
A
How data management saved a Fortune 100 company from a very bad breach. We'll talk about it on this episode of Safe Mode. Welcome to Safe Mode. I'm Greg Otto, editor in chief at CyberScoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats, while also taking you behind the scenes of the biggest stories in cybersecurity. An attack is coming. It's about keeping us safe.
B
He's just a disgruntled hacker.
C
He's a super hacker.
A
Stay alert. Stay safe, stay safe. This Safe Mode. Welcome to this week's episode of Safe Mode. I am your host, Greg Otto. In our interview segment, we're going to be talking with Brandon Willits, the director of cyber resilience for Everpure, talking about how data management can help companies when they are facing security incidents. Like I said at the top, he helped a Fortune 100 company resolve a really bad security incident that could have been even worse, could have ended up on the pages of cyberscoop.com, but he talks about how data management and protecting the data really helped that industry, really helped that company avoid a really bad incident. But first, talking with Derek Johnson, reporter with CyberScoop. Derek, the AI onslaught has just been that over the past year, but I feel like especially this week, we got hit with two pieces of news on Tuesday that have really set the tone for the week and will probably set the tone for the weeks to come. First, let's talk about the private side and Anthropic expanding Project Glasswing. What do we see?
C
Yeah, so I mean, this was really an expansion that came out of previous rollouts that they have had to certain parts of industry. It does seem like this was another 150 organizations that they are opening it up to. They appear to be organizations, although we don't have the names for many of them. We've kind of been working behind the scenes to figure out who's getting access to it and who isn't. But it appears to be that this tranche is more focused internationally as well as individuals in critical infrastructure sectors. Places like power, water, those kinds of areas where I think policymakers are most concerned about the gap between the speed that these AI tools provide in terms of discovering vulnerabilities and just the lack of resources that they have to respond.
A
Yeah, it's really interesting to see the aperture open wider here, especially with the blog that Anthropic released where they were pretty open in saying that, look, we like that everybody is coming to us asking about this tool, and we like to see the data that shows what is possible with this tool. But we are looking at a window here, and that window may close in 6 to 12 months where Mythos and even Daybreak may not be the leaders in this space. And a year from now, these tools just might be available to any and everybody, and they might not have people behind them that are interested in the safeguards that Anthropic has been very vocal about.
C
Yeah, I think if you look at the way that the open source AI ecosystem has worked up till now, it's been between six to eight months behind the frontier model, sometimes even less. It's really instructive to think about Mythos and Daybreak as being the open source models of, you know, six to eight to nine months from now. Right. That's kind of what is going to be in the hands of open source. And so I think that's what you're, that's what you're seeing. It's, it's, it's certainly going to be interesting to see what organizations can do and how, and how many more times Anthropic opens up access, you know, because as you get closer and closer to that day, where they're going to get do the next model. Mythos is in some sense yesterday's news. Or it's, it's, it's something that maybe the, the. There's less of an onus in terms of giving it to a wider group of, of IT defenders. So we'll have to see.
A
Calling Mythos yesterday's news. That's, that is just wild in its own right because six weeks ago we didn't know this thing even existed. And that it just really goes to show, I keep saying it, it's almost beating a dead horse at this point, but the breakneck speed at which this is all unfolding is just, it's almost impossible to wrap your head around.
C
Yeah. And I think we've been through enough kind of cycles on this where. And you know, and the reason why we say that open source is six to eight months behind frontier models is because that's literally what it's been for the last few years. And you know, the direction is only getting faster in terms of how these models are developing. So, yes, we'll have to see.
A
So if that wasn't enough, that announcement came on Tuesday morning around 9, 9:30 East Coast time in the US. Around 11:30, the White House said, well, it's time for us to have some fun and drop that much-discussed and much-debated AI executive order. And there was a lot of reporting that we have done where we were this close to actually having one. And then we all know the news that the industry came in to the President and said, this is too much regulation. Let's work on this again. He said, okay, let's do that. And now here we are. So what were the changes that we saw?
