1
00:00:00,000 --> 00:00:07,100
Yeah, so if you had basically let's do that one. Yeah, so what would you send, emoji or a GIF?

2
00:00:08,100 --> 00:00:13,060
To our CEO maybe a GIF and it would be snarky as hell. I just don't know what it would be off the top

3
00:00:15,820 --> 00:00:20,540
I'll save my response for the actual thing if we want to actually use that one but

4
00:00:21,340 --> 00:00:23,340
Sure dive right in I

5
00:00:23,340 --> 00:00:28,580
And so off the top of my head just because I haven't been working here very long

6
00:00:28,740 --> 00:00:32,660
I'm going to just be super creepy and it would just be like a little GIF

7
00:00:32,660 --> 00:00:41,020
That's just like a person like like peeking out from somewhere no context no words just really weird

8
00:00:41,020 --> 00:00:51,060
I mean you're like diamond to it like yeah, I'm like the weird smiley face that you're like, what is this?

9
00:00:51,060 --> 00:00:53,060
Oh, me

10
00:00:56,900 --> 00:00:58,060
I

11
00:00:58,060 --> 00:00:59,980
Would say if it was an emoji for me

12
00:00:59,980 --> 00:01:04,980
It would almost always be just the thumbs up because we just kind of drive by drop information in the

13
00:01:05,460 --> 00:01:09,660
Teams chat all the time and most of time. It's just acknowledgement good. I got it

14
00:01:09,660 --> 00:01:15,220
But for whatever reason I was looking back and my last GIF was one that says whoopsie

15
00:01:15,460 --> 00:01:18,100
So I don't know what I said, but I screwed up

16
00:01:20,260 --> 00:01:24,700
That one even for no context just throwing that one out there being like you're a panic

17
00:01:29,020 --> 00:01:33,940
I know I think I'd have to find something knowing that he likes 80s movies and back to the future

18
00:01:33,940 --> 00:01:39,460
I'm like, I think I'd find like a good back to the future one that works in multiple contexts to be like choose your adventure

19
00:01:39,460 --> 00:01:45,540
It's back to the future. So I'm sure I'll be looking on the side not multitasking during this podcast and go

20
00:01:45,540 --> 00:01:47,540
I'm gonna find one. I'm gonna put it in the chat

21
00:01:51,420 --> 00:01:54,900
Yeah, yeah, if I had to send Kyle a

22
00:01:55,500 --> 00:01:59,420
Emoji it'd probably be like a thumbs up or a heart or something like that

23
00:01:59,420 --> 00:02:05,340
You know it's a thumbs up usually because he's asking me something and then heart because I'm super appreciative, right?

24
00:02:05,340 --> 00:02:13,020
Yeah, there's been a couple great mentors for myself here at CIT pals one of them now for the question was to the COO

25
00:02:13,940 --> 00:02:15,940
It'd definitely be the middle finger

26
00:02:19,060 --> 00:02:21,340
For those that are listening that is my boss so

27
00:02:24,220 --> 00:02:26,220
Because we joke around all the time so

28
00:02:26,220 --> 00:02:28,300
It could be a heart too but

29
00:02:29,300 --> 00:02:32,180
I would say paired with another emoji

30
00:02:32,740 --> 00:02:40,260
Mine would be the blue heart with like a smiley face and a hug because I just had a correspondence via email with Kyle about

31
00:02:40,260 --> 00:02:46,700
Autism Speaks and how we're going to then continue on with our corporate charity of some things coming down

32
00:02:47,700 --> 00:02:53,660
A little bit later this year. So I was like yay super excited. So that was that was my thing

33
00:02:53,660 --> 00:02:56,580
Love it. Love the plug. We got a wide range

34
00:02:58,260 --> 00:03:00,420
The sweet the good the bad the ugly of

35
00:03:01,420 --> 00:03:04,420
Information for Kyle and

36
00:03:05,140 --> 00:03:07,260
After this podcast, we'll all have to just

37
00:03:08,220 --> 00:03:10,220
Send him with no context

38
00:03:11,180 --> 00:03:13,380
All of this stuff and see what he says

39
00:03:14,180 --> 00:03:21,300
But today on our Tech for Business podcast. We don't have Kyle, but we do have Todd and Nate. Todd, our CEO

40
00:03:21,300 --> 00:03:27,820
And CISO and Nate our director of cybersecurity and we're discussing privileged access

41
00:03:28,620 --> 00:03:30,620
management specifically

42
00:03:31,180 --> 00:03:34,700
For banks and it seems like a really obvious question

43
00:03:35,220 --> 00:03:41,020
But I'd like to start with why a financial institution would need a PAM

44
00:03:42,020 --> 00:03:44,900
Or maybe just a quick what is it?

