In this Spotlight episode of the Security Ledger podcast, I interview Jim Broome, the President and CTO of the managed security service provider DirectDefense. Jim and I talk about the findings of DirectDefense’s latest Security Operations Threat Report and dig into the intriguing ways artificial intelligence (AI) is shaping both cyberattack and defense automation strategies.

[Video Podcast] | [MP3] | [Transcript]

---

One of the things I’ve noticed is that the growth and evolution of the cybersecurity industry has been so rapid – encompassing a bit more than two decades – that you can sit down for an interview with someone who is simultaneously in the prime of their career and an “OG” who has personally witnessed the birth, awkward adolescence and rapid maturity of the information security space.

That was my experience sitting down with Jim Broome, the President and Chief Technology Officer at DirectDefense, a managed security service provider. Jim’s journey to cyber started back in the 80s as the son of a Radio Shack franchise owner in the southern U.S. By high school, Jim had thrown himself into the nascent Internet: launching one of the biggest BBS-es (bulletin board systems) in Georgia – a community that was ultimately acquired by CompuServe, an early consumer-focused Internet service provider.

After graduating from Georgia Tech, Jim started his career as so many others did – working as an IT administrator supporting customers and rolling out networks for banks and other early adopters of networked technologies. He went on to work for an early CheckPoint reseller at a time when “network firewall” was term that would get you cocked heads and strange looks from business owners. Jim eventually found his way to the seminal cybersecurity firm Internet Security Systems (ISS) in the late 1990s working alongside the likes of Caleb Sima where he was among the first wave of hands-on cyber practitioners helping companies to assess their cyber risk.

All that history gives Jim a unique perspective on the current state of cyber security, which we talk about in this Security Ledger Spotlight Podcast. In it, Jim looks back on the early challenges of cybersecurity, the diversification of threats over the decades, and the factors that are driving our current epidemic of cyber attacks, including the rapid embrace of artificial intelligence (AI) by both attackers and defenders.

Jim and I also dig into the highlights from the latest DirectDefense Security Operations Threat Report and get Jim’s views on the current landscape of cybersecurity, including the growing problem of attacks on multi-factor authentication and the importance of adaptive defense mechanisms. We also touch on the critical role of MSSPs in covering a cybersecurity skills and coverage gap.

Check out the podcast using the player (above). Or, check out a video of our conversation below or on Security Ledger’s YouTube channel.

---

Video Podcast and Transcript

Video Podcast

---

Transcript

 [00:00:00]

Paul: Welcome back to the Security Ledger podcast. I’m your host, Paul Roberts. I’m the editor in chief here at the Security Ledger. And I’m very happy to have Jim Broome with us in the studio, who is the chief technology officer at DirectDefense. Jim, welcome.

Jim: Hey, thanks for having me.

Paul: It’s great to have you. I think this is the first time we’ve had you on the show, but, kind of surprising because

Jim: Long time listener, first time caller.

Paul: Long time listener, first time caller? Man, you’ve got an amazing career and you, you’ve been in cyber, going back to the late ’90s, so one of the questions I always start by asking my guests, particularly guests of our vintage, is what was your journey, into InfoSec, right?

Cause, some of these stories are really interesting.

Jim: Yeah, I actually you know, I go [00:01:00] back to the days of bulletin boards. At one point I had one of the larger bulletin boards in the state of Georgia and, grew up around that crowd and as kind of alluded to used to be at a company called internet security systems. I think you’ve actually had a few former alums like Caleb, a couple of years ago on your show.

And, we all kind of. Gravitated around knowing each other, former Georgia Tech alum. But yeah, for me, it was starting from bulletin boards, early days of, before AOL and CompuServe were really a thing. Truth be told, actually CompuServe bought my little board because I had the largest amount of dial up in the area.

And then they turned that into a pot for their service and moved on. So that was when I was a sophomore in high school. So and kind of grew from there, just always was inquisitive about security. And, at the time it was Novell was the new hotness coming off the Lantastic. So yeah, the gray hair is real when I start throwing out references like that.

But really just kind of growing and learning, you know, security, being an admin, being a network administrator, like one of my first companies was actually just supporting customers and rolling out networks for one of my first major customers was like Barnett bank. So actually, you know, when they were putting teller or a remote banks everywhere, they were having my [00:02:00] crew come in and actually like do all the wiring and do all the infrastructure.

So I learned a lot of things about just basic user behavior and user mistakes. that, you know, it turned into a security career. So

Paul: now were your parents like engineers or in tech, or did you just get into it just because like

Jim: yeah, no, very much so. Yeah. My father was definitely in tech. to make myself a complete and total nerd owned several franchise Radio Shack stores through the Caribbean and in Georgia and Florida where he lived at. So. I, you know, if you ever want to talk about having to work Christmas at a Radio Shack store and, you know, having the questions about customer support, you know, this doesn’t work.

