Podcast audio-only versions of weekly webcasts from Black Hills Information Security
Hello, everybody. Welcome to today's Black Hills Information Security webcast. My name is Jason Blanchard. I'm content community director here at Black Hills Information Security. Thank you so much for joining us today.
Jason Blanchard: If you ever need to hire us for a pentest, red team, threat hunt, SOC services, or continuous pentesting, you know where to find us. Today, Ashley is gonna talk about a data loss protection survival guide. So how this came up is that I always ask the testers, what do you wanna talk about? And so Ashley said, there's a need for this. We had clients talk about this, and I wanna talk about that.
Jason Blanchard:And so she's gonna give a little more context to that as she gets started. But Ashley is a fantastic presenter. She's a great educator, and she's a wonderful tester, and she's worked in the SOC. She's been throughout all of the things that Black Hills offers, and so she has a wealth of knowledge that she is here to share today. So thank you so much for joining us.
Jason Blanchard:If this is your first time, thank you so much. Come back in the future if this is your hundredth time. Thank you so much for keep coming back. I'm gonna head backstage. Ashley, it's all yours.
Jason Blanchard:If there's questions, we might pop back in, but for the most part, we'll wait till the end to do q and a. Ready, Ashley? Perfect. Yes. Alright.
Jason Blanchard:I'll see you in a little bit.
Ashley Knowles: Okay. Bye. Alright, guys. Here, we're gonna talk about data loss protection, data loss prevention, you know, both of those things. It felt like he was about to say data loss prevention, and then he corrected himself correctly.
Ashley Knowles: But yeah. So we're here to talk about DLP. Basically, you know, like they had said, I had a customer come to me a couple months ago, and they were like, you know, one of the biggest questions actually, back up. One of the biggest questions that I ask my customers during a rules of engagement call is, what keeps you awake at night? What are you worried about?
Ashley Knowles:And they were like, you know, Ashley, DLP. DLP terrifies me. And I was like, okay. Let's talk about this. And so what we were able to do during that engagement is we were able to kind of beat that topic a little bit more during the test because it was something that terrified them.
Ashley Knowles: And the best way to, you know, reassure someone or to reassure yourself is to educate. And so that is kind of where this was born. And then I had a family friend who basically went through a DLP issue at their company. What happened is a former employee accessed data that wasn't supposed to be accessed. And, thankfully, they discovered it and were able to do something about it.
Ashley Knowles:But those are two completely different scenarios where DLP became very important. So today, we're gonna talk about DLP. We're gonna talk about, you know, why you shouldn't be scared of it, how to educate yourself about it, you know, the basics of DLP. I am not a DLP expert, but I have googled until my heart's content, educated myself, talked to some really knowledgeable people. And I think that I've come to a really good collection of information about DLP.
Ashley Knowles:So anyway, cute little meme here. Sorry about the quality. It's potato kinda like me. But there you go. So about me.
Ashley Knowles:My name is Ashley Knowles. Hi. Welcome. I have about thirteen years in cyber. I'm a little bit over that now and fifteen years in IT.
Ashley Knowles:I quite love cheese. Favorite kind of cheese is probably Havarti. I like collecting board games. My kids and I play board games all the time. I am an unwillingly educated person about AI.
Ashley Knowles: Unwilling because you kinda have to be in this day and age. So let's get started. Why DLP shouldn't terrify you too much? And if you're terrified of it, you're not alone. Let's talk about it.
Ashley Knowles: It can be manageable if you know what you're doing. Right? You want to build incrementally on your DLP protections. We're gonna talk a little bit more, like, about layers and the layers of DLP, the layers of DLP protections that you can put in place to help protect your organization and your users from, you know, either an inadvertent data loss or, you know, an actual threat actor in your environment latching on to data and trying to exfil it. Like I said, knowledge is power.
Ashley Knowles: Understanding the threats and attack vectors will really help you defend your systems and prioritize your security investments wisely. And I hope that everyone here today is able to walk away with actionable guidance on how to build a DLP program if you don't have one already or enhance the DLP program that you have already. In my research, I saw that recent figures reveal that 77% of organizations experienced insider-related data loss in the past eighteen months. And so traditional DLP tools are designed to prevent regulated data loss, such as, like, Social Security numbers, credit cards, medical records, etcetera, from leaving an organization.
Ashley Knowles: And typically during pen tests, the testers are gonna test for those things. And I would say that the majority of the time, I have never seen an organization that can prevent that type of DLP loss, you know, whether it be via email or uploading to something like Pastebin or exfiltrating via, like, a C2. So those are gonna be kind of the topics we'll touch on. But a lot of times, the DLP solutions that you're gonna be sold are largely perimeter focused and compliance driven. So, like, scanning structured data on premises because external threats were primarily viewed as the main priority, right, to the organization.
Ashley Knowles:So that's pretty much what I've seen DLP solutions kind of touch on. And so in today's reality, you know, that's a little bit different. Sensitive data, you know, including intellectual property is continuously created and shared across a vast, you know, different resources. So you have, like, cloud environments. You have SaaS platforms.
Ashley Knowles: And now we even have AI tools and shadow AI. And so you'll have things like analysts who move entire customer datasets into spreadsheets. And I can't tell you how many times I've actually found spreadsheets of Active Directory data, just like dumps of Active Directory data sitting on file shares. And then you have engineers who sometimes will share design files with contractors. And then, you know, those contractors leave and sometimes don't sanitize the data before they leave or they accidentally take it with them or, you know, not so accidentally take it with them.
Ashley Knowles: And then you have employees who are pasting confidential data into AI and potentially not having that AI, you know, again, sanitize it correctly or the AI takes it and trains off of it. And all of this is normal activity. I say normal in quotes because I don't really necessarily think it's normal and it shouldn't be normalized. But it is critical to productivity in this day and age to use AI, for example. And each of those steps, including using AI, carries a risk.
Ashley Knowles: So what do we need from DLP tools today? I think it's context. Right? User behavior analytics and analyzing user behavior. It's not enough to know how a file was sent.
Ashley Knowles:You need to know who sent it, why, and whether action fits the normal user behavior. And without that clarity, security teams are kind of left drowning in, you know, this debt of alerts that don't tell the full story. And sometimes it's really hard to discern if this is normal behavior for a user versus if something is, you know, actually happening. Right? And so how do we kind of marry traditional DLP solutions that are currently being sold with that contextual user behavior analytics?
Ashley Knowles:So first, we'll kind of dive into the basics. If I can go to the next slide. PowerPoint. There we go. So understanding your data landscape.
Ashley Knowles: So what data do you actually have? There's two different kinds. Right? You have structured data. That's organized information that's sitting in databases, systems with defined schemas and relationships.
Ashley Knowles: Sometimes this data may contain personal identifying information. So, like, you know, addresses, people's names, you know, their phone numbers, and their payment information. Employee records may also include Social Security numbers, their salaries, and sometimes, in some cases, medical data. Financial data will also include reports, transactions.
Ashley Knowles: It might have credit card numbers. It might have account numbers or balances or, you know, even the target or whoever is paying it, their information. So their company name and what the purchase was for. A while ago, I remember uncovering a bunch of information that was just stored in a file share somewhere where it had, you know, the company's name, the purpose of the payment, the amount of the payment, and then it even had transaction IDs, and it had account numbers and routing numbers all stored insecurely in a spreadsheet. And so then we have unstructured data.
