
Dramatically Increase Your Defense With These 3 Affordable Security Layers

What are you doing to defend your organization from cyber criminals? With these 3 affordable security layers, you will fight hackers – and WIN!

TOM: Welcome to the webinar. This is our Deeper Dive series. I am Tom Kirkham, CEO of Kirkham, which has two different divisions, IronTech Security, which is our infosec or our cybersecurity division where we specialize in cybersecurity for critical infrastructure, law and courthouses, and accountants. So we’re dedicated to those three markets. Kirkham.IT is our MSP side where we’re basically an outsourced IT company. But these are all really about IronTech. So welcome aboard.

You want to take notes on this because the way to dramatically improve your organization’s security posture, and especially your defense, is really composed of 3 things. This is what we consider our core. If you get these 3 things – whether you get them from us or someone else it really doesn’t matter, you need these 3 things. Everyone should have these 3 things in their organization.

#1 is continuous cybersecurity awareness training for everyone in the organization. It’s updated constantly. Whether it’s a new test or a video every week or every month, it doesn’t matter. We just want to make sure that the latest greatest scams and threats and things like that, they’re educated on how to detect them.

#2 is you need an EDR. You’re starting to see it called an endpoint protection platform these days. People make a common mistake – and we go into this in the main webinar – and I even hear IT people say this: “Antivirus is as good as it gets, and don’t click on any email attachments from people you don’t know.” First of all, antivirus is about just barely one notch above useless. In fact, if you take into consideration that it gives you a false sense of security, I would actually say it’s totally useless, and you don’t need it. You need a very specialized product that is called EDR.

Now, often people hear me say those 3 things, they get off the webinar, and they go, “Oh, we’ve already got McAfee, and I think I’ve got a promo email that they’ve got a special on their EDR product.” You can only buy a true EDR from a security company. It is not available off the shelf. Their EDR product is simply inferior. It’s better than antivirus, but believe me, there are much, much better. And if you’ve attended our main webinar, you know we’re a best of breed company, which means we’re not going to put substandard EDRs on our clients. So if you can buy it off the shelf, it’s not suitable.

And finally, you have to have a good backup and business continuity plan, which means you’ve got to be able to recover from a ransomware attack or any other type of attack from a backup. You have to plan that, and you’ve got to understand that there’s cost involved with implementing it, how many touchpoints you have – in other words, how many places you need to put protection in there – and then how quickly you need to restore, or how quickly you need to be back up and running.

Generally that’s a function around perhaps the user and certain things that can control the whole organization. Downtime costs a lot of money, especially with our law firm clients. If you’re billing out $300, $500, $1,200 an hour and you’ve got 30 attorneys that are down, it doesn’t take long to figure out that “Oh, I should’ve put this in place a long time ago because just one outage, we’re getting into tens of thousands of dollars in lost productivity.”

You do these 3 things and you do it carefully, you’re going to dramatically not only improve your defensive posture, but you’re also going to be able to dramatically improve your business resilience. Sometimes it’s referred to as business continuity, and other times it’s referred to as disaster recovery. Those 3 things have some minor technical differences between them, but for the sake of our conversation and most conversations around backup and continuity, you can really interchange those 3 terms. The bonus is that tornadoes, floods, nuclear warfare can all be entered into the planning for business continuity.

It’s a function of time and money. It really is. But you’re going to be surprised at how inexpensive you can get these things. Really, really good enterprise grade backups with virtual machines and things like that.

I’m going to stop my share here for a moment and bring up my cybersecurity training screen. If there’s any questions so far, just go ahead and pop it in there, because this is going to take just a minute to get it up. You might want to put the link to the security assessment deal.

KINDSEY: Okay.

TOM: Sorry, everybody. I found out I just might’ve been exposed to COVID, if you’re wondering why this is going a little rockier than usual. Even rockier than usual.

There it is. You’re going to want to save that link, or go ahead and click on it right now while you’re waiting, and you’ll see what it’s for in just a moment.

