Click for Full Transcript

Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

I Jodi Daniels here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional, providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:37

Hello, Justin Daniels here I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels 0:52

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our best selling new book, Data Reimagined: Building Trust One Byte at a Time, visit

Justin Daniels 1:30

Speaking of bytes, I think we’re both hungry today.

Jodi Daniels 1:33

We are made breakfast was a really long time ago and really small and I’m really hungry. I need the desk.

Justin Daniels 1:40

Well, let’s not eat the desk. But let’s introduce our guests and instead. All right, well, today we have someone that I’ve known for a good bit of time, who I’ve worked with on incident response. So today we have Larry Slusser, who leads the technical cyber team at SecurityScorecard including incident response in digital forensics. His experience includes leadership at several Fortune 500 companies and service in the United States Air Force. Larry, welcome to the cauldron of the podcast.

Larry Slusser 2:13

Thanks, Justin. Thanks, Jodi. I don’t know. I don’t know when I got myself in here.

Jodi Daniels 2:17

I was just thinking you have no idea what you signed up for. You’ve confused him. Here like Larry, it’ll be fun. Come on. We’re gonna have a nice conversation. And then you come up call Trey.

Justin Daniels 2:28

Yes. But how do you know it’s not the cauldron where it’ll be Larry and I having fun at your expense? Cauldron.

Jodi Daniels 2:33

Well, yeah, that’s good for you. Not for me. Negative. We’re happy. I flipped the script. Apparently you have Larry, I’m bringing the script back. Tell us a little bit about how you got to where you are today.

Larry Slusser 2:48

Fair enough. Good question. And Justin told me I need to be brief. So that’s that’s always a challenge. Love, love a good story. And my my route to cybersecurity actually is a pretty good story. I’ll do the Reader’s Digest condensed version. Hopefully, some of your listeners are old enough to remember Reader’s Digest and the condensed version of stories. After a career in the Air Force and leadership, pretty successful leadership time and in Fortune 500 companies running a couple p&l as needed to support my wife and then her pursuit of her doctorate. And through that time period, I decided to get a master’s in cybersecurity through a couple of strange happenstance meetings of with friends who were in cybersecurity, decided to pursue it. And then I found my way into life hours working for Andre Corral. And he really, I refer to Andre very positively as the cyber Yoda. He is I think he was there when the internet was invented a lot of incident response experience in several countries. And really just learned a ton from Andre about Incident Response taking care of clients and really enjoyed being a first responder in in the cyber, cyber world security scorecard purchase life hours a year ago this week, and so have have learned all about cyber scoring and ratings and that industry as we’ve integrated over the last year or so, so still still excited to lead our incident response team also deal with our proactive security team doing doing tests pentesting red teaming and then also learned a lot about vendor risk more than I actually ever wanted to know about third party risk management and in particular the cyber pillar of that practice so yeah, so that’s kind of here I met Justin through through to to live incidents two or three. So I would say the best part of my job and hopefully Jess and I are gonna get to do this together is tabletop exercises, really enjoy seeing the chaos of the cyber war, decision making and imperfect environment with with him formation that’s, you know, maybe half hazard part of the time. And then seeing executive teams struggle in practice with what Justin and I actually see them go through, in, in real incidents when it’s when it’s not fun. It’s the worst day of their career, and all those dynamics that come along. So all right, that was not brief. Thank you guys for giving me a chance to answer that question. And cybersecurity is really a great career field. It’s, it’s so much fun, I really enjoy it.

Jodi Daniels 5:28

So first, congratulations on the acquisition. That’s very exciting. And I’m guessing the goal here is we don’t want teams with the cool hashtag IRL in real life. We want them to hang out in tabletop, Bill Wilson, like a new hashtag tabletop bill could be trending.

Justin Daniels 5:51

Sadly, the threat actor has something to say about that. Both Larry and I would be happy to talk to you about prisoner game theory in the negotiation. And

Larry Slusser 6:02

that was a bit of an inside joke. I wondered how soon it would be when you would insert?

