Episode Transcript
Transcripts are displayed as originally observed. Some content, including advertisements may have changed.
Use Ctrl + F to search
0:54
How's it going , james ? It's great to get
0:56
you on the podcast . You know I'm
0:58
really looking forward to our conversation
1:00
today . I think you have some really interesting experience
1:02
.
1:03
Well , I'm happy to be here and it's fun
1:06
talking after directories , so you might have
1:08
to get me to shut up at some point .
1:11
Yeah well , I can't go that deep on
1:13
active director and I guess I can , I
1:15
guess I know more than the average person . But
1:17
when we start talking
1:19
about like nesting groups and stuff
1:21
like that , it's just it's going to start
1:24
getting difficult .
1:26
Well , there's there's plenty of complexity there and
1:28
one of the issues it's happening right now is
1:30
a lot of people that learned active directory in
1:32
their 30s and 40s you know , 20 , 25
1:35
years ago are rolling out of the workforce
1:37
. They're retiring , they're
1:39
, you know , getting a nice home in Florida or , you
1:42
know , just going going back to wherever they're living now
1:44
and just having free time . And the
1:46
newest generation isn't learning active directory
1:49
because kind of seeing this dead technology
1:51
that's not going to be around in 10 or 20
1:53
years but it absolutely will be at any , any
1:56
large entity , because getting away
1:58
from it is very , very difficult
2:00
. Blue Lemon tried to do this relatively recently
2:02
, very , very aggressive planning , and
2:05
they ended up having to stay partially on prem and
2:07
now they have all those on prem costs still
2:09
there , along with the migration costs
2:12
. So you know there's there's a toll to pay
2:14
if you don't make it all the way .
2:15
Hmm , yeah
2:18
, I've always felt like active directory
2:20
is one of those like essential technologies
2:23
. You know that you
2:25
just you have to live with , you know it's
2:27
something that you
2:30
know makes your business run , so to speak
2:32
, and if you don't , if
2:34
you don't have it , it becomes a huge
2:36
undertaking and
2:39
stress on your environment . Just
2:41
because you know the like
2:44
, you need an entire team of
2:46
people to manage that custom
2:48
solution or whatever it might be .
2:52
Yeah , yeah , and it's , it's . It's interesting from
2:54
a security standpoint too , because when active directory
2:57
came on , the scene is competing against
2:59
itself with the NT40 servers
3:01
and basically Novel Network were the only
3:04
you know , relatively large players
3:06
in the game . And we had a
3:08
financial institution in China relatively recently
3:10
that was compromised . But
3:13
the hackers ran somewhere . Code didn't work
3:15
because they weren't using active directory . They're still
3:18
on Novel Network , so they
3:20
were able to catch the intruders and remove them
3:22
from the system with very limited damage because
3:24
they were running like 30
3:26
year old technology at their bank . Oh
3:28
, so
3:30
how will star galactic approach to
3:32
security ?
3:35
That's a . That's an interesting
3:38
perspective or a route to take , I
3:40
guess , in security .
3:42
I don't think it was intentional .
3:44
Right , you
3:46
know , jim or James , you know
3:48
how . How do you get
3:50
? How did you get this experience
3:52
with AD ? You know , because I
3:54
feel like you have unique experience
3:57
that not everyone is going to have . Even
3:59
you know nowadays , right , when
4:01
we're , when we're talking about AD
4:03
and people you know , kind of owning it
4:06
or teams owning it . You know it sounds
4:08
like you have a pretty unique experience
4:10
with it .
4:11
Well , I was doing a system administration
4:14
work back in like 99
4:16
, 2000 , effectively , you know , keeping
4:19
the servers up and running . You know
4:21
hardware software at a smaller
4:23
entity in down river , detroit
4:25
, and so I got to touch a lot of things
4:27
because there's a small shop and there's only two of
4:29
us . So we got to do basically everything
4:32
from from networking literally
4:34
running cables across drop
4:36
tiles , to hardware rack
4:38
and stacking to the logical networking
4:41
and logical system deployments . And you
4:43
know , it looked a lot , a lot different back in like
4:45
2000 , 2001 . It's
4:47
not the , not the same shop . Most , most
4:49
entities didn't immediately adopt Active
4:52
Directory in 2000 . But
4:54
once 2000 rolled around , everyone saw the
4:56
, the advantages to it , and I
4:58
certainly did as well and jumped on it . Because
5:00
before you had kind of a , a clergy network
5:02
deployment or you had a
5:04
bunch of NT4L servers all over
5:06
the place , you know , sitting underneath people's desks
5:08
at branch offices , and sometimes the
5:11
cleaning people come in and turn them off , like it
5:13
was . It was bad , it was real bad
5:15
. But with AD it was like the first really large
5:17
, commercially replicated database . So
5:19
you could , you know , hire someone
5:22
in New York and if they flew to Los Angeles
5:24
they'd still be able to log in with their computer without
5:26
any administrative overhead , and that was
5:28
kind of like this . This new concept
5:30
at the time is like this wild new way to
5:32
auth that didn't exist and now
5:34
we kind of take off for granted right , you can
5:36
, you can cloud off from anywhere , it's just always
5:38
there . So it's not a big deal . So
5:40
yeah , I guess being being around
5:43
for a long time kind of helps there from the experience
5:45
standpoint .
5:48
Yeah , you know it's , it's
5:50
interesting . So when I was working for
5:52
a credit bureau , you
5:55
know , I owned a Pyrla Jaxus management
5:57
solution and
5:59
a part of that was obviously
6:02
getting all of the accounts in AD
6:04
into the solution and eventually rotating
6:06
them via the solution . It
6:09
sounds like a great idea , you know , from
6:11
a security perspective , but
6:14
it adds in huge amounts of risk
6:16
to the environment if that PAM
6:18
solution is not doing what it should be
6:21
or there's bugs and things like that
6:23
. And so you
6:25
know , literally , you
6:28
know , one day , you know , my manager said
6:30
, hey , we need to put global AD into
6:33
this PAM solution . Never
6:36
heard of global AD , I had no clue what
6:38
it is right . And I go talk
6:40
to our AD guy and he goes , oh , that's
6:42
a legacy like AD
6:44
architecture that we basically can never get
6:46
rid of , because once
6:48
you started it , you know you basically can't
6:51
, can't migrate away from it , like it's almost
6:53
impossible .
6:55
So you're kind of trapped . Trapped in it
6:57
forever because all the apps you buy
6:59
integrate with it for its off store and
7:01
you're stuck with it right , like for better
7:04
or for worse , like at the hip . Demi , you're
7:06
up there , man , sorry .
