Expedient: The Podcast

In Providing Resilience: How PacketWatch and Expedient Transform Incident Response, AJ Kuftic from Expedient hosts cybersecurity veteran Jeff Lennon of PacketWatch to tackle the complexities of modern incident response. With over 25 years in tech and deep experience in cybersecurity, Jeff brings valuable insights into how PacketWatch, an MDR provider partnered with CrowdStrike, elevates threat detection and response through advanced tools like full packet capture (FPC) and constant threat hunting.

They delve into the essential steps of incident response, beginning with rapid identification, classification, and containment of threats. Jeff explains common cyberattack types, including ransomware, business email compromise (BEC), and zero-day vulnerabilities, each demanding unique approaches. The duo emphasizes the necessity of proactive preparation, such as tabletop drills, to ensure companies can respond quickly and effectively when a breach happens. Jeff further illustrates the vital integration of disaster recovery with incident response, noting that simply restoring from backups can reintroduce threats if attack origins aren’t thoroughly isolated.

A key takeaway from the conversation is the need for resilient systems that enable businesses to "respond, recover, and rebuild." This episode is packed with insights for IT leaders seeking to enhance their incident response and disaster recovery strategies, empowering them to not just react but build resilience against evolving cyber threats.

Creators & Guests

Host
AJ Kuftic
AJ Kuftic is Principal Product Strategist for Expedient. AJ has over 15 years of experience as a customer and partner helping end users build solutions that are sustainable and easy to manage. Having knowledge across various silos of IT infrastructure gives AJ a unique perspective of the pain points and what customers are looking to improve. When AJ isn’t thinking about the next big thing, he spends his time with his wife and 2 children trying to bake the perfect loaf of bread.
Guest
Jeff Lennon
Driving Sales Excellence via Partnerships | Sales & Channel Leader | Management Coach

What is Expedient: The Podcast?

"Expedient: The Podcast" is your gateway to the inner workings of technology and innovation, presented with unparalleled clarity and expertise. Each episode is an invitation to join the luminaries of Expedient along with special guests from the forefront of the tech industry. We delve into the latest advancements in cloud computing, the evolution of data centers, cybersecurity trends, and groundbreaking developments in AI and machine learning. This podcast strips away the complexity of the technology landscape, offering listeners an exclusive look at the real stories of challenge and triumph, innovation and leadership, that are driving our digital future.

But we don't just stop at presenting groundbreaking ideas; "Expedient: The Podcast" is about building a community. It's for the IT professionals charting their course through the ever-changing cloud environment, and for the tech aficionados keen on decoding the future of digital infrastructure. Our episodes provide the essential insights and perspectives to keep you at the forefront of a world in constant transformation.

Tune in to "Expedient: The Podcast" for a deep dive into the technologies and ideas propelling us towards tomorrow. Experience the journey through the eyes and voices of those shaping our technological landscape, all presented with the authenticity, insight, and forward-thinking Expedient is celebrated for. This is not just a podcast; it's your insider's look into the technologies transforming our lives.

00:00:00:14 - 00:00:20:18
AJ Kuftic
Hello everyone. I want to welcome you all to this week's webinar today. We're going to talk a lot about ransomware incident response and what we're doing with our friends over at PacketWatch. And with that, I want to introduce Jeff Lennon. Jeff is from PacketWatch. Jeff, tell the audience a little bit about yourself.

00:00:20:21 - 00:00:45:10
Jeff Lennon
Yeah. Thanks, AJ. Yeah. So, Jeff Lennon, basically been in technology for a little over 25 plus years, spent the last eight years, almost nine now, in cybersecurity. Spent some time at FireEye Mandiant. And my most recent role here at PacketWatch is I oversee all sales, channel alliances and revenue operations, and also managing our partners, aka yourself.

00:00:45:12 - 00:00:47:08
Jeff Lennon
So thanks for having me on.

00:00:47:11 - 00:00:55:25
AJ Kuftic
Awesome. Thank you for joining us. Can you tell us a little bit about what PacketWatch does and kind of how they fit into the cybersecurity space?

00:00:55:27 - 00:01:20:19
Jeff Lennon
Yeah, absolutely. So PacketWatch is primarily an MDR provider. We have a proprietary solution that we leverage as a threat hunting tool. We've been partnered with CrowdStrike going back to 2018. And basically our big partnership with them is around incident response. That's really kind of how we grew out into the business. So getting into incident response, which we'll talk a little bit more about.

00:01:20:21 - 00:01:40:25
Jeff Lennon
That's, you know, when an organization has an event or situation where they believe they have been either compromised or breached, our team will come in and actually provide the incident response, and actually help them to identify things, qualify them, and basically take control of the situation so that we can remediate any challenges that might have taken place.

