Introduction (00:35) You're listening to KBKast, the cyber security podcast for all executives. Cutting through the jargon and hype to understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen. Karissa (00:50) Joining me today is Glen Pendley, Chief Technology Officer of Tenable. And today we're discussing today's attack surface, which is in siloed. So, Glen, thanks so much for joining. It's wonderful to have you here. I know we've tried to reschedule a few times, but it's wonderful to have this discussion with you today because I'm super interested on this topic and I want to know more about it. So let's start with your thoughts on today's attack surface. Now, I know when we say today, every day changes in the cyber security world, every second changes. But as of today, talk me through what's happening and what you're seeing from your perspective. Glen Pendley (01:25) First of all, thank you for having me. I'm sorry for having to reschedule a few times. So as far as attack surface and what's happening, it's just interesting that technology has just been changing so quickly. I mean, we see it between just what our phones have done and tablets to the cloud to the way people write applications. So many things have just changed so exponentially faster than I think many organizations are capable of keeping up with. And I think what businesses are trying to accomplish is they try to take advantage of this new technology that's coming out. And in an effort to modernize and provide a better product or offering that whatever their business is trying to provide to their customers, users, or whatever, the fact that they don't fundamentally understand the technology that they're starting to leverage, it introduces a huge amount of risk. And security teams in a lot of these organizations are left behind the eight ball, attempting to make the best out of a bad situation in a lot of cases. It's only going to get worse. I think that the more new things are being introduced, you see chat, GPT, you see all of the stuff and people get crazy excited about it. Glen Pendley (02:45) And it's like, oh, we need to start using it. Not really thinking through the implications of what introducing new technology into their environment does. Just blowing up the amount of the logical physical attack surface that they need to try to secure, what it's really doing to their security teams and how the security teams are trying to keep up with the business. Karissa (03:09) You mentioned before, Glen, that people don't really understand that their technology and how to leverage it. So what do you mean by that? Now, this is an interesting question. I was speaking to someone on the show, I think, last week, and they were saying, generally, an average company here in Australia uses between 75 to 100 different tools, and that's a lot. And then they were just saying, a lot of those tools, there's a lot of overlap, or they don't use them, or they're obsolete, or someone's up the business and no one even knew that they even bought this tool. So talk to me a little bit more about how that works from your perspective. Glen Pendley (03:45) There's tons of different examples. There's obvious examples of the adoption of public cloud, AWS Azure GCP. There's tons of new cloud providers being spun up nowadays. The idea of how best to leverage infrastructure that you don't manage in the whole shared responsibility model, that's a big part of it. But even as cloud service providers introduce new ways of managing the infrastructure that they make available to you to use, it introduces a ton of different risk. And again, people, especially engineers and technology people, they get excited. Aws just launched, what you say, like, Lambda functions, serverless technology. Let's try to use that. Not really understanding the potential security impacts or even from a cost perspective impacts a lot of things. They just try to do it in order to keep up to date or try new things. There are other examples where you think about everybody uses Slack or some messaging tool. For example, in Tenable, we use Slack and we use Zoom for communications and stuff. But within Slack, you can start a Zoom meeting. So the idea that you have different SaaS applications that are intrinsically linked through your identity and stuff like that, and just the risk of just how many different pieces of technology are interconnected and talking. Glen Pendley (05:18) So many people have no idea the risk that they're introducing into the environment because of just ease of use and stuff, whether it's individual users, whether it's administrators, whether it's people from all over the business trying to do what they need to in order to solve whatever it is their problem is. Just think about it. The amount of people, let's say you're using Gmail or even Office 365 or just some SaaS application for your mail. Let's say I want to use a calendar application because I like the way the features and stuff. Now that application that I downloaded that I'm using is now need to access to connect to my inbox and my calendar and all this stuff, that introduces risk. That's a part of the attack surface that people aren't necessarily considering. A lot of times people are just looking at what servers do I have on the internet? What vulnerabilities do I have in a particular web application? It's only getting worse. There's just so much. Everything is so just connected. Every little change and every little thing that people are introducing and using in a lot of ways and positive ways for the business is just introducing more risk. Karissa (06:30) Okay, that's super interesting. Now, you mentioned before that people just aren't considering it, which I can understand. So for an example, I know you're walking down a dark alley, maybe people aren't considering their potential risk. Maybe some people are, maybe some people don't. Sometimes it's just being human beings, we're so focused, like you said, on the shiny object of the new technology, for example, that we're not focusing on the potential risk. So how do people get an idea then on the risk? Now, it sounds obvious. We've