45
00:03:47,580 --> 00:03:48,540
How do you want to kick off the way of the

46
00:03:48,540 --> 00:03:54,420
How do you want to kick off for what it is and I can maybe start talking about why sure yeah, so

47
00:03:55,260 --> 00:04:02,940
As people may or may not be aware the way windows and networking was initially set up was for the most part

48
00:04:02,940 --> 00:04:04,540
everybody started out with

49
00:04:04,540 --> 00:04:06,300
administrative access and

50
00:04:06,300 --> 00:04:11,100
Which means you've got the keys in the kingdom you can do whatever you can install your own software you can make updates

51
00:04:11,100 --> 00:04:14,300
Etc. Somewhere along the line Microsoft put in

52
00:04:15,380 --> 00:04:17,380
the UAC

53
00:04:17,380 --> 00:04:24,260
UAC and which was the annoying box that pops up and says are you sure you want to make that change and

54
00:04:25,660 --> 00:04:31,540
So that was kind of the interim of don't just randomly click yes on everything and as the world has

55
00:04:31,940 --> 00:04:38,380
continued to progress and the threats in the world especially for cyber security have increased what you're starting to see is those

56
00:04:38,460 --> 00:04:43,820
Privileges are being abused and that's whether it's getting ransomware installed or something along those lines and so

57
00:04:43,820 --> 00:04:47,020
That's where privileged access management comes in

58
00:04:47,020 --> 00:04:53,260
It's the tool sets that allow you to go through a process and start to restrict the amount of access that individuals have

59
00:04:53,700 --> 00:04:59,140
Most compliance industries use the phrase least privilege, which means you have the absolute

60
00:04:59,820 --> 00:05:05,020
Minimum access you need to complete your job. That's the concept most people really don't comply with it

61
00:05:05,020 --> 00:05:07,740
But a tool like a PAM will help you achieve that

62
00:05:09,700 --> 00:05:12,380
Yeah, and specifically in the banking industry

63
00:05:12,380 --> 00:05:19,860
You know, we are seeing, you know, the auditors saying have you removed local administrator from all of your users?

64
00:05:20,540 --> 00:05:27,660
Right. I'm not gonna go too deep here, but there are some pretty critical attack paths that

65
00:05:28,500 --> 00:05:30,420
are used

66
00:05:30,420 --> 00:05:32,140
paired with bad

67
00:05:32,140 --> 00:05:35,980
practices from IT administrators that can quickly lead to an account

68
00:05:36,660 --> 00:05:38,660
sorry and

69
00:05:38,660 --> 00:05:45,780
Organization level compromise all the way up to the highest level permissions which tends to be your domain admin your enterprise admin

70
00:05:45,980 --> 00:05:51,420
so the danger that any organization faces not just the banks but

71
00:05:53,180 --> 00:05:55,180
Yeah, is that

72
00:05:56,500 --> 00:06:03,380
We tend to see IT administrators using domain admin for desktop support as well

73
00:06:03,380 --> 00:06:11,580
But that's extremely dangerous Microsoft doesn't always recommend that right the domain admin should only be used for your top level servers

74
00:06:13,620 --> 00:06:20,660
When a user has local admin what we see is when that IT admin logs in on that workstation

75
00:06:21,020 --> 00:06:26,860
Their password is cached or kind of temporarily held on that device and so then

76
00:06:28,100 --> 00:06:29,980
when someone has local admin

77
00:06:29,980 --> 00:06:36,780
If a threat actor gets on to that device they can then take that and log right into the servers without ever having to crack a password

78
00:06:36,780 --> 00:06:43,980
It's called pass the hash. That's the most technical I'll get today, but it is a very very dangerous exploit that we see

79
00:06:44,980 --> 00:06:51,980
fairly regularly. It's, and then it's also attempted and we see that in SentinelOne from time to time as well. So

80
00:06:53,140 --> 00:06:55,140
By removing that local admin

81
00:06:55,140 --> 00:07:01,140
You're going to be hitting what the auditors are asking for but also you're reducing some very very critical

82
00:07:02,140 --> 00:07:10,140
security exploits that are commonly attacked right off the bat when trying to gain elevated permissions within the organization. So

83
00:07:13,140 --> 00:07:22,140
So I wanted to hit two points off of that one is I want to clarify for the most part when we're working with banks they do tend to be in the small to mid-sized

84
00:07:22,140 --> 00:07:32,140
area. It doesn't mean that these tools don't extend into the enterprise because they can. So I just kind of want to clarify that so the vast majority of this conversation will revolve around that

85
00:07:33,140 --> 00:07:43,140
As we were talking about the need for access and whatnot. There is a lot of stuff that happens in the network that does require that administrative access and I mentioned it right at the beginning is

86
00:07:43,140 --> 00:07:57,140
Sometimes it's installing a tool or it's installing an update or something along those lines and where tools like privileged access management come into play is it has the ability to automate some of these tools. So

87
00:07:58,140 --> 00:08:08,140
When we take away the administrative access we still have a tool that says let's say my marketing team is on here. So this will be a great example. My marketing team wants to update the Adobe suite.