7:08
No , no worries , and you
7:11
know I'm being the security person
7:13
that I am . I'm trying to gauge the
7:15
risk to the environment , right
7:17
, what's the risk of adding these
7:19
, you know , 12 or 15 accounts
7:22
into this solution ? And so
7:24
I started to ask him . I was like , well , you
7:26
know what happens if , you
7:29
know , all of our regular AD gets
7:31
locked out . You know what's the process
7:33
, right ? And he said , oh , I just go into
7:35
global AD , I could reset them all right from
7:37
there . I was like , okay , well , what happens
7:39
if global AD gets locked out ? You know
7:41
, because if all of our normal AD
7:44
gets locked out , more than likely
7:46
that issue is going to reside also
7:48
with global AD , and you know
7:50
it'll get locked out as well . And he said
7:52
, oh , if that gets locked out , we're calling Microsoft
7:54
. I was like , oh , so
7:57
it's , it's pretty serious then . So
8:00
you know , I ended up onboarding
8:02
these global AD accounts . There's
8:04
like 12 of them , but I set them all
8:06
to not rotate . You know
8:08
, that was the idea . We're not going to rotate
8:11
it right now . We're going to figure it out , you
8:13
know , as we go . And you
8:15
know , of course , this wonderful solution
8:17
that I was working with , that I refused
8:20
to work with to this day , decided
8:22
to have a bug that we were not aware of
8:24
it and when you , when you
8:27
essentially selected an individual
8:29
account to rotate the
8:32
database on the back end did not accept that
8:34
filter and it applied
8:37
it to every account in
8:39
its database . And so
8:41
you know this happened one
8:43
of our interns , you know , just
8:45
did a normal BAU task
8:48
. Right , this user's having an issue
8:51
with their password , it's out of sync
8:53
, let's just reset it and call
8:55
it a day . So 15 second
8:58
task . You know , literally
9:00
they do it every single day , all day long
9:03
. And
9:05
you know , as soon as that happened , like
9:08
, my account got locked out
9:10
. Well , that's weird . I mean , I
9:12
did just reset my password because
9:15
it was , it was that time of the quarter
9:17
for me , you know , it was
9:19
very odd coincidence . I'm like okay
9:21
, well , surely you know nothing's
9:23
going on here . And then I see , out of the corner
9:25
of my eye , my coworker
9:28
also had the same , you
9:30
know , pop up , it's time to change your password
9:32
, like okay . And
9:34
so I went , you know , back over to the console
9:37
, because now I can't get into my computer for
9:39
some reason . Once you , you know , lock
9:41
it could , literally the process is you
9:43
lock your computer , you put in the current password
9:45
and then you reset it . Well , my
9:47
current password had changed , so I
9:49
locked it and I couldn't get back in . And
9:53
I went over to my co-worker that was
9:55
still in the console and we looked
9:57
at the last rotation period
9:59
for all these accounts and it was just , I
10:02
mean , it was just fire , and through them there's
10:04
45,000 accounts on this solution and
10:06
it's , I mean it is chugging along
10:09
. And I was like , oh no , I
10:11
have to go to the 12 global
10:13
AD people and tell them to not
10:16
log out of their computer . I mean it's 4pm
10:18
on a Wednesday , you
10:20
know , like everyone is yeah
10:23
, everyone is like running out
10:25
the door , you know , and I have to run
10:27
into this room and say like , okay , no
10:29
one here is allowed to lock their
10:31
computer . You cannot log out If you
10:33
do nothing else . You have to keep your computer
10:36
awake , you know , and
10:38
like it was , it was the
10:40
worst fire drill you can imagine
10:42
because now we have to like pull
10:44
these passwords and set them back
10:47
to their old value , somehow , you
10:49
know , and because you can't have
10:51
all of your users , all you know
10:54
, 10,000 of your users , whatever it might be
10:56
, you know , first thing in the morning . Oh , you
10:58
have to reset your , your AD
11:00
account password and you have to
11:02
reset every service account password that you
11:04
own and you know it's such a mess .
11:07
That's what's really going to kill you , because they're almost
11:10
never well documented . So
11:12
like it gets reset , it's like all right , where all
11:14
is it trying to log in from ? Because it keeps locking
11:16
out even after we reset it on the boxes we
11:18
knew about and then it's like a hunt , so
11:20
very catastrophic to production for
11:22
sure .
11:24
Yeah , I guess you know it's , it's
11:26
looking back on it . It's funny because
11:29
when that happened you know literally
11:31
all of the service accounts you know 12,000
11:33
of them , or something like that got reset almost
11:36
instantly . There was no way to stop it . And
11:40
one of one of one of the managers
11:42
that I'm still friends with to
11:44
sit to today , he said
11:46
oh , on Monday I got this project handed
11:48
down from the CISO that we have to go , you
11:51
know , team by team , and reset all the service accounts
11:53
. So I guess my project just got
11:55
done , you know , in 10 seconds
11:58
. He's like I guess
12:00
I could close that out . This may have had to take
12:02
me two years . Oh
12:06
man , you're welcome .
12:09
No , it's funny because like this is a problem . Like
12:11
a lot of companies have their service accounts
12:13
and they're , they're , they're using creds
12:15
that are 10 , 15, . I've seen 20
12:17
year old credentials that are out there , right , you
12:20
know they're , they're , they're not even using curb
12:22
for off . Like it's , it's a hot mess , but
12:24
no one wants to touch them . Because the last
12:26
time those accounts got touched , you know , joe
12:28
got fired because we didn't realize what
12:30
it was doing to production . And now no one wants to
12:32
go near it because they realize it could bore
12:35
production . So it's like this this
12:37
hot potato keeps getting tossed around
12:39
. Project wise Security doesn't
12:41
want it because they don't want to mess up production . So they go to ops
12:43
and ops doesn't want it because what is this a security thing
12:45
, resetting passwords ? So it just bounces
12:47
around between different orgs until , you
12:49
know , the new guy gets stuck with it , and
12:52
that's not what anyone should want .
12:54
Yeah , even just trying to figure out what those
12:56
service accounts manage and what
12:58
they do is most
13:00
of the time it's an impossible task
13:02
because the people that created it like
13:05
literally that whole team can be
13:07
retired , like not just like change
13:09
jobs retired . You know , like
13:11
that was the
13:13
case for a lot of these accounts where you
13:16
know people were like oh yeah , we're just told
13:18
not to touch that thing because
13:20
it it does something with this
13:22
database over here and you know , whatever
13:25
it might be like that , that's literally the
13:28
description that we're getting when we're going to these
13:30
teams saying what does this do ?
13:32
No one knows . No one knows . There's
13:35
some data from interviewing , but you're not going to be able to get
13:37
everything . So
13:39
I was . I was at Microsoft and we got rid of wins
13:41
, right . So this is kind of a similar
13:44
issue , right ? This legacy technology has
13:46
odd dependencies and
13:48
they literally hunted down at
13:50
the network stack . Who always using
13:52
wins period going to
13:54
those machines and like being like who
13:57
owns this ? We need to talk to them . They
14:00
hunted all of them down so there wouldn't be any impact
14:02
. It was a huge project
14:04
and I've been on like projects
14:06
where the service count rotation comes
14:08
up because it's always a finding during security
14:11
discoveries . It's like you have a cred that's been
14:13
out here for 20 years . It's eight characters
14:16
. There's there's a problem . It's
14:18
well known credentials . It's sitting in RockU
14:20
, like this . This is extremely
14:22
vulnerable to password spray and it has
14:24
either domain admin or server admin , kind
14:27
of across North America , kind of
14:29
a problem .
