Could one missed alert put lives at risk? Hospitals were once worried about downtime. Now they're facing something far worse: real-world consequences when cybersecurity fails. One ransomware attack shut down a hospital—and a patient died. It was a moment that changed how healthcare leaders view risk forever.
In this episode, Max Clark sits down with Eric Fromm of Trustwave to unpack the silent vulnerabilities plaguing healthcare systems, and how Temple Health made the shift from “good enough” security to fully operationalizing Microsoft E5. They dive into tool sprawl, MSSP gaps, the power of co-managed SOCs, and how to turn underutilized licenses into real protection. If you work in healthcare IT or security, this is your wake-up call.
Watch now—because the next breach won’t just cost data.
TDD EP51 Eric Fromm [Full Clip]
[00:00:00] Max Clark: I bit my tongue the other day. So if I sound strange at some point, it is literally because I just completely, I don't even know how I did it. I'm just completely wrecked.
[00:00:11] Eric Fromm: I've done that before myself, so it's all good.
[00:00:15] Max Clark: Okay. So, quick note about Riverside. At the top of the screen, you're gonna see a little box that's gonna have an uploading icon in it.
[00:00:23] Eric Fromm: Mm-hmm.
[00:00:24] Max Clark: The high res is local and then progressively uploads in the background. So if it gets pixelated or looks weird, don't worry about it. The one we care about is actually uploading from the computer.
When we're done, I'll stop the recording. Oh my goodness. I'm not gonna be able to talk today. Wait, hold on.
When we're done, I'll stop. And then I'm just trying to mentally think of whether I can do this or not. [00:01:00]
Okay. I don't wanna push this off 'cause rescheduling is gonna be a nightmare. When we're done, I'll press stop. You'll see it. We just have to wait for it to finish uploading. It'll hit a hundred percent and then you're all good. Otherwise, just hang out. After we stop, it's not like an instant hangup.
Normally I ask about this, but in this case, Temple Health is public on your case study, so we can actually use the name.
[00:01:33] Eric Fromm: Mm-hmm.
[00:01:34] Max Clark: That's fun. Were you directly involved in this, or...
[00:01:38] Eric Fromm: I was,
[00:01:39] Max Clark: Okay, good. So that way I'm gonna ask you questions about it that aren't gonna sound too crazy. I just wanna make sure that I'm getting a little scene set here.
Oh boy. My tongue.
[00:01:55] Eric Fromm: Hey Max, you know what, again, if you wanna reschedule, we can.
[00:01:58] Max Clark: No, no, no. I [00:02:00] mean, literally I'm booked through June 5th and then we hit the road, so I want to get this done. I'm just having a little moment of internal reflection here. See, this is great. You're supposed to be doing all the talking anyways, so now it just reinforces that. Eric, you're gonna have to carry the podcast, buddy.
[00:02:20] Eric Fromm: Hey, I'm happy to help.
[00:02:22] Max Clark: Alright. You wanna do any burpees? Get the blood flowing, some jumping jacks? Just do it live. Let's do it live.
[00:02:32] Eric Fromm: it.
[00:02:33] Max Clark: Okay. I haven't found a really good lead into these things, so just bear with me a second and I'm just gonna come up with something on the fly.
I don't know, we'll just figure something out. Eric, thanks for joining. We're here to talk about Temple Health and [00:03:00] a couple of different transitions. If you could start by giving me a little bit of backstory, paint the picture: where Temple Health was and how this started for them.
[00:03:12] Eric Fromm: Yeah, so Temple Health originally came to us, actually they put out an RFP, and they were looking for a provider that could help them with their Microsoft journey. One of the things that they had mentioned is they always knew Microsoft was the right solution, but they were finding they were having a challenge with their existing provider, so they were looking for somebody that could help them with that Microsoft journey, right, and implement the tools and some of those things. So that's really where we first started engaging with Temple Health and started the road, if you will, working with them.
[00:03:52] Max Clark: So there were really two issues at play here, right? The first one is wanting to do an all-in migration into Microsoft E5 Security, and [00:04:00] then the second one of evaluating how do they actually make that transition, and who helps 'em along the way?
[00:04:07] Eric Fromm: Mm-hmm. Yeah, we're seeing more, you know, first of all, MDR providers, there's a ton of 'em out there, and a lot of
[00:04:15] Max Clark: Hmm.
[00:04:15] Eric Fromm: they all sound the same. But when you start whittling things down a little bit further into who understands Microsoft and that technology stack, there's only a few of us, and this is really where, when we started working with and through this process with Temple Health, one of the things that they liked about us is we understand Microsoft, right?
We understand what those tools are, but also we helped them with the vision of their journey of transformation. And so that's where I think that partnership sort of came into play: looking at what they had, looking at some of the gaps that they had with their current vendor. Some of the things that they shared with us is, they said, Hey, our vendor's [00:05:00] great. They do an okay job. They could do a good job maybe at identifying various attacks, but when it gets into responding to some of the attacks, that was one of the gaps that they had with the provider, in addition to understanding the Microsoft technology stack. And really where Trustwave came into play is, first of all, we were able to leverage the Microsoft tool stack, implement some of those tools, and help them along that transformation process. So it was really a great partnership.
[00:05:36] Max Clark: Okay. There's a couple things I wanna dig into a little bit there. The first one is, Temple is a large organization, north of 10,000 people, right? So you're not talking about a small internal team.
[00:05:49] Eric Fromm: Mm-hmm.
[00:05:50] Max Clark: One of the things I see a lot with companies evaluating E5 Security becomes the, do we do it ourselves
[00:05:57] Eric Fromm: Mm-hmm.
[00:05:58] Max Clark: and do we try to bring this [00:06:00] capability in house?
And then the second one that you hit on briefly was: there's a ton of companies and a ton of MSPs that are now designating themselves as security service providers as well, and saying they can support E5 Security. If you could expand on it for me, why are both of these thoughts so dangerous for organizations?
[00:06:23] Eric Fromm: I think, you know, we love Microsoft. We've been working with them very tightly, but again, their licensing is very challenging, and a lot of people, the first thing when we start working with clients, they say, Eric, we don't understand what we have today, let alone how it can help us.
A lot of folks start off with just Sentinel or Microsoft Defender for Endpoint, but the reality is with Microsoft Defender, that E5 license, that power comes in as something called the unified platform, in addition to some of those other Defender tools that come with that license: Defender for [00:07:00] Identity, Defender for Outlook, Cloud Apps, so forth and so on. But this is where, for us at Trustwave, not only do we help clients understand what they own, understand the gaps that it fills, but more importantly, we configure those tools for them. We bring them in, we set 'em up in their environment, we get 'em into an optimal state based on best practices, and more importantly, where they're all communicating.
Those tools are all communicating within the unified platform. This really helps transform a program from your traditional SIEM and EDR space to looking at a program approach. So some of the things that we were able to show Temple Health is your security score. Here's some additional controls that you can do to increase the probability of being impacted from ransomware. So this is really where that understanding what Microsoft has and the capability, and more importantly, [00:08:00] implementing it in the right fashion, so a client really leverages the full scale of the tools.
[00:08:08] Max Clark: I mean, so what's the danger of a company going and trying to do this themselves? I mean, again, at this size, there's gonna be dozens of people in IT. I think every IT team is underfunded to a certain degree, but this isn't like a team of one trying to go out and figure out how to add security into the stack.
Why not hire or train or develop or push this? What is an MSSP bringing to the table here? I don't wanna phrase this so it sounds crazy, but like, why would you be crazy to wanna do this yourself? Right.
[00:08:53] Eric Fromm: Yeah, so just starting off with one, security professionals are hard to [00:09:00] find. Two, security professionals with Microsoft security expertise across that entire E5 stack are hard to find. Three, if you do find them, it's hard to retain them, right? And so this is where Trustwave solves a number of those problems for folks. Not only do we have the expertise, we have Microsoft MVPs, which is one of the highest Microsoft certifications. I always go back, I'm a previous networking guy. If you're familiar with the Cisco days, it's like the
[00:09:37] Max Clark: Mm-hmm.