88
00:08:08,140 --> 00:08:19,140
Well instead of having to reach out to the network administrator they can just say yes I want to do the update. It'll go compare the MD5 hash against a known good one and says this is really the update. Yep all good

89
00:08:20,140 --> 00:08:32,140
Automatically apply for it and I can do that across a network. I can do it across a company or individual etc. So it gives you a lot of flexibility a lot of automation and then removes the friction which we talk about often on a lot of our podcast

90
00:08:32,140 --> 00:08:42,140
But still gives us high security value. Yep. Yeah and one of the things that come to mind as well is

91
00:08:43,140 --> 00:08:58,140
There's PAM solutions out there today where you have to approve every single update which is not the best user experience. So for example if Chrome has an update or Adobe has an update right.

92
00:08:58,140 --> 00:09:08,140
Todd mentioned it does compare against the MD5 hash and if it's not there because again it's an update there's a new hash value you have to re approve it.

93
00:09:09,140 --> 00:09:23,140
Better solutions today will also take a look at whether or not the update is signed by that publisher already. And so even if it is an update but it's still digitally signed that to be valid from them.

94
00:09:23,140 --> 00:09:40,140
It'll automatically apply the same update without any additional approval. So this is where once you start taking a look at some of these PAM solutions it really becomes powerful on time savings and administrative burden for the IT staff.

95
00:09:40,140 --> 00:09:52,140
So oftentimes we see IT staff is already stretched thin. The last thing that they want to do is apply a new security product in the environment because it's going to require more work for them.

96
00:09:53,140 --> 00:10:06,140
These tools are designed to really reduce that friction and then as we're talking about rolling it out across the organization there are solutions that are free but they are very intensive on the labor to get it set up.

97
00:10:06,140 --> 00:10:27,140
And so again time is money and so these tools do have ways to automatically categorize and inventory the software that is installed already within the environment and then dynamically build policies to reduce that internal labor.

98
00:10:27,140 --> 00:10:42,140
And that's really where we start seeing things like ROI discussions come into play saving the IT teams and then also trying to really elevate the security of the organization as well.

99
00:10:43,140 --> 00:10:53,140
One housekeeping item I realized both Nate and I threw out MD5 and the hash and it probably doesn't mean a darn thing to most people.

100
00:10:53,140 --> 00:11:05,140
It's basically the nerdy tech portion of data integrity. So when there's a file out there this is kind of the reference we use to say is this valid. Does this come from the place I think it should.

101
00:11:06,140 --> 00:11:07,140
So sorry about that.

102
00:11:08,140 --> 00:11:15,140
I was going to give you crap about using MD5 because the new one is SHA-1 or SHA-2 but we won't go down there.

103
00:11:15,140 --> 00:11:23,140
Same concept though, it's an encryption algorithm. It doesn't really matter, basically the concept is it's the encryption used to validate the data integrity.

104
00:11:24,140 --> 00:11:29,140
So my apologies and I deserve crap for not using the latest and greatest.

105
00:11:30,140 --> 00:11:41,140
One of the other things that I wanted to talk about and I mentioned this as kind of a focused heavily on the SMB spaces. We do work with a lot of banks and as Nate mentioned you were toying in that space.

106
00:11:41,140 --> 00:11:49,140
I just kind of want to clarify. We do see a lot of times where the examiners are coming in and they're saying what do you do in this particular case show us prove it etc.

107
00:11:50,140 --> 00:12:00,140
But the reason why this can become really important is a lot of times those smaller banks will use a core banking app that's provided by another vendor.

108
00:12:00,140 --> 00:12:14,140
And this is true for in other spaces as well. You'll tend to have a lot of legacy applications out there. And unfortunately the way the world is stored because I mentioned you had access to everything is they were written to require administrative requirements.

109
00:12:15,140 --> 00:12:26,140
So for example there is a banking application out there called Maui and Maui does a reference and a call to an outside application that says I need access to run this additional application to run a batch file.