What I’m going to show you is our security portal that keeps track of how everybody in the company is doing on cybersecurity awareness training. You’ve got to do this. You’ve got to keep track of what everybody’s doing. Is my screen up now?

KINDSEY: Yeah, but it looks a little blurry or something.

TOM: Let me do that again. The thing about security awareness training is you’ve got to lead and manage it. You can’t just say, “Here’s the link, go take the quizzes and show me your certificate when you’re done.” You want to manage it and really keep tabs on it and coach throughout this whole thing. Is that better?

KINDSEY: Yes.

TOM: What you’re looking at here – and we try out different security things all the time, so don’t get too alarmed at our own score here. But you can see here for all these different employees, you can see what each one’s score is. Here’s Kindsey, me. We’re a medium risk to the company. Now, the overall impact to the company is we’re still in the green, but I can tell you for a fact that Kindsey, Tom, and Megan here all need coaching and they need to get their scores up.

We also check email addresses. In this case, say tom.kirkham@irontechsecurity.com. We check that email address on the Dark Web to see if that email address has been involved with a breach, like LinkedIn and things like that. Then we usually get a lot more detailed information about that breach. What that tells you is they need to change their credentials, first of all, for that site. And if they’ve reused their credentials, they need to change all the other sites that they’ve used those credentials on too, because if they get one set of credentials, they start testing them against other sites.

The Micro Quizzes – the company as a whole is scoring 97%, which is not bad. And then the phishing fail rate. This particular security system sends a phishing simulated email out once a week, and we keep track of who clicks it, who fails the test. This is showing a 6% failure rate, which is not good. But sometimes these phishing emails are really good.

That phishing email is so important because that is the threat vector by far for most ransomware attacks, and if you take that and consider the statistic that over 90% of breaches to an organization occur because an employee was conned into doing something, almost without exception through an email these days – compromised websites, yes, but email is really the big threat. So that phishing rate needs to be real, real low. That’s a little higher than what it should be, obviously.

So you get these things, and I can switch over to an employee view here. The employees only get to see this view. This is my personal stuff. Everybody’s name is obfuscated. I don’t know why Kindsey’s is not, but at any rate, you can see that I’ve had a 10% failure rate. I’m only doing 96% on the Micro Quiz. But I don’t have any external data breaches. But I’m still a fair Employee Secure Score.

And then I’m going to run a Micro Quiz. I’ll give you a little taste of what it looks like.

Video: “Passwords are our keys to the digital world.” Ugh, not that line again! But seriously, passwords are immensely important for both our work lives and personal lives. A recent report estimates an average person has between 70 and 80 passwords they need to remember and manage. This becomes a serious problem when we realize we all should be creating unique and strong passwords for each of our accounts.

The good news is technology has taken a step forward and has provided us with tools to make the task of creating and managing these passwords more simplified. The best way to ensure that you have strong and unique passwords across all your accounts –

TOM: I’m not going to play this whole thing, but it’s only a 2-minute video. Usually they’re a minute and a half to 3 minutes. After the video plays, they answer these questions. “Two-factor authentication is a major” – that’s false. Password manager, you need to get a password manager. That’s the way to keep track of all that. Let’s see. I need to blaze through these. I may miss one because I’m not reading the details. Actually, they phrase these questions specifically, some of them, to mislead you and to make you carefully read it. So if I don’t get 100%, that’s because I’m just guessing at the last one. I didn’t even read that question. Well, I lucked out.

Anyway, you can see here there’s a whole bunch of videos that I haven’t watched. And a lot of these are on things like gas pump skimmers or credit card skimmers, where they educate you just in your personal life. If anybody’s ever been a victim of a gas pump skimmer, you all of a sudden know what to look for. Basically, the bottom line is if anything looks weird on a gas pump, especially where you put your credit card in, don’t.

