00:05 Raghu Nandakumara
Welcome to The Segment: A Zero Trust Leadership Podcast. I’m your host, Raghu Nandakumara, head of industry solutions at Illumio, the Zero Trust Segmentation company. Today, I’m joined by Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft.
Sherrod was selected as Cybersecurity Woman of the Year in 2022 and Cybersecurity PR Spokesperson of the Year for 2021. Previously, she was VP of threat research and detection at Proofpoint, where she led a global team of threat researchers, malware reverse engineers and threat intelligence analysts. Her career in cybersecurity spans 19 years, with prior roles including leading red team services at Nexum, Senior Solutions Engineer for Symantec, senior security consultant for SecureWorks, and senior network security analyst for the National Nuclear Security Administration.
In this conversation, she stresses the significance of ransomware resilience and covering security basics, as well as the impact of AI on both attackers and defenders. The conversation highlights the need for actionable threat intelligence and the human element of security.
But before we get into the episode, a word from Illumio: [insert ad spot]
Sherrod, firstly, before we get into the conversation, it’s so exciting to be able to speak to you today. And it’s funny, it was just a complete coincidence. I was listening to some of your recent podcast episodes in sort of prep for this, and I just so, just last week, I decided to relisten to the Lazarus Heist podcast that the BBC made, which I’m sure you’re very familiar with. So I thought those were, it was like, that’s a coincidence. And as a result of listening to that for the last two nights, I’ve put on the interview and then fallen asleep to it. So it says more about either I’m tired of the film or it wasn’t as good, but, anyway, it’s a real pleasure to be able to speak to you. So thank you for joining us.
02:14 Sherrod DeGrippo
Thank you. Thank you for having me. I think you know, as evidenced by your media consumption, North Korea is really getting in the game. They’re getting on the board in ways that we have not seen before. In the past couple of months, North Korea’s scoring some points.
02:28 Raghu Nandakumara
Absolutely, and I’d love to sort of discuss that at some point in our conversation today. But as kind of is, I guess, the norm with these podcasts is, let’s kind of rewind the tape and take us back to where it all began for you in your career to sort of ultimately to what you do in your role today.
02:48 Sherrod DeGrippo
Sure. So, I mean, I think it started when I was 14. Really, I was 14. This was in the early 90s, and I read because I was, you know, a very cool early teen, I read the magazine Thrasher, Thrasher Magazine, which was a skateboard magazine. And one month, in the back of Thrasher Magazine, there was a little ad, and it said, call the Thrasher BBS (bulletin board system), and it had a phone number. And I, you know, went to my dad, who was a major hardcore computer, supercomputer dork. And I said, “Dad, I want to call this BBS. What do I do?” And he said, “Well, you know, I have a modem, and we can set you up, and we’ll get you to be able to call the BBS.” And I remember very vividly I was using a BitFax bit modem, which was the app, or the application on Windows 3.1, and I remember very vividly him saying, “I’m going to turn off ANSI. You don’t need that.” So essentially, he took graphic viewing away from me very early, like, you know, he’s like, my 14-year-old daughter does not need to see these images. And I just called the Thrasher BBS, and was on, day in, day out. And then, about a month later, my dad screamed, “Sherrod.” I was like, “Oh, I’m in trouble.” I had run up a $300 phone bill. For the youths listening, we used to have to pay for long-distance phone calls, and Thrasher BBS was not local to me, so it cost money per minute. And my dad didn’t like that, so that kind of got me into phreaking, actually; I consider myself a phreaker first, which meant that, you know, I had a lineman’s handset. I did things like beige boxing, and I met a lot of people who were very excited to show me a lot of things. And I ended up just, you know, when I was in college, I worked at the mall, and I didn’t make enough money, and I saw a poster on campus that said, “Come work at AT&T.” And so when I was in college, I started working at AT&T. And from there, I just kind of kept getting tech jobs, until I went to work at an ISP early.
