business needs to know.” Alluding to what was said in the last segment.
Fernando Maymi of Anomali said, “I’m surprised business continuity planning isn’t part of this conversation. Ransomware is fundamentally a business disruption event, not just a cybersecurity incident. Incident response and disaster recovery matter, of course, but business continuity planning defines how the organization continues to operate during the disruption.
That’s what ultimately protects revenue, customers, and reputation. The real differentiator isn’t whether you can recover after you get hit. It’s whether the business can stay operational when you do.”
I mean, that’s really a great definition of resilience. I keep thinking when I hear this type of stuff, Heath, that the security industry in general doesn’t have this sort of universal acceptance of a Chaos Monkey type thing where we’re constantly testing our resilience and purposely punishing ourselves to see if we can build more resilient systems.
What should we be doing, Heath?
(Heath Renfrow) Well, to go to that quote, BCP’s extremely important, but it’s a ransomware attack. Your entire production environment is completely compromised. How do you operate and turn back on in a compromised event? What we’re missing in incident response, and I used to miss this too, was we didn’t take into account the lead time just to do the data forensics piece of things.
Remember, you’re going to contain everything. Unless you have a hot site, like a complete replicable different production environment that you can flip on, you’re going to be down for a while. So, BCP is important and understanding the criticality of the systems, but it’s still very challenging even then to think that you’re going to be continuously operational during a ransomware event because you have to close a lot of holes.
I mean, it is complicated. First and foremost, AD is not just an IT issue. AD is the backbone, the brain of all operations within a company from IT functionality. The whole nervous system’s tied to it. These threat actors are going to destroy Active Directory and most likely they’re going to get to your backups and corrupt them too.
So, now you don’t have an Active Directory. You don’t have domain controllers anymore. They’re completely crippled in these situations. So, that is the reason to have a comprehensive backup solution and storage capacity build. Recovery is going to be so key from there because if you’re backing your AD up properly and it’s immutable, then you’re going to sit there and have something to go back to be able to get the brain functionality instead of trying to recreate the entire nervous system again.
(David Spark) All of that was very valid, but really, the question is why aren’t we sort of giving these sort of punishment tests to ourselves, kind of like what Chaos Monkey does, to sort of essentially build that corporate strength and resilience, if you will?
(Heath Renfrow) People do not think it’s going to happen to them, and then when they do, tabletop exercises historically are paper; the mean time to recover and the BCPs and DRPs and RTOs are all “be up in 24 hours.” You just don’t understand the devastation of a ransomware event until you’ve gone through it.
We are underestimating how devastating it is to be able to go through these events. And then the engineering that comes behind that is extremely complicated. You have to have the infrastructure engineers, and how many organizations have a robust line of infrastructure engineers is very limited.
Nobody understands it. And all the tabletop exercises I’ve ever seen, it’s not being portrayed at how devastating it is.
And then how do you test a full recovery? I don’t have an Active Directory, I don’t have a domain controller. Those need to be rebuilt. Now I need to move backups and create new virtual machines and create those. I need to rotate the Kerberos tickets on the Golden Ticket for AD, which takes 12 hours, and you’ve got to do it twice.
That’s 24 hours minimum you’re going to be down. It’s just not being really conveyed to folks, and then backups aren’t being looked at. And it’s important, right? Because those RTOs are going to change. Say you have an HR system’s the most critical system for our client.
Let’s just say that’s the case. And then you have 140 servers that are dependent to that HR system. Now you have two terabytes of data to be able to sit there and recover from. Well, what’s the pipeline to recover that? That’s something else people don’t take into account is how long does it take to move two terabytes of data across a pipeline that might be that big?
These are all the things that people don’t take in account. They don’t understand because they haven’t suffered through a ransomware event yet, and it’s just not really being understood.
(David Spark) Well, but the thing is then how, without actually going through a ransomware attack, what is the experience a company needs to have to say, “Okay, we are prepared”? What is that thing they need?
(Heath Renfrow) The thing they need, in my opinion, is probably a recovery zone within their environment built out. About 25% excess storage capacity, really map their top 30% or 40% of their critical systems. Keep in mind, a full ransomware recovery isn’t needed for a business interruption to stop.