00:01:40:27 - 00:01:59:03
Jeff Lennon
And in doing so, the PacketWatch MDR tool was developed as a threat hunting tool that, in conjunction with our partnership with CrowdStrike, allows us to go in at a much faster velocity than most, to actually get through or meet and remediate the issues and challenges much faster.

00:01:59:05 - 00:02:21:03
AJ Kuftic
That's really, really great. And there's a reason why we've, you know, worked with PacketWatch and why PacketWatch works with us. So I'm going to jump in. I'm going to kind of talk through, you know, some things around incident response. But if you, as a person in the audience, have a question, up there in the top right corner, somewhere up there, is a QR code; you can scan that and submit questions.

00:02:21:05 - 00:02:35:14
AJ Kuftic
Jeff and I will go through some things, but then we'll answer your questions at the end. So, Jeff, you mentioned incident response and what PacketWatch does. What does that mean? What is incident response? Let's just start with the super duper basics and kind of go from there.

00:02:35:16 - 00:03:07:06
Jeff Lennon
Yeah. So, well, there's two aspects to it. So incident response, basically, an incident response is a structured approach to helping organizations address an incident or a compromised situation. So once something has been identified, there needs to be a process that is kicked off so that they can then figure out what exactly happened. So whether it's, you know, somebody clicking on an email or an issue with something not being configured properly, and once they've determined that something has happened, they would reach out.

00:03:07:07 - 00:03:30:07
Jeff Lennon
So the incident again, is where we would come in. And that whole structured process, there's a whole, process behind that and methodology, to help identify, qualify and then, you know, give the organization the ability to move rapidly. You know, I, I kind of compare it to, you know, when, when you were in school and you would have your fire drills or the emergency drill when you were in school.

00:03:30:14 - 00:03:51:11
Jeff Lennon
The whole point was, you know, being able to understand, you know, what's supposed to happen in an emergency. Where are you supposed to go? Who's responsible for what? We do the same thing from cyber attack perspective, right? So that we can basically get in, identify those things so that we can keep the business running. Because a lot of times, you know, certain situations will cause a hiccup.

00:03:51:11 - 00:04:08:01
Jeff Lennon
So to speak, in the business, and having an incident response plan, and, you know, basically giving the organization the time and the resources to go and take care of that while they still kind of run their business, because things don't stop. So hopefully that kind of gives you, you know, a better explanation.

00:04:08:08 - 00:04:23:10
AJ Kuftic
Yeah. And it's interesting because when, in the IT space, we would mostly just discuss it in terms of a disaster recovery plan. Right. This is what we do to get back up and running. But it's kind of more encompassing than that.

00:04:23:12 - 00:04:47:01
Jeff Lennon
Yeah. I mean, typically, a disaster recovery, business continuity. And this is why, you know, you kind of see it starting to blend or merge together. Right. So you have your disaster recovery, which is really about the restoration. Right. The restoring of your operations, whether it be from some type of, you know, natural disaster, which we've had quite a few recently, where, you know, you may lose your data center.

00:04:47:01 - 00:05:08:23
Jeff Lennon
So having a disaster recovery, business continuity plan is really important. What we do with PacketWatch, right, it's about actually going that extra step and having the proactive measures that will allow you. Because if there is an incident, that could also be somewhat of a disaster. So having that in place allows you to drive the mitigation, the recovery operations.

00:05:08:23 - 00:05:19:11
Jeff Lennon
Right. And the whole goal here is to get the organization up and running as quickly as possible, regardless if it's a natural disaster or if it's a threat actor or something that is taking place.

00:05:19:14 - 00:05:45:14
AJ Kuftic
So in that sort of response, there's things that come into play beyond just we need to hit the button to start bringing things back up and running. You know, what role does the incident identification and classification play in responding to those attacks? Because it's not just, hey, things have gone very wrong, but like what type of attack or what type of problem you're having. How does that play into the response?

00:05:45:17 - 00:06:08:17
Jeff Lennon
Yeah. So, you know, I'll kind of list out, I think there's, you could probably say there's like the top five, what I'll call real world scenarios of attacks. Right. You have, and everybody has heard of these, right? First one being ransomware. So if you've got a ransomware situation, basically that just obviously means something has happened, a computer has been taken over.

00:06:08:20 - 00:06:31:22
Jeff Lennon
Depending on the size and scope, it can actually be incredibly devastating to an organization because it'll actually be like a stack of dominoes falling. So once the first, you know, device is ransomwared, there's usually, like I said, a domino that will actually take out other devices. And again, I'll kind of state something that's more my opinion from what I've seen.

