Unlock the mysteries of Active Directory with our guest James Potter, an AD virtuoso, as we traverse the complex labyrinth of group nesting and consider the impending expertise exodus. Tune in for an eye-opening discussion on the surprisingly robust security benefits of antiquated systems like Novell NetWare and the sticky challenges organizations like Blue Lemon face when trying to pivot away from deeply rooted AD setups. Our episode peels back the layers of legacy architecture, revealing how it intertwines with modern business operations and the tricky integration into present-day security frameworks.
Ever wondered about the Herculean task of managing cloud security for a behemoth infrastructure? James Potter and I share war stories from the trenches, including my hands-on experience refining a company's attack surface across a staggering 400,000 Azure accounts. We highlight the pitfalls developers may unknowingly create and dissect the enduring reliance on outdated NTLM authentication. Also, reminisce with me about the days at Microsoft when Active Directory was the unsung hero of businesses, and explore how cloud service lockdowns and the quest to avoid vendor lock-in are shaping today's tech strategies.
Concluding the episode, we navigate the emotional rollercoaster of imposter syndrome when shifting from a corporate behemoth to the entrepreneurial hustle of consulting. I divulge my personal battle with self-doubt and chart out the tactics that fortified my resolve and credibility. Wrapping up, we warmly extend an invitation to reach out to James Potter and the DSE Team for a helping hand or further dialogue, ensuring you leave not only equipped with newfound insights but also with the connections to help you thrive in the IT realm.
Speaker 1: How's it going, James?
00:00:01
It's great to get you on the podcast.
00:00:04
You know I'm really looking forward to our conversation
00:00:07
today.
00:00:07
I think you have some really interesting experience.
00:00:10
Speaker 2: Well, I'm happy to be here and it's fun talking Active
00:00:13
Directory, so you might have to get me to shut up at some
00:00:16
point.
00:00:18
Speaker 1: Yeah well, I can't go that deep on Active Directory
00:00:21
and I guess I can, I guess I know more than the average
00:00:23
person.
00:00:24
But when we start talking about like nesting groups and stuff
00:00:28
like that, it's just it's going to start getting difficult.
00:00:33
Speaker 2: Well, there's there's plenty of complexity there and
00:00:35
one of the issues it's happening right now is a lot of people
00:00:38
that learned Active Directory in their 30s and 40s, you know, 20,
00:00:41
25 years ago are rolling out of the workforce.
00:00:44
They're retiring, they're, you know, getting a nice home in
00:00:47
Florida or, you know, just going going back to wherever they're
00:00:51
living now and just having free time.
00:00:52
And the newest generation isn't learning Active Directory
00:00:56
because kind of seeing this dead technology that's not going to
00:00:59
be around in 10 or 20 years but it absolutely will be at any,
00:01:03
any large entity, because getting away from it is very,
00:01:06
very difficult.
00:01:07
Blue Lemon tried to do this relatively recently, very, very
00:01:10
aggressive planning, and they ended up having to stay
00:01:12
partially on prem and now they have all those on prem costs
00:01:16
still there, along with the migration costs.
00:01:18
So you know there's there's a toll to pay if you don't make it
00:01:21
all the way.
00:01:22
Speaker 1: Hmm, yeah, I've always felt like Active
00:01:26
Directory is one of those like essential technologies.
00:01:30
You know that you just you have to live with, you know it's
00:01:34
something that you know makes your business run, so to speak,
00:01:40
and if you don't, if you don't have it, it becomes a huge
00:01:44
undertaking and stress on your environment.
00:01:48
Just because you know the like, you need an entire team of
00:01:53
people to manage that custom solution or whatever it might be.
00:01:57
Speaker 2: Yeah, yeah, and it's, it's.
00:02:00
It's interesting from a security standpoint too, because
00:02:03
when Active Directory came on the scene, it's competing against
00:02:06
itself with the NT 4.0 servers, and basically Novell NetWare were
00:02:10
the only you know, relatively large players in the game.
00:02:14
And we had a financial institution in China relatively
00:02:17
recently that was compromised.
00:02:19
But the hackers' ransomware
00:02:21
code didn't work because they weren't using Active Directory.
00:02:24
They're still on Novell NetWare, so they were able to catch the
00:02:27
intruders and remove them from the system with very limited
00:02:30
damage because they were running like 30 year old technology at
00:02:34
their bank.
00:02:35
Oh, so the Battlestar Galactica approach to security?
00:02:42
Speaker 1: That's a.
00:02:43
That's an interesting perspective or a route to take,
00:02:47
I guess, in security.
00:02:49
Speaker 2: I don't think it was intentional.
00:02:51
Speaker 1: Right, you know, Jim or James, you know how.
00:02:55
How do you get?
00:02:57
How did you get this experience with AD?
00:03:00
You know, because I feel like you have unique experience that
00:03:04
not everyone is going to have.
00:03:05
Even you know nowadays, right, when we're, when we're talking
00:03:10
about AD and people you know, kind of owning it or teams
00:03:13
owning it.
00:03:14
You know it sounds like you have a pretty unique experience
00:03:17
with it.
00:03:18
Speaker 2: Well, I was doing system administration work back
00:03:22
in like 99, 2000, effectively, you know, keeping the servers up
00:03:26
and running.
00:03:27
You know, hardware, software at a smaller entity in Downriver,
00:03:32
Detroit, and so I got to touch a lot of things because there's a
00:03:35
small shop and there's only two of us.
00:03:37
So we got to do basically everything from from networking
00:03:40
literally running cables across drop tiles, to hardware rack and
00:03:45
stacking to the logical networking and logical system
00:03:49
deployments.
00:03:49
And you know, it looked a lot, a lot different back in like
00:03:52
2000, 2001.
00:03:53
It's not the, not the same shop.
00:03:56
Most, most entities didn't immediately adopt Active
00:03:58
Directory in 2000.
00:04:00
But once 2000 rolled around, everyone saw the, the advantages
00:04:04
to it, and I certainly did as well and jumped on it.
00:04:07
Because before you had kind of a, a clergy network deployment
00:04:10
or you had a bunch of NT 4.0 servers all over the place, you
00:04:14
know, sitting underneath people's desks at branch offices,
00:04:17
and sometimes the cleaning people come in and turn them off,
00:04:19
like it was.
00:04:20
It was bad, it was real bad.
00:04:22
But with AD it was like the first really large, commercially
00:04:25
replicated database.
00:04:26
So you could, you know, hire someone in New York and if they
00:04:30
flew to Los Angeles they'd still be able to log in with their
00:04:32
computer without any administrative overhead, and
00:04:35
that was kind of like this.
00:04:36
This new concept at the time is like this wild new way to auth
00:04:40
that didn't exist and now we kind of take auth for granted,
00:04:43
right, you can, you can cloud auth from anywhere, it's just
00:04:45
always there.
00:04:46
So it's not a big deal.
00:04:47
So yeah, I guess being being around for a long time kind of
00:04:50
helps there from the experience standpoint.
00:04:55
Speaker 1: Yeah, you know it's, it's interesting.
00:04:58
So when I was working for a credit bureau, you know, I owned
00:05:03
a privileged access management solution and a part of that was
00:05:08
obviously getting all of the accounts in AD into the solution
00:05:12
and eventually rotating them via the solution.
