Lessons cybersecurity can learn from physical security

In this episode, we welcome Jeff Schmidt of Covail to discuss security and risk management, working at the FBI to create the InfraGard program, and what cybersecurity can learn from physical security controls and fire safety and protection.

  • 0:00 - Intro
  • 2:30 - Origin story
  • 4:31 - Stepping stones throughout career
  • 8:00 - Average work day
  • 12:14 - Learning from physical security
  • 17:18 - Deficiencies in detection
  • 22:17 - Which security practices need to change?
  • 24:15 - How massive would this change be?
  • 27:37 - Skills needed for real-time detection
  • 32:00 - Strategies to get into cybersecurity
  • 34:30 - Final words on the industry
  • 37:16 - What is Covail?
  • 38:40 - Outro

[00:00:01] Chris Sienko: Today on Cyber Work, I talk with Jeff Schmidt of Covail about the lessons that cybersecurity can take from physical security and fire protection. The days of cyber security as a pass-fail binary need to go now. That's all today on Cyber Work. Also, let's talk about Cyber Work Applied, a new series from Cyber Work. Whether you want to learn how cross-site scripting attacks work, set up a man-in-the-middle attack or get a blow-by-blow recap of the Equifax breach, expert infosec instructors and industry practitioners will teach you these cybersecurity skills and show you how those skills apply to real-world scenarios. Best of all, it's 100% free. Just go to infosecinstitute.com/learn or check out the link in the description and get started with fun hands-on training that keeps the cybersecurity skills you have relevant. That's infosecinstitute.com/learn. And now let's begin the show.

[00:00:58] CS: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of infosec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry. Jeff Schmidt, VP and Chief Cybersecurity Innovator at Covail is an accomplished cybersecurity expert with a background in security and risk management. He founded JAS Global Advisors LLC, a security consulting firm in Chicago; and Authis, a provider of innovative risk-managed identity service for the financial sector.

Jeff is a board member for Delta Risk LLC. In 1998, he worked for the FBI to create the InfraGard Program, receiving commendations from the Attorney General and the director of the FBI. He's an adjunct professor of systems security engineering at the Stevens Institute of Technology, and a Zurich Cyber Risk Fellow, Cyber Statecraft Initiative at the Atlantic Council. Jeff received a Bachelor of Science in Computer Information Systems and an MBA from the Fisher College of Business at The Ohio State University. So, Jeff came to us with an intriguing topic. He proposes what he calls a detect, defend and response posture in cybersecurity, and postulates that cybersecurity can learn lessons from the mature sciences of physical security and fire protection. So no matter how you're securing your system now, there's often room for improvement, and definitely always room for taking in new ideas. So let's take a closer look.

Jeff, thanks for joining me today on Cyber Work.

[00:02:27] Jeff Schmidt: Thanks for having me.

[00:02:29] CS: So we always like to start out with the inevitable origin story. How did you first get interested in cybersecurity, computers and tech? It looks like your career started in software design engineering, but moved pretty quickly over to security around 2000. And this held fast ever since. So what was it about cybersecurity that you found interesting or compelling?

[00:02:46] JS: Yeah. So my origin story is actually relevant to my thoughts on the detect, defend and respond thinking. So I've always been a computer guy. I was a programmer ever since about third grade. And went to engineering school and after college, I went to work for Microsoft as a kernel developer. So I was working on NT5, Windows 2000, all those sorts of things. And then the Melissa, Love Bug mass mailers hit. And that's when my career in security started. I was out of Microsoft when that happened. It was very interesting. Microsoft's kind of internal take on those things, basically, we were as surprised as everybody else. And it was driven by a lack of understanding of how attackers would abuse our systems. And so it got me very interested in understanding the adversary. I think that the defenders, in my case at Microsoft, in the mid-90s, the defenders were the developers that wanted to get their new cool features into production code. And the attackers were all the people that were trying to abuse the systems that they wrote. And the defenders didn't really understand the attackers. They didn't understand how they viewed their systems, how they would have used mistakes that they made, and things like memory management. And so there was an educational component to be taken up there to really train the defenders on how to make their systems more resilient to what attackers actually did. And essentially, that's what I do to this day, is train defenders to better understand how attackers view their systems and how their people processes and technology respond.