You’re probably going to get at least 30 to 40 percent of your critical systems online, and then you’re making money again. You can start opening up the firewalls. You start pivoting. So, recovery zone or warm site that you’re actually rebuilding domain controllers from clean, you’re cleaning your Active Directory, assuming it’s compromised, and you’re moving new virtual machines in, and you’re recovering the data in those virtual machines.
That’s going to give you a realistic picture of what it’s going to actually take to recover from a ransomware attack. With the assumption that you still have to finish data forensics because if you don’t understand the indicators of a compromise, you don’t understand the credentials they have, you can’t guarantee the AD is clean, and they can’t get access to the environment.
I mean, we’re seeing threat actors that are forging certificates for the Hyper-V environment. So, even when you rotate their credentials for Hyper-V, they’re still able to get access to it because they’re forging the certs. So, it’s complicated.
The recovery and the data forensic element is something that folks don’t take into account just how comprehensive and slow that can be at times.
(Steve Zalewski) All true, okay, but as, Heath, you were talking, here’s where my head was going, which was we’re talking here about desktop exercises, which tend to be the purview of the CISO to do a desktop exercise for a cyber event. And yet a lot of what you’re talking about is business continuity plans and DR, which come under the purview of the CIO, and the backups that are IT issues, not security.
So, my question is where is the accountability responsibility between the CISO, which doesn’t own the systems, doesn’t own the backups, and is here because it was a cyber event that caused the business outage, but has no true practical ability to recover, and the CIO, which is supposed to be the owner of BCP DR?
So, how do you see that relationship between those two changing?
(Heath Renfrow) I will tell you what I consider the top two cybersecurity controls, in my opinion, and then they’re not considered today probably. Backups should be the number one cybersecurity control in an environment. You can guarantee you can recover.
You truly can. Number two is asset mapping and dependency mapping. It’s a disaster out there. I’ve never had a client that knew all their assets. I have seen a shift in the industry. I get called in more by CISOs to come in and look at backups and the configuration of backups because it’s starting to shift to their purview.
I’m seeing more and more CISOs jump in to take over the backup side of the house because it should be the number one control. And in my opinion, it’s the only thing you can guarantee in cybersecurity. I’ve seen every budget known to mankind from a resistance standpoint get popped, but you can truly guarantee you can recover.
There should be controls around backups because the majority of time backups are what? They’re connected to Active Directory. Probably 90% of the backups out there are connected to Active Directory. If that’s the case, identity, move laterally to the backups, destroy the backups.
I believe all critical consoles and critical access should be in a separate managed identity zone completely away from Active Directory and it’ll slow down a lot of those attacks. So, you’re spot on. Security needs to start looking at backups as a security control because it’s probably the only thing we can guarantee in security.
You can actually guarantee it. You truly can. We know how to do it.
Sponsor – Fenix24
15:40.935
(David Spark) Who’s our sponsor this week? Well, when a ransomware attack hits, the key question becomes clear. How fast can you get back up? What we’ve been discussing today. So, the moment your systems go down, revenue, operations, reputation, and trust, they begin to slip away.
In that moment, you need more than just a plan. You need a team that knows how to restore your business while the pressure is the highest, and that is what Fenix24 offers. Fenix24 is recognized as the leading breach recovery company in the world and the first civilian cybersecurity force built for modern cyber warfare.
Their team has completed hundreds of ransomware recoveries, including support for major global enterprises, and they bring operations back online far faster than industry norms. They do not rely on theories or generic checklists. They embed with your team, work with your forensics partner and breach counsel, and handle the work required to rebuild infrastructure quickly and safely.
The advantage of Fenix24 begins before an attack occurs. Their cyber resilience program provides clarity, hardening, and protection to withstand threats. They deliver asset visibility, realistic assessments, continuous protection of backups and infrastructure, and a recovery force.
Even identity systems and backups are secured and ready for rapid restoration. Will your backup survive a breach? Well, you can find out if you visit their website, fenix24.com. And when you go, let them know that you heard about them from the CISO Series.
Would this work?
17:25.998
(David Spark) Simon Goldsmith, CISO over at OVO, said, “It’s not about general IT uptime. Traditional BCP doesn’t cut the mustard for ransomware. Unlike localized outages – a fire or server failure – ransomware is shut down by a hostile adversary. You simply cannot restore everything at once.