00:05:14
It sounds like a great idea, you know, from a security
00:05:18
perspective, but it adds in huge amounts of risk to the
00:05:23
environment if that PAM solution is not doing what it should be
00:05:28
or there's bugs and things like that.
00:05:30
And so you know, literally, you know, one day, you know, my
00:05:37
manager said, hey, we need to put global AD into this PAM
00:05:41
solution.
00:05:41
Never heard of global AD, I had no clue what it is right.
00:05:46
And I go talk to our AD guy and he goes, oh, that's a legacy
00:05:51
like AD architecture that we basically can never get rid of,
00:05:54
because once you started it, you know you basically can't, can't
00:05:58
migrate away from it, like it's almost impossible.
00:06:02
Speaker 2: So you're kind of trapped.
00:06:03
Trapped in it forever because all the apps you buy integrate
00:06:07
with it for its auth store and you're stuck with it, right, like
00:06:10
for better or for worse, like at the hip.
00:06:12
Demi, you're up there, man, sorry.
00:06:15
Speaker 1: No, no worries, and you know I'm being the security
00:06:20
person that I am.
00:06:20
I'm trying to gauge the risk to the environment, right, what's
00:06:25
the risk of adding these, you know, 12 or 15 accounts into
00:06:29
this solution?
00:06:30
And so I started to ask him.
00:06:32
I was like, well, you know what happens if, you know, all of
00:06:36
our regular AD gets locked out.
00:06:38
You know what's the process, right?
00:06:41
And he said, oh, I just go into global AD, I could reset them
00:06:44
all right from there.
00:06:45
I was like, okay, well, what happens if global AD gets locked
00:06:48
out?
00:06:48
You know, because if all of our normal AD gets locked out, more
00:06:52
than likely that issue is going to reside also with global AD,
00:06:56
and you know it'll get locked out as well.
00:06:58
And he said, oh, if that gets locked out, we're calling
00:07:00
Microsoft.
00:07:01
I was like, oh, so it's, it's pretty serious then.
00:07:05
So you know, I ended up onboarding these global AD
00:07:10
accounts.
00:07:11
There's like 12 of them, but I set them all to not rotate.
00:07:14
You know, that was the idea.
00:07:16
We're not going to rotate it right now.
00:07:18
We're going to figure it out, you know, as we go.
00:07:22
And you know, of course, this wonderful solution that I was
00:07:25
working with, that I refused to work with to this day, decided
00:07:29
to have a bug that we were not aware of it and when you, when
00:07:33
you essentially selected an individual account to rotate the
00:07:39
database on the back end did not accept that filter and it
00:07:43
applied it to every account in its database.
00:07:47
And so you know this happened one of our interns, you know,
00:07:52
just did a normal BAU task.
00:07:55
Right, this user's having an issue with their password, it's
00:07:59
out of sync, let's just reset it and call it a day.
00:08:03
So 15 second task.
00:08:05
You know, literally they do it every single day, all day long.
00:08:10
And you know, as soon as that happened, like, my account got
00:08:17
locked out.
00:08:17
Well, that's weird.
00:08:19
I mean, I did just reset my password because it was, it was
00:08:23
that time of the quarter for me, you know, it was very odd
00:08:26
coincidence.
00:08:27
I'm like okay, well, surely you know nothing's going on here.
00:08:31
And then I see, out of the corner of my eye, my coworker
00:08:35
also had the same, you know, pop up, it's time to change your
00:08:38
password, like okay.
00:08:41
And so I went, you know, back over to the console, because now
00:08:44
I can't get into my computer for some reason.
00:08:46
Once you, you know, lock it could, literally the process is
00:08:50
you lock your computer, you put in the current password and then
00:08:52
you reset it.
00:08:53
Well, my current password had changed, so I locked it and I
00:08:57
couldn't get back in.
00:08:58
And I went over to my co-worker that was still in the console
00:09:04
and we looked at the last rotation period for all these
00:09:07
accounts and it was just, I mean, it was just firing through
00:09:10
them. There's 45 accounts on this solution and it's, I mean
00:09:14
it is chugging along.
00:09:16
And I was like, oh no, I have to go to the 12 global AD people
00:09:21
and tell them to not log out of their computer.
00:09:24
I mean it's 4pm on a Wednesday, you know, like everyone is, yeah,
00:09:30
everyone is like running out the door, you know, and I have
00:09:34
to run into this room and say like, okay, no one here is
00:09:37
allowed to lock their computer.
00:09:39
You cannot log out. If you do nothing else,
00:09:42
you have to keep your computer awake, you know, and like it was,
00:09:46
it was the worst fire drill you can imagine because now we
00:09:50
have to like pull these passwords and set them back to
00:09:54
their old value, somehow, you know, and because you can't have
00:09:58
all of your users, all, you know, 10 of your users, whatever
00:10:02
it might be, you know, first thing in the morning.
00:10:04
Oh, you have to reset your, your AD account password and you
00:10:09
have to reset every service account password that you own
00:10:12
and you know it's such a mess.
00:10:14
Speaker 2: That's what's really going to kill you, because
00:10:16
they're almost never well documented.
00:10:18
So like it gets reset, it's like all right, where all is it
00:10:21
trying to log in from?
00:10:22
Because it keeps locking out even after we reset it on the
00:10:24
boxes we knew about and then it's like a hunt, so very
00:10:28
catastrophic to production for sure.
00:10:30
Speaker 1: Yeah, I guess you know it's, it's looking back on
00:10:34
it.
00:10:34
It's funny because when that happened you know literally all
00:10:38
of the service accounts you know 12 of them, or something
00:10:41
like that got reset almost instantly.
00:10:43
There was no way to stop it.
00:10:44
And one of one of one of the managers that I'm still friends
00:10:51
with to this day, he said, oh, on Monday I got this project
00:10:55
handed down from the CISO that we have to go, you know, team by
00:10:58
team, and reset all the service accounts.
00:11:00
So I guess my project just got done, you know, in 10 seconds.
00:11:05
He's like I guess I could close that out.
00:11:08
This may have had to take me two years.
00:11:10
Oh man, you're welcome.
00:11:16
Speaker 2: No, it's funny because like this is a problem.
00:11:18
Like a lot of companies have their service accounts and
00:11:21
they're, they're, they're using creds that are 10, 15,
00:11:23
I've seen 20 year old credentials that are out there,
00:11:26
right, you know they're, they're, they're not even using Kerberos
00:11:29
for auth.
00:11:29
Like it's, it's a hot mess, but no one wants to touch them.
00:11:32
Because the last time those accounts got touched, you know,
00:11:35
Joe got fired because we didn't realize what it was doing to
00:11:38
production.
00:11:38
And now no one wants to go near it because they realize it
00:11:41
could bork production.
00:11:42
So it's like this this hot potato keeps getting tossed
00:11:45
around.
00:11:46
Project-wise, security doesn't want it because they don't want
00:11:48
to mess up production.
00:11:49
So they go to ops and ops doesn't want it because what is
00:11:51
this a security thing, resetting passwords?
00:11:53
So it just bounces around between different orgs until,
00:11:56
you know, the new guy gets stuck with it, and that's not what
00:11:59
anyone should want.
00:12:01
Speaker 1: Yeah, even just trying to figure out what those
00:12:03
service accounts manage and what they do is most of the time
00:12:08
it's an impossible task because the people that created it like
00:12:12
literally that whole team can be retired, like not just like
00:12:16
change jobs retired.
