Public sector organizations are in the crosshairs of today’s most dangerous cyber adversaries, from nation-state actors to organized crime rings. But with tight budgets, aging infrastructure, and a shortage of skilled talent, too many agencies remain dangerously exposed.
In this webinar, Semperis Chief Identity Architect Eric Woodruff joins Redmond Magazine Editor in Chief John Waters to cut through the noise and dig into the real threats facing government, education, and local public entities, and what can be done to stop them. From crisis response to identity resilience, we will share practical strategies for closing security gaps before they become front-page headlines.
Hi, everyone. Welcome to today’s live tech talk, Defending the Public Sector: Confronting Cyber Threats with Limited Resources. This event was organized by the hardworking folks at Redmond Magazine, and it’s sponsored by Semperis, or Semperis, depending on who you talk to, a leader in AI-powered identity security and cyber resilience for hybrid environments. I’m John K. Waters, Editor in Chief of the Converge360 Group of 1105 Media, and I’m joined today by Identity Architect Eric Woodruff. Hi, Eric. Hey, John. Nice to be here. Glad to have you, man. Eric is a seasoned expert in identity management and security architecture with extensive experience across a wide range of organizations. Currently serving as Chief Identity Architect at Semperis, he focuses on product management for security indicators while also acting as a subject matter expert on Entra ID and cloud identity solutions. I’m really looking forward to this conversation, folks. But let me just do a little bit of housekeeping before we get going. This tech talk is being recorded for later access. Keep an eye out for an email with a link to that recording. It’ll be coming your way in the next few days. Our sponsor has provided some extra resources you won’t wanna miss. They’re available now in your console. And at the end of the conversation, we’ll have a five to ten minute Q&A. Please type your questions into the Q&A box as they occur to you. We’ll do our very best to get to all of them. Okay. Now I wanna set the stage for today’s talk. You guys might know this or you might not, but public sector organizations are in the crosshairs of today’s most dangerous cyber adversaries, from nation state actors to organized crime rings. But with tight budgets, aging infrastructure, and a shortage of skilled talent, too many agencies remain dangerously exposed.
I’ll be asking Eric to cut through the noise and dive into the real threats facing government, education, and local public entities, and, what can be done, to stop them. So let’s get started. Let’s start with the big picture. Eric, how are nation state cyber attacks against public sector agencies evolving right now? I mean, I think that they’re, you know, evolving, in step with, you know, the attacks on, right, private sector and really any vertical. Right, and especially if, you know, you think of public sector. Right? A lot of that’s, you know, critical infrastructure, you know, just all sorts of things there is recently right to target on, I think, you know, another water plant, somewhere in the world. But yeah. No. I think it’s just, right, as we advance, you know, as we’re talking preshow with AI and all that. Right? Like, there’s nothing stopping, you know, nation states from using that to their advantage to, go after PubSec. So Yeah. The bad guys have the tools too. Yep. Okay. So do you see a difference in tactics between nation states and organized crime groups so that, comes to targeting local governments or schools? No. I mean, I’d say, they they have different motives. Right? You know, nation states, it tends to be well, depending on which one. More sort of disruptive or, intelligence gathering. Not necessarily if it’s a crime group. They’re more, monetarily motivated, which, you know, there’s obviously complications in there, right, with, you know, not paying threat actors these days or trying not to. And if, you know, again, your your public sector, you’re obviously much more, in the light in, around, you know, cyber incident, ransomware, stuff like that. So, well, speaking of money and ransomware, everybody knows this, that ransomware continues to hammer the public sector. What’s changed about these attacks, in the past two years? Oh, I mean, I think well, honestly, nothing has changed in the sense that they continue to persist. Right? 