You know, did you? I don’t want to insult you, but did you turn it on? Oh, it has an on switch. Yeah, it turns it on just runs fine. So, you know, it kind of went through all the things you think of what builds a good security person, which is understanding mistakes people are going to make along the way and kind of growing from there.

And so, You know, my career path was fortunate. I wound up moving up into Michigan, meeting a company that became known as Netrex and we were literally my first week, we became the first reseller checkpoint 401 in North America [00:03:00] before they even shipped 1.0. And so we got to ride that wave and myself and the co founder of that company, Mark Sims we had a chance to go over to Israel and meet the founding four.

And, you know, ultimately it turned into. Myself and he and actually my wife were the primary authors of the checkpoint training program so travel the world preaching the gospel and you know met this a cool little guy named Christopher a Klaus and wound up a Couple months later at the internet security systems and got full time into penetration testing from there.

So, call back to Caleb’s episode of like early days was people wanted validation of why they needed this product. And, firewalls were not a thing, you know, they actually weren’t, did not become standard commonplace until like 2001. So the nineties was very ripe for compromise and access.

Paul: Yeah. I remember Caleb sort of talking about the whole SQL injection thing and basically him being like, I mean, this is just every website I look at has one of these things. Yeah. Yeah.

Jim: yeah, no, it’s it’s it was definitely, you know, fish in the barrel. Yeah, green fields. Yeah, people using [00:04:00] internet routable IP addresses on every desktop and even fast forwarding from ISS going to acuvant and About that time, we were able to actually really build some large teams for ourselves.

And, you know, really, by that point, we started getting speciality in the industry. So, you know, I like to tease that I was in this before it was considered an industry. Now I’m in an industry and with that comes speciality. So now we have the true delineation between. You know, network penetration, testing application, penetration, testing, security, research, mobile device, only embedded platforms, OT Security, so, yeah, I kind of, you know, just on the offensive side of the house, the landscape is definitely changed across the board.

Paul: I mean, change is the constant, right? I mean, and I’ve been, you know, I’ve been doing this for 20 years and it’s just, you know, 1st of all, bad guys keep innovating, right? So that keeps

Jim: very much so,

Paul: trying to keep up. but yeah, you’re right. I think the, the clear trend over the decades is just diversification of technologies, solutions, problems, you know, and I think [00:05:00] we,

Jim: We solved a couple along the way, but we caused more. So there’s a game

Paul: that they call. What

Jim: whack-a-mole. Yes. we literally were just talking about this the other day Phil brass runs our, Consulting side of the house. And he’s also a former ISS alum. His name is actually on the patent for internet scanner.

and yeah, we were teasing. He’s like back in the nineties, like if you were to tell me I was supposed to go hack someone’s web browser, I would have laughed at you. We only looked for operating system and core service vulnerabilities. And now it became, you know, now desktops, you know, desktop applications that are permeated servers and workstations and mobile devices, their primary entry point.

When we talk about vulnerability exploitation today, you know, there’s still plenty of other problems, but that’s kind of the main, you know, main things we’re seeing commonly, like, you know, infected office documents or PDFs, or, you know, click this because it’ll execute this other program that you didn’t know about inside of windows that.

Offers that implant, you know, do the threat actor. And so, you know, to your point, it’s a game of whack a mole that now you’re kind of have to broaden your, you know, your experience on every aspect.

Paul: [00:06:00] Yeah. So, I mean, DirectDefense, obviously, MSSP, and still doing in many ways, a lot of the same types of engagements and, and work. how have you seen kind of the, conversation change, and when you look at the work that, you know, DirectDefense does with its customers?

Jim: I mean, it’s, in most cases, it’s actually supporting customers. We have the benefit of engaging from, if you will, the mid market, that 1, employee organization that is just getting their hands on it to maybe they’re supporting, you know, the military DOD supply chain.

So now CMMC, yet another standard, has come into play for them. So they’re trying to mature quickly. And so. You know, our testing is, is from the programmatic. We’re actually doing the validation testing with a penetration test to see if the solutions they’ve implemented work. we’re doing programmatic testing at scale for applications as they go to market with a product or, you know, doing their own certification of their own utility, you know, their own procedures along the way, all the way up to, you know, manufacturing is actually a big customer [00:07:00] base for us that the CISO, you know, the ever changing you know, job of the responsibility of the CISO is, Post pandemic, the demand for certain brands is so high that if they can’t make, put the widget into the box and the assembly line fast enough, or they have a 15 minute unscheduled outage, CEO gets a phone call to let them know they’re not making their numbers.