00:12:18
You know, like that was the case for a lot of these accounts
00:12:22
where you know people were like oh yeah, we're just told not to
00:12:25
touch that thing because it it does something with this
00:12:29
database over here and you know, whatever it might be like that,
00:12:33
that's literally the description that we're getting
00:12:36
when we're going to these teams saying what does this do?
00:12:39
Speaker 2: No one knows.
00:12:40
No one knows.
00:12:41
There's some data from interviewing, but you're not
00:12:43
going to be able to get everything.
00:12:45
So I was.
00:12:46
I was at Microsoft and we got rid of WINS, right.
00:12:49
So this is kind of a similar issue, right?
00:12:51
This legacy technology has odd dependencies and they literally
00:12:55
hunted down at the network stack
00:12:58
who all is using WINS, period, going to those machines and like
00:13:02
being like who owns this?
00:13:04
We need to talk to them.
00:13:05
They hunted all of them down so there wouldn't be any impact.
00:13:09
It was a huge project and I've been on like projects where the
00:13:14
service account rotation comes up because it's always a finding
00:13:17
during security discoveries.
00:13:19
It's like you have a cred that's been out here for 20
00:13:21
years.
00:13:21
It's eight characters.
00:13:23
There's there's a problem.
00:13:25
It's well known credentials.
00:13:26
It's sitting in RockYou, like this.
00:13:28
This is extremely vulnerable to password spray and it has
00:13:31
either domain admin or server admin, kind of across North
00:13:34
America, kind of a problem.
00:13:38
Speaker 1: Yeah, and you know, back back when those accounts
00:13:43
were being created, the easiest thing to do was to actually just
00:13:47
give it, you know, global admin, right, service admin, whatever
00:13:51
it might be, just to make sure that it works.
00:13:54
And a lot of the times the thought was, oh, we'll dial it
00:13:57
in later, you know, and and now we're learning 30 years later
00:14:02
like, oh, that's a bad idea, we probably shouldn't do that
00:14:05
because we never go back to it.
00:14:08
Speaker 2: Yeah, it's tough, and it's really tough in like
00:14:10
startups that grew exponentially from the I guess we're calling
00:14:14
them the aughts right now.
00:14:15
You start small, you're going fast, you're just doing whatever
00:14:18
you have to do to be operational and then next thing,
00:14:21
you know you're a you know, multi-billion dollar company
00:14:24
with an identity system that is almost completely unusable and
00:14:28
so porous from a security standpoint that it puts you at a
00:14:30
significant financial risk, especially for these publicly
00:14:33
traded companies.
00:14:34
Now, with the SolarWinds CISO being, you know, taken to court
00:14:38
by the SEC, like there's, there's skin in the game
00:14:41
potentially now for these CISOs, like personal liability, not
00:14:44
just job stuff.
00:14:45
So it's it's going to be really interesting to see how that
00:14:48
case turns out.
00:14:48
It's going to affect the industry, I believe.
00:14:52
Speaker 1: Yeah, absolutely.
00:14:52
You know, I actually have a friend that's at a company that
00:14:57
is still, you know, it still feels like they're in their
00:15:00
startup phase.
00:15:01
They've been around for maybe, you know, 10, wouldn't be any
00:15:06
more than 15 years, and he said that when he took over as the
00:15:13
IAM director, right, he was just trying to get a lay of the land
00:15:17
and see what they had.
00:15:18
You know, they were predominantly in Azure, right,
00:15:23
so it shouldn't be that terrible.
00:15:25
And he discovered that they had like over 400 accounts, you
00:15:30
know, and they had accounts just sitting there, you know,
00:15:35
not doing anything at all, and his first task was to, you know,
00:15:40
obviously limit the attack surface across these accounts.
00:15:44
Well, how do you, how do you do that?
00:15:46
How do you even get started, you know, and I actually spent
00:15:49
probably a week or two.
00:15:51
I should have charged them some consulting fee, because I spent
00:15:54
like a week or two with them, you know, kind of devising this
00:15:57
plan of how he can go about it without causing any outages.
00:16:02
Speaker 2: Yeah, that's the big one not causing any outages.
00:16:04
It's really easy to fix all the accounts.
00:16:06
It's very difficult to fix them without causing any impact.
00:16:10
Speaker 1: Yeah, yeah, it's challenging and the cloud
00:16:14
doesn't really make it any easier, you know, because it
00:16:19
probably I mean it makes it more difficult because you're so
00:16:23
easily able to attach these accounts to whatever you want in
00:16:28
Azure, in AWS, you know, and it's just, it's too easy for
00:16:35
developers to do that.
00:16:39
Speaker 2: Yeah, it's double-edged sword, right, so
00:16:41
you can dev fast, you can move quick.
00:16:43
But suddenly your test environment is now labeled
00:16:46
production and you only had security controls in there for
00:16:49
test environment and now it's being pushed to prod, along with
00:16:52
all of these vulnerabilities.
00:16:53
The biggest thing for on-prem AD for the longest time and
00:16:57
still today, is developers choosing to use NTLM auth
00:17:00
instead of Kerberos, right? NTLM has been broken for a very, very,
00:17:05
very long time now, over 15 years.
00:17:09
V2 is pretty good, but almost everyone has V1 backwards
00:17:14
compatibility turned on, so their legacy apps continue to
00:17:17
work.
00:17:17
So devs just, hey, let's do NTLM.
00:17:19
It's fast, it's quick, it's easy, there's templates for it
00:17:22
and we can get rolling.
00:17:23
And they sell the app and the company buys the app and they're
00:17:26
like all right, security team implement this.
00:17:27
And they're like wait, this uses NTLM.
00:17:29
Why did we buy this?
00:17:31
Wait, this is gonna be a huge problem and orgs, especially
00:17:36
larger orgs, will often buy applications without security
00:17:39
review.
00:17:39
They won't look at their dependencies, they won't look at
00:17:42
how they're built from a security standpoint.
00:17:44
They only look at, hey, this fixes this big problem and it's
00:17:47
gonna make us X amount of money, or if it's gonna save us Y
00:17:50
amount of money Security is very rarely a part of that
00:17:52
conversation, and that's detrimental to all of these
00:17:56
organizations.
00:17:59
Speaker 1: Yeah, that's a really good point.
00:18:00
So you mentioned earlier that you worked for Microsoft, right,
00:18:05
so can you talk to me a little bit about that experience?
00:18:10
Oh sure, I was working to work for Microsoft, at least on one
00:18:16
of their core products.
00:18:18
I mean, I don't know if you were on the product team or if
00:18:20
you were on another team that specializes in AD, right, but
00:18:24
what is that like?
00:18:25
Because that's a core technology that 95, 98% of every
00:18:31
company out there uses as their directory service.
00:18:35
Speaker 2: I was at a weird point in time for Microsoft they
00:18:39
had just figured out that, hey, as Android things getting
00:18:41
really big, we need a Windows phone.
00:18:43
So I was on the WinPhone project.
00:18:45
One of the issues they were having there is at the time
00:18:48
Microsoft was very, very siloed, like Office was a completely
00:18:53
different team from OS was a completely different team from
00:18:57
server, and these orgs didn't really communicate with each
00:19:01
other.
00:19:01
Each one kind of functioned like a fast moving startup and
00:19:04
they all rolled their code up into a central repository, and
00:19:07
this was especially true for WinPhone.
