A
Are we having the right conversation when it comes to resilience? Let's talk about it on this episode of Safe Mode. Welcome to Safe Mode. I'm Greg Otto, editor in chief at CyberScoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats, while also taking you behind the scenes of the biggest stories in cybersecurity. An attack is coming. It's about keeping us safe. He's just a disgruntled hacker.
B
She's a super hacker.
A
Stay alert, stay safe. This is Safe Mode. Welcome to this episode of Safe Mode. I am your host, Greg Otto. In our interview segment this week, we're going to be talking with Ben Harris, the CEO of Watchtower. If you've been reading all of our reporting on the wide array of vulnerabilities that we've covered over the past month, you've probably seen Ben's name, and we talked to Ben. We go a little bit more in depth on some of those vulnerabilities, whether or not he thinks some of these companies should be cut a little slack, if we should be a little bit more... what's the right word? If we should be a little bit meaner, I guess you could say, to them, and whether enterprises are having the right conversations when it comes to how they fix all the vulnerabilities that we see out there on the Internet. But first, talking with Derek Johnson. Speaking of the Internet, you know, all of the networks that we talk about are very, very land based. For the story that you did this week, we had some academic researchers take to the skies. Why did they do so?
B
Yeah, so this study, which was done by researchers at the University of Maryland and the University of California, San Diego, was really designed to explore this sort of one question, which is, you know, how much private and sensitive data can you get by pointing just commercial equipment at the sky at a single fixed point and seeing how much unencrypted private information you can collect from around the globe. And they did, I think, 39 different satellites that they passively scanned from. And they found everything from unencrypted SMS text messages and phone calls and things like that, from telecoms like T-Mobile and Mexican telecoms like Telmex. They found signals from US military vessels and artifacts and information that shed light on internal military administrative operations. They found so much information that in one nine-hour listening period, where they just pointed basically a $600 satellite dish at the sky, they picked up phone metadata for 2,700 people. So it's sort of an example of this really kind of niche weakness in our information pipelines that organizations, military and private sector, just are not thinking of and paying attention to when they shoot information around the globe.
A
So when we talk about the satellites in the sky, what are we talking about here? Are we talking about, like, Starlink? Are we talking about something else? I mean, there's a lot of satellites up there, and that's about the extent of my knowledge on satellite infrastructure. So I'm wondering exactly what is the infrastructure that these researchers pulled the data off of, or found it when it was bounced?
B
Yeah, and that's an important question, because it's not like there's no security for major satellites. What we're talking about here are not the major satellites or the core parts of the network that they're providing infrastructure for. We're talking about the intermediate satellites that are these sort of links in the chain. When information gets sent around the world, right, it can only go in one direction, so it needs to hit through intermediate links. And these are the links that tend not to get attention from the people who are transmitting their information over this. So things like network layer encryption and content scrambling, while that gets used for some of these more major satellites, they're not really widely used for these. They're called geostationary satellites. They're largely treated as just another link in the organization's private network. And they're not monitoring for it, they're not encrypting things. It's a mess.
A
Yeah, it's not so much of a private network anymore, is it? If that's one takeaway that we could have.
B
And so, kind of. I think one of the things that's interesting about this research is that previously we had really viewed this kind of interception as needing a tremendous amount of technical knowledge and technology and funding sufficient to overcome some really troubling signal quality issues that make it hard for sort of an amateur to just point their satellite up at the sky and start eavesdropping. Right.
A
This was NSA land. Like, yeah, that's what, at least that's what
B
we thought, that was the thought. And what this research really proves is actually you kind of just need technical know-how and a hundred dollars' worth of equipment. And I think it kind of highlights that if you can extract secrets with that level of investment, what can you do with more funding? What can you do with more investment, more sophistication?
A
What type of commercial tech are we talking about here? I just, the $600 really is a low barrier to entry. Like, it's wild to me that it's like, yeah, if I really wanted to as a hobby, I could go buy some stuff and set something up in my backyard and just pull in some data and see where we go from there.
B
I mean, essentially, yes. So, you know, I know that the actual satellite dish itself in the paper was $180. Okay. And so there's about 400 probably frown on a satellite.
C
So.
A
Okay, so I won't do it.
