Exploring the Summer of Zero-Days — SolarWinds TechPod 079

Join host Sean Sebring as he talks to SolarWinds CISO Tim Brown about the 2023 threat landscape after an unprecedented number of cyberattacks. You’re going to want to buckle up, type in the code, scan your retinas, say Beetlejuice three times, and download this episode. © 2023 SolarWinds Worldwide, LLC. All rights reserved.
Sean Sebring

Some people call him Mr. ITIL (actually, nobody calls him that), but everyone who works with Sean knows how crazy he is about…

Tim Brown

Guest | SolarWinds CISO and VP, Security

Tim Brown is at the front line of the most vexing challenge facing organizations today: IT security. Tim is currently the Chief Information Security Office…

Episode Transcript

Sean Sebring:                     Hello again, listeners. My name is Sean Sebring and I’m your TechPod host. And today we are joined by esteemed guest, Tim Brown.

Tim Brown:                         Thank you, it’s great to be here. So, Tim Brown, I am the CISO for SolarWinds.

Sean Sebring:                     Fantastic. Thank you, sir. Yeah, I am very excited to have a chance to interview with you. You obviously have very esteemed credentials in this field, so it’s no joke aside that you’re the most qualified person we could ask to do this. And so one of the things that we want to talk about today, again, we’re talking with security, so big focus on security awareness. But I think a great way for us to get started is talking about the landscape in general and how things look right now in the world. So what I want to start off talking about is, again, that threat landscape and a lot of that can be in terms of geographical. So something that we had talked about in notes prior was maybe some specific actors like Russia and China. What can you tell us about that?

Tim Brown:                         Yeah, absolutely. So I’ve been doing security for a long time. Yeah, 25, 30-ish years. So one of the things that we always say is that the threat landscape’s evolving. And it really has, it evolves every year in different ways and different things. So yeah, threat actors are absolutely always looking to perform their action. And that action can either be making money, in the case of really most of the business threat actors, but some of the nation-states are crossing over there, or it could be taking control. So a lot of the nation-states are looking for influence, they’re looking for control, they’re looking for other things. But as technology moves, they move, so they move quickly.

So what have we been seeing lately? So Russia, with the situation in Ukraine, the war in Ukraine. The cooperation that we used to get, Russian take-down of organized crime, has essentially stopped. So very little take-down happening. So threat actors come on, they operate inside of Russia, or operate inside a friendly country, and they operate with immunity. In past times, the US and others have been able to negotiate take-downs. We don’t see that as much. So we see a tighter linkage between Russian organized crime and the Russian state, and that really has happened since the Ukraine war.

Sean Sebring:                     Do you think that that has impacted other countries interacting or does it still feel very specific to just Russia, the US, and maybe some other countries familiar with the US?

Tim Brown:                         Very specific with that.

Sean Sebring:                     Gotcha.

Tim Brown:                         But again, other areas of the world don’t cooperate either from a take-down perspective. So if you look at China, China operates very dramatically on the cyber threat front. They have well-known huge cyber armies, huge cyber armies that act very quickly today on vulnerabilities either known or zero-day vulnerabilities, vulnerabilities that aren’t known. So when a new vulnerability gets announced, the time it takes for an exploit from them is a matter of hours. And that’s real. So they’re looking at monitoring, they’re looking at saying how can we take action? And based on that action, China’s model is less noisy, not trying to-

Sean Sebring:                     Less about the attention.

Tim Brown:                         … the money, yeah, less about the attention, but absolutely a very big push on IP theft. So they’re trying to advance their mission and their programs internally. So if it’s a program for water treatment, it can be a program for military, it can be a program for farming, it can be a program for better seeds. So all sorts of programs that you think advancements are going into, one of their models beyond research is to steal.

Sean Sebring:                     Just take it.

Tim Brown:                         Right. So it takes the IP-

Sean Sebring:                     Less work in taking it than doing your own innovation and discovery.

Tim Brown:                         So that’s been China’s model. And one of the things lately has been the change towards how aggressive they are on implementing known vulnerabilities to take advantage of things, and implementing zero days, so that they discover something and then utilize that to be able to get at the places they’re trying to get at. But you’re absolutely correct, it’s all about trying to get ahead on the programs they’re trying to advance, not just military though, it’s everything.