Justin Daniels 6:06

No, I have to varnish my humor weapons when I can. So that was bad in mind. Larry, talk to us a little bit about because one of the ones we handled last year was first for me, but what are some of the newest challenges, you’re seeing an incident response from those pesky threat actors? Um,

Larry Slusser 6:24

I would say and I have a soapbox, but I’d go out of the picture. If I stood up on it too far, I think the word ransomware gets you universally used, whether it’s data exfiltration and extortion, whether it’s actual ransomware that encrypts or zips up the clients environment. So I find it interesting to hear that ransomware key cases or at least payments have gone down there seems to be some recent pressing less ransomware I’m not sure that’s true, as it’s applied to data exfiltration cases where we deal with data extortion, which is, which is what Justin, what you and I worked on, in that case, that actually so I would say what we’re seeing is a little more of threat actors gaining entrance into into an environment that they’re not supposed to be in, then they move around for a while anywhere from typically 10 days to we did one about a year ago, where the threat actor had been in there about eight weeks, it was a municipality, a fire department, and they were trying to find data to weaponize so so that’s kind of the modus operandi find data to weaponize or dollar eyes. And then at that point, they make a decision on encrypting the environment completely. Partially encrypting the environment to let to let the victim know we were in here, and we had control of your environment. And we chose to only partially encrypt you, but we steal data. Or the third kind of option is they’ll just X filled exfiltrate data and then hold that out for extortion. So so all that seems to be incorporated into ransomware. I think we as a, I think we as a group of service providers, and to those who study this, we need to be better at a differentiating some of the different categories. off my soapbox now. So what’s the trends? We’re moving from ransomware 100% to save 50% ransomware and 50% data exfiltration with extortion demands?

Jodi Daniels 8:17

Well, that sounds like quite the lovely combination. Candy. So if we think about what, you know, other trends, and sadly, war is still here, and especially the war in Ukraine, which, you know, is actually also in a anniversary state. What are you seeing about how the impact of that war has on Incident Response cases? Are you seeing an increase in those? And what might your crystal ball be going forward?

Larry Slusser 8:49

My crystal ball is not very accurate, as I’m still working as an incident responder haven’t got the lottery numbers yet. So so I don’t know how good it is. My sense is, and certainly we heard this from the FBI. I think Justin was involved in one of those briefs that that that conflict did affect ransomware groups, particularly ransomware as a service groups where they might have a call center to help victims get get their systems decrypted, or help them with ransomware payments, these threat actors, they’re very customer focused. And that’s actually something that a lot of executive teams aren’t aware of when we go through the tabletops. And we talk about ransomware as a service. Some crypt is a group that that has a phone call service. They also if you don’t pay they will call your executives or your executive spouses. We’ve seen that in a number of cases. It’s not necessarily a threatening voicemail, but it does ask the recipient to encourage their significant other or themselves to come to the negotiating table. So I think my answer to your question is it definitely affected groups, negotiations that used to only last a week. week or two sometimes could go four and even five weeks, depending on how the game theory was applied that Justin mentioned earlier. I think threat actors are not going to like the press that saying they got they were less effective last year. I don’t think that’s a good strategy. I think, I think we’re gonna see them work harder and faster. And I think on the future, in the big crystal ball, I would say AI is going to dramatically change the environment, possibly not for the better until we’re ready to deal with that threat as threat actors start to get a hold of that technology.

Jodi Daniels 10:35

Can you expand a little bit? What are you thinking might be an example of how AI will play into this in a negative way. Um,

Larry Slusser 10:44

I think, you know, it’s now kind of getting to the point where we can all log on and get an account and play around a little bit with AI and see what it can do for us imagine a threat actor applying that to credential stuffing, or a password, taking, taking all of the publicly available operational intelligence that you could gather on one of us. Our social media profiles all have a lot of birthdays, a lot of school information, where we went to elementary school, high school, a lot of those questions we see there are security questions to verify access. A lot of those can be guests. So if you use AI to comb through an individual’s publicly available information, I think it makes password guessing, credential stuffing, that type of thing. I think it makes threat actors able to multiply their efforts.

Justin Daniels 11:37

Airplane. Larry, I wanted to ask you a follow up, especially in light of a couple cases we’ve handled is when you’re doing tabletops. And you might include where the threat actor starts to call customers or starts to call the spouse of the CEO. What kind of reactions are you getting from the management team? Do they scoff and say this seems a little outlandish? Or are they taking that likelihood more seriously?