B
But, yeah, the idea here is that they really wanted to prove, hey, this can be done using commercial grade technology, that this is not something where you need the NSA, it's not something where you need, you know, the FSB or the SVR to pull it off, that this is something that can be done. And it can be done largely because of these gaps in sort of security awareness that take place, and that kind of folds into this larger issue about how much attention we pay to space when it comes to cybersecurity. Right.
A
I was going to ask what was the response in the paper? Is there any sort of response from the entities that they reached out to, whether it is T-Mobile, Telmex, the military, the satellite providers, that they were like, oh, well, that's interesting? In the background, they're, you know, hair on fire, losing their minds.
B
Yeah. As I recall, one of the things that the Wired piece did was, you know, went and reached out to a bunch of the affected entities, and their responses were about what you would expect. Right.
A
Which is security, very serious.
B
Which is sort of. Yeah. Acknowledging that this is happening, but kind of downplaying it and, you know, making it clear that this stuff is only possible in certain scenarios and circumstances. Doing the kind of song and dance that you typically see when organizations get confronted with research like this. So I don't know that it tells us anything particularly interesting about these entities so much as it tells us that, like, society by and large is not treating intermediate geostationary satellites like the information-transferring hubs that they are and protecting them accordingly.
A
Which brings up my next point, is that this stuff should basically be labeled as critical infrastructure. I mean, if it's carrying this level of data, if you're able to pinpoint a US vessel somewhere off of what is essentially, you know, $600 and a pair of expensive sneakers, sounds like you should be lumped in under critical infrastructure, and there should be something done to make sure that, you know, this isn't possible.
B
Yeah, and I think that we are. That is something that folks at the Cyberspace Solarium Commission and some of the organizations that have grown out from that have advocated for: moving space to critical infrastructure. So it's something that Washington, D.C. is talking about. I don't know how much closer we are today towards that happening, because it's still largely happening among the same people who are advocating it. But as more and more research like this comes out, it just becomes more and more apparent that, like every other sector of critical infrastructure, space is this sector where we built things to do things rather than to do things safely and securely. And so that's going to need to be addressed, particularly over the next 10, 20, 30 years as we continue to build out our space operations.
A
Well, I was gonna say yes. Well, I mean, there are safety concerns in space, obviously, but they have largely, like most safety concerns, been rooted around the loss of life, whether it's, you know, somebody going up to service it. Yeah, yes. Where data is never going to be at that same level, but needs to be considered in the conversation more. And I think that that should be one of the main takeaways of this research, is that, no, if the data's going up there, guess what? It should probably be treated with the same level of protections that we have when we're bouncing data around data centers and undersea cables.
B
And you should at least be aware of what's leaking out. Right. Which, it seems like for a lot of these organizations, this happened simply because they were unaware of it.
C
Right, right.
B
And so it's like awareness is the first step.
A
Right. Okay. So, Derek, thank you for making the world very aware of this, and I look forward to seeing how that awareness changes the way that we use these satellites in the future.
C
Yep.
B
Thank you.
A
Joining us on our interview segment this week is Benjamin Harris, the CEO of Watchtower. Really interesting company that does a lot of good work, especially when breaking down the biggest vulnerabilities that CyberScoop reports on daily. We talked to Ben about some of the vulnerabilities that have been in CyberScoop recently and really talked about how enterprises need to change the way they think about fixing and remedying these vulnerabilities, whether it's thinking differently about patch management or vulnerability management or even just talking about how they think about resilience. We also play a new game, Forgivable or Unforgivable, where we talk about some of those vulnerabilities, the Fortra vulnerability, the Salesloft vulnerability, some others, and whether or not he thinks the onus should be on the company to fix them or on enterprises to understand the way that they are using these tools in order to patch these vulnerabilities at a better rate. Check it out.
C
All right.
A
And joining us on this week's interview segment for Safe Mode is a man... if you've been reading CyberScoop over the past couple weeks and couple months, you've seen this company talking about all sorts of different vulnerabilities that we've been covering. Fantastic company and fantastic leader Ben Harris, CEO of Watchtower. Ben, thanks for joining the program.
C
Thanks, Greg. I think that's the first time I've probably been called fantastic in a long time, but I'll take it at this point. Pleasure to be here, and yeah, thanks for your time.