00:19:09
I was supposed to be using the same code as Windows 8, right,
00:19:13
so you have a unified desktop phone experience.
00:19:15
It's actually good, but couldn't get anyone to dev for
00:19:17
it, and we all know how the WinPhone ended up turning out.
00:19:21
It was a great phone, but no real adoption.
00:19:23
So, anyways, it was a really interesting environment because
00:19:27
from a technical standpoint you couldn't do a lot of what you
00:19:30
needed to without blessing from MSIT, kind of the key holders
00:19:34
for all the different teams.
00:19:36
All the different teams have their own admins and architects,
00:19:38
but at the end all of the access is controlled by MSIT.
00:19:43
So it's really interesting.
00:19:45
Kind of look at it as a company that buys other companies and
00:19:49
adjust them and continues to let them do their own thing, but
00:19:52
occasionally sticks their finger in the pie.
00:19:54
It's a very, at the time, combative environment, but the
00:19:58
people were really great.
00:19:59
It was fun.
00:20:00
It was a fun job.
00:20:03
Speaker 1: That's really interesting.
00:20:05
I wonder how that has played out with Azure.
00:20:08
Now, just the nature of the cloud right, you have this giant
00:20:13
hypervisor that probably a handful of people actually have
00:20:20
access to, and how is that kind of administered and managed and
00:20:27
whatnot, right?
00:20:27
Like, I always think about it as like the worst kind of attack
00:20:34
for any cloud would be to get access to that hypervisor.
00:20:37
And, yeah, there's environment escape, exploits and things like
00:20:42
that, right, but no one is actually logging directly into
00:20:46
that hypervisor.
00:20:47
From an attacker perspective, no one's actually logging into
00:20:50
that thing.
00:20:51
And then, seeing the tens of thousands of accounts that this
00:20:55
cloud provider may have, I'm always interested to see how
00:21:00
they protect it, and I've done a little bit of research into
00:21:02
Google and how they protect theirs, and I mean, from how
00:21:06
they make it sound, there's like 12 people at Google that have
00:21:09
access to a server and a data center that is like highly
00:21:13
replicated across the globe that gives this access, and they
00:21:18
invoke some sort of just in time access for admins that need to
00:21:23
access maybe a customer specific hypervisor.
00:21:28
Speaker 2: Yeah, it's interesting because with all
00:21:31
cloud providers you don't really have physical separation.
00:21:34
You have logical separation but it's not physical.
00:21:36
I mean your virtual machine for your active directory DC
00:21:40
sitting out in the cloud could be on the same physical
00:21:43
hypervisor as a VM owned by the CCP or one of these ransomware,
00:21:50
because it's pretty easy to buy a hypervisor.
00:21:52
So for physical escapes there's still very, very edge case kind
00:21:56
of stuff like Rowhammer's been out for a while and there's all
00:21:59
these CPU vulnerabilities that are flying around.
00:22:01
But without physical isolation you don't really have true
00:22:05
security and it's easy to go for the hypervisor out because hey,
00:22:09
look, I'm up to money, we're saving, we don't have to rack
00:22:11
and stack something and it's great from a cost standpoint.
00:22:14
And that's been true for a long time.
00:22:16
So the past couple of years when the large cloud providers
00:22:19
realized, hey, we got these people, like, hook, line and sinker,
00:22:22
they can't just leave us without a huge project so we can
00:22:25
raise our rates, right, this is the same thing kind of happened
00:22:27
with Uber and Lyft.
00:22:28
Like it was really cheap when you first started using Uber,
00:22:31
like a nice town car picked you up for like $5, took you
00:22:34
anywhere you want, and now you're in the back of like a
00:22:37
beat up Prius that smells absolutely awful and it's like
00:22:41
third round of seat covers and that's the prices going up in
00:22:46
the cloud environment.
00:22:47
And it's tough for a lot of our larger customers because they
00:22:50
feel stuck and they feel manipulated and they feel
00:22:53
controlled and they don't like that.
00:22:55
And large companies can make a switch very quickly if the wrong
00:22:59
person gets pissed off the one Fortune 100 I'm thinking of in
00:23:04
particular.
00:23:04
There's a rumor of a backyard barbecue in Redmond and they
00:23:10
were talking with some Microsoft reps there and there may have
00:23:13
been a few drinks that have happened at this barbecue.
00:23:15
This is all a legend, secondhand information, so I can't validate
00:23:20
its authenticity, but apparently the Microsoft reps
00:23:22
said well, you don't have any other option, we're the only
00:23:24
game in town.
00:23:25
And it pissed the other guy off and six months later they were
00:23:29
on GCP.
00:23:35
Speaker 1: Wow, that is substantial.
00:23:36
You have to.
00:23:39
I feel like when you're in that sort of situation, you have to
00:23:42
gauge what kind of personality not just that you're dealing
00:23:48
with in that individual.
00:23:49
You got to think about the personality of the person in
00:23:52
that role, what it takes to actually get into that role.
00:23:57
Let's just assume, right, CIO, CTO, something like that,
00:24:02
right, what's the kind of personality of a person that is
00:24:07
typically in that role?
00:24:08
Someone that doesn't like to be told no, someone that probably
00:24:14
takes that sort of wording as a challenge.
00:24:17
You know, and now you're in this situation of you're losing
00:24:22
probably one of your biggest customers because of a sales rep.
00:24:26
Speaker 2: Yeah, that had maybe one too many drinks at a
00:24:29
barbecue.
00:24:29
It's a very silly way to lose a very big contract.
00:24:34
Speaker 1: Yeah, I mean that's a really stupid way to get fired.
00:24:39
Speaker 2: Yeah, I don't know what happened to the guy that
00:24:42
caused the whole thing, but I have to imagine he's not working
00:24:45
there anymore.
00:24:47
Speaker 1: Yeah, probably not.
00:24:48
I mean, what other solution are they left with at that point?
00:24:54
Speaker 2: Like man, yeah, yeah, and I'm seeing other clients do
00:24:58
similar things.
00:24:59
Right, they're not going all in on one provider, they're kind
00:25:02
of dipping a foot in provider A, dipping a foot in provider B
00:25:07
and even setting up pretty interesting failover.
00:25:09
So if provider A goes down for whatever reason, they can hot
00:25:12
swap back over to B for some redundancy.
00:25:14
But it also gives them cost negotiation, right, because now
00:25:18
they can suddenly go oh hey, provider A, well, provider B is
00:25:21
charging us 40% less for this.
00:25:23
I think we're just going to move our stuff over there, and
00:25:26
then suddenly there's room for negotiation and price of
00:25:28
services.
00:25:30
Speaker 1: Hmm, yeah, you know it's a.
00:25:33
It's interesting.
00:25:37
I've seen it from multiple angles.
00:25:40
I feel and I was at a company that they were a Microsoft shop
00:25:48
from the beginning and they bought pretty much everything
00:25:52
that Microsoft sold.
00:25:53
If Microsoft sold it, they bought it.
00:25:56
It wasn't even a question.
00:25:58
It always seemed like we had an unlimited budget when it came
00:26:02
to Microsoft.
00:26:02
But when we were talking about like Symantec, right, Symantec,
00:26:06
like EDR, which isn't even an EDR, which is terrible, you know,
00:26:10
it's so low on the Magic Quadrant at that time, you know, I
00:26:13
don't know about the product now, but at that time it wasn't
00:26:16
even considered a top tier EDR.