Ashley Knowles: Information that doesn't fit nicely into databases. Often, it can be the hardest to protect and the most commonly leaked. And this stuff is, you know, you can read. But documents, spreadsheets, presentations, sometimes presentations can have really sensitive stuff in them. And then you might have emails with, you know, sensitive attachments, encrypted emails.
Ashley Knowles:You know, for example, I will often see someone emailing someone else a password, and that is not encrypted. They may not know how to encrypt it. They may not know how to send it securely. You'll have, like, GitHub repositories that contain intellectual property or inadvertently contain clear text credentials. And then again, chat messages with collaboration tools, you know, whether that be like Google Chat, for example, or Microsoft Teams.
Ashley Knowles:You know, what is stored? What are your employees saying to each other? Are they sharing passwords through Microsoft Teams? Is this stuff, you know, searchable? And then, you know, your first step after identifying your data and figuring out where it lives is then classifying it.
Ashley Knowles:How do we classify data? Is it public? Is that marketing materials, public website content, press releases? Would it be harmful if it's exposed? If your answer is no, then that's public data.
Ashley Knowles:Your next kind of classification would be internal documents. So general business documents, internal communications, nonsensitive project details or data that can be not so harmful, but kind of concerning if exposed. Right? That would be internal data. And then confidential and restricted data.
Ashley Knowles:Those are the two that, you know, typically management would freak out about. Right? So you have customer data, financial records, employee information that all requires protection, and then trade secrets, whether that be regulated data like PCI, credit cards, or HIPAA data, so like patient records. These would be called your, you know, crown jewels. And so kind of like a pro tip from us is start from the most terrifying scenario and then work your way up to the least terrifying.
Ashley Knowles: So you're gonna start with your crown jewels first. What would hurt most to your organization if it was leaked? And then you'll expand on that coverage later. So where does your data live? After you've classified your data, you've figured out what types of data you have, now you're gonna map your data.
Ashley Knowles:Is it on endpoints? Is it in network storage? Is it in the cloud? Is it in transit? So, like, your emails.
Ashley Knowles: Do you want to figure out where your data lives? Because that's gonna be how you're gonna protect it. That's gonna be how you're going to build detections. You're gonna build detections, again, user behavioral analysis off of all of these endpoints or network services or cloud services to figure out whether or not it being touched by a certain person is their normal business behavior. So for example, during a C2 engagement, if you engage with via Jas, where for a C2 engagement, it pretty much is called assumed compromise because basically, we start from that perspective of, you know, what a user or an insider threat would have as access.
Ashley Knowles: And so we're gonna look at that endpoint. We're gonna look for those protections that are in place for DLP. Can I copy and paste inside of, for example, RDP? Or, like, if I'm VPN'd into the network onto a desktop, can I copy and paste from my desktop outside of the environment into the environment and vice versa? Can I copy outside of it?
Ashley Knowles: Can I access, you know, an IP address off of an endpoint? Those are all gonna be questions that you're gonna ask yourself. You're gonna look at those different scenarios, and you're gonna figure out how to protect against those things. And the same thing with network storage. You're really gonna hone in on this principle of least privilege.
Ashley Knowles: And so you really want to make sure that if someone doesn't need access to data, they should not have access to that data. And I know that for a vast majority of companies out there, if you haven't tackled this principle of least privilege, it can seem kind of daunting at first, but it is a critical step in protecting against, you know, even just insider threat. Or, you know, say, for example, your admin assistant gets hacked and the attacker is using their credentials to see what kind of data they have access to. What can they access? What can they exfil?
Ashley Knowles:What kind of privileges do they have in the environment? And that's essential to DLP. And, again, goes back to that user behavior analysis. If this admin has never accessed this type of data before, they shouldn't be accessing it now. That should be a red alert to your SOC and to escalate that type of behavior.
Ashley Knowles: Alright. So we've kind of honed in on this a little bit, but understanding how data exfiltration can actually happen is also important. Is it accidental loss? You know, most data breaches aren't sophisticated attacks. It's not someone going and targeting a certain system or a certain organization; it's an inadvertent loss by an employee who potentially copies the wrong recipient on an email.
Ashley Knowles: There are honest mistakes that happen almost every day to everyone. So how do we train our end users to slow down? Right? Really look at who you're sending an email to. Really pay attention to who your email should go to and what data they're putting in their emails.
Ashley Knowles: Should it actually be in an email, or should you be sharing this data more securely? You know, those are types of questions that you can train your users to ask themselves before they send an email to potentially the wrong person or send an email with potentially sensitive information. And then we're gonna talk about, like, you know, misconfigured cloud storage permissions, exposing files publicly. Do you have buckets that are publicly exposed with sensitive data in them? And then, you know, say for example, you have an employee who's traveling and their device is stolen and it doesn't have any sort of encryption on it.
Ashley Knowles: And then, you know, that person is able to access what's on that device and potentially share it. And then old hardware, are you properly wiping your computers and wiping them several different times before disposing of that hardware? Or, you know, you could even, I'm not suggesting this, first of all, but you could even go full Office Space on a computer if you really wanted to. I remember years and years and years ago when we used to dispose of hard drives, we would smash them first.
Ashley Knowles: Again, not recommending that, but it is fun to think about. So anyway, going to malicious exfil, this is where you're talking about data that is intentionally exfiltrated. And so that could be again, that could be an insider threat or that could be a malicious actor emailing sensitive data to personal accounts, uploading to personal cloud storage services or something like Pastebin, using USB drives. You know, do you have your computers locked down appropriately so that they don't recognize USB devices or USB drives and external devices? And then screenshots, like we said, copy and pasting inside and outside of, you know, a VPN or an RDP session.
Ashley Knowles: And then, you know, the last one, printing sensitive information. I have so many clients who ask me, Ashley, why should we care about our printers? And it's right here. If you have a printer that has a default configuration and in that printer, you're able to access previously printed jobs and see what was actually printed. You know, you've just kind of created a perfect storm there because, again, default credentials or even no authentication at all.
Ashley Knowles: Because we do have quite often where printers just don't require any sort of authentication because they're in that default configuration state. And you're printing out sensitive data or scanning sensitive data. Like, you're gonna scan it and upload it into a drive. I actually had that with a client in the last year, actually, I think, where they were scanning old patient records and then uploading them to a file share to then transport it to where it needed to go, whether that was in their, you know, HIPAA compliant database or it was going to be destroyed. You know, it was sitting not only on the printer, but it was also sitting in the file share.
Ashley Knowles: So it potentially could be an accidental loss there, but also a malicious exfil if, you know, someone was able to gain access to that printer and or that file share. So you can't protect data if you don't know where it is. Alright. So advanced exfil methods. What does that look like?
Ashley Knowles:This is gonna be where we're talking about someone who's kind of living in an environment for a little bit longer than a typical attacker. This person is going to be sophisticated. They're gonna lead a sophisticated attack. They're gonna be using things such as covert channels. And so that is when you have, like, command and control server and it's encrypted and it's talking to an external server.
