Skip to content
Don't miss

Get the daily Cyber Briefing in your inbox

SIGN UP
Podcast

Legacy Systems and the Future of Manufacturing Security with Bill Rucker

Season 2 Episode 10 •

Show Notes

In this episode of Cyber Focus, host Frank Cilluffo sits down with Bill Rucker, a seasoned veteran in IT and cybersecurity, currently leading Trustwave Government Solutions. They explore the insights from Trustwave’s recent report on cybersecurity challenges facing the manufacturing sector. Rucker highlights the rapidly rising costs of breaches, now averaging $5.8 million, emphasizing vulnerabilities stemming from legacy operational technology (OT) and the complexities of integrating OT with modern IT systems. The conversation also covers the increased sophistication of cyber threats, the critical need for visibility in cybersecurity, and practical steps manufacturers can take to bolster their defenses.

Main Topics Covered:

  • Rising cybersecurity threats in manufacturing
  • Increasing costs and impacts of cybersecurity breaches in manufacturing
  • Challenges with legacy OT devices and integration with IT infrastructure
  • Recommendations for strengthening cybersecurity resilience in manufacturing
  • Importance of collaboration between private sector companies and government cybersecurity efforts

Key Quotes:

“The average cost of breach in 2023 for the manufacturing sector was about 4.6, 4.7 million dollars. That’s closer to 5.8 now.” – Bill Rucker

“The biggest issue too in manufacturing is the legacy devices and the fact that there’s now such a push to take OT devices and put them into IoT.” – Bill Rucker

“Dwell time—how long an adversary remains undetected—used to be 177 days on average. Now it’s sub-10 days in the last two years, thanks to the explosion of EDR technology.” – Bill Rucker

“Human nature remains consistent for good or bad, and it’s going to take people to have trust and actually work together to get things done.” – Frank Cilluffo

“Bad news doesn’t get better with time.  So let’s talk about what the challenges are.” – Bill Rucker

Relevant Links and Resources:

Guest Bio:
Bill Rucker is the President of Trustwave Government Solutions, with nearly 25 years of experience in cybersecurity and IT. His leadership has been instrumental in securing critical sectors, including government and manufacturing, through strategic cybersecurity initiatives.

Transcript

1
00:00:01,280 –> 00:00:06,008
Frank Cilluffo: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas

2
00:00:06,104 –> 00:00:10,952
Frank Cilluffo: shaping and defending our digital world. I’m your host, Frank Cilluffo and have the privilege

3
00:00:11,016 –> 00:00:14,840
Frank Cilluffo: this week to sit down with Bill Rucker. Bill is a seasoned veteran of the

4
00:00:14,880 –> 00:00:21,528
Frank Cilluffo: IT and cybersecurity space over 25 years. He is currently president of Trustwave Government Solutions.

5
00:00:21,624 –> 00:00:26,216
Frank Cilluffo: And they just came out with a new report focused on the manufacturing sector and

6
00:00:26,288 –> 00:00:31,410
Frank Cilluffo: really look forward to diving in and getting a great snapshot and going deep on

7
00:00:31,450 –> 00:00:34,514
Frank Cilluffo: some of these issues. Bill, thanks so much for joining us. Thanks, Frank. It’s a

8
00:00:34,522 –> 00:00:38,482
Bill Rucker: pleasure to be here. You know, I want to start with your first sentence of

9
00:00:38,506 –> 00:00:45,714
Frank Cilluffo: the report and that talks about how cybersecurity in the manufacturing sector is complex. And

10
00:00:45,882 –> 00:00:50,178
Frank Cilluffo: we all know 17 sectors. They all look a little different, but they all share

11
00:00:50,234 –> 00:00:55,026
Frank Cilluffo: some similarities. What I thought would make sense is to paint the scene, let our

12
00:00:55,098 –> 00:01:01,306
Frank Cilluffo: viewers know what makes the sector unique, different and any thoughts you’d like to tee

13
00:01:01,338 –> 00:01:05,274
Frank Cilluffo: up to begin with? Yeah, absolutely. And these threat reports are great. They come out

14
00:01:05,282 –> 00:01:10,122
Bill Rucker: of our Spider Labs organization by way of a background, a little bit just on

15
00:01:10,146 –> 00:01:16,234
Bill Rucker: myself. So I’ve been with Trustwave since 2010. They acquired a company called Intellitactics. So

16
00:01:16,242 –> 00:01:20,858
Bill Rucker: I come up on 25 years this August with the organization. And then Trustwave Government

17
00:01:20,914 –> 00:01:26,332
Bill Rucker: Solutions became a wholly owned subsidiary of the organization in 2015. And that division purely

18
00:01:26,396 –> 00:01:30,364
Bill Rucker: focuses on the federal government. So also the DIB community and some of the SLED

19
00:01:30,412 –> 00:01:36,060
Bill Rucker: are people that have unique requirements like our federal government customers. Our organization looks just

20
00:01:36,100 –> 00:01:39,916
Bill Rucker: like the rest of the global organization. We have Spiral Labs organizations, we have managed

21
00:01:39,948 –> 00:01:44,492
Bill Rucker: services, we have delivery consultants. So we’re just an arm within that that has all

22
00:01:44,516 –> 00:01:50,172
Bill Rucker: those unique requirements, has all the specific clearances, background investigations, etc. That we would need

23
00:01:50,196 –> 00:01:55,952
Bill Rucker: to be able to service that public sector environment. Because of that, we do work

24
00:01:55,976 –> 00:02:00,112
Bill Rucker: in the manufacturing space as well. So we have customers that, you know, may be

25
00:02:00,136 –> 00:02:05,568
Bill Rucker: involved with with shipbuilding. They may be building parts that go into very strategic things

26
00:02:05,624 –> 00:02:10,992
Bill Rucker: that our Department of Defense uses. And so they have unique requirements. Digging into these

27
00:02:11,016 –> 00:02:15,088
Bill Rucker: threat reports and we do more than this manufacturing. It’s actually the second time we’ve

28
00:02:15,104 –> 00:02:18,672
Bill Rucker: done the manufacturing report. We did this in 2023 as well. So it’s great to

29
00:02:18,696 –> 00:02:22,878
Bill Rucker: actually see the differences from what we did two years ago to now. And I’ll

30
00:02:22,894 –> 00:02:27,102
Bill Rucker: talk about some of those differences and the biggest one is really the impact of

31
00:02:27,126 –> 00:02:33,006
Bill Rucker: the breach in that environment. The average cost of breach in 2023 for the manufacturing

32
00:02:33,198 –> 00:02:40,510
Bill Rucker: sector was about 4.6, $4.7 million. That’s closer to 5.8 now. So it increased over

33
00:02:40,550 –> 00:02:44,766
Bill Rucker: 20% in just two years and it’s actually higher than the overall average of breach,

34
00:02:44,798 –> 00:02:49,520
Bill Rucker: which is I think 5.6 million now. So there’s definitely a threat there from that

35
00:02:49,560 –> 00:02:54,400
Bill Rucker: regard. And the biggest issue too in manufacturing is the legacy devices and the fact

36
00:02:54,440 –> 00:03:00,080
Bill Rucker: that there’s now such a push to take OT devices and put them into. Net

37
00:03:00,120 –> 00:03:05,152
Frank Cilluffo: em up on IoT. Yeah, yeah, yeah. OT SOC convergence and you know, I’ve been

38
00:03:05,176 –> 00:03:09,056
Bill Rucker: to a couple events recently that really focus on the OT OIT environment and they’re

39
00:03:09,088 –> 00:03:14,272
Bill Rucker: still really struggling with how do they take the telemetry of such a unique environment

40
00:03:14,376 –> 00:03:18,944
Bill Rucker: where it really was about production and uptime, not so much the resiliency in cybersecurity

41
00:03:18,992 –> 00:03:22,444
Bill Rucker: where the IT people have had in the past. So there’s a lot of conflicts

42
00:03:22,492 –> 00:03:27,052
Bill Rucker: really on how that environment and how the traditional SOC environment will kind of work

43
00:03:27,076 –> 00:03:32,044
Bill Rucker: together. And because of that, it makes the manufacturing report pretty unique in that. And

44
00:03:32,132 –> 00:03:35,548
Bill Rucker: I think the other thing that we’ll see is there’s a lot of similarities around

45
00:03:35,604 –> 00:03:41,596
Bill Rucker: the actual cyber threat that’s making the impact, you know, of the, of the attacks

