The Intricacies of Active Directory in the Era of Cloud Computing

1 00:00:01
Speaker 1: How's it going, james ?

00:00:01
It's great to get you on the podcast.

00:00:04
You know I'm really looking forward to our conversation

00:00:07
today.

00:00:07
I think you have some really interesting experience.

00:00:10
Speaker 2: Well, I'm happy to be here and it's fun talking after

00:00:13
directories, so you might have to get me to shut up at some

00:00:16
point.

00:00:18
Speaker 1: Yeah well, I can't go that deep on active director

00:00:21
and I guess I can, I guess I know more than the average

00:00:23
person.

00:00:24
But when we start talking about like nesting groups and stuff

00:00:28
like that, it's just it's going to start getting difficult.

00:00:33
Speaker 2: Well, there's there's plenty of complexity there and

00:00:35
one of the issues it's happening right now is a lot of people

00:00:38
that learned active directory in their 30s and 40s you know, 20,

00:00:41
25 years ago are rolling out of the workforce.

00:00:44
They're retiring, they're, you know, getting a nice home in

00:00:47
Florida or, you know, just going going back to wherever they're

00:00:51
living now and just having free time.

00:00:52
And the newest generation isn't learning active directory

00:00:56
because kind of seeing this dead technology that's not going to

00:00:59
be around in 10 or 20 years but it absolutely will be at any,

00:01:03
any large entity, because getting away from it is very,

00:01:06
very difficult.

00:01:07
Blue Lemon tried to do this relatively recently, very, very

00:01:10
aggressive planning, and they ended up having to stay

00:01:12
partially on prem and now they have all those on prem costs

00:01:16
still there, along with the migration costs.

00:01:18
So you know there's there's a toll to pay if you don't make it

00:01:21
all the way.

00:01:22
Speaker 1: Hmm, yeah, I've always felt like active

00:01:26
directory is one of those like essential technologies.

00:01:30
You know that you just you have to live with, you know it's

00:01:34
something that you know makes your business run, so to speak,

00:01:40
and if you don't, if you don't have it, it becomes a huge

00:01:44
undertaking and stress on your environment.

00:01:48
Just because you know the like, you need an entire team of

00:01:53
people to manage that custom solution or whatever it might be

00:01:57
.

00:01:59
Speaker 2: Yeah, yeah, and it's, it's.

00:02:00
It's interesting from a security standpoint too, because

00:02:03
when active directory came on, the scene is competing against

00:02:06
itself with the NT40 servers and basically Novel Network were

00:02:10
the only you know, relatively large players in the game.

00:02:14
And we had a financial institution in China relatively

00:02:17
recently that was compromised.

00:02:19
But the hackers ran somewhere.

00:02:21
Code didn't work because they weren't using active directory.

00:02:24
They're still on Novel Network, so they were able to catch the

00:02:27
intruders and remove them from the system with very limited

00:02:30
damage because they were running like 30 year old technology at

00:02:34
their bank.

00:02:35
Oh, so how will star galactic approach to security?

00:02:42
Speaker 1: That's a.

00:02:43
That's an interesting perspective or a route to take,

00:02:47
I guess, in security.

00:02:49
Speaker 2: I don't think it was intentional.

00:02:51
Speaker 1: Right, you know, jim or James, you know how.

00:02:55
How do you get?

00:02:57
How did you get this experience with AD?

00:03:00
You know, because I feel like you have unique experience that

00:03:04
not everyone is going to have.

00:03:05
Even you know nowadays, right, when we're, when we're talking

00:03:10
about AD and people you know, kind of owning it or teams

00:03:13
owning it.

00:03:14
You know it sounds like you have a pretty unique experience

00:03:17
with it.

00:03:18
Speaker 2: Well, I was doing a system administration work back

00:03:22
in like 99, 2000, effectively, you know, keeping the servers up

00:03:26
and running.

00:03:27
You know hardware software at a smaller entity in down river,

00:03:32
detroit, and so I got to touch a lot of things because there's a

00:03:35
small shop and there's only two of us.

00:03:37
So we got to do basically everything from from networking

00:03:40
literally running cables across drop tiles, to hardware rack and

00:03:45
stacking to the logical networking and logical system

00:03:49
deployments.

00:03:49
And you know, it looked a lot, a lot different back in like

00:03:52
2000, 2001.

00:03:53
It's not the, not the same shop .

00:03:56
Most, most entities didn't immediately adopt Active

00:03:58
Directory in 2000.

00:04:00
But once 2000 rolled around, everyone saw the, the advantages

00:04:04
to it, and I certainly did as well and jumped on it.

00:04:07
Because before you had kind of a, a clergy network deployment

00:04:10
or you had a bunch of NT4L servers all over the place, you

00:04:14
know, sitting underneath people's desks at branch offices

00:04:17
, and sometimes the cleaning people come in and turn them off

00:04:19
, like it was.

00:04:20
It was bad, it was real bad.

00:04:22
But with AD it was like the first really large, commercially

00:04:25
replicated database.

00:04:26
So you could, you know, hire someone in New York and if they

00:04:30
flew to Los Angeles they'd still be able to log in with their

00:04:32
computer without any administrative overhead, and

00:04:35
that was kind of like this.

00:04:36
This new concept at the time is like this wild new way to auth

00:04:40
that didn't exist and now we kind of take off for granted

00:04:43
right, you can, you can cloud off from anywhere, it's just

00:04:45
always there.

00:04:46
So it's not a big deal.

00:04:47
So yeah, I guess being being around for a long time kind of

00:04:50
helps there from the experience standpoint.

00:04:55
Speaker 1: Yeah, you know it's, it's interesting.

00:04:58
So when I was working for a credit bureau, you know, I owned

00:05:03
a Pyrla Jaxus management solution and a part of that was

00:05:08
obviously getting all of the accounts in AD into the solution

00:05:12
and eventually rotating them via the solution.

00:05:14
It sounds like a great idea, you know, from a security

00:05:18
perspective, but it adds in huge amounts of risk to the

00:05:23
environment if that PAM solution is not doing what it should be

00:05:28
or there's bugs and things like that.

00:05:30
And so you know, literally, you know, one day, you know, my

00:05:37
manager said, hey, we need to put global AD into this PAM

00:05:41
solution.

00:05:41
Never heard of global AD, I had no clue what it is right.

00:05:46
And I go talk to our AD guy and he goes, oh, that's a legacy

00:05:51
like AD architecture that we basically can never get rid of,

00:05:54
because once you started it, you know you basically can't, can't

00:05:58
migrate away from it, like it's almost impossible.

00:06:02
Speaker 2: So you're kind of trapped.

00:06:03
Trapped in it forever because all the apps you buy integrate

00:06:07
with it for its off store and you're stuck with it right, like

00:06:10
for better or for worse, like at the hip.

00:06:12
Demi, you're up there, man, sorry.

00:06:15
Speaker 1: No, no worries, and you know I'm being the security

00:06:20
person that I am.

00:06:20
I'm trying to gauge the risk to the environment, right, what's

00:06:25
the risk of adding these, you know, 12 or 15 accounts into

00:06:29
this solution?

00:06:30
And so I started to ask him.