And, unfortunately, from a defense perspective, and I’m not saying anything, you know, negative towards defenders. But the the attacks just keep happening. And a lot of times, the the core of it is still the same old, same old, certain vulnerabilities in Active Directory. I mean, I think the only thing you’ve probably seen more in the past couple years, again, that’s, you know, becoming more popular, is the the social engineering where it’s like, hey. Instead of trying to brute force in your account, right, I’m gonna call the help desk and say I’m so and so and see if I can’t get credentials that way into their account, and sort of then then move on from there. So yeah. Speaking of which, phishing and social engineering remain persistent, as you say. What makes public sector employees, especially vulnerable to these lures? You know? Are they different from the rest of us? Yeah. I know. I mean, I think there’s things that can be unique with public sector. In in ways, it’s easier to find information out about, you know, who works where. Nice. And, right, just transparency. I spent fifteen years working for the state of New York. And even before LinkedIn or if I wasn’t, you know, on LinkedIn and social media, you could still go to websites, and find data about public employees, that people put out there and sort of determine, you know, who does what, who’s probably important, things like that. So, you know, if anything, the the sort of ability to target, public employees has been out there for a a good long time. And, again, threat actors have access to all that stuff. Yeah. Sort of a, you know, a unique vulnerability, I guess you could say. Yeah. So, you know, we’ve been talking about money and, tight budgets. How can a small city government realistically prioritize cybersecurity investments? I mean yeah. I mean, that’s a big question. 
I mean, I think, though, if you look at, you know, most attacks, you know, big, small, regardless of vertical, but, you know, also targeting, you know, public sector is, right again, the numbers show, you know, ninety percent of these attacks are identity driven. Right? So if you’re sort of looking at the the the tech, and or the the focus of these attacks, where they’re going after Active Directory, going after Entra or Okta or whatever you’re using to authenticate, and kind of pivoting from from there. So, obviously, I’m an identity guy, so I’m a bit biased. But I think when you just see these these attack chains, the critical point it it has in them, definitely the area that I would, you know, recommend focusing on. Okay. And we talked about this before too that, many agencies rely on decades old IT infrastructure. How does, tech debt increase risk of exposure? Yeah. I mean, like, I know a lot of public sec places, you know, the running joke could be that they’re still getting rid of the mainframe, and they’ve been getting rid of the mainframe for the past, you know, twenty years. Right? And while the mainframe might not be you know, it might be a bit more isolated, I think the point in there is that, in pub sectors, challenges around life cycle, that usually are tied into budget. Regardless of of politics, right, there’s always a political thing. You know, new people with new agendas can come in and sort of disrupt, you know, where IT might be trying to go. So it’s just it’s kinda like I’d say it’s, like, a bit scattered, right, from a resource perspective. And budget certainly plays into things where it’d be like, you know, a slower life cycle to update stuff, whether it’s, the servers or the applications running on the servers, and you get all these sorts of, you know, interdependencies that just sort of hold you back from modernizing. Okay. So if you, if you had only one, to budget for one area of improvement, let’s put that with Yeah. 
Network security, identity management, or incident response, which would you prioritize first and why? Yeah. I mean, I would say, it’s a tough question, John. I mean, I’d say maybe you’d wanna go look at what’s weaker between incident response or identity. I mean, I still tend to be someone who’s like, if we can focus on proactive remediation, then we can worry less about the reactive, the IR. But, also, you see out there that, you know, there’s too many times that an incident does happen and and there isn’t any sort of, you know, exercise around what happens in an event, like, if Active Directory is taken out. But I would almost argue that some of the stuff, again, that ties into incident response around identity, you can plug a lot of those holes, more in a proactive focus on, you know, your identity and access management. Okay. So how do you convince leadership and policy makers to allocate the money, the resources, to security when there are so many competing priorities? I mean, I’ve always said security is the ugly stepchild of the of IT. Yeah. I mean, I think it’s tough. Right? I mean, obviously, where you need to learn to speak the language of, those running the show. So you might not have a board to go to, but you certainly have directors and other people who have an agenda, that you know, if you’re like, we need to go enable, pass keys or for phishing resistant authentication. They’re gonna say, Well, why? Which I think the data around incidents still becomes very important. And and showing, like, well, you know, these sort of attacks, happen in in this, you know, public sector. Again, whether you’re, you know, state or, you know, town government, you know, obviously, your spend, is, gonna look different and and your available budget. But some of these solutions, can also be simplified. If it’s my my local town and there’s twenty employees, that’s a lot different than, again, you know, state that might have a half million people working for it. But no. 