Ashley Knowles:And so that encrypted traffic is not seen by traditional, you know, EDR or SOC alerts because they can't decrypt that traffic. And it so then it bypasses that traditional monitoring. And so you're gonna say, okay. How can I alert on that? Again, goes back to user analytics.
Ashley Knowles: Is that typical for that user? Do they typically have this encrypted traffic? Is this something outside of the normal realm of possibility for, let's pick on Nancy from HR. So that can be something. And then you have steganography, embedding data into images.
Ashley Knowles: I don't really see that so often, but I did think that it was worth mentioning that it could be a potential attack vector where you are using a covert channel to hide data in an image and then sharing that image, and it just looks like an image. You can do DNS tunneling to hide the data in DNS queries. So those are a couple of different covert channels that you can use to exfil data. And then you have evasion techniques. So this would be something as simple as breaking files up into small pieces to avoid detection.
Ashley Knowles: You could even base64 encode those small pieces and then exfil those base64 portions of the data. And so, again, it goes back to testing not only user analytics and behavior, but also making sure that, for example, your DLP protections on your browsers and in email are searching for the base64-encoded content. And then encrypting in other various methods. Is it a ZIP file? Is it a password protected ZIP file?
Ashley Knowles:Can your DLP solution alert on the fact that, hey. Maybe potentially there's a lot of encrypted ZIP files that are being sent over whatever channel out to the outside world to this person they've never talked to? Again, user behavior. And then using legitimate business tools maliciously. So for example, RDP or you could, again, password protect a ZIP file, copy it out of an RDP session into, you know, another outside computer.
Ashley Knowles: And then you have slow exfil over time to blend in with, like, normal traffic. That one's gonna be a little bit harder to detect. But, again, goes back to user behavior analytics. Even if it is slow, it is still probably going to be communicating with either one IP address or maybe a couple rotating IP addresses. And so, again, a little bit harder to detect, but it goes back to that user behavior analytics piece of DLP.
Ashley Knowles:And then you have timing attacks. And so those can look like after hours. So is your company based in The US, or is it based overseas? Are they doing large transfers on the weekend? Is it even an employee doing large transfers over the weekend when they know security teams are gonna be offline or not as responsive?
Ashley Knowles: So they're able to get away with exfiltrating that data before anyone receives the alert, gets back to their computer in response to the alert. Gradual data theft over weeks or months could also occur to avoid triggering on these volume alerts. I would say though, or I'd venture to guess, that is less likely to happen. Alright. So we kinda talked about this a lot already, the insider threat reality.
Ashley Knowles: Not everyone with access has good intentions, whether that be because they wanna sell it or they want to take it with them to another employer or they want to make sure that they know or can take the data for their own benefit to another employer or start their own company or, you know, take clients with them. You know, those are all different kind of scenarios that I can think of. I'm sure that everyone with an imagination could come up with some other ones. But, again, we're talking about this behavior analytics. We're talking about monitoring users, establishing a baseline for what users are typically doing, and then monitoring that to see what abnormal behavior is occurring.
Ashley Knowles: And so, again, watching for red flags. Are they accessing data outside normal job functions or business needs, downloading unusually large amounts of data? Are they doing activity during really odd hours? Are they up at three in the morning or on weekends working and downloading all of this data or even on holidays? Are they using a personal device, or is this computer all of a sudden connecting to, you know, a hard drive off of the computer or external accounts like their Google Docs, for example?
Ashley Knowles: Are they going to, or did they just give their two weeks notice and they have a huge data access spike prior to that two weeks notice or prior to the termination? This is also a really good time for organizations to look at their termination checklist and to make sure that you are terminating or disabling accounts everywhere possible prior to that termination actually occurring. So understanding that your insider threat landscape could be different for different organizations is crucial in mapping out what that insider threat landscape could look like so that you can again look at your baselines and establish what is normal versus what isn't. How to stop data loss? The basics.
Ashley Knowles: So we're gonna build your foundation. We've already talked about knowing your data, knowing where your data lives. We've talked about different methods of control and talked about different methods of data access and data exfiltration. We've talked about monitoring activity. So those are gonna be your three big things, and building that foundation is going to be around those three big things.
Ashley Knowles: So you wanna discover again where that sensitive data lives, classify it by risk and severity, map who has access and needs, implement those principles of least privilege, conduct regular reviews to make sure not only is that least privilege still in place, but also terminating privileges, you know, if they don't need it anymore. I recall one of my first jobs out of college, they would require us to access data with an admin account. And every thirty days, that admin account would come up for review, to see if you still needed that admin access. And if you weren't logging in or using it, you would lose that access.
Ashley Knowles: So you would have to request it every certain number of days regardless of whether or not you were using it. I know it's a bigger lift on employees and your help desk people, but it is important to securing data and securing your trade secrets from, you know, leaking out into the world. And then monitoring activity. Like we said, establishing that baseline and alerting on anomalies, investigating those promptly will be your keys to success. Technical controls, technical controls that actually work and practical DLP implementations.
Ashley Knowles: We have your email protections. And so this is very much traditional DLP looking for contents, looking for sensitive data patterns, like, are there Social Security numbers? Are there credit cards? Do they have any confidential labels on them? Blocking or automatically encrypting emails with sensitive data.
Ashley Knowles: And then you're gonna quarantine those suspicious attachments for review so that those emails aren't leaving your environment without someone actually touching them. In the day and age where we have SOAR and we have AI, you can really kind of hone in on what is typical emails that are being sent and what could contain sensitive stuff. So I highly recommend that your SOC, you know, look through emails with some type of SOAR implementation or some type of automated implementation, whether that be AI augmented or, you know, something that, again, looks at user behavior analytics. And then you're gonna look at your endpoint controls. And this is where kind of having a desktop or a laptop pen test with an assumed compromise point of view is gonna be super important.
Ashley Knowles: You know, can we copy and paste inside of the environments outside of the environment? Again, things that we've already kind of talked about. I don't wanna harp on them and bore you guys too much with the same topics. And then blocking uploads to unapproved cloud services at the system level. So that's gonna be things like putting a browser extension on your browsers to protect your endpoints from navigating to certain websites or downloading certain types of files or uploading certain types of files.
Ashley Knowles: And then we have network controls. And so this all comes back to this layered approach of DLP protections and your defense in depth. And so this is really important because if one method fails, you have something to fall back on. So, you know, at your first level, you're gonna have those network controls. So you're gonna do TLS inspections for your firewalls.
Ashley Knowles: You're going to monitor and block suspicious traffic flows. You're gonna implement, you know, tenant restrictions. You're going to be looking at your cloud environments, specifically controlling who can access what data. You know, this tenant restrictions piece is really important because you can, like, inject HTTP headers via, like, a proxy or something like that to restrict which tenants users can actually authenticate to. So if you want them to only be able to access your specific M365 instance, that's how you're gonna do something like that.
Ashley Knowles: And then you have your endpoint DLP agent. So for, like, remote laptop users that aren't always on the corporate network, these endpoint agents are kind of essential to making sure that your DLP solutions are always running. And so you're gonna be using, again, the Windows-based firewall or, for example, if you're using a Mac, you're gonna use the Mac firewalls and group policy, GPOs, to block outbound connections to, like, known cloud storage IP ranges or known, like, cloud storage websites. Again, those are gonna be things like Dropbox, Box.com, you know, legitimate businesses or business cloud offerings to store your files, but probably don't need to actually have access to those things. And then kind of worth mentioning here, GPOs can be really hard to limit this traffic with alone.