Sean Sebring:                     Well, talking about that speed. I’ve done a little dabbling in playing with generative AI. And AI is going to be a huge thing. It’s already big and it’s getting bigger and I think definitely it’s on a turning point. It’s bigger now and you can see the raw power of it more than you ever could before. So how has that been playing in? And I’d imagine it’s a lot significant with time, especially how much you can get done with that kind of AI.

Tim Brown:                         Yeah, a lot from the social engineering side, a lot from the deep fake side.

Sean Sebring:                     Oh really? So conversationally…

Tim Brown:                         Conversationally, oh yeah. We’ve played with tests internally to simulate me, record me, play me back, and then switch words that I’d been using.

Sean Sebring:                     I heard that the voice, able to just take a little bit of your voice.

Tim Brown:                         You don’t need that big of a sample, which is pretty amazing, and then video as well. So you can no longer trust your boss calling you to say do things. So just the whole side of phishing, so voice phishing.

Sean Sebring:                     I was at my local public safety center doing some password application stuff and I saw a flyer and it was the grandparent scam. And it was exactly what you’re talking about where you get a call from someone claiming to be a relative of some kind and it has their voice and it brings up things about them asking for money.

Tim Brown:                         Absolutely. So it makes sense and that’s what we have to watch out for. We’ve been trained pretty well from a phishing perspective what to ignore. We look at it, oh, misspellings, or you look at the domain, oh, that’s an easy one to notice. You look at those types of things. You look at the context, oh, this doesn’t make sense. So the models of today are fairly often easy to detect. The models of tomorrow, they’re going to be contextual.

Sean Sebring:                     It’s getting so much harder to trust anybody.

Tim Brown:                         They’re going to be able to be generated. They’re going to be generated with good language. They’re going to be generated with the right accents.

Sean Sebring:                     And the visual aspect, you’ve mentioned it’s even bigger.

Tim Brown:                         Here’s a video of me telling you something for something. So that’s where some of AI for the bad guys comes in. Now, AI in general, the things that we’ve seen so far today, immediate wise, beyond the social side, and they’re just picking up on the social now, they haven’t made a huge impact on the other side. But just think about what we can do from a defender perspective with AI. So we’ve got the bad guys and the bad guys will often lead some of the places that we go. But when you look at how you write code for certain things, how you automate things, how you automate detection, how you automate, I’ve got all this information in here. Is there any information from a certain country? Oh, okay. From a certain industry. I’ve picked up all of these things, they’ve answered my initial ping out there to the world. All right, which ones are in this industry? Can you give me that list? Oh sure.

Sean Sebring:                     And that’s that time to value or the reverse really, that I’m seeing. Wow, that’s going to really speed up the way that they’re able to operate off those threats and that zero-day is a big part of this title. That’s exactly one of the reasons, zero-day is basically meaning as soon as it’s discovered, it’s exploited.

Tim Brown:                         Yeah so zero-day, when we talk zero-day from a security perspective, what we’re talking about is an unknown, unpublished vulnerability that gets used for nefarious acts. So it’s not known, it’s not in our CVE catalog. Essentially we track all known CVEs through some pretty standard mechanisms. So those are the known vulnerabilities. But when you get a zero-day, that means that a researcher started using it in the wild before it was known to the public and before it had a fix associated with it at all.

Sean Sebring:                     Does that also mean we may not have known how long it’s been being used?

Tim Brown:                         Oh, absolutely. We may discover that it’s being used after the fact and say, oh, they took advantage of … so this summer’s been known as a summer of zero-days, so MOVEit. There was one for Microsoft with 365. There was one for three others. We’re not used to this many. And essentially, what happens in the wild, we see things getting utilized and they’re utilized and we pick them up and then we say, well, what was this? Was this a CVE that we didn’t know of, a vulnerability that we knew about, and oh no, it wasn’t. It was something new. And then new becomes published and then as soon as new becomes published, different threat actors start using it. And then they add on to it and continue to look at those threats, continue to investigate more.