[00:04:33] CS: So, I think like many people who came into cybersecurity in the early 2000s, you were there at sort of the ground floor of what is sort of an established practice, but at that point was still being – The rule books were being written sort of for the first time. So can you talk a little bit about some of the stepping stone moments in your career, whether they were large projects or promotions, new skills learned, or other factors that help you make the jump from this sort of improvised, “There's a problem. We have to solve it now,” position, to the more ambitious projects and sort of fully formed ideas that you have now. What were some of the main moments in your career in that regard?

[00:05:15] JS: Yeah, so I was always a technologist. Grew up coding, went to engineering school and went out to Microsoft as a developer. And, again, in the kernel group and the Windows NT group was kind of the nerdiest of the nerdy. And it was over the course of my career there that I realized how important it was for technical people, particularly people in security and risk to be able to communicate effectively with business people. And that was a skill that was very lacking back then and very often lacks today. I think security people very often have a very rigid view. There's a right way to do things and a wrong way to do things. And security people are grumpy for all sorts of reasons. And I'm a grumpy security guy. I don't have my suspenders on today. But we’d have this feeling that we've been solving the same problems over and over again and people don't get it and all those sorts of things. And that's great to be grumpy like that, but it's not helpful.

And so effective communication with non-technical people, with business people is something that I learned was important, in the late 90s, early 2000s. And I think it's really become something that has helped my career and it's something that I advise others that I'm mentoring and talking with to really make sure that you're not just a technologist, and you're not just a grumpy security guy or gal, but you're able to communicate, and that's the only way that we're going to improve and we're going to get better.

[00:06:56] CS: Yeah, I think it's easy to think of the cybersecurity team or the IT department as being this sort of island unto themselves, and they speak their own language, and they're sort of contemptuous of everyone else and stuff. But, obviously, we've heard this in episode after episode that you need to be able to communicate effectively, especially to the leadership, but also to just rank and file people who might be making sort of chronic mistakes and might need a gentle nudge rather than a rude one. I guess you agree that communication, it's got to be there, especially as someone who's just entering the industry. You have to know how to do what you do, but also how to convey what you do to others.

[00:07:41] JS: Right. And without being the, pick your euphemism, the Department of No, the professional parade rainers, all that, you've got to find a way to turn it into a risk management discussion, not a, “You're a bunch of idiots. This is not the way to do it. My way is the only way to do it.”

[00:07:59] CS: Sure. So, we get people from sort of all different levels of the career ladder on here, from CEOs and people starting startups, to people in help desk and stuff, and we always like to ask them what their day-to-day work looks like. So what is your average workday or workweek as Chief Cyber Security Innovator at Covail? Like, when do you start? When do the emergencies start piling up? When does your to-do list go up in flames? All the usual touch points?

[00:08:30] JS: Sure. Well, Covail is fantastic, because it is a small company. We're about 30 people. And so when you're in a small company, you get to do everything. And that's one of the things that I really like about working in small companies. And so there is really no average day for me. I am working with the board and executives on business sorts of things, strategy, long-term planning, all of those sorts of activities. And then I'll be on customer calls, working with my team, problem solving, delivering. All of those things happen in any one day in varying ratios obviously.

My favorite part is certainly working with clients. I love going through the delivery phases of an engagement where a client – I have a philosophy and I tell my team, “I want the client to be better that day in working with us.” I don't like security engagements that end in a report that gets dusty and nobody reads and doesn't lead to improvement, right? And anybody that's been in this space a long time gets grumpy about things like that. And so I turn that around, I say, “Look, I want the client to be better that day.”

And so my favorite part is when I'm in a meeting and we're either doing some sort of a purple team experience or other debrief and I can actually watch the client getting better and say, “Oh, okay, I see how that works.” Or, “We're going to implement a detection there.” Or, “We're going to change that piece of code.” Or, “Boy, yeah, that cookie really should have been marked secure, because I can see how it can be abused.” And so watching clients get better is by far my favorite part of the day.