C
And to be clear, I mean, I think the original versions were, you know, this is all mostly a voluntary partnership with the private sector. There's really nothing mandatory in, even in these older drafts that would have given the United States government access to frontier models 90 days before they're released. They can have the ability to test it. Poke, prod, see what kind of hacking capabilities. Our understanding from talking to our sources is that this is more about the government getting to see what these capabilities are capable, what these technologies are capable of, so that they can then, you know, make downstream plans for how this affects critical infrastructure, for how this affects government systems, what kind of new protections or policies they might need to put into place. That was the original version. But even that wound up getting a lot of pushback by folks like David Sachs, who's a tech entrepreneur and one of the President's top advisors on AI. That 90-day time frame was looked at by industry as kind of being incompatible with that breakneck pace of development that you talked about, where they don't, they don't want to wait 90 days to release it. So that was a big sticking point. This new version, instead of 90 days, it gives the US government access up to 30 days before release. It's also not clear which models will and will not be covered. David Sachs' comments indicate that the White House, or at least that his discussions with the White House, they were talking about only using this kind of testing for Mythos-like jumps in capabilities. So, you know, you're not going to see, you know, when Mythos 1.1 or 1.2 or whatever, whatever the next model is that's not necessarily going to be subject to these kinds of testing. It's only going to be, you know, that big step jump up. And then how you figure that out is a whole nother part of the order.
B
Right.
A
This clearinghouse that's a part of it is really interesting because it comes to the Treasury and we don't usually turn to the Treasury to talk about cybersecurity developments on the technology front or even talking about federal. It's when, you know, we were hearing about this EO coming, we kept wondering, was CISA going to be involved at all. And it seems like CISA is involved in this to some extent, but Treasury is really taking the lead on this voluntary sort of clearinghouse for these models and any vulnerabilities that could potentially come through these models.
C
And that is something that, that I had heard from some of our sources when we were reporting on the original drafts, that both, that Treasury Secretary Scott Bessent had taken a real interest in terms of trying to lead that effort. Not only that he wanted to have authority, but also it was a question of like, where's CISA involved in this? There, even the earlier drafts, there wasn't a really super robust role for CISA. This clearinghouse is really something that, you know, it kind of sounds like something
A
NIST would normally do.
B
Right.
A
Because they oversee the vulnerability database. So there's, there is that angle to it.
C
And so I think part of this is, is just a product of how hot AI is right now in the administration, how every cabinet officer wants to, you know, plant their flag on it. And this is, this is the administration's kind of biggest bite yet at getting their arms around the national security implications. So Treasury, Treasury, along with all these other cabinet agencies are, are interested.
A
So what else are your sources telling you about what this means moving forward? Because the executive order is just that. This is not law. These companies do not have to submit anything that they don't want to. But obviously, because the government is so interested in its own use cases as well, it seems like there is going to be a role for government to play here and there is going to be a relationship that these frontier companies are going to have to have with the government as these new tool, as these new tools continue to be developed.
C
Yes, but at the same time, I wonder if this is as far as the Trump administration is willing to go. This has been kind of the central tension in all of their AI discussions. They are really, really against, at a, at a conceptual level, the idea of even well-meaning regulations around AI because they fear that it will slow them down, that it will slow down AI companies, US AI companies and their race against countries like China. And so there's this real, there's this real sense that, you know, you have to keep going, you have to keep going fast. You have to keep, you know, putting out models on a, on a monthly, monthly basis. And it is creating this, this, this weird tension where the Trump administration recognizes the national security implications of these AI technologies. But they're not really, I don't know that they're willing to go past, I mean, even this voluntary framework that they tried to put out received tremendous pushback from David Sachs in the AI industry and had to be watered down significantly. There's all kinds of language in the EO about how this will not and never be part of a licensing or federal licensing or permitting regime. That, that's actually something where even the critics of, of this EO, like people like Senator Mark Warner or, or, or organizations like the Center for Democracy and Technology, have actually been pleased to see, because I think at this point, with how politicized AI has become, particularly with this administration, there's a real concern about what any kind of mandatory licensing or permitting regime around the release of AI models, what that could be subject to in terms of, you know, manipulation or politicization or things like that. So this is the central tension. It'll be really interesting to see, absent some kind of, like, catastrophic AI, you know, driven disaster, that the Trump administration moves from this position that they're on, which they've been pretty consistent on since coming back into office.
A
Great. Always moving so, so fast. And Derek, you do such a good job at keeping up with it and breaking it down for us as it continues to move at light speed. So thanks for joining the program.