I think it’s still the the data around incidents, unfortunately, the the one good thing, I guess, I’d say with it is where you can point to this and say, these are things that actually happened. This isn’t theoretical. We’re not making stuff up. Like, these things happen and, we can put a plan together to, you know, do our best to prevent them, you know, with, you know, these resources, allocated to us. So are you saying that, like, you know, big organizations, lots of hoops to jump through, little organizations, fewer hoops? Is that is that basically a good thing to do? I mean, in ways yeah. And, like, I think, I mean, definitely, like, smaller organizations still have smaller hoops. And, again, like, I don’t know. Probably in the past five, six years, I remember a, you know, a local town, was actually ransomware. Then you’d sort of say, well, why would anyone attack a town? Right? But they they still have money, available. And right. You know, but it’s a very small shop, and I think they’re the challenges are probably different. It’s like they don’t know what they don’t know, from an IT perspective and maybe should have worked more with, like, you know, managed service provider. Obviously, like, big state organizations, they have a better idea of, you know, what they’re doing and where they need to go. I guess maybe I’d say to your your original question, it’s like the hoops look different. Right? They might be bigger, but they’re also a a lot different. Right. Okay. So identity is often called the new perimeter. I’ve heard that. Yep. What unique challenges do public sector agencies face in securing user access? Oh, I mean, it’s, you know, just those broad things like I mean, you talk about phishing. Right? Public agencies aren’t immune to it. 
There’s a lot of identity challenges, in particular with Active Directory, both to a modernization perspective, state, local governments that will have, you know, older versions of Active Directory running on older versions of Windows that are, you know, potentially not even supported by Microsoft anymore. And you’re like, I can’t believe we’re still running this stuff. This open up opens up a whole like, I won’t get super I like to get super, you know, nerdy sometimes and things, but I’ll say it opens up by just a can of worms, of potential to be attacked, when you’re using decades old, technology essentially under the covers. And, you know, for all intents and purposes, attacks tend to still, you know, be focused on and oriented and pivoted through Active Directory than, like, you know, cloud identity like Entra and things like that. So that’s definitely still keys to the kingdom. Yep. And feel free to be as nerdy as you want to. So my next question, where are you, seeing the biggest gaps in multifactor authentication adoption across the public sector? Oh, you know, I think there’s definitely challenges with the the way phishing attacks have advanced where now, you know, the technology that, you know, is at Microsoft helping people roll out with, you know, getting a text message or using, you know, the app on your phone for a code. Right? But we’re way past that. Like, that stuff we did five years ago, it’s again, anyone can go out and phish that sort of stuff now. So I think the challenge is definitely passkey adoption. And I know on a federal level, right, there were rules put in place for federal adoption that kind of forced the hand of, like, you know, cloud providers like Microsoft to, bake in things like passkeys, right, which is just sort of a newer name for FIDO2 keys and stuff like that. But, the implementation is still very tricky. And then you also kind of weave in public sector. 
It can be more difficult to sort of say, right, like, you need to, you know, do this thing on your phone for your job. Right? Because it’s more sensitive around, you know, I guess, I’d say demands on, whether people use, you know, personal resources for, you know, public work and stuff like that. But, honestly, the phishing piece is probably the thing that, you know, again, comes to mind. And, also, another big sort of component in identity that is also tough in, public sector and I touched on earlier is, you know, what’s stopping me from calling the help desk, right, and saying, you know, I’m, you know, the CISO or I’m some director and I need, you know, my password reset and it’s urgent. Right? And you’ve got to do this now. And the verifiable credential piece and sorta like, you know, it’s not like know your customer, but it’s sorta like related, internally where, well, how am I gonna verify that this is actually, you know, John, the director calling in or Eric the CISO, who needs, you know, their password reset. When push comes to shove, too many times. Nothing against that help desk person again. They they they feel that pressure. Right? They might just sort of cave and, you know, go do what they’re asked. They they don’t wanna lose their job over making a mistake. So Yeah. Yeah. Thinking that yeah. Different kind of mistake. Yeah. That’s a tough spot to be in. Yeah. Okay. So we we’re talking about privileged access, as I tried to say. It’s often overlooked. What’s the best way to manage, as you said, the keys to the kingdom in an under resourced environment? Yeah. I mean, I’d say that, you know, orienting yourself around, like, what the actual problems are. So it’s, you know, running tools that can give you, like, a snapshot of your you know, security, posture. And these things don’t have to be very intrusive. Again, I guess I’d say an unfortunate behavior I would tend to see is that people might run the tools. They have sort of, like, paralysis. Right? 
