In this episode, our host and Banyan’s Chief Security Officer Den Jones speaks with FBI Special Agent Scott Hellman. Scott has been investigating cybercrime with the FBI for more than 14 years and shares with us some of the key threats facing organizations in 2023. We hope you enjoy Den’s discussion with Scott Hellman.
Scott Hellman Supervisory Special Agent
About our speaker:
Supervisory Special Agent Scott Hellman has been investigating criminal and national security cyber-crime for 15 years with the FBI. He earned a Bachelor’s in chemistry, a J.D. from University of Baltimore, and now leads a team of cyber-crime investigators in the San Francisco Bay area.
View Transcript
Speaker 1:
Hello, and welcome to Get It Started. Get it Done. The Banyan Security Podcast, covering the security industry and beyond. In this episode, our host and Banyan’s chief security officer, Den Jones, speaks with FBI Special Agent Scott Hellman. Scott has been investigating cyber crime with the FBI for more than 14 years and shares with us some of the key threats facing organizations in 2023. We hope you enjoy Den’s discussion with Scott Hellman.
Den Jones:
Well, hey, everybody, welcome to what I think is now episode 14 of Get It Started, Get it Done, Banyan’s lame attempt at podcasting. Or maybe if we don’t do well selling software, then we’re going to have to fall back on this one. So glad our software’s good, I guess. I’m Den Jones, the host, and today I’ve got Scott Hellman from the FBI. We’re going to talk a little bit about cybersecurity from 2022. What happened? Any observations they had, as well as 2023, and how can you protect yourself and engage with the FBI? So Scott, welcome to the show. I’d love for everyone’s benefit, can you introduce yourself so I don’t butcher it?
Scott Hellman:
Sure, absolutely. You got my name right, Scott Hellman. I’m a special agent or supervisory special agent with the FBI. I’ve been in for about 15 years and I sit in Silicon Valley, in South Bay of San Francisco Bay Area and lead a team of cyber investigators.
Den Jones:
Awesome, awesome. So as I mentioned, this is one of those easy conversations, I guess, especially for you guys. 2022 was an interesting year, so it’s hard to summarize it in five or 10 minutes, but could you share just a little bit about the themes of ’22, what you guys were seeing and that kind of thing?
Scott Hellman:
Absolutely. Just one thing to touch on, I know as you and I have talked before, that you talked to my boss, Elvis Chan, in a previous episode. And so I think one thing that’s going to be very different about talking with me versus talking to Elvis, is that I love haggis and Elvis clearly not. I had a neighbor back when I lived in Virginia, who was Scottish, and introduced me to two things. One was a proper scotch and the other was haggis. I had never had it before and it was during Burns Night. So we had a blast. So I think that’s going to be at least one [inaudible 00:02:35].
Den Jones:
That is one difference. Yeah, and I’ll tell you, I hear people all the time, they think haggis is crap or they’re scared of it, they’re even just scared of the thought of it. But yet, there’s so many cultures that have a blood sausage pudding or something of that similar nature. And I think it all generates from the use of the sheep stomach, which are the lining, which these days, not a lot of people really do that. But if you get a traditional haggis from Scotland, then, yeah, you’re getting the full experience. And with a good drink, I would say it’s probably a better experience.
Scott Hellman:
It was pretty fantastic.
Den Jones:
Awesome, awesome. So let’s jump in. So ’22 was a bizarre year or maybe a busy year. So do you want to share some of the thoughts and the insights that you guys had on this?
Scott Hellman:
Sure. I think I’ll touch on three things that really come to mind. And the first is we saw a lot of non-technical workarounds to MFA. As of course, multifactor-off has been pushed so hard in the last maybe five to 10, by both security professionals like yourself and from public industry like us, when we’re talking about best practices. Over time, it has become adopted, very ubiquitously, across a wide range of internet services. And of course, cyber criminals have to figure out ways to get around that. And it is relatively, I think, challenging to take a technical approach to getting around multifactor-off, compromising keys and that thought.
So the mechanism that they’ve chosen, more often than not, is some sort of social engineering approach, whether it’s a direct social engineering with an employee that has access to keys or social engineering to convince someone to click on a multifactor prompt. We’ve also seen a lot of SIM swapping to gain access to people’s phones through 2022. And it’s certainly, I wouldn’t say unique to ’22, but it is something that continues to increase. And so that would be the first thing, is I’ve seen a lot of social engineering. Maybe just a quick story, if I can throw one out there?