Larry Slusser 12:09

I think that’s a great question. I think a little bit of both. There’s been times that that I could see the look on their faces that they didn’t necessarily believe that someone could have access to their cell phone numbers. And we have a slide ready, of course, with with all of the protected information redacted, but you can very easily find someone’s name, social security number, every previous address they’ve ever owned, every car that they’ve owned all of their significant level one family or friends and those folks phone numbers. But typically, we have someone who’s a willing participant that we’ve pulled that on in a tabletop, sometimes it’s the CEO, sometimes it’s the CEO, sometimes it’s the CTO, but if they doubt how easily that information is to get, we show them that we actually have it on someone on their staff. And then it gets pretty real pretty fast. And it’s it’s, you know, we joke kind of in the business that scaring is caring, but it really is, it really is a little alarming. That’s so great. You guys to trademark that.

Jodi Daniels 13:22

In our house. Justin’s your mom is sharing is caring. Now we are caring we already sharing is caring. Caring is caring. That’s gonna be great. Yeah. Very caring.

Larry Slusser 13:38

Haven’t traded good. So if you guys beat me to it, let’s

Jodi Daniels 13:41

hear that one. Yeah, well, you know, you’re never gonna go after.

Justin Daniels 13:46

So, Larry, another question I wanted to ask you is, and this is my overwhelming experience. But how often do you handle an IR where a customer actually has a plan that they’ve practiced? Or is your experience mostly they call they have no plan, they just know that you can help them and you have to go from there. What is mostly your experience been over the last several years on that?

Larry Slusser 14:08

Yet, I’d say less than 10% of the time somebody actually has an incident response plan that they know where it is, and they’ve practiced it. I used to say on our tabletops. It’s fantastic that you’re committed to this exercise, we have never actually gone through a live incident with someone we’ve done a tabletop with. But sadly, this past year that that streak was broken. I got a phone call from the client thought it was just going to be a standard, hey, how you doing after about a minute? And he said, Well, we’re in trouble. We activated our incident response plan. And I’ll tell you, it was easy to go through that. It was a difficult situation, but they knew exactly the steps to take what to do, what questions that the threat actor was going to pose how to deal with cyber insurance. So so it really demonstrated the benefit of the tabletop for the organization. But yeah, I’d say maybe not even 10% maybe less, most people are confused. They think they’re going to call their cyber insurance and everything’s going to be wonderful. And it just starts to go downhill from there.

Jodi Daniels 15:08

What are some of the key areas when you do those tabletops that always kind of rise to the top that people aren’t prepared for? Um,

Larry Slusser 15:17

I think knowing exactly who’s going to be on that incident response committee, whether it’s whatever name they choose to have for it, who’s on that committee who’s on that team, the first thing we talk about is out of band communications, I would say 90% of organizations have no real idea how they’re going to do that. So they go to personal cell phones, personal emails. I think the second thing would be decision making, do we have an executive group, kind of a mid level group that’s going to talk about that maybe the CTO, the CEO, and then we’re going to go to the CEO and the board level. But the progression of decision making is interesting. Most organizations have not really thought about that. And funnily enough, most organizations really haven’t thought about, well, we pay ransomware, immediately, the discussion turns to what is insurance cover, and then that’s kind of a rabbit hole we spend some time on, because it’s kind of a quagmire. But a lot of companies, you know, there was one company that told us that they have a philosophy that they will not pay. And then when we actually got to it, the owner of the private equity companies that were going to pay, so that created a huge discussion, right? Because philosophically, we’re not paying ransomware, we’re not paying terrorists, and they’re all terrorists. So that was, I think Mike Tyson said it best, right, everybody’s got a plan till they get in the ring and get hit in the face. And that’s kind of the way it is with ransomware.

Justin Daniels 16:46

I’m gonna send you that slide, because I just used it in a workshop where I was telling everyone how to plan but you get in the middle of an event, sometimes you have to deviate from whatever your plans are, because it’s required. But I have another interesting follow up question I want to ask you, which is, in the cases that you’re involved in where there is a ransom demand? What is the percentage of the time that people pay it 80%. That’s consistent. I almost never have somebody not pay it for two reasons. One, they don’t know how good their backups are. And they consider that it is easier to get the decrypt key, which obviously won’t get you back 100% than to try to go from their backups. And I assume you see that as well as most people do not test their backups, even if they have them. And they’re not willing to rely on that as opposed to paying the ransom.