Ashley Knowles: You have, you know, obviously, to be careful when you're putting your GPOs in place, but you also can have conflicting GPOs. So, again, goes back to that layered approach. It's always good to have backups or using something sophisticated like AppLocker to prevent, you know, unapproved client syncs to things like Dropbox from running at all. And then those DLP agents can obviously monitor and block file operations destined for cloud services. And browser extensions, like we talked about before, can block uploads to unapproved sites.
Ashley Knowles: And so then you have DNS sinkholing. And so you can use DNS sinkholing for, like, quick wins against malicious domains. You're gonna be using things like next gen firewalls, secure web gateways that will block by category. And the common URL categories for those things can include things like personal cloud storage or file sharing. I think it's also worth mentioning here that, again, no single control is sufficient on its own.
Ashley Knowles: Determined users will bypass DNS blocks. They will bypass proxies with, like, mobile hotspots and so on. So, again, defense in depth across your network, your endpoints, and identity layers is the most resilient approach by, you know, doing all of those different things. So then we have, I thought this was really important again to kind of hone in on and talk about since, you know, cloud and modern workplace protection is changing so quickly, especially with AI. You can implement things like a cloud access security broker, or CASB, to sit between users and cloud services.
Ashley Knowles: And you'll apply allow listing to sanction certain cloud applications, like, for example, OneDrive or SharePoint. And like we talked about previously, you can use injection of headers to restrict that account access. And then you have data-centric security, encrypting sensitive files automatically based on classification, applying rights, like view only or no download policies, using persistent labels that follow data no matter where it goes. Those are some methods. And then, again, user behavior analytics.
Ashley Knowles: I feel like I've kind of honed in on and beat that one a little bit. But I really think that it is important, especially in this day and age, for user behavior analytics to be kind of like the go-to for DLP protection. Alright. So now we're gonna talk about how to test your DLP solution and how to implement good test cases and how to determine whether or not a scenario is successful. And so first, you know, really quick, what is a purple team?
Ashley Knowles: What is the purple team process? It's the process of testing, learning, improving together. You know, you're gonna plan what the purple team engagement is gonna actually look like, the scenario. You're going to agree on what is gonna be tested. You're gonna agree on the timeline.
Ashley Knowles:You're going to get together whether that be in the same room with your red and blue teams or, you know, on a Zoom or a Teams call. You're gonna define what that clear success criteria is gonna look like. You're gonna document expected detections and then what actually happens and and the timing of those alerts. Because if your alerts take hours to generate, it's gonna be too late by the time that alert has generated. That data's gonna be gone and potentially so will the attacker.
Ashley Knowles:We've seen attacks that are very they're they're sophisticated enough that the attacker automatically cleans up after themselves after they leave or before they leave or throughout that automated data exfil process. And so they don't leave as many breadcrumbs behind to even detect whether or not they were there. By the time that alert comes in, those breadcrumbs are gone and then you're left wondering, hey, what did they access? Then you're gonna test safely. You're gonna use nonproduction environments, nonproduction sensitive data.
Ashley Knowles:You can clone that data. You can sanitize it. You can use dummy data for this. But just as long as it mocks or replicates what you would have in production. And you're gonna run in that controlled environment and document every single step for reproducibility.
Ashley Knowles:And then you're gonna review collaboratively after the attack has been completed so that you can compare what was detected versus what didn't and analyze again that time to detect and alert quality. And so you're gonna look at any gaps that were discovered there, and you're going to hopefully implement better alerts and then redo the whole cycle. So I kinda came up with a few different scenarios for you guys. If you're like, hey. I don't know what a good scenario looks like.
Ashley Knowles:We've got five of them here for you. So the first scenario is like email exfiltration. The test for this one is gonna be sending sample sensitive data to personal accounts. These can be burner accounts. And the the sample data can strictly be like, you know, just made up as Social Security number.
Ashley Knowles:What I really recommend is testing in as many ways as possible with each different kind of sensitive data. So you're going to put plain text in the body of the email. You're going to send that. Then you're gonna do a new email, base64 encode that sensitive data. Send it.
Ashley Knowles:Do a new email, put that as a text file attachment, and then again, send it and then test again that text attachment with the base64 data inside of it, send it, testing whether or not you can identify encrypted attachments, whether or not you can identify password protected files. Even if it's just saying, hey, I can't decrypt this or hey, this is a password protected file that you should probably go pay attention to, this is something of note. So your expected detection here is going to be the sensitive content or maybe it decrypted it automatically because it used weak encryption or known encryption. Or did it log the activity for security review even if it was allowed through or wasn't allowed through because it detected that it was a password protected zip file? So your testing objectives are gonna be, you know, validating that the email DLP rules work as configured, tuning those policies to reduce false positives, or make them quicker, documenting gaps, creating that improvement plan, verifying alert quality, and then your investigation workflow.
Ashley Knowles:Ideally, each one of these scenarios or DLP scenarios should have a documented workflow, what you want your analysts to actually do. And then your success criteria. Each one of these scenarios should have success criteria. So for the specific one, you receive actionable alerts within a set time frame. I put five minutes.
Ashley Knowles:It can be whatever you consider to be valuable for your team and then tracing that full email path. Alright. So now we have scenario two. Scenario two is going to be a cloud upload test. Try uploading sensitive files to personal Dropbox, OneDrive, Google Drive.
Ashley Knowles:Try via web browser or desktop sync application or using a mobile app if you're connected to, like, Wi Fi that's offered from your company, testing with renaming those file extensions to evade detection or, again, you know, doing kind of what we talked about before, password encrypted password, yeah, password encrypted zip files or looking at, you know, encrypting the files and other methods like base64, for example. We're gonna talk about what the blue team should see. We're gonna see maybe potentially CASB or web proxy is blocking the upload attempts. Maybe your endpoint DLP prevents that file transfer. Great.
Ashley Knowles:Document move on. Was an alert generated, as a result of it being blocked? That's also super important. Are you blocking things and there's no alert generated? That's something that should be fixed in my opinion.
Ashley Knowles:And then is your user receiving a notification about the policy violation or is it just being alerted on? That should be a conversation that you should have internally about whether or not you want your users to receive notification about that violation. Your validation goals will be, again, confirming cloud DLP coverage across of the wide for us a wide fast upload methods. This one just doesn't make sense. But, anyway, moving on.
Ashley Knowles:You're gonna identify unsanctioned applications being used and then potentially update policies for better protection. Commonly, you know, seeing gaps could be things like web applications bypassing web filters or mobile applications bypassing web filters, you know, if the browser extension isn't working appropriately or app blocker isn't working appropriately. Or, say for example, you're dropping an application into or the EXE for the application into, like, an app blocker allow listed folder. Is that detected, or is there an alert generated for that? Like, hey.
Ashley Knowles:This isn't normal for this user to drop this EXE into this allow listed folder even if it doesn't block it, is it still alerting on that activity? And then changing the extension might also evade content inspection. And then how are they invoking that? Are they invoking it in PowerShell, or are they, you know, like, invoking it from the desktop? Sometimes personal VPN usage can also circumvent network controls, but, again, that should be caught by things like AppLocker.