00:06:32
I was like, well, you know what happens if, you know, all of

00:06:36
our regular AD gets locked out.

00:06:38
You know what's the process, right?

00:06:41
And he said, oh, I just go into global AD, I could reset them

00:06:44
all right from there.

00:06:45
I was like, okay, well, what happens if global AD gets locked

00:06:48
out?

00:06:48
You know, because if all of our normal AD gets locked out, more

00:06:52
than likely that issue is going to reside also with global AD,

00:06:56
and you know it'll get locked out as well.

00:06:58
And he said, oh, if that gets locked out, we're calling

00:07:00
Microsoft.

00:07:01
I was like, oh, so it's, it's pretty serious then.

00:07:05
So you know, I ended up onboarding these global AD

00:07:10
accounts.

00:07:11
There's like 12 of them, but I set them all to not rotate.

00:07:14
You know, that was the idea.

00:07:16
We're not going to rotate it right now.

00:07:18
We're going to figure it out, you know, as we go.

00:07:22
And you know, of course, this wonderful solution that I was

00:07:25
working with, that I refused to work with to this day, decided

00:07:29
to have a bug that we were not aware of it and when you, when

00:07:33
you essentially selected an individual account to rotate the

00:07:39
database on the back end did not accept that filter and it

00:07:43
applied it to every account in its database.

00:07:47
And so you know this happened one of our interns, you know,

00:07:52
just did a normal BAU task.

00:07:55
Right, this user's having an issue with their password, it's

00:07:59
out of sync, let's just reset it and call it a day.

00:08:03
So 15 second task.

00:08:05
You know, literally they do it every single day, all day long.

00:08:10
And you know, as soon as that happened, like, my account got

00:08:17
locked out.

00:08:17
Well, that's weird.

00:08:19
I mean, I did just reset my password because it was, it was

00:08:23
that time of the quarter for me, you know, it was very odd

00:08:26
coincidence.

00:08:27
I'm like okay, well, surely you know nothing's going on here.

00:08:31
And then I see, out of the corner of my eye, my coworker

00:08:35
also had the same, you know, pop up, it's time to change your

00:08:38
password, like okay.

00:08:41
And so I went, you know, back over to the console, because now

00:08:44
I can't get into my computer for some reason.

00:08:46
Once you, you know, lock it could, literally the process is

00:08:50
you lock your computer, you put in the current password and then

00:08:52
you reset it.

00:08:53
Well, my current password had changed, so I locked it and I

00:08:57
couldn't get back in.

00:08:58
And I went over to my co-worker that was still in the console

00:09:04
and we looked at the last rotation period for all these

00:09:07
accounts and it was just, I mean , it was just fire, and through

00:09:10
them there's 45 accounts on this solution and it's, I mean

00:09:14
it is chugging along.

00:09:16
And I was like, oh no, I have to go to the 12 global AD people

00:09:21
and tell them to not log out of their computer.

00:09:24
I mean it's 4pm on a Wednesday, you know, like everyone is yeah

00:09:30
, everyone is like running out the door, you know, and I have

00:09:34
to run into this room and say like, okay, no one here is

00:09:37
allowed to lock their computer.

00:09:39
You cannot log out If you do nothing else.

00:09:42
You have to keep your computer awake, you know, and like it was

00:09:46
, it was the worst fire drill you can imagine because now we

00:09:50
have to like pull these passwords and set them back to

00:09:54
their old value, somehow, you know, and because you can't have

00:09:58
all of your users, all you know , 10 of your users, whatever

00:10:02
it might be, you know, first thing in the morning.

00:10:04
Oh, you have to reset your, your AD account password and you

00:10:09
have to reset every service account password that you own

00:10:12
and you know it's such a mess.

00:10:14
Speaker 2: That's what's really going to kill you, because

00:10:16
they're almost never well documented.

00:10:18
So like it gets reset, it's like all right, where all is it

00:10:21
trying to log in from?

00:10:22
Because it keeps locking out even after we reset it on the

00:10:24
boxes we knew about and then it's like a hunt, so very

00:10:28
catastrophic to production for sure.

00:10:30
Speaker 1: Yeah, I guess you know it's, it's looking back on

00:10:34
it.

00:10:34
It's funny because when that happened you know literally all

00:10:38
of the service accounts you know 12 of them, or something

00:10:41
like that got reset almost instantly.

00:10:43
There was no way to stop it.

00:10:44
And one of one of one of the managers that I'm still friends

00:10:51
with to sit to today, he said oh , on Monday I got this project

00:10:55
handed down from the CISO that we have to go, you know, team by

00:10:58
team, and reset all the service accounts.

00:11:00
So I guess my project just got done, you know, in 10 seconds.

00:11:05
He's like I guess I could close that out.

00:11:08
This may have had to take me two years.

00:11:10
Oh man, you're welcome.

00:11:16
Speaker 2: No, it's funny because like this is a problem.

00:11:18
Like a lot of companies have their service accounts and

00:11:21
they're, they're, they're using creds that are 10, 15,.

00:11:23
I've seen 20 year old credentials that are out there,

00:11:26
right, you know they're, they're , they're not even using curb

00:11:29
for off.

00:11:29
Like it's, it's a hot mess, but no one wants to touch them.

00:11:32
Because the last time those accounts got touched, you know,

00:11:35
joe got fired because we didn't realize what it was doing to

00:11:38
production.

00:11:38
And now no one wants to go near it because they realize it

00:11:41
could bore production.

00:11:42
So it's like this this hot potato keeps getting tossed

00:11:45
around.

00:11:46
Project wise Security doesn't want it because they don't want

00:11:48
to mess up production.

00:11:49
So they go to ops and ops doesn't want it because what is

00:11:51
this a security thing, resetting passwords?

00:11:53
So it just bounces around between different orgs until,

00:11:56
you know, the new guy gets stuck with it, and that's not what

00:11:59
anyone should want.

00:12:01
Speaker 1: Yeah, even just trying to figure out what those

00:12:03
service accounts manage and what they do is most of the time

00:12:08
it's an impossible task because the people that created it like

00:12:12
literally that whole team can be retired, like not just like

00:12:16
change jobs retired.

00:12:18
You know, like that was the case for a lot of these accounts

00:12:22
where you know people were like oh yeah, we're just told not to

00:12:25
touch that thing because it it does something with this

00:12:29
database over here and you know, whatever it might be like that,

00:12:33
that's literally the description that we're getting

00:12:36
when we're going to these teams saying what does this do?

00:12:39
Speaker 2: No one knows.

00:12:40
No one knows.

00:12:41
There's some data from interviewing, but you're not

00:12:43
going to be able to get everything.

00:12:45
So I was.

00:12:46
I was at Microsoft and we got rid of wins, right.

00:12:49
So this is kind of a similar issue, right?

00:12:51
This legacy technology has odd dependencies and they literally

00:12:55
hunted down at the network stack .

00:12:58
Who always using wins period going to those machines and like

00:13:02
being like who owns this?

00:13:04
We need to talk to them.

00:13:05
They hunted all of them down so there wouldn't be any impact.

00:13:09
It was a huge project and I've been on like projects where the

00:13:14
service count rotation comes up because it's always a finding

00:13:17
during security discoveries.