46
00:03:41,628 –> 00:03:48,384
Bill Rucker: that we saw in manufacturing, 54% of those were actually US based industries. And that

47
00:03:48,392 –> 00:03:53,104
Bill Rucker: was up a little bit from what we’d seen before. But surprisingly, I think the

48
00:03:53,272 –> 00:03:58,624
Bill Rucker: data point that I thought that was really interesting is that 87% of those attacks

49
00:03:58,672 –> 00:04:03,168
Bill Rucker: all came from phishing. So across the board, whether we’re looking at our education report

50
00:04:03,224 –> 00:04:07,360
Bill Rucker: we did, the public sector report we did, I think there was retail health care

51
00:04:07,400 –> 00:04:12,160
Bill Rucker: as well as supply chain fishing remains to be across the board. Right. Or number

52
00:04:12,200 –> 00:04:16,596
Bill Rucker: two, it’s just, it’s an easy access to. There’s a reason people do phishing tests

53
00:04:16,628 –> 00:04:21,380
Bill Rucker: every month because everyone from the low level admin to the CEO will click on

54
00:04:21,420 –> 00:04:24,724
Bill Rucker: something if it piques their interest and there’s a news event. So it’s just a

55
00:04:24,732 –> 00:04:30,644
Bill Rucker: very easy way for adversaries to still gain access to environments. And that is consistent

56
00:04:30,692 –> 00:04:34,564
Frank Cilluffo: across all the sectors you’ve examined, right? That we’ve seen? Absolutely. If it’s not in

57
00:04:34,572 –> 00:04:40,004
Bill Rucker: the top three, then it’s a sector that wouldn’t necessarily be deemed relevant, honestly, from

58
00:04:40,012 –> 00:04:45,924
Bill Rucker: a market perspective. And what about dwell time not to jump right in? Have you

59
00:04:45,932 –> 00:04:50,778
Frank Cilluffo: seen big, big shift in terms of by the time a breach is noticed and

60
00:04:50,834 –> 00:04:55,402
Frank Cilluffo: how to remediate? Yeah, a massive change. I mean if you go back not even

61
00:04:55,426 –> 00:04:59,450
Bill Rucker: that long ago, five years, it was still at 177 days I think was the.

62
00:04:59,490 –> 00:05:06,202
Bill Rucker: Was the dwell time. Now it’s sub 10 days in the last two years. And

63
00:05:06,226 –> 00:05:12,842
Bill Rucker: that’s really because of this, the explosion of EDR technology. So the telemetry that you

64
00:05:12,866 –> 00:05:18,584
Bill Rucker: have now, as a cybersecurity professional, especially as a cybersecurity service provider, from an MSSP

65
00:05:18,632 –> 00:05:24,952
Bill Rucker: perspective, the EDR telemetry gives us the ability to see things on the endpoint in

66
00:05:24,976 –> 00:05:30,136
Bill Rucker: real time, where in the past was really just leveraging almost the edge or sometimes

67
00:05:30,168 –> 00:05:33,976
Bill Rucker: if you were lucky, a log server. If they were really innovative and really mature,

68
00:05:34,008 –> 00:05:38,440
Bill Rucker: they might have had a SIM solution. But you weren’t able to see something go

69
00:05:38,480 –> 00:05:42,120
Bill Rucker: directly to the endpoint, pivot and then kick off a threat hunt and see where

70
00:05:42,160 –> 00:05:46,002
Bill Rucker: else that had gone. So the dwell time now is much better for the good

71
00:05:46,026 –> 00:05:51,042
Bill Rucker: guys, but that’s just made the adversaries get better. Right. And smarter and pivot or.

72
00:05:51,146 –> 00:05:56,162
Frank Cilluffo: And more incidents and more incidents. And so the, the threat hunting aspect that has

73
00:05:56,186 –> 00:06:01,218
Bill Rucker: evolved out of that has helped lower that dwell time a little bit more. Every

74
00:06:01,274 –> 00:06:05,762
Bill Rucker: threat hunt we’ve done with this new platform, regardless of the fact if there’s an

75
00:06:05,786 –> 00:06:10,002
Bill Rucker: EDR solution or a sim, we found something that was unknown to the environment and

76
00:06:10,026 –> 00:06:14,762
Bill Rucker: unknown to those devices. It’s just there’s things that you just can’t necessarily detect if

77
00:06:14,786 –> 00:06:19,674
Bill Rucker: the adversary has a really good or smart approach. Yeah. And we recently had Rob

78
00:06:19,722 –> 00:06:25,370
Frank Cilluffo: Lee, who CEO of Dragosan and he was talking about new malware specifically targeting the

79
00:06:25,410 –> 00:06:30,618
Frank Cilluffo: OT sector. And we had Tom Fanning on talking about some of the IT OT

80
00:06:30,714 –> 00:06:38,074
Frank Cilluffo: convergence issues. And you had mentioned and I want to sort of peel the onion

81
00:06:38,122 –> 00:06:42,442
Frank Cilluffo: a little bit here and hopefully not cry if I peel too much. But I

82
00:06:42,466 –> 00:06:48,710
Frank Cilluffo: mean culturally there are big, big differences between the IT environment and the OT environment.

83
00:06:48,830 –> 00:06:53,654
Frank Cilluffo: And you capture that I think very well in the report. OT very focused on

84
00:06:53,742 –> 00:07:02,166
Frank Cilluffo: public safety, traditional emergency response and security. I think preventing three mile aisles, it focused

85
00:07:02,198 –> 00:07:08,662
Frank Cilluffo: a little differently. How does that impact sort of that IT OT sets of challenges

86
00:07:08,806 –> 00:07:14,100
Frank Cilluffo: and specifically in manufacturing where you do have legacy devices, some of which are 30

87
00:07:14,140 –> 00:07:21,320
Frank Cilluffo: years old. So what are your thoughts there? So great data points. And you mentioned

88
00:07:21,660 –> 00:07:25,540
Bill Rucker: one of the technologies dragos in this space. And so I was just recently attended

89
00:07:25,620 –> 00:07:31,172
Bill Rucker: S4 by 25 and it’s just a phenomenal OT event that they have annually and

90
00:07:31,196 –> 00:07:36,020
Bill Rucker: you’ll have everyone from Nozomi and Dragos and Clarity. So the major Players in that

91
00:07:36,060 –> 00:07:40,132
Bill Rucker: OT space are there. And there’s a lot of discussion still on how do you

92
00:07:40,156 –> 00:07:44,182
Bill Rucker: take those relatively newer technologies, I mean, all of them are two or three years

93
00:07:44,206 –> 00:07:50,470
Bill Rucker: old, right? Maybe four at the most, and integrate them into the contextual adaptation into

94
00:07:50,510 –> 00:07:55,606
Bill Rucker: the SoC. Right. And so the biggest challenge on the manufacturing and that folks like

95
00:07:55,678 –> 00:08:02,454
Bill Rucker: those companies have is that 73% of OT devices are still unmanaged. Right. So from

96
00:08:02,462 –> 00:08:06,630
Bill Rucker: an endpoint, which is staggering, if you think is staggering, I mean, so the visibility

97
00:08:06,710 –> 00:08:10,902
Bill Rucker: you have of what’s truly going on right outside of maybe just HVAs or potential

98
00:08:10,966 –> 00:08:16,078
Bill Rucker: high value assets in your environment is pretty scary in that regard. And you have

99
00:08:16,134 –> 00:08:21,134
Bill Rucker: scenarios where something that you might consider the least likely to be a problem, like

100
00:08:21,222 –> 00:08:26,526
Bill Rucker: a camera, for example, in your environment. We’ve had organizations in the Spiral Labs groups

101
00:08:26,558 –> 00:08:30,638
Bill Rucker: to where they’ve gone into an environment to do a penetration test. And it’s been

102
00:08:30,694 –> 00:08:35,534
Bill Rucker: a very secure environment. Impressive things are locked down. There’s technology on the endpoint, the

103
00:08:35,542 –> 00:08:40,162
Bill Rucker: firewalls are up to date, the right ports are turned off, and yet they look

104
00:08:40,186 –> 00:08:43,682
Bill Rucker: at the rest of the environment of what’s open and they find a network of

105
00:08:43,706 –> 00:08:47,858
Bill Rucker: cameras. And those cameras are very well organized all the way down to whose office

106
00:08:47,914 –> 00:08:51,538
Bill Rucker: is what. And then you can actually off and hike vision. So camera’s a concern

107
00:08:51,674 –> 00:08:54,242
Frank Cilluffo: all the way. To where you could type in titles and you could type in

108
00:08:54,266 –> 00:08:58,850
Bill Rucker: CEO, cfo, coo, go right to their office. And if you’re patient and you have

109
00:08:58,890 –> 00:09:03,106
Bill Rucker: screen recording, you can capture their password by just looking at the keyboard. Right. Depending

110
00:09:03,138 –> 00:09:06,796
Bill Rucker: on the angle of the camera. So we were able to compromise a very secure

111
00:09:06,828 –> 00:09:10,572
Bill Rucker: environment because of an OT flaw. Right. They just had this camera system which they

112
00:09:10,596 –> 00:09:15,916
Bill Rucker: just deemed, you know, a security control for, you know, physical security. And it became

113
00:09:15,948 –> 00:09:20,572
Bill Rucker: a major IT threat. Do you know anyone who’s sort of, and I know you

114
00:09:20,596 –> 00:09:25,724
Frank Cilluffo: have experience in SoCs and most people think of a SoC in an IT environment.