That’s the tolerance level. and so the testing surfaces, the managed services that come along with that,

Paul: just

stepped out to grab a bite. Like what, what,

what did I miss?

Jim: truth be told. Yeah. I mean, you know, it’s, it’s interesting. We’ve got some great partnerships with vendors like Claroty. that give us that OT visibility. Mm

hmm.

Yep. but it gives us, you know, not only a cyber capability in the traditional sense of net, you know, network visibility, but really the biggest like requests for our managed services around change management, just the unauthorized, you know, updates at three o’clock in the morning, because Bob happened to be able to come through during shift change and plug a USB key and update the firmware for whatever this thing that controls the gate.

You know, and now they don’t, and now the lines down, you know, [00:08:00] having that level of visibility is now turning into a real value add story, you know, for ourselves and for our customers, but yeah, I mean, it’s always interesting to see where cyber and just reality come into play. A lot of times that will impact, you know, the overall bottom line for a company.

Paul: So direct defenses has put together. It’s, threat report for 2023, 2024. Yep, his my greys – My greys are getting a little longer now.

Jim: yeah,

 Which,

Paul: by the time this comes out, it will be out, but, I’ve looked at a draft of it. First of all, I always, I really was really loved the threat reports that come from MSSPs because they actually, you know, as opposed to just sort of vendors, which have a very kind of blinkered look at the world through their technology, MSSP is like, you are actually in the trenches with companies, right?

So you’re,

Jim: I appreciate that. Yeah.

Paul: you’re, you’re seeing everything, you Yeah. yeah.

but, I always find those have a little bit more. Substance and credibility maybe than than others. but some really interesting trends that that you all are [00:09:00] calling attention to in that report. And it’s it’s, you know, we’ll put a link on.

It’s definitely worth downloading. 1 of them. I thought was really interesting was, you know, just which we’ve read about it. I mean, it’s not surprising. It’s just a tax. On two factor authentication, multifactor authentication as being something that you all are seeing frequently, as part of, you know, offensive operations on, on customers talk about that because, , we all thought that.

Multi factor authentication was the silver bullet that was going to keep us off from getting hacked.

Jim: Yeah, I mean, so long story short was, it’s again, let’s go back to things that need to mature. my current example, I kind of like going back to time and time again is over the years. Microsoft has done a really good job of actually securing their operating system. the question or the challenge for most customers is when can you go native?

When can you run the most effective, most efficient, you know, version of a Microsoft network? Vulnerabilities I used to exploit in my younger days in the career have [00:10:00] been resolved as of Windows 2008. However, they linger because people don’t go back and run DC promo and turn off the backward compatibility mode.

So, you know, by the way, if you don’t know if you still have backward or you know, mixed mode turned on on your on domain, you’re still supporting settings from windows for work groups in the eighties. Just throwing it out there. And that kind of directly transitions to, you know, the, the, the threat landscape for MFA is yes, it is a much needed thing because username and passwords are too easy to predict or guess, you know, we, we crack passwords for.

For fun, we guess passwords to show off your amazing Kreskin skills on how you can predict someone’s, you know, really terrible password they may use. And MFA was the option of last resort. If the threat actor gets using the password, they still got to get something that’s in your hands. And the problem we’ve found is number one, as we alluded to with, enablements.

The things they were taught to not to look for and, you know, protect the organization against from a user level or have kind of been eradicated. and you know, user awareness training needs to get updated for that, side of the house. But, number two [00:11:00] was, users still give away those three things.

You know, if they fall for a, a decent looking fish, username, password, and then mistakenly accept that prompt. The biggest area that made all the news is everybody saw, which was scattered “spider. Specifically the technique that they kind of, I won’t say pioneer, but refined, was attacking organizations that still support text messaging.

You know, we’ve long since said text messaging should never be a factor for multi factor. Matter of fact, their banks should have stopped using it years ago, but they’re federally insured and we can get a bigger conversation on that. but you know, it’s this. Leveraging a technology, a. k. a. your cell phone carrier, which is outside of the control of the employee and the employer.

So now we have a threat factor that literally for the nominal fee of 15 to 2500 was being exploited to bypass your hundreds of thousands, if not millions of dollars of cyber security investment, just because they were able to go into a store, pretend to be your employee. Trick the cell phone carrier into [00:12:00] porting that phone number to a device they controlled and then using text message to log in.

