As a part of our series about “5 Things You Need To Know To Tighten Up Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Kurtis Minder, CEO and co-founder of GroupSense.
At GroupSense, Kurtis leads a team of world-class analysts and technologists providing custom cybersecurity intelligence to some of the globe’s top brands. The company’s analysts conduct cyber research and reconnaissance and map the threats to client risk profiles. This enables the company to deliver finished intelligence to clients that could be abbreviated as ITMaaS: “intelligence-that-matters as a service.” He is also a frequent contributor to the start-up community, and serves as an advisor and mentor to growing companies.
He arrived at GroupSense after more than 20 years in roles spanning operations, design and business development at companies like Mirage Networks (acquired by Trustwave), Caymas Systems (acquired by Citrix) and Fortinet (IPO). And, a fun claim to fame: he was even instrumental in building an early custom e-commerce system for the artist Prince that enabled him to circumvent his record company and sell music directly to fans online.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in central Illinois, corn and soybeans abound. I have one younger sister and two nieces.
My father worked for a flour mill in a factory and my mother worked at the State of Illinois in an accounting capacity. I remember going to my father’s job and then going to my mother’s job and thinking “…she is holding a cup of coffee…it is air conditioned. I need to learn how to type.”
I taught myself UNIX operating systems at the vocational center while taking “data processing classes” and started working at early internet service providers at 17. I worked for and helped build three internet companies and did a stint at Southwestern Bell (SBC, now AT&T), before I started working at information security startups.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I read Clifford Stoll’s “The Cuckoo’s Egg.” While working for the internet service providers, we were often under attack. It was usually by hobbyist hackers, but sometimes foreign actors would find themselves in our routers. I have always enjoyed the forensic process and hunting the actors down. When I moved into security architecture, I became enamored with the interoperability and connectedness (or lack) of the security apparatus. Later in my career, my interest moved beyond product solutions and moved squarely to outcomes. This is where I live now.
Can you share the most interesting story that happened to you since you began this fascinating career?
The most? That is hard to say as there have been so many interesting things, from developing the early e-commerce solution that enabled Prince to sell his first records on the internet to ransomware negotiations for some of the largest companies.
I think the entrepreneurial journey in its entirety was and continues to be interesting and enlightening. So many twists and turns, false peaks, and incredible feats. The team that we pulled together at GroupSense makes it all possible and worth every minute.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I am grateful for many people.
First, I will say I would not be here if it were not for my Mom. She believed in me early and coached and pushed me to get that first technology job. Second, Brett Turner, my first boss, was a strange but effective mentor in a Mr. Miyagi kind of way. I still have the UNIX System V book he lent me. I wonder if he wants that back? Third, Ralph Faught, who gave me early access to the UNIX systems at the Illinois Board of Education and allowed me to explore and learn. Finally, Randy Maxey, who inspired the geek in me while he showed me how to write code to flash ROMs on radiology equipment from a Toshiba Libretto on his kitchen table.
I am fortunate.
Are you working on any exciting new projects now? How do you think that will help people?
We are working on a few meaningful projects. The most impactful is our ransomware/extortion solutions that provide a full suite of tools to help affected companies of any size. We found that many companies in the mid- to upper mid-market do not have the resources necessary to navigate a ransomware situation. We put together a cadre of partnerships that augment our negotiation, transaction, and monitoring services that includes legal counsel on breach disclosure, incident response, public relations, security awareness training, and fractional CISO.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Sure, there are two parts to that. You have to love what you do and want to do it better. The belief in purpose is key to that. If you don’t have these things, it is just a job. Continuous learning and growth are also key to staying engaged and intellectually satisfied.
However, you have to have balance. Make time to do the things that make you happy in life outside of work. For me, that is motorcycles, running, hiking, etc. For someone else it could be gaming, sports, or focusing on family.
Oh, and work for someone that listens to you. Speak up.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
I have seen this industry grow from an afterthought to a fundamental business practice.
I think the first thing that excites me about the industry is how quickly it is evolving. The earlier question about “burn out” is easier to navigate because this industry is changing so fast that it would be hard to be bored or intellectually disinterested. I am excited about the pace.
I also find the core problem to be an interesting one. Very few disciplines outside the military have such a tangible enemy. Think about that. In most professional disciplines your biggest enemy is making an error or a mistake. In cybersecurity, your enemy is often a human being trying to get you. Sometimes it is even a nation! That makes the stakes and the countermeasures that much more interesting.