My career, probably from 2000 to 2001, and that ISP got hacked. One of the clients of the ISP got hacked, and they said, we want you to fix this. You know, it was a data center. So I pulled all their 1Us, all their servers, stacked them up on a table in a conference room, tracked it out on a whiteboard, and was like, I’m going to work. I’m going to do this work. You know, it wasn’t even called incident response then. And it was a phpBB installation that was vulnerable, that was hacked by, quote, hacking team. They put up a bunch of MP3s playing in the background or maybe even just WAV files. Like it was very primitive. And that was the point where I was like, I want to do security. I want to secure things. I want to learn how all of this works. I want to hack things. I want to secure things. And shortly after that, I got my first real security job, working for the National Nuclear Security Administration, part of the Department of Energy. And that started my network security obsession. I’m obsessed with network security. And I just, you know, did that for quite a while. And not too long, but then after that, I went and worked at vendors. So I have committed the past 18 years of my career to security vendors: Symantec, SecureWorks, Nexum, Proofpoint, and now Microsoft. I love the vendor space.
06:19 Raghu Nandakumara
Amazing. I mean, that’s quite a story from Thrasher magazine to the head of threat intel strategy at Microsoft. That’s probably a career path, or even a life path, you would never have been able to map out in, if you’d been asked back then in the early 90s.
06:37 Sherrod DeGrippo
BBSs and IRC shaped me. BBSs, IRC, and LiveJournal. Those are my origin foundations, for sure. I think a part of it was because when I was growing up, even from a very young age, my father always would say, “Anything you need to learn, there’s a book, and you get the book, and you learn it from the book, and you can do anything.” And when he bought me my first car, he bought me the Chilton’s manual that went with my car, and he said, “You have a car, and now you have the book that goes with the car, and you can fix the car.” And so I sort of took that with me: anything you need to learn, there’s an IRC channel that you can get in. Someone will help you or point you to something. And I still really believe that. Anything you need to learn, you can find the book, you can find the person, you can find the resource, and you can learn it, and you can do it.
07:30 Raghu Nandakumara
I guess, replace IRC channels now with Reddit that you have, yeah, you have your source of information, right, or knowledge. So, so you spoke about that incident. You’re working at the ISP; one of your clients got hacked. You essentially took their entire infrastructure out of their rack, put it on a table, and said, I’m going to figure this out. Step through that process and sort of talk to us about like, what did you as you were doing this, what did you discover about sort of the nature of the attackers, the behavior, their motivations.
08:06 Sherrod DeGrippo
Yeah. And I think that was a really pivotal moment for me as well. So I worked at this ISP that was a very early redundant cloud capability. We had offices on the bottom floor, and the data center was on the second floor. And so I hated going up there because it was freezing, right? If you’ve ever been in a data center, you’re just, you know, everyone who works in a data center has a coat at their desk that they put on when they go up to the data center. Same with me. And I also didn’t like going up there because I’m a bit. I don’t like racking, and I don’t like putting things in racks. I find it cumbersome and unpleasant. Once they’re in there, I’m good to go. But I don’t like putting servers into racks. So, you know, I go up, I know I’m going to have to take, this customer has three 1Us, which, you know, at the time, was quite a deployment, right. In the early 2000s, having three 1Us in a data center that was redundant. It’s amazing. So I had to take all those out. I had a cart. Anyone who’s worked in data centers has done this. If you’ve ever worked on raised floor, you know what I’m talking about. Take the cart. You take a drill; you unscrew out of the rack. You pull these giant, long servers that are very, very unwieldy to pull out. You hope you don’t drop them, and you stack them up on a cart, take the cart down in the elevator, you put them on your desk or in an office. If you ever see someone with 1Us on their desk, they’re in trouble. They got bad problems. So, and that was me. I had a conference room, and I said, “Okay, I’m going to figure this out.” So I hooked everything back up to monitors and started kind of looking at logs, which I think is a superpower that most incident responders are really, really good at today. They understand the logs that matter. And I started seeing that, you know, this is a small business, and at the time it was a big, big web presence for such a small business. And I thought, wow, this business is quite advanced.