115
00:09:25,892 –> 00:09:30,460
Frank Cilluffo: You also have OT SoCs. Have you seen anyone combine those where you get true

116
00:09:30,540 –> 00:09:39,108
Frank Cilluffo: visibility? We have two very specific and unique pilots in our current customer base. One’s

117
00:09:39,124 –> 00:09:43,764
Bill Rucker: a little bit more advanced than the other and they are a very, very large

118
00:09:43,852 –> 00:09:51,908
Bill Rucker: OT environment utility. Initially not in the utility in the transportation space. They initially had

119
00:09:51,964 –> 00:09:58,436
Bill Rucker: merged kind of their cyber operations, next generation SOC and OT together. Those plans changed

120
00:09:58,468 –> 00:10:02,292
Bill Rucker: a little bit when they realized just some of the challenges that would exist to

121
00:10:02,316 –> 00:10:06,848
Bill Rucker: try to do that on as one. So those kind got split apart. You go

122
00:10:06,904 –> 00:10:12,592
Bill Rucker: fast forward a year into them really revolutionizing their sock. Getting automation and integrating AI

123
00:10:12,656 –> 00:10:16,464
Bill Rucker: ML and having kind of 24 by 7 eyes on glass. All advancement for them

124
00:10:16,552 –> 00:10:20,576
Bill Rucker: now is okay, what can we do from an OT perspective? And they’re making phenomenal

125
00:10:20,608 –> 00:10:24,592
Bill Rucker: progress. None of it’s as fast as us as a solution provider would want or

126
00:10:24,616 –> 00:10:29,024
Bill Rucker: they would want, but there’s just inherent limitations still on how do you get the

127
00:10:29,032 –> 00:10:33,914
Bill Rucker: right telemetry from everything? Because some of your apples and apples, right. Some of the

128
00:10:33,922 –> 00:10:38,010
Bill Rucker: OT technologies work in certain environments, but not in others. And so you know, where

129
00:10:38,050 –> 00:10:43,018
Bill Rucker: one provider might provide context on X part of the environment, they can’t see Y

130
00:10:43,074 –> 00:10:47,594
Bill Rucker: part of the environment. So getting a collaborative to where those telemetries and really that

131
00:10:47,682 –> 00:10:52,522
Bill Rucker: common event format comes into a SIM or some type of automation where you can

132
00:10:52,546 –> 00:10:56,538
Bill Rucker: correlate and do something value with that data, that’s where it becomes very difficult. We’ve

133
00:10:56,554 –> 00:11:01,132
Bill Rucker: been doing that for cyber data sources for decades. Long time. Right? Yeah, but, but

134
00:11:01,156 –> 00:11:04,652
Frank Cilluffo: at some point that needs to happen. Does it? I mean, if you’re, if you’re

135
00:11:04,716 –> 00:11:09,740
Frank Cilluffo: briefing an executive or the C suite, at the end of the day, a visual,

136
00:11:09,820 –> 00:11:14,972
Frank Cilluffo: a picture can say a thousand words and more and it can actually justify budgets

137
00:11:15,036 –> 00:11:21,756
Frank Cilluffo: too. So until you can sort of articulate and communicate and visualize some of these

138
00:11:21,828 –> 00:11:27,042
Frank Cilluffo: issues collectively, I think we’re, we’re not as far along as we would hope to

139
00:11:27,066 –> 00:11:29,474
Frank Cilluffo: be. Is that fair? Yeah. And you hit on one of the. Biggest, and I’m

140
00:11:29,482 –> 00:11:31,794
Frank Cilluffo: biased and I’m leading the witness, so you hit on one of the biggest. Please

141
00:11:31,802 –> 00:11:35,906
Frank Cilluffo: feel free to shoot back. The OT skills gap, I mean let, let alone the,

142
00:11:35,978 –> 00:11:41,458
Bill Rucker: the cybersecurity skills gap. The OT skills gap is, is massive. Right. And a couple

143
00:11:41,474 –> 00:11:44,882
Bill Rucker: of the data points that we had in our report that we pulled out, there

144
00:11:44,906 –> 00:11:53,138
Bill Rucker: were just over 4,000 unique vulnerabilities of the 25,000 public exposed vulnerabilities that were specific

145
00:11:53,234 –> 00:12:00,282
Bill Rucker: to manufacturing. Right. According to a report, out of CISA, 3,800 of those were deemed

146
00:12:00,346 –> 00:12:06,394
Bill Rucker: critical vulnerabilities. On their kev list. Correct? Yeah. And that’s 15% of of the known

147
00:12:06,482 –> 00:12:11,098
Bill Rucker: of the overall list and the majority of the of the list of vulnerabilities. So

148
00:12:11,154 –> 00:12:16,154
Bill Rucker: to say that it’s not a critical threat would be, would be an understatement. The

149
00:12:16,162 –> 00:12:21,290
Bill Rucker: one thing that’s interesting is, you know, I consider myself from 25 years in cyber

150
00:12:21,370 –> 00:12:25,210
Bill Rucker: to know quite a bit about that. And so when I went to the first

151
00:12:25,250 –> 00:12:30,582
Bill Rucker: OT, I had been to dedicated OT event in 2024 you know, I was like,

152
00:12:30,606 –> 00:12:33,606
Bill Rucker: ah, this will be, this will be straightforward. I’ll understand this easily. I remember walking

153
00:12:33,638 –> 00:12:37,558
Bill Rucker: out of the first two sessions going, I don’t know anything about, about ot. So

154
00:12:37,694 –> 00:12:40,614
Bill Rucker: it’s definitely been a journey for us. And the fact that we now have multiple

155
00:12:40,662 –> 00:12:45,062
Bill Rucker: assessments that help people. Where are you on your OT journey? Where do you need

156
00:12:45,086 –> 00:12:47,862
Bill Rucker: to get to? What would we recommend based on what we’ve seen and kind of

157
00:12:47,886 –> 00:12:52,390
Bill Rucker: where is it going? Because all of the major providers are adding some level of

158
00:12:52,430 –> 00:12:57,672
Bill Rucker: OT context to their cyber plan, but the telemetry from the people that have been

159
00:12:57,696 –> 00:13:02,552
Bill Rucker: doing OT for a while is getting better and better, and it’s getting more and

160
00:13:02,576 –> 00:13:07,064
Bill Rucker: more security usable context where in the past was really, am I up, am I

161
00:13:07,072 –> 00:13:11,288
Bill Rucker: breathing, am I alive? And that’s still going to be their priority. Historically. Right. It’s

162
00:13:11,304 –> 00:13:16,040
Frank Cilluffo: uptime. But when you can shut off a valve and poison a water treatment center,

163
00:13:16,200 –> 00:13:20,392
Bill Rucker: you know, that’s when the real life happens. Absolutely. And you know, this may be

164
00:13:20,416 –> 00:13:26,812
Frank Cilluffo: a bad analogy, but I look at it similarly to FEMA and CISA within the

165
00:13:26,836 –> 00:13:33,292
Frank Cilluffo: Department of Homeland Security. One’s a little more emergency response preparedness, resilience. Resilience should be

166
00:13:33,316 –> 00:13:38,124
Frank Cilluffo: the banner around everything. The other is going to be more cyber threat hunt, edr,

167
00:13:38,252 –> 00:13:43,692
Frank Cilluffo: all the, all the bells and whistles that come around cyber. And you see some