00:26:17
And we're penny pinching.
00:26:19
You know, this solution that we desperately need, that isn't
00:26:25
even supposed to be that great right.
00:26:26
And their whole, their whole Azure.
00:26:30
You know, methodology was if we only want network closets
00:26:35
on-prem, the rest of it will live in Azure forever and we're
00:26:40
not going to migrate away from it.
00:26:42
And I, you know I just asked them I was like, well, what if
00:26:45
there's something that, like Microsoft does that we can't
00:26:47
live with?
00:26:47
You know, like what if some insider threat happens at
00:26:51
Microsoft?
00:26:52
And you know we have a lot of proprietary information that
00:26:56
makes a lot of really wealthy people, even more wealthy
00:27:00
because it's a financial firm, it's an investment firm, right?
00:27:03
So, like we have a lot of proprietary stuff, and what if
00:27:08
you know all of our eggs in one basket and someone breaches it
00:27:13
right and takes that information without us knowing and they're
00:27:16
like, oh well, that will never happen.
00:27:17
Like well, what if it does?
00:27:20
Because you know there's one account for each of the big
00:27:26
three cloud providers where something very suspicious
00:27:30
happened.
00:27:30
You know where a new startup is creating some new product on
00:27:35
you know X cloud right, and then magically, right out of the
00:27:40
blue, just before you're about to launch, that cloud provider
00:27:44
launches this exact same solution, exact same interface,
00:27:47
with a different logo, and now you're out of business before
00:27:51
you even hit the street.
00:27:53
You know.
00:27:54
Speaker 2: If you want true security it has to be physical.
00:27:56
You can't have shared infrastructure and security
00:27:59
coexist.
00:28:00
It's just not the same.
00:28:01
Physical boxes will always be more secure than any sort of
00:28:05
hypervisor, not because there's active vulnerabilities for
00:28:09
VMware, Hyper-V or anything, but because there's always the
00:28:13
potential for those active vulnerabilities.
00:28:14
I mean, look at how many CVEs have existed for Citrix
00:28:17
throughout the years.
00:28:18
Seems like every six months we hit a new publicly facing CVE
00:28:22
that's like oh yeah, they can pivot to domain admin from the
00:28:25
cloud, they can pivot to domain admin from the admin interface.
00:28:30
As this configuration like there's risk to opening those
00:28:33
things up and over the past couple of years we've seen the
00:28:37
penalties to that.
00:28:37
Right, all of these network devices that are opened up.
00:28:40
You know, Okta, I mean the list goes on and on.
00:28:43
So if you really if security is number one and it matters for
00:28:48
the core of your business and your existence, maybe on-prem
00:28:51
those right, because there's always a possibility on shared
00:28:54
infrastructure that if someone else has the keys that your
00:28:58
proprietary information is going to go for a walk, you don't see
00:29:01
Coke storing their magic recipe in the cloud, right?
00:29:06
Speaker 1: Yeah, that would not be a good situation, that's for
00:29:11
sure.
00:29:11
You know, like I actually had someone on previously that wrote
00:29:19
a book about how oh, James Lawler, that's his name about
00:29:26
how, you know, this is a fictitious you know scenario or
00:29:31
whatever, but I always question how fictitious it actually is
00:29:35
because of his background.
00:29:36
You know he was actually a spy for the CIA, right?
00:29:40
So it's his book.
00:29:42
Speaker 2: It was a hypothetical.
00:29:43
It's a hypothetical.
00:29:45
Speaker 1: It's a hypothetical with strong quotations around it,
00:29:48
you know, because I'm literally reading his book and
00:29:51
I'm like man, this is all like, very, just so probable.
00:29:54
You know, and in one of the books, you know, the agency
00:29:59
moves into one of the big cloud providers.
00:30:02
Right, he used a different name, but it sounded like AWS in my
00:30:06
opinion, maybe because I'm an AWS guy.
00:30:08
Right, and sure enough, foreign adversaries immediately start
00:30:15
targeting the employees at this cloud provider.
00:30:18
And you know, it leads me down this thought path of you know,
00:30:24
the employees at these cloud providers.
00:30:26
They're typically pretty well paid.
00:30:28
I mean everything that I've seen.
00:30:30
They're pretty well paid.
00:30:33
And so for a foreign adversary to come into this situation and
00:30:38
offer up, you know, a check of like oh, you know, you want your
00:30:42
yearly salary and one check like well, here you go, we just
00:30:46
need this little script to run.
00:30:48
You know that's 10 lines we needed to run on your core
00:30:52
server or whatever it is.
00:30:53
You know, I feel like that's a very real possibility.
00:30:58
And even me, being a cloud guy now, you know, I only do the
00:31:03
cloud as far as I'm concerned, at my company on prem doesn't
00:31:06
exist.
00:31:06
And you know, I always have that paranoia of well, how do we
00:31:14
protect something that doesn't reside on hardware, that we do
00:31:18
not own, that we cannot go physically pull the plug on?
00:31:21
How do we ensure you know that even insider threat is, you know,
00:31:26
protected against in this scenario?
00:31:28
It's tough.
00:31:31
Speaker 2: I mean, look at Stuxnet, right.
00:31:33
So there's many information is coming out fairly recently that
00:31:36
it looks like a Dutch person was working for Stuxnet and
00:31:41
floated in a USB through the water system and then got that
00:31:44
into the software.
00:31:45
But and that's a completely air gapped, physically locked
00:31:51
environment and they still were able to get a USB stick in there
00:31:54
and plug it in and run Stuxnet.
00:31:57
So there's always going to be the risk of that physical layer
00:32:01
being traversed, even in extreme environments, which is why
00:32:05
defense in depth is so important.
00:32:07
If there'd been policy set up for that environment that didn't
00:32:11
allow USB drives to be attached, that would have never happened.
00:32:15
And that's really straightforward, simple, basic
00:32:17
policy that no one is probably worried about is because, hey,
00:32:20
we're in this high security environment, everyone gets
00:32:22
searched before they come in.
00:32:23
There's no way a USB stick can make its way in and it did.
00:32:27
So I mean, the defense in depth has a lot of, a lot of pros
00:32:31
there to help mitigate risk, but you'll never remove it
00:32:34
completely.
00:32:36
Speaker 1: Yeah, it's very true.
00:32:37
You know, when I, when I did some government work earlier on
00:32:41
in my career, I've been in some very uncomfortable situations
00:32:46
where, you know, I answered a last minute phone call on my
00:32:50
cell phone in their lobby, you know, and I mean these guys,
00:32:55
these security guards that they have, I mean they're, they're
00:32:58
larger than life, they look like they used to play, you know,
00:33:02
collegiate football.
00:33:03
Right, they look like they could separate your head from
00:33:05
your body you know in the blink of an eye right and I mean they
00:33:10
see this cell phone go off.
00:33:12
I think they they have to have some sort of monitor or
00:33:15
something, you know, like behind their desk that like goes off
00:33:19
if the cell phone is in use. Because, like I mean, I sent a
00:33:24
text, you know, and they were on top of me.
00:33:27
They were like what are you doing?
00:33:29
I'm like I'm in the lobby man, like I'm literally cleared to be
00:33:32
here.
00:33:33
You know, it took me a day to get clearance to be here.
00:33:36
You guys know who I am and they're like no, you have to go
00:33:40
out the front door, like right now.