got to do risk management meetings and we've got to have our risk matrix and we've got to have business risk and tech risk, all that. I get that. But how do we actually implement... Okay, we've got all these things that are interconnected that you mentioned before, Glen, but how do we actually think that there could be these risks? And then how do we manage that ongoing? Because it sounds easy in theory, but in practicality, this is hard. Glen Pendley (07:24) It is hard. And it's interesting. I've been in cybersecurity since the late 90s, early 2000s, and there are certain fundamental principles that have applied since day one. And first and foremost, visibility is such an important thing. I think a lot of people don't understand the risk that they're introducing by using new technology or just doing things to drive the business forward. When you shine a light on it and when you actually show people, look at everything that's being used or how this is being used, it introduces a light bulb moment for a lot of people. And if they don't even know something exists, ignorance is bliss. So I think in any circumstance, the most important thing you can do when you're trying to get a sense of quantifying risk or just getting an idea of a risk profile from across the attack surface, you have to first get visibility and understand what exactly is my footprint. Again, whether it's servers on the internet or applications being used and SaaS applications talking to each other, whatever it might be. It's super interesting that light bulb moment when you can just show people or have them get an idea of what it is that they have. Glen Pendley (08:40) Usually that's when behavior changes because you don't know what you don't know. Karissa (08:46) True. Now, you mentioned before as well that the attack surface isn't siloed. So what do you mean by this specifically? Glen Pendley (08:57) When you look at the security space today, it's interesting. And people like security vendors, they build tools and they're trying to stop a certain thing. You can't be all things to all people. And so what you'll see is somebody will build a product, start a company that is focused on doing cloud security. You have another company that's focused on doing endpoint protection. You have another... So you have all of these just products, things that are trying to do the best job that they can do in securing an individual piece of the attack surface. The problem is that nothing happens in a vacuum. A good example that I tell people about this is you can buy a cloud security product today and deploy it perfectly. And let's pretend for a second you have it absolutely secure as you can possibly get. It's a perfect environment from a security perspective based on what that security tool is telling you. You would then think based on what that product is telling you that you have no risk in your cloud environment. However, that's not necessarily true when you think of the reality of the situation. So let's pretend for a second, you and I are DevOps folks that manage the cloud, and the hygiene on our machines are terrible. Glen Pendley (10:15) And let's say I'm a mouth breather that clicks on every link that gets sent to me in my inbox, and I have a bunch of vulnerabilities, and I just had bad hygiene. I'm not using endpoint protection. There's no firewall. It's just a bad hygiene of my system. How secure is your cloud environment at that point? If you really think about it, right? If I get exploited, you're done because the access that I have, I can connect to anything in that cloud environment. I can change things. I can do stuff and all that. So when you look at and you attempt and security teams are attempting to try to secure these different parts of the attack surface, we as the security industry, we haven't done them any favors up to this point because we've built tools and they're doing the best that they can. And they're like, oh, I'm secure because my cloud security tool I've been remediating these critical alerts and over here and here and here. But everything is interconnected. Nothing happens in the vacuum. I could just rattle off a bunch of examples. Ransomware attacks happen not because a particular vulnerability exists on somebody's laptop or server. Glen Pendley (11:24) It's a combination of things. And because security tools aren't looking at everything as a whole, it's super hard for security teams to be successful because nobody's putting the pieces together in a way that shows the context of everything in that particular environment and trying to tie those pieces together. Karissa (11:43) So why aren't people looking at how the pieces connect together? Glen Pendley (11:47) Well, it's a very hard job and it's interesting. So at Tenable, that is what we're attempting to do. And we introduced new technology and the vision of where we're going is specifically focused on doing just that. The reason why it hasn't been done to date is, like I said, it's an extremely difficult problem to solve. And the reason being is there have been security tools in the past that have tried to do a good job of bringing data together and trying to programmatically identify certain things in the environment that behavior is happening or something is based on certain things that are happening that a particular attack is ongoing or has happened. When you think of XDR, for example, it's a great example of bringing together a whole bunch of data and trying to programmatically say, Hey, this attack is happening because I see the behavior of this system is doing this and you have this configure, blah, blah, blah, and it tries to say, This attack is happening. When it comes to more of the preventative security side, like enabling people to try to secure their environment before an attack actually happens, there are so many different aspects that goes into trying to identify what I call applied risk, and it's an extremely difficult job. Glen Pendley (13:08) You have to treat it like a big data problem. And even when you look at the security tools in the past, and there's been a few that have attempted to do it, they always