00:06:31:24 - 00:06:59:10
Jeff Lennon
The challenge with ransomware is if there is a ransomware attack, you've already been compromised. Ransomware is typically, and again, it's not a hard and fast rule, but typically ransomware means that the threat actors have done what they needed to do. They took what they wanted to take, and now they're trying to cover their tracks. And by doing so, by, you know, basically deploying the ransomware, they can then go and encrypt everything and then hold everything for ransom, hence the term.

00:06:59:12 - 00:07:18:13
Jeff Lennon
Some of the other ones are business email compromise, which has, you know, really been on the rise more than it has. You know, so first of all, email is one of the number one threat vectors. But business email compromise, what they call BEC, is probably the number one that will also drive a ransomware.

00:07:18:16 - 00:07:40:11
Jeff Lennon
And I also believe, just looking at the numbers between the, you know, AI and the social engineering that's taking place right now, they have proliferated and have maintained a constant rate to be the number one threat vector. Then you have your insider threats, you've got what they call a DDoS attack, which is a distributed denial of service.

00:07:40:14 - 00:08:00:27
Jeff Lennon
And that's usually a cybercrime. That's where somebody is trying to overwhelm your systems. You know, whether it's the network, your website, they're trying to shut things down. So that usually tells you that somebody is purposely targeting you. And then the other one, which ironically AJ had a post about the other day, zero day, and zero days are really hard.

00:08:01:03 - 00:08:25:28
Jeff Lennon
Hence the term zero day means that the vendor has had zero days to prepare a fix. It is a brand new vulnerability that has been found. And usually there's a lot of scrambling. A lot of times, if it's found through partnerships, they'll notify a vendor and give them kind of a heads up so that they can start building something, so that a threat actor is not actually leveraging it in the wild, as we like to say.

00:08:26:01 - 00:08:33:26
Jeff Lennon
But they're really the top five. So it would be ransomware, BEC, insider threat, DDoS and zero days. That was a lot to unpack.

00:08:34:00 - 00:09:02:03
AJ Kuftic
Yeah. And I think the other part of that is one of the things we've seen recently with ransomware, and you mentioned it very briefly, is that the ransomware is used to cover the tracks. It is a later function. We've seen a lot of cases recently where it wasn't just that they encrypted and they said, give me money, because of, you know, things like our disaster recovery and data recovery capabilities with our backup and data protection platforms.

00:09:02:09 - 00:09:26:25
AJ Kuftic
People have got better at those things to the point where, you know, attackers aren't getting paid anymore, so they have to switch to other tactics. And one of the things they switch to is: we've stolen the data. We will release this data if you do not give us money. And we've seen it from everywhere, from things as innocuous as, recently, the company Game Freak, the company behind Pokémon.

00:09:26:28 - 00:09:56:22
AJ Kuftic
They were breached and all of their data was leaked out. Here's their sequels to Detective Pikachu. A real thing, a sentence I'm saying on a professional webinar in the year of our Lord 2024. The details of that movie were leaked. But also we've seen things like health care organizations, they get breached, and things like images of patients in very vulnerable states who are trying to get the medical care they need being leaked, which is really gross.

00:09:56:24 - 00:10:10:08
AJ Kuftic
That's the sort of shift that we're seeing in terms of these sorts of attacks. So let's say an incident has happened. What are those initial steps that someone should be taking to respond to that event?

00:10:10:10 - 00:10:37:06
Jeff Lennon
Wow. Yeah, that's, well, first of all, it's a very kind of large, complex question, right? Because it's going to vary depending on the size and configuration of an organization. You know, I will say the first thing is preparation, right? Being prepared, having a plan. Right. As I mentioned about, you know, having an incident response plan, you know, one of the things that we do, and I'll digress for a second, I mean, we do a lot of what we call tabletop exercises.

00:10:37:06 - 00:10:56:26
Jeff Lennon
And what that is, is that's almost like a dry run, like we're doing kind of a fire drill, so to speak, of, hey, you have a business email compromise. What do we do? Who does what? Right. And it's about understanding what the processes are, what the procedures are within the organization. Who's responsible for what, how things are configured.

00:10:56:29 - 00:11:18:02
Jeff Lennon
You know, one of the big challenges, and I'm probably going back even, you know, further than, you know, starting at FireEye, but network segmentation is a big challenge. And if you don't have proper segmentation and proper controls, it gives the threat actor the ability to move laterally very quickly. So I would say, you know, for me, for us.

00:11:18:02 - 00:11:39:29
Jeff Lennon
Right. It's about having that plan, right. Understanding who does what, how they're supposed, you know, how we're supposed to respond when there is a situation. You know, coming back to the first part when you're talking about, you know, an actual breach or an incident, you know, one of the things that has to happen very quickly is we have to drive to what we call containment, or at least, you know, getting control and containment.

