0:54

How's it going , james ? It's great to get

0:56

you on the podcast . You know I'm

0:58

really looking forward to our conversation

1:00

today . I think you have some really interesting experience

1:02

.

1:03

Well , I'm happy to be here and it's fun

1:06

talking after directories , so you might have

1:08

to get me to shut up at some point .

1:11

Yeah well , I can't go that deep on

1:13

active director and I guess I can , I

1:15

guess I know more than the average person . But

1:17

when we start talking

1:19

about like nesting groups and stuff

1:21

like that , it's just it's going to start

1:24

getting difficult .

1:26

Well , there's there's plenty of complexity there and

1:28

one of the issues it's happening right now is

1:30

a lot of people that learned active directory in

1:32

their 30s and 40s you know , 20 , 25

1:35

years ago are rolling out of the workforce

1:37

. They're retiring , they're

1:39

, you know , getting a nice home in Florida or , you

1:42

know , just going going back to wherever they're living now

1:44

and just having free time . And the

1:46

newest generation isn't learning active directory

1:49

because kind of seeing this dead technology

1:51

that's not going to be around in 10 or 20

1:53

years but it absolutely will be at any , any

1:56

large entity , because getting away

1:58

from it is very , very difficult

2:00

. Blue Lemon tried to do this relatively recently

2:02

, very , very aggressive planning , and

2:05

they ended up having to stay partially on prem and

2:07

now they have all those on prem costs still

2:09

there , along with the migration costs

2:12

. So you know there's there's a toll to pay

2:14

if you don't make it all the way .

2:15

Hmm , yeah

2:18

, I've always felt like active directory

2:20

is one of those like essential technologies

2:23

. You know that you

2:25

just you have to live with , you know it's

2:27

something that you

2:30

know makes your business run , so to speak

2:32

, and if you don't , if

2:34

you don't have it , it becomes a huge

2:36

undertaking and

2:39

stress on your environment . Just

2:41

because you know the like

2:44

, you need an entire team of

2:46

people to manage that custom

2:48

solution or whatever it might be .

2:52

Yeah , yeah , and it's , it's . It's interesting from

2:54

a security standpoint too , because when active directory

2:57

came on , the scene is competing against

2:59

itself with the NT40 servers

3:01

and basically Novel Network were the only

3:04

you know , relatively large players

3:06

in the game . And we had a

3:08

financial institution in China relatively recently

3:10

that was compromised . But

3:13

the hackers ran somewhere . Code didn't work

3:15

because they weren't using active directory . They're still

3:18

on Novel Network , so they

3:20

were able to catch the intruders and remove them

3:22

from the system with very limited damage because

3:24

they were running like 30

3:26

year old technology at their bank . Oh

3:28

, so

3:30

how will star galactic approach to

3:32

security ?

3:35

That's a . That's an interesting

3:38

perspective or a route to take , I

3:40

guess , in security .

3:42

I don't think it was intentional .

3:44

Right , you

3:46

know , jim or James , you know

3:48

how . How do you get

3:50

? How did you get this experience

3:52

with AD ? You know , because I

3:54

feel like you have unique experience

3:57

that not everyone is going to have . Even

3:59

you know nowadays , right , when

4:01

we're , when we're talking about AD

4:03

and people you know , kind of owning it

4:06

or teams owning it . You know it sounds

4:08

like you have a pretty unique experience

4:10

with it .