look at a single variable in the equation. They'll say, Oh, I'm going to bring together all these vulnerabilities and I'll put a machine learning model algorithm on top of all the information I have, and I'll better help you prioritize which things to go patch. The problem with that is your vulnerabilities really don't matter in a vacuum. An example is, let's say you and I, let's say we're both using a MacBook Pro, just a laptop of some sort, and we both have the absolute worst vulnerability in the world on it. Every single security tool in the world will tell you, well, both of those are equally bad. But the truth is, in reality, what security folks are dealt with dealing is that depending on how your machine is configured versus how my machine is configured, depending on what access you have to what systems compared to what I have, that vulnerability fundamentally could have a very different meaning in reality. So if, let's say, your laptop is locked down, you have updated endpoint protection, you're using multifactor authentication all over the place, and I don't do any of that, that same vulnerability, which one is more risky? Glen Pendley (14:25) Objectively, without a doubt, my vulnerability and my laptop is at much more at risk to the business than yours. And the issue is time, understanding all of those aspects, building relationships between all that information and using that to quantify risk is a very hard job to do. And that's what we're trying to do now. And that's what we've been working towards based on the acquisitions we've made and what we've been building organically. It's hard. It's a very different approach to preventative security than what people have done in the past. Karissa (15:00) Okay. So I'm curious now to know from your perspective, Glen, so you mentioned the why, but now I want to focus on the how. So how can people start... People who are listening are like, Okay, Glen makes a great point, a profound point. How can people work on getting better at that? Now, I know after listening to this, people are not going to... It's not going to be a flick of a switch and then all of a sudden everything's perfect. That's not reality. That's not how it works. It's progress and it's more of a Kaizen strategy. But what can people start doing today? If they're like, oh, that's probably me that's in that bucket. Do you have any advice that people can take away from today's interview? Glen Pendley (15:37) From a technology problem, nobody's really there yet. I think we're close and we're about to be there. But you could still make a lot of progress on your own. You have to consider... And it's hard because for somebody to do this on their own, and this is where the challenge is and why people really haven't done it is, you have to build those relationships. You have to know who you and I are. You have to know what those laptops are and how they're configured to do that. You can do that job manually through all these different tools. You can export data out, you can dump it into data lake, you can put in Excel spreadsheets. There's a manual way to do it. But I think what's important is when you're looking at trying to quantify risk and trying to prioritize what you need to do in order to legitimately reduce risk in the environment, be cognizant of the context of that of that vulnerability or that configuration or whatever is out of compliance because that is what real risk is about to the business. It's interesting. You see a lot of tools out there trying to quantify risk, and they're doing it based on a generalized sense, however they're quantifying it, whatever model or whatever equation that they're using. Glen Pendley (16:50) And the issue is every single environment is different and what risk means to you might mean something fundamentally different to me. However, what is universally true is that if you're grading everything on a scale, the way certain things are set up and the way things are run in your environment, some things are more at risk than others. And as long as you're trying to rationalize that concept and trying to bring context together and an attempt to identify what that context is, you're going to do a much better job of actually reducing risk in your environment. Okay. Karissa (17:30) So I want to switch gears now for a second. I'm curious to know how the attack surface changed over time. And then what can we expect to see moving forward? As you mentioned before, Glen, it's going to get worse. A lot of things are more interconnected now. There's a lot more things dependent on certain technologies nowadays. What are you seeing now? I know that you don't necessarily have a crystal ball. You can predict the future. But again, the show is more just about having those conversations, hearing your insights, hearing your knowledge, and then hoping we can learn something from what people like yourself share on the show today. Glen Pendley (18:02) If you look at how things have evolved since the internet became a thing and businesses started legitimately using the internet and just networking in general to do business, things have really started to go from a more centralized management of things. If you think about it, in the late 90s, early 2000s, pretty much through probably the early teens. The responsibility attack surface was very I have a DMC of systems that I manage, I control. Everything is like, I own it. I'm the master of my own destiny when it comes to trying to secure things. Everybody sat in an office, all the laptops and things that people used. It was very contained. And with that containment, it's so much easier to get a handle on what it is that people are doing, how they're doing it, and all this other stuff. It was simpler to try to try to secure. Then came the emergence of public cloud. And at that point, you don't really have control anymore and things just started breaking out a little bit. So that started getting more difficult. And as more services in these public cloud CSPs start evolving, it just is going to get harder and harder. Glen Pendley (19:21) And then you couple on the end of that, you start seeing the emergence