Paul: Right. This was the subject of a 60 minutes, segment. Alison Nixon was in it a couple, couple weeks back, or maybe it was even last week. And I mean, we’ve, kind of seen this and read about this maybe in the context of like crypto wallet heists and stuff like that, right? I think maybe what surprised people about that was just this notion that actually, no, this is, you know, nation state actor with boots on the ground here, able to walk into a cell phone provider and do a SIM swapping attack.

that for me was like, wow. You

Jim: Now it’s loaded kids. And you know, we’ve even gone as far as seeing videos online of, you know, kids working together, literally going to a team that’s branded as a T Mobile store and waiting to the manager hands into the, their tablet for them to give in their creds and they just run out the door.

So if you think about the control procedures to how do you, you know, revoke a tablet access, calling corporate, you know, an 800 number back to mobile corporate saying, Hey, X, Y, Z store [00:13:00] just lost a device that was logged in with admin creds. and then the news that made it this week I believe was the article about how, you know, literally T Mobile employees were being phished directly being text messaging by threat actors offering 300 for them to do a SIM swap. So, yeah,

Paul: Because at the end of the day, we’re, we’re down, you know, You know, we’re here at local retail outlets, people being paid an hourly wage, right? I mean, so in some most, you know, fortune 500 companies might not say, well, this is this is the foundation that our security infrastructure is built on. But it

Jim: exactly. It is. Yeah, it is. Yeah.

Paul: because of the.

You know, consumerization of it because these smartphones that we all own personally are actually critical business implements that we use to access a lot of really high value systems. Yeah. I mean, it’s like, just wrapping your head around that. Oh, my

Jim: Well, even like the byproduct of just seeing this, was working back with our customers on a managed service side and going back and adding custom rule sets that, you know, number one, if you can’t eradicate the use of text messaging, [00:14:00] at least for admin users, then let’s come up with a comparable, like, you know, your standard is The notification push or a pin. If I see the user’s MFA settings get downgraded to text messaging. Should I go ahead and lock that account

out? those types of things where the byproduct of, Hey, this is what they’re doing, Mr. Customer, are you prepared for this problem? Yes or

Paul: That’s right. You really have to think outside of the normal box of, IT, right? you need to have a pretty, capacious view of like what, where the threats are going to come from and what types of systems and behaviors you need to be paying attention to.

Jim: Yeah, exactly.

Paul: Speaking of which so in your, in DirectDefense’s new threat report, you talk as you must about the emergence of, you know, generative AI, chat GPT, and how it’s been a real game changer for, Cyber adversaries for attackers, definitely helping with things like phishing attacks, right?

Kind of cleaning up language. What are some of the other ways that that you’re [00:15:00] seeing AI being used to kind of raise the bar for defenders?

Jim: the challenge really is understanding, like, if you go to your traditional user awareness training on fishing, how to spot a fish, it’s the hover over the name, look for spelling mistakes, look for, Non geographical specific phrasing.

all the way up to no, nothing specific to your company.

Paul: Mm hmm. Mm hmm.

Jim: 95 percent of that’s gone now. So it looks right. Smells right. Looks like somebody from my company wrote it. It’s probably got one of our own internal acronyms because someone mistakenly type that in the source go out there and In which is another problem.

but you know, it’s, you know, we’ve got everything that looks like a legitimate email. And so we all collectively on the MSSP side of the world, MBR side of the world. So I spike, really around Q3 of last year where it kind of went off the charts where you’re, you’re getting a handful on a weekly basis of successful lands.

To, you know, 15, 25 percent there for a while of successful lands inside the environment. The employee [00:16:00] clicked and, you know, we saw signs of access from an outside party,

into the organization. And so that became a, you know, to your earlier example, that became a great game of whack a mole, of just seeing how everything we’ve taught our users to look for just that problem has been gone.

Now you’ve got to go back and retrain for, does it look right? Is it the right time for this? Why is someone asking me about a project that’s internal to the company? and really just kind of being aware. I mean and then secondarily is the, the one I, I kind of have the most fun with, if you think about an organization, you know, security guys, I constantly say, don’t click it, don’t link it.

Don’t, you know, open it up if you don’t know who it came from. However, what’s the two or, you know, two members or two organizations and most companies that are required to do that. Accounts payable

Paul: Mm hmm.

Jim: They’re supposed to look at resumes. They’re supposed to look at bank change requests. So now you’ve got a class of employee that has a lot of access in the organization, if not has some keys to the kingdom, especially around money that is required to do everything you just told everybody else not to do.[00:17:00]

And so if you haven’t built your parameters and your visibility around helping them, especially, you’re going to come up short. You’re going to fall victim. And that’s where you still see today. The A. C. A. Transcript. ACH transfer campaign from business email compromises and so forth still being successful.

Paul: You, you said that some huge percentage of the compromises, the, the direct offenses helped companies with were forms of business email compromise, BEC types attacks. is that just reflective of like, well, you know, all of these kind of start with phishing via email and, and, and that type of thing, or is it.