Ashley Knowles:Alright. So scenario three, insider threat simulation. So this test again, download large volume of customer data that would be outside of the norm. Accessing files outside of their normal job function, performing suspicious actions during after hours or on weekends or say for example, your entire company goes to a conference. How long does it take for the sole analyst that's left behind to detect that behavior?
Ashley Knowles:Again, you want to have some sort of validation that the behavior detection worked effectively. You wanna adjust those thresholds to catch real threats without that alert fatigue. Because if you're fatiguing your analysts, then they're just gonna dismiss things that could be potentially real. And then testing or finding those procedures, are they are they detecting it and then they're just not alerting the appropriate people to resolve that issue quickly enough? That's something that you wanna look at as well.
Ashley Knowles:Then scenario four, USB and physical exfiltration. We're gonna have, you know, different tests where you're using a USB drive, you're using a mobile device, or you're printing sensitive documents and seeing whether or not those things are detected. The results should hopefully confirm that your physical controls work as designed. You're identifying printers that potentially may not be monitored. And then really revealing those gaps that are in your device control policies that might need to be updated.
Ashley Knowles:And then finally, these are kind of advanced techniques. If you think that your DLP policy is really great and you know that you check off all of the other scenarios, you're doing those things really well, this is something that maybe you wanna look at. So encrypting those files before uploading to evade content inspection, maybe you're gonna test using DNS tunneling tools to exfiltrate data, you know, covertly. Are you breaking up the files into small pieces and then encrypting those small pieces to avoid any potential size based alerts? And then screen capture.
Ashley Knowles:Maybe you're screen sharing to another computer or you're using the name is escaping me right now, but it's like a built in Microsoft screen share application that we've used quite often. And so are they screenshotting sensitive data instead of copying the text and then using AI on the other end to be like, hey. What's in the screenshot? Are you monitoring screenshots that are being taken? Are you monitoring someone's screen sharing with a tool that potentially may not be approved?
Ashley Knowles:Or is it approved and they never use it and all of a sudden they're using it today? All different scenarios that you can look at. And so these are gonna be for more mature companies. You've already gone through several of the other scenarios. You think that your DLP maturity is up to snuff basically to go through these more advanced evasion techniques.
Ashley Knowles:So we've talked about scenarios. Let's talk about starting your DLP journey in a practical road map. When I was first looking at this, it was funny. Someone had basically suggested every single month doing something new. And knowing the vast majority of my customers, starting a new DLP journey every single month is very much impractical.
Ashley Knowles:And then even this might be more impractical too knowing how quickly some organizations move. So obviously tailor this to your business. So week one, two, the first thing that you wanna do again, discover. Identify your top five most sensitive data types. Map where they currently live, who accesses them regularly, build that baseline.
Ashley Knowles:Quarter one, you're gonna be looking at quick wins. Are you enabling email DLP? Are you implementing basic USB control on your endpoints? Looking at things like app usage, maybe looking at things like AppLocker. And then quarter two and three, you're building and testing.
Ashley Knowles:You're deploying endpoint DLP to a pilot group. You're running your first purple team tests to see how the DLP catches things. You're tuning in your policies based off of, like, what happened. And then your quarter four is gonna be expanding. Everything went swimmingly.
Ashley Knowles:You're like, great. I can deploy this. And then we can go back to the starting line of testing new scenarios, building more mature DLP process, gradually adding different things, gradually rolling out to different unit groups. You don't wanna overwhelm yourself or your SOC, for example, because you need to give people time to adjust and fine tune tools. Because even though test environments are great, the real world case scenario is gonna be way different than a test scenario.
Ashley Knowles:And the alerts are gonna look different. And your alert fatigue may be different too. Alright. Key takeaways, action items, quick wins. First, I wanna say you could do this.
Ashley Knowles:Here's some ways to start. So again, we already talked about this. I feel like I'm repeating myself quite a lot here. But understanding your data, testing regularly, iterating through all of your tests, and improving on based off of, like, previous tests, focusing on quick wins, and some things that you can do this week. Questions, resources, there's this slide.
Ashley Knowles:We're here to help. BHIS is happy to help. We have best support where we can hop on calls with your organization and talk through different ways of implementing not only DLP, but, like, other, you know, security related issues. But DLP doesn't have to be scary and overwhelming. Start small.
Ashley Knowles:Build confidence towards, you know, your angle through those incremental wins. Focus on progress and not perfection. As I always tell my kids, practice doesn't make perfect. Practice makes better. So every step forward improves your security posture.
Ashley Knowles:And the best time to start may not have been yesterday, but it can be today. And I also have links and resources here, some of the stuff that I identified through my vast research. So any questions? How do I kill a screen share? Someone help me.
Ashley Knowles:Yes. The presentation will be saved later. It's gonna be on YouTube.
Jason Blanchard:Nailed it.
Ashley Knowles:Good job, Ash.
Jason Blanchard:Oh my gosh.
Ashley Knowles:You were like, somebody help me? Somebody help hello? We heard you were there.
Jason Blanchard:The appropriate amount.
Bryan Strand:You were paying attention. We just wanted to see you squirm a little bit. That's it. Hey.
Jason Blanchard:Great job, Ashley.
Bryan Strand:I'm both sides. Thanks.
Jason Blanchard:You ever did you ever imagine, let's say, two, three years ago that you'd be giving a presentation on DLP and just really got into it like this?
Ashley Knowles:You know, mm-mm. I didn't even imagine this more than two weeks ago, Jason.
Bryan Strand:I honestly couldn't picture it in the preshow banter.
Deb Wigley:I I mean, yeah, I'm still wondering why you gave it.
Jason Blanchard:This is
Bryan Strand:Yeah.
Jason Blanchard:Alright. Everybody So a couple things. Make sure you check in for Hackett today. If you haven't checked in for Hackett, please do so. It's in the Discord server.
Jason Blanchard:We give you credit for attending. And once you hit 10 webcasts and 20 webcasts, thirty, forty, 50, and a 100 webcasts, we send you rewards to say thank you so much. We mail you things in the mail. And and so if
Ashley Knowles:you have Mail them the mail? Mail them in the mail. Yeah. Oh, okay.
Jason Blanchard:I also give free things away for free. So Mhmm.
Bryan Strand:Yeah. Mhmm.
Jason Blanchard:Was just thinking
Deb Wigley:Few things cost money. So
Jason Blanchard:Yes. Yeah. So if you received a Hackett reward, just go ahead and let people in the chat know it's a real thing. It's a real thing that really happens, and people send it to you.
Ashley Knowles:So We're not just trying to get you to click on something. I promise. Or scanning that too.
Jason Blanchard:Yeah. But speaking of clicking on something, in the Zoom chat, we're giving away the free orange book. It's a new the survival guide. If you click on the link there to the Spearfish General Store and give us your contact information, we will send it to you absolutely for free.
Ashley Knowles:In the mail.
Jason Blanchard:If you live in The United States, if you live outside The United States, we do have a link to read it digitally, and and you can download the PDF there. For everyone that got your orange book, let everyone know that that is also a real thing and not just a highly engineered phishing campaign.
Ashley Knowles:Who has an orange book? Where's my orange book, Jason?