A
Well, I will say, look, I don't mean to blow smoke, but we at CyberScoop, I mean, we spend so much time reading threat intelligence reports. And for anybody out there that spends time reading all these reports, we greatly endorse reading Watchtower, because just from a written standpoint, they are fantastic reads. They're engaging, entertaining, and there's not this, like, corporate deference to making sure that people and companies aren't upset. I mean, you talk about bad actors and also talk about corporate responsibility from the standpoint of, hey, if we see a company not really living up to their end of the bargain when it comes to cybersecurity, we're going to call them out on it. So that's one thing that we always appreciate and definitely something worthwhile. If you do read these threat intelligence reports, that's great. So look, speaking of all of these reports, we've been reading a lot over the past couple of weeks. You've been doing some really good work regarding this Oracle mess, the Cisco mess, Salesforce-Salesloft, even going back a couple months, Ivanti. I know you've been doing a lot of work with Ivanti, too. So I'm wondering, from a research standpoint, what's your mindset when it comes to going, oh, we really need to look into X, Y or Z, when it comes to the things that you're concentrating on and things that you eventually release to the public?
C
Fair question. Yeah. So I think there's kind of two answers to the question, realistically. I think the first thing I'll say is that honestly, we love what we do. I think across the team, as you can probably tell, it probably comes through in the writing. We are fairly passionate about what we do, I think fairly opinionated. But this is more than a career, it's more a profession for myself and many members of the team as well. And I think again, it ultimately comes down to personal interest and kind of personal drive. Obviously, the second part of that is the business itself. Our technology is designed to help our clients understand when thing X happens, does it impact them, where does it impact them, et cetera. And so all the research we do feeds into the Watchtower platform, our preemptive exposure management solution, that we then use to basically replay and simulate those attacks against our client base.
A
So look, so much of what you do, and so much of what the threat intelligence sub-industry, I guess is a good way to talk about it, does, is making sure that enterprises are aware of the vulnerabilities that are floating around out there, and especially the ones that are being attacked by threat actors, and making sure that they're managed correctly and they're patched correctly. But look, you know this, I know this. It's not just as simple as, you know, download, update and off we go, everything's back to normal. So, you know, I'm wondering if you've seen any research, especially from the threat actor perspective, that after a patch management system has been put into place and stuff has been patched, whether you've seen examples or stories based on research that Watchtower has done, where adversaries have maintained access despite the research that you've put out, and despite enterprises actually acting in good faith to patch those vulnerabilities, I
C
think we see it more and more. And I think if we look at the last couple of years, it's a trend that's really grown. So cyber is cyclical, unfortunately. It really is like fashion: things come out of trend, the trend moves on, then we go back. And so we're back in that kind of vogue phase of in-the-wild exploitation of externally facing devices. Now, I think what's changed since this was last the vogue initial access mechanism is that enterprises are significantly more mature, not just in terms of how they patch, but do they know what they have on the Internet? Can they actually enact a response? Can they actually go through proper process and change management to get things sorted? So the response time has become significantly quicker. Now, in this new world as well, we have attackers that historically were colloquially kids in their bedroom or amateur groups that were fairly motivated. And of course the well-resourced stuff sat in that kind of lofty cloud above us. Obviously those threat actors that we typically trivialize have actually become much more serious. They are well resourced now; they have cash from ransoms they've deployed. And so what we're seeing now is this kind of perpetuation of compromise. But in reflection of that improved maturity around patching, attackers are now not focused on just gaining access, they're also really focused on ensuring that they maintain access past that inevitable patching process. So where we used to see just really quick exploitation, now we're seeing incredibly quick exploitation coupled with fairly subtle backdoor attempts, so that when sysadmins and infrastructure teams very quickly rush in and patch a system, even within a few hours, attackers can maintain their access and continue their attack further on. We've seen that multiple times this year. It's been a theme on and off across the industry for a while. But the first time it really became quite serious was last year.