Den Jones:
Oh, absolutely. Yeah.
Scott Hellman:
Yeah. So we had a victim company give us a call and basically had an internal, let’s say, help desk-style employee. They received a call from someone claiming to be HR and basically they said, “Hey, Den,” whatever the person’s… Well, I’ll just use your name, “Hey, Den, my name’s Scott. I’m calling from HR. And unfortunately someone has reported that you have posted racist statements in an online forum.” And I think it is such an interesting choice, because there’s been so much additional awareness about, I think, racial sensitivity and thought in the last multiple years, that I’m thinking about how I would feel if I were approached for that situation, and people that I talked to about this, is that you’re immediately so tunnel visioned on, “Oh, my gosh, it has to be some sort of mistake, but this is a serious problem that I’m going to have to deal with immediately.”
And so it brings that sense of urgency to the situation. And of course, the next piece of the social engineering was, “Look, I’m sure that this is just a mistake and this is probably pretty easy to fix, but we’ve got to investigate all of these things. And the laptop you’re using right now, it’s a company laptop, the things you signed when you first came on, basically we have the right to gain access to that laptop. So we’re going to send you this link. We’re going to do a quick remote access and just take a quick peek around for any evidence of the words that were claimed to be used,” this, that, and the other thing. Hours later when the employee finally realizes this is not reality, it’s far too late and 5 million pieces of PII are out the door.
Den Jones:
Yeah. Wow.
Scott Hellman:
So I just think that’s a particularly interesting one. We saw this in the last-
Den Jones:
Yeah, and it’s funny and I think one of the calls I was on with Elvis, he does this kind of weekly call thing with the team and stuff, and one of the calls, somebody I think was sharing that conversation and I was like, “Shit, yeah, this is…” But you’re getting to a point where the social engineering is becoming so good, that as humans, we can be trained on what not to do and what to do. But the adversaries are getting so clever because half of them know what we’re being trained on anyway. It’s like, “Oh, check the from email address, or check this, or check the spelling.” And it’s like, “Holy crap. But that’s the basics.” And they’ve gone far beyond the basics. Well, as you say, creating the sense of urgency with something, which in our society has become a moralistic thing and big topic, it’s huge. So yeah, it’s a shame. I think the thing for us is, I’ll always validate and call back the HR team or something like that, in this scenario, right? It’s funny, yesterday I’m selling something on marketplace-
Scott Hellman:
Oh, don’t let me get started. I was just-
Den Jones:
… and again… Yeah, so it’s funny, I’m selling an antique clock and I’ve been caught out in a scam on this one, and I remember telling Elvis about it and he’s just like, “Oh, my God, yeah, there’s nothing you can do.” And ultimately, it was like, “Pay this to get the ship in,” or do this and do that.
Scott Hellman:
They overpaid you to get the money back.
Den Jones:
Yeah. And I’m like, “Oh, that’s cool.” Now luckily enough, Venmo recouped the funds. But yesterday some guy reaches out and he is like, “I’m going to Zelle you some money.” And I’m like, “Cool.” I said, “The money has to clear before I’ll allow pick-up.” And then-
Scott Hellman:
I feel like you must remind Den in the last two days.
Den Jones:
He’s like, “I’ve just emailed you.” So I look at my email. But I’m in my bank account and I’m looking at Zelle in my bank account, I’m like, “The money’s not arrived.” And then I see this email and it’s instantly Google mail or Hotmail, whichever one I was using, caught the email as spam and threw it in my junk folder. And I just looked and I glanced at it, and I took the screenshot and I sent it to the guy, and I went, “Clearly a scam.” I went, “You need to improve on how you’re doing this.” And it came from a random Gmail account and it had all the Zelle stuff looking great. And if weren’t a paranoid security person, you might have been like, “Cool, let me click the link in the email to validate the money transferred.”
Scott Hellman:
Absolutely.
Den Jones:
Geez. Yeah.
Scott Hellman:
So frustrating, beyond belief.