[00:09:38] Eric Fromm: of the Cisco, but we have those folks on staff. We have certified Microsoft individuals all the way from our SOC to our delivery services, to our ongoing meetings with clients, and also our professional services. And I think having that wide breadth of expertise across all different disciplines, [00:10:00] but more importantly, if you need help with Copilot or if you need help with Purview, right? We have that expertise. And this is where some of the challenges of training people come in: not only finding people, but training them, getting them up to speed on each one of these, you know, there's 30, 40 different programs or solutions under that E5 stack, and
[00:10:23] Max Clark: Mm-hmm.
[00:10:24] Eric Fromm: things that we see is a lot of clients will come to us after purchasing an E5 license, six months, a year later, and they're like, you know, we just don't feel like we're getting the value out of this solution internally.
Like, we implemented Sentinel, we've got Defender for Endpoint, but that's really as far as they take it.
[00:10:45] Max Clark: So, I mean, there's lots of VARs in the market. There's lots of MSPs or VAR MSPs. It's a very saturated market. It's very easy to turn up these businesses and [00:11:00] not so easy to sell and support them, but it's more than likely everybody's got a VAR they're working with, or an MSP that they're working with, trying to sell them solutions.
How does somebody go through and really dig into the capabilities of that company? If they're coming and saying, Hey, we can support 365, we can support E5, we can support security, we can do these transitions for you. What advice would you give somebody in actually trying to dig into that a little bit deeper and understanding the capabilities and whether they can actually deliver what you need?
[00:11:34] Eric Fromm: That's a great question, Max. You know, it starts with, since we are a Microsoft certified partner, one of the things that we do with clients is we actually have something that we call workshops. What we can do with a workshop is, again, Microsoft funds us to come in, you know, set up their environment, their MXDR environment.
We will configure Sentinel, we'll configure their Defender tools, but more importantly, [00:12:00] we do this within their environment. It's not a demo environment. We actually bring in live data, and this actually goes over a 30-day span. And each day, each week, we go through different tools so clients understand what the capabilities are and, more importantly, how they all fit together. And so at the outcome of that 30-day type of engagement, they have a good understanding with, for example, Microsoft MXDR. We've got a lot of these same capabilities with Copilot, Purview. Again, getting folks familiar with what Microsoft, that $20 billion that they invested out there, and again, it continues to grow. But this is where building trust with our clients is important. Those workshops not only show the clients what they own, but more importantly it shows them what we know and how we can leverage that to bring that together.
[00:12:57] Max Clark: I wanna come back [00:13:00] and dig into workshops a little deeper. E5. Microsoft has done a great job over the years of creating platforms, creating ecosystems, creating product, and then enabling additional companies to come in and either fill capability gaps or to support deployments.
Now, E5, and E5 Security, complicated the landscape a little bit, because if you look at a slide deck for a modern security stack for an enterprise, right, there's a bajillion logos on it, right? And there's more logos coming in every day. And evaluating this becomes this idea of, like, best-in-breed capabilities, what actual tooling do I need?
And you turn around and you wake up one day and you realize, I have dozens of [00:14:00] relationships now, each servicing a small component of my estate, and how do I then take and get all that into one place? Because ultimately, right, with security, visibility and correlation become a big part of the game.
Can you just see what's happening and what's going on? So how does an enterprise, I mean, let me try to phrase a smart-sounding question here. An enterprise has already invested in other tools, right? There is a push to have efficiency within their tooling and their licensing and their platform, right?
But then you have an investment in those tools.
[00:14:36] Eric Fromm: Mm-hmm.
[00:14:37] Max Clark: What triggers that drive to then say, we already have a platform, let's get rid of it, let's migrate off this platform, let's replace it, let's add on to it, right? I mean, because that's a pretty significant shift.
[00:14:49] Eric Fromm: Mm-hmm. I think, you know, part of this, there's obviously the cost savings of consolidation of those tools. I think on a much broader view of [00:15:00] things, right, the best-of-breed tools are great at point solutions, but they don't do a great job communicating amongst themselves, and this is really where the MXDR or the Microsoft E5 tool suite comes together. If you look at an attack right from end to end, let's use ransomware for example. Typically an email comes in, right, user clicks on it. That PC gets infected, starts moving, you know,
[00:15:30] Max Clark: Mm-hmm.
[00:15:31] Eric Fromm: across the network. Now an endpoint can look at the EDR piece. You have to go to your email gateway to look at some of those other components.
You have to go into your user directory to look at the users. With MXDR, it brings us all together, and we are able to look at an attack from end to end, so not only seeing where that comes in from an [00:16:00] Outlook perspective, but also putting in those mitigation steps. Outlook, right, from the end user perspective, right? One, we can block out a user very quickly, a password very quickly, keep that email or that piece of malware from propagating from an east-west perspective, but also we're able to put in some additional containments from reaching out to the command and control. But that all can be done beneath that Microsoft umbrella, and really where that power comes in is that end-to-end view of everything. So, you know, a timeline of when it happened, we can see everything. But also there's controls where all of those logs, all that information come together in that unified platform and they work together. And it's really a powerful tool, you know, that clients really like and are taking advantage of.
[00:16:57] Max Clark: How much of this for Temple was [00:17:00] consolidation or cost savings, or was it a capability gap that was already there? Some mixture of all the above?
[00:17:06] Eric Fromm: It's really a mixture of all of the above,
[00:17:08] Max Clark: Mm-hmm.
[00:17:09] Eric Fromm: I think one of the big things for Temple is they were able to consolidate a number of their tools, right? So it's again much easier to manage, much easier to support. But a bigger part of it is they were able to increase their security capability and level beyond just a SIEM and an EDR. They were able to look at things from a program perspective versus a point perspective. And this is where, you know, as a CISO, you start looking at KPIs. What things are we measuring? How many emails are coming in? One of the first things we were able to do with Temple, as an example, is we were able to zero in on a specific problem area, and this allowed the CISO to not only understand that, but put in some additional measures around that specific area of concern. But this [00:18:00] is one of the things that a well-managed and supported Microsoft solution will allow companies to do.
[00:18:16] Max Clark: In that case, you know, I hear this. I've had this conversation with a lot of executives, like, we bought some tool and we implemented it, or it never finished implementing. We're not fully deployed. We don't have full coverage. Oh, we found we had a capability gap in our vendor. Whether that was the actual tool that was purchased or the support organization that they contracted with to help them deploy.
What advice would you give somebody before they start down this process, especially if you haven't purchased this before, or deployed this before, or seen an actual program end to end before of what you're looking for? What kind of things should stand out or be indicators of, [00:19:00] like, this is what people should be saying to you, or this is how you can kind of get the sense you're working with somebody that really knows what they're talking about?
[00:19:06] Eric Fromm: Yeah. Let me start off by saying, we had a client that came to us probably about six months ago. They bought a tool and they were really in that evaluation stage: do we need an MSSP or not? And ultimately they're like, you know what? We know enough about this tool to implement it. I think we will be fine. So about three months later, they called us up and they're like, Eric, we need to talk with your DFIR team. We have an issue.
[00:19:36] Max Clark: Ugh.
[00:19:36] Eric Fromm: We need some help. We've got a ransomware outbreak. And this is where tools are great. Proper configuration of tools is important, but what's even more important is the ongoing management of those tools. The days of buying a tool, set it and forget it, and it becomes [00:20:00] shelfware: that is not the proper way to run your security program. And this is why I think we're starting to see more and more folks moving to companies like Trustwave, because they want that expertise. They want folks that know the solutions. But more importantly, right, as these threats are evolving, these ransomware attacks are increasing, right? They wanna know that they are protected in real time from the latest thing that LockBit is putting out, or whatever
[00:20:31] Max Clark: Mm-hmm.
[00:20:31] Eric Fromm: ransomware group is evolving to target these folks. And I think this is where having a good, solid company like Trustwave comes in, somebody that's monitoring the dark web on your behalf, but more importantly providing resources that will work closely with your team. So we feel like we're an extension of your team, not just somebody that's over in another country that you gotta pick up the phone or submit a ticket [00:21:00] to talk with.