[00:10:17] CS: Are there parts of your job that stress you out on a Sunday night as you contemplate your workweek?

[00:10:22] JS: Yeah, I mean, incidents – Incidents are just code for breaches, right? The lawyers tell us, “You never have a breach. You always have an incident.” Those are always very stressful and they always happen on Sunday nights, or the Friday of Thanksgiving weekend or what have you. It's a lot of stress. Most of the time, when you're providing assistance with an incident, you're providing assistance to people that have never been through anything like this before. And so there's the fear of the unknown. Very often people are worried about things beyond the actual incident at hand, like, “Am I going to lose my job over this?” Or, “When the final analysis comes, am I going to be found at fault, or that I made a mistake or whatever?” I mean, the human side of this permeates every incident that I've ever worked with. And that creates a tremendous amount of stress for all parties involved.

[00:11:21] CS: Now, do you sort of think of – Are you sort of always on call? You mentioned Friday of Thanksgiving weekend or Sunday night. Are you always sort of taking these emergency calls?

[00:11:32] JS: Yeah, I mean, I and Covail in general has a very close long-term relationship with our clients. We're not kind of transactional. So, it is not unusual for a client to call on a Sunday night and say, “Hey, Jeff, I think I got a problem.” And I always want to be available for that call, because I've been on the other end of that, and I know how stressful it can be.

[00:11:53] CS: Right. Yeah. And that's good to know. Because as a lot of our listeners are considering what aspects of security they want to get into. And so if you're interested in doing this kind of work, just be aware that your clients will have their problems when they have the problems, and you got to be ready to step in and help them out. So, as I mentioned, at the top of the show, we're here because of a piece I read of yours entitled Evolving to A Detect, Defend and Response Posture. In it, you postulate that information security practitioners have much to learn from the mature sciences of physical security and fire protection. So rather than me trying to imperfectly summarize some of your points, I'd like to have you walk through some of these key points yourself. So tell me what you think we can learn by studying the ancient arts of physical security and fire protection? And what about it surprised you?

[00:12:39] JS: Sure. So the practice of cybersecurity has been largely a pass fail exercise for the past 20 years. You are secure, and you don't have bad things happen, or you are not secure and bad things happen. And so the mentality has been if I do things right, my systems are impervious. And the corollary to that, if I do things wrong, then I'm going to get beat up. And that is not a healthy position for defenders to take in for an expectation. The systems have become too complex and too widespread. And there's so much going on in general that you cannot allow the expectation that a system is impervious. The way to have an impervious system is to shut it off, cut the cord and bury it on a salt line someplace. It's not very useful at that point, but it is impervious.

And so I am enlightened by the approaches to fire detection and fire response and physical security where the approach is not these systems need to be impervious, or else they suck. It is they need to resist the hazard for a long enough period of time for the cavalry to get there. And so – Here we go. My background here, the beautiful city of Chicago, we're very sensitive to fires, obviously. And so the fire codes, if you drill into what a fire code in Chicago looks like, particularly in the dense downtown area, it's all time-based. It's based on your requirements, or your building defensibility is based on how far away from the fire station you are. Again, the corollary there being if you're next door to the fire station, the cavalry will be there quickly until the building may not need to be as defensible for as long. That directly translates into things like armored stairwells and sprinklers and two-way communication. And in the security space, we would call those controls. And so if you're next door to the fire station, you may have fewer controls requirements.

Similarly, if you’re five miles from the fire station and bad traffic, and it might take 20 minutes for the cavalry to get there, you have more requirements for the building to be defensible for a longer period of time. So you might need, again, external stairwells and sprinklers and all those sorts of things. Anybody familiar with the classified world, in the US, you deal with these things called GSA containers, Government Service Administration. GSA containers are where you put classified stuff, and weapons and other sorts of things that the government wants to protect. And GSA containers are defined by their time resistance to a particular adversary with a particular set of tools.

And so a GSA container is defined as it is resilient to an adversary, an expert adversary, with everything except explosives for 45 minutes. And they talk about surreptitious entry and non-surreptitious entry. And again, all those sorts of things that you care about if you're defending classified material. You want to know that somebody got in and they blew a hole in it, versus somebody was able to enter and exit without you ever detecting it, right? But it's all based on time.