Den Jones:
Yeah, it happens. So ’22, I mean, it’s funny because there was a lot of friends of mine in companies that I respect and stuff, had some issues and stuff, and I think it doesn’t matter now. You can have a great security organization, you can invest millions, and millions, and millions, and we’re playing Russian roulette because ultimately all it takes is one employee to click a link and then that could be the start of it.
Scott Hellman:
Well, I mean you bring up, I think, another piece which is, you’ve talked about basics, you’ve talked about training. This is maybe a piece that you were planning on talking about later, but I think it feels pretty organic to talk about it now is, when you’re talking about social engineering, you’re talking about phishing. You really need both, I think, to explore both technical solutions, and looking at human training and awareness campaigns. You absolutely need both. You can’t have one without the other. If you don’t have enough technical tools to reduce the footprint of the malicious emails that are getting in front of your people, your statistics are going to be too high of, it’s just too likely that someone’s going to click on something more often. And so your tools, there’s many of them out there and obviously we can’t endorse any one particular tool, but tools that are designed to reduce, let’s say the number of phishing emails end up in front of an employee’s face, you’re still going to have some that get through.
Den Jones:
Yeah. No, absolutely.
Scott Hellman:
[inaudible 00:11:11] sure that your employees are being routinely just drilled about having… That really needs to be in the forefront of their mind. And it’s a very challenging problem, because we’re all being tasked to do more with less all the time. I don’t care what industry you’re in, that’s it. It’s, “Right, we’re going to do more work with less resource.” And at some point you get overwhelmed with a million emails in your inbox and you’re getting pinged on Slack, you’re getting pinged on whatever platform, and it becomes really difficult to stay present, and paying attention to what you’re doing in the moment.
And think about it, you get to the end of the day and tired, and you’re like, “I got to crank through these last 40 emails quickly, so I can get to…” I don’t know if you have children, or my child’s game, or whatever it’s going to be. And that I think is where we’re most susceptible is, we’re not really engaged in what we’re doing in that moment. We’re not being present. And I talked about it at lunch, presence has come up a lot in the last multiple years. COVID was so intense and still is in many respects, and people, their mind is somewhere else. And thinking about how that plays a role in just reading email and phishing, I think is just a really interesting thing to consider.
Den Jones:
Yeah. For us, we engage with a lot of customers and a lot of prospects on where in the supply chain, or the kill chain, is a company like Banyan going to help, but where do we not help? So from a defense and depth strategy, there’s no one vendor that’s going to do it all. So from a vendor scenario. And it’s funny because I got a slide deck that I’ve put together for conferences I’m presenting at this year, and so last year I spent a lot of time talking about zero trust, and it’s a nice buzzword. If you’re playing buzzword bingo, brilliant. But this year, it’s all about the why, why do you want to do something like that? How are we being attacked? And then how and where may these kind of principles help you thwart the attacks?
Like you say, if you think about it, the email comes in, you click the link. Well, we’ve been working on like DNS and URL filtering. There’s many companies that do stuff like that, so that when you click the link, it’s not going to go there, right? And our password list, or device registration, or device posture, all of these things for us, they’re things that we’ve been working on for a while and talking to customers about. Because the reality is, some of these attacks, if you’ve got the right strategy from a defense and depth perspective, you can certainly reduce it. I mean I’d never tell anybody you can eliminate it, but you could certainly reduce it. And 2023, Scott, do you just see much of the same, continuation of ’22 or any surprising new thoughts that you guys are coming up with?
Scott Hellman:
I think it’s a combination of, maybe not surprising, so it’s going to be some more of the same. We’re going to see more ransomware, we’re going to see more hack, and exfil, and extortion, not replacement, but an addition to ransomware. Just seeing more of that because it’s, I think, maybe a little bit easier to hack and steal, and then try and extort in exchange for not leaking, as opposed to going through more iterations of trying to encrypt and go through the infrastructure you need, even as a criminal organization to manage keys and things like that. I think we’re certainly going to see more phishing, 300,000 phishing reports we had in this past year, that’s going to continue to be high. BEC continues to be on the rise. From 2017 we had, let’s say $1.7 billion in loss from BEC, then 1.8 billion in 2019, I think. Yeah, so 1.7 in 2018, 1.8 in 2019, I’m probably missing the numbers here. Oh, yeah, in 2021 it was 2.4 billion.
Den Jones:
Wow.