Last year with Ivanti's Connect Secure appliance, when we saw that first APT group targeting of the SSL VPN appliance, one of the scary things to come out of it wasn't just that they had a zero day to gain access to a fairly critical system, but at the time there was a lot of context and discussion around the fact that those same attackers were subverting the factory reset process. So that even if you did rip the appliance out of the colloquial server rack and hit that factory reset button, you actually hadn't recovered anything; you were still in that uncomfortable position. We've then seen the same thing play out multiple times a year. Very quick exploitation of Ivanti EPMM, SAP NetWeaver. Fortinet even had an issue with their FortiGate SSL VPNs being backdoored very quickly. It's a clear, clear, clear theme. And so what we're going to continue to see, and to your point, is that patching fast is great, but it actually doesn't necessarily tell you that you've actually dealt with the incident. And so SOPs will evolve; it'll become a significantly more complex process. Unfortunately.
A
Yeah, I was going to ask you to elaborate more on that, how a fast patch cycle can really actually create a false sense of security inside the enterprise. Right? Because, you know, you have your cybersecurity plan, you have your patch management plan, you go through that, you go, well, wait a minute, I thought we were good. And here we are, you're saying, well, actually, maybe not.
C
So that's exactly it. So as an industry we have effectively educated everyone to go through what's now called vulnerability management. So the idea that you have an SLA to deal with a critical, a high, a medium, a low severity vulnerability, simplified down and trivialized, our whole idea was that once you go through that SLA, you patch the vulnerability, the incident is closed, you can move on. Now we're living in a world where actually we can't trust that at all. We have to assume that if it's a serious appliance, if there's in-the-wild exploitation, that host has probably been exploited, and patching is probably the beginning of that remediation process. Now that sounds simple as a phrase, like, just do more. The challenge is that now you're dealing with enterprise teams who have not just one of these systems to patch and perhaps Levert, they have 100. Now that we've also got into the phase of this sort of activity happening almost every day, this is now a significant usage of time, significant overhead, but to the point where you can't even trust these devices. This is compounded by the industry challenge that a lot of the appliances we're seeing targeted are black boxes. You can't get any visibility, any EDR onto them. So if you patch your appliance A, is it compromised? Who knows? Like, literally, who knows? There is no way to find out. And so you leave these teams in a place of basically mystery. If they patch and do nothing else, they are risking being in a ransom note in a few weeks' time. If they patch and just revert absolutely everything to factory, I mean, you're going to lose weeks at a time and major business disruption. So we are at a very painful place, and teams are basically making very difficult risk decisions. And unfortunately, in a situation that's kind of fluid and evolving, that's really hard to do accurately, consistently.
A
So let's talk about the network edge device thing, because, as you mentioned, you mentioned Ivanti, SAP, Fortinet, SonicWall's been in the news, and you bring up a point that a lot of other experts have brought up in that, look, these boxes don't have EDRs on them. So what do you do? I mean, network edge devices, I feel
C
like
A
there's always going to be that hybrid network inside enterprises, so you're going to have to have these boxes in your network at some point. But is it going to get to a point where you're going to start to see products that have EDRs on them? Or, I mean, what do you do? Because it's clear that the actors have really been concentrating on these devices the past couple years.
C
Yeah, and I think that's the challenge for the industry at this point, to be very honest, is what do we do? Because each of these appliances, while we call them appliances generically, they are all uniquely different. They're all built on different OSes, they've been patched differently, built differently. We even see some vendors make bizarre custom changes to the Linux kernel. Who knows why? But those kind of modifications make it even harder to get a reliable, all-purpose solution to just monitoring. Obviously we have programs like CISA's Secure by Design, which has encouraged vendors to go down this path to basically increase visibility, increase the ability to monitor. But we have to contrast that with, a, it's a pledge, there's no requirement there. Like, they are not going to be held to account if they don't do these things. But also we are applying current day expectations on technology that was built literally 20 years ago. And so I can tell you that when we look at some of these appliances, they don't even have the modules loaded to actually have a proper EDR deployed onto them. We have to add that stuff ourselves. This is where we end up in a very, very difficult situation, because enterprises that have these appliances are left in a situation where they really don't get the visibility they need to make a decision. The best they can do is build out stuff around it, try and monitor what's going in and out. But at this point things move so quickly that that is still fairly reactive when something's gone horribly wrong. My hope is that we begin to see vendors mature, recognize that this is a problem that they can actually help organizations with. And I would be amazed if we don't see an appliance vendor in the next 12 months touting proper visibility as a major enterprise feature that they can sell on. Like, I'm aware of multiple organizations that would jump at that kind of thing at this point.