The onset part of that is there better be an alarm and the cavalry better be there in less than that amount of time. And so that's, again, a really healthy way to view security. Fire safes are the same way. If you go into Home Depot, you'll see a fire-rated safe that is rated at a particular temperature for a particular time. So if you're putting gold in it, you don't really care about the temperature, but you do care about the time. If you're putting paper in it, you definitely care about the temperature and the time. So this whole concept of defending against a hazard for a period of time and the cavalry getting there is a very sophisticated and very healthy way to look at security. And we need to do that in IT and cybersecurity. Not assume that we are building impervious systems, but assuming that our systems will be compromised, and that's okay, as long as we detect it and we respond in a reasonable amount of time. Now, unfortunately, as an industry, we really stink at detection. And so that's where we have – the first opportunity is to get better at detection. And then we can start to worry about responding.

[00:17:19] CS: Yeah, so what are the deficiencies in the current default model of cybersecurity? Because you note that IBM, Verizon and CrowdStrike all report that we grant an adversary days, weeks or even months to operate within our networks before detection. And, it’s curious to me, and I'm wondering what actions or policy changes or just overall changes to cybersecurity posture that you think could or should happen to prevent these enemies within to stay hidden or unreachable for so long? Like, I think we all agree that having an enemy in your system for months is a terrible thing, but it's not like anyone saying like, “Well, there's nothing –” Like how does change exactly?

[00:18:00] JS: Yeah. So the most important thing is defenders start to need to view detection as a scientific exercise. All detection right now, with the exception of some kind of extremely sophisticated players, really, all detection nowadays is by luck. And anybody that – I think most people would agree with that, and if they disagree, we might have a bar conversation about it. But, people, the way you detect something, is you get lucky, right? Chris had the right instinct at the right time. He looked at the right log. Chris was on duty.

[00:18:42] CS: Yeah, something felt off.

[00:18:44] JS: Right, exactly. But boy, if Chris was on vacation that weekend, and Jeff was on duty, and Jeff's kind of a buffoon, you might not get the detection.

We're not really consistent in what logs we detect and what logs we look at on a regular basis, and all of those sorts of things. And so detection usually occurs either by luck. It occurs when you get that fateful call from the FBI saying, “Hey, some of your data showed up in this other thing we're looking at over here. You might want to look at this.” By the way, until recently, that's how most detections actually occurred, was by a third-party notification.

Now, unfortunately, the detection frames are going down. And if you see in the recent CrowdStrike and Verizon reports that the time to detect is going down. But if you dig back or dig into it a little bit, it's actually for terrible reasons. The detection windows are not going down, because we're getting better at detection. The detection windows are going down because the incidents lately have been self-detecting. They've been ransomware, right? You get the note. You get the horrible little note that says, “Pay me in Bitcoin.” There's your detection, right?

Yeah. And so the occurrence lately of these self-announcing incidents are reducing the detection window, but boy, I mean, it's for terrible reasons. So there's a couple things. I mean, I think people need to really analyze detection. Say, “How do I make this rigorous? How do we make this scientific? How do I make this reliable and predictable so that I'm not just depending on Chris being on duty at the right time and having the right instincts?”

By the way, frameworks like the NIST CSF, the Cybersecurity Framework, that they split up the world into identify, protect, detect, respond, recover, right? And that's a really healthy kind of left of boom and right of boom lifecycle to look at things. But there's a whole detect stage in the CSF, which is really healthy, because now people that organize their thinking, their controls, their budgeting around CSF have this great little block to look at like, “Okay, what is our detection capability? What are our detection objectives?” And they have to be measured and validated in terms of time.

So I would say that if I could look into the future or have a hope for the future, a strong, mature, defensive cyber security program will have a list of techniques, or bad guy tactics. You can use something like MITRE ATT&CK or whatever, but that's just a list of techniques that bad guys use. And then a list of controls for each of those techniques that increase your odds of defending and detecting, but then a time to detect and a time to respond objective for each of those. So you should be able to say, by technique, Kerberoasting, right? Pulling and trying to leverage long-lived Kerberos tickets in a Windows Active Directory environment. I should be able to detect that in X, 45 minutes or less, 30 minutes or less, two hours or less, a day. As long as I have the number, it almost doesn't matter, as long as I know the number. And then from there, what do I do about it?