00:33:42
If you make that mistake again, like we're going to arrest you.
00:33:45
You know, it's like geez, like where the hell am I?
00:33:50
Speaker 2: Yeah, it's interesting.
00:33:51
So we start talking about high security or gov.
00:33:54
The air gap is treated very seriously for a lot of those
00:33:58
environments.
00:33:58
I was part of a team that did a rollout, a secure Active
00:34:05
Directory forest deployment for a completely air-gapped environment
00:34:08
that had to be able to send out the data periodically and the
00:34:13
solution here was pretty, pretty interesting.
00:34:17
There was one machine that was set up with dual sets of very
00:34:22
high throughput NICs and basically because the data set
00:34:25
that needed to come out wasn't massive but it was sizable, so
00:34:30
when the data needed to come out I was moved to this temporary
00:34:32
holding pattern.
00:34:33
They called it a lock server and then the data was
00:34:36
transferred from that server to an intermediary and then the
00:34:39
connection was severed and it was connected back to the
00:34:41
internal network and then that intermediary then moved the data
00:34:45
to production, then had its network connection severed.
00:34:47
So they were air gapped, logically by network throughput,
00:34:53
right, and you needed two people to basically open the
00:34:55
network, which was pretty interesting solution for
00:34:58
something that had to stay safe.
00:35:04
Speaker 1: I wonder what that would have even been, because,
00:35:09
like you know, when you say it takes two people to do this
00:35:12
thing, you know you're not able to do it without it.
00:35:14
I mean, the very first thing that comes to my mind is well,
00:35:18
what else in the government works like that that we know of?
00:35:20
Oh, nuclear missile silos, you know, like that's the only thing
00:35:27
that I know of.
00:35:28
You know that operates like that, where it's like okay, we
00:35:31
need these two people, and if we don't have the two people, like
00:35:34
we're screwed right.
00:35:38
Speaker 2: The nukes get a lot of publicity because of all the
00:35:40
movies, right.
00:35:41
But there's use cases for this in the wild, even in public
00:35:45
companies.
00:35:45
For unlocking, basically, break-glass creds, you need more than
00:35:49
one person to turn the key.
00:35:53
Speaker 1: Okay, yeah, I've seen solutions like that, where it's
00:35:56
like a just-in-time access, you know with Azure, where you have
00:36:00
some, you know, global admin account or something like that
00:36:03
and someone else needs to approve it and you get multiple
00:36:06
approvers. Right.
00:36:06
Yeah, you get a certain amount of time to actually use the
00:36:10
account and everything is logged and watched.
00:36:14
Speaker 2: Yep Screen recording for the full session and all
00:36:16
that good stuff.
00:36:17
Speaker 1: Yeah, you know, we kind of glossed over it and
00:36:22
maybe that's it's the most interesting part for me is the
00:36:28
Stuxnet Water USB thing.
00:36:30
So what recently came out Because I've been very
00:36:36
fascinated by Stuxnet, you know the engineering, the ingenuity
00:36:40
that went into it, everything around it, you know it just
00:36:45
fascinates me right.
00:36:47
It's kind of what even pulled my interest into security.
00:36:51
That was the thing that I was like oh so I can literally spend
00:36:55
my entire life and, you know, not learn everything, right.
00:36:59
So what's this water USB
00:37:04
infiltration method?
00:37:05
Speaker 2: The original story was that it was USB-seeded in the parking
00:37:09
lot.
00:37:10
Someone picked one up and plugged it in somewhere.
00:37:12
Perfectly plausible story, and relatively recently there was
00:37:17
some information that came out I can't verify its authenticity,
00:37:20
it's just an article right that it was a Dutch contractor
00:37:23
working at the facility that was being paid for this right and
00:37:28
they received some sort of monetary reward, or maybe it was
00:37:31
a service, who knows what it was.
00:37:33
But they used a water inlet allegedly to smuggle in this USB.
00:37:38
Because they were part of the cooling area that they knew very
00:37:40
well and they were able to get something physical that floated
00:37:44
into the facility.
00:37:45
And because they're able to do that, they just were able to
00:37:49
plug it in.
00:37:49
And because of the way Stuxnet worked, it spread far and wide
00:37:53
very quickly and it's very hard to tell where it came from
00:37:56
originally.
00:37:58
Speaker 1: Wow, yeah, you know, that's the part that always kind
00:38:05
of got me hung up was actually infiltrating the USB-in right,
00:38:09
because I mean I've been to secured facilities that are not
00:38:15
at the same level as that facility would be and I was
00:38:18
patted down and I had to go through some special scanner
00:38:23
that takes an uncomfortable depth of look into me.
00:38:26
You know, like they'll know, I have cancer, for instance, like
00:38:30
before my doctor will know.
00:38:31
You know, like it's.
00:38:35
Speaker 2: Yeah, you don't want that guy to tell you to, hey, go
00:38:37
get checked out on your way out.
00:38:38
You know, go see your doctor, man.
00:38:41
Speaker 1: Yeah, yeah, I think you got a lump.
00:38:44
You're right.
00:38:45
It's like, oh you.
00:38:48
Speaker 2: Yeah, you say, see you later.
00:38:49
He says maybe that's a problem.
00:38:52
Speaker 1: Yeah, exactly, you know like, well, that's the part
00:38:57
that like I always had issue with, because I mean I couldn't
00:39:03
get anything past these guys right, and I wasn't.
00:39:06
Again, I wasn't actively trying to.
00:39:08
You know, I didn't want to end up in handcuffs.
00:39:10
I do like my freedom, but still , you know, thinking through it,
00:39:16
it's like okay, well, there has to be an insider threat
00:39:19
somewhere.
00:39:20
You know that's allowing this thing in, but bypassing it
00:39:26
through the water system.
00:39:27
I mean, that is something that's really fascinating.
00:39:33
Speaker 2: Who's going to check it right?
00:39:34
Who's going to filter the incoming water to make sure
00:39:36
there's not floating USB sticks in it?
00:39:38
Right, Real edge case stuff, man.
00:39:41
But there's almost always like a way in, and that's a pretty
00:39:45
good example of it and I'll give you another one.
00:39:48
Right?
00:39:48
So those the scanners you keep talking about.
00:39:51
So, for I did lots of consulting, so for years I would fly, fly
00:39:54
in my poor backpack, finally gave up the ghost.
00:39:57
One day the strap broke, so I grabbed my wife's and I started
00:40:00
flying it and think anything of it and I just fly into like two,
00:40:04
almost three years and the backpack went off in a scanner.
00:40:07
I was having like already a bad day and things kind of went
00:40:10
sideways with a client.
00:40:12
Like it was not a great situation.
00:40:14
So I'm already like irritated, which doesn't justify what
00:40:17
happens next, but it's just like a precursor on on, not a bad
00:40:21
person, let me.
00:40:21
Let me add some some, some story here.
00:40:24
So I go through security and through the security of this
00:40:27
backpack many, many, many times, like two or three years of
00:40:30
traveling and it flags. All right, whatever, we go through the
00:40:32
random check and it's fine.
00:40:34
And we got to send your bag back through.
00:40:35
All right, whatever they send the bag back through, they're
00:40:38
looking through it like really extensively.
00:40:39
I have the whole thing inside it out, everything out, like
00:40:41
separated individually on the table.
00:40:43
So I'm getting a little irritated.
00:40:44
I got like another like five or 10 minutes before I have to be
00:40:47
anywhere, so it's fine.
