
Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

 

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women-owned privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional, providing practical privacy advice to overwhelmed companies.

 

Justin Daniels  0:37  

All right, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as helping them manage and recover from data breaches.

 

Jodi Daniels  0:53  

This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and check out our new book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. You can add any more insurance to our introduction here. If I was good at playing any... Canvas is not your specialty, not at all. Now, maybe we should have our daughter come. She could sing one time. She sings all the time. I know, and she could come and sing a tune. Maybe that’s what we need. We need her to write a jingle.

 

Justin Daniels  1:51  

We could have her write privacy and security jingles, since she asks very interesting privacy questions for a nine-year-old.

 

Jodi Daniels  1:58  

She does. You have taught her well. She does not like giving personal information anywhere.

 

Justin Daniels  2:04  

Indeed. All right, well, let’s move on. Today we have our perfect guest. So I will introduce our guest: today we have Troy Bettencourt, a technically skilled, people- and process-oriented leader with more than a decade of supervisory experience in the DFIR, law enforcement and military spaces, three of those years as a member of the executive leadership team of a government agency, approximately 18 years of digital forensics and incident response experience, and three years of eDiscovery experience, to include an assignment as the national eDiscovery program manager for a federal government agency. Good morning, and welcome, Troy.

 

Troy Bettencourt  2:42  

Well, thank you, Justin. That was a great intro.

 

Justin Daniels  2:47  

I can read well.

 

Jodi Daniels  2:50  

Well, Troy, it’s really nice to meet you. It would be great to kind of dive a little bit deeper into that significant experience of yours and bring us full circle to what you’re doing today.

 

Troy Bettencourt  3:02  

Yeah, absolutely, Jodi. It’s been quite a circuitous journey. I sort of dipped in and out of the DFIR space over the years for various reasons, and I think overall it probably gave me some experiences that I wouldn’t have had if I’d stayed strictly in the field, especially on the business side and understanding business operations and impacts, etc., from a client perspective. But I actually started out as a Special Agent for a federal law enforcement agency. And at first I worked on your more traditional crimes: your murder, larceny, arson, drugs, etc. And then a colleague and really good friend of mine moved into cybercrime investigations in 2001. And he was really smart, great with computers, really awesome guy, and he invited me to come work for him. The problem was, I had pretty much zero computer skills. Like, I could kill it with PowerPoint, but that was really the best I could do. And I told him that, but at the time, they were focused on trying to bring on folks that had solid investigative skills and teach them the geek, as opposed to trying to bring in people that had the IT skills and teach them the investigations, because that hadn’t gone well when they tried that. So really, I came over there, I had no skills. There really weren’t university programs focused on DFIR back then, or really any vendor-agnostic training. It was pretty much vendor training or OJT. So I did a lot of that. And really, for the first six months, I think that was my first true experience with imposter syndrome, because I came from a place where I was a subject matter expert and was thrown into this field I knew nothing about, and I would drive home every night and tell my wife, they’re gonna realize I don’t know what I’m doing, they’re gonna fire me. And then, like, one day I woke up six months later, and it started to all sort of make sense. I certainly wasn’t great, but I sort of knew what I was doing. 
And then in ’05, due to some family hardship reasons and a bit of burnout, we relocated to Florida and bought a small business in the construction industry. So that was my first departure from the field. After a few years that was boring, so I joined our local police department and was basically an administrator and a department executive. Then fast forward a few more years, and I went back into federal law enforcement, strictly in cybercrime. And I was really fortunate to work on some high-profile investigations, really, really large global incidents, and worked with awesome people across the spectrum, from investigators, law enforcement agents, support staff, technical folks and counsel. Then I spent a year as a sales engineer for a forensic software company. That was sort of my professional purgatory; I realized that I’m not really into sales, I am not well suited for it. Then I moved to SecureWorks, and I was there for six and a half years. As Justin mentioned, most of that was as the senior-most consultant globally, and then the last year I went back into management. That was also a great experience and a wonderful team. And then earlier this year, I moved over to IBM X-Force, where I am now, and I lead our full-service Americas incident response practice. So that covers the North, South and Central America and Caribbean regions.