00:13:19
It's like you have a cred that's been out here for 20

00:13:21
years.

00:13:21
It's eight characters.

00:13:23
There's there's a problem.

00:13:25
It's well known credentials.

00:13:26
It's sitting in RockU, like this.

00:13:28
This is extremely vulnerable to password spray and it has

00:13:31
either domain admin or server admin, kind of across North

00:13:34
America, kind of a problem.

00:13:38
Speaker 1: Yeah, and you know, back back when those accounts

00:13:43
were being created, the easiest thing to do was to actually just

00:13:47
give it, you know, global admin , right Service admin, whatever

00:13:51
it might be, just to make sure that it works.

00:13:54
And a lot of the times the thought was, oh, we'll dial it

00:13:57
in later, you know, and and now we're learning 30 years later

00:14:02
like, oh, that's a bad idea, we probably shouldn't do that

00:14:05
because we never go back to it.

00:14:08
Speaker 2: Yeah, it's tough, and it's really tough in like

00:14:10
startups that grew exponentially from the I guess we're calling

00:14:14
them the odds right Now.

00:14:15
You start small, you're going fast, you're just doing whatever

00:14:18
you have to do to be operational and then next thing,

00:14:21
you know you're a you know, multi-billion dollar company

00:14:24
with an identity system that is almost completely unusable and

00:14:28
so porous from a security standpoint that it puts you at a

00:14:30
significant financial risk, especially for these publicly

00:14:33
traded companies.

00:14:34
Now, with the SolarWinds CISO being, you know, taken the core

00:14:38
by the SEC, like there's, there's skin in the game

00:14:41
potentially now for these CISOs, like personal liability, not

00:14:44
just job stuff.

00:14:45
So it's it's going to be really interesting to see how that

00:14:48
case turns out.

00:14:48
It's going to affect the industry, I believe.

00:14:52
Speaker 1: Yeah, absolutely.

00:14:52
You know, I actually have a friend that's at a company that

00:14:57
is still, you know, it still feels like they're in their

00:15:00
startup phase.

00:15:01
They've been around for maybe, you know, 10, wouldn't be any

00:15:06
more than 15 years, and he said that when he took over as the

00:15:13
IAM director right, he was just trying to get a lay for the land

00:15:17
and see what they had.

00:15:18
You know, they were predominantly in Azure, right,

00:15:23
so it shouldn't be that terrible .

00:15:25
And he discovered that they had like over 400 accounts, you

00:15:30
know, and they had accounts just sitting there, you know,

00:15:35
not doing anything at all, and his first task was to, you know,

00:15:40
obviously limit the attack surface across these accounts.

00:15:44
Well, how do you, how do you do that?

00:15:46
How do you even get started, you know, and I actually spent

00:15:49
probably a week or two.

00:15:51
I should have charged them some consulting fee, because I spent

00:15:54
like a week or two with them, you know, kind of devising this

00:15:57
plan of how he can go about it without causing any outages.

00:16:02
Speaker 2: Yeah, that's the big one not causing any outages.

00:16:04
It's really easy to fix all the accounts.

00:16:06
It's very difficult to fix them without causing any impact.

00:16:10
Speaker 1: Yeah, yeah, it's challenging and the Cloud

00:16:14
doesn't really make it any easier, you know, because it

00:16:19
probably I mean it makes it more difficult because you're so

00:16:23
easily able to attach these accounts to whatever you want in

00:16:28
Azure, in AWS, you know, and it's just, it's too easy for

00:16:35
developers to do that.

00:16:39
Speaker 2: Yeah, it's double-edged sword, right, so

00:16:41
you can dev fast, you can move quick.

00:16:43
But suddenly your test environment is now labeled

00:16:46
production and you only had security controls in there for

00:16:49
test environment and now it's being pushed to prod, along with

00:16:52
all of these vulnerabilities.

00:16:53
The biggest thing for on-prem AD for the longest time and

00:16:57
still today, is developers choosing to use NTLM auth

00:17:00
instead of Curve right, ntlm has been broken for a very, very,

00:17:05
very long time now over 15 years .

00:17:09
V2 is pretty good, but almost everyone has V1 backwards

00:17:14
compatibility turned on, so their legacy apps continue to

00:17:17
work.

00:17:17
So devs just hey, let's do NTLM .

00:17:19
It's fast, it's quick, it's easy, there's templates for it

00:17:22
and we can get rolling.

00:17:23
And they sell the app and the company buys the app and they're

00:17:26
like all right, security team implement this.

00:17:27
And they're like wait, this uses NTLM.

00:17:29
Why did we buy this?

00:17:31
Wait, this is gonna be a huge problem and orgs, especially

00:17:36
larger orgs, will often buy applications without security

00:17:39
review.

00:17:39
They won't look at their dependencies, they won't look at

00:17:42
how they're built from a security standpoint.

00:17:44
They only look at, hey, this fixes this big problem and it's

00:17:47
gonna make us X amount of money, or if it's gonna save us Y

00:17:50
amount of money Security is very rarely a part of that

00:17:52
conversation, and that's detrimental to all of these

00:17:56
organizations.

00:17:59
Speaker 1: Yeah, that's a really good point.

00:18:00
So you mentioned earlier that you worked for Microsoft, right,

00:18:05
so can you talk to me a little bit about that experience?

00:18:10
Oh sure, I was working to work for Microsoft, at least on one

00:18:16
of their core products.

00:18:18
I mean, I don't know if you were on the product team or if

00:18:20
you were on another team that specializes in AD, right, but

00:18:24
what is that like?

00:18:25
Because that's a core technology that 95, 98% of every

00:18:31
company out there uses as their directory service.

00:18:35
Speaker 2: I was at a weird point in time for Microsoft they

00:18:39
had just figured out that, hey, as Android things getting

00:18:41
really big, we need a Windows phone.

00:18:43
So I was on the WinPhone project.

00:18:45
One of the issues they were having there is at the time

00:18:48
Microsoft was very, very siloed, like Office was a completely

00:18:53
different team from OS was a completely different team from

00:18:57
server, and these orgs didn't really communicate with each

00:19:01
other.

00:19:01
Each one kind of functioned like a fast moving startup and

00:19:04
they all rolled their code up into a central repository, and

00:19:07
this was especially true for WinPhone.

00:19:09
I was supposed to be using the same code as Windows 8, right,

00:19:13
so you have a unified desktop phone experience.

00:19:15
It's actually good, but couldn't get anyone to dub for

00:19:17
it, and we all know how the WinPhone ended up turning out.

00:19:21
It was a great phone, but no real adoption.

00:19:23
So, anyways, it was a really interesting environment because

00:19:27
from a technical standpoint you couldn't do a lot of what you

00:19:30
needed to without blessing from MSIT, kind of the key holders

00:19:34
for all the different teams.

00:19:36
All the different teams have their own admins and architects,

00:19:38
but at the end all of the access is controlled by MSIT.

00:19:43
So it's really interesting.

00:19:45
Kind of look at it as a company that buys other companies and

00:19:49
adjust them and continues to let them do their own thing, but

00:19:52
occasionally sticks their finger in the pie.

00:19:54
It's a very, at the time, combative environment, but the

00:19:58
people were really great.