And that customer intimacy is very important, not only for Trustwave, but for what our clients are looking for.
[00:21:07] Max Clark: I am sure this feels like beating a dead horse at this point, but what do you say to somebody that says, we're not a target, we're not a bank, we're not a defense company, we're not a target for a cybersecurity thing, right? How do you respond to that nowadays?
[00:21:28] Eric Fromm: Yeah. There's my perspective, right, which is everybody's a target, but I tend to point them to a list of all of the organizations that have been hit with ransomware. And I think the latest stat is 96% of all organizations have been hit. Probably that other 4% are just folks that have not reported, right? So it's a reality, and it's not a matter of if, it's a matter of when.
[00:21:54] Max Clark: Mm-hmm.
[00:21:55] Eric Fromm: A good example here, Max, is, again, for whatever reason, Friday nights our phones ring [00:22:00] a lot. And we had a large electrical supply company. They had 52 locations. They were hit with ransomware. And they never thought that selling electronic components, like for homes, for example, or residential, would be a target.
[00:22:21] Max Clark: Mm-hmm.
[00:22:22] Eric Fromm: They got hit, their supply chain went down, their distribution, all of that came to a screeching halt. And unfortunately it got to the point where it could have caused them to go bankrupt. Now, fortunately, we were able to come in, help them reestablish, figure out how the ransomware came in, and gave them some mitigation steps. But it's the reality no matter who you are. Once that ransomware hits your organization, right, this is where there's a good possibility, if you don't have the proper controls in place, you can go bankrupt. And, [00:23:00] like I said, it's not a matter of if, it's a matter of when.
[00:23:04] Max Clark: I've heard some people tell me, the way they express it, that the users are the problem. Right? It's like people are clicking on links they shouldn't be clicking on, and we can solve this problem by giving people more security awareness training and prevent phishing or prevent spear
[00:23:19] Eric Fromm: Okay.
[00:23:19] Max Clark: phishing, spear phishing, this attack, that attack.
You know, it's like, is there any foundation of truth anymore to that? Mm-hmm.
[00:23:31] Eric Fromm: There's not a silver bullet. There is a piece of it where I think it's 86% of malware attacks come in through email with users clicking on things, right? But again, in today's day and age, and especially with the advent of AI, these messages look perfect. Years ago you could quickly look at a message and say, [00:24:00] oh, this was misspelled, or they didn't use the proper grammar or context. And this is, I think, where some of that security awareness training definitely helps. And I still think it's important; it's one piece that every organization should go through. It's not the silver bullet.
AI is really changing the dynamic of how these threat actors are operating. And as such, not only are they able to look up Max Clark on the internet, build a profile of you, your family, your kids, and then craft an AI-targeted email that's very convincing. It's just the world that we live in.
[00:24:37] Max Clark: So for every enterprise there's a financial stake, right? The whole, there's nothing that they want. Well, you have money. You have money in your own bank accounts, right? You have resources that, if you can't use them, you'll pay money to get back access to, especially if it's gonna put you out of business.
So there is somebody that they're interested in, [00:25:00] and they'll find the weak spots, right? So I try to explain this now as, like, thinking about locking your car in a parking lot. If your car's locked and the car next to you isn't locked, which car is gonna get opened first?
Right? And it's not that your car's not gonna get opened, or somebody's not gonna break a window to come in if they see something on the seat that's really desirable. But you take the measures you can to make yourself less appealing. Right? Put away your stuff, lock the door, don't have things out, you know?
And I feel like that's really true for enterprises and cybersecurity as well, which is just, are you making yourself less appealing or less interesting or less easy? Right? Whatever the phrase is. Now, hospitals raise the stakes [00:26:00] a little bit, right? This isn't just financial impact, because now we're talking about additional things as well.
How much of that do you think factors into the modern healthcare evaluation of cybersecurity and how these programs are being fit in?
[00:26:16] Eric Fromm: Change Health is definitely the biggest ransomware attack that we've seen here to date. But healthcare has a lot of interesting components, which makes them of interest to ransomware groups like LockBit. First of all, you've got the PHI and the PII that's of interest. That PHI information is high-dollar information on the dark web. This is where, once that PHI is exposed, right, they're able to get top dollar for it. But I think more importantly as well, unfortunately, there was a pretty serious case with [00:27:00] a patient over in Germany who died as a result of an attack. And I think at that point it was really when we started to see a shift in healthcare organizations really starting to look at security a little closer. I think up until that point they're like, yeah, we're fine, we're good. But more importantly, this is even opening up the aperture beyond typical IT security and starting to look into the OT and IoT devices within healthcare environments, and for that fact across the industry as a whole. Two years ago, nobody wanted to talk about OT or IoT. Today, almost every other client that we talk to, whether it's manufacturing, healthcare, energy, utilities, they all have it. It's a concern. And they wanna know what can be done to help [00:28:00] secure these devices. And that's where, here at Trustwave, again, I always point to the term, it's really a SOC of the future, is what we're building or what we've built, where we bring in not only the IT infrastructure, but we marry that together with OT and IoT and we bring that into one platform like Sentinel. This is where you're gonna have not only analysts that understand those types of attacks, but also can respond to those attacks.
And this is really where we're starting to see a lot of the concerns come in, but also what clients are asking for from us at Trustwave.
[00:28:37] Max Clark: There were two events in healthcare that really stand out to me with this. The first one, and I'm 10, 15 years ago, I wanna say, on the East Coast, a healthcare hospital group, ransomware, and the visual was National Guard in fatigues going through and helping their IT teams [00:29:00] re-image computers to get them back online. Major trauma network.
Lot of ICU beds, really critical infrastructure, completely offline because they lost access to computers. And watching evening news footage of uniformed National Guard going through and helping just get this hospital back online was striking. The image of it is seared into my memory.
And then, I wish it was only one, but the amount of facilities I know that closed permanently because they had ransomware and were never able to financially recover from it. And I know one specifically that was running an ICU and tier one facility, and they were transferring patients out in ambulances.
Like, this was a, you can't deliver care, right? What do you do? And in their case, they [00:30:00] rightfully and fortunately pulled the ripcord very early and just called in for support and moved people out of the facility. But it's really staggering.
I wanna get back to your workshops. I was reading into this earlier and this was fascinating, and actually I think a really good thing to dig into, because part of this, you talk about customer data, but you're also doing this in conjunction with Microsoft in a lot of cases.
And you're doing it in conjunction with the customer team. So now, I don't wanna lead this too much. I want you to dig into it. So can you tell me more about how the workshop actually functions and what somebody should expect? How the process works, what they're bringing to the table, what you bring to the table, what Microsoft brings to the table, and at the end of it, where they're at?
[00:30:50] Eric Fromm: Yeah, so a workshop, one of the things that Microsoft does is they fund us to come in and do what they call a proof of value. [00:31:00] And they have a number of different solutions that we can support, depending on where clients are at. If they want a workshop around just Microsoft Sentinel, it's an area that we can support. If it's Microsoft and really understanding that Defender suite,
it's another workshop that we can support. But the whole goal of this is really educating clients on the capabilities of the various tools. Now a good example is when we engage with clients on a workshop. The first part is really understanding what the goal of the workshop is. What do they
[00:31:40] Max Clark: Hmm.
[00:31:40] Eric Fromm: want to achieve? Now, having this blind workshop, and again, although we've got parameters that are set forth by Microsoft that we definitely follow, I think for us it's more important to customize this to what the clients want or would like to get out of the workshop. And this is where we can [00:32:00] tweak various things.
I know good examples with Microsoft Sentinel. They have a tool called Logic Apps, and I had a client that said, Eric, I'd really like to understand what Logic Apps is and how it compares with XSOAR, which is what I have today.
[00:32:15] Max Clark: Mm-hmm.