 

Jodi Daniels  6:13  

That was quite the journey. Thank you so much for sharing. It’s always really interesting how people navigate, and I like the original part of how you, and I think this is true with people, how you take those investigative skills but can teach some of the technical pieces. And sometimes it’s really hard to take technical people and teach them some of those softer skills. So it’s really interesting how you kind of got that start.

 

Troy Bettencourt  6:43  

Yeah, it was. For whatever reason, I find it a lot easier to teach people technical skills. Investigative skills, I think, came natural to me too; I don’t know how to teach people them. I don’t really know how to nurture that. I think there’s a little more of an innate capability there. Whereas the technical skills, I think people with aptitude and drive, even if they don’t have the technical background, can certainly enter the field.

 

Justin Daniels  7:06  

Makes sense. Now, Troy, that’s interesting, because the way that I met Troy was we were on an incident response case together. And the key thing that Troy was so good at was explaining technical things to business people, who were under time pressure with incomplete facts, in a way that was understandable, to the point where I had asked to have two people on the file because I hadn’t met Troy before. And looking back on it, I didn’t need two people on the file, because Troy was really good at explaining the stuff. So I say that because that’s such a critical element of part of what we’re going to talk about today, which is incident response and some best practices. And to your point, Troy, I don’t know how easy it is to teach the innate skill to be able to explain something that’s technical to business people in a way that they can understand and make business decisions when they’re under pressure and it’s a pretty emotional situation.

 

Troy Bettencourt  8:03  

Definitely. Really, the way we do it, or I’ve tried to foster it, both when I was at SecureWorks and now here at IBM, is I think it’s experiential. So we try to ensure our more junior folks are paired with a senior person that’s involved with dealing directly with C-level execs or boards, but also moving our reactive or emergency consultants to work on the proactive side as well. Because you get to really see, in an executive tabletop, what those business decisions are that you’re not exposed to in a real incident. You know, in a real incident, you’re probably talking to a CISO, maybe, or a director, and you’re not understanding why the business is making the decisions they’re making, which may seem foolish to you as a technical person. But from a business perspective, they make sense. And when you’re in those tabletop exercises or cyber range experiences, you see what the business drivers really are and understand why the decisions are being made that, again, in isolation, maybe don’t make sense from a technical perspective.

 

Justin Daniels  8:58  

I’m glad you mentioned these proactive services, because the first thing we wanted to have you talk about a little bit is: what types of proactive cyber services are you seeing more companies buy these days?

 

Troy Bettencourt  9:10  

So I think overall, it depends on the client. For the more security-minded, or maybe a little more security-mature, clients, we’re seeing a lot more focus on value, and not simply just satisfying, like, auditor or regulator requirements, right? They don’t want just the check-a-box tabletop exercise that they’re going to do once a year and move on. They’re really looking for a security journey, so that at the end of the year, if they’re our retainer client, or three years, or whatever that term is, they can truly look back and say we have improved our process and our program along the way. So we’re still seeing a lot of the traditional offerings, the tabletop exercises, incident response plan and playbook development. But we’re also seeing the more value-add, like I mentioned. So for example, we have a ransomware readiness assessment service, which is really a holistic, consultative approach. It’s not a technical controls assessment. We go in, we do interviews, we check controls, we check business processes, to make sure that in the event of an incident, which usually is an indication of a failure of a control somewhere, the business processes and the people and the decision making can come to a better outcome. And then the other is we offer a cyber range. So think of it like a tabletop exercise on steroids, with a ton of technical enablement. So, you know, there’s a virtual SOC; you can have your SOC folks sit down and respond to an incident in tooling that they’re probably familiar with. We have role players come in and take the role of, you know, ransomware operators and do negotiations. We create fake, basically, business news segments, like an MSNBC-type segment, talking about how the business has been impacted by ransomware, and really make it immersive. And we’ve found, for those mature clients that are tired of the traditional rote delivery, that they’re pretty excited. 
And then I think threat hunting is just continuing to increase in demand, and threat hunting itself is morphing from a very simplistic look at a couple of alerts to see if there’s a problem, to really digging through data. And we’re seeing more demand for the more comprehensive threat hunting than maybe in years past.