00:19:59
It was fun.

00:20:00
It was a fun job.

00:20:03
Speaker 1: That's really interesting.

00:20:05
I wonder how that has played out with Azure.

00:20:08
Now, just the nature of the cloud right, you have this giant

00:20:13
hypervisor that probably a handful of people actually have

00:20:20
access to, and how is that kind of administered and managed and

00:20:27
whatnot, right?

00:20:27
Like, I always think about it as like the worst kind of attack

00:20:34
for any cloud would be to get access to that hypervisor.

00:20:37
And, yeah, there's environment escape, exploits and things like

00:20:42
that, right, but no one is actually logging directly into

00:20:46
that hypervisor.

00:20:47
From an attacker perspective, no one's actually logging into

00:20:50
that thing.

00:20:51
And then, seeing the tens of thousands of accounts that this

00:20:55
cloud provider may have, I'm always interested to see how

00:21:00
they protect it, and I've done a little bit of research into

00:21:02
Google and how they protect theirs, and I mean, from how

00:21:06
they make it sound, there's like 12 people at Google that have

00:21:09
access to a server and a data center that is like highly

00:21:13
replicated across the globe that gives this access, and they

00:21:18
invoke some sort of just in time access for admins that need to

00:21:23
access maybe a customer specific hypervisor.

00:21:28
Speaker 2: Yeah, it's interesting because with all

00:21:31
cloud providers you don't really have physical separation.

00:21:34
You have logical separation but it's not physical.

00:21:36
I mean your virtual machine for your active directory DC

00:21:40
sitting out in the cloud could be on the same physical

00:21:43
hypervisor as a VM owned by the CCP or one of these ransomware,

00:21:50
because it's pretty easy to buy a hypervisor.

00:21:52
So for physical escapes there's still very, very edge case kind

00:21:56
of stuff like Rohammer's been out for a while and there's all

00:21:59
these CPU vulnerabilities that are flying around.

00:22:01
But without physical isolation you don't really have true

00:22:05
security and it's easy to go for the hypervisor out because hey,

00:22:09
look, I'm up to money, we're saving, we don't have to rack

00:22:11
and stack something and it's great from a cost standpoint.

00:22:14
And that's been true for a long time.

00:22:16
So the past couple of years when the large cloud providers

00:22:19
realized, hey, we got these people like cook line and sink

00:22:22
or they can't just leave us without a huge project so we can

00:22:25
raise our rates, right, this is the same thing kind of happened

00:22:27
with Uber and Lyft.

00:22:28
Like it was really cheap when you first started using Uber,

00:22:31
like a nice town car picked you up for like $5, took you

00:22:34
anywhere you want, and now you're in the back of like a

00:22:37
beat up Prius that smells absolutely awful and it's like

00:22:41
third round of seat covers and that's the prices going up in

00:22:46
the cloud environment.

00:22:47
And it's tough for a lot of our larger customers because they

00:22:50
feel stuck and they feel manipulated and they feel

00:22:53
controlled and they don't like that.

00:22:55
And large companies can make a switch very quickly if the wrong

00:22:59
person gets pissed off the one Fortune 100 I'm thinking of in

00:23:04
particular.

00:23:04
There's a rumor of a backyard barbecue in Redmond and they

00:23:10
were talking with some Microsoft reps there and there may have

00:23:13
been a few drinks that have happened at this barbecue.

00:23:15
This is all a legend, second information, so I can't validate

00:23:20
its authenticity, but apparently the Microsoft reps

00:23:22
said well, you don't have any other option, we're the only

00:23:24
game in town.

00:23:25
And it pissed the other guy off and six months later they were

00:23:29
on GCP.

00:23:35
Speaker 1: Wow, that is substantial.

00:23:36
You have to.

00:23:39
I feel like when you're in that sort of situation, you have to

00:23:42
gauge what kind of personality not just that you're dealing

00:23:48
with in that individual.

00:23:49
You got to think about the personality of the person in

00:23:52
that role, what it takes to actually get into that role.

00:23:57
Let's just assume, right to CIO , cto, something like that,

00:24:02
right, what's the kind of personality of a person that is

00:24:07
typically in that role?

00:24:08
Someone that doesn't like to be told no, Someone that probably

00:24:14
takes that sort of wording as a challenge.

00:24:17
You know, and now you're in this situation of you're losing

00:24:22
probably one of your biggest customers because of a sales rep

00:24:26
.

00:24:27
Speaker 2: Yeah, that had maybe one too many drinks at a

00:24:29
barbecue.

00:24:29
It's a very silly way to lose a very big contract.

00:24:34
Speaker 1: Yeah, I mean that's a really stupid way to get fired.

00:24:39
Speaker 2: Yeah, I don't know what happened to the guy that

00:24:42
caused the whole thing, but I have to imagine he's not working

00:24:45
there anymore.

00:24:47
Speaker 1: Yeah, probably not.

00:24:48
I mean, what other solution are they left with at that point?

00:24:54
Speaker 2: Like man, yeah, yeah, and I'm seeing other clients do

00:24:58
similar things.

00:24:59
Right, they're not going all in on one provider, they're kind

00:25:02
of dipping a foot in provider A, dipping a foot in provider B

00:25:07
and even setting up pretty interesting failover.

00:25:09
So if provider A goes down for whatever reason, they can hot

00:25:12
swap back over to B for some redundancy.

00:25:14
But it also gives them cost negotiation, right, because now

00:25:18
they can suddenly go oh hey, provider A, well, provider B is

00:25:21
charging us 40% less for this.

00:25:23
I think we're just going to move our stuff over there, and

00:25:26
then suddenly there's room for negotiation and price of

00:25:28
services.

00:25:30
Speaker 1: Hmm, yeah, you know it's a.

00:25:33
It's interesting.

00:25:37
I've seen it from multiple angles.

00:25:40
I feel and I was at a company that they were a Microsoft shop

00:25:48
from the beginning and they bought pretty much everything

00:25:52
that Microsoft sold.

00:25:53
If Microsoft sold it, they bought it.

00:25:56
It wasn't even a question.

00:25:58
It always seemed like we had an unlimited budget when it came

00:26:02
to Microsoft.

00:26:02
But when we were talking about like Symantec, right, symantec,

00:26:06
like EDR, which isn't even an EDR, which is terrible, you know

00:26:10
, it's so low on the magic quadrant at that time you know I

00:26:13
don't know about the product now, but at that time it wasn't

00:26:16
even considered a top tier EDR.

00:26:17
And we're penny pinching.

00:26:19
You know, this solution that we desperately need, that isn't

00:26:25
even supposed to be that great right.

00:26:26
And their whole, their whole Azure.

00:26:30
You know, methodology was if we only want network closets

00:26:35
on-prem, the rest of it will live in Azure forever and we're

00:26:40
not going to migrate away from it.

00:26:42
And I, you know I just asked them I was like, well, what if

00:26:45
there's something that, like Microsoft does that we can't

00:26:47
live with?

00:26:47
You know, like what if some insider threat happens at

00:26:51
Microsoft?

00:26:52
And you know we have a lot of proprietary information that

00:26:56
makes a lot of really wealthy people, even more wealthy

00:27:00
because it's a financial firm, it's an investment firm, right?