There’s so much data because their posture is so weak, and then they’re kinda like, well, since we can’t figure out what to do with some of it, we’ll just do nothing with any of it and, you know, sit on it. Right? And, unfortunately, every single day you act like that. It’s another day that that, is a potential for an attack. And, it’s not to disparage anyone, but it’s definitely, like, trying to look at these reports. And and they’ll all sort of say this thing is super critical. Like, you really need to do this thing, and and actually take it seriously. Right? Because, you know, as someone who’s worked, you know, in writing those indicators, I mean, there’s a whole lot of time and effort and, you know, sweat and late nights put into, like, that stuff, right, that comes in as the output of those reports. So sorry. If I’m getting a bit soapboxy there, but I’m very passionate about it. Feel free to do that too. Okay. So the, sort of the cultural aspect that, you know, of let me put it this way. A company’s culture can make or break security. How do you build a buy in for cyber hygiene among staff who who don’t really see themselves as tech people? What about, you know, the sales guys? Yeah. I mean, I think, that’s definitely a good question. I mean, some of it goes back to actually, you know, organizational change management and, like, there’s the ADKAR model. Right? And the “A” is the awareness and “D” is desire. Right? And the whole thing within this is, we’re sort of trying to change people’s minds, which, again, if we’re all nerds, right, it’s not always easy to look at things from this perspective. Because you’re just like, well, we’ll just have a nerd argument over who’s right and who’s wrong or, you know, this is good or this is bad. But I think you have to look at things holistically. Right? Like, why why do we need phishing resistant authentication? 
And, if we need to get the whole organization on board, like a lot of non tech workers who don’t understand the tech, we need to sort of put that messaging out there to them in in ways that they understand. Like, we’re asking you to do this new MFA thing. Right, because the data that you use, you may not know it, but it’s something that an attacker might want to get. And, you might not think that you’re but I think a lot of people, I’ll say, that don’t work in IT. They don’t think that they are, like, a target for attacks. Right? But they are just as vulnerable because the data that they’re working with, you know, could be super important or interesting to an attacker. So just, I think, trying to frame it in a way where it makes sense to them. So now now they have that awareness. Right? And then you can be like, so, right, we can prevent this by implementing this new type of MFA, things like that. So you just talk to them, basically? Yeah. I mean, just talk to them. I mean, you know, working in tech, working in cybersecurity. Like, I know it’s not necessarily easy, and, you know, I’m in no way an extrovert. But, you know, I think there’s been waves, right, about soft skills, right, becoming important, in cyber. And, not to get way off track from, you know, the tech bits here, but it definitely, is critical, to helping our users understand, This isn’t thirty years ago where you could be, you know, the, you know, IT guy or IT, you know, person who just says, you know, be quiet and do this thing. Right? I’m trying to put it in a nice way there. Yeah. Life would be easy. Right? Yeah. Okay. So how do you see, leadership culture play? What role would you say it plays in either, strengthening or weakening, defenses? Yeah. I mean, I definitely think, you know, leadership, you know, you need to get them on board. Right? And some of it, again, from that organizational change management perspective is actually, finding your champions. 
So, like, a big thing in where we talked about phishing. And then so phishing equates to probably new MFA. A new MFA might equate to some executives thinking it’s a great idea and other executives maybe not liking it. So, finding those executives that like being the tech champions. Right? And, again, it can be easy. There’s usually the person who likes to tinker. They like having all the new stuff. They can usually be your ally. And then also, right, if say, IT, the security team, infosec, is having trouble translating things to the business. You’ve got people that you can also bring on board to, right, help do that. That maybe someone in finance loves this stuff. And they know how to, you know, talk to the other other parts of the organization. And, yeah, it it works just as great across the the public sector and all the sort of nuances in there. Smart. Find those tech champions. Yep. Yep. Absolutely. Okay. With a well documented shortage of skilled cybersecurity professionals, we all know there’s a shortage. What creative approaches are agencies using to fill this talent gap? Yeah. It’s a that’s another big question. You know, I definitely think that, you know, with with the gap, you see people trying to hire, you know, sort of younger, but the the state definitely has challenges and, sort of like you can’t have, like, internship programs. And wearing my hat going back, thinking of when I worked for the state of New York. But, I mean, AI is a big thing that’s being touted as filling those gaps, but I still personally have doubts as to whether, from a defense perspective, it, is mature enough to be able to fill them, with a high enough success rate. So, yeah, I mean, I think some of it is just going back and looking at, like, what is it that’s really important to you, and what do we need to do. And and looking at the list of priorities and saying, we do have a limited number of people. How are we going to to make this work? 