110
00:12:26,140 --> 00:12:42,140
Kind of a really poor design in today's world unfortunately but you still go through the process of saying is this legitimate valid can so forth and so forth and we can define the tool in the PAM to say in this one instance I will allow that to happen.

111
00:12:43,140 --> 00:12:54,140
And so that tool will help with the automation of it. So as Nate was mentioning earlier you do have some tools that are doing things that would in the cybersecurity world look incredibly malicious and scary.

112
00:12:54,140 --> 00:13:04,140
And we can still lock it down but still remove the friction of saying OK the admin has to look at this every single time because A the IT guy doesn't want to do it and people don't want to be slowed down.

113
00:13:05,140 --> 00:13:13,140
So there are instances where we see that and again in the SMB space in general you'll see it with other legacy apps as well. So that's where tools like this come into play.

114
00:13:13,140 --> 00:13:23,140
Yeah and that's definitely one of the biggest things that we see from the security side over here at CIT is the core banking applications.

115
00:13:23,140 --> 00:13:43,140
It seems like every single one of them requires local admin permissions to be able to execute which then the banks are tied into a hard spot where they say I need to still allow my users to work and I can't spend my entire day just inputting credentials to allow them to work because I'm already bogged down.

116
00:13:43,140 --> 00:13:55,140
But then on the other side you have your auditors coming in saying remove local admin otherwise you're not compliant. And so that's that's where the tool comes into play really reduces a lot of that.

117
00:13:56,140 --> 00:14:07,140
There's other protections that you could put in play and I've worked with other banks where you put in, you know, for example the Protected Users security group, that's a great way to mitigate that prior attack that I was talking about.

118
00:14:07,140 --> 00:14:15,140
However what happens is now when the auditors also say do you have multi-factor on your network switches, well guess what, that breaks.

119
00:14:16,140 --> 00:14:22,140
And so that's where the PAM solution then comes right back into play saying we can put in this proper security controls.

120
00:14:22,140 --> 00:14:39,140
To support both the network infrastructure and multi-factor as well as removing local admin. It helps maintain the internal compliance and your auditors and it's a really phenomenal tool and then going back to Todd's point about least privilege is that

121
00:14:39,140 --> 00:15:07,140
you only have to grant elevated permissions to the particular process or application that's trying to run. So installing a new printer driver installing a new driver update for your Wi Fi card anything like that right is you can let the tool get out of the way while still providing the same security value or even maturing the organization at the same time.

122
00:15:07,140 --> 00:15:20,140
Yeah the maturing the organization is a great point and we've talked about it about banks in the past anyway but it's a really good point just because occasionally we will see banks will be somewhat reluctant to put some tools in place and there's reasons for it.

123
00:15:21,140 --> 00:15:34,140
But the majority of it is they're on a maturity path and it is what it is and so a lot of times a bank will go well why am I forced to do all of these things I'm not well as far ago I'm not US Bank and quite frankly they are often held to those types of standards.

124
00:15:34,140 --> 00:15:42,140
And while the examiners may not come to them and say why I expect you to act exactly like Wells the compliance that they're going through does apply.

125
00:15:43,140 --> 00:15:58,140
And so when you run into some of those issues and concerns of do I really need to do this. Well at some point the examiners are going to ask but in the case where privileged access management comes into play there is another reference back to our SMB episode.

126
00:15:58,140 --> 00:16:09,140
It's required for insurance to you're starting to really see that come into play a lot as well so banks still do their cyber security insurance as well it's still part of their playbooks when they do their incident response plans as well.

127
00:16:10,140 --> 00:16:17,140
And so it is something that we're starting to see being asked and it's not even an ask so much anymore starting to quickly become a requirement.

128
00:16:17,140 --> 00:16:31,140
Yeah. I think one thing I might just toss into the mix as well and then I can tell that the marketing team probably wants to ask a question so the last thing I'd maybe add out is.

129
00:16:31,140 --> 00:16:47,140
I should probably also call out the term application whitelisting and so they go hand in hand so application whitelisting is the concept of only allowing software to run if it's previously approved.

130
00:16:47,140 --> 00:17:10,140
And then what that does is it also pairs in with the privileged access management saying if I need to install something that's not approved or I need to run one of the existing applications with elevated permissions then you can apply different policies on there but application whitelisting is really really critical to the banks as well and they do pair together.

131
00:17:10,140 --> 00:17:25,140
And the reason why is you know this is fairly old now but Zeus was a famous banking Trojan so it's been used and adapted many many times over the years but essentially what that was doing was.