Larry Slusser 17:35

I definitely agree with your statement. And I think too, as companies, I do think that’s affected the market, if you will, from the threat actors perspective, more companies are focusing on backups. It’s really a business decision, right? If I have good backups, and I can roll my machines back or build new machines, it’s just which is more expensive, paying the ransom or rebuilding, if I have good backups. Unfortunately, there’s times where we deal with smaller companies who don’t have good backups or their backups are encrypted, they have to pay or they’re kind of starting over again. So it’s, we really can’t help them in that situation, which is difficult. But you’re absolutely correct, I think Justin.

Justin Daniels 18:17

So another thing I wanted to ask you kind of stepping back, Larry, because you’re on the forefront of when both companies hire you for incident response and as well as proactive services. So let’s assume for a moment, it’s a company that doesn’t have a CISO, which is pretty common. What C suite executive is controlling the cyber budget for the cyber spend. Um,

Larry Slusser 18:43

they don’t have a CISO. And they don’t even they don’t have a VC. So at all, just just a straight, so it’s probably going to be their CTO, their chief technical officer, depending on the relationship with the CEO, what either the CIO or the CTO, a lot of times the chief financial officer will be the one holding the cyber insurance, which may or may not take into account a lot of their environment, if you will, it’s just a line item that gets paid for, we’re seeing that change in cyber insurance companies have to get a lot more sentient and really pay more attention to that coverage. But I would say the CTO and then and then we get into what’s more important information security in the cybersecurity vein or it. So that’s, that’s kind of a an industry, nuance, if you will, or a little battle that’s always kind of going on it versus cybersecurity within companies.

Jodi Daniels 19:37

We talked a little bit about the variants of ransomware and how we’re starting to see more data extortion, are there other variants or trends that you’re starting to see come out and maybe even trends of how people are responding? Great question. Um,

Larry Slusser 19:58

I think I think we’re just still seeing the usual suspects, if you will, it was nice to see FBIs work on hive. We went up against hive several, many times this past year along with blackcap. I think Acer has kind of a new one, the interesting twist they have as a pop up window to email them, and then after the email, then you follow that through to the chat, which is a little bit different. Take on it. And then scarecrow appears to be kind of a version of content, which has been very successful. They have a they have a shared algorithm. So there’s some some similarity, I guess it at a root level. But I think those two are probably the most recent that are coming out that I can can talk about. It’s always changing cyber, the cyber world is not stagnant. Whichever side you’re on the criminal element, or, or the incident responder teams, we’re always

Jodi Daniels 21:02

going back and forth. Well, doesn’t that sound lovely? rather scary as for a company? Well,

Justin Daniels 21:11

this is what happens on the back end if our we’re not minding our cyber p’s and q’s. And unfortunately, for Larry and I both most of the time, it’s a very chaotic experience. And it’s a struggle to get companies to want to be more proactive. Unless they’ve experienced this. And even then some companies still don’t want to do what they need to do with cyber, which I guess, Larry, you and I’ve talked about this a little bit. But any thoughts you have or any rumblings around these SEC regulations for cyber that come out and what the Biden administration is saying, because I’m of the view, it’s going to take regulation, I’d love to hear your input as to what your thoughts around how cyber regulation would impact some of the statistics that you’ve been giving us from your experiences?

Larry Slusser 21:59

Do you mean reporting the reporting of incidents? Or do you mean more of the steps that need to be taken within an organization to demonstrate readiness?

Justin Daniels 22:07

I think it’d be more of the steps to take to be ready, because now there’s regulations out there that require public companies to report on what is your cyber readiness? What is your plan, because I think that will trickle down into a lot of these mid market companies that are part of their vendor ecosystem.