So like MOVEit, a file transfer system, they had one vulnerability, then they had a carry-on vulnerability, then another carry-on vulnerability and many companies were utilizing them across the world. And then they’re internet facing as well, usually being an SFTP server, so they get utilized in that fashion. And those are the ones that we really look out for impact. So once you have the zero-day, that’s when you see an add-on to, oh, now we do a ransomware attack, now we do an information gathering, or now we try to break in and move laterally from that box. So it rolls from there. So zero-day is not a zero-day and you’re done, it’s zero-day plus then an exploit of some kind.

Sean Sebring:                     So with it having been a summer of zero-day, I’m sure there’s been other timeframes in the past where there was just a surge of vulnerabilities, nothing like this?

Tim Brown:                         Not this many. Zero-days are supposed to happen once every six months. They’re not supposed to happen five in a three-month period. So sometimes you store them up. You discover them, you keep them, and you don’t publicize them, and then you quietly utilize them.

Sean Sebring:                     Well, I guess that would probably also help them in their threat because now everyone’s scrambling over this one, distracted from that next one. And so just having more ammunition to continue wreaking havoc. It does make sense. Do you think that AI has played a role in how many happen or what would lead to being a summer of zero-days?

Tim Brown:                         Yeah, I think there’s a few things that could. Now, in some ways, seeing a zero-day means that they didn’t do their job well, because you want to, as a bad guy, keep it to yourself, keep it stealthy, keep it quiet and not really discover it. And I think some of the monitoring of the world, which has greatly improved over the last few years, has helped. If you look at the Microsofts of the world, the firewall companies of the world, they’re looking for things, Microsoft in the endpoint, others, CrowdStrike in the endpoints, others in the endpoints have really gotten good at finding things that are strange but unknown and then getting them to known. So that’s the other part that helps us discover the unknown. So okay, this is an unknown vulnerability, but I saw the machine acting weird. So CrowdStrike is sitting there on your box and looking.

Sean Sebring:                     Those are areas where I feel AI can really help the good guy.

Tim Brown:                         It can. It can, it’s going to develop, right? AI has the problem of you’re only as good as the models that you’re putting in. And then depending on the data that’s coming out, how good is it? Is it an activity that you want to automate, or are they activities that you want to research? So generative AI especially, is what we’re talking about. But AI in the background always helping, us using advanced models to detect things, advanced models to determine things. Generative AI really looks at how do we develop something new or perform actions from it or do some activities beyond what things were meant to be. So it’s new content, it’s new actions, it’s something new because of a scenario. You kind of bridge the gap a little bit because our old AI ML that was there is also trying to tell you what to do and automate actions and those things. So those help the question. Generative just takes another step further.

Sean Sebring:                     Well, I think generative, I’m curious how it can enhance this because if I look at things from my service management lens, which is where I bring all of my discovery from, is where I’ve got expertise. I understand things through that lens. Problem management is very similar to what you’re discussing right now because by nature it’s reactive, but you want to be as proactive as possible. And what you’ve been kind of talking about is we have to try and respond to the threats. How do I design security around a threat I don’t know exists yet? So with generative AI, I’m curious if we think that we’ll hopefully be able to use it to say, “Please help me go discover potential threats,” so to speak.

Tim Brown:                         So discover and act.

Sean Sebring:                     And act, yes.

Tim Brown:                         The way that I like to think about it. So if I see something and I can go call 10 of my friends and they can give me good help to determine, hey, is this bad, is this good, what do I do next? Generative AI should be able to call my 10 friends and be able to give me valid data that I didn’t know and be able to help me along that path. And that’s when it starts getting cool for us to … because think of not just calling them with all the facts, call them with a model and say, “Hey, let’s talk about this for a little while. Okay, I’m seeing this and I’m seeing this from here and this from here, so what do we do about it?” And “Oh, well we could do this.” So that’s kind of the power that I see eventually us getting there where instead of going, you have an expert-

Sean Sebring:                     It just does so much work for you, the time-consuming part that keeps you from being able to act as fast. So yeah, I am blown away by the potential, just in my own simple-

Tim Brown:                         My documentation-

Sean Sebring:                     Oh, yeah.

Tim Brown:                         … it’s a good one.