Scott Hellman:
That’s the key piece there. There is this huge jump. And then we’ve got 2.75 in 2022. And I think about why we might have that huge jump during COVID and how COVID may have played a role? And I think you about phishing and BEC, and part of the reason why it works, is creating this sense of urgency like we just talked about. Having this change in business practice where we’re asking someone to send money to point B instead of point A. And then oftentimes the sense of confidentiality in many phishing emails, “Look, Den, this is really important. I’m trusting you with this information. You can’t tell anybody about it.” And you think about what was happening during COVID and you’ve got all of those things, a constant sense of urgency. Like, “Den, you got to run out and get some toilet paper before it’s gone,” or run out-
Den Jones:
So I was going to say, our CEO, like most executives in companies, it’s funny, always surprised me how executives are like, “Oh, I don’t want to do the blah, blah, blah thing that everyone’s been told to do from a security perspective.” They don’t want to do it because they’re too cool for cats, but yet they’re the ones that are the high value target list because they usually have some great juicy stuff to steal. And our team often get text messages or emails, masquerading as a CEO-
Scott Hellman:
All the time.
Den Jones:
… that, “I’m at a conference and need your urgent help, blah, blah, blah.”
Scott Hellman:
Oh, it’s right now. It has to be right now.
Den Jones:
Yeah. Always a sense of urgency.
Scott Hellman:
Yeah. So those things combined, right? They match up nicely with each other. There’s urgency, the constant change, like we were changing nonstop through COVID, so people got used to an expected change. And then the sense of confidentiality. What better way to prevent people from saying like, “Hey, Den, did you get the same email that I got?” Because it used to be, if you were in person, you stick your head over a cube wall. Even a little bit of friction of everyone being isolated in their homes, I can’t say for certain, but I look at those factors and I think, “Man, that made phishing and BEC just that much more effective.” Another thing that’s really going to continue to be a huge, which we saw in 2022, is a lot more crypto theft, loads of it, and use of crypto. And then for sure, AI being used on both attack and defense. No question. I think that’s going to be really interesting to see how AI continues to be used to craft malware or whatever it’s going to be, as well as being used on the defense side to protect against it.
Den Jones:
And certainly from an AI perspective, it seems like in the last six months, but definitely in the last month, I’ve heard a lot more about AI being used to write code, to execute code, to make decisions about code writing. And it’s getting pretty alarming just on how rapidly that’s advancing.
Scott Hellman:
For sure.
Den Jones:
Yeah. I used to think about IOT. When I worked in Adobe, one of the teams that were responsible for all of the collaboration spaces, I go in and he’s giving me the tour of the space and like, “Hey, Den, look at these lights, and look at this, and look at this.” And that’s on the network and this is this. I’m just like, “Oh, shit.” And I’m like, “You’re just bringing in stuff, and stuff, and stuff.” So we started to work with that team just on how could we look at the tech that they were bringing in from an IOT perspective? Because you’re dropping it. Now, the other thing was, well, could we create a separate network segment just for this IOT classification of devices? Which we were doing with facilities and some of those teams-
Scott Hellman:
It’s almost like a dirty network because it’s coming up so fast. Who has the time to vet these things out to see what’s going on? It’s like, “Oh, just had 64 light bulbs into my house.”
Den Jones:
Yeah. But then the hard thing is, they want their laptop or tablet to connect to other devices that are a similar classification. And it was just a gnarly thing. Now, in 2023, I mean, we talked a little bit about guidance for people to keep themselves safe or to protect themselves more. So I’ll rattle off a few things that we always think of. Passwordless is great. MFA’s table stakes. I mean, for me, table stakes 10 years ago, but MFA, passwordless, I like the thought because it plays well with our company story, which is device posture and even a registered device. So the one thing is, you can’t log in as me from China because you’re not on my devices and I’ve registered them. So I like that.
Scott Hellman:
That’s right.
Den Jones:
I love getting rid of VPNs. I mean, I’ve been talking about that for many years now, because VPNs usually give full access to a network and that’s never clever. So that’s-
Scott Hellman:
So when you think get rid of VPNs, what’s your alternative then? Is just only use cloud services and so you’re going direct to the service?