4:11

Well , I was doing a system administration

4:14

work back in like 99

4:16

, 2000 , effectively , you know , keeping

4:19

the servers up and running . You know

4:21

hardware software at a smaller

4:23

entity in down river , detroit

4:25

, and so I got to touch a lot of things

4:27

because there's a small shop and there's only two of

4:29

us . So we got to do basically everything

4:32

from from networking literally

4:34

running cables across drop

4:36

tiles , to hardware rack

4:38

and stacking to the logical networking

4:41

and logical system deployments . And you

4:43

know , it looked a lot , a lot different back in like

4:45

2000 , 2001 . It's

4:47

not the , not the same shop . Most , most

4:49

entities didn't immediately adopt Active

4:52

Directory in 2000 . But

4:54

once 2000 rolled around , everyone saw the

4:56

, the advantages to it , and I

4:58

certainly did as well and jumped on it . Because

5:00

before you had kind of a , a clergy network

5:02

deployment or you had a

5:04

bunch of NT4L servers all over

5:06

the place , you know , sitting underneath people's desks

5:08

at branch offices , and sometimes the

5:11

cleaning people come in and turn them off , like it

5:13

was . It was bad , it was real bad

5:15

. But with AD it was like the first really large

5:17

, commercially replicated database . So

5:19

you could , you know , hire someone

5:22

in New York and if they flew to Los Angeles

5:24

they'd still be able to log in with their computer without

5:26

any administrative overhead , and that was

5:28

kind of like this . This new concept

5:30

at the time is like this wild new way to

5:32

auth that didn't exist and now

5:34

we kind of take off for granted right , you can

5:36

, you can cloud off from anywhere , it's just always

5:38

there . So it's not a big deal . So

5:40

yeah , I guess being being around

5:43

for a long time kind of helps there from the experience

5:45

standpoint .

5:48

Yeah , you know it's , it's

5:50

interesting . So when I was working for

5:52

a credit bureau , you

5:55

know , I owned a Pyrla Jaxus management

5:57

solution and

5:59

a part of that was obviously

6:02

getting all of the accounts in AD

6:04

into the solution and eventually rotating

6:06

them via the solution . It

6:09

sounds like a great idea , you know , from

6:11

a security perspective , but

6:14

it adds in huge amounts of risk

6:16

to the environment if that PAM

6:18

solution is not doing what it should be

6:21

or there's bugs and things like that

6:23

. And so you

6:25

know , literally , you

6:28

know , one day , you know , my manager said

6:30

, hey , we need to put global AD into

6:33

this PAM solution . Never

6:36

heard of global AD , I had no clue what

6:38

it is right . And I go talk

6:40

to our AD guy and he goes , oh , that's

6:42

a legacy like AD

6:44

architecture that we basically can never get

6:46

rid of , because once

6:48

you started it , you know you basically can't

6:51

, can't migrate away from it , like it's almost

6:53

impossible .

6:55

So you're kind of trapped . Trapped in it

6:57

forever because all the apps you buy

6:59

integrate with it for its off store and

7:01

you're stuck with it right , like for better

7:04

or for worse , like at the hip . Demi , you're

7:06

up there , man , sorry .