When I think business email compromise, I also often think of the sort of like, Oh, I’m the CFO and I’m telling you to wire money to this account or, and, and is AI playing a role in, in making those harder to pick out too?

Jim: initial compromise of company a company B, like the most common thing we’ve seen, there are still direct attacks from, you know, random threat actor on the internet just drive by and they’ve [00:18:00] got, you know, 770 million email addresses. They scraped out of LinkedIn two years ago using that as their, their platform.

but we’ve really seen the most. Success rate of compromise, you know, happening with customers and early detection from our part is really a to B, you know, you know, business to business, you know, interaction activity. Maybe it’s a business partner. Maybe it’s part of your supply chain. 1 of the 2 of the organizations got compromised and in most cases, it was.

Hours before. , and you could easily start walking back and you say, Oh, well, I’ve, you know, like the most common phishing campaign I saw last year was, a fake notice from Microsoft. And I’m putting air quotes on that for M365 telling the employee, would you like to reuse the same password you did last month and then please type it in.

and so that was enough. maybe they had an FAA, maybe they didn’t either way when the party’s got compromised and the threat actor would, Then

Paul: Playing on that deep desire to not reset your password. Like,

Jim: Yeah. Yeah. And then they would implant themselves into a mailbox, walk through the mail, you know, the [00:19:00] correspondence between the two parties talking about wire transfers and then insert themselves, literally picking up the legitimate current correspondence you had, and then pivoting out to a third party domain or rewriting a couple of mailbox rules to sit inside of that, the compromised employees, you know, account and hijack that conversation.

So AI may have spent the first part to get the implant. But then it’s just good old human. Like, did you notice that the domain changed eight emails ago? You know, the answer is no. And that’s why I’m here as an incident responder at the moment. and so it’s, it’s, it’s very hard. I can’t fault the employee in some cases.

And in most cases in that scenario, because the only thing that changed was the email address you were talking to, like, you know, one of the parties got legitimately compromised. and then you get the finger pointing and all the, you know, the insurance guys come in to try to figure out who, who was the fault.

But. You know, getting that visibility, having a third party, like, you know, direct defense in our case, you know, monitoring where your employees are logging in from having that ability to actually see where they’re most commonly logging in from and spotting [00:20:00] the anomaly is your 1st signs of true compromise inside the organization.

And then. You know, remediation of that. Microsoft has done a really good job to their credit of putting new stuff into defender for cloud. some of that stuff are rules that we’ve been doing for five plus years. So, you know, had a leg up for now, and now we’re adding more nuance to what they’re doing.

and so that’s, that’s all kind of part of the cat and mouse game of, you know, spot when the compromise happened and go from there.

Paul: Do you see AI kind of, assuming AI benefits attackers, but also defenders and how is direct defense- where do you see the applications of it from the M. S. S. P. One way that you clearly pointed out is just kind of sifting through all that noise and helping your operators and folks focus on, you know, those, those subtle changes that might be very important to know.

Jim: Yeah exactly, I mean from a detection standpoint, we’ve definitely seen a rise in, you know, leveraging AI into assisting and actually detecting initial signs of compromise or initial, you know, strings or tethers, being pulled on that in that [00:21:00] scenario, you’ve also seen new vendors come to market.

Addressing legacy problems in a new way. And I’ll give a shout out to like abnormal security as an example, where they’ve done an excellent job of taking the old school spam problem, but actually really giving it a higher confidence around detection of real compromise. And, you know, like one of the things we lost with all the awareness training is there’s no such thing as junk mail anymore.

It’s all spam. It’s all evil. and what we find is actually no. Bob or Sally are kind of a little lazing. They don’t use the junk mail option outlook. , you know, we haven’t taught our employees how to filter the mail correctly. So everything spam gets thrown to the sock for analysis. And so, you know, they’ve come up with a really good detection pattern, in my opinion, , on spotting these.

AI generated campaigns. They actually call it out as this was AI. This was not written by a human. , and you know, and able to give us a high degree of detection in the early phases of that one vector. then we pivot into the defender side of the house where, you know, EDRs are all, you know, AI, ML, EIEIO enabled.

back end to give us a fighting chance. And then from the detection realm, yeah, again, [00:22:00] there’s more AI modeling being applied today inside of just detection, especially around legacy problems, such as, Configuration errors. Kerberosting is the most common example of that of, you know, as good as Microsoft’s gotten.

We still got some stuff that’s been around for about 15 years that hasn’t been eradicated out of their platform yet. And Kerberosting is number one. And the only way to effectively detect that Is having a subject matter solution or a new real time solution, like defender for identity or falcon for identity to give us the defenders a leg up on seeing when it’s being actively compromised because it’s your network generates this stuff legitimately every day.