They’ve got phpBB for their customers to ask questions, and they’ve got all these manual pages and all these things. And I started looking through it, and I immediately saw that this version of phpBB was old. And I was like, “Oh, this is really old.” And there were a couple of files you could replace in phpBB that would allow it to continue operating but would give you the splash screen. And that’s what this, you know, I don’t even want to call them a threat actor. They were, like, probably a group of teenagers, I believe. You know, I can’t do full attribution on it, but I think they were Iranian. Had put up, you know, “You’ve been hacked by the hacking team.” Music playing in the background, GIFs floating all over the place, and they had something that’s very dear to my heart to this day, which is a shouts and greets at the end. At the bottom, there’s shouts and greets and a bunch of like hacker handles. Which, at that time, it was very common when you would deface any kind of website you would put like, thanks to the other hackers that carried you on your way. I’m a big believer in shouts and greets. I consider that a foundational life philosophy: thank the people that helped you get there. Not necessarily when hacking, don’t do that. But yeah, so I learned really that the motivations of adversarial groups or adversarial people aren’t something that you will necessarily ever be able to truly understand. I sort of say, you know, a lot of people will say, “Why did the threat actor do this? What is their aim? What is their motivation?” And truly, my response to that a lot of times is we never know the truth of a threat actor’s heart, right? And I think that you can speculate, you can guess, but ultimately, we don’t know. Is this person doing this because they’re trying to support their family? Is it because they’re with BEC (business email compromise) and pig butchering? Is it because they’re in a human trafficking situation and they’re afraid for their life?
Is it because they’re truly a bad person and they want to hurt others? Do they want just money, and they’re wild and crazy? You can never really know that. And I think in this instance, I think, you know, it was just some a little bit of fun in an open, open directory of phpBB that they found and went for it.
12:28 Raghu Nandakumara
I think that story at so many levels I can associate with. Let’s just talk about, sort of, working in a data center and a raised floor. I absolutely, that takes me back to the early days of my career, and you talk about sort of taking things out of racks, etc. That sort of just hoping not to drop anything onto your feet more than anything, right? It was a real fear or real worry.
12:52 Sherrod DeGrippo
Or have to use the giant suction cups to pull the tiles.
12:55 Raghu Nandakumara
Oh, yeah, I’ve done that. Just sat around data centers, my feet dangling into the void below, while sort of configuring things in the racks. And the example you gave of sort of these potentially script kiddies essentially exploiting a vulnerability, right? And in this case, in PHP. And just going to one of the other podcasts, I think you were a guest on recently, and what you said was 98% of intrusions can be addressed by basic security practices, right? And I’d say patching is one of those essential security practices. And my perspective here is that when I sit back, and I look at why attacks are successful, I feel time and again, attackers ultimately exploit negligence in one or more of these security practices to propagate. So, in your opinion, do you feel that we give enough importance to these, to the basics, or are we, as a discipline, too caught up in what’s the new shiny toy? What’s the new shiny capability? And we’ve lost sight of the basics, or maybe the basics are too boring.
14:10 Sherrod DeGrippo
I love the basics. I’m a believer in the basics because I sort of was raised in the Bruce Schneier, Ed Skoudis School of Security. I believe in the basics because security is very much something that people with anxiety are drawn to.
And if you can get your basics down, you usually feel a little better. And I think, honestly, what it comes down to is not enough organizations have enough anxiety. I think there’s not enough worry, and there’s not enough productive clinical anxiety, professionally in the industry. I do think we get distracted by shiny toys and we see the basics as being boring. But there is, I think, a completeness, satisfaction in feeling like I know that we have a complete, you know, asset inventory. For example, find those people and get them on your team who have that need to get those things completed, and to feel very strongly that they have them. I think also, you know, we don’t think enough about that 2% of things that can’t be necessarily done with the basics and how we’re going to handle those. To me, I think one of the things that we’re really missing in security, particularly with the current ransomware epidemic, is not even table-topping, but like pre-decision making. If we come under ransom, are we going to pay? And a lot of people start spiraling, and it’s like, wait, do you want to be spiraling now? Or do you want to be spiraling when we’re actually under ransom? Let’s spiral now. Let’s do that worry now so that if something happens in the future, we’re ready for that. I think we don’t do enough of that. I would like to see a lot more, you know, decisions made ahead of time and put down on paper, so that executives and technical leaders and security subject matter experts are already literally on the same page by the time something happens, which is something that in a lot of incidents I have not felt was happening.
16:21 Raghu Nandakumara
So, a couple of things that I’m going to come back onto, the lack of anxiety point you made in a second. But let’s just talk about the ransomware question, right? And to sort of paraphrase Shakespeare, ransomware: to pay or not to pay, that is the question.