The way I discovered the two different ones that I was worried about – and one of them was absolutely a skimmer – is I stuck my card in and it didn’t feel smooth. Now, I know that the manufacturing tolerances have to be a little bit better than that, so I knew right then and there. Oh, and you punch your zip code in and it failed. The credit card wouldn’t be authorized. So it made you do it over and over again, and that’s another sure sign that it’s a gas pump skimmer.

In fact, the one time that I discovered it, I was out of town. I think the guy in the convenience store was in on it because “Oh yeah, sometimes out-of-town cards get declined like that. It doesn’t work right.” Yeah, okay, so your buddy and you put this on there. I got you.

Anyway, these are really good. It helps people in their personal lives. And the more you make your people secure, the lower their stress level is, and the lower their attack surface is, and the lower the possibility they have an identity theft problem – which increases the value to the company. So not only are you doing it for the organization, but you’re also doing it to help everybody there.

We see everyone that signs up for these, probably at least 20% or 30% get forwarded to friends and family. They can’t take the tests and they don’t get scored, but they can at least watch the video. So we know it’s used internally. So that’s a little demo of that. Did I cover everything on that, Kindsey?

KINDSEY: Yeah.

TOM: All right, let’s get back to the slideshow. Let’s see if this will work as smooth as I think it will. Look at that. Almost. Almost as smooth. We all right now?

KINDSEY: Yep.

TOM: Now, before I start this video, this is a demo of our primary EDR. We have more than one in our technology, our security stack. This one is the best in the world. I just can’t say enough good things about it. If you’re a technology investor, you want to write this company name down because they’re probably going to be going public here in a few months and they’ve got patents on their artificial intelligence and machine learning they built into the software, and they’re not easily copyable. There’s a lot of EDR vendors out there, but this is the best of the best of breed. This is like best of show when it comes to dogs. Best of show, not just best of breed. SentinelOne is awesome.

Now, having said that, what you’re about to see here is what we see in our security operations center. When an event anomaly occurs or something that a human being needs to look at, we get alerts and then we lay eyes on it, we put humans behind it, and we’re looking at this attack, identifying where it’s coming from, trying to figure out how it got in there, how it penetrated, what we need to do to kill it, quarantine it, whatever.

What they’re doing in the demo is they’re going to simulate a ransomware attack by turning off one of the deals in the control panel to say we don’t want to kill it, we just want to detect it. They’re going to let it run and infect the computer, and then, because of the uniqueness of this product, all the files are going to be encrypted, the ransomware notice is going to be displayed pretty quickly. In a real production environment, that may take hours or even days before all of the files it can touch are encrypted. But then this product has the unique ability to do a 1-click rollback. That’s what they’re simulating here in this next video.

I’ll try to give you an overview as it goes, but that’s what’s going on in that video. Let me get back to it, sorry.

Okay, once again, this is the SOC or the security operations center control panel. They’re changing the normal settings to “just detect.” That’s not the way it runs in real life. You don’t do that. We’re going to actually let it attack this computer.

Here’s the victim computer. Maybe the reception. It could be the CEO, could be the managing partner, could be the utility manager. So we’re going to open this email attachment. There it goes. On the left side you’ll see all those file names change. That means they’re encrypted. And then that gets popped up automatically. It’s going to tell you how much bitcoin you’ve got to pay and what your timeframe is. What’s the average now? $200,000 is the average ransom now.

Now, these products, especially this one, it’s called a storyline in our business. How did the threat execute step by step? What is its storyline? What’s the plot? What’s the arc of the attack? If we better understand tactically from a defensive standpoint, we can respond offensively. And that’s what we do when we have an anomaly or a security event. We respond. It’s not like an antivirus that if it doesn’t kill it, we’re over with. It’s got automated stuff built in, but we still lay eyeballs on it. And nothing’s 100%.

We can look here and see all the different things that it fired off. I think they show the encryption service. Remember, these ransomwares do not have viruses. Antivirus cannot detect any ransomware. There’s no virus to detect. So it has to be machine learnt or artificial intelligence has to be applied to good, good defensive tools like this.