00:11:39:29 - 00:11:59:04
Jeff Lennon
Right? There's a whole process and methodology around that. And part of it is to make sure that we're somewhat secure. And within that same vein, we're also trying to figure out, you know, basically where did they get in, how did they get in, and where have they gone and what have they done. Because we got to figure out if somebody has moved laterally within the organization.

00:11:59:04 - 00:12:18:17
Jeff Lennon
Right. So even if they came in at point A, you're trying to basically look and do forensic, you know, investigations to figure out where they have moved within the organization, or was it just germane to that site or that device, those types of things. Right. It comes back to what are the controls that are in place.

00:12:18:19 - 00:12:41:24
Jeff Lennon
You know, you and I have talked about this in the past. I mean, you know, big fan of NIST, right? Which lays out a framework for helping organizations build out the process and map to the NIST procedures. And I, you know, I know a handful of people were really excited when 2.0 came out because they include the governance, right.

00:12:41:24 - 00:13:03:07
Jeff Lennon
Having the governance, the policies to actually manage what you're doing, I think is critical. And we do a lot of things around that. So kind of coming back, let me, I just want to make sure I answer the question. It does come back to, you know, having a framework of policies and procedures that you're going to follow and making sure that the team knows who does what.

00:13:03:09 - 00:13:24:03
Jeff Lennon
So when a situation does happen, right. And this goes like this, it's almost like an accordion because you have the teams that are going to go looking for things, but you also have to start communicating to your executives, right? You have to make sure that there is a clear line of communication and that you have the executive, kind of sponsorship, so to speak, so that they know what's going on.

00:13:24:05 - 00:13:58:18
Jeff Lennon
And when you come into a situation, and maybe I'm sharing too much, I, you know, but when you get into that situation, and we're actually looking at, you know, an event or an incident, once there's what we'll call exfiltration identified, everything starts to shift, right? It becomes a much, you know, not that it wasn't serious, but it takes on a whole different set of paradigms: the communication, and both cyber insurance and legal are involved, you know, cyber insurance can be involved at different stages.

00:13:58:20 - 00:14:19:06
Jeff Lennon
But once the actual transition, I mean, you definitely need to get legal involved, because now you have to basically deal with 50 states, 50 different cyber regulations and policies at the minimum. Which could be a whole nother conversation we could have, but you've got to figure out where was the data when it was taken, who are the people that it was taken from?

00:14:19:06 - 00:14:27:02
Jeff Lennon
Because then we have to go down a different, a whole separate path. And then there's a whole cyber legal process that has to be vetted out.

00:14:27:04 - 00:14:54:05
AJ Kuftic
And I think the big thing there is incident response, as we kind of talked about earlier, there's a crisis response here. And you're right, the difference between a ransomware where everything's encrypted and it's basically just we need to get the business back up and running, to there's now been data stolen. So now you need to communicate, figure out what was stolen and how to communicate that to your end users to say, hey, they got usernames.

00:14:54:05 - 00:15:19:17
AJ Kuftic
They got, you know, email addresses, they didn't get passwords, they didn't get payment data, or maybe they did. And those sorts of pieces of data become things that your customers have to go change their passwords for. So we're going to force a reset on everyone's passwords. You're going to end up on Have I Been Pwned. All these sorts of, you know, pieces to the puzzle that change based on those different types of attacks.

00:15:19:19 - 00:15:29:27
AJ Kuftic
So when we start to talk about that, you know, what data has been exfiltrated, how do you determine the extent of a breach? Like, what does that even look like?

00:15:30:00 - 00:16:00:29
Jeff Lennon
Wow. Well, it really comes down to the forensic process, right? On what devices, and what you're looking for is what I call exfiltration. Right. Has data actually left the organization? And, you know, having seen this from, you know, basically, I don't want to call it basic, but, you know, cyber criminals doing things, all the way to, you know, we had a recent event, incident with a client where it was a nation state.

00:16:01:01 - 00:16:22:03
Jeff Lennon
And it was very sophisticated. And there's, you know, things that start to give their TTPs, right? Tools, tactics and processes that start to point to say, okay, we think it was this threat actor because they did these three, four or five things. And then this is what happened after they got in.

00:16:22:03 - 00:16:39:17
Jeff Lennon
And they also tried to cover their tracks. Right. They also started doing some things that show you that they were not just, you know, somebody coming in to steal data from a cyber perspective. They were coming in and they were really trying to be innocuous and invisible to the organization.

00:16:39:19 - 00:16:59:18
Jeff Lennon
So when you start thinking about the type of data, you know, this comes back to the whole, you know, planning piece, right? And there's a lot of tremendous vendors. It's not something that we do, but obviously, you know, protecting an organization, you know, we don't do the email piece, but we can see that traffic, you know, what we do is we look at the network.