I love it. I love it.
Yes, we’ll use that in the social cuts. I mean, now and then, we get asked to comment on, let’s say, some new bit of, like, pick a government across the world saying, “Hey, we want to make ransomware payments illegal, right? And what are your thoughts?” And sort of like the comment is, well, okay, it’s that’ll be, that’ll be great, right? Because of what ransomware, what ransomware potentially fuels, etc. But if you think about from a practical perspective, that may not be possible for every organization, because it’s a choice between paying and potentially sort of being back in business, operational sooner rather than later, or just saying, “Well, actually, I can’t, I can’t afford to pay, but equally, I don’t have the skills to recover properly.” So where do you sit on that? Because I don’t think it’s an easy, binary decision.
17:38 Sherrod DeGrippo
No, it is definitely not an easy decision. I think that’s why I’m a big believer in ransomware resilience planning. And Microsoft released a fantastic guide to ransomware resilience that organizations can look at to kind of build their resilience as well as assess their resilience to ransomware. My question when people say, “Make ransomware payments illegal.” My immediate question to that is, and what is the punishment for violating? So the organization’s been ransomed, they pay to get out of ransom, and now we’re going to punish them, I assume, with a fine. And at that point, it again becomes a risk calculation with just another nexus than you had before. The risk calculation is now against paying the threat actors and getting your data back, and against having to pay a fine to the government for that. I don’t know that that’s necessarily going to be a super successful and happy deterrent. I think that, as technologists, we have to do a lot more work. I don’t think that anyone’s coming to save us on a lot of these. I think that we have to make the technology and the organizations and the people resilient to ransomware. We can’t just say like, well, there will be laws and statutes and some sort of ransomware superhero is going to descend and fix it all. It’s a very complex problem, as you said, and I don’t know that I necessarily have the answers, other than working on becoming more resilient and prepared for those things to happen. You know, I focus a lot on crime in my work, and they operate by different rules than I think most people really understand.
19:17 Raghu Nandakumara
So you’ve mentioned the word resiliency multiple times in that response, and it’s resiliency, operational resilience, cyber resilience, and it’s so topical these days. I think now it’s kind of like cyber conferences have gone from being focused on like Zero Trust to AI, and now it’s all about resilience. But I want to tie that to something else you said about a lack of anxiety. How do you drive a culture of better ransomware resilience if the level of anxiety is not where it should be to drive improvement in the basics? Because I feel that those two are interconnected.
20:03 Sherrod DeGrippo
I think so too. And I have a very controversial hot take on that one.
20:07 Raghu Nandakumara
I’d want to hear it. That’s what we’re here for.
20:10 Sherrod DeGrippo
You know, I really think, you know, there’s always these debates, you know, on social media and industry about passion. I’m not interested in that. I’m interested in, do you have a calling for this. And does doing security work result in your soul feeling a decompression, a relaxation? Is securing something a spiritual comfort for you? If it is, those are the people that we want in the industry. Because those people relentlessly pursue efficacy, and those are the people that we have to count on and depend on, because this is not a 9-to-5 job. As much as we want to talk about work-life balance and like, don’t burn yourself out, sure. But that’s not the world that we live in. Ransomware happens 24 hours a day. We don’t have enough people to work 24 hours, all of these things. So I think we’ve got to get the right people in the right places, and that is where we can heighten some of that concern. I come from the era of security vendor FUD, fear, uncertainty, and doubt. For a decade, that was the marketing plan. I don’t think that it worked. If it did work, we’d be in a more secure place than we are. But I do think that there is an element of risk evaluation and risk understanding that we as security professionals need to embody and internalize and then evangelize outwardly to our non-security colleagues. And I think that we can do that by speaking that language. I am a practitioner of something called neurolinguistic programming, which talks about how to talk to people. You appeal to the sense that they are most connected with. Is it hearing? Is it seeing? Is it feeling? Is it experiencing? You have to talk to people in their language and at their level and help them understand what those risks are. Going back to resiliency. Being resilient. We’ve moved to that language because we are looking at the inevitable now. We’ve gone from stop the breach, stop the attack, before it happens, to being okay when it does.