7:08

No , no worries , and you

7:11

know I'm being the security person

7:13

that I am . I'm trying to gauge the

7:15

risk to the environment , right

7:17

, what's the risk of adding these

7:19

, you know , 12 or 15 accounts

7:22

into this solution ? And so

7:24

I started to ask him . I was like , well , you

7:26

know what happens if , you

7:29

know , all of our regular AD gets

7:31

locked out . You know what's the process

7:33

, right ? And he said , oh , I just go into

7:35

global AD , I could reset them all right from

7:37

there . I was like , okay , well , what happens

7:39

if global AD gets locked out ? You know

7:41

, because if all of our normal AD

7:44

gets locked out , more than likely

7:46

that issue is going to reside also

7:48

with global AD , and you know

7:50

it'll get locked out as well . And he said

7:52

, oh , if that gets locked out , we're calling Microsoft

7:54

. I was like , oh , so

7:57

it's , it's pretty serious then . So

8:00

you know , I ended up onboarding

8:02

these global AD accounts . There's

8:04

like 12 of them , but I set them all

8:06

to not rotate . You know

8:08

, that was the idea . We're not going to rotate

8:11

it right now . We're going to figure it out , you

8:13

know , as we go . And you

8:15

know , of course , this wonderful solution

8:17

that I was working with , that I refused

8:20

to work with to this day , decided

8:22

to have a bug that we were not aware of

8:24

it and when you , when you

8:27

essentially selected an individual

8:29

account to rotate the

8:32

database on the back end did not accept that

8:34

filter and it applied

8:37

it to every account in

8:39

its database . And so

8:41

you know this happened one

8:43

of our interns , you know , just

8:45

did a normal BAU task

8:48

. Right , this user's having an issue

8:51

with their password , it's out of sync

8:53

, let's just reset it and call

8:55

it a day . So 15 second

8:58

task . You know , literally

9:00

they do it every single day , all day long

9:03

. And

9:05

you know , as soon as that happened , like

9:08

, my account got locked out

9:10

. Well , that's weird . I mean , I

9:12

did just reset my password because

9:15

it was , it was that time of the quarter

9:17

for me , you know , it was

9:19

very odd coincidence . I'm like okay

9:21

, well , surely you know nothing's

9:23

going on here . And then I see , out of the corner

9:25

of my eye , my coworker

9:28

also had the same , you

9:30

know , pop up , it's time to change your password

9:32

, like okay . And

9:34

so I went , you know , back over to the console

9:37

, because now I can't get into my computer for

9:39

some reason . Once you , you know , lock

9:41

it could , literally the process is you

9:43

lock your computer , you put in the current password

9:45

and then you reset it . Well , my

9:47

current password had changed , so I

9:49

locked it and I couldn't get back in . And

9:53

I went over to my co-worker that was

9:55

still in the console and we looked

9:57

at the last rotation period

9:59

for all these accounts and it was just , I

10:02

mean , it was just fire , and through them there's

10:04

45,000 accounts on this solution and

10:06

it's , I mean it is chugging along

10:09

. And I was like , oh no , I

10:11

have to go to the 12 global

10:13

AD people and tell them to not

10:16

log out of their computer . I mean it's 4pm

10:18

on a Wednesday , you

10:20

know , like everyone is yeah

10:23

, everyone is like running out

10:25

the door , you know , and I have to run

10:27

into this room and say like , okay , no

10:29

one here is allowed to lock their

10:31

computer . You cannot log out If you

10:33

do nothing else . You have to keep your computer

10:36

awake , you know , and

10:38

like it was , it was the

10:40

worst fire drill you can imagine

10:42

because now we have to like pull

10:44

these passwords and set them back

10:47

to their old value , somehow , you

10:49

know , and because you can't have

10:51

all of your users , all you know

10:54

, 10,000 of your users , whatever it might be

10:56

, you know , first thing in the morning . Oh , you

10:58

have to reset your , your AD

11:00

account password and you have to

11:02

reset every service account password that you

11:04

own and you know it's such a mess .

11:07

That's what's really going to kill you , because they're almost

11:10

never well documented . So

11:12

like it gets reset , it's like all right , where all

11:14

is it trying to log in from ? Because it keeps locking

11:16

out even after we reset it on the boxes we

11:18

knew about and then it's like a hunt , so

11:20

very catastrophic to production for

11:22

sure .

11:24

Yeah , I guess you know it's , it's

11:26

looking back on it . It's funny because

11:29

when that happened you know literally

11:31

all of the service accounts you know 12,000

11:33

of them , or something like that got reset almost

11:36

instantly . There was no way to stop it . And

11:40

one of one of one of the managers

11:42

that I'm still friends with to

11:44

sit to today , he said

11:46

oh , on Monday I got this project handed

11:48

down from the CISO that we have to go , you

11:51

know , team by team , and reset all the service accounts

11:53

. So I guess my project just got

11:55

done , you know , in 10 seconds

11:58

. He's like I guess

12:00

I could close that out . This may have had to take

12:02

me two years . Oh

12:06

man , you're welcome .

12:09

No , it's funny because like this is a problem . Like

12:11

a lot of companies have their service accounts

12:13

and they're , they're , they're using creds

12:15

that are 10 , 15, . I've seen 20

12:17

year old credentials that are out there , right , you

12:20

know they're , they're , they're not even using curb

12:22

for off . Like it's , it's a hot mess , but

12:24

no one wants to touch them . Because the last

12:26

time those accounts got touched , you know , joe

12:28

got fired because we didn't realize what

12:30

it was doing to production . And now no one wants to

12:32

go near it because they realize it could bore

12:35

production . So it's like this this

12:37

hot potato keeps getting tossed around

12:39

. Project wise Security doesn't

12:41

want it because they don't want to mess up production . So they go to ops

12:43

and ops doesn't want it because what is this a security thing

12:45

, resetting passwords ? So it just bounces

12:47

around between different orgs until , you

12:49

know , the new guy gets stuck with it , and

12:52

that's not what anyone should want .