[00:22:17] CS: Yeah, so I mean, what aspects of the current security practice have to go away? And what comes in their place? Like it sounds great. Like, we have to start doing this now. But like what does that actually mean on the ground in terms of changing your current focus, your current tech, your current employee directives or whatever. How does that change?

[00:22:42] JS: Yeah, so every aspect of an enterprise security program right now is organized around a pass-fail methodology. I have a control or I don't. I have a green checkmark there, or I don't. Or my favorite board slides, the red, yellow, green, those are all effectively pass-fail, right? And we need to change the mentality to a detection and a response timeframe. So this bad thing is going to happen to me at some point, right? It's inevitable, right? How do I know what's happening? And how do I detect it in a constant, predictable, reliable timeframe, regardless of who's on duty, regardless of what time of day it is, regardless of whether it's the Friday of Thanksgiving weekend, or two o'clock on a Tuesday?

And then, really, that permeates the whole organization. Most enterprises do not have a 24/7 detection and response capability. And so then you have to look at, “Well, do I use other providers? MSPs? Are there aspects of this that I need to outsource? Or does my business dictate that I do need to have a 24/7 capability natively?” So, I mean, those are the sorts of questions that we need to evolve to and we need to get to. And those are great resourcing questions for the executives and for the board. If your requirements say you need a 24/7 capability, there's obviously budget associated with that, and other interesting discussions to have.

[00:24:14] CS: Yeah, that leads to my next question. So how big of a change do you think this is in terms of implementation, budget, timeframe? Certainly C-suites and boards are famously reticent at making huge changes and spending huge amounts of money for all of a sudden there's a problem when there wasn't a problem before and so forth. So what does the scope of this look like to you for – I know obviously every system is different. But what do you think?

[00:24:45] JS: Yeah. So on the one hand, I think it's enlightening and liberating. And the reason for that is, look, in the security space, I mean, it's full of noise. It's full of vendors. And nobody really knows what to do, right? Everybody has a philosophical and a religious position. And I'm full of – I'm just like any other security guy or gal. I'm full of philosophical and religious positions, but nobody really knows what to do, right? I mean, it's all kind of non-scientific. And should I deploy a cloud proxy or should I deploy an endpoint tool? I don’t know. I mean, that could make it. They're both fine security controls. You can make an argument either way. But what should I do? I don't know. What's everybody else doing?

And I was with a very well-known security luminary at RSA three or four years ago, and we were standing on the floor in one of the two story booths that vendors have kind of looking around the floor. And if you've ever been to RSA, it's just this massive sea of humanity. There're tens of thousands of vendors. And this gentleman looked around the floor kind of pensively like an old grumpy security guy does and said, “And this is why we have a problem.”

It's very confusing. Nobody knows what to do. And so I think if you can organize around something like I need to defend by having constant time detections in response for a list of MITRE ATT&CK techniques that are applicable to my enterprise and my vertical, that becomes very specific and very actionable. Like that's something that I can do. That helps me, “Do I need a cloud proxy for my remote employees? Or do I need an EDR?”

Well, absent some rubric like that, it's an impossible decision to make. But if I'm looking at like, “Okay, here's MITRE ATT&CK and here's how I detect and defend and respond against every technique, here's my gap, right? I have no way to detect in constant time when Mabel clicks on something bad, because Mabel’s always going to click on something bad, there's nothing we can do about it. And Mabel’s computer is at home, off the VPN, connected to the internet directly, and I'm not getting logs, right? I have no way to detect that, okay?” Now I can start digging through, “Okay, well, what tools can help me with that?” right? Because that's a gap. So I think it's a very healthy way to think about organizing an overall security program, and I hope that we advance to that level of maturity.