Sean Sebring:                     Well, everyone could use more documentation. So I want to ask next, Tim, this is obviously big and it’s been in motion for a long time, but cloud. I think one of the most specific parts about cloud that’s still not accepted by everybody is their infrastructure on premise versus cloud. And so what are things that you can help us with when it’s talking about that conversation? What are the challenges of hosting and do you think it poses more security or more risk? And it is a balance, I’m sure.

Tim Brown:                         So one of the things we have to think about our new infrastructures as, again, we always just say, oh, they’re hybrid. What does hybrid really mean? I’m going to steal something I’ve stolen many times. So this is an analogy that somebody used with the Jericho Forum about, wow, 15 years ago, but think-

Sean Sebring:                     It’s still relevant.

Tim Brown:                         … about old infrastructures. Our infrastructure with castle and moat was an avocado, right? We had a big seed in the middle, gel coating around the outside and a hard shell, and that’s what we were trying to protect. And we put protection around it and we understood everything that was going on. So we’ve moved to a pomegranate.

Sean Sebring:                     Okay.

Tim Brown:                         So a pomegranate has a big outer shell, but then it has individual seeds with gel coatings. Each one of those seeds is what you’re protecting. So it could be an Office 365 seed, it could be a Salesforce seed, it could be my internal file share seed. It can be every one of your applications gets a seed and we have to define the right gel coatings around those together. So my organization is now a collection of those seeds, and that’s what we look to from a security perspective, from a management perspective, from a visibility perspective, because they all meld together because you’ve got seeds to talk to seeds. And how do you protect those around the outside? Same for zero trust. When we look at zero trust, it’s the same idea. How does that gel coating get appropriate for that service or that thing that I’m doing? It’s not centralized. It’s independent around each one of those, sometimes with independent management, sometimes with collection of management. But when we look at going to the cloud, there’s all sorts of things that can be good and things that can be bad.

So we can offset some of the security. So today, something’s on premise, I need to monitor it. I need to manage it. I need to make sure it’s running appropriately. I need to secure every aspect of it. Oh, I’ve moved to a cloud service, pick on Salesforce. I’ve moved to Salesforce, first off. I depend on Salesforce to run their service. I don’t have to worry about performance. I depend on them to be managing their service. I depend on them to be monitoring most of the inner workings of the service and to scale it. I depend on them to back up. What I don’t depend on them is to configure my instance or I have a partnership with them for identity. But that changes our security model when we do more hybrid. But we have to think about each one of those seeds is different. Each one of those seeds has different capabilities. Each one of those seeds has different interconnectivity, and we have to have visibility out to everything.

Sean Sebring:                     It’s definitely more complex than the single moat and fence and castle walls. Yeah, something I talk about with prospects, customers and just folks in the IT industry all the time is we’ve got so many tools, so many activities, sometimes I don’t even know what that seed on the other side of the pomegranate is doing.

Tim Brown:                         Absolutely.

Sean Sebring:                     And so one of the things that’s come up about cloud for me recently is just there’s not enough providers. So if we’ve got two major, Amazon and Microsoft.

Tim Brown:                         And Google a little bit.

Sean Sebring:                     Right and Google a little bit, but if we don’t have that many, there’s just the security concern for a monopoly. What if something does happen to that provider?

Tim Brown:                         Well, you saw when AWS East went down, it shut down businesses, lost millions of dollars for those businesses. And it can happen. We can have those things happen. So how do we secure around them is a good question. How do we ensure that the service is doing what it says it’s doing? How can we ensure that that service is appropriately monitored for itself depending on how much you go up the scale? So if you buy FedRAMP certified solutions, they end up having more monitoring and they have more visibility for you and they have those types of things. Lower down the scale, you have less, but you still want to have both third-party reviews of what they’re doing. You want to gain confidence that they’re running the right type of service and the right value you’re getting.

So operations like ours, we run a third-party risk organization as well. So we review every solution we put into place, all our mission and business critical assets. We know what data is being shared with them. We know how important they are to us. So it’s important you don’t bucket them all together, that you separate them out.

Sean Sebring:                     I did want to ask that as a piece of advice for folks because I do trust my AWS to have redundancies in the scenarios where something goes down, they are performing the backup. So if I have all my eggs in the one basket of Amazon, I’m now just at the mercy of their business continuity plan. Is there a specific business continuity plan that you would say, or is that too much that someone who is focusing so much more on cloud that they should have as a separate backup? Or is it just about their agreements with the provider?

