For the past few years, the focus of cybersecurity has increasingly been shifting to resilience. Core to a resilience program are backups… a safety net that’s also highly vulnerable. How do you make sure your backups are ready when the time comes?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and DJ Schleen, former distinguished security architect, Yahoo. Joining us is our sponsored guest Heath Renfrow, co-founder, Fenix24.
Huge thanks to our sponsor, Fenix24

Full Transcript
Intro
0:00.000
[David Spark] For the past few years, the focus of cybersecurity has increasingly been shifting to resilience. Core to a resilience program are backups, a safety net that’s also highly vulnerable.
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series, and my guest co-host for today’s episode, thrilled to have him on board, good friend of the show over at the CISO Series. Formerly of the Paranoids over at Yahoo, it’s none other than DJ Schleen. DJ, say hello to the audience.
[DJ Schleen] Hey, everyone. Great to be here. Thanks, David, for inviting me back. I’m looking forward to this conversation. It’s one that’s close to my heart.
[David Spark] Awesome. We have this conversation, but not enough on our programming. I’m glad we’re having it. Also, we got a great sponsor and a great guest to help us with this. First, the sponsor, that is Fenix24 and the Conversant Group. They are responsible for bringing our guest. Also, they can very much help out with the very issue we’re talking about right now, which is resilience and backups.
And so let’s get to this topic at hand, DJ. Resilience is all about being prepared for an inevitable cyberattack. Now, we’ve got to be able to recover and restore quickly to maintain business continuity. Now, backups are a key to all of this, but it seems like they are still very much an afterthought in cybersecurity programs.
And if we’re creating backups, we just assume they’ll be there when we need them. And for those of us who have dealt with this, not usually the case. I’m not going to say not always, not usually because sadly, more often than not, it does not work out the way you want. So, DJ, how are backups failing as we try to build out a resilient security program?
Explain.
[DJ Schleen] Well, there’s a ton of different ways they can fail. First is that they just don’t happen. A lot of folks just assume that because they’re in the cloud, everything’s just backed up for them. A lot of times people who are hosted in the cloud and have all their data in Amazon or in Google or whatever it might be, just assume that their data is protected.
They don’t understand resilience or failover or data corruption issues. So, there’s a bunch of different things there, and then you never really expect the unexpected, right, where all of a sudden you need to get your data back out of the systems that you store them in, and it just doesn’t work.
[David Spark] And the other thing is, if you are a target, they also target your backups as well.
[DJ Schleen] Oh, absolutely.
[David Spark] Yeah.
[DJ Schleen] Think of ransomware.
[David Spark] Yes. And we’re going to be talking a lot about that on today’s episode. All right. The guest who really has experienced this very much firsthand, and I can’t stress that enough. So, we’re going to get someone who has seen the ugly of this and talk about how to get out of the ugly of this.
Thrilled to have him on board. He’s the co-founder of Fenix24 and Conversant Group. Our sponsor guest, none other than Heath Renfrow. Heath, thank you so much for joining us.
[Heath Renfrow] Well, David, thank you for having me. Been listening a long time. Glad to be on here.
What needs to be considered?
2:55.797
[David Spark] Duane Gran of Converge Technology Solutions Corp. said, “There are several topics at play here, but I want to focus on the protection against ransomware because attackers will poison the backup system if possible.” That’s what I talked about, and by the way, Heath can lean on this a lot in just a second but let me go on with Duane’s quote here.
“You can do all the right things like test restores, RTO/RPO, calculated from business impact analysis, 3-2-1, etc., but if the means to access a backup admin system is functionally the same level of authorization as other admin functions in the org, it is at risk. What I’ve advised in the past is to ensure that the administrative access, either via the credentials or MFA, is substantially different from other administrative user accounts.
Additional mitigation steps involve using a jump box to access the backup system.”
And also Mike Elkins, he says, “Test and validate often…” This is going to come up a lot here. “…your backup recovery and disaster recovery and business continuity strategies.” So, it’s interesting he mentioned all of them, not just test your backup. So, “Don’t forget to include the human element in your scenario planning.