A
So, I mean, that type of conversation really gets to another conversation about resilience, right? I mean, right now it just seems like patch management or vulnerability management,
C
it
A
can no longer really tell the full story of resilience or how good a defense is inside an enterprise. So I'm wondering, how can you, if you're a CISO, if you're on a security team, what other metric? I don't know if it's necessarily metrics or tools, a mix of things that enterprises can use to really say, no, we're pretty resilient.
C
So it's a great question. I personally really like the word resilience, because cyber is about resilience. It's not about preventing every cyber attack, it's about making sure that they don't take you down. We've always seen it like that. And so even when myself and the team used to do high-end red teaming for banks, et cetera, success wasn't gaining access to the bank, success was actually taking cash. And so resilience in those contexts typically means you take the cyber kill chain and you basically prevent the attack as far to the left as possible so that the business can continue. Ultimately, that's how the business will think, that's how they'll speak. It must be about continuity, right? When we think about what's going on now, this is where the challenge comes. So resilience is also a fairly privileged word. So if I think about your typical 50-endpoint environment, they've rolled out an EDR generically, they bought it off the Internet, they don't have an IT team. Resilience to that kind of organization is really tough, because who is responsible and where does resilience sit? In a network that small, once you've popped the VPN, you are one hop from whatever's painful. And so resilience is a very, very small gap. So resilience to me at this point unfortunately means if you're a big organization, you've got enough complexity to basically have naturally baked-in resilience, because by the time attackers figure out how to do what they want, you've had enough opportunities to kind of kick them out and find them. Ultimately, I think we'll kind of see a shift back to what we... well, we will, we will. My opinion is that, well, 10 years ago we had a big conversation in the industry about assumed breach. So the idea being that basically you assume that you've been compromised and you act accordingly. Now again, I'm going to call out now that that was a very privileged way to approach things, because you still had to have a SOC or an MDR in place.
You had to have someone who could actually assume breach and hunt for things. The next step, I think, will be trivializing that or, sorry, commoditizing that ability to assume breach. So if we can get to a place where we can say an SME, an SMB, has the ability to assume breach and they can react accordingly in an affordable manner, that's where we need to be able to get to as an industry. I'd love to say that we will fix all these kind of problems of vulnerabilities, but the reality is we won't. And I think the way that I've come to look at it, and I really love the way that NCSC in the UK put it, there are forgivable vulnerabilities that are inevitable in life. It's software. People write software; there will be weaknesses always. And I think if we look at even last week with Oracle, that actually was really complex. That is almost to a point of forgivable, because it's such a complex chain. Okay, fair enough. But the unforgivable stuff is the stuff that's very scary. And so again, there's an uplift that has to happen everywhere, but it has to be incentivized in the right direction, and I think it has to be achievable, hopefully.
A
You know, it's interesting that you say that. I might be showing my inexpertise here, but the philosophy behind assume breach, and talking about how it's more of, like, a threat hunting aspect, where it's like, okay, I'm assuming I'm breached, I'm assuming somebody's in there, I'm going to go find where my issues are, where I always thought of assume breach as: I just know they're there, I don't know where they are. So I'm going to ratchet up my defenses, you know, build the bigger moat, build a higher wall and just get all the defenses that I need to get, but make sure that my business can still operate. So, you know, it's interesting to hear you say assume breach and think about it from a threat hunting standpoint, which, you're right, if you're talking about that 50-endpoint business, not only are they not going to have threat hunters, they're not going to know what threat hunting is. So it's interesting that you frame it that way. I'm wondering, am I the one that's wrong there in thinking about assume breach as more of, like, an impetus to go defense in depth?