132
00:17:25,140 --> 00:17:42,140
Someone clicks on something malicious you know in an email or downloads an attachment with a malicious payload from there there's a Zeus Trojan which would then intentionally watch web pages and try and scrape sensitive data.

133
00:17:42,140 --> 00:17:57,140
As the tellers and everyone was inputting this sensitive info where the application whitelisting comes into play is if that wasn't previously approved or signed for by an already approved vendor.

134
00:17:57,140 --> 00:18:11,140
That has no chance to run in the environment therefore now you're protecting the customer data as well.

135
00:18:12,140 --> 00:18:17,140
And so I just wanted to call out Zeus because it is by far the most famous piece of malware that's ever hit the financial industry.

136
00:18:18,140 --> 00:18:21,140
And it's all part of the same tool to protect it.

137
00:18:21,140 --> 00:18:37,140
Yeah so a lot of the tools out there are multifaceted they have a lot of functions and you know as typical and we talk about these things there are tools that we know of we'd be happy to talk about them further if you've got questions about it which will make a small plug of letting us know if you got questions.

138
00:18:37,140 --> 00:18:55,140
But there are some that are really really good and they do provide a lot of additional functionality and you get a lot of bang for your buck in the white listing or in some cases it's called ring fencing those tools will come into play as well and they are very important especially when it comes to your defense and depth strategies that a lot of the banks are employing.

139
00:18:59,140 --> 00:19:02,140
So I was kind of waiting for the questions I'm sorry go ahead.

140
00:19:02,140 --> 00:19:08,140
I saw Ariel go off mute at the same time I was like do you mind if I throw one out to them. Yeah for sure. Sweet.

141
00:19:09,140 --> 00:19:16,140
So just as you guys are talking through it I know previously we've had discussions a little bit about right you're sold on it. You understand technology everything's all good.

142
00:19:16,140 --> 00:19:31,140
You go to implement it. Is this something A that you can implement yourself and what does that look like what are the pros and cons there or B is this one of the tools that you go. Yeah you don't even want to get in the weeds there just have somebody else installed for you.

143
00:19:33,140 --> 00:19:34,140
Yes.

144
00:19:34,140 --> 00:19:50,140
Yeah I was gonna say it's depending on what solution you're looking for right and so this is where I'm going to try and be really agnostic to whatever solution you're looking for right but there's the free solutions.

145
00:19:50,140 --> 00:20:04,140
So Microsoft has AppLocker right, they provide that for free, that is part of their application whitelisting. They've now introduced another privileged access management solution that's

146
00:20:05,140 --> 00:20:10,140
A license that you can buy from Microsoft there so you have some cost but.

147
00:20:10,140 --> 00:20:27,140
With a solution like AppLocker you're likely having a lot of that internal manual labor so if you have the team that can support it you can go through all of your devices, start inventorying and start building those policies to apply all these different permissions.

148
00:20:27,140 --> 00:20:39,140
That's a one option. There's other ones that you know Todd mentioned the UAC prompt so when you're trying to elevate all it's doing is.

149
00:20:40,140 --> 00:20:41,140
Intercepting that.

150
00:20:42,140 --> 00:20:45,140
To where you would normally put in administrative username and password.

151
00:20:45,140 --> 00:21:00,140
That's a little bit less. Labor intensive but now you might be looking at continually having to approve every request that comes through even if it's a common update and then it doesn't really look across the entire organization.

152
00:21:01,140 --> 00:21:03,140
If anyone else previously had that installed.

153
00:21:03,140 --> 00:21:15,140
Then at the some of the upper echelons of these types of tools you have tools that will automatically scan an inventory and then you can.

154
00:21:16,140 --> 00:21:17,140
Put in all these.

155
00:21:18,140 --> 00:21:28,140
Fancy policies saying maybe I only want to allow that policy to run for one hour and then just get rid of the rule right the tool will have a lot of automation built in there as well.

156
00:21:28,140 --> 00:21:32,140
So it's really a trade off right is as you start moving that direction.

157
00:21:33,140 --> 00:21:35,140
You're going to either start paying for.

158
00:21:36,140 --> 00:21:40,140
Instead of labor and no licensing into licensing and no labor.

159
00:21:41,140 --> 00:21:53,140
Or potentially you're even looking at a solution where maybe you don't even want to do the approval request. You need to have a first pass on that with another vendor like CIT.

160
00:21:53,140 --> 00:21:57,140
There are solutions like that where we can be the first line of.

161
00:21:58,140 --> 00:22:07,140
Defense on those approvals saying we know that this is potentially malicious or we know it's a common application such as zoom or teams or WebEx.