Den Jones:
Well, no, so the cool thing is funny. So in 2017, my Adobe enterprise security team, we’ve done a zero trust project there. We called it Zero Trust Enterprise Network, and we took all the internal applications and we put them behind a reverse proxy. In those days we used F5 APMs. Now Adobe shifted to use Banyon’s product, which is cool, but ultimately you’re publishing the app, the service, to the internet and making that accessible, but behind a bunch of security stuff. So you’ve got other controls that protect against cross-site scripting or other security issues are pretty common. And the cool thing about that is, and we’ve done this before COVID, so the great thing is when COVID hit, 40,000 people went and worked from home and they didn’t VPN in, they were still using the apps that we published via our ZEN platform, but in order to access the app, you had to have a registered device, you had to meet a minimum security posture, and you had to have a certificate and not use a username and password.
So we were doing cert based off with MFA, with device posture, and the registered device. Then you get in and you’re still going through the firewalls and the layers of security, but you’re not accessing the whole network. All you’re doing is, you’re only accessing the apps we publish. The other thing, and why we shifted to Banyan, is because sometimes you actually just want to access a lab, like a small subnet or sometimes you want to access servers or infrastructure, we had our bastion hosts, and you’d go in and you could access a bastion host and then from there go to infrastructure. So extra layers. But because we’ve removed the VPN stuff and the password stuff, it made the friction a lot simpler. It’s a really smooth expedience for the users.
Scott Hellman:
Well, obviously the frictions on the front end, is getting it set up. That’s where all the horsepower’s going to be, is getting that infrastructure set up so that-
Den Jones:
Yeah, well, the good news, I mean the Adobe story, we done it in seven months. I mean that was from ideation to POC, to full 40,000 deployment, 2,000 apps.
Scott Hellman:
That’s pretty amazing.
Den Jones:
I mean, we’ve done integrations with Okta and some of the other stuff, but the F5 VPNs, we put them in AWS VPC. So with Banyan though, I mean we done a customer in a week. The other week. I mean, with a customer and that was like 10,000 users in a week, because you can put the reverse proxy technology, the gateway thing, as a cloud service, it’s a hardware appliance. So it’s cool. Anyway, so I don’t drown everyone with Kool-Aid nonsense. I mean, what do you think people should be thoughtful of from a strategy perspective, as they go on in 2013, and try and deal with these attacks?
Scott Hellman:
I’m going to go back to basics because I think not every company’s going to have necessarily the resources to have such a robust security posture that you just described. So I see still plenty of intrusions occurring from a compromise of basics, right? So making sure that your basics are buttoned-up. From a smaller or medium-sized company standpoint, those are things that are still very accessible to you. We’re talking about password management, just like you mentioned, patch management, and we’re talking about employee training. We still see three of the main vectors for most intrusions, are going to be compromised credentials from somewhere, right? We’re talking about exploitation of known vulnerabilities. So that’s going to be patch management, and phishing. And that’s going to be a combination of, again, technical and human training. And we’re talking about defense in depth. Those are just the bare minimum that I think, again, are very accessible to most companies, to find a solution that’s within reach. That are those.
Den Jones:
Yeah. And it is funny because I talked to so many people about the basics and it’s alarming. I think Elvis shared something with me last year about stats on companies in the Bay Area that haven’t fully MFA’d themselves. And it’s like, “Wow, that’s an alarming number of people.” And all I said to Elvis, “Well, at least I’ve got job security, because I’ve spent 25 years doing identity, and access management, and stuff.” So I feel fine there, but I’m alarmed. I’m alarmed at the company’s that haven’t fully done this.
Because if they haven’t done it for their basic employees, then what’s their stance of privileged? I mean, if you think about it, it’s like, “Have they only done privileged and not the rest of the employees?” So I’d be nervous for some of those guys. But yeah, the basics, I think there’s too many companies haven’t taken care of just the basics and spread themselves thin, because I think when people think of, “I’ll do a security program,” they’re like, “Right, let’s do instant management, vulnerability management, blah, blah, blah, blah, blah”
Scott Hellman:
Too much.
Den Jones:
“Let’s do the whole thing,” and you can’t do it all.
Scott Hellman:
No, that’s a huge endeavor. You bring up the perfect point which is, you can’t do it all, but you’ve got to start somewhere. And it almost doesn’t matter. I mean, I’m sure there’s plenty of arguments where you should start. It matters more to start than it does to spend an incredible period of time trying to lay the whole thing out ahead and have nothing in place, or very few things in place. Get started. I’m sure like any other company, nobody starts with the roadmap from the very beginning, and just lays it out and gets it done.