C
So it's a fair question. So the major shift that basically happened was how attacks took place and what those attack paths actually looked like. So today, absolutely, we're talking about the fact that people are using vulnerabilities to break into those edge devices, but we're also seeing stolen credentials as a major way of organizations having that first breach or first access from an attacker into the environment. Twenty years ago we would say that the attack happened through a series of vulnerabilities that happened throughout their environment. And so you'd look for weirdness, right? You'd look for malware being deployed. You'd look for someone doing something very obviously malicious, which you could then detect on. You wouldn't even need to threat hunt for it. Okay. Threat hunting came in and became a real problem because you had an evolution of an attacker who basically went, the easiest way to stay undetected in these environments is to look like an employee. And so we began to see that dwell time massively increase, because what was basically happening, and my team and I used to do this quite a lot, they would breach the organization, maybe take two weeks to gain access, gain complete control of the network itself just by abusing actual functionality. And then they'd spend three months just monitoring, like, literally watching a user use their machine. How do they log into SWIFT, how do they manage ATMs, how do they manage the company bank accounts, and then just replicate it. And so it became very hard for defensive teams to determine that visit to that website was legitimate, but that visit was not, because they look the same. And so you have attackers that are basically acting like normal employees through that.
A
Got it.
C
And so threat hunting became less of, can you spot malicious, but can you spot anomalies, or can you spot, like, abnormality in the environment?
A
Got it. No. All right, that makes sense. And I can definitely see how this all fits into the way that threats are evolving right now. So I'm wondering, what else? How can defenders use threat intelligence and real-time data to preempt or disrupt attacker behavior? We were talking about how things are still pretty reactive. So I'm wondering, how do you use the data, which, you know, is from a past point, and use it to the point where you can stop something before lasting damage is done?
C
Absolutely. So I think from our perspective, this all comes down to really understanding what attackers are doing. I mean, we've been strong proponents throughout Watchtower's existence, and before that as well, that the reality is that attackers defend against attackers. It's not an academic science. It's not something that we can kind of learn to do. It's something we have to really feel and understand, the science inside the art of it. From our perspective, that then becomes becoming the attacker. Do we understand how they're going to breach organizations? Do we understand how they look at things? Can we identify risk before others see it? But at the same time as well, can we very quickly capture what the attackers are doing in the wild and effectively then replay that into environments before they get down that chain? A big part of what we've been doing is kind of saying, okay, we've become very, very strong at understanding what attackers are doing to break into organizations right now, but post that behavior, especially in a world where, as we discussed, right, they're not just breaking in, but they are backdooring as well, what do the signs that we can see externally actually look like for that behavior? How can we help teams that actually need to front-run this to understand the actual impact as it is right now, over and above patching? So for example, if we can, in our honeypot networks, observe particular post-exploitation behavior, particular backdoors being dropped, particular kinds of access to different systems, we can give teams, before they've even been touched, that visibility of actual in-the-wild behavior that they can then use in their environments to catch those attackers before they get much further.
To me, that then expands the parts of the kill chain that we can cover and have visibility of, while at the same time giving those teams the ability to kind of say, okay, we may have done what we thought was remediation, but there are still those signs of potentially people still moving in the environment. Let's kill it now, based on what we've seen elsewhere. It's a pain that I think we all live through at this point. But as we're seeing constantly at the moment, and relentlessly constantly, attackers will not stop. They are going to be relentless. And I think the reality is that they are evolving at a rate that we haven't seen before. And so this kind of proper visibility of what they're doing is almost essential at this point.
A
Got it, got it. No, that's some really great insight. So final thing before I let you go here, like I said, you and your company have been just cranking out good threat intelligence on a bunch of stuff that we were covering. And I'm going to steal something that you just said right there about Oracle: you said that the recent Oracle Cl0p issue is forgivable. I'm going to ask, I'm going to run through, like, I think it's been like five over the past month, whether you think that they are forgivable or unforgivable from the company perspective. So Oracle, we already have you: Oracle, forgivable. The Fortra GoAnywhere flaw, forgivable or unforgivable?
C
Because there's so much mystery around what's happened, we can only judge the response at this point. Unforgivable, in my opinion. If vulnerabilities are a fact of life, breaches, whatever they look like, are a fact of life. But transparency is a choice. And in our opinion at this point, based on what we see, I would describe the situation as unforgivable.
A
Salesloft forgivable or unforgivable?
C
Forgivable. Unfortunately, we're going to see more of that.
A
Okay, elaborate just a little bit.