Tim Brown:                         It’s about a number of different things. It’s about the agreements with providers, it’s agreements and contracts with providers and how well they’re doing, what they cost you if they go down, and what their SLAs are and where they stand by them, that type of stuff. But then there’s ways to do redundancy if that data for you is so important. You can shard the data across multiple services if it becomes that important.

Sean Sebring:                     I didn’t know if that took place more often than I realized.

Tim Brown:                         It doesn’t take place that often. In most cases, people rely on their contracts-

Sean Sebring:                     That provider, right.

Tim Brown:                         … and the contracts with the providers. And sometimes you’ll make sure that you test it. You red team it, you make sure it’s doing what it says it’s going to do. You run drills just like we have to do with our remote data centers all the time. We do the same types of things with AWS and say, okay, it went down. Can we recover? Is my either real time or slow backup, both still working, right?

Sean Sebring:                     Right.

Tim Brown:                         So it’s acknowledging the fact that you are not in control of everything, but you’re still responsible for it and responsible for the business. So you have to manage through it.

Sean Sebring:                     There were some nuggets of advice in there about things that you can do. If I put you on the spot and ask you to pick, do you think that you’re at a greater benefit of having them host for you? And if they are secure, you trust them, I would put my eggs in that basket. What advice could you give folks to say, all right, now that you’re here, here’s where you should be focusing your security practice.

Tim Brown:                         So now that you’re there, let’s say we assume that you’ve switched over to cloud type for certain services and certain things. Step one is making sure your configurations are good. So contracts are beyond, so contracts always, but then your configurations, what you can touch, what you can configure. You can’t trust them to be right, those are in your control. So make sure you’re testing them. Make sure you look at them with an adversary’s eye on them. Are there ways to be able to manipulate what’s going on there? Are there ways to be able to manipulate my virtual instance of the system? So make sure you’re able to do that as step one, is test, understand, and control. Identity is usually one of the biggest places that you do have control, so always limit your attack aperture. Always make sure that you only have so many people being administrators, only manage your administrative rights. Make sure that you don’t have people that are-

Sean Sebring:                     Least-privileged access.

Tim Brown:                         … least-privileged everywhere. Identity is one of the things that comes up common because you have control of that. Single sign on, absolutely link it back.

Sean Sebring:                     And as we spoke about earlier it’s also one of the biggest doorways, with the phishing, with AI coming in now to make it even easier and more convincing.

Tim Brown:                         So always MFA. When you look at making sure that your high value systems, implement two keys on certain things. Make sure that it takes two people to be able to do something. Assume breach. Assume somebody is bad in your environment, now, how bad can they do? What could they do? And can you put workflows in place? How quickly can you stop them?

Sean Sebring:                     How quickly can we stop, right, yes. Right.

Tim Brown:                         Right.

Sean Sebring:                     Yeah. Well, and that leads perfectly into one of the other main purposes for this conversation is the security awareness, but the human side of things. So on the flip of these very, let’s call them strict or very well thought out things, there’s still a human on the other side. There is a balance there too. MFAs become second nature to me. It’s something I can touch on my computer or I can just click a button on my phone. It’s not that cumbersome so it’s becoming easier to adopt these things. But what do you see as one of the biggest struggles right now when it comes to balancing that user-centric security versus I wish I could have it this secure.

Tim Brown:                         Right. Yeah. Usually people think secure is harder, and our job as security professionals is to make security easier, and easier than it is to be not secure. So things like going towards passwordless, where YubiKey for everybody, FIDO2 for everyone right now, but we’re working to completely passwordless. That will make your life easier.

Sean Sebring:                     Yeah.

Tim Brown:                         You’ll never have to remember a password. It’s got to be rotating in the background, you will never see it. All you’ll know is I hit my YubiKey, or I did my fingerprint, or I answered my hello. Those are the things that you’ll see, but in the background, it has nothing to do with what your real authentications are. They’re something that’s random that you’ve never seen. In one way, I’m going to make your life easier, and the other way I’m going to make it harder for an adversary to circumvent you. They call you and say, “What’s your password?” “I don’t know my face.” No one can steal my face.