00:27:03
So, like we have a lot of proprietary stuff, and what if

00:27:08
you know all of our eggs in one basket and someone breaches it

00:27:13
right and takes that information without us knowing and they're

00:27:16
like, oh well, that will never happen.

00:27:17
Like well, what if it does?

00:27:20
Because you know there's one account for each of the big

00:27:26
three cloud providers where something very suspicious

00:27:30
happened.

00:27:30
You know where a new startup is creating some new product on

00:27:35
you know X cloud right, and then magically, right out of the

00:27:40
blue, just before you're about to launch, that cloud provider

00:27:44
launches this exact same solution, exact same interface,

00:27:47
with a different logo, and now you're out of business before

00:27:51
you even hit the street.

00:27:53
You know.

00:27:54
Speaker 2: If you want true security it has to be physical.

00:27:56
You can't have shared infrastructure and security

00:27:59
coexist.

00:28:00
It's just not the same.

00:28:01
Physical boxes will always be more secure than any sort of

00:28:05
hypervisor, not because there's active vulnerabilities for

00:28:09
VMware, hyper-v or anything, but because there's always the

00:28:13
potential for those active vulnerabilities.

00:28:14
I mean, look at how many CVEs have existed for Citrix

00:28:17
throughout the years.

00:28:18
Seems like every six months we hit a new publicly facing CVE

00:28:22
that's like oh yeah, they can pivot to domain admin from the

00:28:25
cloud, they can pivot to domain admin from the admin interface.

00:28:30
As this configuration like there's risk to opening those

00:28:33
things up and over the past couple of years we've seen the

00:28:37
penalties to that.

00:28:37
Right, all of these network devices that are opened up.

00:28:40
You know octa, I mean the list goes on and on.

00:28:43
So if you really if security is number one and it matters for

00:28:48
the core of your business and your existence, maybe on-prem

00:28:51
those right, because there's always a possibility on shared

00:28:54
infrastructure that if someone else has the keys that your

00:28:58
proprietary information is going to go for a walk, you don't see

00:29:01
Coke storing their magic recipe in the cloud, right?

00:29:06
Speaker 1: Yeah, that would not be a good situation, that's for

00:29:11
sure.

00:29:11
You know, like I actually had someone on previously that wrote

00:29:19
a book about how oh, james Lawler, that's his name about

00:29:26
how, you know, this is a fictitious you know scenario or

00:29:31
whatever, but I always question how fictitious it actually is

00:29:35
because of his background.

00:29:36
You know he was actually a spy for the CIA, right?

00:29:40
So it's his book.

00:29:42
Speaker 2: It was a hypothetical .

00:29:43
It's a hypothetical.

00:29:45
Speaker 1: It's a hypothetical with strong quotations around it

00:29:48
, you know, because I'm literally reading his book and

00:29:51
I'm like man, this is all like, very, just so probable.

00:29:54
You know, and in one of the books, you know, the agency

00:29:59
moves into one of the big cloud providers.

00:30:02
Right, he used a different name , but it sounded like AWS in my

00:30:06
opinion, maybe because I'm a AWS guy.

00:30:08
Right, and sure enough, foreign adversaries immediately start

00:30:15
targeting the employees at this cloud provider.

00:30:18
And you know, it leads me down this thought path of you know,

00:30:24
the employees at these cloud providers.

00:30:26
They're typically pretty well paid.

00:30:28
I mean everything that I've seen.

00:30:30
They're pretty well paid.

00:30:33
And so for a foreign adversary to come into this situation and

00:30:38
offer up, you know, a check of like oh, you know, you want your

00:30:42
yearly salary and one check like well, here you go, we just

00:30:46
need this little script to run.

00:30:48
You know that's 10 lines we needed to run on your core

00:30:52
server or whatever it is.

00:30:53
You know, I feel like that's a very real possibility.

00:30:58
And even me, being a cloud guy now, you know, I only do the

00:31:03
cloud as far as I'm concerned, at my company on prem doesn't

00:31:06
exist.

00:31:06
And you know, I always have that paranoia of well, how do we

00:31:14
protect something that doesn't reside on hardware, that we do

00:31:18
not own, that we cannot go physically pull the plug on?

00:31:21
How do we ensure you know that even insider threat is, you know

00:31:26
, protected against in this scenario?

00:31:28
It's tough.

00:31:31
Speaker 2: I mean, look at stuck snap right.

00:31:33
So there's many information is coming out fairly recently that

00:31:36
it looks like a Dutch person was working for stuck snap and

00:31:41
floated in a USB through the water system and then got that

00:31:44
into the software.

00:31:45
But and that's a completely air gapped, physically locked

00:31:51
environment and they still were able to get a USB stick in there

00:31:54
and plug it in and run stuck snap.

00:31:57
So there's always going to be the risk of that physical layer

00:32:01
being traversed, even in extreme environments, which is why

00:32:05
defense in depth is so important .

00:32:07
If there'd been policy set up for that environment that didn't

00:32:11
allow USB drives to be attached , that would have never happened

00:32:15
.

00:32:15
And that's really straightforward, simple, basic

00:32:17
policy that no one is probably worried about is because, hey,

00:32:20
we're in this high security environment, everyone gets

00:32:22
searched before they come in.

00:32:23
There's no way a USB stick can make its way in and it did.

00:32:27
So I mean, the defense in depth has a lot of, a lot of pros

00:32:31
there to help mitigate risk, but you'll never remove it

00:32:34
completely.

00:32:36
Speaker 1: Yeah, it's very true.

00:32:37
You know, when I, when I did some government work earlier on

00:32:41
in my career, I've been in some very uncomfortable situations

00:32:46
where, you know, I answered a last minute phone call on my

00:32:50
cell phone in their lobby, you know, and I mean these guys,

00:32:55
these security guards that they have, I mean they're, they're

00:32:58
larger than life, they look like they used to play, you know,

00:33:02
collegiate football.

00:33:03
Right, they look like they could separate your head from

00:33:05
your body you know in the blink of an eye right and I mean they

00:33:10
see this cell phone go off.

00:33:12
I think they they have to have some sort of monitor or

00:33:15
something, you know, like behind their desk that like goes off

00:33:19
if the cell phone is in use Because, like I mean, I sent a

00:33:24
text, you know, and they were on top of me.

00:33:27
They were like what are you doing?

00:33:29
I'm like I'm in the lobby man, like I'm literally cleared to be

00:33:32
here.

00:33:33
You know, it took me a day to get clearance to be here.

00:33:36
You guys know who I am and they're like no, you have to go

00:33:40
out the front door, like right now.

00:33:42
If you make that mistake again, like we're going to arrest you.

00:33:45
You know, it's like geez, like where the hell am I?

00:33:50
Speaker 2: Yeah, it's interesting.

00:33:51
So we start talking about high security or gov.

00:33:54
The air gap is treated very seriously for a lot of those

00:33:58
environments.

00:33:58
I was part of a team that did a roll out a secure actually

00:34:05
directory forest deployment for a completely air gap environment

00:34:08
that had to be able to send out the data periodically and the

00:34:13
solution here was pretty, pretty interesting.