C
Thank you.
A
Now to our conversation with Everpure's Brandon Willits, talking about how data protection can stop security incidents in their tracks. Really interesting conversation about a Fortune 100 company that Brandon worked with that avoided a cataclysmic breach. And really getting into how Everpure strategizes resilience with organizations. Resilience is really such an important part of a cybersecurity strategy. And Brandon gets into the conversations and the philosophies around this resilience conversation, and also talks about a product with a name that we have come to like here around Safe Mode. Check it out. All right, and now to our interview segment for this week. Safe Mode. And look, assume breach has been a mantra for years, but what happens when the breach isn't a foothold, it's a full wipeout. You know, we're talking stolen credentials, native tooling, thousands of endpoints and virtual clusters gone, no malware signature to catch. This happens all the time. It can happen at all levels of enterprises. Today's guest helped a Fortune 100 survive exactly that. And the punchline is that the only thing left standing was the data layer when there was recovery. So, welcome to the program. Brandon Willits, Director of Cyber Resilience at Everpure. Brandon, thanks for joining the program.
B
Thanks for having me. Greg, it's. It's really cool to be here. I've been listening to you for, for a little bit now.
A
Oh, great. Really, really appreciate it. I appreciate the eagerness to get in this conversation. This one I'm definitely interested to dive into. But before we get into the actual work done with this enterprise, let's talk about that assume breach. You know, assume breach has been around for a decade, if not more. And, you know, when it comes to assuming breach in 2026, a lot of that is rooted in the tech around identity, you know, where identity in the control plane itself is compromised. Do you find that when CISOs are talking about assumed breach, this is really the baseline that they need to plan for. And a smart CISO is thinking through this through the lens of identity more so than anything else.
B
Yeah, I mean, I think in terms of, like, the ways that the security industry has been shaped over the last sort of 10 to 15 years, it's really around investing in perimeter defense. Right. We saw a lot of identity investment taking place, I think, especially around Covid time. And I can remember in some of the roles that I had previously, where we spent a lot of time, whether it was with MFA or understanding who has access to what became this really sort of complex problem within organizations. And a lot of it has to do with the software layer. It's not just one tool people have access to, it's several tools. And, and of course, with the proliferation of the public cloud. Right. You gave more access and authorization challenges just in those regards. But I think in terms of perimeter defense, it made a lot of sense that we invested, whether it was from network or endpoints or identity or just application security. With the proliferation of AI and the agentic threats, we really have to think about how do we protect the data? Because in this global economy that we live in, most of our services are delivered digitally.
A
Right.
B
Like the foundation of how companies operate is through digital delivery. Whether you're processing a loan for that small business owner, you're, you know, that nurse is inputting patient data into a system. It all is stored somewhere. So we really need to protect that, you know, that data, that data layer, and really think about bringing organizations together through it, through a common operating model where resilience and security are kind of coming under a more common, common defense structure.
A
So you got into it a little bit with AI there. And I know that AI is compressing attack timelines, whether it's across recon, privilege escalation, lateral movement. Which phase worries you the most when we're talking about moving at machine speed? And what does that do to containment windows when enterprises do recognize that there's a threat inside their enterprise?
B
Yeah, I'm not. I don't tend to be an alarmist about AI. For me, and maybe people can argue that it's an overly simplistic view of it, but I just think it's machine identity with escalated privileges in your organization. So, you know what, what worries me the most about AI is that we haven't nailed the basics before this moment. I think a lot of organizations kind of miss the analytics era. And so we're kind of going into this place where, like, we're going to unleash autonomous agents into our environment, and we haven't established the controls, whether it's related to identity, whether it's related to how you sort of store data within your database. And so you hear the alarmist stories or the headlines about entire databases wiped out by a rogue agent. But if we've been in this industry long enough, you know, plenty of times where that happened over a weekend by an IT professional. And so for me, it's really around. Do you have the proper controls in place, and do you have your data stored in a secondary or even a tertiary way that you can rapidly recover in the event that some sort of data corruption takes place? Because otherwise you're just architecture detecting your own failure faster with AI.
A
So let's get into an incident. I know that you were helpful in helping a Fortune 100 company recover from what was described as a malwareless attack. And when I think about that, I automatically go, well, that. That has to be identity driven. So, you know, we're talking about identity here. Walk us through at a systems level, what an attacker did, what broke and what didn't.