[00:32:16] Eric Fromm: X amount of dollars for XSOAR. It's my understanding that Logic Apps comes with Sentinel at no additional cost, but I don't really understand it. So we'll actually spend some additional time on Logic Apps, not only just explaining what that is, but even potentially setting up a very basic, rudimentary use case so they could start seeing how it works and how simple it is to set up. Now, once we get some of those foundational components put together, like what clients want to see, we put together a plan. It's a four-week process: what each week's going to entail, when we want to meet with the clients, and we put together a schedule. And so [00:33:00] each week, again, with the example of XDR, we'll say we're going to cover Defender for Identity this week and maybe Defender for Endpoint, and spend the time not only educating folks on the capabilities and components of that, but also showing how that comes into the unified platform.
So part of it is education for the client, but also understanding what the vision could potentially be for how it can help them with their security program. And I think
[00:33:34] Max Clark: Mm-hmm.
[00:33:35] Eric Fromm: And this is where, at the end of those workshops, for example with Microsoft MXDR, we bring all of those tools together and say, okay, we showed you this, this, this, this, and this; this is how it all comes together from a program perspective.
[00:33:53] Max Clark: Some of these tools integrate over the top,
[00:33:55] Eric Fromm: Mm-hmm.
[00:33:55] Max Clark: don't really require a lot of integration or deployment. Some do, [00:34:00] right? So if you're going to Defender for Endpoint, you have to deploy software out, and if you already have an endpoint solution on, can you deploy two pieces of software at the same time? Can you run Defender for Endpoint and go through a workshop and evaluate it against some other EPP at the same time, and then decide, you know, does this meet our capability requirements or not?
Like, how does this work?
[00:34:20] Eric Fromm: Yeah, a great question. And it's very common. The nice part with EDR solutions is they can run in tandem. It's not like the old antivirus tools where if you have Symantec and Trend both running, they basically fight, they conflict. But two EDR solutions can run at the same time. One needs to be in passive mode, one needs to be in active mode. So if there is something from a response perspective... are you still
[00:34:53] Max Clark: Uh oh. Uh oh. Can you hear me?
[00:34:56] Eric Fromm: I can hear you.
[00:34:57] Max Clark: Okay? I've... [00:35:00] Shoot. Okay. What's going to happen here is we're going to let this thing upload for a second,
[00:35:04] Eric Fromm: Okay.
[00:35:05] Max Clark: and then I'm going to leave the lobby. I'm going to come back.
[00:35:09] Eric Fromm: Okay.
[00:35:17] Max Clark: Oh, this is annoying.
[00:35:28] Eric Fromm: I assume you can cut all this out.
[00:35:31] Max Clark: Oh, yeah, yeah, yeah. This is the benefit of, you know, having an editor working for you. Right. Okay. Hold on a second.
[00:35:44] Eric Fromm: No problem.
[00:35:46] Max Clark: Okay, so before my technical problems, we started talking about endpoint, and I'd asked you, when deploying or evaluating Defender for Endpoint, if you already have an [00:36:00] EPP or EDR in place, how do you... I mean, can you run both at the same time? What does this actually mean for an organization?
How do they test and try it?
[00:36:09] Eric Fromm: Mm-hmm. A great question. One of the nice parts with EDR is you can have two EDRs running at the same time. It's not like the old antivirus systems like Symantec and Trend; if you actually tried to install them both at the same time, they'd basically conflict and you'd have that blue screen of death. For EDR solutions, it's not uncommon for clients to say, Hey, Eric, you know, we want to try Microsoft Defender and run it alongside of, let's just say, CrowdStrike, and see how effective those tools are. And so we can have one... I think the key is just having one in passive mode and one in active mode, but everything else can be up and running and they can see what the EDRs are detecting. So not only is it commonplace and it can be done, but it's also how we [00:37:00] start to move through the onboarding process. When we work with clients where they have an existing EDR solution and they're moving to Defender for Endpoint, they want that confidence that they don't have a gap as we're transitioning from where they're currently at today to the new solution. So this is where we could load them both up, have them running, have one, the primary solution, still in active mode, bring the new solution on and just have it running in passive mode, make sure that everything's perfect, and then when they're ready, we can switch things over, switching the roles from active to passive, and they're up.
[00:37:43] Max Clark: When we talked about this briefly, right, and this tool and the tool sprawl: E5 Security is a lot of tooling. There's a lot of pieces of this puzzle, and not only is it a lot of tooling, but there's a lot of [00:38:00] components within that tooling as well that you can optionally use or not use. It's pretty overwhelming.
Like if you take a step back and you look at it and try to say, okay, let's go and configure this. How much of this becomes blueprints or runbooks or things that Trustwave has developed over the years, where you say, okay, we're going into a new organization and we just know we have to check these flags, and this is a default and it's terrible, and change this default?
And how much of it becomes some sort of collaborative effort with the customer of saying, what are you trying to achieve? How do we achieve it for you? What operations do you have? Where do you want us to fit? What capabilities are we filling?
[00:38:42] Eric Fromm: Yeah, it's a great question. You know, we developed something here called the Golden Image, and foundationally, it is a number of those checkboxes: what are the core components that need to be enabled for this tool to run at an optimal state. But you can't [00:39:00] just enable these checkboxes blindly. That's just really where we start from in that onboarding process. We have a detailed discussion with clients about, Hey, what directories may not need to be scanned, if there are exceptions that need to be put in. And we take that information and we layer that on top of the Golden Image, right?
So we understand the client components along with the base components. We bring these together into an optimal image that could be used for a client.
[00:39:35] Max Clark: Let's just take big pieces here. Let's take identity, endpoint and email, right? Major threat points, major vectors, major places people are getting tested. Just turning on Defender for those three pieces and finally into Sentinel.
[00:39:52] Eric Fromm: Mm-hmm.
[00:39:53] Max Clark: That's a lot of noise. What is an organization supposed to do here?
Because I mean, if you turn these [00:40:00] things on and you start looking at this thing, it's like staring off into the abyss, right? I mean, I have conversations with a lot of practitioners, really educated, seasoned senior people, that are looking at it like, I don't even know what this means. What am I supposed to do with this?
[00:40:15] Eric Fromm: And you know, false positive reduction. First of all, having the right configuration
[00:40:19] Max Clark: Mm-hmm.
[00:40:20] Eric Fromm: and those things are important, but again, you will have those false positives. But then this is really where the power of having a company like Trustwave comes in, where we understand the tools, we understand what some of those expectations are, and so we'll take a first swag at eliminating some of those false positives.
Like, we've seen this before, we know it's tied to this, right? But some of these other components is also where we'll sit down with clients and say, Hey, you know, we see a large number of messages coming in from this user, or this user sending out a number of messages. Are they part of your marketing group? Are they part of folks that will be sending out a [00:41:00] lot of messages that will flag these parameters? And this is where, again, understanding the business, how it operates, and the people in the business is very important, and more importantly, documenting that. So again, part of that onboarding process is understanding those components and tuning out those false positives.
So when we go into that live state, clients aren't getting inundated with false positives. Quite frankly, we don't want to deal with the false positives either. Right. And
[00:41:28] Max Clark: Yeah.
[00:41:28] Eric Fromm: you know, an MSSP that just turns those alerts on and sends them over to an organization is the wrong approach. Again, heading that stuff off at the front end, understanding the business, having a thorough onboarding process. I've heard folks say, Hey, we can onboard in a day. Well, that may be true, but for the next week or two weeks, they're definitely going to have a lot of false positives. And although we can onboard folks very quickly, we strive not to go into a live state [00:42:00] with that large number of false positives, and really going through our process, making sure Defender for Identity is configured properly in addition to the Outlook component.
[00:42:12] Max Clark: How deep into the workshop did they get before... I mean, there's really, again, three decisions here that were made, right? The first decision: yeah, E5 Security is going to do it, let's move forward with E5 Security. And our existing MSSP isn't going to... we're now absolutely certain the MSSP we have is not going to provide value for us going forward, and Trustwave is the right fit.
Like when does that conversation shift, or when did that conversation shift here and start looking into future state? Mm-hmm.