00:16:59:21 - 00:17:19:06
Jeff Lennon
So, and then working with other EDR vendors. Right. We're also looking at the edge. And what you're trying to determine is, you know, where did they go and what did they do and what potential data could they have gotten. And, you know, I would just, and again, it's partially my opinion, not so much a PacketWatch one, but I always make the assumption of the worst.

00:17:19:06 - 00:17:38:20
Jeff Lennon
Like if you know that they were active on x, y, z device, then you've got to start to make the assumption that if there was an exfiltration, they may have gotten everything. You know, I was joking with you. I have it over here on the side of my desk. You know, my wife got a letter, and then the next day, I got a letter.

00:17:38:20 - 00:18:03:06
Jeff Lennon
Right? So, you know, we were, whatever, part of that whole medical information breach, you know? And, hey, we're going to give you two years of, you know, we're going to watch your credit report. My mind just went blank. But yeah, we're basically going to do some monitoring for you. And, you know, I kind of chuckled because, you know, back in 2016, I was part of Equifax.

00:18:03:06 - 00:18:22:27
Jeff Lennon
I remember getting that notification, you know, and people are like, well, when I go, it's, the problem is it's becoming more of a common occurrence. And it's not for lack of people trying. I will tell you, you know, it's most organizations who are trying to do the right thing. I think there's a resource issue, again, a whole nother conversation.

00:18:23:00 - 00:18:40:09
Jeff Lennon
So if you can get the right tools and have a plan in place, because, and I'll quote Kevin Mandia, because he was probably the first person I heard saying, it's not a matter of if, it's when. Yeah, right. It's really a matter of when it's going to happen. And I think it's become a reality for a lot of Americans.

00:18:40:09 - 00:18:47:13
Jeff Lennon
Right. I think the last one was, what, 210, 220 million Americans' medical data was compromised.

00:18:47:15 - 00:18:48:07
AJ Kuftic
Yep.

00:18:48:09 - 00:19:22:12
Jeff Lennon
You know, it's kind of, at that point, it's kind of scary, but so there's things you have to do from a personal perspective. But getting back to the business, you know, what we try to do is preach, you know, preparation, planning and being proactive, right. So the more proactive you are about what you're doing in your environment, you know, one of the things that we do at PacketWatch is we, you know, and again we'll kind of tie this back to Expedient, you know, when we work with clients and we've deployed it, you know, the whole point is to be proactive, and proactive doesn't just mean that we're looking to get

00:19:22:12 - 00:19:51:08
Jeff Lennon
a, you know, get a hit on a potential threat. We are, you know, proactively threat hunting on the network every day. We're actually looking at the latest CVEs. I mean, I forgot what the number is right now, but there's probably 30,000 plus, you know, critical vulnerabilities that are out there right now. And being able to manage that, you know, and I won't mention the vendors, there were two very large vendors that announced CVEs last week that were critical.

00:19:51:11 - 00:19:57:06
Jeff Lennon
And they said, basically, if you have our product, you need to go do this, and you need to put this patch on immediately.

00:19:57:07 - 00:20:09:28
AJ Kuftic
I mean, that could be at this point, any vendor would know there's nobody who's perfectly safe. Every single vendor has some sort of vulnerability, and it's a matter of going in and taking care of that thing on it.

00:20:09:28 - 00:20:32:17
Jeff Lennon
And that's just it, right? So it's about being proactive, being vigilant, you know, it's a 24/7/365 kind of thankless job because, you know, people don't want to think about cyber security and they don't want to think about an incident response plan. But yet knowing that you have those things in place can give you the peace of mind, because like I said, it's not a matter of if, it's when.

00:20:32:20 - 00:20:41:06
Jeff Lennon
So being able to be prepared to actually execute on that, right. Nobody wants to have a fire drill in their house. But you know.

00:20:41:08 - 00:20:42:26
AJ Kuftic
Everybody knows where the exits are.

00:20:42:28 - 00:20:47:21
Jeff Lennon
Yeah, exactly. You know, the egresses, so to speak. But yeah. So hopefully that answers your question.

00:20:47:25 - 00:21:05:26
AJ Kuftic
Yeah. I think one of the things that PacketWatch and Expedient have done is, it's not just, you know, hey, we both do things that are semi adjacent to each other; PacketWatch is leveraging our Elastic as a service platform. And I think a lot of that comes back to what you were just talking about, is you're ingesting a lot of data, right.

00:21:05:26 - 00:21:20:04
AJ Kuftic
You're pulling in a lot of pieces and streams, data streams from different places. Kind of, how is PacketWatch leveraging that platform as part of that incident detection and response, you know, portfolio that you have?