Be creative and imaginative. Assume an everything, everywhere, all at once and drone swarm style event. Assume your data centers and/or factories may cease to exist tomorrow. Pull cables and power cords and see how resilient your strategies truly are. When was the last time you checked the fuel level on a power generator in a critical building or a data center or restored from a tape on an offsite vault?
When was the last time your service providers, third and fourth parties participated in a collaborative functional testing of operational resource? Do this all to identify your gaps, risks, and unknown vulnerabilities.”
All right. Mike just threw out an exhaustive, but not complete, but an example of you got to think deep about this problem, and then Duane said your backups are a target. So, DJ, this whole idea of resiliency, it’s a very involved, deep discussion, isn’t it?
[DJ Schleen] Absolutely. It’s a culture of backups that you really need to adopt. You also have to know the data classification of the data that you’re dealing with. Is it sensitive? Is it confidential? Is it potentially public knowledge? Do you need to back up things just because it’s data? It really depends from business to business, and from business unit in an organization to another business unit as well.
[David Spark] All right. Heath, I’m going to have you jump on because this is very much speaking your language and what you’ve experienced. In part of your answer, would you do me a favor? Give the audience an idea of what you deal with and through your work and what you see.
[Heath Renfrow] Yeah, David. So, Fenix24 is a pure play disaster restoration company, mainly ransomware events. So, we’ve seen over 1,200 ransomware events over the last few years that we’ve helped clients recover. If you’ve seen it in the news, we’ve been involved with it in one shape, form, or another.
When it comes to backups, absolutely right. It’s an afterthought. My whole perspective on cybersecurity’s changed from my past roles is backups are the most essential security control, in my opinion. They’re the only thing you can truly guarantee from a cybersecurity standpoint. Truly, the only thing you can.
[David Spark] Let me pause you right there. Is there a poster child, any business you’ve ever seen like, “Oh, they got backups,” right? Have you ever seen that?
[Heath Renfrow] No.
[David Spark] Never. What’s the closest you’ve seen? Like give me the best-case scenario you’ve ever seen.
[Heath Renfrow] Major gambling association out of Vegas. Their backup survived because it was older technology and because it was older, that particular threat group called Scattered Spider was unfamiliar with it, and so it survived.
[David Spark] So, they got lucky. [Laughter]
[Heath Renfrow] The luckiness is not just the backups, it’s storage capacity. Keep in mind that in an encryption event, 80% of your storage capacity’s probably encrypted. You can’t delete it. You can’t blow it away. So, you have to have the storage capacity to move the data back into the environment.
That’s one of the biggest challenges most clients have whose backups do survive. Keep in mind, 95% of our clientele, backups do not survive ransomware events.
[David Spark] DJ’s making a nasty face there. Have you gone through an incident yourself, DJ, and had to go to backups? And what was your success? Or have you seen friends deal with this?
[DJ Schleen] Well, I was at a large museum in Washington, D.C., and I was brought in to design their cloud-first backup and long-term storage solution because they just about lost all of their data in the museum. Their tape backups failed. And all the best intentions, again, it’s backing systems up on site, sneaker-netting them over to another building, storing them on tapes there in a big vault.
And the tapes, again, they didn’t know that they were corrupted, so when they had an event where they needed to restore data, some of their data was very hard to put back together again.
[David Spark] To me, the whole thing with backups is like eating healthy. Like we know we should do it, and we know what the prescription is to a degree, but very few people do it. Although I think more people eat healthy than are good about testing their backups. Yes, Heath?
[Heath Renfrow] Oh, yeah.
[David Spark] So, before we jump to the next segment, just give one advice. Like look at Mike Elkins’ quote here of all the stuff that he advised here, which is a lot, what is the one that everyone needs to lean in on?
[Heath Renfrow] A lot of his steps in here are more focused on probably natural disaster versus destruction, and I think most of our recovery options are in there. The one thing he says is pull cables, pull power cords. Don’t ever do that during a ransomware event. If you stop an encryption in the middle of the process, you’re done.