 

Jodi Daniels  11:24  

So I love the news segment part. That would be really interesting to be able to deliver and test. And I remember you did something similar when you’d done some of these types of tabletops before. When companies are evaluating service providers to help them with these types of proactive services, there are a lot of different ones out there on the market, and it can be confusing. What would be some key differentiators that a company can look for when trying to select and purchase incident response services?

 

Troy Bettencourt  11:57  

Yeah, it’s a great question, Jodi. It really depends on the client. Of course, some clients, especially in maybe the SMB space, often are very cost driven, because the revenue is not there to support a very expensive security program. Whereas large enterprise, sometimes it’s cost driven, but we’re seeing a lot more value driven. You know, here at IBM, we deal with a lot of very large, you know, Fortune 50 companies across the world. So for them, it’s mostly value driven; they really want to get value out of their expenditure, and they’re willing to spend more for that value. And then sometimes it aligns with business verticals. Even if it’s a large company, I’ve found, like maybe manufacturing, where they don’t have a lot in the way of margins, they’re a volume-based business, they’re more cost focused, whereas maybe financial services especially really are the value-focused clients. But regardless of what the focus is, whether it’s value or cost, there are certain attributes I think are really important. You’ve got to look at yourself as an organization, and see what you expect the needs to be, and align that with the firm that you choose. And as businesses become larger, they really need to look for firms that, I think, have a global reach and also have a lot of specialization. Because, as Justin can probably attest, in these enterprise-wide incidents, they’re business critical. It’s not, oh, there’s malware on the system, jump in, fix it, move on. This brings in so many people. We have crisis management. You have the IR consultants, you need malware reverse engineering, you need intel analysts, probably some offensive security folks to then test your remediation efforts, people experienced in identity management. And all of those are really technical fields with a lot of depth. And if you go with maybe a firm that’s more of a generalist approach, they have that breadth of experience, but maybe not the depth that’s needed. 
And especially as the enterprise gets more complex, you need that more specialization. And then the other is, how big are they? Should there be another SolarWinds or Kaseya or ProxyShell event that’s global, do they have the bandwidth to support the retainers that they signed with you a year ago, to actually service you? And then, can they work 24/7? Because, as most of us have probably experienced, the big cyber incidents don’t happen, you know, eight to five, Monday through Friday. They tend to launch Saturday at 2am. So being able to support a major incident with a follow-the-sun model, you know, 24/7, 365, is hugely important.

 

Jodi Daniels  14:38  

Those are some really great tips, especially the one where it happens on Saturday at 2am or Sunday at three in the afternoon. It is not a nine-to-five activity.

 

Troy Bettencourt  14:50  

That’s the incident response witching hour, because nothing good happens after 3pm on a Friday.

 

Jodi Daniels  14:59  

I have had a couple of clients before call at five o’clock on Friday.

 

Justin Daniels  15:05  

So Troy, kind of as a follow-up, and I know this is a topic you and I have talked about: obviously, with the rise of ransomware, it has had a significant impact on the cyber insurance market that most large enterprise customers that you service rely on to transfer risk. So how is that insurance market impacting how you price and deliver incident response services, particularly for these companies who really need that depth and breadth that you provide?