B
Yeah, the kill chain was four moves, all right? It was credential compromise. It was privilege escalation. It was tool abuse. It was max execution. So I'll kind of. I'll talk through these things. I tend to talk about them in such a way that my mom or my wife can be interested in this, because I think at the end of the day, like, these. What. What impacted wasn't just a business. It was people on the other end of this. Right.
A
Like, always appreciate people that want to take it to that level. Yeah.
B
So imagine, I think, for. For those listeners who maybe aren't as familiar with, like, privilege escalation or credential compromise, like, think about it in terms of, you know, in this case, it was not malware. This was not a zero day. They're just working with keys for a real account. Like the adversary actually got valid identity credentials. So imagine that someone walks up to your building with a real badge, right? That's the, that to me is the, the differentiating factor in this attack vector way, which is that they had, you know, they harvested the credentials and then from there they're getting privilege escalations. Meaning that that badge now has upgraded to the master key of. Right. So those, those credentials were walked all the way up to global administrator into the identity plane, so the highest tier of access across the estate. And from there they were then able to do like abuse the very tools that, that these organizations use to manage their fleet. They were able to essentially, with that master key in hand, log in to, to the endpoint management console to then wipe out all of your endpoints. Right. So again, you know, weaponizing the very tools that you use to manage your own fleet. And so the alarm system and the sprinkler system are essentially turned against your own building.
A
Right.
B
In this case. And that max execution, right, because there was not a secondary human in the loop requirement. There was a, they were able to basically go across their entire management estate and then wipe it, wipe it out. And that was a devastating effect. Core business processes were taken offline immediately. Individuals are not able to access, you know, critical pieces of information. And so basically that company was ultimately unable to open their, open their doors the next day.
A
Yeah, I was going to dive a little bit more into that. When the identity does go down in the middle of an incident, what does the response team actually lose access to and how do you operate through that? I mean, we hear about companies, all sizes go through this and they are essentially reduced to, you know, before computers, it's, it's pen and paper and the ditto sheets and things that have, you know, been left to the annals of history. So in, in your experience, you know, how do you operate through that? And, and while there is a recovery, you also have to keep the business moving at the same time.
B
Absolutely. And, and in this case, like the storage layer was not the same trust domain as the identity plane. And so, you know, even though the attacker was able to get global administrative privileges into the customer's tenant, where the data set was outside of that blast radius, meaning that, you know, you know, where we, where we came in and helped that customer, like we trained a customer engineer in 20 minutes to recover from snapshots. So imagine for those folks who don't, who are listening, who don't know what that means. Imagine taking a Polaroid of your organization at 3am and you're able to then recover that rapidly. And so you go from, you know, days or weeks or months or even insolvency in some cases where we've seen companies unable to even open their doors the next day, in this case, they were able to recover it very, very, very quickly. And so, you know, because, you know, historically, if you wipe all of your data out, then you have to then go and recover it. And so you're dealing with like, literally the laws of physics of trying to recover all of that. And then you have to test it, and then you have to basically, you know, create an entirely new image and put it on that endpoint, and you have to test all of that. All that takes time. And time is of the essence in this case. And I think this is where it kind of goes into, like, why I'm, you know, these moments, for me, as somebody who started my career in resiliency and then shifted into cybersecurity, is that, like, I've always seen these two, these two functional areas within cyber organization coming closer together, right? Because it's not just a matter of protecting, you know, building bigger walls or digging greater moats around your castle, and it's also protecting what's inside of it and the ability to rapidly recover it. Because, you know, downtime at this, at this stage of the game and the economy is existential for organizations, right.
And what our Safe Mode technology actually allowed them to do was great.
A
Main.
B
Yeah, I was, I was. When I, when I found out that we were doing this on Safe Mode, I was like, oh, that's, that's pretty cool. But, yeah, our Safe Mode technology allows you to rapidly restore and again, some of the same. And, you know, in this customer's case, I mean, these are almost unprecedented. Right? But, like, what, what we really have built in is, I think it is this idea that, you know, you separate out your identity plane from your storage from your storage domain. So in the event that your. This takes place to your point, some companies have had to go back to pen and paper, right? You see it in hospitals. You've seen it in other. In other instances, right? What we were able to do is actually have them log in and recover rapidly.