162
00:22:08,140 --> 00:22:14,140
That we can just get in there and approve it more at the global level to ensure that it doesn't impact you right off the bat because.

163
00:22:15,140 --> 00:22:19,140
If you do use a tool that's managed by another service provider like CIT.

164
00:22:19,140 --> 00:22:28,140
We do see. Many many many different networks and so we can say well we saw customer a requested this yesterday.

165
00:22:29,140 --> 00:22:32,140
Let's approve it up at the global level because it's not malicious.

166
00:22:33,140 --> 00:22:38,140
Therefore when your team tries to do it it's already approved and the impact is mitigated.

167
00:22:39,140 --> 00:22:50,140
Yeah I was going to echo that last piece as well as to answer the question about as simply as I could do it is it does depend on on your wherewithal on your bandwidth and what you're willing to take on.

168
00:22:51,140 --> 00:22:54,140
So they can be relatively easy and they can also be incredibly complex.

169
00:22:55,140 --> 00:23:04,140
The part where Nate got into someone like a CIT is we work with a lot of banks and it's probably no surprise that the banks will say well what do you typically see.

170
00:23:04,140 --> 00:23:11,140
And that that's where you'll see a lot of value come in or we can go here's your quote unquote checklist that we can help you through.

171
00:23:12,140 --> 00:23:13,140
We know X Y and Z.

172
00:23:14,140 --> 00:23:17,140
We're just going to go ahead and allow you to do the Adobe suite because we know it's fine right.

173
00:23:18,140 --> 00:23:24,140
We know that you're going to potentially if you're using the Maui app it's going to act like this so we can kind of preempt a lot of those things and just streamline it.

174
00:23:25,140 --> 00:23:28,140
And then yeah there are some tools that have some great automation on them as well.

175
00:23:28,140 --> 00:23:36,140
So I think we focused a lot on banks and if somebody is listening to this and they work for a different kind of like financial institution.

176
00:23:37,140 --> 00:23:44,140
Is there any different kinds of challenges or best practices for them or is it just kind of same across the board.

177
00:23:46,140 --> 00:23:48,140
Same across the board for the most part.

178
00:23:49,140 --> 00:23:52,140
I mean some of the biggest differences that you see in banks is they are heavily regulated.

179
00:23:52,140 --> 00:23:58,140
So there are compliance reasons why one way or another they quote unquote get forced down a certain path.

180
00:23:59,140 --> 00:24:03,140
It's as I mentioned, we're asking Wells to do this, you get to do it too.

181
00:24:04,140 --> 00:24:09,140
That being said in case anybody doesn't know you want I'm sure you do if you're in a financial industry you're aware of it.

182
00:24:10,140 --> 00:24:17,140
But whether you're being regulated by the FTC because you're doing personal loans or whatever the requirements are still the same and the protections are still the same.

183
00:24:17,140 --> 00:24:22,140
You just need to be not having the screws held to you in the same manner that the banks are.

184
00:24:23,140 --> 00:24:26,140
But all of the requirements all more or less end up being the same.

185
00:24:27,140 --> 00:24:30,140
So we talk about this fairly often in this meeting too or meeting.

186
00:24:31,140 --> 00:24:36,140
Sorry in the podcast where we talk about how there are different types of compliance.

187
00:24:37,140 --> 00:24:40,140
There's FTC, there's CMMC, there's the FDIC, etc. etc.

188
00:24:40,140 --> 00:24:47,140
They're all getting to the same thing and the intent is to guarantee the CIA triad confidentiality integrity and availability of your data and your customers right.

189
00:24:48,140 --> 00:24:50,140
So the whole point of everything is based on that.

190
00:24:51,140 --> 00:24:56,140
And so it doesn't really matter which one of those compliance is you're under they're all getting to the same things.

191
00:24:57,140 --> 00:25:00,140
And so a lot of times the tools and the reasoning and the methodology is the same.

192
00:25:00,140 --> 00:25:10,140
Yeah I'd say probably the major difference, it would mainly be which applications are even allowed right.

193
00:25:11,140 --> 00:25:20,140
So we know that as you remove local admin permissions you're still going to need some type of elevated access to run driver updates or you know new printers and stuff like that.

194
00:25:20,140 --> 00:25:30,140
So that is widely consistent.

195
00:25:31,140 --> 00:25:39,140
It's just like Todd mentioned who's regulating you and then for those that aren't regulated we still say find one that fits.

196
00:25:40,140 --> 00:25:43,140
So whether or not it's like the NIST cybersecurity framework.