00:21:20:06 - 00:21:40:06
Jeff Lennon
Yeah. So, I mean, it's funny, right. And we have kind of talked about this. It's more on the back end. Right. So the whole point is having and leveraging Elastic from a search perspective. And even having it on, you know, the cloud based data. But, you know, a cloud database allows us to do more, faster, right?

00:21:40:06 - 00:22:02:10
Jeff Lennon
Because it's allowing for that flexibility in the elasticity. You know, the PacketWatch product, and again, this isn't a pitch, but, you know, we do FPC, full packet capture. And the reason we do that is the network is the single source of truth. It's where people have to go if they're going to move around, you know, within an environment; you have to be on the network.

00:22:02:12 - 00:22:22:07
Jeff Lennon
So having the full packets allows you to do a level of digital forensics, if there is a situation, that you're not going to get from a log, you're not going to get it from potential metadata. It's actually being able to see exactly what the packet is. So that piece alone, you know, will kind of lend itself to that.

00:22:22:07 - 00:22:34:28
Jeff Lennon
You need to have some elasticity because as things start to ramp up and we're pulling in more data from more sources, I mean, you know, you want to be able to actually do that in a rapid fashion and not miss a beat.

00:22:35:01 - 00:22:56:08
AJ Kuftic
And I think the other piece there is, what you're saying here is PacketWatch watches packets. I think that's kind of what your goal there was. I think the other part of this is you guys are actively hunting threats, not, you know, trying to manage infrastructure. Right. That's kind of the whole point, is that you wanted to be able to focus on those pieces and not on, hey, we got to constantly keep our platforms up to date.

00:22:56:08 - 00:23:15:05
AJ Kuftic
Let's let those people do what they do best, so that we can do what we do best. And I think that's really where these two sides kind of come together. I know that we've discussed, and it's available on PacketWatch's website, you know, kind of these joint solutions. Kind of how does that play into disaster recovery?

00:23:15:05 - 00:23:38:03
AJ Kuftic
Because there is a, I think that's a big deal right now, is that you have all these, you know, all the security tools are there. But that's not the end of the framework, right? It's identify, detect, respond, recover. There's another one in the middle, the discover, that's identify, discover, detect, respond. There's a rhyme in there somewhere.

00:23:38:09 - 00:23:57:12
AJ Kuftic
But when we get into the actual, you know, we've talked a lot about the detection and identification and responding. But that recover piece is usually where most of the security tools kind of fall down. Where does disaster recovery kind of fit into this from a, you know, an ability to get back up and running?

00:23:57:15 - 00:24:32:24
Jeff Lennon
Yeah. So, and I think I kind of mentioned at the beginning. So to me, right, just looking at the model framework of a disaster recovery plan. Right. And having systems. Right. So you kind of have a failover. Right. It's kind of a failsafe. But really integrating, you know, your disaster recovery with your incident response gives you that whole incident response plan that is essential for really having rapid recovery, because where one is, the disaster recovery is really designed for, you know, a catastrophic failure of something, so that you can have a failover and go to a different data center, and you have your backups and all that.

00:24:32:27 - 00:24:53:18
Jeff Lennon
In the instance of an event, right, where you have an incident, it's not exactly that simple, right? So getting in and having an incident response plan tied to your disaster recovery. Case in point, you know, as we go through and we start looking and identifying, you know, where did they get in? What did they do?

00:24:53:20 - 00:25:16:04
Jeff Lennon
How did they move? When? Right. All of a sudden people go, what do you mean? Well, you can have a disaster recovery plan, but if you go, oh, okay, I'm going to go back, I'm just going to restore from two weeks ago. You know, there was a situation where we identified that the threat actor had probably been in since March.

00:25:16:06 - 00:25:34:17
Jeff Lennon
Like, you could just, like, your head kind of explodes, like, holy cow. So. And the reason that's important is, when you're doing your incident response, before you just start running backup and recovery, you know, you need to figure out when. Because if I do a restore, I'm just bringing a threat actor back in again.

00:25:34:21 - 00:26:01:04
Jeff Lennon
Like I'm bringing it back in. One of the, you know, and in a lot of situations, you know, the recommendation is, you're not to just rebuild, like, the server, just rebuild the server. Don't run your, but, you know, you have a backup, you have specific data, we've got to go through and do forensics. But in the meantime, your best bet may be to do this, especially if it's been identified as a fairly long period of time, because now you don't know.