Sean Sebring:                     Well, yeah, it’s getting there.

Tim Brown:                         Yeah, but no. But those types of things. So the other part is sometimes we believe flexibility is in a system or flexibility is in a program and it doesn’t necessarily need to be there. There’s certain things that people inherently believe that they need because they’ve always had it. So have the conversation with people and find out, do they really need it? We put in admin-by-request, so we’ve removed local admin from everyone. How do you like that from a draconian thing? No one has local admin rights anywhere, but what I allowed was you can request it. So your machine gets compromised, it’s like, okay, well guess what, you try to do an administrative function, it doesn’t let you. You have to specifically ask for admin-by-request, which has certain controls around the outside, which makes sure it’s you, makes sure you’re a human, makes sure of all of these things and then you’re granted it. So good example of saying, no, you can’t have local admin all the time, but yes, you can have local admin when you need it. So we need to always balance the user experience with security. And try to satisfy the needs for what’s real and what’s not real. And try not to get in the way as much as sometimes happened in the past, really operate a security team of “yes, but” instead of “no.” Yeah, “Yes, but you can’t have it this way.”

Sean Sebring:                     I have a person I worked with, we said, trust but verify, right?

Tim Brown:                         Yep.

Sean Sebring:                     So well, I’ll trust you to have admin privileges after I verify that you are who you say you are.

Tim Brown:                         And I will trust you for only a certain period of time.

Sean Sebring:                     A finite amount of time.

Tim Brown:                         Yes.

Sean Sebring:                     Yeah. No, and that’s a perfect example for it because it is the balance. I’m not taking it away from you, I’m just asking you to verify, validate. Let’s make sure that if, while you’re in that session, at least now as a somewhat recorded session, so to speak-

Tim Brown:                         Absolutely.

Sean Sebring:                     … so that we know exactly where to look,

Tim Brown:                         And it makes it much less exploitable.

Sean Sebring:                     Right.

Tim Brown:                         Because, oh, I took over your machine. Well that doesn’t matter, you still need to be a human doing the function to be able to get the access. So those are the types of solutions we look for. And yeah, we do have to take some flexibility away to be able to manage in a more secure fashion. And that just is a fact. But as long as we do it the right way, we keep things moving forward. And the other part is really having conversation with people. Don’t just say no, just ask them. Ask them. So human side, if you ask somebody and then you get to the bottom of it, well, I’ve always done it this way. Well, I’ve always … do you really need to? Well, no. Okay, great. So if we just do it like this, it’ll be okay. So the communications and the talking, and-

Sean Sebring:                     It’s definitely a culture, right, because to that person who’s always done it that way, it does feel like a grand inconvenience. But the communication and culture is, look how secure and safe we are. Look at the potential risk you could have against us with no intention, something could take this down.

Tim Brown:                         You clicked on the wrong link and your machine was taken over, we didn’t know about it and it started acting like you. Now do you really want that to be under you?

Sean Sebring:                     Right. That’s associated with you. So a similar ethical thing, and it’s not about just that inconvenience, but in a sense it also could be. With automation, with AI becoming more and more as part of what we do every day, where do we take out the human decision-making process, the limitations of relying on AI, and making sure that yes, mostly I just wanted to take care of my mundane. But where is that line? Do you see it being something very relevant right now for security?

Tim Brown:                         I would say it’s more relevant for just humans and culture because models can be discriminatory. Models have been shown to be discriminatory. And in some ways we catch it with humans fairly quickly, potentially. But depending on how a model was built, it’s really interesting to see where it sways. So what decisions are you going to have it make? What decisions will you have made automatically? How will you sample decisions to see the decisions trending in one direction or trending in another direction?

Sean Sebring:                     Do you think generative AI has impacted that already in a different way?

Tim Brown:                         Yeah, some, some. You hear about the bad, you don’t necessarily hear about the good.

Sean Sebring:                     That’s what makes the news, the bad.

Tim Brown:                         You hear about the bad, the case law that wasn’t real, that’s cited here and here and here. It’s perfectly written, very well written, except the cases didn’t exist. So you hear about those types of things, where it can make up answers and it implies things because we know the internet’s data is pure, it’s perfect everywhere.