You know, how do I spot the red pin, the red top needle out of a stack of needles? Because that was the one that actually was the attack. and so having those, you know, AI platforms assist us is also a major contributing factor

for detection.

Paul: I mean, obviously, one of the big trends last 15 years is just digital transformation, right? Just the migration of so much so many applications so much of what of our infrastructure to to [00:23:00] to the cloud hugely empowering for organizations from a productivity standpoint, , but it does create. problems around transparency, right?

And and visibility into cyber risk. One of those being as you point out in your report, there really no are no standards for, you know, application security or secure development. That companies can point to or, or make decisions based on how do you work with your customers to kind of assess that, you know, cloud risk or, kind of manage that given that, you know, a lot of these systems are kind of black boxes,

Jim: Yeah. I mean,

Paul: at least for now.

Jim: yeah. So I mean, it’s kind of a multi part answer for you. I mean, the first part is testing at scale. I mean, that’s when the core business is here and you know, this industry has been wrapped around, having testing like OWASP. OWASP is one of the most common standards we use for actually just testing for most common coding mistakes or implementation mistakes.

, so that framework exists. what we found, especially [00:24:00] with incident response and then more importantly, \, application environment, DevOps shops trying to use an MSSP. Is the lack of visibility in the app. And so when you think about just good old fashioned audit one oh one That doesn’t exist in a lot of application code base today.

I’ll be candid in the, in probably the last 10 years, I can only count on, you know, one hand, the number of times I saw an app properly have audit frameworks inside of it. So if you think about,

Paul: And is that just the agile development and the nature of and cloud and

just build these applications? Yeah. they’re not taught. So, I mean, if you think about, you know, how do you spot credential stuffing someone successfully usernames and passwords into your app? And in most cases, the answer is they can’t. They have to wait till some other, like a performance problem happens because they’re getting slammed with all these millions of requests.

Jim: Now that people figured out you have this problem. how do you detect fraud in your application? based on what, you know, whatever technique your applications leveraging and how it’s using. And the [00:25:00] answer is, We waited for the A. P. I. To tell us it was oversaturated. There is no audit to tell me.

we actually have some professional services that we do just to to sockify your application and make sure it’s prepared to. Can you detect compromise of a user? You know, what’s it take to have a user account today? Username password? Maybe a phone number for two FA, you know, again, text messaging, we’ll get into that.

You know, how do you transfer money out of this application? Maybe it’s a wire transfer, maybe it’s, you know, a direct coupon system. all these things come into play that there should be an audit artifact. If, if you just can’t read the log and read it as a human and say, Oh, bad thing happened here, your sock is not going to be able to stop and protect your, you know, your app and the users of your app, so that’s kind of really where we’re spending a lot of time is kind of reeducating the development cycle and, you know, Thankfully, a lot of the customers are receptive to it.

The organization is willing to go back and put that into their, their development backlog and get it built into the app. But, you know, again, in, in the fast-paced world of high financed, dot coms out there, you know, you know, data reference, you know, you know mobile, you know, [00:26:00] newer, newer platforms, that may not necessarily be the case.

You know, they may prioritize just functionality and go to market over, you know, auditability and accountability.

Paul: You got a little bit of a wind at your back. I feel like from the current administration and the federal government, they’re certainly talking a lot, at least for federal contractors about these topics of, you know, secure by design. We want to see S bombs. We want to, you know, you need to show us that you’re doing the right thing when we lift up the hood.

but, of course, that’s just for federal contractors. Right? And, and in fact, a lot of that hasn’t really. Taken It doesn’t have teeth yet.

Jim: So, you know, until we see it actually, yeah, yeah. Until you see, just like HIPAA, until you see the first rule lawsuits, it’s, it’s a nice to have, it’s a recommendation.

Paul: Yeah. For medical devices, there are teeth, but for everything else, not so much. Yeah.

Jim: yeah. I mean, it’s been a large swath of my career there for when, when HIPAA became a thing, just helping hospital organizations fight back and push back to, you know, the owners of the MRI, the owners of the, you know, the, the Alaris pump system or what have [00:27:00] you, and I’d be just to like, Hey, your solution actually spits, you know, You know, MR code and, you know, patient data out to the parking lot.

Cause it’s using this antiquated, you know, pre eight or two 11 technology. Right. Well, I mean, look at, look at the Avanti you know, what we’ve seen come from, from Avanti, right? I mean, just a whole bunch of stuff this week, a whole slew of new vulnerabilities. My guess is, I don’t know, I’m inferring this, but they’re starting to look a little bit more closely at their code and finding a lot of stuff, so

well, I mean,

Paul: better late than never, but.