Knowing what to recover is about knowing exactly which systems keep your business breathing and which ones present the highest leverage for a threat actor.”
Tony Gonzalez of Innervision Services said, “The recovery process needs to have a playbook that is detailed and tested when backups occur and periodically to ensure recovery is intact. But what fails many times is fully understanding the critical infrastructure and systems required to recover completely and successfully.
Many times, organizations focus on data and applications, but not physical or virtual server configurations.”
And Kim Wallace of HPE said, “Once you have successfully restored the data, can you now recover the application to fully recover that company’s business minimal viable product? What are the core IT services that must be recovered first? These details are typically surfaced in a business impact assessment to identify risk and investments needed to successfully recover the business MVP.” Steve, these are a lot of other considerations that maybe others are not thinking about.
What do you think?
(Steve Zalewski) So, two thoughts here. Business impact analysis, the BIA, as opposed to BCP and DR. And I know it’s a lot of acronyms, and for many CISOs, these aren’t the acronyms they’re normally working with. But a business outage is a CIO problem, and what we’re seeing here is know what your critical applications are, processes are, and be able to protect those at the expense of others.
Because you can’t bring everything back necessarily, and you have to know what to focus on, and you have to know what to give up on. When I think about that, and what he talks about is we talk about DIE. It’s got to be a good distributed architecture.
It’s got to have immutability. So, therefore, we can snap it back. We know to get to a known good state. And it has to be ephemeral. We have to be really good at taking it down and bringing it up. Because the more we practice that, the better we are at being able to “recover” under the guise of us being able to address change in workload.
And yet security is CIA – confidentiality, integrity, and availability. And what I see in a ransomware attack is that we lost the integrity of the data in the systems. We don’t know what we can trust. Therefore, if we doubt the trust, we must rebuild the systems from known good data from scratch.
And now we got a problem because the CIO says, “I’m used to servers going down because they had hardware failures or electrical outages, known good state recovery.” Whereas security is, “We’re going to tell you all the things that could have been compromised, and now you have to bring it all back from ground zero.” We’re stuck.
That is not a conversation that we’re having. And when he says so a lot of security folks are saying, “Oh, for resiliency, we want to own the backups,” or “We need to know where the data is,” I could argue that no, we don’t want to own the problem, but in the testing of ransomware, we need to understand the difference between CIA and DIE.
(David Spark) All right. I throw this to you, Heath. What’s your take? Because you were talking about essentially almost nobody knows all their assets and their interconnectivity, which I hear from every sort of asset management company. They do a scan, and it’s always a surprise to everyone.
(Heath Renfrow) Yeah, it’s always a surprise. And you can’t back up what you don’t know, and you can’t protect what you don’t know. CMDBs, they’re a period in time that somebody’s entered the information in there. So, asset dependency map is important.
You need to understand that and to get to really looking at the recovery and whether or not security should be involved with it. Us former security guys, or security guys used to be former IT folks, and we started splitting it across.
And so, what I would say is the CISOs need to be responsible because the security around backups is flawed because IT engineering is making it easy to get their job done, which they should be doing, but what they’re doing is making it very easy for threat actors to pivot into all these solutions and the backups across the board.
Because that’s not just IT’s engineers, security doesn’t understand IT anymore. Does a CISO truly know what an ESXi is or a Hyper-V host and what the configuration is and look at the Active Directory flaws and the privileged access and local admin across the board on desktops?
The ability for a threat actor to pivot through an environment, through a hosting environment and infrastructure is what’s making it so big of a security risk that backups should be looked at. And storage should be looked at for backups and security because immutable storage is so key.
Only two solutions I know of out there that do immutable storage capability and properly configured. But if you don’t have storage, you can’t recover. And these threat actors are zeroing out storage. They’re destroying it. They don’t want you to recover.
What people fail to realize in a ransomware attack is they’re hands on keyboard. They’re just as smart as your team, but maybe even more knowledgeable of the solutions, and they want to destroy it because they want you to pay them. So, they’re not going to make it easy to recover, right?
And you got to have multiple layers of backups.