00:26:01:06 - 00:26:35:11
AJ Kuftic
Yeah. And that's definitely something we've seen. We've helped clients get back up and running from a ransomware attack, but we've definitely seen a shift: they don't just come in and immediately encrypt everything. They come in and they sit there for a while because they know retention policies are a thing. Is it, yeah, a month? Is it two months? If they can come in and just sit for three months, they know they're likely not going to be part of any sort of recent, you know, backup profile or backup policy, so they know that they can just get right back in whenever you try to restore.

00:26:35:11 - 00:26:54:29
AJ Kuftic
And I think this is sort of the shift in tactics that we've seen. And I think part of the recovery process needs to be, are you going to a known clean place? If you have both sides of the platform, you've brought in DR and you're managing both, and they have direct connectivity between themselves, your attacker can probably go to the other side too.

00:26:54:29 - 00:27:16:18
AJ Kuftic
Just go sit where you're recovering to. So having a known clean location is also something I think that's really critical. But let's say that incident happens, PacketWatch, or one of them, is able to, you know, figure out that everything is good, everything's clean. What do you do after that? I think everybody kind of gets, like, nervous. It's kind of like, okay, my house has been broken into, now what do I do?

00:27:16:20 - 00:27:24:05
AJ Kuftic
What's sort of the post mortem that comes out of that to help with that going forward?

00:27:24:08 - 00:27:45:22
Jeff Lennon
Well, there's, yeah. Wow. That, again, could be a whole conversation. Right. But kind of keep it simple. You know, there is, first of all, everything's a learning opportunity, I believe. You know, I used to joke with people, right, every situation has two ways to go. It's either a teaching moment or a learning moment.

00:27:45:25 - 00:28:03:29
Jeff Lennon
And post incident, you know, there is a post mortem, right. So at the end, basically there's a report, right. Whether it's us or any other IR vendor, right, they're going to supply a report that just says, hey, this is what we found, this is what we did, you know, and then start to give some recommendations.

00:28:03:29 - 00:28:10:18
Jeff Lennon
Right. Like, you know, you can't leave your RDP open. Right. You know.

00:28:10:21 - 00:28:18:11
AJ Kuftic
You can't? I was told that RDP is a very secure protocol, that I could just leave open to the internet all the time. That's...

00:28:18:13 - 00:28:37:20
Jeff Lennon
Well, you know, we gave, and I hate to use names, so, hey, we gave Bob access. We gave him admin rights, and he's doing stuff, and, you know. But now, I mean, part of it is, it is an educational opportunity, right? So you want to take that post analysis report, and really there's going to be some recommendations, right.

00:28:37:23 - 00:29:03:25
Jeff Lennon
And it's funny, I'll give a plug to a couple of partners without mentioning the names, but, you know, number one, you know, identity, identification of identities, right, and MFA, passwords. And I've seen this not just here, but over my career, post incidents. I would say it's always in the top five, maybe even the top three.

00:29:03:27 - 00:29:26:00
Jeff Lennon
Let's get a password, get a password vault, get a password vendor. Because if left to the devices of just creating, hey, every 72 days you have to change your password, for example, most people, right, you're going to start to create passwords that you can remember. And the next thing you know, you know, you've got a situation where you're using the same password in multiple places.

00:29:26:00 - 00:29:28:09
Jeff Lennon
And that's another recipe for disaster.

00:29:28:09 - 00:29:34:17
AJ Kuftic
But, I know that came up. NIST actually came out and said, don't do that anymore. Stop rotating passwords. It's not worth it.

00:29:34:19 - 00:30:05:13
Jeff Lennon
Yeah, yeah. And that was this recent escalation, actually. Because it's, you know, and again, we get into the whole best practices piece, but to me it is about, you know, taking that and learning from it. You know, the challenge is, you know, time. You know, I tell everybody it's time, technology, and, you know, people. Those three things are, you know, you have to figure out how you're going to deal with that post event, and, you know, changes have to be made in some respects.

00:30:05:13 - 00:30:40:04
Jeff Lennon
And there, I've watched organizations and I've talked with people where it's like they just let things go. The incident happens, all of a sudden, you know, and again, budget magically appears to do X because, you know, now they have to. But I really do come back to the education and then getting involved with organizations. You know, we also recommend, you know, as a follow up, kind of doing, you know, whether it's a security assessment, because a lot of times when you have an incident, you know, you're coming in and you're dealing with the specifics of the incident.

00:30:40:04 - 00:31:01:15
Jeff Lennon
I mean, you can see everything, but you're going to focus on exactly what happened, right? Ground zero, where did it go? And you're addressing all those things because you're trying to rectify it to get the business back up and running. It's often a good opportunity to take a step back and just evaluate the inventory of what you have, the systems that you have.

00:31:01:15 - 00:31:20:06
Jeff Lennon
Right, getting into, you know, what was your IR plan? How did that go? How did you guys execute on that? Did it go the way you thought it was going to go? You know, this comes back to a big thing of mine that I kind of stole from somebody else a couple of years ago, which is cyber resilience, which you're hearing more and more about.