Den Jones:
Yeah. Well, it’s funny because the title of the podcast is Get it Started. Get it Done. And for me, it’s like you can’t procrastinate all the time on this stuff. You have to start somewhere. And then especially in the Valley, there’s a lot of consensus-driven. Nobody wants to offend anybody and all that nonsense. And I get it, but that’s only slowing down progress and wasting your resource time. So what was really funny for me was, at Adobe, we had a small team of people that led this, I mean it was only four or five people, and I increased my headcount by one and I spent like $220,000. It wasn’t a huge endeavor. And if you look at the financial benefit for people not changing their passwords every 90 days and people not VPN-ing in, it was huge. So it easily paid for itself within six months of us deploying this. It’s pretty cool.
Scott Hellman:
My question for you on that is, what’s the sort of analog then? For a medium or a smaller company, is not going to have 220 grand lying around to do that. What’s your thought process of where smaller, medium companies should start?
Den Jones:
Yeah, and it’s funny because we have talked to some companies about doing an assessment or even security strategy assessments, but a zero trusts readiness assessment, all those kind of things. And I think in a smaller company, the important thing is, look at the technology you have, and look at the areas where you can spend less time and money. Because if you’re only half arsely doing vulnerability management, and you’re not really scanning and you’ve not really configured the thing, it’s like, “Well, is that really the thing saving your bacon?” Divert resources and funds over elsewhere. The good thing is, we focus on the small, medium market, actually. So this is the audience that you’re talking about and we talk to customers a lot about this, where we are and many of the other companies in this market, they’re not very expensive, but the total cost of ownership, I think, is a thing that lets a lot of companies down.
So the conversation we have internally, is how do we make the total cost of ownership of our product as low as it possibly can be, so that you can install it, and you’re not catering and feeding it with 10 people? You need the ability to say, “Look, I’m not going to increase my head count. I can do this with the team I have and I’m never going to spend five hours a week less elsewhere.” But literally, I’ve done two implementations, different technology stacks, and it’s all focused on users accessing resources and services. And the biggest thing is, find a really small use case. And for the company that’s less than 50 people, we actually offer a free product. So I think some other companies out there probably do something similar, but less than 50, it’s like, “Come on, let’s get it going.” And maybe all you’ve got is a team in your company, that you want to protect them more and it’s less than 50, go have at it.
So, yeah. And I think the big thing, going back to protecting people and stuff, is MFA, do the basics and really, really train your employees, but then also recognize that they’re going to be caught out at some point. So if that point is where they’re going to click the link, then what can you put in place to prevent that going somewhere? And we were focused a lot on all of that stuff. And the big thing for me in 2017, what I realized was, employees are not all in your office. They’re not all on your network. So if they’re going to be home, they’re going to be traveling, and then some or are more of your apps are cloud-based. So that was a big thing for us and we were watching how we were being attacked, and then trying to think of strategies to thwart those attacks, and that’s where that investment really, really came into it. So as we wrap up, Scott, first of all, I really appreciate your time, but-
Scott Hellman:
Of course.
Den Jones:
… FBI, you guys, and I know this because I’ve worked with you guys quite a bit, but you guys have got a great outreach program. You’re really trying to work with industry. Do you want to share a little bit about that and where that’s gone?
Scott Hellman:
Sure, absolutely. So here in the Bay Area, we’ve got a private sector engagement team. And their job, of course, is just to continue to develop and foster relationships with a wide range of entities, not just tech, of course, in the Bay Area. But I think one of the most important things any entity can do, when we’re talking about businesses, is just reach out to their local FBI office and develop a relationship with people like me. Someone who is helping to lead a team of cyber investigators, for a couple of reasons. One, you don’t want to that first conversation to be when your hair’s on fire and you’re thinking about including law enforcement in the process, in the incident response, but you don’t have any relationship. You have no idea what it’s going to look like.