00:34:17
There was one machine that was set up with dual sets of very

00:34:22
high throughput NICs and basically because the data set

00:34:25
that needed to come out wasn't massive but it was sizable, so

00:34:30
when the data needed to come out I was moved to this temporary

00:34:32
holding pattern.

00:34:33
They called it a lock server and then the data was

00:34:36
transferred from that server to an intermediary and then the

00:34:39
connection was severed and it was connected back to the

00:34:41
internal network and then that intermediary then moved the data

00:34:45
to production, then had its network connection severed.

00:34:47
So they were air gapped, logically by network throughput,

00:34:53
right, and you needed two people to basically open the

00:34:55
network, which was pretty interesting solution for

00:34:58
something that had to stay safe.

00:35:04
Speaker 1: I wonder what that would have even been, because,

00:35:09
like you know, when you say it takes two people to do this

00:35:12
thing, you know you're not able to do it without it.

00:35:14
I mean, the very first thing that comes to my mind is well,

00:35:18
what else in the government works like that that we know of?

00:35:20
Oh, nuclear missile silos, you know, like that's the only thing

00:35:27
that I know of.

00:35:28
You know that operates like that, where it's like okay, we

00:35:31
need these two people, and if we don't have the two people, like

00:35:34
we're screwed right.

00:35:38
Speaker 2: The nukes get a lot of publicity because of all the

00:35:40
movies, right.

00:35:41
But there's use cases for this in the wild, even in public

00:35:45
companies.

00:35:45
For unlocking, basically, great glass creds, you need more than

00:35:49
one person to turn the key.

00:35:53
Speaker 1: Okay, yeah, I've seen solutions like that, where it's

00:35:56
like a just-in-time access, you know with Azure, where you have

00:36:00
some, you know, global admin account or something like that

00:36:03
and someone else needs to approve it and you get multiple

00:36:06
approvers Right.

00:36:06
Yeah, you get a certain amount of time to actually use the

00:36:10
account and everything is logged and watched.

00:36:14
Speaker 2: Yep Screen recording for the full session and all

00:36:16
that good stuff.

00:36:17
Speaker 1: Yeah, you know, we kind of glossed over it and

00:36:22
maybe that's it's the most interesting part for me is the

00:36:28
Stuxnet Water USB thing.

00:36:30
So what recently came out Because I've been very

00:36:36
fascinated by Stuxnet, you know the engineering, the ingenuity

00:36:40
that went into it, everything around it, you know it just

00:36:45
fascinates me right.

00:36:47
It's kind of what even pulled my interest into security.

00:36:51
That was the thing that I was like oh so I can literally spend

00:36:55
my entire life and, you know, not learn everything, right.

00:36:59
So what's this water USB?

00:37:04
Speaker 2: infiltration method.

00:37:05
The original story was that it was USB-seeded in the parking

00:37:09
lot.

00:37:10
Someone picked one up and plugged it in somewhere.

00:37:12
Perfectly plausible story, and relatively recently there was

00:37:17
some information that came out I can't verify its authenticity,

00:37:20
it's just an article right that it was a Dutch contractor

00:37:23
working at the facility that was being paid for this right and

00:37:28
they received some sort of monetary reward, or maybe it was

00:37:31
a service, who knows what it was.

00:37:33
But they used a water inlet allegedly to smuggle in this USB

00:37:38
.

00:37:38
Because they were part of the cooling area that they knew very

00:37:40
well and they were able to get something physical that floated

00:37:44
into the facility.

00:37:45
And because they're able to do that, they just were able to

00:37:49
plug it in.

00:37:49
And because of the way Stuxnet worked, it spread far and wide

00:37:53
very quickly and it's very hard to tell where it came from

00:37:56
originally.

00:37:58
Speaker 1: Wow, yeah, you know, that's the part that always kind

00:38:05
of got me hung up was actually infiltrating the USB-in right,

00:38:09
because I mean I've been to secured facilities that are not

00:38:15
at the same level as that facility would be and I was

00:38:18
padded down and I had to go through some special scanner

00:38:23
that takes an uncomfortable depth of look into me.

00:38:26
You know, like they'll know, I have cancer, for instance, like

00:38:30
before my doctor will know.

00:38:31
You know, like it's.

00:38:35
Speaker 2: Yeah, you don't want that guy to tell you to, hey, go

00:38:37
get checked out on your way out .

00:38:38
You know, go see your doctor, man.

00:38:41
Speaker 1: Yeah, yeah, I think you got a lump.

00:38:44
You're right.

00:38:45
It's like, oh you.

00:38:48
Speaker 2: Yeah, you say, see you later.

00:38:49
He says maybe that's a problem.

00:38:52
Speaker 1: Yeah, exactly, you know like, well, that's the part

00:38:57
that like I always had issue with, because I mean I couldn't

00:39:03
get anything past these guys right, and I wasn't.

00:39:06
Again, I wasn't actively trying to.

00:39:08
You know, I didn't want to end up in handcuffs.

00:39:10
I do like my freedom, but still , you know, thinking through it,

00:39:16
it's like okay, well, there has to be an insider threat

00:39:19
somewhere.

00:39:20
You know that's allowing this thing in, but bypassing it

00:39:26
through the water system.

00:39:27
I mean, that is something that's really fascinating.

00:39:33
Speaker 2: Who's going to check it right?

00:39:34
Who's going to filter the incoming water to make sure

00:39:36
there's not floating USB sticks in it?

00:39:38
Right, Real edge case stuff, man.

00:39:41
But there's almost always like a way in, and that's a pretty

00:39:45
good example of it and I'll give you another one.

00:39:48
Right?

00:39:48
So those the scanners you keep talking about.

00:39:51
So, for I did lots of consulting , so for years I would fly, fly

00:39:54
in my poor backpack, finally gave up the ghost.

00:39:57
One day the strap broke, so I grabbed my wife's and I started

00:40:00
flying it and think anything of it and I just fly into like two,

00:40:04
almost three years and the backpack went off in a scanner.

00:40:07
I was having like already a bad day and things kind of went

00:40:10
sideways with a client.

00:40:12
Like it was not a great situation.

00:40:14
So I'm already like irritated, which doesn't justify what

00:40:17
happens next, but it's just like a precursor on on, not a bad

00:40:21
person, let me.

00:40:21
Let me add some some, some story here.

00:40:24
So I go through security and through the security of this

00:40:27
backpack many, many, many times, like two or three years of

00:40:30
traveling and it flags All right , whatever we go through the

00:40:32
random check and it's fine.

00:40:34
And we got to send your bag back through.

00:40:35
All right, whatever they send the bag back through, they're

00:40:38
looking through it like really extensively.

00:40:39
I have the whole thing inside it out, everything out, like

00:40:41
separated individually on the table.

00:40:43
So I'm getting a little irritated.

00:40:44
I got like another like five or 10 minutes for have to be

00:40:47
anywhere, so it's fine.

00:40:48
And they send it through again.

00:40:49
Same rigor, merold.

00:40:50
And they call some new people over like hey, what's going on

00:40:53
here?

00:40:53
Guys, I've been using this bag for almost three years now.

00:40:55
Can I, can I get to my flight?

00:40:56
And everyone there was like really sympathetic with me,

00:40:59
except for this one person who's just like there's something in

00:41:02
this bag, I just know it.