[00:42:45] Eric Fromm: You know, going back to Temple, it's about building trust, and I think this is where, within the first few days of us showing them what they had, laying things out, starting that education process, [00:43:00] I think they got a pretty good understanding of our capabilities and what we bring to the table from a Microsoft perspective. But I think the bigger part too is, although we're a big Microsoft partner, they also had some other requirements that weren't just Microsoft that we were able to fulfill. You know, one of the downsides with Microsoft from an E5 perspective is you have to have a modern operating system. In today's day and age, there are a lot of systems, unfortunately, that are still running Server 2000, some of those older systems, and this is where Defender for Endpoint won't operate. So this is an area where Temple wanted a tertiary or a secondary EDR, like SentinelOne, where we were able to bring that in, deploy that on those various older systems, and provide visibility and monitoring in real time to ensure that those were protected as well.
[00:43:59] Max Clark: Okay, [00:44:00] so this environment was mixed. I mean, it was mostly modern Windows with Defender for Endpoint, but then the things that didn't fit that, you were overlaying another EPP on top of, which was then giving you telemetry data back into Sentinel as well.
[00:44:13] Eric Fromm: That's correct.
[00:44:15] Max Clark: How does Trustwave... You know, Temple engaged with you.
They were looking for an MSSP,
[00:44:24] Eric Fromm: Mm-hmm.
[00:44:24] Max Clark: for configuration, for guidance, advice, expertise, as well as ongoing management. We talk about this management piece, right? And part of that management is configuration rollout and tooling and adjustments. You know, how do you reduce false positives? But another big piece of that is just the day to day, right?
You're going to get an event, and that event says, Hey, something is happening, and then you have to do something with that event. How does Trustwave fit that and take care of that and help customers with that?
[00:44:52] Eric Fromm: Mm-hmm. So, you know, it's a great question. Response was definitely one of the gaps [00:45:00] that Temple had with their current provider.
[00:45:03] Max Clark: Mm-hmm.
[00:45:03] Eric Fromm: One of the things that we were able to showcase and highlight is how we can respond to an event, not just from the EDR perspective, right? Which is where a lot of folks are.
Hey, we can block the endpoint. More importantly, we were able to showcase what we were able to do from a user perspective: what response capabilities we had to block a user, reset those passwords, even getting into the email component, blocking those emails, both from a post and a pre perspective. One of the other things that I want to say makes us a little bit unique is we have our own threat intelligence team, and years ago, you talk about threat intelligence, people roll their eyes, like, Ugh, I've heard this story 10,000 times, but it's really a differentiator, because one of the things that our [00:46:00] threat intelligence team does is they're out there on the dark web, combing information on a regular basis, bringing that in. And as we're getting that information, we're pushing that into block mode on folks' EDR solutions in real time. Now, where this becomes important is, these threat actors, as they are executing their attacks, especially for us being a global company, we'll see attacks, for example, in Asia Pacific. We're able to quickly see those IPs, those IOCs, and upload those very quickly, within seconds, to our clients' EDR solution to make sure that they're protected. And that's something where you don't have to wait for the attack to occur, the CERT to find out about the attack, publish it on the internet, and you get it, right?
That's time that's wasted. And that's, again, another one of our key differentiators. So having properly configured tools all plays into that, not [00:47:00] just from the configuration and the ongoing management, but also having the right threat feeds and the right real-time threat protection in there as well.
[00:47:11] Max Clark: When somebody reads co-managed SOC, especially here in this case, co-managed SOC for Microsoft, what does that mean for the customer, and what are the options and the scale within this? You talk about capabilities around blocking endpoints, right? And also feeding threat intelligence. I mean, there's a lot of variety within that.
So if you're in that scale, when you say co-managed, can you give me some ideas of what that means in terms of both extremes and what's in the middle?
[00:47:42] Eric Fromm: Yeah, you know, one of the things that we've found with enterprise clients is they want to be a part of it. They've got their own internal SOC team, and although they will leverage services like ours, they want to be able to go in and make some configuration changes. They want to make policy [00:48:00] adjustments.
And this is where it turns into a true partnership. We don't want clients out of their environment, like, Hey, trust us, we've got this.
[00:48:09] Max Clark: Mm-hmm.
[00:48:09] Eric Fromm: We want them in there working alongside us. So again, if they want to publish a policy, they can. If they want to see what we're doing, they can. And this is where that trust component that I mentioned earlier comes in. You know, it starts very early on with workshops, right? Understanding what our capabilities are. It transitions into that onboarding process, understanding their business, but also going into a steady state, right? We understand that they've got SOC analysts that want to be a part of this investigation, not just wait for an alarm or an alert to come over to them; they want to be a part of the investigation. And this is where, for us, it's very important to be co-managed, to allow clients to come in and look and work alongside of us if they so choose. If they don't, again, we can [00:49:00] easily take that "co" out and turn that into managed,
[00:49:03] Max Clark: Mm-hmm.
[00:49:04] Eric Fromm: but I'll tell you, 90% of the folks that we work with really want that co-managed type of solution.
That's one of the reasons why we branded it and, more importantly, supported it in that fashion.
[00:49:15] Max Clark: Talking to IT leaders, you know, CSO, CTO, CIO, within organizations, I think part of it starts with wanting to have visibility and ownership of a platform so they don't have a situation where they get boxed in with a vendor and can't unwind a relationship if necessary.
Right. So I think co-management becomes very important with that. Microsoft E5 lives inside of the customer's tenant, right? So there's a different level of control already with it, which is really nice, because it's not like it's living somewhere else. It's already living inside their environment.
But then from there we get into conversations that start talking about, you know, what the industry refers to [00:50:00] as runbooks, right? What do you do if things happen? Who's getting the alert? Who's investigating the alert? Who's doing the correlation of the alert? Who's actually saying, whoa, there's something really going on in here,
and we need to do something? And then what happens with that something? And then who has the ability to take an endpoint off a network or lock a user account or force a password reset? As you're onboarding a customer, how do you walk through this delineation and split of responsibilities, especially in a co-managed situation?
'Cause you don't want to be in a, what's the parable, right? If you tell four people to feed a dog, nobody feeds the dog. I forget the exact story, but you do run that risk, right? If there's not one person or one organization ultimately responsible, you can fall into that trap.
But then also, as time passes, and what I see is, of course, like you say, Friday night at 11:30 in [00:51:00] the evening, all of a sudden you have a bunch of stuff happen. Is it the customer's team responding to that? Is it Trustwave's team responding to that?
Do you have to call the customer in order to respond to that? What does crawl, walk, run look like here for people? And how do they build up to a good end state again?
[00:51:22] Eric Fromm: Mm-hmm. This really starts with the onboarding process, understanding the business.
[00:51:28] Max Clark: Mm-hmm.
[00:51:28] Eric Fromm: One of the things that we've developed here is something called a response protocol, and this is where we'll sit down with clients and say, what is your comfort level with us taking actions on various devices? For example, within the healthcare arena, there may be medical devices that they'll classify as red, where they say, Hey, if you see something here, we don't want you touching any of these devices. Go through the investigation, but get us on the phone. Let us do that [00:52:00] last leg of the investigation, or take that containment action, just to be safe.
And we actually do something unique with that as well. Once a client classifies an asset or a group of assets as red, all of the containment controls get locked out from the analysts to ensure there's not human error where somebody accidentally pushes a button and takes those actions. We also have something called a yellow protocol, or, you know, the traffic light protocol. But,
[00:52:32] Max Clark: Yeah.
[00:52:33] Eric Fromm: we really termed it the response protocol. But yeah, yellow is another area where, again, we see something, we'll call the client, we'll say, Hey, you know, maybe it's two in the morning, we'd like to take these actions.
We explain the investigation, and after we explain to them what asset it is, the client could say, yep, go ahead, take these actions. And we do. And then obviously there's a green component as well. We let the client sleep through the night, and, you know, maybe a security [00:53:00] guard surfing the internet accidentally stumbles across something they shouldn't, their PC gets infected.