197
00:25:43,140 --> 00:25:54,140
There's a ton of ones out there that you can follow but you know NIST cybersecurity framework says maybe a decent one to at least start on because it's fairly easy to understand as well.

198
00:25:54,140 --> 00:26:16,140
But if you don't have something you should still be pushing towards the same security standards as everyone else because a lot of these organizations are saying or you know regulations and sorry not maybe not regulations but standards that are coming out are saying do you hold your vendors to the same standards as your own company.

199
00:26:16,140 --> 00:26:28,140
So for example if a bank is working with an organization that doesn't have great security standards you'd be listed as a high risk to the bank and therefore they may not want to do business with you.

200
00:26:28,140 --> 00:26:45,140
So everyone collectively over time is starting to hold each other accountable to these security standards and so we see that with some of the manufacturing right is manufacturing was historically fairly slow to adopt new technology.

201
00:26:45,140 --> 00:27:03,140
That's different with technology and you know IOT all of that is rapidly increasing but you have to have the same security standards because you know your customers you know if you're delivering to someone like a general contractor they want to building still within four months.

202
00:27:04,140 --> 00:27:08,140
If your networks are down you might not be able to deliver on that so they might hold you to the same standard.

203
00:27:08,140 --> 00:27:25,140
Yeah I get one tiny little thing I wanted to add on there because it made me give me an aha that if you are a subcontractor of a bank when they flag the high risk component if you're in a bank you already know this but if anybody else is just listening along.

204
00:27:25,140 --> 00:27:42,140
Banks are required to have an exit strategy for all their vendors, so if you are falling into that high-risk category, just be aware that there is an exit strategy that they're already working on, and it does behoove you to pay attention and make sure that you're crossing your T's and dotting your I's.

205
00:27:42,140 --> 00:28:09,140
I was just going to say, kind of along those lines, in any of our past podcasts we've talked about, you know, MFA and EDR, that multi-layer approach for security, and so in kind of talking today, and we're talking about banks, so if they have MFA, EDR and now PAM, like, summarize that a little bit: that's just another layer of that, you know, approach and ensuring that their landscape is kind of covered.

206
00:28:09,140 --> 00:28:15,140
So I want to kind of know a little bit more about that of just that layered piece.

207
00:28:16,140 --> 00:28:17,140
Hi.

208
00:28:18,140 --> 00:28:23,140
This is going to be me nerding out here, and so for those that aren't on video, I'm going to hold up a book.

209
00:28:24,140 --> 00:28:29,140
Because I love the book and I do this all the time, but I've got a book called The Cyber Defense Matrix.

210
00:28:29,140 --> 00:28:42,140
So this is a great book if you're ever trying to figure out if your tools are overlapped, or, you know, why on earth should I throw another security tool into my security stack, right, and so it.

211
00:28:43,140 --> 00:28:48,140
I talked already about the NIST cybersecurity framework, so there's a couple pillars of it.

212
00:28:49,140 --> 00:28:54,140
It's in a revision, so you might see an update soon on that, but the first two stages of it are:

213
00:28:54,140 --> 00:29:15,140
Identify what you have, right, and then the next one is protect what you have. So you can't protect what you don't know that you already have, and then the goal is to really focus on protecting the assets, because the next stage is detect, so that's post security incident, right, so all of, sorry, not all but most of the effort should be

214
00:29:15,140 --> 00:29:23,140
heavily, heavily focused on identifying the resources and data that you have and how to protect it.

215
00:29:24,140 --> 00:29:34,140
There, and then there are different categories, so for example: how do we protect our devices, how do we protect the data, how do we protect the network traffic, how do we protect our user accounts.

216
00:29:35,140 --> 00:29:42,140
Multi-factor might only protect the user accounts; it doesn't necessarily do anything for network traffic or the applications that are running in the environment.

217
00:29:42,140 --> 00:29:52,140
We have things like EDR or MDR, XDR, whatever acronyms you want, you can go back and listen to all the acronyms on the previous podcast there, but

218
00:29:52,140 --> 00:30:11,140
those are protecting more the devices and some of the applications, where we start getting into the PAM is protecting elevated sessions, protecting the applications that are installed on the devices before you have to rely on your EDR, because again that's already post security incident, so.

219
00:30:11,140 --> 00:30:23,140
That's my deep dive, but Cyber Defense Matrix, I've read this book many, many times, and not sponsored, but I should maybe seek out a sponsorship, so, and you can find it on Amazon.

220
00:30:24,140 --> 00:30:26,140
Anywhere that books are sold near you.