Larry Slusser 22:23

It’s, it’s always, I mean, not to delve off into a big debate. But I do think it’s interesting, you know, kind of the centralized government versus versus states rights, that’s kind of essentially what we’re talking about is mandating, mandating a certain amount of cyber defense. And I think the government is trying to take the lead in that I think insurance companies are also finding out that they have to take the lead in that things like multifactor authentication, things like endpoint detection and response quality backups, there’s a lot more due diligence going on in the insurance market, to ensure they’re doing things like you know, Home Inspections, you know, to ensure the home meets certain standards. I do think Justin and Jodi, I do think that’s the way it’s gonna go. Like we have public building codes for buildings need to be built to a certain standard, I think we could see a similar move within cybersecurity within businesses, you have to have backups, you have to have a certain amount of air gapping, you do need to have minimum standards to protect the crown jewels of your organization. I’d neglected to mention Jodi, to your question on tabletops. Most, I’d say half of the C suite executives in companies when we meet, do not know what their crown jewel data is. And if they do know what it is, they really can’t tell you how well protected it is. And that’s, and that’s a concern. Right? Everybody feels like we’re going to the cloud. So the cloud will make us safe. And as we all know, it’s not. So I think, I do think the long, many-worded answer to your question Justin is I do think it’s going to impact I think there’s going to be a battle as to how much it’s going to impact businesses, how much they have to spend to demonstrate that they’re adhering to the this cyber building code, if you will,

Jodi Daniels 24:16

cybersecurity. Since a big part of what you do is trying to help companies protect those crown jewels. What would you offer as your favorite best cyber tip?

Larry Slusser 24:34

Wow, you said she was going to ask good questions, Justin. Holy smokes. I think the best cyber tip I would give companies is it’s gonna sound horrible, but it really is awareness. I would I would try to get aware of what are my crown jewels? Am I prepared for an incident And what can I do to work on preparedness, there are a lot of tools, we are being inundated with tools that are going to make us more secure. Some of them overlap, some of them don’t. But I think rather than just spending a lot of money on tools, take some time and have some awareness and get some education. If I had to pick one tool, if you if you were really pinning me down, I think endpoint detection and response, although it’s not cheap. It is it is a necessity. And I’ve seen a very well known company that had a lot of different tools. They didn’t have a quality endpoint detection and response on sitting on their endpoints watching from the bad guys. That’s not a that’s not an antivirus system. It’s it’s antivirus on steroids. It allows you to hunt and destroy bad guys. And it’s not cheap. So it’s hard for smaller businesses to do but but I would say having an EDR out there is is a good, necessary tool. Justin, I agree or disagree.

Justin Daniels 26:02

I think that’s a great tool. I think you hit the nail on the head is affordability. And willingness to spend the money on that, because let’s be honest, buying EDR is kind of like putting new windows on my house. It’s something like I have to do, but I’m not real excited to do it. And it’s not cheap.

Jodi Daniels 26:19

I like my windows. I like my windows. I was very excited to hear we did new windows.

Larry Slusser 26:26

I heard two he said you get new windows. I didn’t hear him volunteer to wash. But he did say Oh,

Jodi Daniels 26:31

we did. We got new windows a couple of years ago. And I love my new windows. So CDR can be cool and fun. Okay, I would agree with very nice, Larry.

Justin Daniels 26:40

What do you like to do for fun when you’re not helping clients respond and handle data breaches.

Larry Slusser 26:48

So I enjoy mountain biking, not super technical, dangerous off edge of cliffs stuff, but just, you know, a little bit so you can feel like you’re off road on a mountain bike, I really enjoy that. And then I have a woodfired pizza oven that I built, that I really enjoy having family and friends over and cooking up pizzas. So those are kind of my two little pursuits that I like to do.

Jodi Daniels 27:14

It sounds good. And you too will have to coordinate some type of mountain biking experience.

Justin Daniels 27:20

I think so the next time I’m out in Larry’s neck of the woods will be going there’s a lot of cool places near him to go. There’s

Larry Slusser 27:26

there’s a lot of cool trails. Yeah, absolutely.

Jodi Daniels 27:29

Definitely. Larry, thank you so much for sharing all this wealth of knowledge with us. Where can people connect and learn more?

Larry Slusser 27:37

Great question. would be a great resource. And you could that’s probably the that’s probably the best resource To learn more about what we do. And then within that, you can click on on the cybersecurity technical team and meet the rest of the team that that helps businesses out.

Jodi Daniels 28:00

Wonderful. Well, Larry, thank you again. We’re really grateful for your time here today.

Larry Slusser 28:05

Thank you guys. It was a pleasure to be part of it. Thank you.

Outro 28:12

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.