 

Troy Bettencourt  15:33  

Yeah, I think it’s really been interesting, Justin. You know, I went to some really early conferences years ago, some cyber insurance conferences, and at the time, in that space, nobody knew how to price it. There was no actuarial data; they didn’t have any models to work with. So there was a lot of guessing. And I think in the earlier years, if there was an incident, pretty much everything got covered. The insurers didn’t really question anything; the clients submitted the bills, they were signed off, and that was it. There was no effort at cost containment. As the industry matured, enterprise ransomware hit, so now the costs were just getting out of control. And then with the data theft component, that brought in the regulatory compliance, etc. We really saw that insurers were starting, one, to have actuarial data to support it, but two, to see where they are exposed a lot more. So then we saw a lot more effort towards cost containment, and that has considerably driven down the, you know, insurance-reimbursable per-hour rates for DFIR response. But then, I think, maybe the last two years-ish or so, maybe even three years, we’re starting to see insurers becoming really more active. They’re overseeing expenditures during an engagement, they are making sure the incurred costs are actually reasonable, that they remain within the initial scope. And a key one is that there are not efforts to improve the overall security program during an incident at a cost to the insurer, right? It’s not, oh, we had an incident, so, you know, we haven’t updated those Windows 7 systems forever, and we’re going to pass that cost on to insurance. That used to be pretty acceptable; insurance wrote the check. Now we’re really seeing them being focused on cost containment. 
And then as people are getting new insurance, they’re probably seeing now that many of the major insurers are requiring that you have a mature security program. They probably have at least a self-assessment process that you have to go through, if not an assessment process that they oversee.

 

Jodi Daniels  17:26  

A lot of times, those insurance companies require you to ensure you have different security measures. And of course, know where your data is. So Justin and I have a favorite phrase: know your data. Actually, Justin likes that phrase more than me. He really wants a Red Clover t-shirt. Anyone listening, please make him a t-shirt that says “know your data.” Okay, Red Clover. There you go. Bonus points to anyone listening. But a lot of times people miss the connection between privacy and security. And they don’t understand, and they don’t know where all of their data is. What do you find are the common reasons that that happens?

 

Troy Bettencourt  18:11  

So I think, one, it’s difficult. It’s really difficult when it’s a large enterprise that’s been around for decades to then decide it’s time to get into bolting on a data privacy or security program after the fact, right? At that point, you have so much legacy, technical debt, bureaucratic inertia, and years and years of poor people habits to fight against. And it depends on the ability to communicate to the executive team for that level of support. The program is not going to be successful if you don’t have executive buy-in to really architect that program and, I don’t want to say enforce compliance, but to ensure compliance happens. It becomes a check-the-box exercise, like a lot of other security efforts. And honestly, it’s not a problem until it is, right? Then the chickens come home to roost: major cyber incident. And as the provider, we’re asked by counsel, and one of the chief concerns, of course, is, was data accessed and exfiltrated? And without that really good data privacy or security program that was implemented beforehand, we can never say no. We might be able to say it’s unlikely, some gradation in response, but that’s not going to make counsel happy, and we understand that. If the data is not there, we can’t answer those questions. And I think really, it becomes a prioritization of efforts, right? Security, for so long, has been “secure the perimeter; if the castle walls are big, we don’t have to worry about anything.” And now we’re seeing more of a defense in depth, but I still think data privacy and data security is so far in those layers as you come in that it just hasn’t penetrated yet. It is not being prioritized until it is a problem, and then it’s too late.

 

Jodi Daniels  19:54  

Well, hopefully we’ll just slowly make progress at chipping away at it and getting it out of the little microcosm that it’s in, and get it broader. I think we’re slowly getting there, especially with more regulations requiring companies to understand where their data is. Personally, we don’t want more incidents.

 

Troy Bettencourt  20:17  

With more firms like Red Clover focusing on it, you know, it’s become a true specialization, whereas before, it was often, I think, a secondary or tertiary responsibility of somebody. And I think now that there’s the awareness, and awareness comes with funding, hopefully it will mature, because I think that, especially in regulated industries, it’s such a huge risk.