Jim: well, even like sort of my analogy at the beginning there with the you know, the migration of server and operating systems, the biggest thing we’ve seen in the last two years, post pandemic is direct compromise of security platforms. I mean, it’s, it’s been, you know you

Paul: just go.

Jim: I’ll give the credit, but for the four guys at Fortinet, yeah, Fortinet, Palo Alto, Cisco, all the other SSL VPNs have gotten a good whacking for the past, you know, few years and I’ve actually had IR, you know, ransomware investigations.

That was the point of entry.

Paul: Okay. [00:28:00] Two more questions. Got time.

Jim: Yeah.

Paul: So, I mean, one of the big challenges and MSPs, you know, are important players in this is, is kind of what, now they’re called, the security poverty line, right? Like, just the ability of small firms, SMBs and, and less, less wealthy firms to Afford, you know, high level cybersecurity, both the people, the systems, right.

how do you see that playing out right now? And, you know, kind of what’s your advice to some of those SMBs and small enterprises out there who, you know, are concerned about the risk, but don’t have the deep pockets of, you know, the financial services firms or even the venture funded tech firms, you know, to go out and buy what they need.

Jim: multi answer here as well. Number one is make sure you’re getting what you expect. The whole concept of MDR, , especially those empowered by vendors, is essentially the interpretation of how they expected their product to be used. what kind of gets lost along the way is the customer experience.

you know, [00:29:00] Mr. And Mrs. customer, what did you hope to get out of this? What was your goal besides just having someone look over your shoulder at three o’clock in the morning to make sure it got detected? so like part of my education that I do for my own, customers first time they can talk to us about our managed services is like, you know, right now.

Ask everybody you’re talking to, hold me accountable to it as well. Will you support a custom alert? Will you support a custom triage playbook? And will you support a custom response? And you’ll find that if you put 10 MDR providers in the same room right now, you’re gonna only wind up with 2 to 3 that actually can answer.

Yes, to all 3. And there’s a reason why. And that’s go to market strategy. You know, it’s hard to scale that amount of customization on our side. , but, you know, again, make sure you’re getting what you’re paying for and then realize the visibility you are getting. There’s a lot of. point and powered platforms today, they’re still out there advertising as a core component.

And yeah, malware is a major problem of our industry, but it’s not everything. And so make sure you’re getting malware covered, you’re getting authentication covered and you’re getting your cloud visibility and covered as well. [00:30:00] And so that’s kind of the, you know, the big things that tell custom, like, just make sure you’re getting what you’re looking for.

And then we can talk about price after the fact and

Paul: There’s a lot of variety under that umbrella of MSSP, right? Underthe category, right? A lot of, a lot of variation, a lot of different, types of configurations. okay. Final question.

You wrote a really interesting piece on dark reading, a few weeks back, which we’ll link to talking about the, it’s been just a persistent problem in our industry, which is.

filling jobs and finding new people to take on, you know, InfoSec, important InfoSec roles, whether it’s SOC operator or, or what have you. , and you were basically sort of arguing, we just, we need to open our minds about who, what types of people might really work in these roles. Talk about kind of your thoughts on that.

Jim: yeah, I mean, our entire industry came from academia. and so we do believe in higher education, having a master’s degree, but I’ve never met a master degree, person that [00:31:00] was really good at managing fireballs on a day to day basis. There may be a few of them out there, but at the end of the day, it’s really a, you know, a Yeah.

True focused, you know, apprenticeship program. And so if you ever see me talking and get out there, I’ve been saying cyber is the new blue collar for almost a decade. , it needs to be treated as such. And we need to be open to people that came into this industry from non traditional sources. my. Past lineage and I’ll even shout him out here.

It was like, you know, gentlemen, like Martin boss, who’s one of the key members over there, trusted sec with Dave Kennedy and the guys, you know, Martin is kind of the one I was talking about in the article specifically where he came from being essentially a sound engineer. For some very prominent bands, but he was there during the transformation of analog to digital.

So he got the experience of core network foundations and, and, and understanding, you know, the pressure of putting on a live performance in front of 15, 000 people and not screwing up.

Paul: High stakes.

Jim: Stakes Yeah, exactly. Yeah. If you, you, if you really want to make somebody mad, Metwatch, Taylor Swift, not be able to give her concert, you know, because the mic’s [00:32:00] working.

Paul: It just happened to Grimes at Coachella, by the way.

Jim: I know. I saw. Yeah. Yeah. it was pretty pretty ugly Yeah. But and again, it’s look for people that’s coming from non traditional sources. Actually, I really enjoyed the comments from the article because, you know, while I noted, we definitely need to find more diversity in the industry itself, and bringing people in, especially, you know, those that are Yeah.