14:32
Yeah , and you know
14:34
, back back when
14:36
those accounts were being created , the easiest
14:38
thing to do was to actually
14:40
just give it , you know , global
14:42
admin , right Service admin , whatever it might
14:44
be , just to make sure that
14:46
it works . And a lot of the times the
14:48
thought was , oh , we'll dial it in later , you
14:51
know , and and now we're learning 30
14:54
years later like , oh , that's a bad
14:56
idea , we probably shouldn't do that because
14:58
we never go back to it .
15:01
Yeah , it's tough , and it's really tough
15:03
in like startups that grew exponentially
15:05
from the I guess we're calling them the odds
15:07
right Now . You start small , you're
15:09
going fast , you're just doing whatever you have to do
15:11
to be operational and then next
15:14
thing , you know you're a you know , multi-billion
15:16
dollar company with an identity system that
15:18
is almost completely unusable and
15:20
so porous from a security standpoint that
15:23
it puts you at a significant financial risk
15:25
, especially for these publicly traded companies
15:27
. Now , with the SolarWinds CISO
15:29
being , you know , taken the core by the SEC
15:32
, like there's , there's skin in the game potentially
15:34
now for these CISOs , like personal liability
15:37
, not just job stuff . So
15:39
it's it's going to be really interesting to see how that
15:41
case turns out . It's going to affect the industry
15:43
, I believe .
15:45
Yeah , absolutely . You know , I actually
15:47
have a friend that's at a company
15:49
that is still , you know , it
15:51
still feels like they're in their startup
15:54
phase . They've been around
15:56
for maybe , you know , 10 , wouldn't
15:59
be any more than 15 years , and
16:03
he said that when he took over
16:05
as the IAM director right
16:07
, he was just trying to get a lay for the
16:09
land and see what they had
16:11
. You know , they were predominantly
16:15
in Azure , right , so
16:17
it shouldn't be that terrible . And
16:19
he discovered that they had like over 400,000
16:22
accounts , you know , and
16:25
they had accounts just
16:27
sitting there , you know , not doing
16:29
anything at all , and
16:31
his first task was to , you know , obviously
16:34
limit the attack surface across
16:36
these accounts . Well , how do you , how
16:38
do you do that ? How do you even get started
16:40
, you know , and I actually spent probably
16:43
a week or two . I should have charged
16:45
them some consulting fee , because I spent like
16:47
a week or two with them , you know , kind of devising
16:50
this plan of how he can go about it
16:52
without causing any outages .
16:55
Yeah , that's the big one not causing any outages
16:57
. It's really easy to fix all the accounts . It's
16:59
very difficult to fix them without causing
17:02
any impact .
17:03
Yeah , yeah
17:05
, it's challenging and the Cloud doesn't
17:07
really make it any easier , you know , because
17:10
it probably
17:12
I mean it makes it more
17:14
difficult because you're so easily
17:17
able to attach these
17:19
accounts to whatever you want in
17:21
Azure , in AWS , you
17:25
know , and it's just , it's
17:28
too easy for developers to
17:30
do that .
17:32
Yeah , it's double-edged sword , right , so you
17:34
can dev fast , you can move quick . But
17:37
suddenly your test environment is
17:39
now labeled production and you only had security
17:41
controls in there for test environment and now
17:43
it's being pushed to prod , along with
17:45
all of these vulnerabilities . The
17:47
biggest thing for on-prem AD for the longest
17:50
time and still today , is developers choosing
17:52
to use NTLM auth instead of
17:54
Curve right , ntlm
17:56
has been broken for a very , very
17:58
, very long time now
18:01
over 15 years . V2
18:03
is pretty good , but almost everyone has
18:05
V1 backwards compatibility
18:08
turned on , so their legacy apps continue
18:10
to work . So devs just hey , let's do
18:12
NTLM . It's fast , it's quick , it's easy , there's
18:14
templates for it and we can get rolling . And
18:17
they sell the app and the company buys the app and they're
18:19
like all right , security team implement this . And they're like wait
18:21
, this uses NTLM . Why
18:23
did we buy this ? Wait
18:25
, this is gonna be a huge problem and
18:27
orgs , especially larger orgs
18:29
, will often buy applications without
18:31
security review . They won't look at their
18:34
dependencies , they won't look at
18:36
how they're built from a security standpoint . They only
18:38
look at , hey , this fixes this big problem and
18:40
it's gonna make us X amount of money , or if it's gonna
18:42
save us Y amount of money Security is very rarely
18:44
a part of that conversation , and
18:47
that's detrimental to all
18:49
of these organizations .
18:52
Yeah , that's a really good point . So
18:54
you mentioned earlier that
18:56
you worked for Microsoft , right
18:58
, so can you talk to me a
19:01
little bit about that
19:03
experience ? Oh sure
19:05
, I was working to work for Microsoft , at
19:09
least on one of their core products
19:11
. I mean , I don't know if you were on the product team or if you
19:13
were on another team that specializes
19:16
in AD , right , but what is that
19:18
like ? Because that's a core technology that
19:20
95 , 98%
19:23
of every company out there uses
19:26
as their directory service .
19:28
I was at a weird point in time
19:31
for Microsoft they had just figured out that , hey
19:33
, as Android things getting really big , we
19:35
need a Windows phone . So I was on the WinPhone
19:37
project . One of the issues they
19:39
were having there is at the time Microsoft
19:41
was very , very siloed
19:44
, like Office was a completely
19:46
different team from OS was a completely
19:48
different team from server
19:51
, and these orgs didn't
19:53
really communicate with each other . Each one kind of functioned
19:55
like a fast moving startup and they
19:57
all rolled their code up into a central repository
20:00
, and this was especially true for WinPhone . I
20:02
was supposed to be using the same code as Windows
20:05
8 , right , so you have a unified desktop phone
20:07
experience . It's actually good , but couldn't
20:10
get anyone to dub for it , and we all know how the WinPhone
20:12
ended up turning out . It was
20:14
a great phone , but no real adoption . So
20:17
, anyways , it was a really interesting environment
20:19
because from a technical standpoint you
20:22
couldn't do a lot of what you needed to without
20:24
blessing from MSIT , kind
20:26
of the key holders for all
20:28
the different teams . All the different teams have their own admins
20:31
and architects , but at the end
20:33
all of the access is controlled by MSIT
20:36
. So it's really interesting
20:38
. Kind of look at it as a company
20:40
that buys other companies and adjust them
20:42
and continues to let them do their own thing , but
20:45
occasionally sticks their finger in the pie . It's
20:48
a very , at the time , combative
20:50
environment , but the people were really great
20:52
. It was fun . It was a fun job .