And some of the you know, sometimes I’ve seen this happen in private sector and public sector is potentially shifting people around, which can feel tough in PubSec. But, you know, as, like, an identity person on here, I tend to find that identity people, work better with security when they work, like, in security. They report to the CISO. But, historically, they’ve probably been part of, like, the server team. Right? And then you sort of get into contention. Well, if we take Eric off the server team, because he manages Active Directory there, and now he works in, you know, infosec, well, who’s backfilling Eric’s job. So, you know, it’s one of those things where I think sometimes it’s there there’s no, like, one singular answer to your question, and it’s sort of having to look at people not to reduce them as cards. Right? But definitely needing to look at at everyone and saying, well, how can we maybe shuffle things around, to, take things that really have a security function and put them in security, you know, without hurting, other other parts of the organization. That was a bit long. But No. No. Makes sense. Yeah. So, you mentioned, you know, like, AI, you know, gotta ask some kind of AI question. Yeah. We’re in this, you know, incredible time right now with this emerging technology. Are you finding it, I don’t know, difficult to work in with your strategies, or is it becoming an integral part? I mean, I will say, I think it’s interesting. Right? And I think if you have the budget, which I know a lot of PubSec doesn’t, right, that it’s interesting to play with. But that being said, you know, there’s too many applications I see where it looks good on paper. But then when you actually see someone, even like a demo, try to put it through, like, the paces or you start to pull up the threads, right, of, like, the limitations of the solution and things like that. 
Again, I’m not trying to say that we shouldn’t have progress, but I definitely think those would be pain points in, like, PubSec where you’re like if we’re strapped to resources, we certainly don’t have time to sort of babysit AI now. Right? Right. Right. So I would see probably just like it would not surprise me that in public sector that the adoption is is slower. It still is a very costly thing, to try to implement. Like, you know, the copilot-y type solutions that will do SOC type stuff for you. So I think until those things are ironed out, it’s gonna be, something that I don’t foresee being a great, like, broad tool where you just have, like, a prompt, then you go ask it to, you know, do AI things. Now I’ll say, there’s definitely, a lot of vendors out there who push AI where it’s really more still, like, machine machine learning. But you still have to kinda call it AI these days. I mean, those things are great. So I’m definitely differentiating between, like, the AI prompt thing versus, like, probably software a lot of PubSec already owns that, it has machine learning behind the scenes that’s helping you say, hey. Is this thing a threat or not? Right? And that stuff has existed for a long, long time. So is there more at stake in the public sector than I mean, in private sector? I mean, you I don’t know what the, you know, the stakes are. Yep. Yep. I mean, I think the stakes are different. I mean, in both cases, the stakes can be can be money, but, like, a PubSec can’t go out of business, so to speak. Right? Right. Right. But when you look at statistics around, like, the ability to recover from, you know, cybersecurity incidents, and I think, you know, in our ransomware report, it was something like, it takes some like, there was no state organization or state and local government that, you know, could recover in less than a month. We’re just making sure there’s not a wasp floating around this room here. Sorry to get distracted there. 
And, like, to me, that is very concerning because, for, like, any sort of state agency to not operate for an entire month, like, right, regardless in what they do, that is a very, critical function that’s probably gonna be sorely missed by whatever part of the public that they’re serving. So, and almost I maybe will answer my question or your question as I’ve rambled here in that, like I mean, the stakes, I think, are much different in that public sector. Your customer is the public, and there’s different things on the line with the public than, you know, if I have to wait an extra day because, it takes something longer to be delivered to my house because of a different private sector issue. Yeah. So how important are partnerships with vendors, other agencies, or even, like universities in extending cybersecurity capacity? Oh, I mean, I think that it’s it’s, you know, critical out there. You know, and and, I mean, if you look at PubSec, they all kinda have unique advantages and challenges and disadvantages. Like, where the education space actually, there’s a lot of potential. You know, when I talk with professors in cybersecurity, I mean, you have all these students who are sort of hungry, to learn cybersecurity stuff. Right. And how does that translate, though, to maybe helping out, you know, if it’s a state funded school. Like, can can that translate to helping out, you know, or or having pipelines, of this talent maybe not going to the private sector, right, once they go to, like, a public school for, you know, cybersecurity degree. Maybe ways to try to get them into helping out, you know, the the state that they’re living in right now or, at least PubSec. But no. I mean, there’s there’s certainly the skilling challenges. I think the industry overall right now, there’s a lot of people who wanna go get their masters in cybersecurity, and they pen tester or something that’s, like, cool. 