Our analysts do a quick investigation, like, oh, it's green. We take that response action right then and there. I will tell you, if it's the first time working with an MSP or MSSP like ourselves, or anybody, there's sometimes some reluctance to say, Hey, until we feel comfortable with Trustwave, we want to leave everything as red. But what happens is during each meeting we have with clients, we revisit that. We say, Hey, you know, is there something that we can move to yellow?
[00:53:37] Max Clark: Mm-hmm.
[00:53:38] Eric Fromm: Or again, over a two- to three-month period, we start transitioning from the reds to the yellows to the greens, because they are becoming more confident and that trust is built.
And that's, again, a big part of security and outsourcing. A piece of your security is building that two-way trust with
[00:53:59] Max Clark: Mm-hmm.[00:54:00]
[00:54:00] Eric Fromm: a company like ourselves.
[00:54:03] Max Clark: One of the charts I hate the most in cybersecurity is the cyber maturity model, right? And this is the whole, like, you start at zero and you kind of start working up the thing, and what each level is, and it's one through five, and some people do it as a three-by-three grid. And then there's all these different cyber defense matrices, and I find it creates a lot more confusion
than actual value in trying to explain the state of the organization and where you actually are. Right. If you have a measurable target, whatever, right? Ten is perfect, or a number of incidents. We have a thousand alerts; how do you go from a thousand alerts down to 50 alerts?
Like how do you improve the current state of things? Deploying E5 Security gives you a whole swath of tools, right? You're going to cover a lot of the tool estate within the [00:55:00] environment, but what comes next? What comes after deploying that, from an advisor in these environments, and talking with a company of, like,
how do we get you in a better state? How do we improve the state? How do we do continuous improvement? And if somebody comes to you and says, Hey, we've done all of our tools and we've decided that, out of ten, we're at a four now, right? And how do we get to six? And how do you know?
So what comes after this with Trustwave?
[00:55:36] Eric Fromm: Yeah, so one of the things that we leverage within the stack, just one of the tools, is Security Scorecard. And what it does is it rates... it looks at Defender for Endpoint, Defender for Identity, all the various tools. You had mentioned Defender for Identity, so we'll just use that as a talking point.
[00:55:57] Max Clark: Mm-hmm.
[00:55:58] Eric Fromm: But this is an area where [00:56:00] Defender for Identity will identify users that may be in a privileged AD group that have not logged in or used that account in three months. Now that creates risk,
[00:56:11] Max Clark: Mm-hmm.
[00:56:12] Eric Fromm: and this is an area where we'll sit down with a client and say, Hey, we want to make sure you're aware of this.
Can you look into these three specific users? We've noticed that they basically haven't accessed the system in 90 days. If they're not needed, go ahead and disable them to help reduce that risk. But this is really where we sit down with clients to go through that level of detail so they can actually make sense of all of the various components. But more importantly as well, there are a lot of different things that can be done. If there's a specific threat or a specific area, we'll basically say, Hey, these are the things you may want to focus in on first to really help reduce your threat from this latest ransomware attack. It's like a [00:57:00] penetration test. You do your first pen test, you have a book of things, and a lot of times for organizations it's a lot to go through, right? So for us, we try to look at things more from the lens of security: these are the most important things to focus in on first based on these threats that we're seeing, or different things holistically to increase your security program. So really being that guide for them on that security journey. Again, not just monitoring a SIEM or an EDR, but looking at things from a program perspective.
[00:57:41] Max Clark: What is incident response? Why is it important to have a retainer before an event? And what happens if you don't have a retainer and you have an event?
[00:57:53] Eric Fromm: Yeah, it's an interesting question. If there's an event that occurs and you don't have a [00:58:00] retainer, obviously for us here at Trustwave, we take care of our clients that have retainers. So when that call queue starts to light up, if you've got a retainer, you're guaranteed a certain response time
[00:58:12] Max Clark: Hmm.
[00:58:12] Eric Fromm: and looking into things, and this is where I think the cost of a retainer is negligible in the whole security picture.
It's definitely very, very important to have. More importantly, when you do have, not if but when, getting back to just the statistics on ransomware, you want to have a company that you can call that has the expertise in identifying what happened to your organization, and then, more importantly, helping you get back online quickly so it reduces that business impact. That's where that DFIR retainer really comes into play. More importantly, our DFIR team here at Trustwave is integrated into our security stack. So our analysts basically work through things, and again, if they do need to engage the DFIR team, [00:59:00] it's just one group over, one phone call over, and all the logs come over seamlessly. Now I do see where organizations use different folks. There's a lot of DFIR providers, just like there's a lot of MDR folks that are out there. There's a lot of folks that offer DFIR retainers, and not all MDR providers have that capability or skillset. And it's not uncommon for us at Trustwave to get calls from clients that say, Hey, I'm using provider X.
They just don't have the DFIR skills and expertise. And we're like, oh, you know what? If you don't have a retainer with us, the queue's slow right now. Send us the logs over, and we'll work with them to figure out what happened. And again, it's an important piece. Now the downside to that is, although we can help folks in that scenario, there's a lot of time that's [01:00:00] wasted working with another partner that doesn't have the DFIR capability built into their stack of response capabilities.
[01:00:10] Max Clark: Correct my recollection on this. Colonial Pipeline
[01:00:16] Eric Fromm: Mm-hmm.
[01:00:16] Max Clark: had an attack. The source of the attack is, they had accounts that hadn't been disabled on a VPN system that wasn't compromised, and they gained access to the network, right? So we can just skip past that whole thing, right?
Because the event happens, we see people putting gasoline in the back of their pickup trucks with tarps in them, which is just crazy, like bonkers land. But then they end up paying a ransom, and I want to say it was about $40 million. And this was then public, and it was quoted in the Wall Street Journal, and the CEO, I believe, at Colonial Pipeline,
there's a quote around why did they pay, or why they came to this [01:01:00] decision, right? And the quote was something to the effect of, we didn't know how bad it was, how long it was going to take to recover. Again, correct my recollection on this one, but I mean, it turned into a, we didn't know how bad, how long it was going to take, could we recover,
what was going to happen next, what the impact on the business was. And they made a business decision of, perceptionally, it was cheaper for them to pay $40 million and have certainty versus having no certainty, with potentially worse outcomes. That, beyond what caused the breach, screams to me a failure in the response to the breach, to get to that point where you're making that decision or making those comments.
For somebody listening to this, how do they protect themselves, prepare, so that they're not in that we-don't-know [01:02:00] state, authorizing a $40 million payment to somebody to hopefully get their systems back online?
[01:02:09] Eric Fromm: Yeah. And this is really where I think we're seeing more boards asking the question of security leaders, like, how do you know?
[01:02:17] Max Clark: Mm-hmm.
[01:02:17] Eric Fromm: I know you say we're protected, but really I'd like some third-party validation of what you're saying. And this is an area where we do a ransomware readiness assessment, looking at the various types of controls that are in place, all the way from talking with you about, do you have a communication plan? Right. If you are impacted, who's going to talk with the media? Who's going to talk with your partners? Backups, are these done? How often? Are they on site? Are they offsite? Those types of things. We look at things holistically, and it's an important piece, another component in today's modern [01:03:00] security tools, right?
There's a lot of different things that you need. But having that ransomware readiness assessment completed is important. And more importantly, it's not something that's one and done; it's something that should be done on a regular basis, because people leave,
[01:03:17] Max Clark: Mm-hmm.
[01:03:19] Eric Fromm: right. You also need to test that program as well. Part of it is having that assessment to figure out where you're at, but then dusting off that IR playbook. And, hey, it's great we've got it. Actually testing it. This is something that I don't see a lot of organizations doing, going through that testing process on a regular basis, saying, let's go ahead and say we got hit, and we put together testing scenarios where we role play. But not as many folks do it as should do it.
[01:03:58] Max Clark: I don't want to steal your [01:04:00] glory here. I'm going to try to prompt this properly. Can you explain the reason why it's important to have a plan
[01:04:07] Eric Fromm: Mm-hmm.
[01:04:08] Max Clark: On paper distributed to people and accessible, and if they're creating their first one, if somebody's watching this and, and doesn't have an an incident plan, what kind of things they should put on that
[01:04:20] Eric Fromm: Mm-hmm.