Jason Blanchard:We'll send you an orange book, Ash.
Deb Wigley:I'll send you an
Ashley Knowles:orange Thank you. You can click on that link if you want.
Jason Blanchard:Yeah. Just click on the link. Get through it. Actually.
Ashley Knowles:Go. Don't want to.
Deb Wigley:Can't do everything for you. Come.
Jason Blanchard:Alright. Man. So we do have some questions. We'll go ahead. We do
Ashley Knowles:have some questions. And I can go through them. Yes. We can through them in Zoom.
Jason Blanchard:Yeah. Yeah. Go. Alright.
Ashley Knowles:Perfect. So we have a question. How do you prevent data loss leakage from support? Because they usually ask for a lot of data, which is now apparently AI driven, which is mind blowing to me. Anyway, how do you prevent data loss from, you know, overly invasive support questions?
Ashley Knowles:I think that's gonna go back to training your employees. Right? Your employees are gonna be your first line defense. Training your employees on what is an appropriate question versus an inappropriate question from a support personnel, whether or not it is technically AI driven, they're still gonna be able to discern whether or not it is appropriately phrased or questioned. And then training your employees on how to report if an inappropriate question or an overly invasive question is asked.
Ashley Knowles:I really think your first line defense is gonna be your people. And then if your people don't do it, you know, presumably, you have a log of that support call, and you're maybe potentially using another AI to look through that support log, to identify whether or not passwords were shared via this support call, whatever. I don't know. Chat. However you wanna call it.
Ashley Knowles:Are you scoffing at me? Someone's scoffing at me. Someone's coughing? No. Don't the Brian.
Ashley Knowles:No.
Jason Blanchard:Don't want to scoff.
Bryan Strand:I'm not even paying attention enough now.
Ashley Knowles:Making sure that, you know, whether or not it be AI or some sort of alert that is monitoring for passwords or other sensitive data that's being shared. Yeah. Someone said PrintNightmare. Yeah. That is a nightmare.
Ashley Knowles:Don't have your print spooler service running on your domain controllers, please. Thanks. Next. Has anyone found a way to lock down printing, specifically detect if sensitive data is being printed? Interesting question.
Ashley Knowles:Someone said they use Papercut for print management. Someone else says make sure you keep it up to date. Oh, yes. Really good. Just keep your printers up to date.
Ashley Knowles:Put authentication in place on your printers, please. Make sure your printers aren't sending things over HTTP either. That's that's always a really good way to lose data.
Deb Wigley:Jason, we need to check our printer.
Bryan Strand:Yeah.
Ashley Knowles:Yeah. You do.
Deb Wigley:Yeah. We do.
Ashley Knowles:Yep. And then and then you have shadow IT too, which is when IoT devices or printers are plugged in without letting your IT people know about it first and letting it live there forever and scary, scary stuff.
Jason Blanchard:Yeah. That was my nickname in high school. Shadow IT.
Ashley Knowles:Shadow? Oh, I see your scary, scary stuff. Makes sense.
Jason Blanchard:Well, it depends on the day. Yeah.
Bryan Strand:There was some touching that. Real nickname in high school was shadow it, but he thought it was cool to see him.
Ashley Knowles:He thought it was cool to put the dots in there. Okay. Yeah. Yeah. Someone said secure printing via badges will help because you can definitely, like, log who has printed what.
Ashley Knowles:That's a really good question. I'm going to look into that a little bit more because I don't really know the good answer for it. How do you prevent data loss leakage from support? Because they usually ask for oh, no. Sorry.
Ashley Knowles:That was the same question just repeated. Recommendations for trusted browser extensions to assist in DLP efforts. I would start with whoever you're using for an EDR. Sometimes they might have something that's built in that can be implemented. If you don't have something that is built into your EDR, I don't know if I necessarily have a recommendation.
Ashley Knowles:Maybe someone in chat has it.
Jason Blanchard:Speaking of chat, I just put the link for ordering the orange book again into the Zoom chat. So if you wanna go and order that or if you wanna read it digitally, you can. And then Brian's gonna be here in the next couple minutes to answer questions. If you wanna know what it's like to do business with Black Hills Information Security, we normally don't talk about that at all during the webcast. And so when the webcast is finished and we're done answering questions, then Brian will be here to answer some of your questions of what it's like to hire us to be your SOC or continue to spend testing or or pen testing or any of the other stuff that we do.
Jason Blanchard:So, Ashley, one of the questions I I always like to ask testers, and I've I've asked you this before. I'm gonna ask you again. It's got new audience here. So, Ashley, when you're doing a pen test or when you're working and doing your work, if you are unable to figure out how to to bypass something or or gain access to something, do you feel like you're not very good at what you do, do you feel like their defenses are better than than you're able to break into?
Ashley Knowles:I mean, are you are you asking? A loaded question. It is a very loaded question. Caffeinated Ashley would probably say their defenses are great. Uncaffeinated Ashley would probably be like, maybe I suck.
Ashley Knowles:It's been two weeks. Why did they hire me? Why did they hire me? I still ask myself that occasionally. I'm like, what am
Deb Wigley:I doing here?
Ashley Knowles:I'm a piece of potato. But seriously, on a serious note, I would say a little bit of each, but I would also say that we do have very mature customers. A lot of people that come to us for assumed compromise tests or, you know, some of our more I I wouldn't say mature testing, but, like, more mature testing. You know, you're here for a purple team assessment. My assumption is going to be going into it that you have mature capabilities.
Ashley Knowles:And so I'm going to assume I'm gonna have to try harder. And, you know, that might not be a reflection on me as a person or me as a tester, but more a reflection on the customer's environment. However, I'll make one caveat there is that I always go back to my team and the tribe of BHIS testers and I say, hey. I have this environment. I'm up against these controls.
Ashley Knowles:Someone help me, please. How can I bypass this? Have you seen bypasses that are working? Have you seen, different ways that I can, for example, reconfigure my c two payload to bypass this potential EDR? And so I do ask for help.
Ashley Knowles:And the majority of the time, 99.9% of the time, if someone's alive, right, they will respond because BHIS testers are the best. So, yeah, that is pretty much my answer. If you're coming to us for a potential, you know, assumed compromise test or a purple team assessment, your environment's probably going to give me a hard time.
Jason Blanchard:Yeah. And I I appreciate the answer. And then I I like asking the testers because I want people here to realize that sometimes we doubt our skills. We go ask for help. We check to make sure that we're we're doing what we, we think will work.
Jason Blanchard:And so every once in a while, the thing that we're trying doesn't work the way we think it will. Speaking of which, you have an opportunity to solve the CTF. There's a free CTF challenge based on today's webcast that you can participate in for free, where you get a chance to solve a CTF question. And then the winner of that has the chance to win prizes. So please, everyone that participates has a chance to win a prize, and then the person who actually wins gets a chance to win the prize.
Jason Blanchard:I'm putting the link into the Zoom chat. So if you look in the Zoom chat and also here in the Discord chat, and so you can go to that link right there. Zach got it all set up, ready to go. And so if you go ahead and do that. Alright, Ashley.
Jason Blanchard:Final thoughts for today. What are your final thoughts? If you take everything you talked about today and one final thought, what would it be?
Ashley Knowles:Never stop learning.