And back to the business impact analysis. It’s not being done right. It’s a paper drill, just like DRPs are and BCPs are. Folks, I was the guy that found a template, we plugged some information I thought was good on it back in my days, and I went forward with it because that’s the best you can do.
How do you get business leaders to sit in a room, make a decision? What is our real moneymaker? And that’s the truth. What do you lose money on? What do you need to be able to make your money and make operations grow? And that’s when you start building it out.
But that’s going to change. The priorities or systems change. We’re not looking at that.
All these timelines and the BCPs and DRPs and business impact analysis, they’re not real because they’re not being looked at from a ransomware perspective. You’re making the assumption that you’re going to snap your fingers and be back up. And when you truly understand your critical systems, you can start using storage as a backup strategy.
Storage should be part of your backup strategy because snapshots are going to be the quickest path to recoverability. It’s not considered part of backup strategy, storage is not, in snapshots. But you snapshot the most critical systems. You eat up some storage, you spend some money there, but if they survive and they’re immutable, now you have the capability to spin these virtual machines up.
But you don’t need to snapshot everything. Then you have an on-prem solution. You snap up the critical system still. You need to have multiple layers, but your RTOs are going to change.
To everybody out there, when you build your disaster recovery plan and your BCPs, your RTOs should be built by critical system. Number one system, dependencies to that system, the amount of time it takes the data to move back into a production environment, that is your RTO.
And then eventually, like I said, you’re going to hit some point where you can start opening and making money again. And then you can transfer your risk to cyber insurance. In this industry, and even me, I looked at insurance policies as an expense and not a transfer of risk.
When you truly understand your return to operations, you can transfer your risk from a business perspective over to cyber insurance.
Cyber insurance works on two paths. Ransom payment, data forensics, legal counsel. That is one path of cyber insurance. The thing that I see every client, except for one major casino client, every client has never had enough business interruption coverage.
Never. They run out within days, and they’re losing millions and millions and millions and millions of dollars every single day, and there’s no way to recoup it, right? I mean, Jaguar, for example, 3% of their gross domestic product for the UK was lost because of the Jaguar incident.
I mean, that’s how impactful financially. Go, David.
No one said it would be easy.
25:51.268
(David Spark) Eduardo Ortiz of Techtronic Industries said, “Recovery maturity isn’t a backup problem. It’s a knowledge management problem. Most organizations can restore a server. Far fewer can answer the harder questions when the clock is running. Which systems come back first?
What dependencies only two engineers know? Can you rebuild (Laughter) identity fast enough to use what you restored? Active Directory alone can paralyze a fully backed up organization for days because Active Directory is its own discipline most teams have not rehearsed.” He’s nodding his head on this, but there’s more.
Eduardo goes on to say, “The maturity shift happens when recovery knowledge becomes a governed asset, not tribal knowledge. Dependency maps, identity runbooks, SaaS recovery paths, and decision authority all need to be documented, tested, and owned before the incident.
Tabletop test communication, technical drills, test execution. The gap between them is where most recoveries break down. The organizations that recover fastest have already answered every hard question before the ransom note arrives.” That last paragraph, I think, nails it.
Yes, Heath?
(Heath Renfrow) It absolutely does nail it. A few things. The biggest lie in cyber resilience is that backups equal recovery, right? Even if the backups are there, like he discussed, AD is so important. Active Directory is not an IT system. It’s a control plane for your entire business, and without it, you can’t even operate.
Just imagine. You get hit. You’re down. No domain controllers. No Active Directory. You have to start rebuilding from scratch, and people don’t take that into account. So, backups aren’t going to equal that immediate recoverability because you need to be properly planning for all the IT systems you have to rebuild, the virtual machines, the lack of storage capacity.
And that’s important because if the backups aren’t there, storage capacity becomes even more important because you’re probably going to have to buy a decryption key. And guess what you got to do? You got to copy data, move it into a sandbox environment, and then from there, you got to practice with a very flawed decryption tool, most likely.
So, you’re eating up even more storage, right?
So, he’s spot on with a lot of stuff in there, but I would tell you, backups most likely aren’t going to be there unless they’re actually properly segmented. If they’re on Active Directory, I’m telling anybody in the audience, if your backups are connected to Active Directory, they will not survive a ransomware attack.
