Understand that compromise is inevitable. If well-resourced attackers want access to your enterprise network, you cannot stop them. Attackers make the same cost vs. benefit tradeoff when selecting their targets as you do when considering defensive investments. The only reason you have not been compromised is because it hasn’t yet been worth their time.

J.J. Guy is the CEO and co-founder of Sevco Security. After spending a decade as an intelligence officer, J.J. joined the founding team of Carbon Black, blazing the trail to create the EDR market. Most recently, J.J. was the Chief Operating Officer of JASK.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born and raised on a family farm in Tennessee. I had cotton on three sides and cattle on the fourth, though I’d never call myself a farmer. I worked two jobs through high school — at a family video rental store (remember those?) and at a paintball field. I didn’t play any traditional team sports but did play paintball, including at tournaments all over the U.S. I earned my undergraduate degree at Case Western in Cleveland on a U.S. Air Force (USAF) scholarship before being stationed in San Antonio at what was then called the Air Force Information Warfare Center.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

It was mostly luck. My first Air Force assignment in 1999 was with the USAF Red/Blue team. I already recognized I was more of an “operations guy” than a pure technologist and the aspect of applying technology to operations to achieve an objective was appealing. Combine that with the Red Team operations of compromising systems believed to be secure and I was hooked.

It was a blast. I would make a bet with the Base Commanders (equivalent to the CEO of an Air Force Base) when they expressed incredulity in my ability to break into the network.

I distinctly remember asking, “Sir, my personal record from mission start to Domain Admin is 47 minutes and it’s never taken longer than 72 hours. Would you like to bet on how long it’ll take me here?”

USAF Base Commanders are usually fighter pilots who then move to a boring desk job. When a confident (read: cocky) young officer brings a bit of that operational flair and swagger back to their day-to-day jobs, that makes them excited. They’d always go for that bet.

I never had to say anything. After getting Domain Admin, I’d always go find their computer and change their desktop background to a picture of me with a huge smile. That said it all.

Can you share the most interesting story that happened to you since you began this fascinating career?

I spent ten years in the U.S. Intelligence Community, tactically applying technology to meet national security objectives. I lived in the world of vulnerabilities, non-public exploits and operations. The most interesting stories of my career are all from that timeframe — and they’re all classified. Sorry!

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

There’s no way I can narrow it down to just one person. I couldn’t be where I am today without the influence and guidance of numerous very special people. Some that come to mind:

Ken Doss, retired USAF Lt Col and JROTC instructor at Jackson Central Merry High School, for encouraging me to apply for the USAF scholarship

PJ Myrick, former Captain USAF, deployer of the first firewalls in the USAF and intelligence operator, for giving me the opportunity to move from the USAF into the Intelligence Community

Jake Schaffner, retired Navy Captain and now Undersecretary of Defense, for reminding me that I take the depth and uniqueness of my experience for granted too frequently

Bob Frisbie, retired Army Colonel, for reminding me to not overanalyze situations and be biased to action

Mike Viscuso, then co-founder of Carbon Black, for giving me the opportunity to transition from the federal government to the founding team of Carbon Black

Patrick Morley, CEO of then Bit9, for showing a bunch of ex-federal hackers how to run a commercial enterprise software company

Mark Hatfield, venture capitalist for TenEleven Ventures, for introducing me to JASK and the opportunity to grow that company

Greg Fitzgerald, my Sevco Security co-founder, for agreeing to be my much-needed partner in getting Sevco moving

Mike Viscuso (again), as a venture capitalist for Accomplice, Greg Dracon with .406 Ventures and Bill Wood, the Godfather of Venture Capital in Austin, for believing in Sevco and funding our seed round

Jay Leek, Managing Partner at SYN Ventures, for leading our Series A round

If any of those people hadn’t been in my life at the time and hadn’t cared enough to help me, I would be a very different person than I am today.

Are you working on any exciting new projects now? How do you think that will help people?

I was tremendously proud to launch Sevco Security in June. It was a milestone that was 20 years in the making. My excitement stems from the problem we are tackling: I have long believed the next big thing in security is a renaissance in the basic blocking and tackling of IT practices.

Mature security teams are now finding that their biggest challenges are not that their endpoint security controls are sub-standard. It’s that they’re simply not installed on compromised machines. They’re finding vulnerabilities are present not because their patch management tools are slow or ineffective, but because the patch management agents are not installed. They are finding that keeping those tools “fully deployed” is a significant challenge. When assessing deployment efficacy, they know the numerator of the fraction — it’s whatever is reported in the console — but not the denominator.

The collection of IT assets that make up “the enterprise network” are complex. Every complex system has a number of non-functional requirements to meet, in addition to actually providing the services. Often referred to as “the -ilities,” they represent the systems engineering challenges rarely encountered outside the technology teams: availability, scalability, resiliency, and more.

Every security program framework includes “an accurate inventory of enterprise assets” as a foundational control. It’s control #1 in the CIS Top 20. The NIST Cybersecurity Framework starts with “Identify.” ISO 27001 A.8.1.1 requires an “always up to date inventory.” However, while we have told auditors for years we have it under control, it is becoming increasingly apparent that we must do more.

It is time we prioritize inventory as a fourth IT pillar, on par with availability, performance and security. It should be accountability, starting with the ability to simply account for your assets with the same discipline required for a company’s financial transactions.
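The numerator/denominator problem described above (the console reports how many agents are installed, but nobody knows how many machines there should be) is essentially a set-reconciliation exercise across every source that has an opinion about what exists. The following is an added example, not Sevco's code or platform: it merges several constructed inventories (a directory export, an EDR console, a patch-management console and DHCP leases, all hypothetical host names under an assumed corp.example domain) into one asset universe, then reports each tool's real coverage and the hosts each source has never heard of.

```python
"""Asset-inventory reconciliation: derive the denominator, then the coverage gap.

Added example, not the code of any product named in the interview. All host
names and sources below are constructed; the domain suffix is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample data: what each source believes exists. Note the mixed
# case and the mix of short names and FQDNs, which is what real exports look like.
DIRECTORY_EXPORT = ["HOST01.corp.example", "host02.corp.example", "host03", "host04.corp.example"]
EDR_CONSOLE = ["host01", "host02", "host04", "host05"]            # host05 is unknown to the directory
PATCH_CONSOLE = ["Host01.corp.example", "host03.corp.example", "host06"]
DHCP_LEASES = ["host02", "host05", "host06", "host07"]            # host07 only ever seen on the wire

SOURCES = {
    "directory": DIRECTORY_EXPORT,
    "edr": EDR_CONSOLE,
    "patch": PATCH_CONSOLE,
    "dhcp": DHCP_LEASES,
}

_DOMAIN_SUFFIX = re.compile(r"\.corp\.example$", re.IGNORECASE)  # assumed internal domain


def normalize(name: str) -> str:
    """Canonical short host name: trimmed, lower-cased, domain suffix removed.

    Without this step the same machine appears as two assets and every
    coverage number is wrong in the optimistic direction.
    """
    return _DOMAIN_SUFFIX.sub("", name.strip().lower())


@dataclass
class Reconciliation:
    universe: set[str]               # every asset any source knows about (the denominator)
    seen_by: dict[str, set[str]]     # host -> names of the sources that report it


def reconcile(sources: dict[str, list[str]]) -> Reconciliation:
    """Union all sources into one universe, remembering who reported each host."""
    seen_by: dict[str, set[str]] = {}
    for source, hosts in sources.items():
        for host in hosts:
            seen_by.setdefault(normalize(host), set()).add(source)
    return Reconciliation(universe=set(seen_by), seen_by=seen_by)


def coverage(rec: Reconciliation, tool: str) -> tuple[int, int, list[str]]:
    """Return (covered, total, missing_hosts) for one tool against the full universe."""
    covered = {h for h, reporters in rec.seen_by.items() if tool in reporters}
    missing = sorted(rec.universe - covered)
    return len(covered), len(rec.universe), missing


def unknown_to(rec: Reconciliation, source: str) -> list[str]:
    """Hosts that some other source reports but this one does not."""
    return sorted(h for h, reporters in rec.seen_by.items() if source not in reporters)


def report(sources: dict[str, list[str]]) -> dict[str, dict]:
    """Per-source coverage and blind spots, keyed by source name."""
    rec = reconcile(sources)
    return {
        src: {"coverage": coverage(rec, src), "unknown": unknown_to(rec, src)}
        for src in sources
    }


if __name__ == "__main__":
    for src, info in report(SOURCES).items():
        covered, total, missing = info["coverage"]
        print(f"{src:10s} {covered}/{total} covered; missing agent on: {missing}")
        print(f"{'':10s} never reported by this source: {info['unknown']}")
```

The point to notice is that the EDR console alone would report "4 agents deployed" and the directory alone would report "4 machines", which looks like full coverage; only after the union do the three uncovered hosts appear. Running the script against real exports would mean replacing the constructed lists with the CSVs each console produces and tuning `normalize` to the naming conventions actually in use.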

What advice would you give to your colleagues to help them to thrive and not “burn out”?

The job isn’t to secure computers and their networks. That’s impossible. If that’s your goal, you are only setting yourself up for failure and burning out trying to achieve an impossible goal.

The job is to build resilient systems and enable the organization to detect and respond to critical issues as quickly and efficiently as possible. Success is not “you didn’t get hacked.” That’s just a lucky break. An attacker didn’t care enough about your organization to bother trying. Success is measured by how well you respond to the hack when it happens.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

First, as I mentioned, we’re on the cusp of a renaissance in basic IT blocking and tackling. And I’m tickled because I think the window is opening on organizations being ready to invest in improving their discipline around something as simple as knowing where their devices are. We moved the needle once with Carbon Black on the industry, by allowing folks to operationalize detection and response in a way they couldn’t before. And I am super excited to be able to do that same thing again, as an organization to operationalize asset management.

Second, what’s super interesting is how the relationship between the CISO and IT operations plays out in the midst of this renaissance. I’m excited to see more CISOs taking on IT operations responsibilities. Why?

CISOs have invested so heavily in endpoint detection and response that they’re not getting breached because their endpoint security tools aren’t good enough. It’s that they’re simply not there. The same is true for patch management tools.

This speaks to a failure in the asset management program. While it’s the security teams that have the requirement that all endpoints are covered, it’s generally the IT operations teams that have the responsibility for it. And the way that usually plays out is that a security leader will say, “hey, I’ve got my endpoint agent deployed on 17,000 systems.” Then he or she will ask the IT department how many it should be deployed on. That’s not a question that has ever been asked toward the IT department. The closest thing has been the asset management functions, but asset management is truly a finance function. It’s capital expenditures until they depreciate off the balance sheet. This requires CISOs to take on IT operations.

Third, security is now a board-level issue. It’s just impossible to eliminate business risk with potentially high impact, and we will figure out how to make it “business as usual” through a combination of risk mitigation, risk transference and risk acceptance.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

What scares me personally is cyber terrorism. As a society, we are critically vulnerable. The only reason it hasn’t happened is that terrorists haven’t adopted the skills, and criminals haven’t figured out how to monetize it. The recent ransomware operations such as Colonial Pipeline are harbingers of the future. We are lucky those attackers are financially motivated — it becomes a business decision. Imagine similar situations but with attackers motivated by extremist principles.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

The most interesting stories are from my Air Force and Intelligence Community days and as I mentioned, those are confidential.

The breach that I would argue is the most fascinating is Equifax. The company was popped because of unknown endpoints that its patch management program missed. I would never have expected to see a U.S. Senator in Congressional testimony railing against Equifax for a failure of their asset management program, but it’s right there, front and center.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

When considering our toolchains, there are two key considerations. The first is to have a bottoms-up view, focusing on those tools that help ensure the basic blocking and tackling is always taking place. The second is not to expect tools to solve the problem but rather to support the team tasked with the responsibility. For too long, we have outsourced security to vendors, buying a product, checking the box and moving on. The days of that are long gone. Responsibility for security must come from the teams. What’s in their toolbox to help them work more efficiently?

At Sevco, we use our own security asset management platform for visibility into our own systems. We also use Cylance for our endpoint security protections and Automox for endpoint configuration management.

In addition, we run on AWS, so we use the GitHub and AWS toolchains for static source code analysis and various runtime protections for our product security requirements during development.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

Think about it from the attacker’s perspective and why they would come after you. If they can’t monetize access, the criminals won’t care about you that much.

As noted in my response to the previous question, our industry is in the midst of a transition. We are slowly recognizing that security is a process, not a solution. You cannot buy a security product from a vendor and expect to be secure. You must build a security program, including staff that is responsible for day-to-day operations. After coming to that realization, many companies recognize they do not have the ability or scale to hire the talent required to do that well. That is when you should consider outsourcing your security program to a managed security service provider (MSSP) or a managed detection and response (MDR) provider.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

The bottom line is companies need to focus on the basics. Every breach has clear signs that companies should have seen that could have allowed them to mitigate the breach. But these are missed because the instrumentation in place to show the signs are too narrowly focused on the moment of compromise. Because of that hyper focus on looking for the attacker, companies miss the big picture.

This is all about visibility. The first sign that something may be amiss is the hardest to spot — an unknown device or asset such as a cloud resource. This comes back to having an accurate and continuously updated asset inventory. As the U.S. Senate report on Equifax stated, the risk of not having [an asset] inventory “makes it difficult to ensure systems are patched in a timely manner and are being regularly scanned for security vulnerabilities.” Having an asset inventory is “paramount” from a security standpoint, because an organization can only defend the assets it has identified.

Other signs include misconfigurations and misuse of privileged credentials, such as an administrator credential being used from an anomalous location or time of day. Visibility and observability through telemetry are essential here as well.
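The second sign named above, a privileged credential used from an unusual place or at an unusual hour, is only visible if the telemetry is collected and compared against what "usual" looks like for that account. The following is an added example, not code from the interview or from Sevco: it builds a per-account baseline of source networks from a constructed week of successful admin logins, then flags later events from privileged accounts that come from a network outside that baseline or outside assumed business hours. The log format, the `admin.` naming convention for privileged accounts, the /24 grouping and the 07:00-18:59 UTC working window are all assumptions chosen for the example.

```python
"""Flag privileged logins from unseen networks or off-hours against a baseline.

Added example; the log lines, account naming and hours are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log shape: "<ISO-8601 UTC> user=<name> src=<ip> result=<success|failure>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")
PRIVILEGED_PREFIX = "admin."      # assumed naming convention for administrator accounts
WORK_HOURS = range(7, 19)         # assumed business hours, 07:00-18:59 UTC

# Constructed baseline: a quiet week of successful logins.
BASELINE_LOGS = [
    "2021-09-20T09:12:44Z user=admin.jsmith src=10.20.30.11 result=success",
    "2021-09-21T14:03:10Z user=admin.jsmith src=10.20.30.12 result=success",
    "2021-09-22T10:47:01Z user=admin.jsmith src=192.168.5.7 result=success",
    "2021-09-22T11:02:19Z user=jsmith src=10.20.30.11 result=success",
]

# Constructed events to evaluate, with the expected verdict in the trailing comment.
NEW_LOGS = [
    "2021-09-27T10:15:00Z user=admin.jsmith src=10.20.30.15 result=success",   # known /24, work hours: normal
    "2021-09-27T03:12:44Z user=admin.jsmith src=10.20.30.11 result=success",   # known /24 but 03:12: off-hours
    "2021-09-27T13:40:02Z user=admin.jsmith src=203.0.113.45 result=success",  # never-seen network
    "2021-09-27T02:05:30Z user=admin.jsmith src=198.51.100.9 result=failure",  # both signals, even though it failed
    "2021-09-27T02:30:00Z user=jsmith src=203.0.113.45 result=success",        # not a privileged account: ignored
    "this line is not in the expected format",                                  # malformed: skipped, not crashed on
]


def parse(line: str):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Group by /24 so a DHCP address change inside the same office does not trip the rule.
    net = ipaddress.ip_network(f"{m['src']}/24", strict=False)
    return {"ts": ts, "user": m["user"], "net": net, "result": m["result"]}


def is_privileged(user: str) -> bool:
    return user.startswith(PRIVILEGED_PREFIX)


def build_baseline(lines):
    """Map each privileged account to the set of /24 networks it has logged in from."""
    baseline = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev and is_privileged(ev["user"]) and ev["result"] == "success":
            baseline[ev["user"]].add(ev["net"])
    return baseline


def detect(lines, baseline):
    """Return (timestamp, user, network, result, reasons) for each anomalous privileged event."""
    findings = []
    for line in lines:
        ev = parse(line)
        if not ev or not is_privileged(ev["user"]):
            continue
        reasons = []
        if ev["ts"].hour not in WORK_HOURS:
            reasons.append("off-hours")
        if ev["net"] not in baseline.get(ev["user"], set()):
            reasons.append(f"unseen network {ev['net']}")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"], str(ev["net"]), ev["result"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, net, result, reasons in detect(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(f"{ts} {user} from {net} ({result}): {', '.join(reasons)}")
```

Failed attempts are reported as well as successes on purpose: an off-hours failure from an unfamiliar network against an administrator account is a stronger early signal than a success that arrives later. In practice the baseline would be learned from weeks of data per account rather than four lines, and the working window would come from the account owner's actual schedule, but the comparison logic is the same.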

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Companies today are not judged on whether or not they get breached. They will be judged on how they respond. If they do get breached, they should first engage their legal counsel, who has preferred incident response professionals. This is important because activities are protected under attorney-client privilege and through appropriate disclosure of reports.

These are not relationships that you can set up quickly and companies shouldn’t rely upon them if they get breached. They also need to have an incident response plan that is continuously updated and practiced regularly.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA GDPR and other related laws affected your business? How do you think they might affect business in general?

It’s been a net negative. These measures have come about due to overreaction and they are too broadly applied. My business has little to no privacy risk, but I have to spend the same amount as a company that has a high risk. The net/net is that it raises costs and decreases competition.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Companies are hyper-focused on themselves and frequently fail to assess the probability of compromise. They think that they must be secure because of how much they’ve invested in their security programs and how much work they’re doing. As a result, they don’t appropriately recognize how much an attacker is invested in compromising them based on their motivations and ROI potential.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

The pandemic has accelerated the hybrid workforce model. We’re still transitioning from thinking about how an enterprise network is the center of the world to the fact that a distributed network is what supports the hybrid model. Companies have been evolving their visibility and security controls to align with the new model, but COVID-19 has accelerated it.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

I spent the first ten years of my career breaking into networks for a living, first as a red team operator for the U.S. Air Force, then as an offensive network operations officer for the U.S. Intelligence Community. My focus over the past ten years has been on applying what I learned about compromising the security of networks to instead improving their defenses by building new products in startup companies. Based on this entire journey, there are a few key things I believe to be true:

1. Understand that compromise is inevitable. If well-resourced attackers want access to your enterprise network, you cannot stop them. Attackers make the same cost vs. benefit tradeoff when selecting their targets as you do when considering defensive investments. The only reason you have not been compromised is because it hasn’t yet been worth their time.

2. Ensure that attackers don’t know more about your network than you do. With deep knowledge and unrestricted access, attackers have a more complete view than the usually siloed administrators. Plus they don’t have the distractions of meetings, required compliance training or other internal bureaucratic hurdles. Putting yourself in an attacker’s shoes will help you look at your network differently.

3. Focus on operationalizing security. Continued investment in security “on top” of IT will see diminishing returns until we begin investing to increase the discipline of core IT functions. Operationalizing security is more important than compliance and oversight activities.

4. Invest in accountability alongside availability, performance and security. Historically, IT has prioritized availability and performance: keep it running and minimize the cost. In the early 2010s, companies began investing in security as a third priority. That investment has resulted in significantly increased maturity in our security operations and commensurate reduction in material breaches. We must do more, starting with the ability to simply account for your assets, with the same discipline required for a company’s financial transactions. It is a foundational investment that makes everything else more effective, applies to both IT and security functions, and improves the efficiency of the existing people, processes and products.

5. Don’t ignore the basics. As an industry, we have been focused for way too long on more detection tools, a fancy algorithm that’s going to stop the attacker. I don’t want to diminish any of that, as there are great products out there. But we can’t continue to invest in all of those technologies while continuing to ignore the basics. Every organization has a material breach on their risk register and every risk assessment comes down to likelihood versus impact. When it comes to estimating the likelihood of a material breach, how do you do it? Instead of relying too much on investment in fancy technologies, focus on the basics.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

You will frequently be told “do what you love.” I will tell you something different: “find something to love in what you do.” Understand the difference and the world is yours to conquer. Fail and you will forever be a servant to your own insecurity.

How can our readers further follow your work online?

They can follow us at SevcoSecurity.com, where they can keep up with our news and read useful resources such as our blog posts and technical material. I’d also love to connect on LinkedIn.