So, as bad as this sounds, let the encryption finish because if you do have to buy a decryption tool, you’re going to have to be able to decrypt it. If you stop the encryption in the middle of the process, you’ll never recover that data. So, you have to let it go, and that’s a hard concept for a lot of people to accept.
[David Spark] I didn’t realize that. Good tip.
If you looked at the problem this way.
8:39.758
[David Spark] Teri Green-Manson of KIPP SoCal Public Schools said, “In my opinion, backups must be reimagined as a cornerstone of resilience, not just recovery.” Ah, on your page, Heath. “To maintain business continuity, organizations should embrace the 3-2-1-1-0 rule. Three copies of data on two different media, one offsite, one immutable, and zero untested backups.
Immutable backups segmented from your production environment are critical to thwart ransomware attackers. Restoration speed and precision depend on well-documented, frequently tested recovery playbooks that account for worst-case scenarios, like rebuilding domain controllers from isolated sources.” And Howard Holton over at GigaOm said, “If an attacker is in and compromising accounts, how can you know you are protected post-restore?
Data protection is about type 1 and 2 recovery. Type 3 requires cyber resilience, which is not part of traditional backup.” So, Heath, I’m throwing this to you. The Teri Green advice on how to do backups, is that sufficient?
[Heath Renfrow] I think it’s on the right approach. I do think it has to be reimagined. If I was going to invest and go back and be a CISO again, my security budget would go into backups first and foremost and then figure out resistance after that. I would change the MITRE ATT&CK framework completely backwards.
He has the 3-2-1-1-0. We have a 5-4-3-2-1 approach to it. We absolutely agree with that. Snapshots are so important. Immutable storage is important, not just immutable backups. Most backups are not immutable. The most common backup solution in the world right now is two administrator accounts, is the immutability of that account, so they’re going to get to it.
So, it’s really spot on.
Testing backups, that’s the key. If you look at your disaster recovery plans, and no matter the organization, even my past organizations, your recovery time is not like that. Moving terabytes of data back into an environment that you just had to rebuild and put Humpty Dumpty back together again, it takes a long time.
It is a marathon, not a sprint to recoverability. It’s just something that just blew my mind once I started doing this.
[David Spark] Let me ask you, DJ, about testing backups. Everyone knows they need to do it. Give me the frequency and the extent of testing backups because I’ve done things where it was like, oh, I look, I find a file, I restore the file, I go, “Oh, look, I can restore.” That ain’t cutting it. What is the level that we have to test and how often?
[DJ Schleen] Well, let’s frame the problem a little bit. Do people back up their phones? Yes, no. Right? If you look at an iPhone and just backing it up and restoring it when you go get another one, it takes a good hour, right? Now multiply that by petabytes of data. Some of the organizations I’ve worked at, petabytes.
So, how do you back that up and how do you restore it? Are you looking at snapshots, deltas and change sets? There’s some interesting things around that because you can automate a lot of the recreation of the data or snapshots of data.
For example, if you have a good multi-tiered development environment where you have production data and then you have testing data, which is either scrub production data, you have the ability to test some of those backups and data transfer technologies or just processes that you might have in place.
But then the other thing, too, is infrastructure as code. We talk about data, but we talk about resiliency and backup and restoration. We might have to bring a whole server fleet back up. If we look at that kind of scenario, it’s quite possible that we want to really focus our strategic vision on moving from zero touch or zero code environments, like just click, click, click to create a server in a cloud environment, to more of an infrastructure-as-code approach so you can rebuild everything in an automated way and configure it as well.
So, at that point, then you have read-only systems, ephemeral environments, that kind of thing. But my main concerns about backing up is, what do you do about space? Immutable is good. And then can you get to the point where you can custom configure or automate a lot of this away?
[David Spark] Let me ask you, Heath, is there some way through testing you can answer the question of business recovery/continuity? Because you talked about like it’s a marathon, it takes a while. Like if everything is encrypted, and everything can mean a lot of different things to different organizations, how do you then through the testing report back to the CEO, “If we get hit with a ransomware incident and we are all encrypted, it’s going to take X long to recover”?