168
00:13:43,716 –> 00:13:48,988
Frank Cilluffo: of the same challenges in companies, and sometimes it’s through a chief security officer, sometimes

169
00:13:49,004 –> 00:13:54,348
Frank Cilluffo: it’s through, through a chief information security officer, and rarely do the two fully come

170
00:13:54,404 –> 00:14:00,780
Frank Cilluffo: together. And I just have to think that’s the future. Whoever figures out how to

171
00:14:00,820 –> 00:14:06,812
Frank Cilluffo: do that and articulate it and ensure that the cultures are aligned to meet the

172
00:14:06,836 –> 00:14:12,332
Frank Cilluffo: mission objectives of an organization, whether company, government, whatever it is. That’s sort of where

173
00:14:12,356 –> 00:14:17,180
Frank Cilluffo: I think we need to be. I agree on that. And it is different for

174
00:14:17,220 –> 00:14:23,032
Bill Rucker: manufacturing versus government too, because you think about the number one threat outside of how

175
00:14:23,056 –> 00:14:27,992
Bill Rucker: they get compromised. So the result of that phishing becomes ransomware. Right. And when you

176
00:14:28,016 –> 00:14:36,072
Bill Rucker: look at the threats of ransomware into those groups, one of the challenges is do

177
00:14:36,096 –> 00:14:41,112
Bill Rucker: they take the threat from a cost perspective and mitigate it? Because they’ve done all

178
00:14:41,136 –> 00:14:45,960
Bill Rucker: the right things. They have secure backups, they’ve put all those controls in place. Nine

179
00:14:46,000 –> 00:14:49,194
Bill Rucker: times out of ten, they haven’t. So that’s why you see a lot more of

180
00:14:49,202 –> 00:14:53,834
Bill Rucker: those ransom paid in certain market segments than others. And especially where you need to

181
00:14:53,842 –> 00:15:00,922
Frank Cilluffo: be up 100%. And honestly, the general public, many people outside of it, cybersecurity maybe

182
00:15:00,986 –> 00:15:04,746
Bill Rucker: 10% of them knew what ransomware was until Colonial Pipeline. But all of a sudden

183
00:15:04,778 –> 00:15:08,826
Bill Rucker: you’re in a line of 50 cars trying to get gas and they’re saying there’s

184
00:15:08,858 –> 00:15:12,602
Bill Rucker: no gas because there’s a, you know, there’s an IT issue or a cybersecurity issue.

185
00:15:12,706 –> 00:15:16,298
Bill Rucker: I mean, that was an example where it really brought the public kind of into

186
00:15:16,354 –> 00:15:20,156
Bill Rucker: the fold and they saw for the first time what the impact of an actual

187
00:15:20,188 –> 00:15:24,172
Bill Rucker: ransomware or cybersecurity attack on a very vital production all the way up and down

188
00:15:24,196 –> 00:15:28,920
Bill Rucker: the east coast could actually have. Absolutely. And when you think of manufacturing in particular,

189
00:15:29,780 –> 00:15:34,924
Frank Cilluffo: the intentions as well as the methods or the tactics, techniques and procedures of the

190
00:15:34,932 –> 00:15:40,476
Frank Cilluffo: adversary are going to be a little different because it is that OT dependency. And

191
00:15:40,548 –> 00:15:46,334
Frank Cilluffo: I do think that sometimes gets lost in the shuffle and the sector as a

192
00:15:46,342 –> 00:15:53,502
Frank Cilluffo: whole is lagging, comparatively speaking. Your report has underscored. Would you agree with that? I

193
00:15:53,526 –> 00:15:57,438
Frank Cilluffo: think you would since it was in your report. But I’d be curious what thoughts

194
00:15:57,454 –> 00:16:00,782
Frank Cilluffo: you have there. And I don’t mean to be negative in terms of lagging, but

195
00:16:00,806 –> 00:16:05,150
Frank Cilluffo: it is behind other sectors. It is. And some of the things that have been

196
00:16:05,190 –> 00:16:10,094
Bill Rucker: easy to do for a long time aren’t easy to do in the OT world.

197
00:16:10,262 –> 00:16:15,862
Bill Rucker: And you look at something that major programs in the federal government, if you go

198
00:16:15,886 –> 00:16:19,782
Bill Rucker: back and think about the CDM program, for example, all the way back to 2010

199
00:16:19,806 –> 00:16:24,790
Bill Rucker: and 2011, one of the initial goals of that 15 years ago was asset inventory.

200
00:16:24,870 –> 00:16:29,490
Bill Rucker: Where are all my critical devices? Which ones are high value assets? Where are they?

201
00:16:29,870 –> 00:16:34,646
Bill Rucker: How can you defend and protect what you don’t know exists? That’s really the forefront

202
00:16:34,678 –> 00:16:39,414
Bill Rucker: of where OT is on the manufacturing side. Because again, there are unknown or unmanaged

203
00:16:39,462 –> 00:16:45,750
Bill Rucker: devices today. And there’s not a really good approach to asset inventory from ot. What

204
00:16:45,790 –> 00:16:50,262
Bill Rucker: qualifies? Right. Is it everything up into, including door badge systems, all the way down

205
00:16:50,286 –> 00:16:55,014
Bill Rucker: to a valve and a water system? There’s a lot of work that needs to

206
00:16:55,022 –> 00:16:59,334
Bill Rucker: be done to define what’s critical and what’s not. When it comes to what are

207
00:16:59,342 –> 00:17:03,302
Bill Rucker: we going to integrate into the soc, what’s relevant because you have to have the

208
00:17:03,326 –> 00:17:07,824
Bill Rucker: telemetry, has to have actionable intelligence. Right. We used to have a lot of folks

209
00:17:07,872 –> 00:17:12,352
Bill Rucker: on our, in our cybersecurity work in both the civilian government, the DoD, they look

210
00:17:12,376 –> 00:17:15,632
Bill Rucker: at a specific screen and say, okay, that’s great, I see lots of trends and

211
00:17:15,656 –> 00:17:19,952
Bill Rucker: bars and stuff. But where’s the. So what? Where’s the actionable thing that tells me

212
00:17:19,976 –> 00:17:24,064
Bill Rucker: what to do or not to do or what step to take next. That’s extremely

213
00:17:24,112 –> 00:17:28,320
Bill Rucker: difficult to do when you have potentially life’s on the line, production lines going down

214
00:17:28,360 –> 00:17:32,944
Bill Rucker: and that changes the game. No, that sums it up I think very well. And

215
00:17:33,032 –> 00:17:37,378
Frank Cilluffo: at the end of the day, the adversary gets a vote in all this too.

216
00:17:37,434 –> 00:17:42,834
Frank Cilluffo: Right. So what we may think is essential may be a vulnerability that’s being exploited

217
00:17:42,882 –> 00:17:46,434
Frank Cilluffo: as part of a broader campaign. Right. And they only have to be right once.

218
00:17:46,522 –> 00:17:52,706
Frank Cilluffo: And they only have to be right once. And they are clearly thinking cyber as

219
00:17:52,778 –> 00:17:57,762
Frank Cilluffo: one instrument and tool in a broader campaign effort. Especially when we’re dealing with state

220
00:17:57,866 –> 00:18:06,032
Frank Cilluffo: actors, nation state actors, the Chinas, the Russias, the Irans, the North Koreas and and

221
00:18:06,056 –> 00:18:10,464
Frank Cilluffo: I like to say what we see overseas is often a movie coming to a

222
00:18:10,472 –> 00:18:15,456
Frank Cilluffo: theater near you here. So it has relevance. Those are their practice fields. They are.

223
00:18:15,528 –> 00:18:21,440
Bill Rucker: And again with systems that are connected in ways that we don’t fully understand and

224
00:18:21,480 –> 00:18:26,432
Bill Rucker: may not fully understand what the mapping of connectivity from one OT system is to

225
00:18:26,456 –> 00:18:31,824
Bill Rucker: another, one system’s compromised and then it goes into an actual managed OT system and

226
00:18:31,832 –> 00:18:36,192
Bill Rucker: that that has connectivity to your IT environment. So a something that would seem like

227
00:18:36,216 –> 00:18:42,912
Bill Rucker: a non credible target all of a sudden, massively credible. And now you’re on the

228
00:18:42,936 –> 00:18:47,344
Bill Rucker: network moving laterally and if you’re able to. Again, we talked about the phishing, you

229
00:18:47,352 –> 00:18:50,704
Bill Rucker: know, if you have credentialed access. Yep. And you can live. You talk about dwell

230
00:18:50,752 –> 00:18:53,984
Bill Rucker: time. I mean that’s a hard one to measure because if you’re a credentialed, if

231
00:18:53,992 –> 00:18:58,000
Bill Rucker: you have credentialed access as an adversary, you can kind of move at free will.