Here goes the rollback. He’s going to apply it and the file names will return right back to the way they were. And I think the file for that – yep, that goes away too. They opened up one of the files to prove it was back. It’s not encrypted anymore. So we killed it, mitigated it fine, everything’s over with. We rarely ever have to use that, but when we do, it’s always worked. It’s really neat.

Now, no good security company will tell you that the defense is 100%. In fact, there’s many, many other layers that we consider when we’re talking with prospects about what is their security posture and what are you trying to protect. There’s scads and scads of things that come in. Most people already have a firewall of some sort. Is it good enough? We’ve got to go through all these different things.

But just these 3 things is what you need. Now, since it’s never 99%, you’ve got to plan for a failure or a ransomware attack or catastrophic facility loss. That’s where a good critical part of backup is a virtual machine backup. I’m just going to let you watch this. I think it’s pretty self-explanatory, but write down any questions you have.

All right, so basically what happened there is we use that particular backup solution – and most of our clients use multiple backup methodologies, technical controls, administrative controls, and all of that. If you’ve been through the main webinar, you know what I’m talking about. But that was so cool. The way we do it in our office is we have basically one accounting machine, and at one time all the data files were stored on it for security reasons. That was mission critical machine for us. We’ve got to get invoices out, we’ve got to pay bills, blah, blah, blah.

We just do a backup of the entire machine, taking periodic snapshots – an hour ago. I think that one’s set up to do it continuously. But regardless, we back it up to both a local device and to the cloud. If we had ever had a catastrophic loss of maybe just that machine – maybe it just caught on fire and the hard drive got melted or something, or the whole building got wiped out – we have choices to bring up that machine just as if nothing happened.

That’s where the virtual machine comes in. Our first choice – can we bring it up locally on this other device that we’re backing up to? If the answer is yes, we’re back up and running practically instantly. Now, maybe the whole building burned down, tornado came through, blew the office away. Okay, let’s go to the cloud. Let’s go to my house and we’ll go to the cloud and then we’ll pull up the accounting machine.

So we’ve got an entire backup of that machine ready to go live. And we automate the testing of that machine. What it does each and every day is it boots up the virtual machine. It’s an exact copy of the physical machine that’s in the office, but automatically it boots it up to the login screen. That’s what you see there on the left. I know it’s not shaped like a computer monitor, but you’ll see the whole screen. That is the login screen at that date and time, the time I made this slide.

If we boot up that virtual machine and it’s gotten to the login screen, it is very safe to assume that it’s ready to go at any time. Now, that’s done automatically. We have other technical controls with revolving backup, including this virtual machine backup which is by Datto. But even data only backups. We’ve got tools that monitor those for failures. And then finally, we lay eyeballs on those backups. We don’t set and forget and pray that they’re there in case we need them. We check them continuously, all day long, both automatically and manually for any possible errors, and then we remediate and mitigate them as soon as we discover any.

If your IT guy, especially if you – IT companies are notorious for this, especially if you’re using an outsourced break/fix where you’re paying by the hour. If you’re paying your IT company by the hour and they’re not billing you for checking your backups and there’s no one else in your office doing it – and don’t forget, it does take some skill to check backups. Not a lot, but it does take some. So they’ve got to be trained if it’s somebody on staff. But if they’re not charging you for checking to make sure the backups are going to be there when you need them, then it’s about like using antivirus. It’s about one step above useless. You’re running on a wing and a prayer, and that’s not the way to get your security posture in place.

So how does this all tie together to the NIST Cybersecurity Framework?

KINDSEY: Tom? Do you want to reshare your screen? It’s just a little blurry.

TOM: Okay.

KINDSEY: That is a lot better. Awesome.