Not really stem oriented, , but, you know, really have a good core acumen for being an analyst or being a compliance person or being, you know, just a really good project manager, is really, you know, looking at non non standard areas. So, 1 of the things I like, you know, 1 of the comments is like, you know, 1 of the people that she would recommend was people that are event planners.

You know, event planners, especially think about, you know, there’s TV shows called broadzilla for a reason of, you know, being able to think on your feet, having a very hostile environment and still being able to get a creative output done you know, bringing in

Paul: attention to

Jim: you know careers. Yeah, exactly.

And then most recently, as before we got on [00:33:00] recording, I, I shared I’ve been doing some seminars here locally in Colorado, where I live at. And I work with a couple of the stem programs with, like, cyber patriots and so forth as well. And, it got brought to my attention. There is a cultural shift of people in their twenties and thirties.

They’re, they’re postgraduate. They’re, they’re into their. Career, and it maybe didn’t pan out for him. Maybe not. Maybe it may not be the career. They really wanted or is not the environment they want to continue working in. And so 1 of those non standard areas I’ve been seeing the largest inquiry literally in the last 2 months has actually been nursing.

so, you know, as you, you know, as you lead to, and you’re sharing, it’s near and dear to your, your family as well, the challenges there, and, you know, we’re definitely getting, you know, the current generation of. You know, mid mid range nurses or more importantly, nighttime nurses because we always need the staff after hours, that are looking to get out of the nursing career and get into cyber because

Paul: lot of burnout from the pandemic a lot of people like okay, that’s that you know, like time to move on Yeah, no, I that that’s really interesting. It doesn’t surprise me knowing just for my

Jim: Yeah. I mean, they’re, they’re, they’re technical. They’re, you know, [00:34:00] they’re highly skilled. They’re, you know, hyper focused. so it’s all the things you’re looking for in a penetration tester, a compliance auditor, a security researcher, especially from offense to compliance to even on the, you know, back, you know, malware research, you know, just a research analyst for a malware shop.

You know, they, they make some of the best candidates I’ve found so

Paul: Why do you think we haven’t had more success in recruiting into this career, especially given that, you know, jobs pay well, you know, they’re, they’re white collar jobs, professional jobs. My sense is that we just, we have not had the support of, you know, like the federal government that we need to really kind of, you know, Push this nationally and really, you know, provide the resources to start, you know, channeling kind of a Rosie the Riveter approach, you know, channeling people into this, into this thing that we need, you know,

Jim: yeah, I could definitely agree with that. I think the other challenge, and the one I face, especially with high school students, we haven’t advertised the fact that cyber security is a term. It is a job. You know, it is a skill set. Within cyber [00:35:00] security,

there’s, you know, 20 plus different career paths today that if you, you know, kind of specialize in focusing on offense, we have, you know, literally enterprise app, you know, app and security research. On, you know, defense, we’ve got security analysts, security engineer for building the infrastructure.

We’ve got incident response capabilities. You’ve got compliance and all the alphabet soup that comes with that and specialty. And then you’ve got, you know, vertical specific like OT, that, you know, can actually draw more attention to the wider audience. You know, nowadays kids come up and like, I think cyber security.

And the first thing they get taught, talk to is about, you know, basically some firewalls and networking infrastructure. And really that’s unfortunately the entry level in the industry. And, you know, how do you get into this? Well, go get your, you know, CompTIA plus, you know, security plus, plus, and then you can start shopping your job for the first, first foot in the door.

And it’s like, but I don’t want to do that. I want to do this. So again, we have the, you know, the challenge of being, you know, we’re an industry, we have speciality. So giving them a proper career path for where they want to land is really the, you know, kind of the message I’ve been going back

Paul: Instead of trying to push him through the same [00:36:00] funnel we’ve been pushing people through for 20 years. Yeah.

Jim: Yeah, I mean, I can, I can cite my own daughter. She, you know, she’s about to graduate college, but when she graduated high school, she went to a STEM school. There was 151 graduating students, 38 declared cybersecurity and two had a job. both of them went to work immediately for actually you know, frontier airlines who had an apprenticeship program on application security.

And so they went straight to work. They, they skipped the school route and, you know, now I know both of them very well, one of them’s going back to school to learn, essentially basic MBA. So you can actually talk business and become a manager.

Paul: Right. That’s what you need to move on.

Jim Broome, Chief Technology Officer, at DirectDefense, thanks so much for coming on the Security Ledger Podcast and we’ll do this again.

---

(*) Disclosure: This Spotlight Podcast was sponsored by DirectDefense. For more information on Security Ledger sponsored content and the various ways in which we work with sponsor organizations, check out our About Security Ledger page on sponsorships and sponsor relations.