Like, how do you get to be able to have that answer?
[Heath Renfrow] Yeah, it’s great. The reason we created the Ransom Backup Resiliency Assessment, it is over-the-shoulder technical controls. The issue you face with these situations is return operations just isn’t realistic. Every client I’ve ever walked into in a ransomware event, what are your critical assets?
How many assets do you have? So, there’s a loss on that. So, business impact analysis isn’t there. They don’t understand what the moneymakers of their business is, and that’s the key to be able to test. Understand your critical assets. Have all the business leaders chime in on it. What’s number 1 through 500?
And then from there, you can put a testing environment to be able to say, “Okay, we got no storage. Let’s move these petabytes of data back into this environment and see what the pipeline looks like.”
And that’s the key. What’s the pipeline? How much data can go across? And then you have an understanding of what your RTOs are going to be, and that allows you to go transfer that risk over to cyber insurance or whatever it is to be understanding what your true business interruption costs are going to be.
Maybe you have to invest in more technology to speed up things, but that is the lagging [Phonetic 00:14:09] situation. Even in clients’ backups that survived, they’re shocked that their disaster recovery plans of 24 hours to recover is actually more like 9, 10, 11 days because of the pipeline to recover.
[David Spark] By the way, and I’ve had this conversation with other CISOs where they asked this question of their management and they just from the hip said, “Oh, we can last this long without the internet,” and they found out, “Oh no, we can’t last an hour.” [Laughter] You really have to have that deep conversation.
Sponsor – Fenix24/Conversant Group
14:34.848
[David Spark] Who’s our sponsor this week? I want to tell you about the awesome sponsor that Heath works with, and that is the Conversant Group. Cyberattacks happen, right? The question is how quickly can your business recover? What we’ve been talking about. With Securitas Summa from Conversant Group, recovery isn’t just possible, it’s assured.
Securitas Summa is a comprehensive cybersecurity program designed to keep your business secure and operational. It combines proactive defense, continuous protection, and assured recovery through Fenix24, the world’s leading recovery firm. Work begins in less than 60 days and recovery starts the moment you need it.
No delays, no excuses. With Securitas Summa, your organization has access to a fully managed recovery process that gets you back online faster than anyone else, 50% faster than the industry average, to be exact. So, downtime is minimized, risk is reduced, and your operations stay on track. Cyber resilience starts with the right partner.
Visit conversantgroup.com to learn how Securitas Summa delivers security and recovery you can count on. Conversantgroup.com, check them out.
What’s the issue here?
15:47.465
[David Spark] Joshua Copeland of Quadrant Information Security said, “I have done tons of consulting work and can count on one hand the number of people that actually tested if they could restore their backups.” By the way, that does not shock me. Joshua goes on, “I have also done incident response and rarely did the backups actually restore.
If you don’t regularly test your backups and actually restore them, you don’t actually have backups.” And Jerich Beason, CISO over at WM says, “It’s not enough to simply have backups or test them regularly. We must also consider the available compute resources needed to restore backups at scale.” What you were talking about, Heath.
“Especially when deploying them to new hardware. Most organizations only test a small subset of systems to validate the backup process and reliability, but this approach falls short in scenarios where 75% or more of the environment needs recovery due to ransomware attack, for example.” All right, Heath, I’m going to lean on you.
Jerich and Josh are both speaking your language, aren’t they?
[Heath Renfrow] Oh, they certainly are speaking my language. Absolutely across the board. The one thing I would say with Jerich, the old concept of recovery or a ransomware event was greenfield. Go get new hardware. Go get new software. It’s not necessary at all. This is a nation-state. So, we do a brownfield rebuild.
Build back into the infrastructure that’s already there. Get the domain controllers back on Active Directory, rebuild the systems, and they’d be able to recover. But once again, storage capacity is the biggest issue you have there. You don’t have enough data to remove back in there, you have to work with the forensic team to get the intel coming through to understand how the threat actor got into the environment.