TOM: Sorry about that. So anyone that’s been in our main webinar, we’re a NIST CSF shop. That’s NIST Cybersecurity Framework. It’s part of National Institute of Standards, and that’s part of U.S. Department of Commerce. It’s used worldwide. All sorts of companies use it. It’s just a really good cybersecurity framework to both identify everything and go about protecting your organization.

So with just these 3 things – continuous cybersecurity training, right there on the top; an EDR or an EPP, the one in the middle column; and then backup and resilience – we’re covering all 5 key components at least twice. We use an onion, layered defense. Not the French Maginot line. We’ve got multiple layers of defensive strategy. We do a lot with layers, and we want at least two layers on everyone. And just those 3 things hit two layers of each of the 5 NIST main categories.

Remember, the EDR, we can recover with 1-click rollback and we can recover with backup. Respond – good training will detect threats and alert managers. Of course, the EDR is going to automatically respond and alert human beings to look at it, and backups are going to respond just through the nature of doing the backup. But anyway, detection, protecting, and identifying. It covers at least two layers on every one of those.

To give you an idea, because the title of this is “affordable,” I did a sample pricing. This is a very, very small network. The larger the network, the per user price usually goes down. Now, we have to do a security assessment, though, because it’s a function of time and money and the nature of the assets that we’re trying to protect. If you don’t have industrial control systems, then we probably don’t have to look at putting log analyzers on there to look for anomalies in the logs of firmware. We can look for anomalies in a printer. If somebody tries to attack a printer, we can pull those logs and look. But chances are no one’s going to try to attack. That’s not going to be the vector. It’s going to be through an email.

But at any rate, those 3 things, the security training, the EDR, and the backup, if you’ve got just 3 PCs and no centralized separate server that does authentication and things like that, it would only cost you $99 a month. That’s just a sample. Some people it’s cheaper, other people it’s more for 3. It just depends on what you have to protect and how long you can be down and various other things.

And we work with you on that. The security assessment, we send you a form. It’s very basic. It’s only got a few questions on it. We’ll spend 20 or 30 minutes talking to you about some things and asking you questions and probing. If you’ve got an IT staff or an outsourced IT company, have them join in on this. We have an IT partner program if you outsource your IT. We work with IT staff and IT companies. Should not be a threat. We should not be a threat if you outsource your IT. We’re experts at this, and we see this stuff every day.

So we work with them to build out the best solution for your company, and then we let you decide. Because as an owner, managing partner, utility manager, whatever your head honcho title is, you know that’s where the buck stops. You’re the one that has to know, “How much money do I need to spend, or how much money am I willing to spend so my name and my company don’t end up on the 5 o’clock news? Or my customer data is not stolen and used against me? Or all of the company data isn’t encrypted and we’re shut down?” You have to know that and you’ve got to make those decisions.

What we do is work with you to say, “Here’s all your possibilities and here’s our recommendation for the level of risk that we’ve seen in organizations such as yours.” There’s the phone number. Add that to the 3 things. It’s free. You don’t have to do anything. We can also hook you up with 30 days of security training, which gives you that full manager portal, and we walk you through it. For those 30 days we’re going to say, “Hey, your people are doing really bad here.” We’re going to nag you a little bit.

The worst thing you can do is just send it out and say “Everybody do this” and that’s it. It won’t work that way. You’ve got to establish a security-first environment, and it has to come from the top down. And it takes a while. It takes a little effort. Not a whole lot. You onboard employees, if you’ve got good security – we went through it today, went through it last week. We’re onboarding employees, and it’s a hassle to get them set up at first. But once you do, everything gets so much better and so much more secure and so much smoother. It actually increases productivity if you’ve got a really good secure environment. But everybody’s got to buy into it.

At any rate, I’m a little over. If there’s any questions, though, we can stay as long as you’d like. I’ll open it up. Mary has usually got one. [laughs]

KINDSEY: Doesn’t look like we have any yet.

TOM: Alrighty, that’s it. Thank you for attending, and we’ll see you next Tuesday, I guess.

KINDSEY: Thank you, guys.