And, like, it’s a broader industry problem that isn’t just on PubSec that we also need people to realize. Like, that, the defense side also needs people. And they might not be, like, the, quote, glamorous jobs. Right? But they’re just as as critical or, you know, if not important than some of these things that, you know, everyone just sort of wants. It makes me think of, when I was in fifth grade and everyone wanted to play saxophone in band. Right? And they needed, like, two saxophone players. Right. Right? The defenders are, like, the twenty trumpet players that the band needs. Right? They’re still, important. Right. Right. It’s all glamorous, as far as I’m concerned. Yeah. Okay. Walk us through a cyber, crisis, you know, what it looks like in a public sector, situation. What’s often the first sign that something is wrong? Yeah. I mean, it that’s a that’s a very broad question. I’ll say just from my own experiences, it’s usually eventually noticing some, well, I guess I’ll say it’s either two ways. It’s either something’s wrong and you’re going to know it because, you’ve just had, like, a ransomware incident. And that’s pretty clear cut, because they’ve been lurking. They’ve been, you know, basically plotting everything, and now everything’s in motion. And you usually still don’t have time to sort of catch it, at least not before, say, Active Directory is hit, and then everything kind of falls apart. So before that it’s definitely if you wanna try to catch, like, a threat actor, right, sort of in your systems before damage is done, it it’s really that, like, sorta anomaly detection and, you know, sort of behavior analysis. And, again, it all sort of ties back to identity. Right? Because a lot of these things are like, oh, there’s this weird thing where you know, we saw John log in from, you know, Mexico. Are we going to say, hey, John. Like, are you sure that you did this thing, or maybe we need to investigate that further? 
But a lot of times, SOC can be overwhelmed or it’s not properly staffed or they don’t have the identity knowledge. And the thing will be on the screen with a hundred other different things that, you know, John signed in from Mexico, and we’re just gonna either deprioritize it for a day, which could be too long, right, or, you know, just sort of mark it as ignored. It’s like an anomaly, or we don’t believe the data that we’re seeing. Right? So, yeah, it’s focusing on those edge case things, but it goes back to needing to really, if they understand how your identity systems work, so that you then can understand what abnormal is. Okay. So what would you say are the most common mistakes agencies make in the first twenty four hours of a breach? Oh, I think it’s, you know, not not reacting, you know, quick enough, or and or well, so the top three things are are inaction. Either in someone not believing that there’s a breach happening. Again, you might say, well, if it’s, like, ransomware, it’s probably pretty apparent. And then it’s still, really starting to become a challenge where the, agency or whatever branch of government it is, they don’t have any sort of, you know, playbook, run book put together, and they’ve never done a tabletop exercise or anything like that in their life. So, you know, in private sector, you can get issues where it’s like we need to, you know, check with the lawyers, and I don’t wanna say finger pointing. But, like, oh, I can’t do anything unless someone else tells me what I can do. You know, PubSec is no different. Right? It might not be lawyers, but it’s probably agency directors and and, well, depending on the branch of government. Probably lots of lawyers. But still not still not having that branch together or not branch, that plan put together beforehand of, like, what do we actually do in actually going through a tabletop exercise. But, yeah, back to your original question. 
When when people don’t know what to do, they tend to freeze, or they tend not to want to have to deal with the weight of making a decision on themselves, so they’ll sorta defer. Right? And and you can’t blame those individuals, but all this deference and sort of passing the buck. Right? I mean, this is when, you know, minutes can matter that you you can’t wait a couple days to sort of figure out, like, okay. Who’s going to say it’s okay to do the next thing here? Okay. Well, so how can smaller agencies, prepare tabletop exercises or crisis simulations without a massive budget? Yep. Well, I think it’s all on scale. So, obviously, well I don’t wanna say that it’s taking things for granted because it’s not that a small agency or a small, you know, like a town doesn’t have a lot going on. But in ways, it might almost be easier to make calls. Right? Like, instead of a big state breach where maybe there’s a lot of things with getting a lot of people different a lot of different people involved. You know, from a town perspective, it’s like saying, hey. Like, well, we can just go ask, I know this maybe seems silly, but we go ask the mayor. And the mayor’s like, sure. We’ve got, you know, fifty people that live in our town. Just just do it. I think their issue might be more like they don’t know that they need to do a tabletop exercise, but I will actually say that, I know, you know, like, well, you know, companies like Semperis. We do tabletop exercise things. A lot of cybersecurity conferences do a lot of tabletop exercise things. There’s a lot of companies out there that will do tabletop exercise things for, you know, free right at, like, BSides, stuff like that. I know the FBI has done things, again, open to the public, as part of, like, InfraGard where they’ll sorta help you understand what a tabletop exercise is. 