of phones and people coming their machine is no longer just necessarily a laptop in an office. It's also their phone. So basically, I can go through a bunch of different examples here. But the point is, everything is getting more and more distributed. And the ability of people who are responsible for securing the environment. It's getting way more difficult. And I think it's only going to get worse. With the pandemic, everybody started working from home. So it just exponentially got worse. We start thinking about phones and even corporate laptops not even just running off with somebody body's home network. And I think you start looking at 5G and the opportunity for people spinning up entire networks now that are completely just the possible implications of what 5G could do if it's implemented in the way and adopted like it could, in theory, it's just going to be a nightmare because everything is getting more and more distributed and getting visibility is just going to get harder and harder. So do. Karissa (20:30) You think over time, so the gap between doing best practice security and, like you said before, it's getting worse, is that going to get bigger? Or do you think it'll just stay the same as it is now? Because our security is still getting better, but at the same time, everything around us is getting worse. But do you see there being a massive Delta moving forward? What do you think? Glen Pendley (20:53) I think two things. I think that it's going to get like the gap, because if we agree that visibility is first and foremost the most important thing you need to get. I think the gap in getting visibility is going to get harder and harder. I just feel that's going to be unequivocal truth. I do think, though, that what will always be the case when it comes to security is doing the basics will save you 99 % of the time. And if you really look at all the different attacks that have happened over the last few years and over time, so few of them were really nation state super targeted crazy attacks that you just throw up your hands and be like, there's no chance I could do that. 99 % of all attacks are because people weren't doing the basics. So if you're at least doing the basics on what you know about, that's going to save you nine times out of 10. And the better job that you do of getting better visibility and just applying basic cyber hygiene on what you have visibility on, you don't need crazy products and AI and ML and try to detect all this stuff. Glen Pendley (22:16) If you just do basic cyber hygiene ahead of time, majority of attacks will never happen against you because if you're doing the basics, the way attackers actually work is they're like water. They find the path to least resistance. If you make it a little bit too difficult for them to deal with, they're just going to move on. So I think there's always going to be a constant of just doing basic cyber hygiene is going to be always true. It's going to be harder and harder to get visibility to know what to apply the basic cyber hygiene on. Karissa (22:46) Okay, so there's a couple of things in there that I'm really interested on. Now, you said that the gap is going to get harder with visibility. So when you say that, do you mean because of, like you said before, people working from home, they're using home networks, they've got BYOD, whether it's a phone, whether it's a machine. Is that what you mean by the visibility is going to get harder? Because people all over the shop now, people don't even know what's going on. They don't know who's in the company now because people have been hired in the middle of Timbukt too. It's harder than it was before. It was before, it was we go to an office and then we're all there and we know exactly who's here and who's working here. But now we don't even know what's happening. There could be staff being hired left, right and center that people and other teams wouldn't even know about because they don't see them. Yeah. Glen Pendley (23:30) I mean, that. And then you couple all of that just unknown because people are coming in. It gets harder to use certain tools that show what's happening in the environment to infer a lot of things. So let's say you and I work for Acme Corp, and we both sit at home and we're doing what we're doing, and you decide to install a piece of software on your laptop because you're writing an application and this new ID is going to make life so much better for you. So you install it and you start doing your thing. If I'm a security person, I might have no idea that you did that. It could be an open source tool that's just a Trojan for some piece of malware. Who knows? When you think about the applications that people are using because things are less controlled and it's so disparate. And then think of all the SaaS applications that people are using, too. And you go back to the interconnectedness. People fundamentally have no idea how their users are using applications because they don't have any control on those applications. Couple that with people using a number of different devices to do all this work spread out all over the world. Glen Pendley (24:35) It is extremely difficult. Now, the other. Karissa (24:39) Thing I want to ask is the basics. Now, I have spoken to many people in this show about the basics. Now, what you're saying makes sense, right? But there's a couple of things in there which I want to know more about because we can't do the basics. Now, what I mean by that is you mentioned it before that a lot of people in this space, obviously technologists like yourself them. They're very focused on, oh, shiny new object, new tool, new flashing light, new box, whatever it is. And then the basics go out the window. Why? Maybe there's the banality of doing the basics. But you said before, nine times out of 10, we would have a lot less security incidents. But we as a group of people can't get that right. Makes sense. Endpoint protection, doing patch management. People have been talking this for 20 plus years. We still can't do that. Why can't people do the basics? I don't know if the basics are basic, though, because we can't do