20:57
That's really interesting . I wonder how
20:59
that has played out with
21:01
Azure . Now , just
21:04
the nature of the cloud right , you have this giant
21:06
hypervisor that
21:10
probably a handful of people actually
21:12
have access to , and
21:14
how is that
21:17
kind of administered and managed
21:20
and whatnot , right ? Like , I
21:22
always think about it as like the
21:26
worst kind of attack for any cloud
21:28
would be to get access to that hypervisor
21:31
. And , yeah , there's environment
21:33
escape , exploits and things like
21:35
that , right , but no one
21:37
is actually logging directly into that
21:39
hypervisor . From an
21:41
attacker perspective , no one's actually logging
21:43
into that thing . And then , seeing the
21:46
tens of thousands of accounts that this cloud
21:48
provider may have , I'm
21:52
always interested to see how they protect
21:54
it , and I've done a little bit of research into Google and
21:56
how they protect theirs , and
21:58
I mean , from how they make it sound , there's like 12
22:00
people at Google that have access to
22:03
a server and a data center that
22:05
is like highly replicated across the
22:07
globe that gives this
22:09
access , and they invoke
22:12
some sort of just in time access for
22:14
admins that need to access maybe
22:17
a customer specific hypervisor
22:19
.
22:21
Yeah , it's interesting because with all
22:24
cloud providers you don't really have physical
22:26
separation . You have logical separation but
22:29
it's not physical . I mean your virtual
22:31
machine for your active directory
22:33
DC sitting out in the cloud could be on
22:35
the same physical hypervisor as
22:38
a VM owned by the CCP or
22:42
one of these ransomware , because it's pretty
22:44
easy to buy a hypervisor . So
22:46
for physical escapes there's still very , very
22:48
edge case kind of stuff like Rohammer's been
22:50
out for a while and there's all these CPU
22:53
vulnerabilities that are flying around . But
22:55
without physical isolation you don't really
22:57
have true security and
23:00
it's easy to go for the hypervisor out
23:02
because hey , look , I'm up to money , we're saving
23:04
, we don't have to rack and stack something and
23:06
it's great from a cost standpoint . And that's been true
23:08
for a long time . So the past couple
23:10
of years when the large cloud providers
23:12
realized , hey , we got these people like cook
23:14
line and sink or they can't just leave us without a huge
23:17
project so we can raise our rates
23:19
, right , this is the same thing kind of happened with Uber
23:21
and Lyft . Like it was really cheap when you first started
23:23
using Uber , like a nice town
23:25
car picked you up for like $5 , took
23:27
you anywhere you want , and now you're in the back
23:29
of like a beat up Prius that smells
23:32
absolutely awful and it's like third
23:34
round of seat covers and
23:37
that's the prices going up in the
23:39
cloud environment . And it's tough for
23:41
a lot of our larger customers because they
23:43
feel stuck and they feel manipulated
23:45
and they feel controlled and they don't
23:47
like that . And large companies can
23:49
make a switch very quickly if the
23:52
wrong person gets pissed off the
23:54
one Fortune 100 I'm
23:57
thinking of in particular . There's a
23:59
rumor of a backyard barbecue
24:01
in Redmond and they were talking
24:03
with some Microsoft reps there and there
24:06
may have been a few drinks that have happened at this barbecue
24:08
. This is all a legend , second information
24:10
, so I can't validate
24:13
its authenticity , but apparently the Microsoft
24:15
reps said well , you don't have any other option , we're the only
24:17
game in town . And it pissed
24:20
the other guy off and six months
24:22
later they were on GCP .
24:28
Wow , that is substantial . You
24:31
have to . I feel like when
24:34
you're in that sort of situation , you have to gauge
24:36
what kind of personality
24:38
not just that you're
24:40
dealing with in that individual . You
24:43
got to think about the personality of the person
24:45
in that role , what
24:47
it takes to actually get into
24:49
that role . Let's just
24:51
assume , right to CIO
24:54
, cto , something like that , right , what's
24:56
the kind of personality of a
24:58
person that is typically in
25:00
that role ? Someone
25:02
that doesn't like to be told no , Someone
25:05
that probably takes
25:08
that sort of wording as a challenge
25:10
. You know , and
25:12
now you're in this situation of you're losing
25:14
probably one of your biggest customers because
25:18
of a sales rep .
25:20
Yeah , that had maybe one too many drinks at
25:22
a barbecue . It's a very silly
25:24
way to lose a very big contract .
25:27
Yeah , I mean that's
25:29
a really stupid way to get fired .
25:32
Yeah , I don't know what happened to the guy
25:34
that caused the whole thing , but
25:36
I have to imagine he's not working there
25:38
anymore .
25:40
Yeah , probably not . I
25:42
mean , what other
25:44
solution are they left with at that
25:47
point ?
25:47
Like man , yeah , yeah
25:49
, and I'm seeing other clients do
25:51
similar things . Right , they're not
25:53
going all in on one provider , they're kind
25:55
of dipping a foot in provider
25:57
A , dipping a foot in provider B and
26:00
even setting up pretty interesting failover . So
26:02
if provider A goes down for whatever reason
26:04
, they can hot swap back over to B
26:06
for some redundancy . But it also gives
26:08
them cost negotiation , right , because
26:10
now they can suddenly go oh hey
26:12
, provider A , well , provider B is charging us 40%
26:16
less for this . I think we're just going to move our
26:18
stuff over there , and then suddenly there's
26:20
room for negotiation and price of services
26:22
.
26:23
Hmm , yeah
26:25
, you know it's a . It's
26:29
interesting . I've
26:31
seen it from multiple angles
26:33
. I feel and
26:36
I was at a company that they
26:39
were a Microsoft shop from
26:41
the beginning and
26:44
they bought pretty much everything that
26:46
Microsoft sold . If Microsoft sold
26:48
it , they bought it . It wasn't
26:50
even a question . It always
26:53
seemed like we had an unlimited budget when it
26:55
came to Microsoft . But when we were talking
26:57
about like Symantec , right
26:59
, symantec , like EDR , which isn't even
27:01
an EDR , which is terrible , you know
27:03
, it's so low on the magic quadrant at that
27:05
time you know I don't know about the product now
27:07
, but at that time it wasn't even considered
27:09
a top tier EDR . And we're
27:11
penny pinching . You know , this
27:14
solution that we desperately need , that
27:17
isn't even supposed to be that great right
27:19
. And their whole , their
27:22
whole Azure . You know , methodology
27:24
was if we only
27:26
want network closets on-prem
27:29
, the rest of it will live in Azure
27:31
forever and
27:33
we're not going to migrate away from it . And
27:35
I , you know I just asked them
27:37
I was like , well , what if there's something that , like Microsoft
27:39
does that we can't live with ? You know , like
27:41
what if some insider threat
27:43
happens at Microsoft ? And
27:46
you know we have a lot of proprietary information
27:48
that makes a lot of really
27:50
wealthy people , even more wealthy
27:53
because it's a financial firm , it's an investment
27:55
firm , right ? So , like we
27:57
have a lot of proprietary stuff , and
28:00
what if you know all
28:03
of our eggs in one basket and someone
28:05
breaches it right and takes that information
28:07
without us knowing and they're like , oh
28:09
well , that will never happen . Like
28:11
well , what if it does ? Because
28:14
you know there's one
28:16
account for each
28:18
of the big three cloud providers where
28:20
something very suspicious
28:23
happened . You know where a
28:25
new startup is creating some new product
28:27
on you know X cloud
28:30
right , and then magically
28:32
, right out of the blue , just before you're about to
28:35
launch , that cloud provider
28:37
launches this exact same solution
28:39
, exact same interface , with a
28:41
different logo , and now
28:43
you're out of business before you even hit
28:45
the street . You know .