It’s one of the first things they’re going to go after, and they’re going to get to them quickly. They’re going to delete them. But other things people don’t take into account, you’re locked out of your host environment. They’re going to change all the administrative passwords to your ESXi and your Hyper-V.
They’re going to lock you completely out. They’re going to lock you out of your backup solution even if it does survive. If they can get it, they’re going to delete it. They’re going to encrypt it. They’re going to go to your SaaS platforms and lock you out.
And SaaS platforms are one thing. ERP system, for example, mostly in the cloud, but you have an on-prem. Most people don’t back up ERP, and they should back up on-prem because ERP’s going to be a long leg to be able to recover. So, a lot of things that just because backups are going to be there, the assumptions are going to be there, and all these playbooks are wonderful.
They’re all paper, I’m sorry. It’s just like compliance frameworks. They’re as good as the day the ink dried. And I’m not insulting. They’re important. They should be out there, but you have to practice this in a real world destructive, you’re truly down, and be realistic with what it’s going to take to recover.
Because if you don’t, your company’s going to suffer greatly, and you’re going to lose a lot of money. People are going to be laid off.
It’s devastating what I’ve seen out there. I’ve seen people actually have heart attacks because of the stress of this and pass away. I’ve seen medical device manufacturers not be able to deliver artificial hearts to patients. It is more than you can ever imagine.
Don’t assume you can recover quickly. You truly need to test it.
(David Spark) Fair warning on that. Steve, as someone who’s also experienced the good, the bad, and the ugly, have you had an experience with a team that was well tested?
(Steve Zalewski) No, absolutely not.
(David Spark) And he, when I had asked him earlier, had never seen one. And he’s seen more than you’ve seen. So, the sad reality is that this problem is more than the norm; it’s everybody.
(Steve Zalewski) So, here’s the problem. You’ve heard me say this. Security is like brushing your teeth. It’s a hygiene exercise. Nobody does security because they want to. They do it because they have to. It’s a non-functional requirement. That’s the brutal truth.
Well, BCP and DR is the same thing. Everybody kind of goes through it because it’s really hard and really expensive and you do it once and a week from now, the systems have changed and you’d have to do it again because the rate of change is much higher than we would like to acknowledge.
Okay? And so, therefore, what happens is you have a ransomware, you have a true BCP outage, okay? You have a situation where it’s now in your face, money’s being lost, and they realize we can’t do this again.
I’ve had multiple of these. For six months, okay, a lot of money pours into the problem, but then the CIO is asking the business to be able to have more rigor in their processes, to be able to do these desktop exercises, to pay the money for all of this, and all of a sudden, it’s like brushing your teeth.
You know, I’m probably not going to get cavities, I’m going to cheat a little bit here. I need functionality better. Okay? That’s what it is. That’s why we can’t solve it.
Now, I want to add one more perspective to this. I hate to do this, but we are. Okay? We’ve been practicing BCP DR for as long as IT’s been around. We’ve been doing cybersecurity for 30, 35 years, and ransomware’s been around for 25 of that and we suck at it.
Why? Because when we were running all our business applications on our own private data centers and trying to make all that work, okay, it’s an art, not a science. Then we added SaaS, and we started pushing all of the business applications into the cloud, and third-party and fourth-party risk management now enters the picture because I don’t control, as the CIO, 100% of my infrastructure.
Third-party, fourth-party risk is they’re covering things on the back end and we’re trusting them. Cybersecurity now’s got the same problem, which is, well, if I don’t own everything, how can I know it’s all protected? I have to trust you. Trust is bad.
Okay?
But the final kind of nail in the coffin now is AI and AI agents because this is what we said here. It’s about knowledge management. Data management and backups is interesting. That’s data. Then I get information, the correlation component, and we can still work with that.
Well, knowledge management and the compromise of the agents themselves and the ability to recover the agent to a known state, not an expressible concept today. We can’t do knowledge management from a security perspective. So the problem is getting worse and worse on us at this point.
So, part of the value of this conversation is to have people step back and go, that’s why a BIA, that’s why understanding where your data is and your systems are important, but you kind of got to reevaluate what this whole problem looks like so that the CIO and the CISO together can have a reasonable story to the executive team about what’s possible and then what’s probable.