them. Glen Pendley (25:33) That's a good point. You would be surprised. I've been at Tenable for 13 years now dealing with the vulnerability space and doing all this. And here's a little true story. And this was right before the pandemic. I did a CISO round table and I was managing it. In these things, you don't sit there and try to lead the witness. You just foster the conversation. And it was about vulnerabilities and stuff like that. And every single person, CISO in that room, as a part of the conversation, none of those people that were sitting in that room actually tried to find and identify vulnerabilities on their endpoints, like what they were scanning, what they were trying to get visibility into were just their servers. And it blew my mind because the way attacks actually work today, it's not 2000 and people aren't firing off like warms and stuff like that, attacking servers directly. They go after users and send phishing things and take advantage of the weakest link, which are the people. And none of them, and this was only four years ago, three or four years ago now, none of them were even doing that. So you would think that technologists and people that are security people would just innately understand what those basics are and they would be doing it, or they're attempting, but it's too much. Glen Pendley (26:54) You'd be surprised at how many people just are They don't even really, I think, understand the first part, which is visibility and focusing on where real risk is originating or potential risk is originating in their environment. I think for the organizations that are attempting to do it, you bring up a really good point where the amount of vulnerabilities and the amount of things people are required to patch and ensuring everybody's using MFA and stuff like that, it is a lot of work. And I think that's a part of the problem when it comes to preventative security. And I'll be honest, like Tenable, we've contributed to the struggles that people have had to deal with for 20 years of doing the job, where we'll enumerate every single bad thing. Here's 100,000 vulnerabilities in your environment. Yeah, these are the worst. You only have 4,000 of those. Good luck, God speed. And then we just leave people to try to patch everything. And the processes they put in place to try to do that patch management, to do the basics, they're trying to do that job. It's your Sisyphus rolling the boulder up the hill. You're never going to be able to patch everything. Glen Pendley (28:07) And I think to go back to an earlier point, I think what's important and what we're trying to accomplish is to better identify... You only have so many things that you can do, only so much time in the day, only so many people to do it. So how do you do a better job of quantifying that applied risk? These are the patches you need to because if something bad happens, this is what's going to actually cause something bad. Instead of just saying this one vulnerability is on a thousand different machines, you need to patch it all. Maybe you only have to patch it on five machines because of the way everything else is configured and using all that context. So I think you're right. There are a good amount of people that are trying to do the basics, but they're never going to get it right because there's just too much work to do. I'm so very passionate about what we're trying to do here because I feel bad for people that are trying to do the basics and it's just not happening because they just literally can't get it done. So the more that we can do to identify those things and bring that together, it's like, look, can we do so much? Glen Pendley (29:13) Here's what you need to focus on. If you do this, the chances of something bad happening and there being a downstream impact is mitigated. Because if you think about it, having a successful attack doesn't matter. Breaches matter. So if I clicked on a link and I got exploited, but there are other compensating controls in place, there are other things where there is not a breach of data or something fundamentally bad happening in the environment, at least it's contained. Whereas if that wasn't the case, if I wasn't prioritized based on the context around me, that's when the bad things actually have an impact. Karissa (29:52) Totally get it. I still want to press on this point a little bit more because I find this very fascinating. Now, I'm not negating that, of course, doing the basics, like you said, it's hard. It's 100 % it's hard. But I guess it's just more so that the attitude towards certain security professionals is, Oh, just do the basics, as if it's super easy to do. Now, the analogy I like to draw on is it's like, okay, people say I'm going to lose weight. It's pretty obvious how you lose weight. You eat correctly, you eat less and you exercise. Yet people all over the world, they struggle. They're trying to find ways to diet pills and these shakes and doing whatever it is, some fancy, ridiculous exercise or whatever it is. And yet it's like, if you just do the basics, which is eat less and exercise, you would then lose weight. But yet as human beings, we try to find all these strange ways of circumventing, just doing the basics. And I think the same theory applies to cybersecurity, which what you and I have spoken a lot about today, Glen, so the basics, like you mentioned before. Karissa (30:57) But then we're also we're trying to find, oh, let's just bring in this tool that's going to have AI and ML to help detect all these vulnerabilities rather than defaulting to the basics. So I guess that brings me to my next point, which is you mentioned before about that Seizure round table that you had, and you were perplexed why none of these Seizures were again doing the basics. But why were none of them doing that? Why didn't they think of that? Because, again, how can we say it's basic when it's not that basic? Glen Pendley (31:30) Yeah. So two points, I do agree with you. And I'll be totally honest, as an industry, from a security vendor perspective, we haven't enabled people to do the basics at scale. But that's the truth. Obviously, I'm biased, I