So, it’s a lot of song and dance.
And once again, you’d be shocked, even if backups are there, they’re not being done properly. You make an assumption snapshots are being done. Then you get in there and go, “Oh, we only have 3 days of snapshots versus 30 days of snapshots,” or the backups weren’t even getting to the tapes, or you outsourced to India for tape backups and then they don’t have it labeled, and it takes three months to find the tape backups.
I’ve seen every number of nightmare you can imagine of this, but these gentlemen are pretty spot on.
[David Spark] All right, DJ, going back to our earlier discussion about testing, let me ask you, I always think about this. Like, have you been in any organization where the one person, their full-time job is just constantly testing the backups? Because in this entire conversation we’re having, it feels like if your company’s big enough, you got to at least have one person doing that.
Yes?
[DJ Schleen] Oh, my gosh. I don’t think I can say I’ve ever seen somebody who is solely responsible for backup and infrastructure recovery. That’s mind blowing. I’ve very rarely even seen backup programs in place where folks have actually said, “Hey, you know what? We’re going to back up our data somewhere.” Especially in like multiple availability zones inside of AWS or something like that, where you have a downtime of zero because you can fail over.
A lot of folks just don’t think that far unless they have a mature development organization, engineering vision. Heath, what do you see out there?
[Heath Renfrow] It’s an afterthought. It’s an assumption that they’re going to be there. Same assumption I had when I was running global cybersecurity programs. I assumed my backups would be there. I assumed they were being done correctly. And there’s no money invested in it, to be honest with you. Everybody, it’s looked at as cost, storage is a lot of money.
So, are we going to buy excess storage? Backups, are they immutable or not immutable? Every vendor in the world will tell you they’re immutable, but they’re not.
[David Spark] Is this why you started the company? Because, A, you essentially got singed yourself and you realized, “Oh, geez, this is a problem.”
[Heath Renfrow] No, I spent 20 years at the Department of Defense. I went to a company called the Crypsis Group, which is now known as Unit 42 out of Palo Alto, which is a data forensic incident response firm. And I saw it over and over again. Clients couldn’t recover because they had the manpower to do it, and their backups did not survive.
Then we started Fenix24, helped clients recover, special operations in and out, put Humpty Dumpty back together again, as it was before. And then I started getting repeat clients. And so we’re like, “We’re going to start two other battalions.”
[David Spark] They got burnt. They saw what they needed to do. And still, they had to come to you again. I mean, in an ideal situation, you get a client, you set them up, and you don’t have this situation again with them.
[Heath Renfrow] Oh, that’s the ideal situation, but I’ve had a lot of repeat clients.
[David Spark] [Laughter]
[Heath Renfrow] I’ve been in environments where a threat actor’s encrypted and then come to find out there were two other threat actors that encrypted on top of their encryption. So, it’s been astronomically crazy, the things that I’ve seen.
[David Spark] Hold it, wait, then do these criminal actors start infighting? What happens there?
[Heath Renfrow] They don’t really infight. You got to figure out who encrypted first, who encrypted second, who encrypted third. Then you got to negotiate with them.
[David Spark] So, do you have to make three payouts if they’re going to be starting negotiating with them?
[Heath Renfrow] And then you have to find the order that it happened. That’s the reason you have to make copies that have tons of storage data to move around to play with the decryption process if you do pay for the key. It is mind blowing.
[David Spark] What a mess.
[DJ Schleen] My mind is blown. If it couldn’t get any worse, people not even having backups. Now we have potentially three different organizations or nefarious organizations attacking [Laughter] and encrypting your data.
[David Spark] It’s like being eaten by a shark, drowning, and lit on fire at the same time.
[DJ Schleen] Or a shark being eaten by a bigger shark, eaten by a bigger shark. And then you got to find out what the first shark ate, right?
[David Spark] [Laughter]
[Heath Renfrow] Yeah, it was very interesting. That one particular event that we’ve seen, that most recent one. But then you find different ransom notes and you’re like, “Okay, this is from RansomHub, and this is from BlackCat, or this is from Black Basta. What is going on in here?” And you realize they all hit at the exact same time, and then you have to start negotiating.