So probably for a lot of organizations, big or small, it’s kind of giving the concept of, like, what is a tabletop and how do we do one? But I think there are a lot of resources out there. It’s just a matter of, again, someone sort of taking the initiative to understand that and kinda make the next move. Because, and I’ll just finish this rant in saying that I think the sort of paralysis can also, unfortunately, be on the proactive side. And unfortunately, sometimes in PubSec, because people can have a negative opinion of public sector employees, as I found out firsthand, that can get to you after a while, right, where you won’t be like, oh, well, let me go sort of see, like, what can I do, working in IT, working in our infosec team, to try to bring tabletop exercises into the organization? Okay. So beyond recovery, what are the top, let’s just make it the top three, things agencies should do to build long-term resilience after an incident? Yeah. I mean, definitely after an incident, you’re gonna wanna look at your IR plan, you know, what worked, what didn’t. I mean, this is assuming you have a plan. Definitely looking at the parts that didn’t work and trying to iron those things out. And I guess that’s more from the organizational, the operational perspective, then obviously the tech, like needing to examine, from the attack chain, what was the tech piece at fault? And, again, maybe it’s a blend of things, because maybe it was a phishing attack, or I should say maybe it was, like, social engineering the help desk, or, you know, the NOC, or things like that. But I think I’ve probably overcomplicated it, and I’ll just say simply, like, looking at both the tech bits and the organizational bits that failed and digging into those to kind of figure out, like, well, how can we improve in these areas? Okay.
So I always have to ask my sort of future-focused, you know, get-out-your-crystal-ball question at the end here. If you had to predict what’s the next headline-grabbing cyber threat likely to hit the public sector in the coming year, what would it be? Oh, that’s, I mean, I think it’s probably a boring thing. I think that phishing is going to just dominate. Like, I think the way it gets reported, it’s not like, oh, this big super fancy attack happened. It’s just almost like commonplace for phishing. I do think there’s newer types of phishing attacks that are being called, like, downgrade attacks, where the attacker, so this is like an attacker-in-the-middle scenario, and what they’re doing is they’re sort of interfering with authentication. So say I have, like, phishing-resistant authentication enabled for me, but I also have, like, SMS text as, like, a backup or something. What the attacker will do, the way the attacker-in-the-middle scenario works, is they’ll interfere with authentication so that I only get presented with, like, the backup method. Right? My username and password and the SMS text. And I think these will be a challenge, and these are starting to become a thing that we’re seeing out there, just, you know, broadly. And I don’t see this not also hitting the public sector. So the problem with the attack is now we’re like, well, we’ll go set up phishing-resistant auth, and we’ll give everyone passkeys and FIDO2 keys. But unless we make it so that is the only way you can authenticate, right, the attackers are now learning, hey, we can just force an end user to do this other thing. They’re probably not thinking. They authenticate all day long for stuff, depending on what they’re doing. So they probably also need to get work done. And, again, the statistics are showing that the user will just put in their username and password, you know, they’ll do the SMS text, and now they’re back to being phished.