C
The idea that you can breach any SaaS platform and leverage the integrations set up. Given that all of these systems are interconnected at this point with different connections, we're going to see more and more targeting of single sources, of single points of failure, for the access they have into different systems. Now the reality is as well that SaaS is full of lots of companies who don't have the maturity of a billion-dollar company in terms of defenses. And so these are almost sitting targets at this point, but with significant amounts of access. So it's quite scary, and I would be surprised if we didn't see other threat actors take note of it.
A
Okay. And Ivanti, a favorite of Cyberscoop and WatchTowr, I feel like. Forgivable or unforgivable?
C
I think it depends on the instance. But if we think about things like EPMM, I would class it as unforgivable. Personally, I am very... I feel sympathy towards some of these larger vendors because they are, because of their position, because of how successful they've been, they are relentlessly targeted by people who want access to a series of organizations. But again, it comes down to: did the vulnerability have to exist? Could it have been found by someone else in an internal process? Did they have to make the remediation process quite so inanely painful? So yeah, I think unforgivable. Unfortunately, at this point, the thing that was always disappointing is that the expectations that we have in the industry on these vendors to do the right thing are really not that high. The fact that we have a pledge, which I'm sure started off as, like, a commitment and got whittled down by lawyers to a pledge. I think so.
A
Right, you're talking about the secure by design pledge.
C
Exactly, exactly. It gets us to a point where you can see how those conversations probably went. And so we have a chance to do the right thing. And we'll see. We'll see.
B
Great.
A
Ben, really appreciate you hopping aboard. Fantastic conversation. We'll have to talk to you again soon.
C
Thank you, Greg, appreciate your time. Thank you very much.
A
Thanks for listening to Safe Mode, a weekly podcast on cybersecurity and digital privacy, brought to you by Cyberscoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your co-workers, your CISOs, your sysadmins, your mom, your dad, anybody that wants to know more about cybersecurity. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.com. Thanks for listening. Check us out next week.
Release Date: October 16, 2025
Host: Greg Otto, Editor-in-Chief at Cyberscoop
Guest: Benjamin Harris, CEO of WatchTowr
This episode dives into the evolving meaning of resilience in cybersecurity, with a particular focus on vulnerability management, patching, and attacker behaviors. Host Greg Otto interviews Ben Harris, CEO of WatchTowr, exploring whether companies need to fundamentally rethink how they approach resilience in the face of sophisticated, persistent threats—and whether fault can be considered "forgivable" or "unforgivable" in recent high-profile security incidents.
With Derek Johnson (Cyberscoop) ([01:40]–[10:45])
Main Segment ([11:56]–[34:46])
“Patching fast is great, but actually doesn’t necessarily tell you that you’ve actually dealt with the incident.” – Ben Harris ([18:39])
False Sense of Security:
Enterprise metrics that simply count patched vulnerabilities are outdated.
Teams lack tools to verify if edge devices (like VPN appliances) are truly secure post-patch.
“If you patch your appliance, is it compromised? Who knows? Like literally who knows? There is no way to find out.” – Ben Harris ([19:43])
“Cyber is about resilience. It’s not about preventing every cyber attack, it’s about making sure that they don’t take you down.” – Ben Harris ([23:50])
“Threat hunting became less of, can you spot malicious, but can you spot anomalies, or can you spot, like, abnormality in the environment?” – Ben Harris ([28:59])
“The expectations on these vendors to do the right thing is really not that high.” – Ben Harris ([34:11])
On researcher ethics and vendor responses:
“Entities mostly downplayed the research, offering standard assurances with little real change.” – Derek Johnson ([07:42])
On patching and persistence:
“Where we used to see just really quick exploitation, now we’re seeing incredibly quick exploitation coupled with fairly subtle backdoor attempts … attackers can maintain their access and continue their attack further on.” – Ben Harris ([15:54])
On the reality of detection:
“Is it compromised? Who knows? Like literally who knows? There is no way to find out.” – Ben Harris ([19:43])
On the future of resilience:
“The next step, I think, will be trivializing that or, sorry, commoditizing that ability to assume breach … in an affordable manner, that’s where we need to be able to get to as like an industry.” – Ben Harris ([24:41])
On what’s “forgivable” in security:
“If vulnerabilities are a fact of life … transparency is a choice.” – Ben Harris ([32:25])
Listen to the full episode for richer context on the industry’s biggest challenges, approaches to resilience, and persistent themes in enterprise defense.