[01:04:21] Max Clark: be checking.
[01:04:22] Eric Fromm: Mm-hmm. So. You know, part of it's creating a plan and if you don't have one, Sam's has one. We
[01:04:31] Max Clark: Mm-hmm.
[01:04:31] Eric Fromm: that we're, we provide as a foundational starting point, but it gets back into like the tool discussion. Just having a plan or a tool is not good enough. The second part of having that plan is understanding, that out to people, and it's just not an email, but it's saying. An event of an attack. This is what we need your team to do. This is
[01:04:52] Max Clark: Hmm.
[01:04:53] Eric Fromm: need the IT team to do. This is what we need the database team to do, and everybody needs to understand [01:05:00] their role as it pertains to that IR plan. The last part of it is people come and go, and this is where, know, unfortunately, you know, today's, you know, day and age, you know, there's, there's a very, you know. on how you look at it. Security individuals, there's high turnover.
[01:05:18] Max Clark: Mm-hmm.
[01:05:18] Eric Fromm: people are moving around and that's if you can find them. But you know the folks that you've sent that email to and they've got it on their shelf three months from now, six months from now, they may not be here. plan needs to be updated with the proper contact in person. And where that becomes even more important, you know, with the advent of Covid when that came around, is people are all in the office. And having the right contact information when you need them, and testing that is important we all can get on some type of, you know, a bridge, whether it's at out of band or in band, depending on the impact of the, you know, the, the type of ransomware.[01:06:00]
[01:06:01] Max Clark: You talked about PHI
[01:06:02] Eric Fromm: Mm-hmm.
[01:06:03] Max Clark: earlier, so health information and personal identifying information, which of course this is the. Everybody's probably had somebody have a breach where they've gotten a notice in the mail that says, here's your free credit monitoring. Right? But this is valuable data. It's also, um, regulated information that causes financial penalties for companies if it gets out.
Trustwave has an interesting capability called DB Protect. Um, what is DB Protect and how does an organization use it to. Take that next step and increase their posture.
[01:06:40] Eric Fromm: Mm-hmm. So lemme start off by saying, you know, reality is, just to your point, all PHI, all of your valuable information is within that database. Um, it's an area where I don't see a lot of organizations focusing in on protection [01:07:00] of those databases. EDR. They're great at the OS level, but they don't do a lot at looking at what's happening within the databases.
And the reality is, you know, when these ransomware attacks come through or they're trying to exfiltrate data out, they're going after that sensitive information. Now, we actually, we have a, uh, a solution as you mentioned, it's called DB Protect and really focuses in on three pillars, right? The first pillar is vulnerability management. Right. And you know, I've had folks that say, Hey, you know, I've got Tenable, I've got, you know, and it does a vulnerability scan. And Tenable checks, maybe 300 different database checks; we provide over 3000. More importantly, we have fixed scripts that we apply that we can provide to the database administrators so they could apply those fixed scripts, um, to help, um, remediate or
[01:07:57] Max Clark: Mm-hmm.
[01:07:58] Eric Fromm: of those various, uh, [01:08:00] threats. Uh, the second issue that we see a lot of is over privileging, right? Again, you think about how ransomware gets in, they do an escalation of privileges. They get into this first thing. Again, building those walls is looking at who has access to the databases and what privilege level they have. Not uncommon for us to see where, you ask somebody. Actually, always interesting. We start off with asking folks, how many databases do you have in your environment? And they say, uh, 50. And we provide 'em a tool where they could do a free scan and they're like, oh my gosh, Eric, we have 350. And, and this is really where it ties into the ransomware question that you asked earlier. You know, shadow IT is up and running, you know, and they're doing great. But you know what's maybe on this 50 databases, but what's on this other 300? Is there PHI, [01:09:00] Is there financial information? Right? You gotta identify actually on those databases first, and then put controls around, um, what's there.
And the last part is really the monitoring piece, right? Being able to monitor what's happening at the database level. Um, you know, if somebody gets in and they're running SQL commands to exfiltrate information out, right? You have to have that level of visibility and that's where we, we provide, you know, one of the top leading database security solutions out there on the market today.
[01:09:35] Max Clark: Yeah, if somebody's doing a select star against your user database, it's probably not a. It's probably pretty scary, right? You know, that's, that's one of those, something really bad is going on. I mean, this goes back, you know, 25 years. We talk about firewalls, you know, a firewall, um, creates a policy that says either allow traffic or deny traffic.
And I can remember going through, I. You know, PCI audits where the auditors wanted a [01:10:00] firewall in between the web server and the application server, the application server, and the database server. And I'm looking at this auditor, I'm like, why The application server has privileges to log into the database.
Like what are we protecting here? You know? Um, it's, uh, you know, it's like it was a checkbox, you know, it was a checkbox on that list. But, you know, you come back to it and you say, you know, the EDR is really good for. Operating system level. You know, if somebody has access and is not installing ransomware on a computer, and that computer has access to a database and they can connect to that database and do operations against the database, EDR is not gonna say anything about it, right?
Like, I mean, or you know, am I wrong?
[01:10:40] Eric Fromm: You're, you're spot on. you know, a lot of databases, they've got APIs that connect to, to all of those different applications, and a lot of those are out on the internet. so it, it really opens up the aperture for, for attacks, not having the visibility, um, to those, uh, various systems.
[01:10:59] Max Clark: Now, if [01:11:00] it's healthcare, they're probably running Epic, you know, not to, not to say anything good or bad about Epic, but, you know, wouldn't, I mean, how many organizations would just automatically assume and say, Hey, you know, this is Epic's problem, or Epic's taking care of this for us, or we don't have to think about this ourselves because it's being taken care of.
I mean, is is like what, what's, what's the counsel that you would give them?
[01:11:22] Eric Fromm: You know, Epic's a good tool. And you know, actually, you know, one, one of the things we see from our healthcare, um, you know, providers that we support is they say, Hey, we want to monitor the logs within Epic.
[01:11:33] Max Clark: Mm-hmm.
[01:11:34] Eric Fromm: Again, it's not something that comes outta the box from Microsoft. But it is something where, you know, when we run into those situations like Epic, you know, we can develop custom connectors and develop rules for that.
And as such, we can help provide those Epic logs. Now again, Epic's not the same level of as a database security solution, as like DB Protect, although there is definitely value with monitoring that [01:12:00] information very via your
[01:12:01] Max Clark: Mm-hmm. What's one thing that you wish more healthcare companies understood about cybersecurity and, and were doing differently?
[01:12:14] Eric Fromm: Mm-hmm. You know, I'm, I'm purposely not gonna get into the AI component because I think it's, it's an over,
[01:12:21] Max Clark: Mm-hmm.
[01:12:22] Eric Fromm: a lot of people are talking about. Um, I'll, I'll take us down a path of threat hunting. Maybe I'll, let me start there with the threat hunting piece. And I think although this is healthcare, I think this is really industries across the board. it's interesting when I talk to clients like, what are you doing from a threat hunt perspective? And they're like, yeah, we're checking that box. We're doing it. You know, when I start asking them like, what exactly are you doing for threat hunts? You know, I get very, you know, different types of answers.
But basically they all roll down, roll back to IOC based threat hunting. [01:13:00] And although that's good important as a foundational perspective, of the things that we're saying with ransomware is these specific attackers are in your environment. And again, there's various reports anywhere from 221 days down to 41 days.
But the reality is they're in your environment doing things and your tooling is not actually picking up on them. This is where for us at Trustwave, we actually have developed a, you know, we call it advanced continuous threat hunting, which takes a different compo, uh, uh, you know, different look at things altogether.
It's really focused in on indicators of behavior, this is an area where we've mapped out, you know, all the various, uh, ransomware threat actors out there, the various TTPs, this is what we use as a foundational component to do those threat hunts. I'll tell you, every time that we've done a threat hunt, we have found something. We found with one healthcare [01:14:00] provider, we had a RAT, a remote operating tool that was running in their environment for 11 months. We, we found, you know, WannaCry, we found a number of these different components, not, not to mention just threat actors that again, roaming around in the environment. One of the byproducts of this is we also see configuration, um, misconfiguration.