12:54

Yeah , even just trying to figure out what those

12:56

service accounts manage and what

12:58

they do is most

13:00

of the time it's an impossible task

13:02

because the people that created it like

13:05

literally that whole team can be

13:07

retired , like not just like change

13:09

jobs retired . You know , like

13:11

that was the

13:13

case for a lot of these accounts where you

13:16

know people were like oh yeah , we're just told

13:18

not to touch that thing because

13:20

it it does something with this

13:22

database over here and you know , whatever

13:25

it might be like that , that's literally the

13:28

description that we're getting when we're going to these

13:30

teams saying what does this do ?

13:32

No one knows . No one knows . There's

13:35

some data from interviewing , but you're not going to be able to get

13:37

everything . So

13:39

I was . I was at Microsoft and we got rid of wins

13:41

, right . So this is kind of a similar

13:44

issue , right ? This legacy technology has

13:46

odd dependencies and

13:48

they literally hunted down at

13:50

the network stack . Who always using

13:52

wins period going to

13:54

those machines and like being like who

13:57

owns this ? We need to talk to them . They

14:00

hunted all of them down so there wouldn't be any impact

14:02

. It was a huge project

14:04

and I've been on like projects

14:06

where the service count rotation comes

14:08

up because it's always a finding during security

14:11

discoveries . It's like you have a cred that's been

14:13

out here for 20 years . It's eight characters

14:16

. There's there's a problem . It's

14:18

well known credentials . It's sitting in RockU

14:20

, like this . This is extremely

14:22

vulnerable to password spray and it has

14:24

either domain admin or server admin , kind

14:27

of across North America , kind of

14:29

a problem .

14:32

Yeah , and you know

14:34

, back back when

14:36

those accounts were being created , the easiest

14:38

thing to do was to actually

14:40

just give it , you know , global

14:42

admin , right Service admin , whatever it might

14:44

be , just to make sure that

14:46

it works . And a lot of the times the

14:48

thought was , oh , we'll dial it in later , you

14:51

know , and and now we're learning 30

14:54

years later like , oh , that's a bad

14:56

idea , we probably shouldn't do that because

14:58

we never go back to it .

15:01

Yeah , it's tough , and it's really tough

15:03

in like startups that grew exponentially

15:05

from the I guess we're calling them the odds

15:07

right Now . You start small , you're

15:09

going fast , you're just doing whatever you have to do

15:11

to be operational and then next

15:14

thing , you know you're a you know , multi-billion

15:16

dollar company with an identity system that

15:18

is almost completely unusable and

15:20

so porous from a security standpoint that

15:23

it puts you at a significant financial risk

15:25

, especially for these publicly traded companies

15:27

. Now , with the SolarWinds CISO

15:29

being , you know , taken the core by the SEC

15:32

, like there's , there's skin in the game potentially

15:34

now for these CISOs , like personal liability

15:37

, not just job stuff . So

15:39

it's it's going to be really interesting to see how that

15:41

case turns out . It's going to affect the industry

15:43

, I believe .

15:45

Yeah , absolutely . You know , I actually

15:47

have a friend that's at a company

15:49

that is still , you know , it

15:51

still feels like they're in their startup

15:54

phase . They've been around

15:56

for maybe , you know , 10 , wouldn't

15:59

be any more than 15 years , and

16:03

he said that when he took over

16:05

as the IAM director right

16:07

, he was just trying to get a lay for the

16:09

land and see what they had

16:11

. You know , they were predominantly

16:15

in Azure , right , so

16:17

it shouldn't be that terrible . And

16:19

he discovered that they had like over 400,000

16:22

accounts , you know , and

16:25

they had accounts just

16:27

sitting there , you know , not doing

16:29

anything at all , and

16:31

his first task was to , you know , obviously

16:34

limit the attack surface across

16:36

these accounts . Well , how do you , how

16:38

do you do that ? How do you even get started

16:40

, you know , and I actually spent probably

16:43

a week or two . I should have charged

16:45

them some consulting fee , because I spent like

16:47

a week or two with them , you know , kind of devising

16:50

this plan of how he can go about it

16:52

without causing any outages .