Finally, in our practice, it is exciting because we are actually helping people. Sure, much of what we do is focused on protecting enterprises and their assets, but we also help law enforcement, we find sex traffickers, and we notify non-client affected parties gratis as a matter of course. We are also fighting terrorists, and we even have election disinformation and misinformation services protecting some of the largest municipalities and states in the U.S. That is MEANINGFUL. It’s great.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Sure, many of the emerging threats are iterative. I think the “normification” of the dark net marketplaces and their ability to offer “as a service” threat tools is something that will have a negative impact. The threat actors are building services to offer to other bad persons wishing to commit fraud or cybercrime but who do not have the sophistication to do so themselves. You can literally log on to a dark net market and buy a DDoS attack or a ransomware attack (where the profits are escrowed and shared); we recently tracked some fraud kits that pretty much submit the PPP loan applications FOR you to take money out of the stimulus program. The dumbing down of the sophistication required to carry out attacks and profit from them is a real issue.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I do ransomware negotiations almost daily, so I have no shortage of these. The easy risk mitigations are no-brainers. Many of the attacks are from exposed remote access or account takeovers. Simply, use controlled access solutions, have strong password policies, and use two-factor authentication wherever possible. Doing these simple things will move you up the fruit tree, as it were.
Regarding ransomware, always bring in a professional to do the negotiation. The threat actors are acutely aware of whom they are speaking with. Likewise, skilled negotiators are aware of the tools, methods, means, and tactics of the threat actor. A skilled negotiator can save you downtime and money.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Personally? I can list a few and explain. Password Manager, Two-Factor Code Generator, VPN, and EDR/MDR.
A password manager is simply a program that helps you store and create your passwords for all the sites that you have to access. Tools like LastPass, 1Password, and others help you use discrete passwords for every site you access. This prevents account takeover and credential stuffing attacks.
Two-factor code generators are tied to your login at various sites and software properties. The idea is with a regular password setup, your password is something you know. If you combine the password, something you know, with something you HAVE, it makes the authentication that much more difficult to crack. This is one form of two-factor authentication. These code generators sync up with sites that offer two-factor. It works like this… you put in your username and password and the site will ask you for a code. You open the code generator on your phone and the number that is on the screen (it changes on a cadence) is entered into the site. Boom. You are in. If your password were guessed or stolen, the threat actor would still need that code on your phone to get in. Security. Examples of tools like this are Google Authenticator and Duo Security, and even some of the password managers offer this.
I use VPN to obfuscate from where my traffic is emanating. Using a cloud-based VPN service can increase security because of encryption between you and the VPN, plus it will hide your information from the sites and places you visit on the internet. Examples of these tools are NordVPN, LiquidVPN, ProtonVPN, and others.
I have an Endpoint Detection and Response (EDR) client on my machines that helps detect nefarious activity on my computer. Think of this as an enhancement to anti-virus. We choose to have our EDR clients managed, this is what is known as Managed Endpoint Detection and Response (MDR). Companies in the EDR/MDR space include CrowdStrike, Cylance, and even AV vendors like McAfee. MDR providers like Expel, eSentire, and others can provide a helping hand.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
The answer to this is a complicated one. It depends primarily on risk management. When developing a cybersecurity strategy, including how and what to utilize to protect yourself from cyber attack, you must first understand the value and impact of what you are going to protect. This is sometimes a difficult exercise, but ultimately understanding the importance of what you are protecting will drive how you invest in your cyber programs.
The good news is there are many cost-effective options for smaller businesses through managed service providers and cloud security vendors. The days of having to run a rack of security gear in your broom closet are dwindling and your accountant doesn’t need to know how to do digital forensics.
I am a big believer in the fractional CISO program — find a firm that fits your business model and size and have this person help you solve the risk/investment equation.
Of course, compliance is another driver…
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
You could get lucky and notice something awry, but most attacks are made to be pretty subtle, and this is why having a professional watching the logs for you is pretty key. I just got off a call with a prospect who detected a breach themselves. The attackers had gotten control of their email server and were sending emails to their finance staff trying to get them to do wire transfers using their internal staff addresses. If you have processes in place for these kinds of requests, and the actor violates those policies — you might see it.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Assemble a response team. The team should include leadership, counsel, cyber insurance (if you have it), incident response, and public relations. The incident response team should get immediately to work to determine the scope and breadth of the attack and exposure. This is key to understanding what your obligations are from a disclosure perspective, which the counsel should be able to assist with. PR will help relay the messages both internally and externally about the incident. If there is ransomware, you should engage a firm to do the ransomware negotiations.
After the breach? A third-party assessment of the security infrastructure is paramount. The incident response report will highlight what vulnerabilities and weaknesses were the root cause. The minimum is to repair these, but also to take a more proactive stance on the security program. User awareness training is also important. Many of the breaches we are addressing are the result of user error or clicking where they shouldn’t click.