think we do the best job of identifying vulnerabilities and what needs to be addressed from a... These are the things that you need to address and that will help. But because the attack surface isn't siloed, because there's more to it than just a vulnerability, all that context matters. And because as an industry, we haven't guided people in how best to apply the basics to what to actually reduce that functional applied risk. They're looking at every tool individually and they're trying to just do the best they can. So I think everybody, your point is spot on, and I not argue with you. Security products just tell you everything bad. And again, looking, they're the nail or they're the hammer. What they see is the nail and they throw that at people and then they're floundering. And that's just, again, something I'm very passionate about and why the vision I have for Tenable is to actually enable people to do this. Glen Pendley (32:52) When it comes to the CISO Roundtable, I actually broke protocol because I was completely perplexed. And in this particular case when I was like, Wait a minute, I had to ask them. I'm like, So you guys don't... You're not even looking at the vulnerabilities or configuration or how your users and their systems... They said, No. They're like, Those aren't the important assets. That's not what's important in my environment. My servers are what's important. And again, I wasn't going to sit there and try to shame people. And hopefully, none of those people that were in that round table are listening to this. But to them, their idea of how the reality of how attackers think and what... It was just very outdated and flawed. They were trying to do what they thought were the basics on just a very small subset of the attack surface that isn't even the most targeted part of the attack surface. So to me, it was more of them not doing the basics or understanding the basics. I think it was bigger than that, to be completely honest. It was t's very confusing to me for them to not even understand the fundamentals of client side attacks and what that means and how things work. Glen Pendley (34:09) So I think that particular use case or that, excuse me, scenario was just, hopefully, that's just an outlier as far as how people think. Karissa (34:19) Yeah, I get that. And it's not like a matter of making people feel bad. It's just more so that if people aren't doing it, again, it's not that basic. So it's more so the mentality behind it. But you mentioned before, how do we enable people? You gave an example that there's a lot of things going on in organization. Of course, you can't manage everything. But perhaps, for example, you could patch five machines versus 1,000 because five of those have the vulnerability. How do you get to the five? How do you go, Okay, these are the five. This is all we need to do. That way, you're not over cooking it. How do you just cook it just right by just managing those five machines and forgetting the rest? Glen Pendley (34:59) So and again, this is what we are working out of what we're trying to accomplish here. So I'll go through a thought exercise. Let's say you have a thousand system, like a thousand machines in your environment that have a bad vulnerability, like an exploitable vulnerability, the same vulnerability on a thousand machines. What everybody in tenable historically would tell you is you need to patch those 1,000 machines. And people are like, That's a lie. And you have to go through the process change control, blah, blah, blah. But in reality, if you have enough information about everything in the environment, you can start doing very interesting things to focus down in this case, let's say the five that matter. So let's say out of that 1,000, there were five machines being used by somebody that were in an AD group, like active directory group. And somebody in the active directory that manages AD and identity for an organization happens to make a GPO change one day. And that GPO change now introduces a privilege escalation attack for those people that are in that group. So now, if you think from how ransomware works, now the people using those five machines, that same vulnerability that's on 995 other machines, because of the people using those five machines, if that vulnerability got exploited on one of those five, because of the way active directories configured, they are now susceptible to a privilege escalation ransomware attack. Glen Pendley (36:28) So how do you know that? I f it was traditional tools, they would just say you still have to patch all 1,000 because the vulnerability is bad. We know the vulnerability is bad, but you can't patch 1,000 for whatever reason. You only wanted to focus on the five. So if there was a way to identify the fact that because of this GPO and because of the people in this group and the way that GPO is configured, then those five machines and that vulnerability is actually way more important than those other 995 instances of it. So you can fix the GPO, which you should fix, like the change in active directory as well as patching these five machines. So that's the idea of treating this as a big data problem, of pulling data in from so many different sources, building relationships and trying to identify really what matters in an environment. It's not that those other 995 aren't important and that shouldn't attach them, but you can't do everything, especially when you have so many things to do. So focus on that five. And the reason why you need to focus on that five is because of all the things I said that could lead to a privilege escalation, Brents more attack. Karissa (37:34) So just to go on this a little bit because, again, this is something that I'm super interested in and it's something that I've often spoken about in the show. So you're saying before around, yes, focusing on the five, and I get that from a priority perspective. Technically, the other 995 do matter. But again, we're focusing on the five for this particular instance. If we get to the five and we focus on the five, will that then mean that doing the basics becomes more basic? Because we're only then