Sean Sebring:                     Sadly it came from us, right, so where did it get its info?

Tim Brown:                         Exactly.

Sean Sebring:                     But yeah, I’ve almost seen “culture” but I’ve almost seen culture from generative AI if I ask it to think in a mindset when it’s giving me its results. So I’m like, it has to have more potential, more potential coming and coming, and it’s exciting and terrifying at the same time.

Tim Brown:                         It is. It’s exciting and it’s terrifying and it’s good and we’ll get through it. I am a believer in that it is going to change things. It’s not going to be a flash in the pan. There’s a lot of different opinions, flash in the pan, or something that’s real. And I think it’s something that’s real and I think that it will get built upon. And I think the potential is there. And I think as a society, we’ve worked through transitions many times, and this will be another one of those transitions that we work through. And we won’t get it right to start with, but we’ll get there.

Sean Sebring:                     I did want to ask you, in conclusion for our topics today, security awareness. Before we get into that conclusion, do you think that there’s any one threat actor to keep an eye on right now? Ransomware was big in the news for a long time and it was the most attention-grabbing. We talked about China’s less interested in attention. Is there one we should look out for that you think might be-

Tim Brown:                         Depending on your industry, North Korea right now is focused on hospitals, which with ransomware to fund their nuclear programs. So if you’re a hospital, if you’re in the medical field, they’re looking for low, they’re looking for smaller, they’re focused there.

Sean Sebring:                     Easy targets.

Tim Brown:                         Easier targets, smaller targets, targets that may not have the same level of protection on them. And then cryptocurrency to be able to fund their program. So they’re a nation-state level, not as sophisticated as other, but absolutely focused on money. So they’re one to watch out for if you’re in those industries. Russia has the potential, depending on what happens in the next period of time, the world is against them right now so you’re pushing them into a corner. The ruble is not doing well. So one of the ways to fix that problem is simply be the organized crime of the world and be that cyber criminal organization of the world and fund everything through that. So that’s a scary result. If things don’t turn that direction, they have the skills, they have the people, they could mobilize in that way and say, isolate it. They’re one. China is absolutely just concerning from an IP perspective. So anybody with IP, anybody that’s doing research, anybody that’s doing research into all sorts of different places-

Sean Sebring:                     That I wasn’t aware of. That’s interesting to know that it’s stealing ideas.

Tim Brown:                         Steal ideas, steal and you name it. I want to grow crops better. I keep saying agriculture. Agriculture is actually one of the biggest cyber targets because of-

Sean Sebring:                     That’s a bit concerning for the planet, knowing that, well, if these threat actors are looking for that…

Tim Brown:                         You do researchers and seeds, you do researchers and fertilizer. Some of it’s open, but not all.

Sean Sebring:                     There’s a high volume over there. That’s a big population to be able to take action. Right.

Tim Brown:                         They’re all of a concern. Ransomware and criminal intents are always there. And they’re essentially keep trying to build their business. So they have targets for next year, their fiscal years are coming up-

Sean Sebring:                     Got a road map and pipeline.

Tim Brown:                         … they got a road map and pipeline, you got to keep going.

Sean Sebring:                     So what about here in America?

Tim Brown:                         Yeah, so American is more, we are quietly aggressive on our take control of other things. So cyber armies, we are a cyber force in that way. And then criminal groups. The thing about US-centric directly is we prosecute and we’ll put you in jail and we’ll discover you. So we’re pretty strong from that side, but sponsored here and executed elsewhere, sure, and that’s mostly organized crime. So yeah, it’s a global phenomenon. And the big thing for ransomware, people think it’s all new, it’s a better and more efficient business model because of things out of the loop. I as a bad guy, take over your systems and I say, you can’t get access to them, pay me. As opposed to stealing your information and then going to sell it and then getting paid.

Sean Sebring:                     Transactional.

Tim Brown:                         I’ve taken out transactions. So that’s where you have to remember about ransomware, it’s just simply a better business model. It’s not always about encrypting stuff. It’s not always about-

Sean Sebring:                     A target of a specific thing. It could be, yeah.