[00:27:37] CS: So let's pivot over from there that this is the point where we start giving additional value to our newcomer listeners who are trying to put their first foot into the cybersecurity industry. So I think if you are able to come to a new company with these kinds of recommendations and say, “We want to move towards constant, real-time detection that's customized to your specific platform and so forth.” Like what are some cybersecurity skills that students are not as professional should be learning and studying to stay ahead of the curve and be able to sort of deliver this to whatever new company that they're starting with?

[00:28:17] JS: Yeah, so a couple things. I mean, first of all, and I mentioned it earlier, enough business knowledge and acumen to be able to communicate effectively is critical. And so to the extent that you can use online training, and as you advance in your career, getting a business certificate or an MBA or something like that to balance a technical background I think is a really good long term. This is a long term business risk management business that we're in, and it's not going away. Security guys and gals are chronically employable as a friend of mine once said. And so the ability to integrate with the business and talk about risk is really important.

Additionally, for the last 10 years or so, we have largely been throwing people and tools, and then by corollary money, at the security problems. And, obviously, we can't continue to scale like that. And so, investing in – Well, from a people perspective, understanding automation technologies. Understanding, I have to do air quotes, around “AI, ML.” But I'm not saying that in the snake oil sense. I mean, there're real valuable things there that will help us do our jobs and will help focus the humans. AI, machine learning, all that will never replace the humans. I tell the story. It's like the National Weather Service. They all have models, but then there's some meteorologist that looks at the models and says, “Here's what I think is going to happen,” right? That's the way we're going to get to in security.

[00:29:56] CS: Yeah. There’s no robot Tom Skilling, to use another Chicago word.

[00:29:59] JS: Right. So understanding what the AI and ML technologies are actually doing, where they're helpful, how to interpret the results, how to use them to lever up or going to have to force multiplier, all these air quotes things, to really help your organization scale is a really important skill set to have. Thirdly, defenders need to understand attackers. We're minting security guys and gals as fast as we can because everybody understands the security skills shortage and all of that sort of thing. And that's wonderful. And I'm happy to see new folks entering the space. But very often, the new folks entering the space are your first line defenders. Very often, your newly minted guys and gals come in and help desk and soft roles and things like that. They’re the level one defenders. And those are the people that have the lightest and the least developed instincts about what's actually happening. What a bad guy is actually doing?

I've shown newly minted security guys and gals, attacker tools, like Mimikatz and BloodHound and things like that, and they think it's magic. It's just a lack of familiarity. And so I would say every defender, hang out with offensive testers. Pen testers, offensive testers, they're an interesting bunch. But as a defender, you have to understand attackers. You have to understand how they think. How they view a system. What they do. How the spy versus spy or counterpunch punch is going to work. And that makes you a better defender.

[00:31:53] CS: Yeah, be comfortable with a wide range of tools and how to sort of use them creatively and all that kind of thing.

[00:31:58] JS: Yep.

[00:32:00] CS: Yeah. So for people who are looking to get into cybersecurity from other professions, or people who feel stuck in their current job, do you have any strategy tips you can recommend to help them get unstuck? What's one thing you could recommend someone to do tonight that would help them get closer to doing this kind of work?

[00:32:18] JS: Yeah. So there is a tremendous amount of cyber security content online. And I'm not talking about the paid courses and the kind of the traditional repositories of knowledge. The paid courses are great. But this podcast, all of the cybersecurity luminaries out there, or most of them, write blogs, are present on Twitter, are present on LinkedIn, are on podcasts, are sharing their craft. I mean, that is one wonderful, wonderful, wonderful thing about the cybersecurity space. Even though it can seem impenetrable and be populated by a bunch of grumpy people, really, the amount of sharing and openness of the cybersecurity community is tremendous. And so, I would suggest anybody, follow people, read, watch the videos and the podcasts. Find a core list of 10 or 15 folks that are really interesting in your particular area.

The cybersecurity area has 101 niches. And it can seem daunting to somebody just kind of getting into the space, but there are a lot of niches that are interesting, everything from secure coding, web apps. That’s a whole practice right there. Governance and controls and kind of defense optimization, that's a whole area. Offensive testing is a fantastic area. Identity and authentication and authorization systems, that's an area that I have a particular interest and passionate about. I mean, that's a fantastic area. And it's the root of almost every security problem. I mean, almost every security problem started as an authentication and authorization problem. So pick some niches that kind of interest you. Pick some personalities to follow and immerse yourself.