28:47
If you want true security it has to be
28:49
physical . You can't have shared infrastructure
28:51
and security coexist . It's
28:54
just not the same . Physical
28:56
boxes will always be more secure
28:58
than any sort of hypervisor , not because there's active
29:00
vulnerabilities for VMware
29:03
, hyper-v or anything , but because
29:05
there's always the potential for those active vulnerabilities
29:07
. I mean , look at how many CVEs have existed
29:09
for Citrix throughout the years . Seems
29:11
like every six months we hit a new publicly
29:14
facing CVE that's like oh yeah
29:16
, they can pivot to domain admin from
29:18
the cloud , they can pivot
29:20
to domain admin from the admin interface
29:23
. As this configuration like there's
29:25
risk to opening those things up and over
29:27
the past couple of years we've seen the
29:30
penalties to that . Right , all of these network
29:32
devices that are opened up . You know octa
29:34
, I mean the list goes on and on . So
29:36
if you really if security is number
29:39
one and it matters for
29:41
the core of your business and your existence , maybe
29:44
on-prem those right , because there's always a possibility
29:47
on shared infrastructure that if someone
29:49
else has the keys that your proprietary
29:51
information is going to go for a walk , you
29:53
don't see Coke storing their magic
29:55
recipe in the cloud , right ?
29:59
Yeah , that would not be
30:01
a good situation , that's
30:03
for sure . You know , like I
30:06
actually had someone
30:08
on previously that
30:12
wrote a book about
30:15
how oh , james Lawler , that's
30:17
his name about
30:19
how , you know , this is a fictitious
30:22
you know scenario or whatever
30:24
, but I always question how fictitious it
30:27
actually is because of his background
30:29
. You know he was actually a spy for
30:31
the CIA , right ? So
30:35
it's his book .
30:36
It was a hypothetical . It's a hypothetical
30:38
.
30:38
It's a hypothetical with strong quotations
30:40
around it , you know , because I'm
30:43
literally reading his book and I'm like man , this is
30:45
all like , very , just so probable
30:47
. You know , and
30:49
in one of the books , you know , the agency
30:52
moves into
30:54
one of the big cloud providers . Right , he
30:56
used a different name , but it sounded like AWS in
30:59
my opinion , maybe because I'm a AWS
31:01
guy . Right , and
31:04
sure enough , foreign adversaries
31:06
immediately start targeting
31:08
the employees at this cloud provider
31:11
. And you know , it
31:14
leads me down this thought path of
31:16
you know , the employees at these
31:19
cloud providers . They're typically pretty well paid
31:21
. I mean everything that I've seen
31:23
. They're pretty well paid . And
31:26
so for a
31:28
foreign adversary to come into this situation
31:31
and offer up , you know , a check
31:33
of like oh , you know , you want your
31:35
yearly salary and one check
31:37
like well , here you go , we just
31:39
need this little script to run . You
31:42
know that's 10 lines we needed to
31:44
run on your core server or whatever
31:46
it is . You know , I feel like
31:48
that's a very real possibility
31:51
. And even me , being a cloud guy
31:53
now , you know , I only
31:56
do the cloud as far as I'm concerned , at my company
31:58
on prem doesn't exist . And
32:02
you know , I always
32:05
have that paranoia of well
32:07
, how do we protect something that doesn't reside
32:09
on hardware , that we do not
32:11
own , that we cannot go physically
32:13
pull the plug on ? How do we ensure
32:16
you know that even insider
32:18
threat is , you know , protected against in this
32:21
scenario ? It's tough .
32:24
I mean , look at stuck snap right . So there's
32:26
many information is coming out fairly
32:28
recently that it looks like a Dutch
32:31
person was working for stuck snap
32:33
and floated in a USB through
32:35
the water system and then got that into
32:37
the software . But
32:42
and that's a completely air gapped , physically
32:44
locked environment and they still were able
32:46
to get a USB stick in there and plug
32:48
it in and run stuck snap . So
32:50
there's always going to be the risk of that
32:53
physical layer being traversed
32:55
, even in extreme environments , which
32:57
is why defense in depth is so
32:59
important . If there'd been policy set
33:02
up for that environment
33:04
that didn't allow USB drives
33:06
to be attached , that would have never happened . And
33:08
that's really straightforward , simple , basic
33:10
policy that no one is probably worried about
33:13
is because , hey , we're in this high security environment
33:15
, everyone gets searched before they come in . There's no way
33:17
a USB stick can make its way in and it
33:20
did . So
33:22
I mean , the defense in depth has a lot of , a lot
33:24
of pros there to help mitigate risk , but
33:26
you'll never remove it completely .
33:29
Yeah , it's very true . You know
33:31
, when I , when I did some government work
33:33
earlier on in my career , I've
33:36
been in some very uncomfortable situations
33:39
where , you know , I answered
33:41
a last minute phone call on my cell
33:43
phone in their lobby , you
33:45
know , and I mean these
33:48
guys , these security guards that they have
33:50
, I mean they're , they're larger than
33:52
life , they look like they used to play
33:54
, you know , collegiate football . Right
33:57
, they look like they could separate your head from your body
33:59
you know in the blink of an eye
34:01
right and I mean
34:03
they see this cell phone go off . I think they they
34:06
have to have some sort of monitor or something
34:08
, you know , like behind
34:10
their desk that like goes off if the
34:12
cell phone is in use Because
34:16
, like I mean , I sent a text , you
34:18
know , and they were on top
34:20
of me . They were like what are you doing ? I'm like
34:22
I'm in the lobby man , like I'm literally
34:24
cleared to be here . You know
34:26
, it took me a day to get clearance to be
34:29
here . You guys know who I am
34:31
and they're like no , you have to go
34:33
out the front door , like right now
34:35
. If you make that mistake again , like we're going to arrest
34:38
you . You know , it's like geez
34:40
, like where the hell am I ?