00:41:03
So they send it through like two more times and eventually

00:41:07
their face just lights up and they reach into the bag and like

00:41:10
they're really in there and they pull out a box knife that I

00:41:13
had no idea was in there, because my wife used to work at

00:41:16
Target, you know, 10 years ago, and it was her bag and it'd been

00:41:20
in there for almost three years and the TSA never caught it.

00:41:23
So like even pretty good systems don't always work, yeah.

00:41:30
Speaker 1: I I hesitate to call the TSA a good system.

00:41:34
Um well, it's not like, I suppose.

00:41:39
Yes, it does beat nothing.

00:41:40
Um, the reason?

00:41:45
The reason is because, like I read some report by uh, what was

00:41:47
it?

00:41:47
It was like the, the federal air marshals or something like

00:41:50
that, where they actually test, you know if TSA is going to

00:41:52
catch something or whatnot.

00:41:56
Speaker 2: Right, I'm sure they were able to get in no issue,

00:42:00
right.

00:42:01
Speaker 1: Yeah, I mean they said that they were able to,

00:42:04
like, smuggle guns through TSA and knives, and you know they

00:42:09
said that there was basically no limit to it, like they could

00:42:12
get through anything that they wanted and TSA it was a

00:42:16
staggering amount.

00:42:17
It was something like 96, 97% of the time TSA would let it

00:42:21
through.

00:42:22
Speaker 2: Another example.

00:42:23
Yeah, I mean I don't mean interrupt, but I uh I long story

00:42:27
.

00:42:27
I was flying, I was in Atlanta to visit my um, my grandfather,

00:42:31
and he had this like really like old school pair of like sewing.

00:42:35
So there was like huge meaty, like giant scissors and without

00:42:39
thinking about it, I just threw them on my backpack, went to the

00:42:41
airport.

00:42:41
You know, I on the plane, going into my pouch, kind of you know

00:42:44
looking for a snack, I see these gigantic metal scissors.

00:42:47
I'm like how did TSA not find this?

00:42:50
This looks like a huge knife on the X-ray Right, like they're

00:42:54
huge.

00:42:54
There's no way to miss this Like this big.

00:42:58
Speaker 1: Yeah, it's, uh, it's crazy, but they'll find the

00:43:02
water bottle.

00:43:03
You know that you forget was full.

00:43:05
Speaker 2: They'll get.

00:43:06
They'll get bad every time.

00:43:07
But they won't get the weapon Like also get your energy bars,

00:43:12
because you, if you take more than like a, like a half dozen

00:43:15
energy bars on a trip, apparently it looks like a

00:43:17
plastic explosive at the bottom of your bag.

00:43:20
Speaker 1: What.

00:43:21
Speaker 2: Yeah, I eat a lot of energy bars.

00:43:23
They're convenient food on the go.

00:43:25
I'll just throw them all in the bottom of my bag and then head

00:43:27
off and uh, I don't do this anymore Cause like I got stopped

00:43:31
and it was like the whole rig room roll, search, big delay.

00:43:34
And then they call some other people out to look through the

00:43:36
bag real carefully and it's just like those are just like cliff

00:43:39
bars, guys, come on, what's going on here?

00:43:43
Speaker 1: Wow, you know, james, we, we, we just went like 44

00:43:50
minutes right and we didn't even talk about your, your company,

00:43:54
you know.

00:43:55
So let's uh, let's talk a little bit about what you're

00:43:59
doing now.

00:44:00
You know what, what the company is and everything like that,

00:44:03
what services you provide, and we'll dive into that.

00:44:07
Speaker 2: Oh sure.

00:44:07
So, uh, I found a DSE back in 2019 after doing a lot of work

00:44:11
for the big four and I kept kind of asking myself, like, why

00:44:15
isn't there a smaller organization doing active

00:44:17
directory security like this?

00:44:19
I mean, there's there's no reason to pay all this overhead

00:44:21
for the big four, you know, financing their, their leases

00:44:25
and their 30 foot table and all the commercial real estate, when

00:44:28
we could start an org without those things and offer a better

00:44:31
price for our customers with the same quality of service.

00:44:33
So, like, let's do it.

00:44:35
So we, we, we found it in 19 and that's kind of what I've

00:44:38
been doing ever since, transitioning from being highly

00:44:41
technical to the absolute uh, uh , battlefront that is, trying to

00:44:46
be a leader and a mentor.

00:44:48
It's a.

00:44:48
It's a much, much different job and it's been very fun and I've

00:44:50
learned just a ton over the past couple of years.

00:44:52
But we, as I alluded to, we specialize in a security run

00:44:56
active director.

00:44:56
We have a active degree security health assessment

00:44:59
program, our AD Shaw.

00:45:00
Basically, we use a lot of the tools that actors use.

00:45:03
We come in as if we were a threat actor.

00:45:05
We, we show you where the holes are, we prioritize them by

00:45:09
difficulty to resolve and criticality.

00:45:11
So you can kind of prioritize, because you're not going to be

00:45:13
able to fix everything no one is it's.

00:45:15
It's impossible to fix everything, but you got to get

00:45:18
the big stuff right, the main arteries, anything that's

00:45:21
critical you know, get those solved and that's going to

00:45:23
prevent the majority of the threat actors, and that every

00:45:26
threat actor is an APT right.

00:45:27
A lot of them are newer and amateurish at best and they're

00:45:31
just using off the shelf tools and if you can stop the majority

00:45:35
of those, it gives you a much better chance against the, the

00:45:38
APTs and the more you know financed threat actors that are

00:45:42
out there.

00:45:43
In addition to that, we do AD migrations as well, kind of an

00:45:46
emphasis on security.

00:45:47
There A lot of orgs will just dump everything from point A to

00:45:50
point B and that really is a recipe to bring some pretty bad

00:45:54
exploits into your environment.

00:45:55
If you you don't know what you're, what you're doing,

00:45:58
anyone can migrate a directory environment, doing it without

00:46:01
compromising the.

00:46:02
The final destination that is.

00:46:04
That is kind of the sticky part .

00:46:06
That's who we are, that's what we do.

00:46:09
If you want to reach out, we're on dseteam and LinkedIn and

00:46:14
obviously the social gambit there.

00:46:20
Speaker 1: Yeah, absolutely.

00:46:22
I have a question around the mentality of starting a

00:46:28
consulting company.

00:46:29
I started mine in 2019 and I've been fortunate enough to have a

00:46:37
couple of customers here and there.

00:46:39
When I started it, I was like, okay, this is stupid, nothing's

00:46:47
going to come of it.

00:46:48
Who would trust me to pay me to come in and give them any sort

00:46:53
of advice?

00:46:54
They probably already have the experts internally.

00:46:56
What am I doing?

00:46:58
Speaker 2: And posture syndrome.

00:46:59
Man, it's powerful.

00:47:01
Speaker 1: Yeah, absolutely, and I'm glad I still went forward

00:47:05
with it, I still went down that path and still did it and

00:47:08
everything else like that.

00:47:10
But how do you overcome that?

00:47:13
Because I feel like it might have been a little bit different

00:47:17
, if it existed for you at all, because you worked for Microsoft

00:47:21
and now you're starting a consulting firm that specializes

00:47:24
in AD security.