232
00:18:58,040 –> 00:19:01,252
Bill Rucker: With the exception of some of the anomaly detections and things are out there, you

233
00:19:01,276 –> 00:19:04,340
Bill Rucker: can do a lot of damage in a very short period of time or put

234
00:19:04,380 –> 00:19:07,252
Bill Rucker: things in place that allow you to come back in very easily and then you

235
00:19:07,276 –> 00:19:12,292
Bill Rucker: exit and you know, nobody knows the difference. Exactly. And that was the big takeaway

236
00:19:12,356 –> 00:19:17,124
Frank Cilluffo: from Volt Typhoon. Living off the land and pre positioning. And when you think of

237
00:19:17,212 –> 00:19:23,844
Frank Cilluffo: OT devices and when you think of manufacturing, those are pre positioned could have little

238
00:19:23,932 –> 00:19:31,612
Frank Cilluffo: value in a traditional ransomware crime, even espionage perspective, but can have massive implications in

239
00:19:31,636 –> 00:19:39,240
Frank Cilluffo: a campaign. And the ability to get credentials from the average user environment so that

240
00:19:39,780 –> 00:19:44,492
Bill Rucker: it’s. About upping the credential. Right. You can absolutely elevate privileges if you have the

241
00:19:44,516 –> 00:19:49,964
Bill Rucker: right level of access when you go in, but the number of active and current

242
00:19:50,052 –> 00:19:54,452
Bill Rucker: credentials that are for sale every single day One of the things that we do

243
00:19:54,556 –> 00:19:58,164
Bill Rucker: when we meet with. Do you do Deep Web Darknet? We do, yes. We have

244
00:19:58,172 –> 00:20:01,012
Bill Rucker: some folks that live in certain parts of the world in certain forums. Right. And

245
00:20:01,036 –> 00:20:05,140
Bill Rucker: then we do a lot of Dark Web research, either proactively for our customers or

246
00:20:05,260 –> 00:20:09,924
Bill Rucker: on demand through threat intelligence as a service platform. And that’s unique because that’s a

247
00:20:09,932 –> 00:20:16,132
Bill Rucker: very curated threat intelligence solution that’s really built for the segment and the market and

248
00:20:16,236 –> 00:20:19,908
Bill Rucker: the mission of that entity. Right. So if they’re in the energy space, if they’re

249
00:20:19,924 –> 00:20:23,552
Bill Rucker: in the energy space and a government entity, we’ll look at very specific things up

250
00:20:23,576 –> 00:20:27,792
Bill Rucker: to including kind of what their domains are and then what are the users of

251
00:20:27,816 –> 00:20:32,400
Bill Rucker: that and where can we actually find that domain on the Dark Web? I’ve yet

252
00:20:32,440 –> 00:20:37,424
Bill Rucker: to see a single threat intelligence report where there wasn’t thousands of credentials on the

253
00:20:37,432 –> 00:20:41,520
Bill Rucker: Dark Web. And we find on average that 15 to 20% of those are active

254
00:20:41,600 –> 00:20:49,600
Bill Rucker: credentials. Wow. Still employed same username, same password. Yeah, that’s a scary thought. And as

255
00:20:49,640 –> 00:20:53,696
Frank Cilluffo: bad as that is, I promise you, that’s still only the tip of the iceberg.

256
00:20:53,888 –> 00:20:59,952
Frank Cilluffo: Depends which chat rooms you’re in and which where on the Deep Web darknet you

257
00:20:59,976 –> 00:21:05,424
Frank Cilluffo: are. But that is a scary. That is a scary thought. But it is exciting

258
00:21:05,472 –> 00:21:09,248
Bill Rucker: that we’re able to, able to get that to illuminate and be able to warm

259
00:21:09,344 –> 00:21:12,720
Bill Rucker: those folks. I mean, because a lot of that, sometimes people are aware because their

260
00:21:12,760 –> 00:21:16,260
Bill Rucker: threat intelligence teams are much better than they used to be, but other times it’s,

261
00:21:17,030 –> 00:21:20,862
Bill Rucker: it’s just a misconfiguration, it was a mistake, but it’s out there and people know

262
00:21:20,886 –> 00:21:24,110
Bill Rucker: about it. And then they put it out there for other folks that maybe want

263
00:21:24,150 –> 00:21:28,846
Bill Rucker: to do bad things to actually find and then leverage as a way to infiltrate

264
00:21:28,878 –> 00:21:33,134
Bill Rucker: an environment. So the more we can do that work to share, and that’s a

265
00:21:33,142 –> 00:21:37,070
Bill Rucker: big part of it is the information sharing on it. And the data that did

266
00:21:37,110 –> 00:21:40,974
Bill Rucker: Net provides us, the data we provide back to them. Same with CISA’s JCDC and

267
00:21:40,982 –> 00:21:45,010
Bill Rucker: those collaborations, those are all advancing the cyber game because now we’re able to take

268
00:21:45,050 –> 00:21:49,442
Bill Rucker: that back to customers we provide services for. We’re able to share that back to

269
00:21:49,466 –> 00:21:53,714
Bill Rucker: our partners that were in their supply chain. It is a team sport. At the

270
00:21:53,722 –> 00:21:56,994
Bill Rucker: end of that, you have to be able to share that information regardless of, you

271
00:21:57,002 –> 00:22:01,586
Bill Rucker: know, being a coopetition or competitor. One of the other providers need to share will

272
00:22:01,658 –> 00:22:05,298
Frank Cilluffo: trump the need to know. And in many of these cases, as long as you’re

273
00:22:05,314 –> 00:22:11,648
Frank Cilluffo: not compromising obviously sources and methods. But I think that that is still a cultural

274
00:22:11,744 –> 00:22:16,272
Frank Cilluffo: challenge for some in our intelligence community. And then you’ve got other civilian entities that

275
00:22:16,296 –> 00:22:22,128
Frank Cilluffo: are responsible for sharing and the like. But to me that’s where the real. That’s

276
00:22:22,144 –> 00:22:26,512
Frank Cilluffo: where the rubber hits the road and all the talk about public private partnerships, I

277
00:22:26,536 –> 00:22:30,560
Frank Cilluffo: like to say long on nouns, short on verbs, but we’ve got to go beyond

278
00:22:30,640 –> 00:22:35,104
Frank Cilluffo: just the information sharing to the action. And that’s where nothing like being in the

279
00:22:35,112 –> 00:22:40,632
Frank Cilluffo: same foxhole fighting the same fight against a particular adversary. And do you feel, do

280
00:22:40,656 –> 00:22:46,264
Frank Cilluffo: you feel, have you seen anything from an adversarial TTP or tactics, techniques, procedures, perspective

281
00:22:46,312 –> 00:22:52,184
Frank Cilluffo: where let’s take China, Russia off the table for a second, maybe Iran, North Korea

282
00:22:52,232 –> 00:22:57,992
Frank Cilluffo: as well. They’re all very different too. But are you starting to see human enabled

283
00:22:58,136 –> 00:23:04,920
Frank Cilluffo: technology where human and technical and cyber int and cyber means are combining from a

284
00:23:04,960 –> 00:23:12,146
Frank Cilluffo: criminal perspective? We’ve always seen that. And if you go way back to Trustwave’s legacy,

285
00:23:12,178 –> 00:23:17,074
Bill Rucker: right in the PCI space or the payment card industry, we saw that type of

286
00:23:17,242 –> 00:23:22,802
Bill Rucker: threat being from a financial criminal perspective quite a bit. Now the aspect that we

287
00:23:22,826 –> 00:23:27,234
Bill Rucker: see the most from a criminal aspect is just truly the ransom groups, right? So

288
00:23:27,242 –> 00:23:29,762
Bill Rucker: when you look at ransom Hub and Play I believe are the two that were

289
00:23:29,786 –> 00:23:35,904
Bill Rucker: identified as the top two ransomware groups or adversarial groups that were threats in the

290
00:23:35,912 –> 00:23:43,104
Bill Rucker: manufacturing space. They’re all uniquely different. They all do have their own kind of methods

291
00:23:43,152 –> 00:23:49,728
Bill Rucker: and unique TTPs on how. They act, which is actually really good insiders utilized. That’s