Tim Brown:                         I’m just going to shut down your 911 service until you pay me. I’m going to do these-

Sean Sebring:                     Finding a market to take advantage of just for the money, for no other purpose. Well, yeah, again, this has been fantastic. So I want to wrap up what we talked about. Really, it’s been a fairly broad discussion around security, but is there anything you can say, here’s some takeaways. If we’re talking about staying woke, right, or security awareness, what are some takeaways you can give the listeners?

Tim Brown:                         Yeah, so don’t expect security to stop. We evolve every day. We evolve every week. We evolve every year. And as threat actors evolve, we have to as defenders evolve and get better. And our tooling continues to get better. If you look at the investments in small companies and some of the advances that they’re making, we expect to even see more and more. So we continue to make the bad guys’ life harder. Remember that there’s people are your low hanging fruit, so always understand what people have access to. Always understand where you can limit attack apertures. Always understand where you can test to make sure that the people who are doing the configurations of your SaaS services, of your environment, that you test what they’ve done. What can always get you is assumptions, assuming somebody did something correctly. So test assumptions, red team things, do your models. The threat actors, in many ways, are not that sophisticated, but they are thoughtful. So in many ways we need to outthink them. So don’t forget to think-

Sean Sebring:                     And get creative.

Tim Brown:                         … and get creative and understand and say, “Hey, if I was trying to get into this system, this is what I would do.” And for many of you guys that are listening, you are configurators of those systems. You understand those systems better than anybody else, so put your brains on and determine, Hey, how would I get into this? How would I break into it? What would I do differently? How would I get into my environment? And then communicate that to your security teams, communicate that to your others because those who know best will know how to get around what is in place. So yeah, make sure you spend some time thinking.

Sean Sebring:                     So again, from a shared responsibility, anybody can help contribute to securing the environment.

Tim Brown:                         Absolutely. We depend on everybody to contribute. So yeah, please contribute.

Sean Sebring:                     Great stuff. So this is a part of our episode, we may or may not have given you enough briefing on, but this is our rapid fire and this is just a little fun part to end our discussion today where I get to know you a little bit more.

Tim Brown:                         All right.

Sean Sebring:                     So we’re going to start off with my personal favorite rapid fire question that I put in here. And I’m going to predict your answer and I’m curious to see, but if time travel was an option, if you could travel right now, would you go to the past or the future?

Tim Brown:                         Future.

Sean Sebring:                     I knew it. I knew it. Not even a question. Let’s find out what they’re doing over there.

Tim Brown:                         Absolutely.

Sean Sebring:                     Absolutely. Okay. This was given to me by one of my co-hosts and I love this question. If you could have any talent, if you could just say, man, I really wish I could do that, something that you adore, but you can’t. If you could give yourself that talent, Tim, what would it be?

Tim Brown:                         Transportation.

Sean Sebring:                     Transportation. All right. Yeah, I like that. I like that. Yeah. It’s funny you say that. That’s-

Tim Brown:                         See, you can be in Ireland tomorrow.

Sean Sebring:                     Yeah.

Tim Brown:                         Tonight. Now.

Sean Sebring:                     We’ve changed so much in the last few hundred years about getting from place to place.

Tim Brown:                         I just want a transporter.

Sean Sebring:                     If I didn’t have to worry about it at all, where would I be? What is your favorite tech invention?

Tim Brown:                         Wow.

Sean Sebring:                     Could be the wheel all the way up to generative AI.

Tim Brown:                         No, generative AI hasn’t met the wheel yet. The wheel was pretty cool. Wow, so many innovations. They just start, right. When you look at hardware and look at what we’ve done with hardware, the microchip and Moore’s law, and how we continue to expand and expand and expand and expand capabilities, nothing would be possible without that. So I’ll go with that.

Sean Sebring:                     That’s totally fair. I always think to myself, if we put the geniuses that know computer science in a room and gave them just raw materials, could they make a computer without another computer? Computers are just so fascinating to me. How did you make the first one because without another computer to make it’s really hard to do. Again, Tim, thank you so much for joining us today. This has been fantastic.

Tim Brown:                         All right, thank you. It was great.

Sean Sebring:                     Thank you for listening, for joining in for another episode of SolarWinds TechPod. I’m your host, Sean Sebring. If you haven’t yet, make sure to subscribe and follow for more TechPod content. Thanks for tuning in.