00:40:48
And they send it through again.
00:40:49
Same rigmarole.
00:40:50
And they call some new people over like hey, what's going on
00:40:53
here?
00:40:53
Guys, I've been using this bag for almost three years now.
00:40:55
Can I, can I get to my flight?
00:40:56
And everyone there was like really sympathetic with me,
00:40:59
except for this one person who's just like there's something in
00:41:02
this bag, I just know it.
00:41:03
So they send it through like two more times and eventually
00:41:07
their face just lights up and they reach into the bag and like
00:41:10
they're really in there and they pull out a box knife that I
00:41:13
had no idea was in there, because my wife used to work at
00:41:16
Target, you know, 10 years ago, and it was her bag and it'd been
00:41:20
in there for almost three years and the TSA never caught it.
00:41:23
So like even pretty good systems don't always work, yeah.
00:41:30
Speaker 1: I I hesitate to call the TSA a good system.
00:41:34
Um well, it's not like, I suppose.
00:41:39
Yes, it does beat nothing.
00:41:40
Um, the reason?
00:41:45
The reason is because, like I read some report by uh, what was
00:41:47
it?
00:41:47
It was like the, the federal air marshals or something like
00:41:50
that, where they actually test, you know if TSA is going to
00:41:52
catch something or whatnot.
00:41:56
Speaker 2: Right, I'm sure they were able to get in no issue,
00:42:00
right.
00:42:01
Speaker 1: Yeah, I mean they said that they were able to,
00:42:04
like, smuggle guns through TSA and knives, and you know they
00:42:09
said that there was basically no limit to it, like they could
00:42:12
get through anything that they wanted and TSA it was a
00:42:16
staggering amount.
00:42:17
It was something like 96, 97% of the time TSA would let it
00:42:21
through.
00:42:22
Speaker 2: Another example.
00:42:23
Yeah, I mean I don't mean to interrupt, but I uh I long story.
00:42:27
I was flying, I was in Atlanta to visit my um, my grandfather,
00:42:31
and he had this like really like old school pair of like sewing.
00:42:35
So there was like huge meaty, like giant scissors and without
00:42:39
thinking about it, I just threw them on my backpack, went to the
00:42:41
airport.
00:42:41
You know, I on the plane, going into my pouch, kind of you know
00:42:44
looking for a snack, I see these gigantic metal scissors.
00:42:47
I'm like how did TSA not find this?
00:42:50
This looks like a huge knife on the X-ray Right, like they're
00:42:54
huge.
00:42:54
There's no way to miss this Like this big.
00:42:58
Speaker 1: Yeah, it's, uh, it's crazy, but they'll find the
00:43:02
water bottle.
00:43:03
You know that you forget was full.
00:43:05
Speaker 2: They'll get.
00:43:06
They'll get that every time.
00:43:07
But they won't get the weapon Like also get your energy bars,
00:43:12
because you, if you take more than like a, like a half dozen
00:43:15
energy bars on a trip, apparently it looks like a
00:43:17
plastic explosive at the bottom of your bag.
00:43:20
Speaker 1: What.
00:43:21
Speaker 2: Yeah, I eat a lot of energy bars.
00:43:23
They're convenient food on the go.
00:43:25
I'll just throw them all in the bottom of my bag and then head
00:43:27
off and uh, I don't do this anymore Cause like I got stopped
00:43:31
and it was like the whole rigmarole, search, big delay.
00:43:34
And then they call some other people out to look through the
00:43:36
bag real carefully and it's just like those are just like Clif
00:43:39
bars, guys, come on, what's going on here?
00:43:43
Speaker 1: Wow, you know, james, we, we, we just went like 44
00:43:50
minutes right and we didn't even talk about your, your company,
00:43:54
you know.
00:43:55
So let's uh, let's talk a little bit about what you're
00:43:59
doing now.
00:44:00
You know what, what the company is and everything like that,
00:44:03
what services you provide, and we'll dive into that.
00:44:07
Speaker 2: Oh sure.
00:44:07
So, uh, I founded DSE back in
00:44:11
for the big four and I kept kind of asking myself, like, why
00:44:15
isn't there a smaller organization doing active
00:44:17
directory security like this?
00:44:19
I mean, there's there's no reason to pay all this overhead
00:44:21
for the big four, you know, financing their, their leases
00:44:25
and their 30 foot table and all the commercial real estate, when
00:44:28
we could start an org without those things and offer a better
00:44:31
price for our customers with the same quality of service.
00:44:33
So, like, let's do it.
00:44:35
So we, we, we founded it in '19 and that's kind of what I've
00:44:38
been doing ever since, transitioning from being highly
00:44:41
technical to the absolute uh, uh, battlefront that is, trying to
00:44:46
be a leader and a mentor.
00:44:48
It's a.
00:44:48
It's a much, much different job and it's been very fun and I've
00:44:50
learned just a ton over the past couple of years.
00:44:52
But we, as I alluded to, we specialize in security around
00:44:56
Active Directory.
00:44:56
We have an Active Directory security health assessment
00:44:59
program, our AD Shaw.
00:45:00
Basically, we use a lot of the tools that actors use.
00:45:03
We come in as if we were a threat actor.
00:45:05
We, we show you where the holes are, we prioritize them by
00:45:09
difficulty to resolve and criticality.
00:45:11
So you can kind of prioritize, because you're not going to be
00:45:13
able to fix everything no one is it's.
00:45:15
It's impossible to fix everything, but you got to get
00:45:18
the big stuff right, the main arteries, anything that's
00:45:21
critical you know, get those solved and that's going to
00:45:23
prevent the majority of the threat actors, and not every
00:45:26
threat actor is an APT right.
00:45:27
A lot of them are newer and amateurish at best and they're
00:45:31
just using off the shelf tools and if you can stop the majority
00:45:35
of those, it gives you a much better chance against the, the
00:45:38
APTs and the more you know financed threat actors that are
00:45:42
out there.
00:45:43
In addition to that, we do AD migrations as well, kind of an
00:45:46
emphasis on security.
00:45:47
There A lot of orgs will just dump everything from point A to
00:45:50
point B and that really is a recipe to bring some pretty bad
00:45:54
exploits into your environment.
00:45:55
If you don't know what you're, what you're doing,
00:45:58
anyone can migrate a directory environment, doing it without
00:46:01
compromising the.
00:46:02
The final destination that is.
00:46:04
That is kind of the sticky part.
00:46:06
That's who we are, that's what we do.
00:46:09
If you want to reach out, we're on dse.team and LinkedIn and
00:46:14
obviously the social gambit there.
00:46:20
Speaker 1: Yeah, absolutely.
00:46:22
I have a question around the mentality of starting a
00:46:28
consulting company.
00:46:29
I started mine in 2019 and I've been fortunate enough to have a
00:46:37
couple of customers here and there.
00:46:39
When I started it, I was like, okay, this is stupid, nothing's
00:46:47
going to come of it.
00:46:48
Who would trust me to pay me to come in and give them any sort
00:46:53
of advice?
00:46:54
They probably already have the experts internally.
00:46:56
What am I doing?
00:46:58
Speaker 2: Imposter syndrome.
00:46:59
Man, it's powerful.
00:47:01
Speaker 1: Yeah, absolutely, and I'm glad I still went forward
00:47:05
with it, I still went down that path and still did it and
00:47:08
everything else like that.