focusing on those five. We're not trying to boil the ocean here. We're just focusing on those priorities because then the vulnerabilities which could have the escalation, etc. Will that then prove the point of the basics? Glen Pendley (38:10) I think the basics become achievable. The basics are the basics. It's a constant. I think everybody knows what needs to be done. But to your earlier point, applying it is very difficult. And it's just because it's extremely difficult to do because there's just too much. You just literally can't do enough work to do the basics on everything. I think in this case, it's an achievable goal. You're identifying what is more important based on the context of the environment, all the stuff we said. So applying the basics there, whether it's patching, fixing the GPO and active directory and doing those things, that's achievable. Patching five machines is much easier than patching 1,000. Fixing one ADMIS configuration is achievable versus trying to identify all people that are over provisioned and whatever that might be from just an identity security perspective. So I just think they're easier pills to swallow and it's more achievable. And that's the goal of reducing risk, like actionable real risk, it's possible if you have achievable things to address and attack. Karissa (39:25) So I guess that's the operative word achievable. So maybe we need to frame it in security, like do the achievable basics. That way you're not overwhelmed, you're not trying to bore the ocean, you're not trying to do everything because doing everything is hard. But let's just focus on, for example, the five. Focus on that, remediating that, patching that. That's achievable and handable rather than focusing on the whole 1,000. Glen Pendley (39:48) Yes. The only way you're going to know the achievable, though, is if you're using that context and understanding more. Because, again, the way every security tool up to this point is really try to do it is they're only looking at that one variable in the equation. So you're still stuck at the 1,000. So you're never going to get those smaller achievable bites. Karissa (40:08) So do you think this is the big problem here? This is what people are struggling with. Because, again, as we've spoken about at length that we all go around saying, Oh, it's the basics, but there's too much of it to handle. But again, if we're isolating maybe some of these higher priority related, the five, for example, focusing on that again, that's what's going to become achievable. And then, yes, of course, you can go back to focusing on everything else. Or else when you're trying to do too much, it's too hard to handle, too hard to manage. And then what do you do? You just give up and you don't bother anymore, which is probably the situation that we're in as an industry at the moment. We're overwhelmed, we're overworked. Glen Pendley (40:47) It's interesting in the traditional vulnerability management space, I know for... I mean, it's true. I have been doing this for a while now. People don't scan everything, not because they don't know they can't do it. They can't already fix what we tell them today. So why are they going to just do more? It's just overwhelming for them. I'm not saying I'm betting the company on this, but my vision for what we're doing and what I feel so passionate and this is what we're working towards, we're trying to achieve is enabling people to take those bite sized bites by doing the hard job for them of driving that context. And yeah, I think it's achievable. I think we've come a long way in being able to do it. And we're about to start rolling out some extremely interesting ways of trying to make this a reality. Karissa (41:34) So to bring this a bit more full circle now, what would be your advice to those who are unaware of how to handle and manage the forever changing attack landscape? We've honed it on the basic side of things and other things earlier today around the interdependencies looking at risk. But again, I'm very always mindful of providing tangible insights for people on the show that they can start to implement or start to talk about within their organization. Glen Pendley (42:00) There's a lot. I think a few things. So first of all is understand that there's so much more to the attack surface than you probably think, and making a commitment to at least try to find ways to get the visibility necessary. Really sit down and think, what applications are we using? Whether it's SaaS applications, managed applications in the cloud, it doesn't matter. Really start to work backwards from how your organization is doing business and the tools that they use and try to audit what that means and put together a plan to try to get the visibility necessary. I also think it's important for buy in from the top of the company all the way down in order to do preventative security and the basics, the consumable basics that we are discussing. It's more than just a security team trying to do it. I think there's fundamental changes that need to happen from a business perspective. We have a customer, and it's interesting. It's a very large customer too, that we deal with the people that are trying to secure their public cloud instances and stuff. And the only way they know about the things that are out there that their company is dealing with is they have to go to the finance organization and they look at who's paying for AWS on the corporate credit card. Glen Pendley (43:26) And then they go to that person's like, Hey, I see you're spinning up AWS instance. We need to secure that. So without guidelines and more vigor around policy and procedure and how people start leveraging applications or services or whatever it might be, they're never going to be able to get the visibility, first of all, to go back to the first point. And there has to be an all in buy in from the top of the company all the way down and a commitment to doing what is necessary. And too often you don't see that. It's its security is either looked at as an inhibitor of the business, and even if they're not, they're not enabled from a company perspective to make the