34:43
Yeah , it's interesting . So we start
34:45
talking about high security or
34:47
gov . The air gap is treated
34:49
very seriously for a lot of those environments
34:52
. I
34:54
was part of a team that did a
34:56
roll out a secure actually
34:58
directory forest deployment for a completely air gap
35:01
environment that had to be able to
35:03
send out the data periodically
35:05
and the solution here was pretty
35:09
, pretty interesting . There was one machine
35:11
that was set up with dual
35:13
sets of very high throughput
35:15
NICs and basically because
35:18
the data set that needed to come out wasn't massive
35:20
but it was sizable , so
35:23
when the data needed to come out I was moved to
35:25
this temporary holding pattern . They called it a lock
35:27
server and then the data was transferred from
35:29
that server to an intermediary and
35:32
then the connection was severed and it was connected
35:34
back to the internal network and then
35:36
that intermediary then moved the data to
35:38
production , then had its network connection severed
35:41
. So they were air gapped , logically
35:43
by network
35:45
throughput , right , and you needed two people to basically
35:48
open the network , which was pretty
35:50
interesting solution for something that
35:52
had to stay safe .
35:57
I wonder what that would
36:00
have even been , because , like you
36:02
know , when you say it takes two people to do
36:05
this thing , you know you're not able to do
36:07
it without it . I mean , the very
36:09
first thing that comes to my mind is well , what
36:11
else in the government works like that that we know
36:13
of ? Oh , nuclear missile silos
36:15
, you know , like
36:19
that's the only thing that I know
36:21
of . You know that operates like
36:23
that , where it's like okay , we need these two people
36:25
, and if we don't have the two people , like we're
36:29
screwed right .
36:31
The nukes get a lot of publicity because of
36:33
all the movies , right . But
36:35
there's use cases for this in the wild , even
36:37
in public companies . For unlocking , basically
36:40
, great glass creds , you need more than one person
36:42
to turn the key .
36:46
Okay , yeah , I've seen solutions
36:48
like that , where it's like a just-in-time
36:50
access , you know with Azure
36:53
, where you have some , you know , global admin
36:55
account or something like that and someone else
36:57
needs to approve it and you get multiple approvers
36:59
Right . Yeah , you get a certain amount of
37:01
time to actually use the
37:03
account and everything is logged and
37:05
watched .
37:07
Yep Screen recording for the full session and all
37:09
that good stuff .
37:10
Yeah , you know , we kind of
37:13
glossed over it and maybe
37:15
that's it's the most interesting
37:18
part for me is the
37:21
Stuxnet Water USB thing
37:23
. So what recently
37:25
came out Because
37:28
I've been very fascinated
37:30
by Stuxnet , you know the engineering
37:32
, the ingenuity that went into it , everything
37:36
around it , you know it just
37:38
fascinates me right . It's kind of
37:41
what even pulled my interest
37:43
into security . That was the thing
37:45
that I was like oh so
37:47
I can literally spend my entire life and
37:50
, you know , not learn everything , right
37:53
. So what's
37:55
this water USB ?
37:57
infiltration method . The
37:59
original story was that it was USB-seeded
38:02
in the parking lot . Someone picked one up and
38:04
plugged it in somewhere . Perfectly
38:07
plausible story , and relatively
38:09
recently there was some information that came out I can't
38:11
verify its authenticity , it's just an article
38:14
right that it was a Dutch contractor
38:16
working at the facility that was
38:19
being paid for this right and they
38:21
received some sort of monetary reward
38:23
, or maybe it was a service , who knows
38:25
what it was . But they used
38:27
a water inlet allegedly to smuggle
38:30
in this USB . Because they were part of the
38:32
cooling area that they knew very well and
38:34
they were able to get something physical that floated
38:37
into the facility . And
38:39
because they're able to do that , they just
38:41
were able to plug it in . And because of the way Stuxnet
38:44
worked , it spread far
38:46
and wide very quickly and it's very hard
38:48
to tell where it came from originally .
38:51
Wow , yeah , you
38:53
know , that's the part that
38:56
always kind of got me
38:58
hung up was actually infiltrating the
39:00
USB-in right
39:02
, because I mean I've been
39:05
to secured facilities
39:07
that are not at the same level as
39:09
that facility would be and I was
39:12
padded down and I had to go through some
39:14
special scanner that
39:16
takes an uncomfortable depth of
39:18
look into me . You know , like
39:20
they'll know , I have cancer , for
39:23
instance , like before my doctor will know . You know
39:25
, like
39:27
it's .
39:28
Yeah , you don't want that guy to tell you to , hey , go get checked
39:30
out on your way out . You know , go
39:32
see your doctor , man .
39:34
Yeah , yeah , I think
39:36
you got a lump . You're right . It's
39:40
like , oh you .
39:41
Yeah , you say , see you later . He says maybe that's
39:43
a problem .
39:45
Yeah , exactly , you
39:48
know like , well , that's the part
39:50
that like I always had issue
39:52
with , because I mean I
39:54
couldn't get
39:56
anything past these guys right , and I
39:58
wasn't . Again , I wasn't actively trying
40:01
to . You know , I didn't want to end up in handcuffs
40:03
. I do like my freedom , but
40:08
still , you know , thinking through it , it's
40:10
like okay , well , there has to be an insider threat
40:12
somewhere . You know that's
40:15
allowing this thing in , but
40:18
bypassing it through the water system
40:20
. I mean , that is something that's
40:25
really fascinating .
40:26
Who's going to check it right ? Who's going to filter
40:28
the incoming water to make sure there's not floating USB
40:30
sticks in it ? Right , Real
40:33
edge case stuff , man . But there's almost
40:35
always like a way in , and
40:37
that's a pretty good example of it and I'll
40:40
give you another one . Right ? So those the scanners
40:42
you keep talking about . So , for I
40:45
did lots of consulting , so for years I would
40:47
fly , fly in my poor backpack
40:49
, finally gave up the ghost . One day the strap broke , so
40:51
I grabbed my wife's and
40:53
I started flying it and think anything of it and
40:55
I just fly into like two , almost
40:57
three years and the backpack went
40:59
off in a scanner . I was having like already a
41:01
bad day and things kind of went
41:03
sideways with a client
41:05
. Like it was not a great situation . So
41:08
I'm already like irritated , which doesn't justify
41:10
what happens next , but it's just like
41:12
a precursor on on , not a bad person
41:14
, let me . Let me add some some
41:16
, some story here . So I go
41:18
through security and through the security of this backpack
41:21
many , many , many times , like two or three years of
41:23
traveling and it flags All right , whatever we
41:25
go through the random check and it's fine . And
41:27
we got to send your bag back through . All right , whatever they
41:29
send the bag back through , they're looking through it like
41:31
really extensively . I have the whole thing inside it out
41:34
, everything out , like separated individually on the table
41:36
. So I'm getting a little irritated . I got
41:38
like another like five or 10 minutes for have to be anywhere
41:40
, so it's fine . And they send it through again . Same
41:43
rigor , merold . And they call some new people over like
41:45
hey , what's going on here ? Guys , I've been using this bag for
41:47
almost three years now . Can I , can I get to my flight
41:49
? And everyone there was like really sympathetic
41:52
with me , except for this one person who's just like
41:54
there's something in this bag , I just know
41:56
it . So they send it through like two
41:58
more times and eventually their
42:00
face just lights up and they reach into the bag
42:03
and like they're really in there and they
42:05
pull out a box knife that I had no idea
42:07
was in there , because my wife used to work
42:09
at Target , you know , 10 years ago , and
42:11
it was her bag and it'd
42:13
been in there for almost three years and the TSA
42:15
never caught it . So like even
42:18
pretty good systems don't always
42:20
work , yeah .