A
So let's dive into a little bit on that recovery. And you talked about all the steps that need to go through. And I've heard this when I've talked to CISOs and security experts in the industry too, that most organizations think they have backups covered just because, oh, yeah, somebody backed it up. It's on a drive somewhere, we're fine. And then they go to recover and it's an absolute mess where it's just literally the digital equivalent of stuffing pieces of paper in a, in a filing cabinet and having to sort through it to figure out how to get the company running. What is the gap between we have backups and what you just described? Let's dive deeper into that.
B
I mean, part of it is that mentality, right? Like I, you know, I take backups for archival reasons, you know, like, you know, like the way we used to save tax insurance for seven years. And I think, you know, we have to get beyond that mentality of like backups. Like, you people take backups for a lot of different reasons. Like it's not just around, you know, in the event of a security incident. Like, there's operational, there's data corruption. And, and so, you know, understanding that, like the difference between a backup and a snapshot, right? Kind of like I'm going to take a, you know, again, put it in plain language. I'm going to take everything that I have and I'm going to put it into a different house. Like the, the time it would take to literally lift all of your furniture up and move it into a secondary environment and recreate your entire house is literally time, like, versus. I'm just going to take a picture of it so that in the event that I have to, you know, my house is burnt down, I need to share with my insurance company everything that I own. They're going to be able to very, very quickly go through that. Versus, Like, I have to go over that second to drive that second house. I have to look through everything. I have to inventory all of it, right? Again, it's really around throughput. Like, I'm going to take everything because you don't need everything in the event of an incident. You need the most important things. And so what this allows you to do is take this immutable snapshot copy of the most important parts of your business so then you can rapidly restore them. And what I think is really cool about, about our technology is just the, the delays that are built into it. So when someone hits delete on say, a safe mode snapshot, nothing happens for a configurable window, meaning 1 day, 7 days, 30 days. Like, the customer chooses what that is for their business. 
And so I think, you know, where backups have been seen as a compliance or maybe even a cost center, because like, you know, data has gravity, but it also has a cost associated with it. What this allows you to do is define for your business and your risk profile how much data you actually need to store. So then you can rapidly recover that versus I'm going to recover everything. You don't need everything. You need the most important things and you need business context associated with those snapshots to say, I need this important thing because it's related to my ERP system, it's related to, you know, my HR system, it's related to my production system.
A
Right. So all of the systems. Let's take it back to the incident response that you were talking about with this Fortune 100 company. What came back first and how did the team prioritize when everything goes down simultaneously and, and they're locked out and they, so they have the ability to recover. But how do you go through that. I guess checklist is the wrong word process. How do you go through that process in order to get the right systems up and keep business continuity moving when you know, things are at their worst?
B
I think you know, the techniques of how what was recovered. Unfortunately, I think it's a little too much of the confidentiality of the customer. But I can like speak to you within reason. Yes. Let's broad strokes, give away from. Yeah. So you know, again, you know, like just put it in plain language. Like if I take a snapshot picture of my business at 3:00pm, right. And I, and I say I'm going to hold that for four days and then that snapshot is then offloaded into a secondary environment and say, this happens to me, right? As I'm the company, this happens to me. What that's going to allow me to do is like, okay, I have say 100 endpoints, I have 100 mobile devices that I need to rapidly restore access to because some of those mobile devices are also customers' personal phones. And so rather than, you know, have to then, you know, recover both the systems and the applications and all the data and all the interdependencies, what that allows me to do is like literally take a version of the thing that I took and imprint a golden image of it and say I'm going to restore all of it to that point in time. And so then once you've then recovered it, you've tested it, you validated as recoverable, then you're able to then push all that out to those endpoints and then those individuals have, have that data restored back to that point in time. You know, anything that came in afterwards obviously is lost. But you know, in terms of like, how do you rapidly recover versus, you know, recovering from backups. Going back to your question around the, between backups and snapshots, it's okay, now I have to go and I have to recover all the, the, you know, the systems and the applications and the dependencies, and then I have to then bring all of that back to a system like that. That takes time.