And we’ve spent all this time and money putting fancy authentication in place, and it’s just essentially been bypassed. So those identity attacks, I think, are going to be, over the next year or so, something that we’ll start to see more of. But then I’ll just say the unfortunate part is the industry, right, gets into these traps of, like, the blame game, because when they happen, right, people won’t like the way the attack is reported, because they’re like, well, it’s not really, you’ll see some of these headlines recently that will say, like, passkeys aren’t safe, or FIDO2’s broken. Right? And, really, when you dig into it, it’s saying someone’s found a way to work around things. And we get into all this weird cybersecurity infighting instead of looking at, like, okay, well, how do we actually just protect our end users and our resources and our data, and whatever it is that we’re here to do for our living. Sorry. Getting a bit on my high horse. Yeah. I think that’s absolutely fascinating. But that’s all the questions I’ve got for you. I wanna remind everybody that you can type your questions into the Q&A box at any time. We’ll do our best to get to all of them. We’ve got a really good subject matter expert here. Get us your questions. We’ve only got a couple. So let’s go ahead and start with Al, who’s wondering, Eric, we haven’t seen any evidence of an attack, so why should we be worried? Yeah. I mean, I’ll say, unfortunately, it’s one of those things where, it’s so cliché to say, but it’s, like, not if, but when. So if you haven’t been attacked, it’s just the attacker hasn’t gotten to you yet. And unfortunately, the speed of attacks these days, and the dwell time for some attacks, is getting shorter and shorter. So, right, it used to be, like, an attacker would live in an environment for, you know, months, and now you’re seeing numbers that are dropping that down.
And I think the whole point in there is you don’t know when something’s going to happen. So you can’t just kick back and sort of presume that, like, we won’t be a target. Right? And so ultimately, it goes back to, no matter how big or how small or how unimportant you think maybe the work that you do is, relative to why would an attacker wanna come after us, you absolutely are. Your agency absolutely is a target for whatever it is that it does. And that’s why it’s so important to get ahead from a proactive perspective, right, in trying to make sure that you have the sort of smallest attack surface area possible. Okay. We’ve got another one here from Perry, who’s wondering, what if we have a hybrid identity environment? Will Purple Knight and Forest Druid still work for us? Yeah. Yeah. So, absolutely. I mean, honestly, so the two tools being called out here: Purple Knight is the tool that, we have a hundred, almost probably two hundred, security indicators in here. We look at both Active Directory and Entra, and I’ll step back and say, great, like, well, you might say, well, what is hybrid identity? And hybrid identity is when you have something like Active Directory, and then you also have cloud, whether it’s, you know, Entra ID, which is the one that we see most commonly, but also some organizations will have things like Okta and potentially some other IdPs. But yeah. So tools like Purple Knight, they’ll absolutely work with hybrid identity. I mean, they’re designed to work with hybrid identity. And same with Forest Druid: it will look at the attack paths out there in both your Active Directory environment as well as Entra ID. And, again, I’ll step back and say, you may say, well, what is Forest Druid? So, where Purple Knight kinda gives you a list, right, of here’s all the things we’ve checked, here’s what’s good, here’s what’s bad.
Forest Druid is more visual, where you get a graph of, oh, I see if I can, you know, compromise John, then maybe I can move into this, because John has access to this. And then maybe I can go here, and now all of a sudden I own Active Directory. So Forest Druid helps show attack paths in, like, a visual manner. But, yes, to the original question, these tools are all specifically designed for hybrid identity. So, yep. Gotcha. Okay. We got one more question here from Lynn, who’s wondering, are there specific threat feeds or information sharing groups, ISACs, you recommend as essential? Yeah. I mean, I definitely would say, you know, to me, my mind goes to CIS. And I know that CIS has specific programs for state and local government, and I think programs also oriented around, potentially, education and/or other parts of the government. And I don’t remember it all off the top of my head, because I work with CIS, but, you know, things are kind of always evolving there. But they definitely come to my mind when you talk PubSec. And, also, you know, I pitch InfraGard. Definitely looking at membership in InfraGard. You know, my own membership I’ve had there. There’s a lot of community-driven things with, you know, your local InfraGard, right, in that InfraGard is FBI-run. I think it’s like a nonprofit, right, sort of managed by the FBI. But, you know, there’s a whole lot of information sharing in there, both, potentially, you know, official information sharing from the FBI, abilities to report sort of back up to the FBI, and then also more informal information sharing just right through, you know, other forums that they have available. So, yeah, I mean, those are the two that kinda come to my mind. I guess, and more from a community or different angle than saying, hey, we’ll go buy a vendor product that does, you know, threat intelligence. I mean, there’s plenty of those.
If you’ve got your XDR of choice, they also have threat feeds that are going to be available to you. Well, my friend, that’s all the time we have for this. I wanna thank our guest today, Eric Woodruff, he tried to say, for an informative conversation, and many, many thanks to the folks at Semperis for making this conversation possible. Thanks, man. It was really a pleasure talking with you. You are a font of information, and I’m sure the attendees got their money’s worth. Thanks, everyone, and have a great day. Alright. Thanks.