So just like a threat actor, once they get into your network, they start sniffing and monitoring traffic back and forth. This is what our threat hunters are doing as well. They're looking for these TTPs, but one of the other things that they're doing is, do we just see that and password go by in clear, clear text, maybe telnet to a router. Hey, so, one of the byproducts of our threat hunts is we actually will say, Hey, Mr. Client, go ahead and, you know, you may wanna look at SSH enabling this. So we don't see these clear text [01:15:00] passwords, but we see a lot of misconfigurations as a result of these threat hunts. And this is something that I don't think folks are thinking about, you know, about. You know, back to the WannaCry days, you know, we're talking about firewalls in the early days, like WannaCry, you know, having that notoriety, you know, being on CNN it was a great, you know, today. You know, the, the modern threat actor, they want to go undetected,
[01:15:28] Max Clark: Mm-hmm.
[01:15:29] Eric Fromm: They know when your IOC list is published out on the internet. They know their IPs out there, and they will change their DNS, their IPs, so it doesn't pop up on that list of IOCs you're looking for. And so if you're looking for, again, clients should be looking for things IOCs important, but they should be looking for things beyond just IOCs. They should be looking for these IOBs to really see if somebody's operating in their environment undetected.[01:16:00]
[01:16:00] Max Clark: Dwell time. Statistics, you know, it used to be upwards of a year. Now we see it coming way down. What is more terrifying for dwell time? Dwell time in months, or dwell time in days.
[01:16:12] Eric Fromm: Mm-hmm. Yeah. And this is, you know, and this is where I think I've seen different statistics that are out there. I've seen months, I've also seen days, and clients have asked me, or, or folks have asked me like, well, is it coming down or not? And, and, this is where it all depends on the poll. I think it is ultimately coming down, and this is really with the advent of AI and tools and some of the things that we're seeing, but also it gets into for clients that are out there, how many of these roadblocks do you have in place in your environment? Right. I do a ransomware, you know, talk track where I actually demo a piece of ransomware and I use some of the common TTPs that LockBit uses. It gets down to, you know, how well are [01:17:00] you patched? Right? Do you have all the patches there or is there one that you miss that you can exploit? 'cause that's what they're looking for, Are you seeing those usernames and passwords? Like how many of those roadblocks do you have in place? And I think this is where programs that are putting in the time to expand out the capability, looking at things from a program perspective and building out these various roadblocks, not just a firewall, to your point. Right, but having the right controls at each point to make sure that things are, you know, slow, slow things down. And so this is where it turns into, you know, days could be months for an organization that has controls in place, which increases the probability of you detecting them before they actually execute the attack.
[01:17:48] Max Clark: Dwell time for me. You know, I, when I first started tracking this. Um, dwell time was almost a year, which is scary because it means somebody's on the network for a [01:18:00] year before either they launch an attack or you discover them. Usually they launch the attack and what happens in that period of time. And so now, you know, seeing stats with dwell time coming way down.
Same question. Is it coming way down because it's being detected or because they're exploiting a network and launching an attack f faster. Is this a, you know, we know how to monetize these things so efficiently now at this point that we don't even need to spend time trying to figure out what we have here.
We just know as soon as we're on, we can go launch and attack and monetize this. And, you know, I am, I don't know, which is scarier to me. It's like, it's just scary both ways. Um, Eric, uh, one last sound soundbite here for your question.
[01:18:44] Eric Fromm: sure.
[01:18:45] Max Clark: Somebody's watching this, you know, and, and we can, we can make this specific to healthcare.
We can, we can make it broader in terms of enterprise. If somebody's watching this and they've heard something and, and they've had like triggering, like, you know, like there's, oh, you know, what's a good one? [01:19:00] It's not what, we'll, it's not, if we'll find something, it's, we will find something on your network.
Right? Like anybody who's listening to that. Should have a moment of reflection of, of like, do we not, do we have the tool, have we deployed an EDR? Do we have this? Do we have that? It's just that like actual understanding of, of just IT, OT, IoT sprawl, there's something going on. What advice would you give that person in terms of, you know, what the next 3, 6, 12 months of, of their life and their program should look like and what.
You know, and from a, you know, of course it's become specific, right? But at a generic level, you know, somebody who's having that thought, like, what should they be thinking about over the next 3, 6, 12 months?
[01:19:45] Eric Fromm: Mm-hmm. Yeah, this is a tough one, and again, I hate to start with a generic response of like
[01:19:51] Max Clark: Mm-hmm.
[01:19:51] Eric Fromm: off with a security maturity assessment to measure and understand where you're at from a baseline, but it's really a [01:20:00] foundation. You know, this is where, you know, there's big holes and small holes, and at the end of the day, you need to focus in on the biggest holes first to reduce your risk, You're always gonna have holes in the program. But again, there's a limited amount of money that organizations have to spend and it makes sense to. some of those funds on the biggest holes first, and then start looking at critical and high, you know, holes. Then start moving down to medium and low. But I think more importantly, it's understanding where those holes are in the environment. We're actually seeing a shift in what, um, board level members are asking of clients and coming to us. They're like, you know, want that annual pen test, right. Like that checkbox. We're starting to see this evolution of boards that are like, you know what?
We want more of an annual health check, and we want that pen [01:21:00] test in addition to a one-time proactive threat hunt done by a third party. So we not only understand what holes are in the infrastructure, but we wanna know, we just don't want to take the IT director's word for, hey. We're safe, we're protected.
There's nobody in our environment. We want a third party to come in, um, like Trustwave and, and do that proactive threat hunt and combine these together in one single report. And so we're seeing that as a result of questions are being asked of, of board, and they want to know what their posture is. Um, so we're seeing that evolution, and this is turning into more of a. Not doing pen tests once a year, doing it quarterly. Same thing with, you know, they get the first proactive threat hunt like, Hey, we found something, Maybe we start doing this on a quarterly basis and then we start doing this on a continuous basis to again start evolving the program. But that's just, I guess, one example of what we're seeing [01:22:00] from, you know, the evolution and, and where people need to start.
[01:22:06] Max Clark: Um, talking with a lot of companies and executives going through this, I would say there's a certain, there's a certain person or personality that goes to a place of despair of like, oh, we can't do anything. It's almost not worth it. Right. And approaching it. And the real good news here, I mean, look, statistically you're gonna get breached.
[01:22:25] Eric Fromm: Mm-hmm.
[01:22:26] Max Clark: just statistically it's gonna happen and. The value is not preventing the breach from occurring.
[01:22:35] Eric Fromm: Mm-hmm.
[01:22:36] Max Clark: It feels like the value now is about detecting it as soon as possible
[01:22:40] Eric Fromm: Mm-hmm.
[01:22:40] Max Clark: limiting the exposure that it causes. So not this like we can have a perfect security. 'cause I mean, outside of an air gap system, there's no such thing, right?
Um, but actually being able to detect and, and respond faster. 'cause the more you shrink that window, the less damage it creates. Right?
[01:22:59] Eric Fromm: Exactly.[01:23:00]
[01:23:01] Max Clark: Okay.
[01:23:01] Eric Fromm: Yeah. It's, it's definitely, you know, and this is where an organization, again, you could have all the tools in the world, but you know, having the right MSSP or the right organization with, with the right level of security expertise that could come in. I where you're at today, but also help you with that transformation over time. and this is where, you know, it's, it's not a silver bullet and you can't plug all of those holes, but having an organization like Trustwave that come in, do that base level assessment work with you, build your program alongside of yourself, align your priorities with, for example, you know, what Trustwave has and recommendations, but having that. You know, cohesive, uh, team together. So you're, you're working out a one hymnal if you will.
[01:23:51] Max Clark: Absolutely. Eric, thank you very much for your time. This is fantastic. Always, always a pleasure.
[01:23:57] Eric Fromm: Max. Thank you for having me. My pleasure for being here.[01:24:00]
[01:24:02] Max Clark: Oops. Not that button, this button.