And so this is how that company was able to rapidly restore all of those, you know, 80,000 or so endpoints that were ultimately lost is they were able to use that golden image of a point in time and then start to, then push those out to all the critical systems. And so they would. They know what their critical systems are. And so they brought their critical systems up and all that data that was associated with those critical systems at that point in time, they took that snapshot was also brought with it.
A
Great. So I guess could that be the time that they actually like sort of realized as they're going through this, realize, oh, wait, we can actually survive this. We can actually get to that. You know, I, I wish my producer, you can put in the angel voices that, that angel voice term of resilience almost when they realize this, because look, you said 80,000 endpoints. That's a pretty big attack. And you know, industry recovery time, when we've seen stuff like this on a Fortune 100 level, it's measured in weeks or even months. And it's a painful rebuild. So the fact that this company was back up with, you know, in a relatively big window or a relatively short
B
time frame, short term days, days had
A
to be a real turning point in that war room. And everybody realized, wait, we can actually survive this?
B
I would say even shifted even left of that. Right. Like, you know, I often think about some of the times that I've been called to incidents in my career and whether I was on the security side or resiliency side or even a service owner, and you know, when the CISO or the chief availability officer, whomever it is, is in charge of that incident says, like, can we recover? Too often, you know, they're like, I hope so. Right. Because they haven't tested it. Right. They haven't validated it. And you know, this kinds of these, this type of technology truly didn't exist for a very long period of time in terms of like our defense in a rapid recovery. And I think a lot about those moments in my life where in my career where I'm like, I look across the room or the incident bridge and
A
I think, like, how do we get
B
beyond hope to certainty, right? I started my career in the military, I served in Afghanistan, and like, hope was not a plan. And so I'm often really excited about watching this shift within, within our industry to sort of say, like, we're not going to hope, we're going to validate and then we're going to be able to tell that CISO or that CIO who has to report to the board. This isn't about hope. This is about certainty. We know we can because we tested it last week. We, we, we've done this before. And I would say for us, that moment came, you know, in helping that customer, right. The original individual was on vacation when this happened. Like, no fault of their own. They couldn't have possibly even planned for this. Right? But we were able to train a customer Engineer in under 30 minutes on how to do this. Like a person that, that is not their core competency and job. We were able to train them on how to recover this. And these snapshots, to me, that would have been if I was, if I was in the customer seat, that would have been angels come from heaven that you were referring to. Like, oh, wow, this is not the end for us, right? Because then you already know how the technology works. At that point you're like, oh, we're not locked out of our own systems. We can actually recover these very quickly. And that's when you know, okay, this isn't a months upon months incident. This is a, this is going to take a couple days for us to get our systems back up and running and start delivering our core capabilities to our customers.
A
So let me frame it another way too, as we wrap this up. If you are a business leader listening to this, who doesn't know how to code, who might be on the end of that, "I need to fix this and I don't know what I'm doing" when it comes to, like, back-office IT, but you're responsible for paying for the tools and the people that manage this IT, what is the number one lesson from the incident that you're talking about, about where you should be spending your security dollars as you consider new security dollars in your budget?
B
I mean, one, trust but verify. So that, that involves testing all of your systems in the event that you can, so you can actually recover it. Continue to invest in your perimeter defenses. Like, continue to invest in your identity, your network, your, your application security. But, but no, don't obfuscate the responsibility of the data layer to somebody else in the organization.
A
Right?
B
Like, to me, that's the number one thing, like the reason that I, you know, I, I joined EverPure here about, about three or four months ago now. And the reason I came into the storage environment from where, you know, running cybersecurity product management at a, at a Fortune 100 software company, was that I didn't have access to the storage layer. I had all the tools, like name all the major vendors, I had all of them. Right. The thing, the thing that I didn't have access to was the storage layer. And you know, in the event that there was an intrusion, you know, often what we would find with a lot of our security violations, that one in four data breaches are misconfigurations. So going back to that phrase I used earlier of nailing the basics, nail the basics of your configurations because once you're doing policy driven, whether it's data protection or policy driven configuration, you can have a lot more confidence in that your security controls are already there. And so also assume breach, assume that somebody's going to be in your system and so work with your CIO or your CISO, depending on which side of the operating model you sit on and say, how can we partner together? Because one of us is going to be called to that bridge, if not both of us. And I just want to make sure that we're telling the same story about the same protection layers all the way from our network and endpoints all the way down to the most important thing, which is your data. And again, test, test, test. Like, you know, there's a lot of ways that especially EverPure has made it so that, you know, traditional DR testing is kind of a legacy idea that you don't need an entire weekend to validate your systems. You need a sandbox environment and you basically need to sort of say, can we do this rapidly? The answer is yes or no.