[David Spark] Do some targets just look like these big ripe cherry tomatoes? All the attackers are like, “Oh, my God, they’re just asking for it,” and there’s like a pile on?
[Heath Renfrow] Since we went to a ransomware as a service, the threat actors did, you have brokers that are selling the access and then anybody can get the access. Particular groups, Scattered Spider, you’ve seen them in the news, a big arrest in Dallas recently. Average 14- to 23-year-old US, UK citizens.
They’re highly sophisticated, highly talented, and they like big game hunting. So, those folks really do see something that’s really juicy, and they really are going to go after it really hard. But they’re brokers, they’re selling it. And then all of a sudden, you have all these threat actors playing around in that environment at the same time, and they all go off at the same time, and then they got you.
What are the elements that make a great solution?
21:50.365
[David Spark] David Ratner over at HYAS said, “Backups that are not regularly tested are worthless.” We’ve talked about this. “Probably less than worthless,” this is what I love, “As they give false hope for recovery and may in fact delay a true recovery. I knew of an organization a long time ago that only realized after an issue occurred that all of their 10 days of backups were corrupt and could not be used.” We’ve heard this many times already.
And Sara Wolpin over at Tel-Arm said, “I would emphasize the importance of offsite immutable backups,” as we talked in the beginning. “In one incident I was responding to, I witnessed attackers actively deleting backups from the backup server as we worked to stop them. The server was within the domain, which shows how important it is for it to be a completely separate location.” You’re nodding your head through this, Heath.
Heath, you’ve seen this.
[Heath Renfrow] Oh, I have seen this. Absolutely. The issue in these situations, and offsite immutable backups is fine and dandy, the fastest recoverability is going to be the source to the source. And that’s the reason storage, immutable storage is so important. And then you have on-prem backups that are immutable and then you can go to the cloud.
Keep in mind, business interruption costs are the 65% of the financial loss in cyber insurance claims and for companies. So, putting offsite is fantastic, but your RTO from offsite’s going to be completely different than your RTO from snapshots or your RTO from on-prem. You’re going to have to analyze all those capabilities and what it takes to sit there and recover from those different points.
So, she’s spot on, absolutely. But I am not a big advocate to say we have offsite immutable backups because that is not the quickest path to recovery. And the reason that people don’t pay attention to this, they don’t understand their critical assets and they don’t understand the quantitative number associated per day that they’re down.
MGM, for example, publicly came out $10 to $12 million a day is what they were losing when they were down. That’s an astronomical number.
[David Spark] That’s a lot of money last time I checked. All right, DJ, I’m going to let you have the final thought on this. If you’re advising, what is a good solution? Where should we be going?
[DJ Schleen] I would like to touch on something first before final comments on that. What I want to find out, Heath, maybe you can answer this question, is getting to the root cause of this. We’ve talked about people avoiding backups and not testing their backups. Why are people ignoring backup solutions in the first place?
Do they think their compensating controls are in place and that they don’t have any risk? Are they calculating the risk down and saying, “Hey…”
[David Spark] I think it’s in the name backup. [Laughter] I think the name backup makes people believe it.
[Heath Renfrow] Yes, it’s a great question. It is an assumption that they’re going to stop the threat actor. It is a cost, to be completely honest with you, it is a lack of education in what the backups need to look like. From a configuration standpoint, if you connect your backups to your Active Directory, you’re done, period.
It’s over with. It doesn’t matter if you have a separate administrator account to it. A threat actor is going to get Active Directory, they’re going to create their own administrator accounts, and it’s the first thing they’re going after. Not only do they encrypt your backups, they change the passwords to them, so you can’t even get to them.
They encrypt the ESXi environment, but they change the administrator password so you can’t see how far the encryption is.
So, there’s a lot of steps you can do to reduce. It’s not a lack of security controls in place. It’s a lack of IT engineers historically are understaffed. That’s just the truth. And what they do is they create paths to be able to make their job easier, to work multiple different things at one time. A remote management solution into an ESXi environment because they don’t want to have to drive in if something happens in the middle of the night.