 

Justin Daniels  20:39  

I think I would add, to really reiterate something that Troy said: remember, with the breach notification laws, the trigger and legal consequences are off of data, whether it’s accessed or exfiltrated. And so I know in the case that Troy and I worked, it wasn’t clear where all the data was. So we never could come to a conclusion. But what was interesting is, and this is another reason why you work with law enforcement, is we knew what variant of ransomware it was. And between the work that Troy did, and law enforcement telling us, yes, you’re case number 70, and in the last 67 cases they don’t exfiltrate or access data, they just encrypt the network because they want to get paid, that was how we were able to take a legally defensible position that no further notification was necessary. It was a combination of Troy’s forensic work and also engaging with law enforcement to find out what they know, because they are a wealth of information, as Troy knows from his many years of working there. Collaboration is critical.

 

Troy Bettencourt  21:42  

Yeah, and honestly, coming from that world and now operating in this world for years: it used to be a one-way street. Law enforcement really was trying to get the information to further their investigations, but there wasn’t a lot of support back to the victim. Over the last decade, there’s been such a sea change, and especially the FBI has taken such a proactive approach to really working with victims. And while the information probably flows more towards them, because they can’t share as much, they really are sharing information that helps in the response and in the business decisions, about, for example, the data risks that you talked about, or maybe the risk of the threat actors coming back. Are they nation-state aligned? Could they be on, you know, a denied parties list or an OFAC list? So it’s really changed. Years ago, I would have said, I don’t know if you want to involve law enforcement yet. Now, I think you almost have to, really early on in the process.

 

Justin Daniels  22:42  

Right now, to kind of switch topics, everyone is using the R word. Recession. And so, yes, an ugly R. So from your perspective, how do you see a recession impacting cybersecurity budgets? And what might the unintended consequences of those decisions be?

 

Troy Bettencourt  23:03  

Yeah, I think, as is often the case with tough economic times, right, your budgets are probably going to stagnate at best but likely contract. For those with mature programs that have seen well-focused investment during the good times, it’s not going to impact them probably as much. Now, from outside firms like ours, I would expect a decline in revenue because of the lack of opportunities. I’m going to see an under-investment, probably, in proactive work, maybe a decision to try to keep reactive work or emergency work in-house until they can’t support it. All of those decisions, though, create a slow decline. So even if you’ve invested in a very mature program, all it takes is a few years of underinvestment, maybe not backfilling some key positions, and you lose a lot of that solid ground that you’ve claimed. But for those companies that never really fully invested in the program, I think this is going to be pretty perilous, especially if they really target cuts, because one of the most expensive areas is going to be people, right? FTEs are expensive. And as you cut people or don’t backfill, of course, that means a do-more-with-less attitude for everyone else. And that just means a slow degradation in performance over time, additional churn of people. And as that security posture slowly goes down, the risk is going to continue to grow. I would imagine the threat actors aren’t going to be as heavily impacted by a recession, and are going to continue their activities. And then the other thing is, if an organization ends up having, like, enterprise ransomware or some other real business-critical cyber incident, it’s going to be even harder to respond when they don’t have the people, the budgets, the established contracts with outside vendors. 
And I think that tips the scales for those incidents to almost become an existential crisis for the business, as opposed to a severe hiccup but something they can bounce back from. I really hope I’m wrong. Heck, I hope the recession forecasts are wrong. But, you know, I don’t see any good coming out of a recession from a security perspective.

 

Jodi Daniels  25:11  

If you were talking to a company that had not as flush of a budget and needed to make some cuts, what might you recommend to them to focus on? They have to make some types of decisions. Are there any particular areas that you might say, please make sure you stay focused on these for sure?

 

Troy Bettencourt  25:33  

Oh, definitely. I passionately believe in people and process; they’re going to win the day for you. And it may sound odd coming from someone, you know, that’s in a vendor industry that depends on selling services and products to organizations. But I really believe you can buy the most expensive and sexiest new security product that’s in everybody’s Magic Quadrant or Wave, and it’s in CEO magazine. But if you don’t have good people, you know, if you’re not properly hiring and developing good people, and also, this is key, enabling them with solid business and security processes around them, you’re exposing yourself to risk. I would take great people and process with moderately good tools over the opposite any day of the week.

 

Jodi Daniels  26:18  

Good advice, thank you for sharing.