It has become binary at this point and I cannot, I cannot emphasize this enough, but the, literally the more you test in these moments, the less pain you're going to feel in the incident. And because you have to assume it's going to happen to you, it's no longer happening to somebody else, it's happening to all of us. And we really just need to prepare better in terms of investing in our recoverability.
A
Great. Yeah, the idea that your data layer is the last thing standing and you know, most organizations won't know that until it's tested. Look, it's something every security leader needs to pressure test and do it before the incident, not during it. So I definitely agree with you there. So Brandon, really appreciate you hopping aboard. Thanks for being here.
B
Thanks Greg. It was a real honor. Appreciate it.
A
Thanks for listening to Safe Mode, a weekly podcast on cybersecurity and digital privacy brought to you by Safety CyberScoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your coworkers, your CISOs, your sysadmins, your mom, your dad, anybody that wants to know more about cybersecurity. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.com. Thanks for listening. Check us out next week.
Date: June 4, 2026
Host: Greg Otto (A)
Guests: Derek Johnson (C, Reporter at CyberScoop) & Brandon Willits (B, Director of Cyber Resilience at EverPure)
This episode dives deep into two primary themes:
[00:49–12:15]
Project Glasswing Expansion: Derek Johnson outlines Anthropic’s move to expand access to its powerful AI vulnerability-discovery project to 150 more (mostly international and critical infrastructure) organizations.
Pace of Open Source AI: AI advancements are cycling so rapidly that even "frontier" models become old news in months.
Executive Order Analysis: The White House’s new AI executive order replaced proposed mandatory 90-day model reviews with a more industry-friendly voluntary, 30-day pre-release review for significant model jumps, reflecting ongoing industry resistance to regulation.
National Security vs. Innovation: The administration is attempting to balance concerns about AI-driven national security risks with the desire to avoid slowing US AI innovation relative to geopolitical rivals like China.
Interview with Brandon Willits, Director of Cyber Resilience at EverPure [13:47–34:59]
The breach involved:
No malware or zero-days used; instead, attackers gained valid credentials and escalated to global admin, weaponizing the company's own management tools to wipe thousands of endpoints.
Core business processes went offline instantly; the company was briefly unable to open its doors.
Most companies treat backups like “insurance documents in a file cabinet,” only to find chaos during recovery.
Snapshots are point-in-time, immutable copies prioritized for critical business context—which allows for “surgical” rapid recovery rather than slow “whole house reassembly.”
Safe Mode technology: Snapshots include a deletion delay (“nothing happens for a configurable window—1 day, 7 days, 30 days…”) to prevent accidental or malicious erasure.
Critical systems (“80,000 or so endpoints”) were restored in days, not weeks or months—industry outlier for this scale.
Key cultural lesson: Organizations must move past hoping they can recover—shift to regular validation and testing.
On Open Source AI Racing Ahead:
"The breakneck speed at which this is all unfolding is just, it’s almost impossible to wrap your head around." — Greg Otto [04:25]
On Real-World Breaches:
"They were able to essentially, with that master key in hand, log in to the endpoint management console to then wipe out all of your endpoints… weaponizing the very tools that you use to manage your own fleet." — Brandon Willits [18:39]
On Recovery Certainty:
"How do we get beyond hope to certainty?... Hope was not a plan… this isn’t about hope. This is about certainty. We know we can because we tested it last week." — Brandon Willits [30:27]
Key Advisory for Business Leaders:
"Don’t obfuscate the responsibility of the data layer… assume breach… work with your CIO or your CISO… test, test, test. The more you test… the less pain you’re going to feel in the incident." — Brandon Willits [32:46, 34:21]
AI News & Executive Order Analysis: [00:49–12:15], with Derek Johnson
Incident Walkthrough: Surviving a Full-Wipe Breach: [13:47–34:59], guest Brandon Willits
For organizations looking to mitigate existential threats, the message is clear: Nail the basics, architect for recovery, and never stop testing.