42:23
I I hesitate to call the
42:26
TSA a good system . Um
42:30
well , it's not like , I suppose
42:32
. Yes , it does beat nothing . Um
42:38
, the reason ? The reason is because , like I read some report
42:40
by uh , what was it ? It was like the , the federal air marshals
42:42
or something like that , where they actually test
42:44
, you know if TSA is going to catch something or whatnot
42:46
.
42:49
Right , I'm
42:52
sure they were able to get in no issue , right .
42:55
Yeah , I mean they said that they were able
42:57
to , like , smuggle guns through TSA
42:59
and knives , and you
43:01
know they said that there was basically
43:03
no limit to it , like they could get through
43:05
anything that they wanted and TSA
43:08
it was a staggering amount . It
43:10
was something like 96 , 97% of the
43:12
time TSA would let it through .
43:15
Another example . Yeah , I
43:17
mean I don't mean interrupt , but I uh I long
43:20
story . I was flying , I was in Atlanta
43:22
to visit my um , my grandfather , and
43:24
he had this like really like
43:26
old school pair of like sewing . So there
43:28
was like huge meaty , like giant
43:31
scissors and without thinking about it , I just
43:33
threw them on my backpack , went to the airport . You know
43:35
, I on the plane , going into my pouch
43:37
, kind of you know looking for a snack , I see these gigantic
43:39
metal scissors . I'm like how did TSA
43:42
not find this ? This looks like a huge knife
43:44
on the X-ray Right , like
43:47
they're huge . There's no way to miss this Like
43:50
this big .
43:52
Yeah , it's , uh , it's
43:54
crazy , but they'll find the water bottle . You
43:56
know that you forget was full .
43:58
They'll get . They'll get bad every time . But they
44:01
won't get the weapon Like also
44:03
get your energy bars , because you , if
44:05
you take more than like a , like a half
44:07
dozen energy bars on a trip , apparently
44:10
it looks like a plastic explosive at the
44:12
bottom of your bag .
44:13
What .
44:14
Yeah , I eat a lot of energy bars . They're
44:17
convenient food on the go . I'll just throw them all
44:19
in the bottom of my bag and then head off and uh
44:21
, I don't do this anymore Cause like I
44:23
got stopped and it was like the whole rig room roll
44:26
, search , big delay . And then
44:28
they call some other people out to look through the bag real
44:30
carefully and it's just like those are just
44:32
like cliff bars , guys , come on , what's
44:34
going on here ?
44:36
Wow , you know
44:38
, james , we , we , we
44:41
just went like 44
44:43
minutes right and we didn't even talk about your
44:46
, your company , you know
44:48
. So let's uh , let's
44:50
talk a little bit about what you're
44:52
doing now . You know what , what the company
44:54
is and everything like that , what services
44:57
you provide , and we'll dive into that .
45:00
Oh sure . So , uh , I found a DSE
45:02
back in 2019 after doing a
45:04
lot of work for the big four and
45:06
I kept kind of asking myself , like , why
45:08
isn't there a smaller organization doing active
45:11
directory security like this ? I mean , there's there's
45:13
no reason to pay all this overhead for the big
45:15
four , you know , financing
45:17
their , their leases and their 30 foot table
45:19
and all the commercial real estate , when we
45:21
could start an org without those things and offer a
45:23
better price for our customers with the
45:26
same quality of service . So , like
45:28
, let's do it . So we , we , we found it in 19
45:30
and that's kind of what I've been doing ever
45:32
since , transitioning from being highly
45:34
technical to the absolute
45:37
uh , uh , battlefront that is
45:39
, trying to be a leader and a mentor . It's a
45:41
. It's a much , much different job and it's been very fun
45:43
and I've learned just a ton over the past couple
45:45
of years . But we , as I alluded to , we specialize
45:48
in a security run active director . We have
45:50
a active degree security health assessment
45:52
program , our AD Shaw . Basically
45:54
, we use a lot of the tools that actors use . We
45:57
come in as if we were a threat actor . We , we
45:59
show you where the holes are , we prioritize
46:01
them by difficulty to resolve
46:03
and criticality . So you can kind
46:05
of prioritize , because you're not going to be able to fix everything no
46:08
one is it's . It's impossible to fix everything
46:10
, but you got to get the big stuff right , the
46:12
main arteries , anything that's critical
46:15
you know , get those solved and that's going to prevent
46:17
the majority of the threat actors , and that every
46:19
threat actor is an APT right . A lot
46:21
of them are newer and amateurish
46:23
at best and they're just using off the shelf tools
46:25
and if you can stop the majority
46:28
of those , it gives you a much better chance
46:30
against the , the APTs
46:32
and the more you know financed
46:34
threat actors that are out there . In
46:36
addition to that , we do AD migrations
46:38
as well , kind of an emphasis on security . There A
46:41
lot of orgs will just dump everything from point
46:43
A to point B and that really is
46:45
a recipe to bring some pretty bad exploits
46:47
into your environment . If you you don't know what
46:49
you're , what you're doing , anyone can migrate
46:52
a directory environment , doing it without
46:54
compromising the . The final
46:56
destination that is . That is kind of the
46:58
sticky part . That's who
47:00
we are , that's what we do . If
47:03
you want to reach out , we're on dseteam
47:06
and LinkedIn and obviously the
47:08
social gambit there .
47:13
Yeah , absolutely
47:15
. I have a question around
47:17
the mentality of starting
47:20
a consulting company . I
47:25
started mine in 2019
47:28
and I've been fortunate enough
47:30
to have a couple of customers here and there . When
47:35
I started it , I was like
47:37
, okay , this is
47:39
stupid , nothing's going to come of it . Who
47:41
would trust me to pay
47:44
me to come in and
47:46
give them any sort of advice ? They probably already
47:48
have the experts internally . What am
47:50
I doing ?
47:51
And posture syndrome . Man , it's powerful
47:53
.