221
00:30:26,140 --> 00:30:40,140
Yeah, to answer your question, unfortunately it isn't as simple as "if I do these three things I'm good to go" when it comes to banks, and banks know this, which actually leads to a really good kind of segue, if you will, to another potential question of how do you keep up on all this.

222
00:30:41,140 --> 00:30:53,140
There are plenty of people out there, this podcast, it's a great resource obviously in our opinion because, hey, it's us, but, we did, the answer is obviously that that just is not enough, there's so many components of cyber security unfortunately.

223
00:30:53,140 --> 00:31:05,140
But Nate nailed it, right, I mean that was a great overview, it's not as simple as I put in a tool and I'm good to go, it's I gotta protect the users by training them, I gotta talk to my customers and make sure that they are aware that

224
00:31:05,140 --> 00:31:22,140
I'm never going to just send them a note that says I changed your ACH account, and that stuff, it's really in depth and there's all kinds of it, reality is fraudsters are incredibly clever and they're going to do everything they can to get your money.

225
00:31:22,140 --> 00:31:40,140
For sure, so I mean, I kind of thought in my head, oh, if we could, you know, kind of order these in what's most important, but, across the board, they're working together and it's so important to have all of these pieces together.

226
00:31:40,140 --> 00:31:51,140
If you had, just for a future podcast idea, if you had to add another piece, so we got the MFA, we got the EDR and now we're talking about PAM.

227
00:31:52,140 --> 00:31:59,140
What's kind of the next alphabet piece? Yeah, it depends, it depends, it depends.

228
00:31:59,140 --> 00:32:17,140
Unfortunately I would say it does depend, because everybody's in a different space, and I mean everybody, there is not one bank that I've said you are exactly like this other bank, so everybody is in their own space and they're at their own portion of the journey, and so everybody's in a different spot, but, you know, same as way up there.

229
00:32:17,140 --> 00:32:31,140
I may throw in some other acronyms too, so yeah, I don't have my acronym dictionary up, let me see if I can pull it up real quick.

230
00:32:31,140 --> 00:32:46,140
I don't know what's next year, but my answer for that one is probably: great, you got multi-factor, you got EDR, you got PAM, there's still a lot of fundamentals where if you don't have it,

231
00:32:46,140 --> 00:33:01,140
you have to tackle the fundamentals first, because that is the stuff that's the most easily exploited, so I could start talking about backups and, you know, everything like that. If I was to look a little more at what the future looks like, it's going to be,

232
00:33:01,140 --> 00:33:14,140
and I'm not going to, I hate this term at times, but the zero trust model, right, and trying to remove the trust that's built from, you know, maybe it's branch to branch, right, so maybe you have a

233
00:33:15,140 --> 00:33:18,140
Minneapolis office and you have a Chicago office, or, you know, that stuff.

234
00:33:19,140 --> 00:33:25,140
Oftentimes banks start putting VPNs between the two so their software can interact with each other.

235
00:33:25,140 --> 00:33:33,140
I don't love that approach, right, if one branch gets compromised you can move over to the next one, compromise that one and just further the attack there, so.

236
00:33:34,140 --> 00:33:46,140
One of the things that CIT has placed a very, very heavy focus on, even here at our organization, and this is where the acronym comes in, is SASE. This is a phenomenal thing that's been coming out for the last,

237
00:33:46,140 --> 00:33:54,140
I mean it's been out for a long time, maybe 10 years, but really starting to gain traction in the last two or three, and

238
00:33:56,140 --> 00:34:13,140
this is bringing a zero trust approach to all the web traffic that you have, the interconnections between your sites, how are the sites connecting to your critical data, right, and it's not just a simple VPN tunnel, it can check, do I have each other,

239
00:34:13,140 --> 00:34:22,140
is that user authorized, you know, are they maybe paired with some type of certificate for additional trust.

240
00:34:23,140 --> 00:34:24,140
That would be the future.

241
00:34:25,140 --> 00:34:27,140
A lot of places aren't there yet.

242
00:34:28,140 --> 00:34:30,140
Today, start with the blocking and tackling of the basics.

243
00:34:31,140 --> 00:34:32,140
Love it.

244
00:34:33,140 --> 00:34:39,140
Love it, basics, fundamentals, most important things, a web we used together, and.

245
00:34:39,140 --> 00:35:01,140
If you have questions or you want to talk to somebody about PAM or EDR or MFA, I'll make sure all of our podcasts are linked in this description, but definitely reach out to us at info at CIT dash net dot com or head out to our website at CIT dash net dot com slash podcast.

246
00:35:01,140 --> 00:35:10,140
Thank you, Todd and Nate, for joining us today, and we'll be back next week with an all new episode.