00:47:26
So I mean, at least for me, if I was going to start a

00:47:30
consulting firm in AWS and I already worked for AWS, I don't

00:47:35
know Maybe I would feel like, okay, I got this thing, there's

00:47:40
nothing that they can ask me that I won't be able to answer.

00:47:42
But did you experience anything like that, or was it a

00:47:47
different sort of feeling for you?

00:47:49
Speaker 2: No, I think I'm pretty sure everyone gets

00:47:52
imposter syndrome.

00:47:53
It's just not everyone admits they have imposter syndrome.

00:47:56
It's scary man, it's scary.

00:47:59
But you have to kind of just take yourself and what I do.

00:48:02
This works for me and your mileage may vary.

00:48:04
I just throw myself into the fire, right?

00:48:06
Whatever the new thing is, I'm just going to put myself in a

00:48:09
situation where I have to learn it and I have to figure it out,

00:48:12
and typically I come out of that on top or I learn something,

00:48:16
and either way that's a win and a long enough time horizon.

00:48:21
But it's tough, right, it's tough to put yourself in a

00:48:23
situation where you're giving answers as an expert early in

00:48:26
your career because you may only have a couple years of

00:48:28
experience.

00:48:29
Right, you may only know what you know and that's okay.

00:48:32
Right, that's how you learn.

00:48:33
Go out there and make mistakes.

00:48:35
Take that job you don't think you're qualified for and just

00:48:38
learn the crap out of it and really better yourself in your

00:48:41
career there.

00:48:42
It's hard.

00:48:42
It can be very stressful.

00:48:44
I've certainly had plenty of stress running a business, like

00:48:49
actual physical problems from the stress, like heart issues,

00:48:52
you know, hair loss, like you stress yourself out enough and

00:48:57
your body will make you slow down.

00:48:59
You won't have a choice in it, and that's kind of how I find my

00:49:02
limits is.

00:49:03
When I run up against that wall , I'm like, okay, well, I

00:49:07
physically can't go on, I need to dial it back and get more

00:49:10
intelligent about how I'm doing this.

00:49:11
But absolutely imposter syndrome every single day of my

00:49:14
life.

00:49:14
It's always there and I'm thankful for it because I think

00:49:18
it motivates me to a certain extent to be better, because

00:49:21
there's always someone smarter, faster, better, stronger, more

00:49:24
wealthy out there and the goal is trying to catch up to them as

00:49:27
quickly as you can.

00:49:27
Speaker 1: In my opinion, yeah, it's difficult to overcome.

00:49:35
You know that, just getting into that mentality of, okay, I

00:49:40
don't know what I'm doing today, but tomorrow I'm going to know

00:49:43
more than what I do today, you know, and that's positive,

00:49:47
that's positive movement, you know, that's going in the right

00:49:50
direction it's really difficult to kind of get into that

00:49:54
mentality and just accept it and be like, okay, I'm not going to

00:49:57
know everything, but I can find out.

00:49:59
And I think that was, I think that was the biggest thing for

00:50:03
me when I got those first couple of customers.

00:50:05
You know, I was providing consulting on a solution that

00:50:08
personally I hate.

00:50:09
I absolutely hate everything about the solution.

00:50:11
I wish I didn't get the experience that I did, because

00:50:17
even to this day, you know, I get calls of people being like,

00:50:21
oh, do you want to work on this solution?

00:50:22
Just name your number and like, no, I actually have no interest

00:50:26
in doing anything with this solution.

00:50:33
And you know one, I think one of the biggest selling points was

00:50:38
hey, I know, you know all the key players at this company.

00:50:42
If I literally cannot figure it out, I'm going to go ask the

00:50:46
guy that made it, you know, and get you the answer that you need

00:50:49
.

00:50:49
And that was something that no one else was able to offer them.

00:50:53
You know, because you have all these other bigger consulting

00:50:56
firms that are kind of more reliant on the internal talent

00:51:01
and skills and you know that internal talent and skills is

00:51:05
getting trained by the experts that built it.

00:51:07
But they still don't have that.

00:51:08
You know that connection to where they can go and ask that

00:51:12
person.

00:51:13
You know on demand, like hey, what is this thing, what is it

00:51:16
doing?

00:51:16
What's the snippet of code?

00:51:18
How do I get around it?

00:51:19
Things like that.

00:51:20
It's an interesting mentality that you have to have, I feel,

00:51:26
to feel like you're capable, you know, of providing services

00:51:31
that are worth money to some company that can, you know,

00:51:35
dissolve your company overnight.

00:51:38
Speaker 2: Yeah, yeah, I mean absolutely like working with

00:51:41
some larger organizations like Fortune 500, fortune 100, it's

00:51:46
very scary because you and your you know entity of like 50

00:51:49
people are a rounding error to them, right?

00:51:51
If there's any sort of you know legal issue, it doesn't matter

00:51:55
if you're on the right or wrong, they're going to outspend you.

00:51:57
So all you can do is do the right thing, do as much of it as

00:52:02
you can and do as best as you can, and it's been working out

00:52:05
so far for me.

00:52:06
Growing up thought a lot of extra money helped with this

00:52:09
mentality of figure it out, because you know as really young

00:52:12
it was.

00:52:13
Hey, my car's broken.

00:52:14
Well, I can't afford to have it fixed, so I better figure it

00:52:17
out.

00:52:17
Right, pick up a wrench, order some order, some parts and, okay

00:52:21
, let's figure out how this thing goes together.

00:52:23
It's just like Legos, right?

00:52:25
Speaker 1: Yeah, yeah, it's a, it's a skill set that helps you

00:52:30
in a lot of different areas.

00:52:31
At least, that's that's my opinion of it.

00:52:35
But you know, james, I always try to stay on top of my time

00:52:41
with all of my guests, you know, because I know everyone's time

00:52:43
is very valuable and whatnot.

00:52:45
But you know, I really enjoyed our conversation.

00:52:49
I feel like we could easily go another two, three hours, you

00:52:52
know, and not drink a sweat, but you know, that just means that

00:52:57
I'm going to have to have you on in the future.

00:52:59
Anytime man or you know we can talk about anything.

00:53:02
We can bring you on and talk about cyber news or anything

00:53:05
like that, but you know it's a fantastic conversation.

00:53:09
I definitely really enjoyed it.

00:53:11
And before I, before I let you go, how about you tell my

00:53:14
audience?

00:53:15
You know where they can find you if they wanted to reach out

00:53:17
to you, where they can find your company.

00:53:18
You know what all that information is so that they can,

00:53:22
you know, reach out if they wanted.

00:53:25
Speaker 2: I just, you know, go out to your your favorite

00:53:27
browser and dseteam that's a Delta, sierra Echo just dot team

00:53:32
and all of our contact information is out there.

00:53:34
You can get ahold of my phone, email, linkedin, you know,

00:53:38
twitter, whatever your your preference of communication is,

00:53:41
and we'd be happy to talk to you and help with whatever you got

00:53:44
going on.

00:53:46
Speaker 1: Awesome.

00:53:46
Well, thanks everyone.

00:53:47
I hope you enjoyed this episode .