 

Justin Daniels  26:21  

So we like to ask this to everyone who comes on our show, which is what is your best privacy or security tip that you might offer us if we were at a cocktail party and Jodi was wearing a dress.

 

Troy Bettencourt  26:35  

One, I would say people and process again. I am so passionate about that: it is the people and enablement processes over security controls every day. Secondarily, though, just the basic security controls. You know, pick your framework, CIS, whatever it is, pick those top 10, focus on them. You know, identity is huge. Most of our threat actors right now, it’s all about getting in. And it’s not that hard nowadays. And once they can, you know, escalate to privileged access, they pretty much own the environment. So if you can implement those key core security controls, your MFA, identity management, segmentation, just do the fundamentals. Your goal is not to be perfect. It’s to just be slightly faster than the other slower gazelle on the plain when you get chased by the cheetah. You just have to outrun somebody else.

 

Jodi Daniels  27:31  

There’s a lot of animals.

 

Justin Daniels  27:34  

In the national park, I just have to outrun you when the bear comes along. That’s it, right?

 

Jodi Daniels  27:41  

So Troy, when you’re not helping companies against cyber threats, what do you like to do for fun?

 

Troy Bettencourt  27:49  

That’s a good question. Um, since I spend so much time staring at screens, I try not to as much as possible, although I’m addicted to my iPhone, like many. So really, more hands-on stuff. Our daughter recently joined Scouting, formerly known as Boy Scouts. So we’ve really enjoyed, like, all the outdoor events, camping, and I forgot how much I just loved being outdoors like that. And then, you know, I mentioned a couple of times in the earlier question about some family health issues that caused some career changes, so because of that we’re sort of more homebodies and we don’t travel as much as we used to and all that. So I focus on projects here at home. So anything from minor improvements to total renovations, and then most recently, I finished building a houseboat from recycled and reused materials.

 

Jodi Daniels  28:36  

Wow. That is quite impressive. There is no houseboat building going on over here, for sure.

 

Troy Bettencourt  28:44  

No, what do you guys like to do for fun?

 

Jodi Daniels  28:47  

Cool. What do you like to do for fun? Justin?

 

Justin Daniels  28:49  

What do I like to do? The audience wants to know. Oh, for me, it’s all things outdoors. That’s easy: mountain biking, skiing, squash. It’s all

 

Jodi Daniels  28:59  

Squash is indoors. Yes, but it’s still fun. It doesn’t count as outdoors. It’s indoors. I’ve seen

 

Justin Daniels  29:05  

courts outdoors in New York.

 

Jodi Daniels  29:06  

Okay, like one court outdoors. It’s active. We like hiking. I love the fall leaves, and I enjoy baking. I do skew slightly on the healthier side, but I do love baking. Yes.

 

Justin Daniels  29:24  

You know, it’s like living in this house.

 

Jodi Daniels  29:26  

Oh, eat this cookie, eat this. It’s all about moderation. I mean, if you do all the exercise, then you might as well at least have a really good cookie to go with it.

 

Troy Bettencourt  29:35  

So if you live in the South, is it true it’s one stick of butter per cookie? Because that seems to

 

Jodi Daniels  29:40  

be an adopted ratio. Okay, I haven’t adopted that concept. No, no, maybe, but I might have ignored all those recipes. Troy, we’ve really enjoyed having you. If people would like to learn more and connect, where’s the best place to send them?

 

Troy Bettencourt  29:56  

LinkedIn, always. I’m constantly checking it, looking for new talent, new people, you know, whenever we have openings, wanting to see who’s out there, and it’s a great way to keep up with the trends, and then go from there. So that’s the easiest way to find me.

 

Jodi Daniels  30:10  

Excellent. Well, thank you again for joining. We really appreciate all the insight that you’ve shared to help protect companies against threat actors.

 

Troy Bettencourt  30:19  

Thank you so much for having me. It’s been great and great to see you again, Justin. Nice to meet you, Jodi.

 

Jodi Daniels  30:24  

Likewise.

 

Outro  30:24  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.