292
00:23:49,744 –> 00:23:54,080
Frank Cilluffo: what I was really getting at there with human tech. And so on our side

293
00:23:54,120 –> 00:24:01,180
Bill Rucker: we probably haven’t seen that as much. It’s certainly something that our customers ask us

294
00:24:01,220 –> 00:24:06,428
Bill Rucker: about, but it’s always a secondary. If you don’t have 24 by 7 eyes on

295
00:24:06,484 –> 00:24:13,500
Bill Rucker: glass and your ability to actually defend threats after 5pm and before 9pm the insider

296
00:24:13,580 –> 00:24:18,044
Bill Rucker: thing is important, but not as important as some of those other big rocks. So

297
00:24:18,212 –> 00:24:22,380
Bill Rucker: it’s all about that maturity journey. Some are definitely way more advanced and we help

298
00:24:22,420 –> 00:24:25,884
Bill Rucker: them kind of with that insider threat program and the monitoring of that and how

299
00:24:25,892 –> 00:24:29,412
Bill Rucker: they can kind of report that up, especially in the, in the dib space on

300
00:24:29,436 –> 00:24:32,852
Bill Rucker: the government side. I don’t want to say it’s an afterthought, but it’s certainly not

301
00:24:32,876 –> 00:24:36,212
Bill Rucker: the focus for most of most of the ones we’re engaged with. They really want

302
00:24:36,236 –> 00:24:39,860
Bill Rucker: to get agnostic to. How they just want to Keep it. How can I get,

303
00:24:39,900 –> 00:24:43,524
Bill Rucker: you know, my MTTA and my MTTR under 15 and 30 minutes so that I

304
00:24:43,532 –> 00:24:48,228
Bill Rucker: can actually be an operational soc next generation. Right. And leverage all of these new

305
00:24:48,284 –> 00:24:52,468
Bill Rucker: kind of hybrid operations and having global threat operators, you know, anywhere in the United

306
00:24:52,524 –> 00:24:56,862
Bill Rucker: States, so that I can quote, unquote, follow the sun, but be conus and have

307
00:24:56,886 –> 00:25:01,406
Bill Rucker: a platform that allows me to do that with an actual, an analyst that knows

308
00:25:01,438 –> 00:25:08,382
Bill Rucker: what he’s doing. And I think there’s still this stereotype of kids in hoodies drinking

309
00:25:08,446 –> 00:25:12,270
Frank Cilluffo: Jolt soda, which hasn’t been around for years. So it shows you my age going

310
00:25:12,310 –> 00:25:18,430
Frank Cilluffo: back to the old hacker. Twice the caffeine and three times the sugar. Exactly. But

311
00:25:18,470 –> 00:25:23,208
Frank Cilluffo: in reality, that’s sort of where I think most. But, but these are, these are

312
00:25:23,264 –> 00:25:31,460
Frank Cilluffo: criminal syndicates and they’re run like companies and they, and, and, and the consequences of

313
00:25:32,000 –> 00:25:36,872
Frank Cilluffo: going south is low for them. I mean, the threshold, the bar is very low.

314
00:25:36,976 –> 00:25:42,680
Frank Cilluffo: Very few are, are, are actually prosecuted. Many are provided safe haven in countries we

315
00:25:42,720 –> 00:25:47,912
Frank Cilluffo: lack extradition authorities with. How do we square that circle? That’s a little bit of

316
00:25:47,936 –> 00:25:52,584
Frank Cilluffo: a policy question. But you know, in the NDAA and for transparency, we did a

317
00:25:52,592 –> 00:25:58,712
Frank Cilluffo: big report on transition priorities. We called for designating ransomware gangs and state sponsors of

318
00:25:58,736 –> 00:26:03,752
Frank Cilluffo: cybercrime. So basically to get to the lack of extradition set of issues akin to

319
00:26:03,776 –> 00:26:10,280
Frank Cilluffo: where you have state sponsors of terrorism. But again, that’s not going to necessarily operationalize

320
00:26:10,360 –> 00:26:14,784
Frank Cilluffo: all that. I’m just curious what we think we can do because otherwise it’s a

321
00:26:14,792 –> 00:26:20,144
Frank Cilluffo: bit of a fool’s. We’re always reacting. True. And you know, I, when I think

322
00:26:20,152 –> 00:26:25,952
Bill Rucker: about it, I separate typically the criminal versus the nation state, and that’s what. I’m

323
00:26:26,016 –> 00:26:32,368
Frank Cilluffo: talking criminals now. But you can’t separate the proxies. Right. Because many of these actors

324
00:26:32,464 –> 00:26:36,720
Frank Cilluffo: are provided safe harbor. Well, and many of them use the same tools or they

325
00:26:36,760 –> 00:26:40,208
Bill Rucker: sell their tool to the same. As long as they’re there to do their bidding

326
00:26:40,224 –> 00:26:44,240
Frank Cilluffo: when they want them. Vice versa. Right. And to give them that level of protection,

327
00:26:44,740 –> 00:26:49,212
Bill Rucker: I think it comes back to. And again, policy aside, I think it comes back

328
00:26:49,236 –> 00:26:54,140
Bill Rucker: to the data that we have independently could actually move the needle quite a bit.

329
00:26:54,180 –> 00:26:59,560
Bill Rucker: Right. So that public private partnership of information sharing that I kind of referenced earlier,

330
00:26:59,940 –> 00:27:04,700
Bill Rucker: we have data and IOCs and things that we see globally. And every pen test

331
00:27:04,740 –> 00:27:09,734
Bill Rucker: that we do, it’s just over 2 million hours a year in penetration testing. Every

332
00:27:09,822 –> 00:27:17,094
Bill Rucker: incident response, breach investigation we do, we get additional data and metadata and IOCs we

333
00:27:17,182 –> 00:27:21,366
Bill Rucker: probably don’t at the level we could make sure that all of that information gets

334
00:27:21,398 –> 00:27:26,678
Bill Rucker: to some repository that I don’t really believe exists today. So that information, again you’re

335
00:27:26,694 –> 00:27:32,934
Bill Rucker: talking the volumes are almost incomprehensible. But that would allow us to get better telemetry,

336
00:27:32,982 –> 00:27:36,278
Bill Rucker: better data on some of these threat actor groups. So when you start talking about

337
00:27:36,414 –> 00:27:40,262
Bill Rucker: the ability to at least know who they are and where they are, how we

338
00:27:40,286 –> 00:27:43,062
Bill Rucker: actually get them, how we take them down, what the policies are to make that

339
00:27:43,086 –> 00:27:46,998
Bill Rucker: happen are different. But today many of those act in a way that we don’t

340
00:27:47,014 –> 00:27:49,430
Bill Rucker: really know who they are or where they are. We think we do in many

341
00:27:49,470 –> 00:27:53,702
Bill Rucker: cases. But it’s so easy to obfuscate who you are and where you are. From

342
00:27:53,726 –> 00:27:58,054
Bill Rucker: a cyber perspective. Absolutely. And I hate to say it, and I don’t want to

343
00:27:58,062 –> 00:28:03,722
Frank Cilluffo: sound defeatist, but for now the initiative does remain with the attacker. So we’ve got

344
00:28:03,746 –> 00:28:09,802
Frank Cilluffo: to flip that equation at some point, but we’re not there yet. And I think

345
00:28:09,826 –> 00:28:13,290
Frank Cilluffo: we’re getting better and better and better. But if you look at it just from

346
00:28:13,330 –> 00:28:20,042
Frank Cilluffo: an outcome perspective, it’s not a rosy picture. True. I mean the adversarial threat has

347
00:28:20,066 –> 00:28:25,066
Bill Rucker: certainly never been greater. But if you look at our ability to respond today versus

348
00:28:25,178 –> 00:28:30,792
Bill Rucker: two years ago, five years ago, ten years, it’s volumes and volumes of improvement on

349
00:28:30,816 –> 00:28:36,952
Bill Rucker: what we’re able to do today across both government and industry. Our ability to respond

350
00:28:37,016 –> 00:28:41,352
Bill Rucker: faster, just seeing the dwell times go down 90 plus percent, it’s not enough, of

351
00:28:41,376 –> 00:28:43,592
Bill Rucker: course. Right. Because again, they have to be right once, they have to be right

352
00:28:43,616 –> 00:28:48,152
Bill Rucker: every single time. And that’s nearly impossible. We always talk about it. It’s not a

353
00:28:48,176 –> 00:28:51,768
Bill Rucker: matter of if, it’s just a matter of when. Right. From a compromise perspective, sounds