So you want to be able to have that conversation much earlier, before an event happens. Also, it makes it very helpful. Many times we’ll come across pieces of intelligence through other investigations where we can identify, “Oh, gosh, it looks like Company X is next on the target list for whatever flavor of ransomware.” And if I’ve got that relationship already with you, I can pick up the phone and just give you a call directly, and say, “Hey, I’ve got this source and desk IPs from these ports, and this is kind of what we’re seeing. Hopefully it’s something you’re able to do something with.” I think that’s really what it comes down to, is developing the relationship early, so that you have some additional options and you’re not trying to make a decision at the point of duress.
Den Jones:
Yeah. And the one thing for me, over the years, I’ve had Elvis come in when Adobe were doing our insider threat program, and Elvis come in and talk to the team just about ideas and approaches that the FBI have seen working for other companies, and given us guidance like that. So that kind of stuff has been brilliant.
Scott Hellman:
Absolutely.
Den Jones:
And then ultimately, yeah, as you mentioned, you don’t want your hair to be on fire, to be the first time you’re having an introduction with someone. Oh, and another thing, doing business with embargoed countries and stuff. I called Elvis just the other week and I’m like, “Hey, we’ve got this scenario, what do you think? Any advice?” And then from there I could act upon that and make sure I’m giving guidance back to the team at Banyan. So I think there’s not just like when shit hits the fan, the FBI might want to help. I mean if you can build the relationship, you’re going to get way more value.
Scott Hellman:
And we participate in TTXs all the time with local companies. I mean, I find it helpful because it gives me an understanding of how various different company and corporate structures work, and how their security apparatus works. But it lets you get those reps in, right? How are we going to handle this situation and when do we bring in the FBI if we choose to do so? So TTX is definitely another way to do it.
Den Jones:
Well, awesome. Awesome. So there’s your local FBI office. Otherwise, there is a website that people can go and get more information?
Scott Hellman:
Sure. Well, if you’re just looking for general information or best practices, is that what you’re getting at?
Den Jones:
Well, there could be that and then there could be, how do you get the number for your local or the contact to your local-
Scott Hellman:
Oh, I mean, gosh, you can just Google. That’s pretty easy to find. It’s just Google. If you wanted the San Francisco FBI’s office, you just Google San Francisco FBI and you’ll find the main number. And then you’d obviously tell them who you are and ask that you’re looking to talk to whoever is in charge of their cyber program, right? And that is just a pretty easy way to initiate that relationship and we’ll take it from there.
Den Jones:
Awesome. And I even think there’s a 1800-CALL-FBI, right?
Scott Hellman:
There is. That’s more of a tip line, I think, you can talk, but you could certainly do that, for sure.
Den Jones:
Yeah, you could give them a tip, “Hey, I need help.” So, excellent. Hey, Scott, look, thank you very much. I really appreciate you taking the time. We actually managed to go way over what I was thinking that we go over-
Scott Hellman:
Sorry.
Den Jones:
No, it’s great conversation. I’m sure there will be people out there that’ll find this really valuable. And thank you very much for your time, Scott, really appreciate it.
Scott Hellman:
Thanks very much, Den. And I actually forgot to ask you. If you’re in the Bay Area, looking forward to running into you at some point.
Den Jones:
Yeah, I’m in San Jose and our office is in San Francisco, so I go between the two places. And then, as I mentioned, I’ve got a really crazy travel schedule. I’ve done a LinkedIn post this week to say, “Hey, where is Waldo?” Because I’ll be talking at seven conferences in 12 weeks.
Scott Hellman:
Oh, my gosh. You’re going to be all over.
Den Jones:
Yeah. Start off hitting Dallas on Wednesday and then it just goes from there.
Scott Hellman:
You’re down close to us. We’re just in the Pruneyard.
Den Jones:
Oh, cool.
Scott Hellman:
So if you happen to be around, we’ll meet up for a coffee.
Den Jones:
Yeah, that would be awesome. I’ll definitely drop you a line. Well, Scott, thank you very much.
Scott Hellman:
Thank you.
Den Jones:
Let me end this recording, then I can start swearing like a Scottish guy.
Speaker 1:
Thanks for listening. To learn more about Banyan Security and find future episodes of the podcast, please visit us at banyansecurity.io. Special thanks to Urban Punks for providing the music for this episode. You can find their track, Summer Silk, and all their music at urbanpunks.com.
Close Transcript
Free for 30 Days
Simple, secure, & free!
Quickly provide your workforce secure access to corporate resources and infrastructure.