Jason Blanchard:Never stop learning. Yep. Alright, everybody. That is the end of the webcast officially. So if you would like to leave, feel free to leave.
Jason Blanchard:If you would like to hear what it's like to work with Black Hills as a you know, we're your vendor. We help secure you. If you wanna know what that's like, then please stick around for the next maybe five, ten minutes or so.
Bryan Strand:I'm sorry if you leave. I'm just gonna No.
Jason Blanchard:So, Ashley, if you wanna stick around, feel free to stick around. If not, if you're like, I'm just so tuckered out from all that show banter and all that webcasting. But great job, Ashley. Thanks. Ashley, seriously.
Jason Blanchard:Thank you.
Deb Wigley:Seriously. Thanks. Yeah.
Jason Blanchard:I
Ashley Knowles:No. No. Thank you for having me and and and and hiring me and working with me and I don't know. I don't know. I'm here because you're here.
Jason Blanchard:Well, kind of. And we're here because you're here.
Ashley Knowles:Yeah. It's the same.
Bryan Strand:We wouldn't be here. Here because I'm here.
Ashley Knowles:Yeah.
Jason Blanchard:We're not here because Brian's here. Alright. Speaking of Brian. Speaking of Brian. Speaking of Brian.
Jason Blanchard:Alright. So we do things a little differently at Black Hills when it comes to sales. And so Brian, for the most part, we don't have a team of people that are going out and like asking people like It also feels weird to ask a company like, so you want us to break in? Like I know you never met us before, but it would be a shame if something happened to your company, you know what I'm saying?
Bryan Strand:It does feel like the mafia. It does. Yeah. Like, you pay us for your for our protection.
Deb Wigley:You're Yeah. Really selling selling us very well right now. I would. You wanna start over?
Bryan Strand:Yeah. Let's start over. Let's start over.
Jason Blanchard:Okay. Okay. So if somebody wanted to work with Black Hills, what's the very first step?
Bryan Strand:You you ask me this every time, I never know if I give the right answer, but you've never told me I've given the wrong answer before.
Ashley Knowles:You're always
Bryan Strand:There's there's, like, too many answers for that. Like, on our website, you can fill out the web form there. You can email consulting@BlackHillsInfoSec.com. If you wanna just email us directly, you can message me on on LinkedIn. You wanna find me on LinkedIn, I guess, you could message me on Discord.
Bryan Strand:You can message Jason, Deb. Honestly, we don't really care because we don't work off commission, so it doesn't matter who talks to you first.
Jason Blanchard:Mhmm.
Bryan Strand:So any of us, anybody, anywhere, any anybody at Black Hills, they'll they'll they'll get you pointed in the right direction.
Jason Blanchard:Yeah. Okay. So someone reaches out, they go to the contact us form, they send us a message, they do this, and then then what happens?
Bryan Strand:Melissa or Nora are gonna email you back, and they're gonna say, thank you. Here's a Calendly link you can use to get on a call with Tom, Logan, or Brian.
Jason Blanchard:K.
Bryan Strand:Hopefully, Tom or Logan.
Jason Blanchard:So Thank you. Yeah. So it's not an automated AI response?
Bryan Strand:Not yet. I can't get rid of my sister. I've been trying. Can't get rid of her. But, no, she she will respond back.
Jason Blanchard:Yeah. And it the speed in which they do respond back, like, catches me off guard sometimes.
Bryan Strand:Nora is a little Nora is overzealous. Let's just put it that way. Yeah.
Ashley Knowles:Nora
Bryan Strand:is shouldn't say overzealous. She's correctly zealous.
Jason Blanchard:Yes. It's it's one of those things, like, you email us, please expect a response, like, really fast.
Bryan Strand:Yeah. And if you don't, you you can you can call the phone number. That's another way you can you can call the number, and then you'll get Logan. Yeah. And he's the nicest, most south he is I think the reason why John hired Logan is because he looks at him, he's like, that that kid's South Dakota.
Bryan Strand:He is like the embodiment of South Dakota. Yeah. He's like the nicest person you've ever met. So Yeah.
Jason Blanchard:Yes. Yeah. I I still remember the email that Logan sent in asking for a job at Black Hills. It was the most earnest.
Bryan Strand:Mhmm. I
Jason Blanchard:was down to earth. The most, like
Bryan Strand:I wanna find it now that you mention it.
Jason Blanchard:Go
Bryan Strand:ahead. It's
Jason Blanchard:it's so good. It's in the contact us form somewhere. Like, he Yep. He reached out.
Ashley Knowles:I did.
Jason Blanchard:Oh, alright. So okay. Now they've emailed us Nora or Melissa right back. You schedule a Calendly meeting, and then it's Logan and Tom. And then do they just badger people for, like, thirty minutes to buy stuff they don't need?
Jason Blanchard:Yeah. That's yeah. That's that's that's us.
Bryan Strand:Yeah. No. Yeah. It's it's funny. When I I when we brought on Logan and we brought on Tom, probably can't say this anymore, but I used to say, act like you're having two beer conversations.
Bryan Strand:Like, you're two beers in, you're not intoxicated, intoxicated. You're You're not not drunk, but you're relaxed. And that's how I like us talking with people. And now I tell people just whatever the energy they have on preshow banter, just bring that into the sales calls. And so that's seriously kind of what we do.
Bryan Strand:We just hang out on calls. We talk with people. A lot of times, we're done scoping stuff by, like, five to ten minutes in, and then it's just hanging out and talking time with with with people. I've I probably spend more time talking with people about random stuff than actual scoping things, don't tell John, on sales calls.
Ashley Knowles:I'm gonna be honest. My favorite thing is when customers come back to me, and I feel like customers don't take advantage of this enough. And they ask questions even if it's completely unrelated to the test itself. I had a customer come to me a couple months ago, and they were like, hey, Ashley. We are looking to prohibit or identify all of the ways you can access systems internally.
Ashley Knowles:Do you have a list? And I was like, I don't know of a list, but I will make one. And I made one, and I sent it to them. And they were super happy about it.
Jason Blanchard:Sure.
Ashley Knowles:So if you're not taking advantage of your testers and asking them for advice or questions, you're kind of losing out on a hidden thing that we can offer.
Jason Blanchard:Mhmm. Yeah. Because we kinda changed the name. Like, on the website, we called penetration testers, right, for a long time. And we're we're like, no.
Jason Blanchard:We're security consultants. Like, that's what we do. We consult on security matters because we know how to do that.
Ashley Knowles:Alright. And if we don't know, we Google.
Jason Blanchard:We do. We Google.
Bryan Strand:And if Google doesn't know, we use AI.
Jason Blanchard:Yes. So, Brian, I've heard it say that if if you can find a dentist the day of, like, an emergency
Bryan Strand:Be wary of the dentist you can get into tomorrow.
Jason Blanchard:Yeah. Be wary of the dentist you can hire today. Or
Bryan Strand:Yeah. Something like that. Yeah.
Jason Blanchard:So if someone does hire us, are are we available today?
Bryan Strand:Yep. No. We are not. We are typically The high price. Yeah.
Bryan Strand:Right? No. We have honestly, that's a funny story. We have had people email us that are so desperate in quarter four. This hasn't happened in years.