00:47:10
But how do you overcome that?
00:47:13
Because I feel like it might have been a little bit different,
00:47:17
if it existed for you at all, because you worked for Microsoft
00:47:21
and now you're starting a consulting firm that specializes
00:47:24
in AD security.
00:47:26
So I mean, at least for me, if I was going to start a
00:47:30
consulting firm in AWS and I already worked for AWS, I don't
00:47:35
know. Maybe I would feel like, okay, I got this thing, there's
00:47:40
nothing that they can ask me that I won't be able to answer.
00:47:42
But did you experience anything like that, or was it a
00:47:47
different sort of feeling for you?
00:47:49
Speaker 2: No, I think I'm pretty sure everyone gets
00:47:52
imposter syndrome.
00:47:53
It's just not everyone admits they have imposter syndrome.
00:47:56
It's scary man, it's scary.
00:47:59
But you have to kind of just take yourself and what I do.
00:48:02
This works for me and your mileage may vary.
00:48:04
I just throw myself into the fire, right?
00:48:06
Whatever the new thing is, I'm just going to put myself in a
00:48:09
situation where I have to learn it and I have to figure it out,
00:48:12
and typically I come out of that on top or I learn something,
00:48:16
and either way that's a win and a long enough time horizon.
00:48:21
But it's tough, right, it's tough to put yourself in a
00:48:23
situation where you're giving answers as an expert early in
00:48:26
your career because you may only have a couple years of
00:48:28
experience.
00:48:29
Right, you may only know what you know and that's okay.
00:48:32
Right, that's how you learn.
00:48:33
Go out there and make mistakes.
00:48:35
Take that job you don't think you're qualified for and just
00:48:38
learn the crap out of it and really better yourself in your
00:48:41
career there.
00:48:42
It's hard.
00:48:42
It can be very stressful.
00:48:44
I've certainly had plenty of stress running a business, like
00:48:49
actual physical problems from the stress, like heart issues,
00:48:52
you know, hair loss, like you stress yourself out enough and
00:48:57
your body will make you slow down.
00:48:59
You won't have a choice in it, and that's kind of how I find my
00:49:02
limits is.
00:49:03
When I run up against that wall, I'm like, okay, well, I
00:49:07
physically can't go on, I need to dial it back and get more
00:49:10
intelligent about how I'm doing this.
00:49:11
But absolutely imposter syndrome every single day of my
00:49:14
life.
00:49:14
It's always there and I'm thankful for it because I think
00:49:18
it motivates me to a certain extent to be better, because
00:49:21
there's always someone smarter, faster, better, stronger, more
00:49:24
wealthy out there and the goal is trying to catch up to them as
00:49:27
quickly as you can.
00:49:27
Speaker 1: In my opinion, yeah, it's difficult to overcome.
00:49:35
You know that, just getting into that mentality of, okay, I
00:49:40
don't know what I'm doing today, but tomorrow I'm going to know
00:49:43
more than what I do today, you know, and that's positive,
00:49:47
that's positive movement, you know, that's going in the right
00:49:50
direction it's really difficult to kind of get into that
00:49:54
mentality and just accept it and be like, okay, I'm not going to
00:49:57
know everything, but I can find out.
00:49:59
And I think that was, I think that was the biggest thing for
00:50:03
me when I got those first couple of customers.
00:50:05
You know, I was providing consulting on a solution that
00:50:08
personally I hate.
00:50:09
I absolutely hate everything about the solution.
00:50:11
I wish I didn't get the experience that I did, because
00:50:17
even to this day, you know, I get calls of people being like,
00:50:21
oh, do you want to work on this solution?
00:50:22
Just name your number and like, no, I actually have no interest
00:50:26
in doing anything with this solution.
00:50:33
And you know one, I think one of the biggest selling points was
00:50:38
hey, I know, you know all the key players at this company.
00:50:42
If I literally cannot figure it out, I'm going to go ask the
00:50:46
guy that made it, you know, and get you the answer that you need.
00:50:49
And that was something that no one else was able to offer them.
00:50:53
You know, because you have all these other bigger consulting
00:50:56
firms that are kind of more reliant on the internal talent
00:51:01
and skills and you know that internal talent and skills is
00:51:05
getting trained by the experts that built it.
00:51:07
But they still don't have that.
00:51:08
You know that connection to where they can go and ask that
00:51:12
person.
00:51:13
You know on demand, like hey, what is this thing, what is it
00:51:16
doing?
00:51:16
What's the snippet of code?
00:51:18
How do I get around it?
00:51:19
Things like that.
00:51:20
It's an interesting mentality that you have to have, I feel,
00:51:26
to feel like you're capable, you know, of providing services
00:51:31
that are worth money to some company that can, you know,
00:51:35
dissolve your company overnight.
00:51:38
Speaker 2: Yeah, yeah, I mean absolutely like working with
00:51:41
some larger organizations like Fortune 500, Fortune 100, it's
00:51:46
very scary because you and your you know entity of like 50
00:51:49
people are a rounding error to them, right?
00:51:51
If there's any sort of you know legal issue, it doesn't matter
00:51:55
if you're on the right or wrong, they're going to outspend you.
00:51:57
So all you can do is do the right thing, do as much of it as
00:52:02
you can and do as best as you can, and it's been working out
00:52:05
so far for me.
00:52:06
Growing up without a lot of extra money helped with this
00:52:09
mentality of figure it out, because you know as really young
00:52:12
it was.
00:52:13
Hey, my car's broken.
00:52:14
Well, I can't afford to have it fixed, so I better figure it
00:52:17
out.
00:52:17
Right, pick up a wrench, order some, order some parts and, okay,
00:52:21
let's figure out how this thing goes together.
00:52:23
It's just like Legos, right?
00:52:25
Speaker 1: Yeah, yeah, it's a, it's a skill set that helps you
00:52:30
in a lot of different areas.
00:52:31
At least, that's that's my opinion of it.
00:52:35
But you know, james, I always try to stay on top of my time
00:52:41
with all of my guests, you know, because I know everyone's time
00:52:43
is very valuable and whatnot.
00:52:45
But you know, I really enjoyed our conversation.
00:52:49
I feel like we could easily go another two, three hours, you
00:52:52
know, and not break a sweat, but you know, that just means that
00:52:57
I'm going to have to have you on in the future.
00:52:59
Anytime man or you know we can talk about anything.
00:53:02
We can bring you on and talk about cyber news or anything
00:53:05
like that, but you know it's a fantastic conversation.
00:53:09
I definitely really enjoyed it.
00:53:11
And before I, before I let you go, how about you tell my
00:53:14
audience?
00:53:15
You know where they can find you if they wanted to reach out
00:53:17
to you, where they can find your company.
00:53:18
You know what all that information is so that they can,
00:53:22
you know, reach out if they wanted.
00:53:25
Speaker 2: I just, you know, go out to your your favorite
00:53:27
browser and dse.team, that's Delta, Sierra, Echo, just dot team
00:53:32
and all of our contact information is out there.
00:53:34
You can get ahold of my phone, email, LinkedIn, you know,
00:53:38
Twitter, whatever your your preference of communication is,
00:53:41
and we'd be happy to talk to you and help with whatever you got
00:53:44
going on.
00:53:46
Speaker 1: Awesome.
00:53:46
Well, thanks everyone.
00:53:47
I hope you enjoyed this episode.