354
00:28:51,784 –> 00:28:56,876
Frank Cilluffo: like the old counterterrorism business. But the ability to, to have the playbooks in place,

355
00:28:56,948 –> 00:29:01,100
Bill Rucker: the ability to have run the tabletops and the instant response exercises, ability to have

356
00:29:01,140 –> 00:29:04,876
Bill Rucker: already know who your strategic third party partners are when it happens. Right. Everything that’s

357
00:29:04,908 –> 00:29:09,900
Bill Rucker: right of the boom, we’re really getting better at that. And how to communicate it

358
00:29:09,940 –> 00:29:16,764
Frank Cilluffo: to shareholders, internal, external and the many stakeholders to include shareholders or publicly traded. I

359
00:29:16,772 –> 00:29:20,636
Bill Rucker: think that’s one of the most critical parts. My board sits in on our tabletop

360
00:29:20,668 –> 00:29:23,790
Bill Rucker: exercise. Awesome. When we do that annually, they want to actually understand it. And then

361
00:29:23,830 –> 00:29:27,422
Bill Rucker: you know, if there’s discussions, it’s at a level of the exercise where there is

362
00:29:27,446 –> 00:29:31,118
Bill Rucker: going to be law enforcement or cyber insurance or those type of things engaged there’s

363
00:29:31,134 –> 00:29:35,102
Bill Rucker: always. At what point do the members of the board get notified and what level

364
00:29:35,126 –> 00:29:38,382
Bill Rucker: of communication do you do that and how do you do it? And so if

365
00:29:38,406 –> 00:29:42,078
Bill Rucker: I go back to, you know, I’ve had that same board Ish for, for almost

366
00:29:42,134 –> 00:29:47,118
Bill Rucker: a decade, they weren’t sitting through my tabletop exercises, you know, five, 10 years ago.

367
00:29:47,174 –> 00:29:50,514
Bill Rucker: Right. But for the last three or four, they sit in every single one. So

368
00:29:50,522 –> 00:29:54,610
Bill Rucker: that, that definitely changes the mindset, their approach to, you know, how secure are we

369
00:29:54,650 –> 00:29:57,714
Bill Rucker: as a service provider? Because that’s, that’s my brand at the end of the day

370
00:29:57,722 –> 00:30:01,202
Bill Rucker: too. So if I’m compromised, how are people going to trust me with being a

371
00:30:01,226 –> 00:30:07,154
Bill Rucker: solution provider to their. Absolutely. And, and that’s beyond just the internal external. You don’t

372
00:30:07,162 –> 00:30:11,042
Frank Cilluffo: want to be exchanging business cards when the balloon goes up. Right. You want to

373
00:30:11,066 –> 00:30:16,888
Frank Cilluffo: also know your partners, whether law enforcement, national security course, public safety, you name it.

374
00:30:16,944 –> 00:30:20,600
Bill Rucker: Who are those points of contact, who’s in your system. Trust matters. Right. It’s still

375
00:30:20,640 –> 00:30:23,992
Frank Cilluffo: the coin of this realm and every other realm. And how do you contact them?

376
00:30:24,016 –> 00:30:26,712
Bill Rucker: Right. You got no email or your systems are down. How do you actually let

377
00:30:26,736 –> 00:30:29,720
Bill Rucker: your employees know what’s going on? How do you let you know your, your key

378
00:30:29,840 –> 00:30:32,632
Bill Rucker: partners know what’s going on? You know, one question I want to go back to

379
00:30:32,656 –> 00:30:38,024
Frank Cilluffo: and then we’re, we’re unfortunately running out of time. I could sit down for hours.

380
00:30:38,112 –> 00:30:42,016
Frank Cilluffo: As you can tell, I’ve never had an unspoken thought, but the skills gap issue.

381
00:30:42,088 –> 00:30:50,672
Frank Cilluffo: Sure. And in the IT and cyber environment, it’s massive. And it’s only larger in

382
00:30:50,696 –> 00:30:56,672
Frank Cilluffo: the OT environment because they’ve never necessarily thought of themselves in this orbit and world.

383
00:30:56,856 –> 00:31:00,544
Frank Cilluffo: What can we do? I mean, Idaho National Labs does some good work. They have

384
00:31:00,552 –> 00:31:07,632
Frank Cilluffo: an OT Defender program. It’s career paths where cyber and security at least can be

385
00:31:07,656 –> 00:31:11,004
Frank Cilluffo: part of that. Do you have any thoughts on that? Because we’ve, we’ve spent a

386
00:31:11,012 –> 00:31:17,036
Frank Cilluffo: lot of time working on OT and actually training that workforce. But those numbers are

387
00:31:17,108 –> 00:31:21,612
Frank Cilluffo: onesies and twosies, comparatively speaking. Yeah. You mentioned in L and then nrel, I think

388
00:31:21,636 –> 00:31:28,252
Bill Rucker: partners with them on a similar scenario though. So it’s the challenge that we will

389
00:31:28,276 –> 00:31:31,852
Bill Rucker: continue to have. I mean, I think on the cybersecurity gap, I think last I

390
00:31:31,876 –> 00:31:36,124
Bill Rucker: saw it was. It still said it was like 4.8 million was the standing cybersecurity

391
00:31:36,172 –> 00:31:43,232
Bill Rucker: gap. Right. I’ve never seen the OT portion of that. Right. Do we want to

392
00:31:43,256 –> 00:31:46,432
Frank Cilluffo: see that? Yeah. We actually need to know it though. We do. And so Is

393
00:31:46,456 –> 00:31:49,792
Bill Rucker: it? Is it? Ignorance isn’t going to double it, but. It’S going to be a

394
00:31:49,816 –> 00:31:53,952
Bill Rucker: material thing. The problem is even though there’s that, that skills gap. Right. And so

395
00:31:53,976 –> 00:31:57,632
Bill Rucker: you look at all the college of Engineering and Cyber security programs that have started

396
00:31:57,736 –> 00:32:01,952
Bill Rucker: around the United States in the last three to five years. Yeah, tons of those.

397
00:32:01,976 –> 00:32:05,936
Bill Rucker: Right. Like Auburn, a bunch of other ones that didn’t exist five plus years ago.

398
00:32:06,008 –> 00:32:10,560
Bill Rucker: So I do believe we’re making a conscious effort to educate the next generation of

399
00:32:10,600 –> 00:32:14,848
Bill Rucker: folks. Right. To be able to understand that. Where it’ll be interesting to see is

400
00:32:14,904 –> 00:32:21,216
Bill Rucker: where, where will the importance of the OT aspect of that overlay that I haven’t

401
00:32:21,248 –> 00:32:24,304
Bill Rucker: seen yet. It’s definitely been cyber security. This is a great profession. You can get

402
00:32:24,312 –> 00:32:29,152
Bill Rucker: a job right away. Pen testers are in demand, become a threat hunter. These are

403
00:32:29,176 –> 00:32:33,480
Bill Rucker: things that are actually pretty. Exciting and there are career paths, but not on the

404
00:32:33,520 –> 00:32:36,744
Frank Cilluffo: other side and not integrated. Yeah. And it’s not an it. You’re going to the

405
00:32:36,752 –> 00:32:41,144
Bill Rucker: college of Engineering with a focus in cyber security. So it’s the level of, I

406
00:32:41,152 –> 00:32:45,192
Bill Rucker: guess respect’s probably the wrong word but like the level of respect of going into,

407
00:32:45,296 –> 00:32:49,288
Bill Rucker: you know, cyber security is different now. Right. Especially when you associate with the college

408
00:32:49,304 –> 00:32:52,056
Bill Rucker: of Engineering at most of these schools that makes a big difference. And the owner

409
00:32:52,088 –> 00:32:56,444
Frank Cilluffo: operator needs to be there or it will be the Rodney Dangerfield of, of cyber.