Bryan Strand:But people have emailed us and have been like, how much will it cost for us to get in? And we're like, it doesn't work that way. I'm sorry. But, no, it's a typical lead time from a signed contract is sixty to ninety days depending upon the time of year. You get into q four.
Bryan Strand:By the time, like, August hits, we are sold out for the rest of the year.
Jason Blanchard:Okay. Yeah. I wanna I wanna talk about that real quick. We're sold out for the whole year by August.
Bryan Strand:Kind of. So we have we have we've made we've made little promise. It's think of it like think of it like we're engaged to customers, but we're not married yet. Mhmm. But, like, we could still call the whole thing off.
Bryan Strand:So we have, like, we have times that we've promised to customers, but they things are always moving and shaking for the next, like, month or so anyways.
Jason Blanchard:Okay. So if somebody wanted a pen test in this year, don't wait till September is what you're saying?
Bryan Strand:Don't wait till September.
Jason Blanchard:Like, you maybe in September. Maybe in October. Like, maybe.
Bryan Strand:It depends on how big of a test you want. If you want, like, a three day external, we can probably do that.
Jason Blanchard:Okay. Alright. And then do we base our prices on how big the company is and what they can afford to pay, or how does that work?
Bryan Strand:I like to scope things based off how nice they are to me on sales calls, personally. But CJ doesn't like that, and he stopped that a long time ago. And so right now, it is just everything's predone. So whether you're super small or we even do that with, like, CPT, by the way, which is crazy to me. I'm like, went to Corey.
Bryan Strand:He's like, no. Stop sucking at capitalism. And we got into a big fight about it, and we haven't talked since. But, no, we don't really change our price based off the size of the company. It's, well, kind of, but it's not based off how much money they make or anything like that.
Bryan Strand:So it's what's the level of effort we're gonna have to put into the test to do an adequate, like, a good job on your pen test? Because we could spend a month on a web app, but, I mean, are you gonna get that much better results than after a week? Probably not on most web apps. So, no, it's not based on how much money the company has or anything like that.
Ashley Knowles:I'm going to hard disagree with you there, Bryan. Oh.
Bryan Strand:Yeah. Let's do it.
Ashley Knowles:Yeah. Mhmm.
Jason Blanchard:Slow down.
Ashley Knowles:So I was recently on a three week engagement for an internal, and I feel like it wasn't enough time.
Jason Blanchard:Three week? It wasn't.
Bryan Strand:Of course you don't. Because every pen tester feels that way. I could pull you away from this keyboard screaming there's a zero-day in there somewhere. And perfection is the enemy of the good. Stop it.
Bryan Strand:You go away.
Ashley Knowles:You go away. Goes away. He goes away. He's like, I'm done here. Bye.
Ashley Knowles:But, no, seriously, I know that I provided them good value. Right? And I know that at the end of the day, they got a really good test out of it, but I felt like I didn't even scratch the surface.
Bryan Strand:I know. I know. And it's wonderful that all of our pen testers feel that way. But it's economies of scale. Not everybody can afford $500,000 for a pen test.
Jason Blanchard:Yeah.
Bryan Strand:But no. And at this point, this is a conversation that has been going back and forth between CJ and me and Melissa and our pen testers for the last decade. You know, I remember you guys know Justin Angle? Has he done a webcast recently?
Jason Blanchard:None for a while.
Bryan Strand:Not for a while. So he's, like, back of house doing, like, dev stuff. Like, his second month on the job, I needed help scoping a web app, and I was like, hey. Like, look at it. What do you think?
Bryan Strand:And he went over it. He's like, I'd probably give it, like, thirty days. And he literally said thirty days of testing. And I was like, oh, cool. I can never ask him to scope anything again.
Bryan Strand:That's unrealistic. So I think that's a very good sentiment. And, honestly, that's a good sign for most pen testers is they want to do a good job for the customers. Yeah. Or the clients.
Bryan Strand:I don't know if that's the right word. But they wanna do a good job, and they do feel like, hey, if I left something behind, and that's the one thing, they take it personal. And I've kinda learned that over the last ten years. So
Jason Blanchard:Alright. Last question. Thanks for answering all these. Are we the cheapest pen testing company that anyone can find?
Bryan Strand:Honestly, I don't, you know, a lion doesn't concern himself with the musings of a lamb. I don't know what other people are charging. I really, I know we are not the cheapest, but I know we're not the most expensive either. That came across really egotistical tonight.
Jason Blanchard:He's trying to be funny. I heard it.
Bryan Strand:I heard it.
Ashley Knowles:Down.
Bryan Strand:I saw lion's share. He's doing all this stuff, and for some reason, I just couldn't get that out of my brain.
Jason Blanchard:Okay. Discord.
Bryan Strand:So, no, we are not the cheapest, but we're not the most expensive either. I mean, we haven't raised our rates with all the inflation stuff in, like, over two years. I think now John has been really hard on, like, I wanna try to keep our rates where they're at so we don't just charge more because everybody else is charging more. So
Jason Blanchard:Yeah. And instead of charging more or anything, like, instead of doing that, we give, like, Antisyphon Training to the team.
Bryan Strand:Yeah. John, yeah. That's kind of his whole thing is he's like, let's keep the price the same, let's keep throwing more stuff at them. Like, if you sign up, you get John's classes for free. Cyber Range. Yeah. Cyber Range.
Bryan Strand:He he throws a bunch of stuff at it.
Deb Wigley:But I throw lots of stuff at people when
Jason Blanchard:T-shirts.
Ashley Knowles:I know. Friends of ours. Yeah.
Bryan Strand:I think he spends too much time with you guys.
Deb Wigley:No. That's not true.
Jason Blanchard:Yeah. We're probably the sucking at capitalism team.
Bryan Strand:Yeah. You're the yeah. That's your branch.
Jason Blanchard:Alright. Brian, anything that you feel like you need to share with the 200 people that stuck around to hear what it's like to do business with us that I didn't cover?
Bryan Strand:Don't feel like you always have to keep learning.
Ashley Knowles:Jeez. Yes. I mean, job security for a small brand.
Bryan Strand:No. I think that's it. I think we're
Jason Blanchard:So if you enjoy this, you may enjoy working with us as well. And so Ashley is a part of a team of, like, there's, like, 40 of you guys.
Ashley Knowles:A lot.
Jason Blanchard:It's just working together. We're... There's a few. Teaching each other. It's amazing. So I feel blessed to work here, to get to work with the team that I do.
Jason Blanchard:And so, Deb, shake us out. What are your final thoughts?
Deb Wigley:It's the same every time. Thank you for spending your time with us and learning from us, learning from Ashley, learning how to drive better maybe because of her. But we just really appreciate you guys spending your time with us, and we love you. And we'll see you next week. Maybe don't pick us out.
Bryan Strand:Does Ryan kill it with fire now? Chase. Yep.
Jason Blanchard:Ryan, it's time.
Deb Wigley:Ryan? Yourself and each other. Here?
Jason Blanchard:Yeah. Ryan, are you here? Ryan?
Ashley Knowles:Ryan's always here.
Jason Blanchard:How's it, Ryan?
Ashley Knowles:I just kill it.
Bryan Strand:I wonder if you job.
Jason Blanchard:Kill it with fire, Ryan.