hard decisions or put in policies and procedures and things to secure the business that's needed. Karissa (44:14) So just one quick question on that. So in terms of the AWS example, so they only knew about it because of the credit card statement? Glen Pendley (44:21) Once a month, they would go to their finance department and then say, can we see all of the credit card... People that are putting in expense reports to pay for AWS. And then they would see who they didn't know and what was an under management from a cloud security perspective. And then they would go to that person and say, What are you doing? And it might be just like a marketing team that spun up for some marketing campaign. So they had to introduce some websites and things, promotions or whatever it might be. Just think about it, the whole cloud environment is completely unmanaged. People are probably outsourced a bunch of developers in middle of nowhere to write this application. Who knows what vulnerability source is in the web app? And all of that is just running under that company's banner. The security team had no idea. I felt bad for them. Karissa (45:15) I guess it's not a bad approach, though. They said a reverse engineer. Let's go to the finance team, let's look at all the credit cards, let's look at all the bank accounts. What are the charges? So it's not a bad way to approach it. But again, how would you know? Especially now when people are sitting wherever, how would you know? They got a company credit card and they buy something, you'd never know unless you're doing the reconciliation. But I guess theory works. I guess this is pretty manual, though. Glen Pendley (45:38) It is manual the amount of time that something could have been spun up in running is time that there's potential risk introduced to the environment. Let's say on the first day of the month, I went to the finance team and did that reconciliation. And then the second day of the month, you spun up an AWS instance and you started doing your thing and deploying applications or whatever it might be. It could be 28, 29 days of absolute anarchy going on with nobody knowing until the first of the next month. And then I come to you and say, hey, what are you doing? And then how long does it take to get visibility from that point forward? It's not like on the next day, all of a sudden I have full visibility into the environment. So it's impressive. They reverse engineered it and they are working through it. But what would have been a much more sane approach is the company itself said, We're not supporting this. You can't spin up AWS instances on your credit card. You have to go through here. We have to provision and all this other stuff. And what ends up happening is people will... Glen Pendley (46:42) I was going to say the B word, but complain that while you're slowing down business and like, oh, we have this thing, I need to hurry up and move, move, move. And so many times the business is like, yeah, business is too important. Do what you got to do. Security is left holding the back, trying to handle it. Whereas a company that is serious about security and trying to really protect their assets, they'll be like, yeah, I know it's slowing down the potential opportunity for you to go faster and do this, this and this, but we're not willing to take the risk. So that's what I mean about to do a lot of this stuff, you have to have buy in. A lot of it's process procedure and just buy in from the business to enable security people to do what's necessary. Karissa (47:23) And I guess look, I've been that same situation before. Marketing department were leveraging Dropbox for, I don't know, their advertising team, company externally with the bank I was working in. And then we found out about it. And then there was an issue, but we didn't know about it. There would be no way of really having that visibility. So I guess the process and procedure, yes, in theory works, but people go around at all time. That's how we have shadow IT. Oh, you're slowing me down. Or this is a better way to do it because I did it at my last company. So I guess, again, it's hard. I think it's just going to be constant monitoring. It's going to be probably doing things manually like before. It's going to be having the visibility. It's just that in theory, again, there are laws out there like you shouldn't speed. People are getting speeding tickets every day. They know you have a driver's license. That's the law, that's the rules. People are still doing it. So I guess it's just, again, goes back to human nature. People like to always follow rules, even if the rules are right in their face. Karissa (48:19) But again, it's up to the teams to find the best practice to help manage that, help reduce it as best as they can. Glen Pendley (48:26) Yeah, but I would argue that with the out the rules, like we use your speeding example, if I speed and I get caught, I'm held accountable. If there was no speeding laws and rules and stuff, I could do it without any repercussions. So at least I agree with you, shadow IT is a thing and people circumvent the rules in place. But if they do that, at least you can hold them accountable when it happens, when you find them. But you can't really hold people accountable for doing what's necessary if you allow it to happen. 100 %. I think. Karissa (48:58) It's important to definitely have those policies and procedures. But again, I think there's always going to be that 1 %, 10 % of people that don't follow the rules. So I guess you've always got to factor that in as this is what people are going to do, regardless. So I guess, again, it's not an easy thing to accomplish. So thank you so much, Glen, for your time and your insights and for coming on the show today. Glen Pendley (49:20) Thank you so much. Karissa (49:21) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by Mercsec, the specialists in security, search and recruitment solutions. Visit mercsec.Com to connect today. If you'd like to find out how KBI can help grow your cyber business, then please head over to kbi.Digital. This podcast was brought to you by kbi.Media, the voice of cyber.