410
00:32:56,492 –> 00:32:59,612
Frank Cilluffo: And it can’t, it can’t afford that. And I think there’ll be more funding in

411
00:32:59,636 –> 00:33:03,372
Bill Rucker: and around that. So my, my, my son’s currently looking at colleges right now and

412
00:33:03,396 –> 00:33:07,612
Bill Rucker: one of the things that was interesting is the number of college of engineering who

413
00:33:07,636 –> 00:33:12,380
Bill Rucker: actually wants to get into cybersecurity that were providing funding. Right. And say hey, this,

414
00:33:12,420 –> 00:33:15,292
Bill Rucker: this school, we’re going to give you X because of that discipline. That wasn’t because

415
00:33:15,316 –> 00:33:18,540
Bill Rucker: of his grades, wasn’t because of where he lived or his background. It was because

416
00:33:18,580 –> 00:33:22,630
Bill Rucker: of the, the fact that he was going into a specific field. That’s a great

417
00:33:22,670 –> 00:33:26,182
Bill Rucker: sign for me to be able to see that that’s the response coming out of

418
00:33:26,206 –> 00:33:32,182
Bill Rucker: the university and scholarship for service. All these initiatives are essential. Before I ask my

419
00:33:32,206 –> 00:33:36,050
Frank Cilluffo: last question, I can’t let you go. AIML. Where do you see it fitting in

420
00:33:36,590 –> 00:33:43,862
Frank Cilluffo: your 2 minute version, your elevator pitch? Good guy, bad guy. Gosh, it’s interesting. So

421
00:33:43,886 –> 00:33:50,124
Bill Rucker: it will revolutionize the soc. What we’ve been able to do with ML in security

422
00:33:50,212 –> 00:33:56,348
Bill Rucker: operations and hybrid kind of SOC as a service and MDR has, you know, we’ve

423
00:33:56,364 –> 00:34:00,028
Bill Rucker: been able to do in six months what took us three years. Wow. It’s just

424
00:34:00,164 –> 00:34:05,388
Bill Rucker: there’s so many known scenarios, known incidents that you can effectively automate. You know we,

425
00:34:05,444 –> 00:34:09,052
Bill Rucker: we refer to it sometimes as Tier zero analysts, some other folks do that as

426
00:34:09,076 –> 00:34:14,913
Bill Rucker: well. That ability to, to leverage that information and those large, large language models is,

427
00:34:14,971 –> 00:34:19,493
Bill Rucker: is phenomenal and will continue to change the game. The AI aspect of that to

428
00:34:19,501 –> 00:34:24,005
Bill Rucker: be able to not only see the situation but see a situation that also happened

429
00:34:24,037 –> 00:34:29,285
Bill Rucker: that’s similar to it and take action based on a runbook and traffic light protocol

430
00:34:29,477 –> 00:34:34,037
Bill Rucker: will take the security operation center to where honestly tier 0 and 1 and almost

431
00:34:34,093 –> 00:34:38,565
Bill Rucker: part of 2 can be automated to a degree within a majority of an environment

432
00:34:38,637 –> 00:34:44,213
Bill Rucker: with the exception of critical assets, high value assets. U.S. companies ahead. You think of

433
00:34:44,301 –> 00:34:47,861
Frank Cilluffo: the rest of the pack or is that getting close? I think we do a

434
00:34:47,885 –> 00:34:52,565
Bill Rucker: very good job on that. I mean there’s certainly concerns around mostly. Because of application

435
00:34:52,677 –> 00:34:58,789
Frank Cilluffo: or you think it’s the LLMs? I think it’s mostly because of we’ve been doing

436
00:34:58,829 –> 00:35:02,853
Bill Rucker: certain things very well in a very manual process from a SOC perspective for a

437
00:35:02,861 –> 00:35:07,221
Bill Rucker: long time. So our runbooks, our playbooks, we’ve been there, done that, kind of know

438
00:35:07,245 –> 00:35:11,962
Bill Rucker: it. So the ability to take all of that context, all of that knowledge, all

439
00:35:11,986 –> 00:35:15,034
Bill Rucker: of that metadata and data and put it into a place to where we can

440
00:35:15,122 –> 00:35:20,122
Bill Rucker: leverage it for automation, I think that gives us a benefit from a Vandy’s have

441
00:35:20,146 –> 00:35:25,466
Bill Rucker: been doing cyber globally. Right. From that perspective the AI piece of it will continue

442
00:35:25,538 –> 00:35:33,226
Bill Rucker: to evolve. Right. I think leapfrog other from both the Blue Defender perspective if they’re

443
00:35:33,258 –> 00:35:37,344
Frank Cilluffo: smart, but also adversarially. Right. Well and so the flip side to this coin is

444
00:35:37,432 –> 00:35:47,280
Bill Rucker: everything that we can do faster, better automated, the ability for I think about the

445
00:35:47,320 –> 00:35:52,352
Bill Rucker: social pen testing from a social engineering standpoint, the fact that you can now pick

446
00:35:52,376 –> 00:35:57,856
Bill Rucker: up the phone and call someone and through the app sound like Frank, yeah. Giving

447
00:35:57,888 –> 00:36:00,784
Bill Rucker: you a call. We’ve got the show, we’re doing that. And you cannot tell me

448
00:36:00,792 –> 00:36:03,984
Bill Rucker: that this. Says yes or no and they got it and they’re using it. And

449
00:36:03,992 –> 00:36:08,452
Bill Rucker: whether that’s credential harvesting or sealing identities or the ability to just have someone take

450
00:36:08,476 –> 00:36:13,428
Bill Rucker: an action or make a configuration change, that will continue to be an issue because

451
00:36:13,484 –> 00:36:16,564
Bill Rucker: again, they have to be right one time. They have to get one person to.

452
00:36:16,572 –> 00:36:20,964
Frank Cilluffo: Make one mistake, one misconfiguration, just like spam. You can send a billion, all you

453
00:36:20,972 –> 00:36:23,716
Frank Cilluffo: need is one or two and it’s good day Right. There’s one or two. Nigerian

454
00:36:23,748 –> 00:36:27,524
Bill Rucker: prince. And you’re in. There you go. Bill, what questions didn’t I ask that I

455
00:36:27,532 –> 00:36:33,500
Frank Cilluffo: should have? Oh, wow. I think from us, you know, I kind of touched on

456
00:36:33,540 –> 00:36:37,276
Bill Rucker: earlier, it’s like, what, what can we do to. To continue to move the needle

457
00:36:37,308 –> 00:36:41,132
Bill Rucker: to get better? For me, when I think about. About cyber and the partnerships, it

458
00:36:41,156 –> 00:36:46,600
Bill Rucker: comes down to that particular word. So I think about public private scenarios for us,

459
00:36:46,900 –> 00:36:51,772
Bill Rucker: the ability for folks to truly tell us where their, where their pain is from

460
00:36:51,796 –> 00:36:56,540
Bill Rucker: a cyber perspective that, you know, in the past, people have been reluctant to, to

461
00:36:56,660 –> 00:37:01,146
Bill Rucker: kind of expose and say, hey, I’ve been compromised. Here I have this weakness there.

462
00:37:01,298 –> 00:37:06,346
Bill Rucker: Our best relationships, where we’ve had the most phenomenal outcomes with our customers and partners

463
00:37:06,458 –> 00:37:10,602
Bill Rucker: is when people are transparent and we take that same approach. Hey, here’s where we

464
00:37:10,626 –> 00:37:14,350
Bill Rucker: can help you right away. Here’s what will take a while on your cyber journey.

465
00:37:14,770 –> 00:37:19,002
Bill Rucker: But there’s always immediate help for those folks if they’re transparent, because they’re all trying

466
00:37:19,026 –> 00:37:25,082
Bill Rucker: to solve some challenges that are not always easily solvable. But through partnerships and some

467
00:37:25,106 –> 00:37:29,322
Bill Rucker: of that transparent sharing, we can make a difference. Right. And it’s every single one

468
00:37:29,346 –> 00:37:35,786
Bill Rucker: of those small advancements will move our security needle further down. And I’m really glad

469
00:37:35,818 –> 00:37:40,762
Frank Cilluffo: you underscored. At the end of the day, technology will always change, but human nature

470
00:37:40,826 –> 00:37:46,058
Frank Cilluffo: remains consistent for good or bad. And it’s going to take people to have trust

471
00:37:46,154 –> 00:37:50,650
Frank Cilluffo: and actually work together to get things done. Bad news doesn’t get better with time.

472
00:37:50,690 –> 00:37:53,834
Bill Rucker: Right? So let’s talk about what the challenges are. If it bleeds, it leads to

473
00:37:53,922 –> 00:37:57,818
Frank Cilluffo: it. There you go. Bill, thank you for spending so much time with us. Thank

474
00:37:57,834 –> 00:38:01,606
Frank Cilluffo: you for fighting the good fight, and I’m glad you’re in it. So thank you.

475
00:38:01,678 –> 00:38:03,150
Bill Rucker: Thanks, Frank. Real pleasure. Thank you.

Related Content