Well, that remote management solution gets compromised with a credential, and then the threat actor has direct access into a hosting environment. And as you know, ESXi hosts, you cannot pin an endpoint solution for protection in it. There’s nothing in there. So, there’s no alerting going to happen. So, it’s a lot of IT engineering, not mistakes they’re making.
They’re trying to get their job done. So, it’s not so much security sometimes when it’s down to the IT.
An issue we’ve had is security’s gone down this path, and IT has gone down this path, and there’s a lack of knowledge for a security person to go, “Is Active Directory connected? Are there ACLs in front of the ESXi host? Is backups connected to Active Directory?” Because they don’t have the IT knowledge, and IT folks don’t know the security side.
There’s some path that we have to come back together as a community to understand both sides of it, but unfortunately, there’s some sophisticated attacks. Everybody calls these threat actors sophisticated. They’re not. They’re great system administrators.
[David Spark] They’re great system administrators. Ah, what a jab. [Laughter]
Closing
26:11.223
[David Spark] All right, I am going to have you, Heath, there were a lot of people who spoke your language here. So, there’s some quotes here that are definitely along your path. Which quote was your favorite and why?
[Heath Renfrow] I like Teri Green, to be honest with you. It needs to be reimagined. Backups need to be reimagined, and that’s what we’re trying to bring to the table with the program that we’ve initiated based off the intel that we have from Fenix24 day in and day out.
[David Spark] All right. I like it. DJ, your favorite quote and why?
[DJ Schleen] I think Teri Green, as well, is the one that I would point out. I love the idea of 3-2-1-1-0. It makes you think about different ways to store your data, back your data up. Restoration speed, the precision, that’s all things that we have to take into consideration. And I think what Teri’s really outlined are some points that we really need to think about when we’re thinking about backing up, and we’re thinking about resilience, restoration of data, and just the overall integrity and availability of the data that we serve to our customers.
[David Spark] Very good point, DJ. All right. Well, that brings us to the tail end of the show. I want to thank Heath Renfrow and his phenomenal companies, Fenix24 and Conversant Group. Obviously, you have given us the knowledge, Heath, and I’ll let you have the very last word here on this very topic of, well, resilience, backups, and pretty much don’t trust your backups.
I think, really, I think we have one theme from this episode is, “Oh, that trusting over your backup, it’s not going to play out for you.” DJ, I want to thank you for stepping in as my guest co-host for this very episode. Thank you very much. DJ, do you currently have another show going on right now?
[DJ Schleen] Yeah, I’m considering doing some more podcasts. I just completed a series called daBOM, which focused on software bill of materials, and I’m most likely going to be starting season two in January of this year.
[David Spark] Oh, okay. This will probably air after that. So, check out DJ Schleen’s daBOM podcast series all about SBOM, and we will provide a link to that. All right, Heath, I’ll let you have the very last word here. Any calls out to our audience in terms of Conversant Group, Fenix24, how you would like them to get in contact with you and your organization?
[Heath Renfrow] We created a Ransom Backup Resiliency Assessment. It’s the best assessment I’ve ever seen. Not NIST, not CIS, it’s over-the-shoulder technical control, looking at the attack path of a threat actor from an engineering perspective, but also are your backups being done? Are they being snapshotted?
What’s the data? What are your critical assets? What are your true return to operations based off that? And done 18 Fortune 500 companies over the last nine months, not one of their backups would have survived a ransomware event. Before I got on this call, I was with a major private equity firm that we looked at this Ransom Backup Resiliency Assessment.
They’re in the same situation. So, be shocked, reach out to us. It isn’t expensive, okay? It is a quick assessment, over-the-shoulder, technical. It’s the best assessment I’ve ever seen, and I would have bought it a million times if I was back in my role as a CISO.
[David Spark] Excellent. Well, thank you very much, Heath. Thank you very much, DJ. And thank you to our audience. We greatly appreciate your contributions and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.