And I think that that’s a much more realistic picture. I don’t think it’s pessimistic. I think it’s realistic. And you should feel better the more resilient you become, because these things are, I think at this point inevitable.
22:44 Raghu Nandakumara
So I want to come back to the assume-breach sort of mentality, and the when, not if. Because I think it ties, not nicely, into sort of taking a Zero Trust approach to building your security controls. But before we go there, going back to you again, another term that you mentioned is efficacy, right? And I absolutely agree. I think I’ve only been on the vendor side for just under five years now, and before that. Thank you. Thank you. It’s great. It’s great to be here. I should have come earlier, I enjoy it. Come this side earlier. But absolutely right. I completely agree, and sort of that the FUD-focused marketing that existed, but my perspective as I came in onto the vendor side was that there could be so much done in sort of taking a much more value-based, efficacy-based approach to marketing. But it’s hard, because we’re used to saying, “We’re better, we’re faster, we’re stronger, we’re more secure.” But it’s really hard for us to put a where we make you. Let’s pick a number, 50% more secure. That’s a pretty good number, right? I know we’d like to say 95%, but I’d say even 50% more secure is a good number. But why is it so hard for us in the security space to be quantitative about how effective a control is, a practice is, a process is? To sort of get further validation and justification for being able to do more of it.
24:14 Sherrod DeGrippo
Yeah, I think that’s part of what I take personally as a person. I want to be an effective person. I want my technology to be effective for me, and I want to be an effective person. And I think that’s really hard to measure, and I love things that are very hard to put metrics on. So that’s part of the reason I’m attracted to security, is that it is full of subjectivity. It’s full of gray areas. It’s full of like squishy middles that we have to kind of grapple with and figure out, and that’s, I think a lot of people feel the same way, like, that’s why they’re in security. Measuring efficacy is incredibly hard. So I come from, you know, network security and email security for many years, and FNFP is our bread and butter, right? False negative, false positive. Yeah, those are the things that dictate our choices and how we make decisions, and it is very data driven, even though I don’t believe in a wholly data driven approach every single time in security. In the FNFP world, you’re looking at those numbers hour by hour. And I do think that we need to get very objective where we can, and that’s hard, like, there’s a book called How to Measure Anything, which allows for metrics, and there’s that saying of, you know, you can’t manage what you can’t measure. I think those things are really true. But I also think alongside objective measurement in security, we have to help our leaders understand the subjectivity aspect of it, and the decision-making and the human aspect of a lot of it. Social engineering is something that is very difficult to measure. For example, this breach happened; what percentage of it was caused by social engineering? That’s very, very difficult to nail down.
But if we can have that objective numbering, that objective data, side by side with subjective decision-making information, I think that we give ourselves as security professionals, but also our leaders that aren’t necessarily knee deep in this space all the time, a better way forward to understanding how important it is and generating some of that anxiety that we’re kind of hoping to get from people that are making the choices.
26:26 Raghu Nandakumara
Yeah, I like how that’s expressed, about being able to really bring the subjective and objective much closer together, and really finding that intersection where the data from one can inform the perception of the other, right, and vice versa, to provide that greater picture. So let’s kind of move on. And let’s talk about, and the other thing that you spoke about earlier is logs. Like trawling through logs. Great. It’s amazing what you can find in there, right? And just as you said that, I was thinking about, I think that’s just sort of how the function of the SOC has evolved, right? Threat hunting evolved is that it’s just sort of the advancement in essentially analyzing logs, and that’s kind of, sort of the progress, and even what we see today within inverted commas, sort of AI-powered tools, is just getting better at log analysis. So as you have, and I know you’ve spent many years looking at logs from various threat actors, what have you noticed as you’ve been doing this, what have you noticed in the like, what are the clear indicators of that evolution that you have seen?
27:45 Sherrod DeGrippo
Yeah, I think that that’s really, it’s really clear. So my earliest, maybe not earliest, but one of my early passions for logs was I ran a web server, and I would tail the weblogs to watch access. So it was a very low traffic website situation. But when I would have that open and running, I could watch as people hit the website, which, if you’ve never done that before, watching logs in real-time. It gives you a different perception of our digital worl