47:54
Yeah , absolutely , and
47:56
I'm glad I still went forward with it
47:58
, I still went down that path
48:00
and still did it and everything else like that
48:03
. But how
48:05
do you overcome that ? Because I
48:07
feel like it might have been a little
48:09
bit different , if it existed for you at all
48:11
, because you worked for Microsoft
48:14
and now you're starting a consulting firm
48:16
that specializes in AD
48:18
security . So
48:20
I mean , at least for me , if
48:22
I was going to start a consulting firm in AWS
48:25
and I already worked for AWS
48:28
, I don't know Maybe I would
48:30
feel like , okay , I got this thing
48:32
, there's nothing that they can ask me that
48:34
I won't be able to answer . But
48:37
did you experience anything like that , or was
48:39
it a different sort of feeling
48:41
for you ?
48:42
No , I think I'm pretty sure everyone
48:45
gets imposter syndrome . It's just not everyone
48:47
admits they have imposter syndrome
48:50
. It's scary man , it's scary
48:52
. But you have to kind of just take
48:54
yourself and what I do . This works
48:56
for me and your mileage may vary . I
48:58
just throw myself into the fire , right ? Whatever the
49:00
new thing is , I'm just going to put myself in a situation
49:02
where I have to learn it and I have to figure it out , and
49:05
typically I come out of that on top
49:07
or I learn something , and
49:09
either way that's a win and
49:11
a long enough time horizon . But
49:14
it's tough , right , it's tough to put yourself in a situation
49:16
where you're giving answers as an expert
49:19
early in your career because you may only have a couple years
49:21
of experience . Right , you
49:23
may only know what you know and that's
49:25
okay . Right , that's how you learn . Go out
49:27
there and make mistakes . Take that job
49:29
you don't think you're qualified for
49:31
and just learn the crap out of it and really better
49:33
yourself in your career there . It's hard
49:36
. It can be very stressful . I've
49:38
certainly had plenty of stress running
49:41
a business , like actual physical
49:43
problems from the stress , like heart issues , you
49:46
know , hair loss , like
49:49
you stress yourself out enough and your body will
49:51
make you slow down . You won't have a choice
49:53
in it , and that's kind of how I find
49:55
my limits is . When I run up against
49:58
that wall , I'm like , okay , well , I
50:00
physically can't go on , I need to dial it back and
50:02
get more intelligent about how I'm
50:04
doing this . But absolutely imposter syndrome
50:06
every single day of my life . It's
50:08
always there and I'm thankful for
50:11
it because I think it motivates me to a certain extent
50:13
to be better , because there's always someone smarter
50:15
, faster , better , stronger
50:17
, more wealthy out there and the goal is
50:19
trying to catch up to them as quickly as you can .
50:21
In my opinion , yeah
50:25
, it's
50:27
difficult to overcome . You know that
50:29
, just getting into that mentality
50:31
of , okay , I don't know what
50:33
I'm doing today , but tomorrow
50:36
I'm going to know more than what I do today , you
50:38
know , and that's positive
50:40
, that's positive movement , you know , that's going in the right
50:43
direction it's really difficult
50:46
to kind of get into that mentality
50:48
and just accept it and be like , okay
50:50
, I'm not going to know everything , but I can find
50:52
out . And I think that was , I think that
50:54
was the biggest thing for me
50:56
when I got those first couple of customers . You know , I
50:59
was providing consulting on a solution that personally
51:02
I hate . I absolutely hate everything about
51:04
the solution . I wish I
51:06
didn't get the experience that I did , because
51:10
even to this day , you know , I
51:12
get calls of people being like , oh
51:14
, do you want to work on this solution ? Just name your number
51:16
and like , no , I actually
51:18
have no interest in
51:20
doing anything with this solution . And
51:26
you know one , I think
51:28
one of the biggest selling
51:30
points was hey , I know
51:32
, you know all the key players at this
51:35
company . If I literally cannot
51:37
figure it out , I'm going to go ask the guy
51:39
that made it , you know , and get you the answer
51:41
that you need . And that
51:43
was something that no one else was able to offer
51:45
them . You know , because you have all these
51:48
other bigger consulting firms that
51:50
are kind of more reliant on
51:52
the internal talent and skills
51:55
and you know that internal talent
51:57
and skills is getting trained by the experts that
51:59
built it . But they still don't have that . You
52:02
know that connection to where they can go
52:04
and ask that person . You know on
52:06
demand , like hey , what is this thing
52:09
, what is it doing ? What's the snippet of code
52:11
? How do I get around it ? Things like that
52:13
. It's
52:16
an interesting mentality that you have to have , I
52:19
feel , to feel like you're capable
52:21
, you know , of providing
52:23
services that are worth money to
52:26
some company that can , you know , dissolve
52:28
your company overnight .
52:31
Yeah , yeah , I mean absolutely
52:33
like working with some larger organizations
52:36
like Fortune 500 , fortune
52:38
100 , it's very scary because
52:40
you and your you know entity of like
52:42
50 people are a rounding error to
52:44
them , right ? If there's any sort of you know
52:46
legal issue , it doesn't matter if you're on the
52:48
right or wrong , they're going to outspend you . So
52:51
all you can do is do the
52:53
right thing , do as much of it as you can
52:55
and do as best as you can , and
52:57
it's been working out so far for me . Growing
53:00
up thought a lot of extra money helped with this mentality
53:03
of figure it out , because you know
53:05
as really young it was . Hey , my car's broken
53:07
. Well , I can't afford to have it fixed , so
53:09
I better figure it out . Right , pick
53:11
up a wrench , order some order , some parts
53:14
and , okay , let's figure out how this thing goes
53:16
together . It's just like Legos , right ?
53:19
Yeah , yeah , it's a , it's
53:22
a skill set that helps you in a lot
53:24
of different areas . At
53:26
least , that's that's my opinion of it . But
53:29
you know , james , I
53:31
always try to stay on top of my time with
53:34
all of my guests , you know , because I know everyone's time
53:36
is very valuable and whatnot
53:38
. But you know , I really enjoyed
53:40
our conversation . I feel like we
53:43
could easily go another two , three hours , you
53:45
know , and not drink a sweat
53:47
, but you know , that just means
53:49
that I'm going to have to have you on in the future . Anytime
53:53
man or you know we can talk
53:55
about anything . We can bring you on and talk about
53:57
cyber news or anything like that , but you
54:00
know it's a fantastic conversation
54:02
. I definitely really enjoyed it . And
54:05
before I , before I let you go , how
54:07
about you tell my audience ? You know where they can find
54:09
you if they wanted to reach out to you , where they can find
54:11
your company . You know
54:13
what all that information is so that they can
54:15
, you know , reach out if they wanted .
54:18
I just , you know , go out to your your favorite
54:20
browser and dseteam
54:22
that's a Delta , sierra Echo just dot
54:25
team and all of our contact information
54:27
is out there . You can get ahold of my phone
54:29
, email , linkedin , you
54:31
know , twitter , whatever your your preference of communication
54:34
is , and we'd be happy to talk to you and
54:36
help with whatever you got going on .
54:39
Awesome . Well , thanks everyone . I
54:41
hope you enjoyed this episode .
Podchaser is the ultimate destination for podcast data, search, and discovery. Learn More