[00:34:29] CS: That's great. So as we wrap up today, do you have any final words for the industry? Things that you'd like to see start to change on a wide scale? Because obviously some people are going to implement this, some people aren't. But what are your crystal ball predictions and hopes for the coming years?

[00:34:47] JS: Yeah, I really think we are entering a golden age of defense. I think that the industry is evolving from a, “I've got to be impervious,” to, “You know what? I need to detect, defend, respond in a loop, in a cycle,” an OODA loop to use the term, “where my defenses are always evolving based on what the attackers are doing.” And that static reports that collect dust in a corner. Compliance reports that are checkbox sorts of exercises. They're not going to do it anymore.

And so that's going to mean evolving to more frequent and more dynamic offensive testing. Not the kind of offensive testing that we've been used to in the past, but more purple team, which is the red team and the blue team working together to make the defenses better. Instead of doing one or two offensive exercises over the course of a year, you might do five or six offensive exercises over the course of a year. Integrating offensive exercises, which are largely technical with the non-technical components of defend and respond. So if something bad happens, Mable clicks on something bad. The attacker has access to Mable’s machine and starts moving laterally. Great. There's the technical piece of that response. But then there's the non-technical piece as well, right? What sorts of compliance and contractual requirements did this indicate? How are we going to communicate with our employees? If we're going to require 30,000 employees to do a password reset, what are we going to message to them? What are we going to message when that becomes public? What are we going to message when we get hauled up in front of Congress to testify about the particular incident that occurred, right?

So continuing the technical exercises into the non-technical realm with things like tabletops and other things I think are incredibly important to really integrate the detect and respond pieces into a more holistic response. I think it's a really, really exciting time to be in defense. And I think that as businesses build a defense capability, that they can do all these things. It's a great time to be in the space.

[00:37:17] CS: This has been a great talk. And I want to thank you for your time today, Jeff. But before we go, tell us about Covail. What are some services you provide and some projects, services or initiatives that you're working on for 2021 that you're particularly excited about and want to tell our listeners about?

[00:37:30] JS: Absolutely. So as you might imagine, I have a passion for offensive testing. And so Covail offers a number of offensive testing services that span the gap, or expand the range from very traditional compliance-oriented pen tests all the way through purple team, constant loop supported by tabletop, kind of very advanced offensive form factors. We do those for a number of large enterprises in a number of verticals. We also integrate a compliance and governance team into those exercises. So I like to say, if you're concerned about ransomware, for example, all 800 controls in NIST 800-53 or 800-171 don't matter equally. There's like do 12 well, right? So we focus on helping you –

[00:38:25] CS: Yep, customizing your system. Yeah.

[00:38:27] JS: Right. Right. So we identify and then help you figure out which controls really matter, are really going to contribute to your security and really support the objectives of the offensive team.

[00:38:40] CS: All right, one last question for all the marbles. If our listeners want to learn more about Jeff Schmidt or Covail, where can they go online?

[00:38:47] JS: Yeah. So I would go to covail.com. And we have a blog there. We have information about our services there. And a lot of the philosophy and the points that you've seen here are covered in the concept you'll find there. So please visit us at covail.com.

[00:39:03] CS: Terrific. Jeff, thank you so much for your time and insights today.

[00:38:21] JS: Thank you, Chris. Pleasure.

[00:39:07] CS: And as always, thank you all at home or at work for listening and watching today. New episodes of the Cyber Work podcast are available every Monday at 1pm Central both on video at our YouTube page and at infosecinstitute.com/podcast, or on audio wherever fine podcasts are downloaded. And don't forget about our hands-on training series, Cyber Work Applied. Tune in as expert infosec instructors teach you a new cybersecurity skill and show you how that skill applies to real-world scenarios. Go to infosecinstitute.com/learn to stay up to date on all things Cyber Work. Thank you once again to Jeff Schmidt. And thank you all for watching and listening. We'll speak to you next week.