00:31:20:08 - 00:31:38:24
Jeff Lennon
And it's that ability to be resilient. So even after something happens, how did you respond? What can we do better, and how do we take that, right? So identifying the areas of improvement, identifying the areas that are weak, you know, what processes do we need to put in place, you know, so that things like this don't happen again?

00:31:38:24 - 00:32:02:28
Jeff Lennon
We can respond quicker. It is, you know, and I'll kind of share, I mean, just having sat in on a number of these, it's a bit emotional. You know, the example I give to people who aren't familiar with it, or maybe not even in the industry, is if you've ever had your car broken into or, God forbid, your house.

00:32:03:00 - 00:32:22:17
Jeff Lennon
You know, it's not so much about what they took. It's that feeling of being violated. I mean, it is such a core response. But, you know, it's uncomfortable, you know, at the end of the day. But, you know, and I will say, you know, our goal, right, is to help businesses refine their incident response,

00:32:22:17 - 00:32:35:06
Jeff Lennon
that is, incident response and business continuity, you know, strategies, and help ensure that they're prepared if something does happen. Right. That's really our goal.

00:32:35:08 - 00:32:54:25
AJ Kuftic
And I think, I mean, that sums it up amazingly. Jeff, this has been amazing. For any of you who have, honestly, if any of you have questions, please scan the QR code and ask your question. We did have one pre-event question that we can bring up here, which was pretty straightforward.

00:32:54:25 - 00:33:15:16
AJ Kuftic
Can I purchase a full bundle solution including PacketWatch and Expedient? We are working on ways to build out methods to do things together, but we absolutely do work together. If you want to figure out how Expedient and PacketWatch together can help you, please reach out to me or reach out to Jeff, and we can come up,

00:33:15:16 - 00:33:35:20
AJ Kuftic
we can work with you on what a solution would look like, because I do believe that incident response plus security tooling plus recovery capabilities are going to be much more beneficial for you in the long term, and including what PacketWatch does to help you understand what to do in the event of that incident, I think, is key.

00:33:35:20 - 00:33:46:12
AJ Kuftic
And Jeff, I don't know if you wanted to add anything there, but I think this is something that, combining our powers, is something that is really, really beneficial to a lot of organizations.

00:33:46:15 - 00:34:09:27
Jeff Lennon
No, I mean, I think you kind of summed it up. I mean, you know, and again, not to make it a pitch or anything, it's just, you know, if you have questions, you know, obviously we're here to provide information, right, and help guide and give direction. But if you haven't looked at it, thought about it, or have thought about it but are not sure where to start, you know, it's merely just a conversation, right?

00:34:09:27 - 00:34:33:10
Jeff Lennon
And figuring out, you know, you need to have a plan. And if you're using some type of disaster recovery or, you know, business continuity today and you don't have any type of incident response, you know, that's where we come out with a retainer, right? So the retainer is basically that policy that's going to allow you to move very rapidly.

00:34:33:12 - 00:34:43:28
Jeff Lennon
And again, we'll kind of help guide you through that process. But it's really just, you know, be prepared. Be prepared, you know, like, be prepared for the worst to happen and hope that it doesn't.

00:34:44:01 - 00:35:07:22
AJ Kuftic
I mean, that's kind of where we can end it. Right there is, you know, be prepared. And if you want to get help on being more prepared, come speak with me at Expedient or speak with Jeff at PacketWatch. And with that, we will wrap it up for today. I want to thank Jeff for coming on and really providing a ton of really great information around the way security incidents happen and how to respond to them.

00:35:07:24 - 00:35:09:03
AJ Kuftic
Jeff, thanks for your time.

00:35:09:06 - 00:35:11:15
Jeff Lennon
Yeah, thank you, man. I appreciate it. Okay.

00:35:11:17 - 00:35:35:18
AJ Kuftic
And because we talked a lot about recovery today, join us next month. We're going to talk about the state of disaster recovery. There's been a lot of changes over the last couple of years, and we're going to talk through the way that disaster recovery has really morphed into a new space, and how a lot of the changes we've seen across the industry are playing into disaster recovery.

00:35:35:22 - 00:35:54:13
AJ Kuftic
So be sure to join us next month. With that, I will wrap up for today. If you do have any questions, there's going to be a QR code here on the screen afterwards where you can ask us questions and potentially set up some additional discussions around this and more. So with that, I will leave you today.

00:35:54:19 - 00:35:56:15
AJ Kuftic
Thanks. And we'll see you next month.

00:35:56:18 - 00:35:57:23
Jeff Lennon
Thanks, man. Thank you.