16:55

Yeah , that's the big one not causing any outages

16:57

. It's really easy to fix all the accounts . It's

16:59

very difficult to fix them without causing

17:02

any impact .

17:03

Yeah , yeah

17:05

, it's challenging and the Cloud doesn't

17:07

really make it any easier , you know , because

17:10

it probably

17:12

I mean it makes it more

17:14

difficult because you're so easily

17:17

able to attach these

17:19

accounts to whatever you want in

17:21

Azure , in AWS , you

17:25

know , and it's just , it's

17:28

too easy for developers to

17:30

do that .

17:32

Yeah , it's double-edged sword , right , so you

17:34

can dev fast , you can move quick . But

17:37

suddenly your test environment is

17:39

now labeled production and you only had security

17:41

controls in there for test environment and now

17:43

it's being pushed to prod , along with

17:45

all of these vulnerabilities . The

17:47

biggest thing for on-prem AD for the longest

17:50

time and still today , is developers choosing

17:52

to use NTLM auth instead of

17:54

Curve right , ntlm

17:56

has been broken for a very , very

17:58

, very long time now

18:01

over 15 years . V2

18:03

is pretty good , but almost everyone has

18:05

V1 backwards compatibility

18:08

turned on , so their legacy apps continue

18:10

to work . So devs just hey , let's do

18:12

NTLM . It's fast , it's quick , it's easy , there's

18:14

templates for it and we can get rolling . And

18:17

they sell the app and the company buys the app and they're

18:19

like all right , security team implement this . And they're like wait

18:21

, this uses NTLM . Why

18:23

did we buy this ? Wait

18:25

, this is gonna be a huge problem and

18:27

orgs , especially larger orgs

18:29

, will often buy applications without

18:31

security review . They won't look at their

18:34

dependencies , they won't look at

18:36

how they're built from a security standpoint . They only

18:38

look at , hey , this fixes this big problem and

18:40

it's gonna make us X amount of money , or if it's gonna

18:42

save us Y amount of money Security is very rarely

18:44

a part of that conversation , and

18:47

that's detrimental to all

18:49

of these organizations .

18:52

Yeah , that's a really good point . So

18:54

you mentioned earlier that

18:56

you worked for Microsoft , right

18:58

, so can you talk to me a

19:01

little bit about that

19:03

experience ? Oh sure

19:05

, I was working to work for Microsoft , at

19:09

least on one of their core products

19:11

. I mean , I don't know if you were on the product team or if you

19:13

were on another team that specializes

19:16

in AD , right , but what is that

19:18

like ? Because that's a core technology that

19:20

95 , 98%

19:23

of every company out there uses

19:26

as their directory service .

19:28

I was at a weird point in time

19:31

for Microsoft they had just figured out that , hey

19:33

, as Android things getting really big , we

19:35

need a Windows phone . So I was on the WinPhone

19:37

project . One of the issues they

19:39

were having there is at the time Microsoft

19:41

was very , very siloed

19:44

, like Office was a completely

19:46

different team from OS was a completely

19:48

different team from server

19:51

, and these orgs didn't

19:53

really communicate with each other . Each one kind of functioned

19:55

like a fast moving startup and they

19:57

all rolled their code up into a central repository

20:00

, and this was especially true for WinPhone . I

20:02

was supposed to be using the same code as Windows

20:05

8 , right , so you have a unified desktop phone

20:07

experience . It's actually good , but couldn't

20:10

get anyone to dub for it , and we all know how the WinPhone

20:12

ended up turning out . It was

20:14

a great phone , but no real adoption . So

20:17

, anyways , it was a really interesting environment

20:19

because from a technical standpoint you

20:22

couldn't do a lot of what you needed to without

20:24

blessing from MSIT , kind

20:26

of the key holders for all

20:28

the different teams . All the different teams have their own admins

20:31

and architects , but at the end

20:33

all of the access is controlled by MSIT

20:36

. So it's really interesting

20:38

. Kind of look at it as a company

20:40

that buys other companies and adjust them

20:42

and continues to let them do their own thing , but

20:45

occasionally sticks their finger in the pie . It's

20:48

a very , at the time , combative

20:50

environment , but the people were really great

20:52

. It was fun . It was a fun job .