We are subject to these laws like everyone else. We don’t maintain a tremendous amount of personally identifiable information (PII), but we would have to remove what we have for any given user who requests it. There is no major impact.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Many organizations still see security as an afterthought, a necessary evil, and a cost center. Approaching a cyber program through this lens is detrimental as the costs for doing this on the cheap or incorrectly can be immeasurable.
Fortunately, the most common mistakes are easily fixable. Password policies, encryption, and user behavior can all be easily solved with some simple software, two-factor authentication, and training.
I cannot stress the training enough. User behavior contributes to the bulk of cyber attack success.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Yes. Most of the incidents we have seen have revolved around account takeover (stolen credentials) and vulnerable remote access. In a rush to support everyone’s remote access and to maintain productivity, companies enabled remote desktop services and VPNs without the necessary authentication steps to ensure best practice security.
Most of these security risks could be mitigated by password policy, credential loss monitoring, and two-factor authentication.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
There are a handful of basic steps that prevent the bulk of cyber attacks. Unfortunately, most companies fail to address these.
- The first is password policy — a simple policy that prevents users from password reuse or simple password combinations — will go miles to reduce account takeover. Implementing an organization-wide password management tool would be supplemental to this, ensuring that there is no password reuse inside the organization or on third-party properties. Speaking of third-party web applications, the password policy should indicate that the corporate email address should not be used for personal web logins, social media, or unauthorized web applications. Third-party breaches are a core cause of account takeover and successful phishing attempts. Policy and reinforcement of that policy leveraging monitoring for corporate exposure in third-party breaches will help curb this threat.
- Two-factor authentication should be enabled everywhere possible. If your SaaS provider does not support it, consider switching providers. This is a simple solution that makes an enormous impact on security.
- Endpoint protection is also key. The latest managed detection and response solutions will identify when a machine has been compromised and provide a mitigating response.
- Finally, access control. Implementing a zero-trust access control policy will minimize risk and attack exposure. Least privilege access, need to know, and other basic access controls are critical to mitigating and containing breach exposure. Consider using a privileged access management (PAM) solution as well.
User behavior is one of the biggest contributors to cyber attacks. This is inclusive of some of the things mentioned above, like password reuse, or use of corporate credentials on an unauthorized third-party site, and also includes things like detecting malicious phishing attempts and scams.
Invest in user security awareness training and make it a consistent part of your cyber hygiene program. It will pay off in spades. I like programs that are focused on psychology and are non-punitive to the users. (No one likes to be told how wrong they are constantly.)
Outcomes Versus Tools
There are so many security vendors and tools on the market that it is easy to be sold into a “solution” that is really just a cool toy. The old adage, “begin with the end in mind” has strong application here. Developing a list of desired outcomes from your security program, ideally driven by an understanding of risk and what is at stake, will help you invest more wisely in the program. If you are a smaller organization, it may help to bring in a consultant or a fractional chief information security officer (CISO) to assist with this exercise. Focusing on the desired outcomes and cross referencing those goals with the solutions and products available are key to maximizing investment.
Do the Math
Before you spend millions protecting something that is worth thousands, or thousands protecting something that is worth millions, do the math. Garnering a firm understanding of what financial and business risks you are trying to mitigate and the quantitative values associated with those risks is the only prudent approach to cybersecurity budget and prioritization.
The majority of security programs are very internally focused. Desktops, firewalls, intrusion systems, and web proxies, are focused on the threat emanating from the outside focused inward. This is a necessary perspective, but often the indicators that lead to an attack are ignored. Those indicators are the corporate digital exposure outside the corporate network. These indicators include stolen or leaked credentials, leaked or stolen corporate confidential documents, fraudulent domains, fraudulent applications, threat actors planning attacks, or monetizing stolen data.
This is often referred to as cyber or threat intelligence, and it isn’t just for the Fortune 500. Why does the government use intelligence? Intelligence programs inform the leadership on where, why, and the likelihood of attacks so that they know how to allocate their defensive and offensive resources. Organizations should do the same when it comes to cyber programs.
These days, cyber intelligence is available to the masses through managed services. At a minimum, have an external risk assessment done to determine your existing exposure.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I like to keep things simple. Help others. If you have a special set of experiences or skills, offer to help mentor others in this area. Not only will it help them achieve their goals and build confidence, but it will also enrich your professional experience in ways that cannot be described easily. I have always believed that you get back what you put into the universe, and this is an investment that will bring rewards that are meaningful and others will be inspired to pay it forward as well.
Given the visibility afforded by social media, you could easily take on a mentor or two by offering to help. I am eternally grateful to everyone who has helped me and I am paying it forward whenever I can.
How can our readers further follow your work online?
Most of my online work ends up in our corporate blog or news site at https://www.groupsense.io.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!