Closing
33:18.952
(David Spark) Well, that brings us to the very tail end of this show. I want to thank both Heath and Steve, but it’s the point where I’m going to ask both of you which quote was your favorite and why? And Heath, I’m going to go to you first. I’ll ask you of all these quotes I read, which is your favorite and why?
And you could agree or disagree with them, but it brought up an issue that you thought was valuable. Which is your favorite?
(Heath Renfrow) I pivoted from earlier. Andrew Wilder, I really liked his quote across the board, because it really sits there and resonates with what I actually think.
(David Spark) He’s talking about it’s the interconnectivity of your environment, essentially.
(Heath Renfrow) Right. Interdependency’s so important. It’s the reason we created Argos99, our dependency mapping software, is because when we walk into a client to be able to recover them, the first thing we ask is, what are your critical systems? And then I have to get the business leaders in a room and really try to decide it, because you have IT individuals trying to make decisions on what they think is critical without really understanding.
And then from there, I’m like, okay, what are all the servers and systems that feed that? And that’s difficult because we’re trying to put Humpty Dumpty back together and the client has no clue. It’s not mapped out. They don’t understand it. So, it’s so important.
You can’t back up what you don’t know, and you can’t protect what you don’t know.
So, dependency mapping’s so important, and that’s how you can drive those RTOs, and true RTOs by critical system. Like I said, full recovery is not what you need to plan for. You’ll get to the full recovery. Recovering those critical systems timely, quickly is going to drive down your business interruption and save your reputation.
And that’s what you need to focus on. What does it take to keep the money flowing in and out of the company? And then you can put all the ghosts and the systems back up over a period of time.
(David Spark) All right. Excellent point. Steve, your favorite quote.
(Steve Zalewski) Yeah, Andrew’s is good, but I’m actually going to go with the last one, which is Eduardo Ortiz’s, and here’s why. Recovery maturity isn’t a backup problem. It’s a knowledge management problem. And it’s the appreciation now that historically, transactional systems and the data to be able to recover the business systems is a set of static data snapshots.
Now it’s knowledge management, as I’m relying on AI agents that are actually providing the back ends of making decisions, of understanding the context. That it’s not just a transaction of playing checkers, but we’re playing chess. And that for all of us now, it’s we’ve got to be good at the basics.
Everything he said’s absolutely true, but we got to kind of take a step up now. And while we continue to fight the good fight there, we got to look at what AI agents and knowledge management looks like because that has got to be incorporated into the story soon.
(David Spark) All right. Well, that brings us to the tail end of the show. I want to thank Heath Renfrow and Fenix24. Remember, Fenix24 redefines cyber resilience. And by the way, Heath, I’m going to let you have the very last word here. I also want to thank my co-host, and that’s Steve Zalewski, who I love having on the show, always bringing the great insight.
All right, Heath, last word from you. Any offers or anything special you want to tell about Fenix24? And can people get in contact with you? And are you hiring over there?
(Heath Renfrow) Yeah, Fenix24, we exist for one reason, to answer the only question that matters in a breach: how fast can you get back to operating? So, we don’t simulate recovery, we do it. We don’t assume backups work, we validate them. We don’t plan in theory, we execute in reality.
Because in the end, this isn’t about systems, it’s about keeping businesses and the people behind them alive. Yes, we’re always hiring, so reach out to us. We have a peacetime and a wartime side of the house, and Argos99 is our new dependency mapping software that was released and announced at RSA.
You can’t protect what you don’t know. It sits on a jump box, it maps all the workflows across the board and will show you all the dark spots internally and externally. And that way, you can really build a true disaster recovery plan and execute across the board to understand what your critical dependencies are and your critical systems.
(David Spark) And Heath is looking for the number one poster child, the one that he can say, “These guys are the best prepared.”
(Heath Renfrow) Come on, I challenge you. I challenge you.
(David Spark) (Laughter) All right, one of those companies, we want to see it. All right, thank you very much, Heath. Thank you very much, Steve. And thank you, our audience. As I always say, we greatly appreciate your contributions and listening to Defense in Depth.
(Voiceover) We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at (email protected). Thank you for listening to Defense in Depth.