20:57

That's really interesting . I wonder how

20:59

that has played out with

21:01

Azure . Now , just

21:04

the nature of the cloud right , you have this giant

21:06

hypervisor that

21:10

probably a handful of people actually

21:12

have access to , and

21:14

how is that

21:17

kind of administered and managed

21:20

and whatnot , right ? Like , I

21:22

always think about it as like the

21:26

worst kind of attack for any cloud

21:28

would be to get access to that hypervisor

21:31

. And , yeah , there's environment

21:33

escape , exploits and things like

21:35

that , right , but no one

21:37

is actually logging directly into that

21:39

hypervisor . From an

21:41

attacker perspective , no one's actually logging

21:43

into that thing . And then , seeing the

21:46

tens of thousands of accounts that this cloud

21:48

provider may have , I'm

21:52

always interested to see how they protect

21:54

it , and I've done a little bit of research into Google and

21:56

how they protect theirs , and

21:58

I mean , from how they make it sound , there's like 12

22:00

people at Google that have access to

22:03

a server and a data center that

22:05

is like highly replicated across the

22:07

globe that gives this

22:09

access , and they invoke

22:12

some sort of just in time access for

22:14

admins that need to access maybe

22:17

a customer specific hypervisor

22:19

.

22:21

Yeah , it's interesting because with all

22:24

cloud providers you don't really have physical

22:26

separation . You have logical separation but

22:29

it's not physical . I mean your virtual

22:31

machine for your active directory

22:33

DC sitting out in the cloud could be on

22:35

the same physical hypervisor as

22:38

a VM owned by the CCP or

22:42

one of these ransomware , because it's pretty

22:44

easy to buy a hypervisor . So

22:46

for physical escapes there's still very , very

22:48

edge case kind of stuff like Rohammer's been

22:50

out for a while and there's all these CPU

22:53

vulnerabilities that are flying around . But

22:55

without physical isolation you don't really

22:57

have true security and

23:00

it's easy to go for the hypervisor out

23:02

because hey , look , I'm up to money , we're saving

23:04

, we don't have to rack and stack something and

23:06

it's great from a cost standpoint . And that's been true

23:08

for a long time . So the past couple

23:10

of years when the large cloud providers

23:12

realized , hey , we got these people like cook

23:14

line and sink or they can't just leave us without a huge

23:17

project so we can raise our rates

23:19

, right , this is the same thing kind of happened with Uber

23:21

and Lyft . Like it was really cheap when you first started

23:23

using Uber , like a nice town

23:25

car picked you up for like $5 , took

23:27

you anywhere you want , and now you're in the back

23:29

of like a beat up Prius that smells

23:32

absolutely awful and it's like third

23:34

round of seat covers and

23:37

that's the prices going up in the

23:39

cloud environment . And it's tough for

23:41

a lot of our larger customers because they

23:43

feel stuck and they feel manipulated

23:45

and they feel controlled and they don't

23:47

like that . And large companies can

23:49

make a switch very quickly if the

23:52

wrong person gets pissed off the

23:54

one Fortune 100 I'm

23:57

thinking of in particular . There's a

23:59

rumor of a backyard barbecue

24:01

in Redmond and they were talking

24:03

with some Microsoft reps there and there

24:06

may have been a few drinks that have happened at this barbecue

24:08

. This is all a legend , second information

24:10

, so I can't validate

24:13

its authenticity , but apparently the Microsoft

24:15

reps said well , you don't have any other option , we're the only

24:17

game in town . And it pissed

24:20

the other guy off and six months

24:22

later they were on GCP .

24:28

Wow , that is substantial . You

24:31

have to . I feel like when

24:34

you're in that sort of situation , you have to gauge

24:36

what kind of personality

24:38

not just that you're

24:40

dealing with in that individual . You

24:43

got to think about the personality of the person

24:45

in that role , what

24:47

it takes to actually get into

24:49

that role . Let's just

24:51

assume , right to CIO

24:54

, cto , something like that , right , what's

24:56

the kind of personality of a

24:58

person that is typically in

25:00

that role ? Someone

25:02

that doesn't like to be told no , Someone

25:05

that probably takes

25:08

that sort of wording as a challenge

25:10

. You know , and

25:12

now you're in this situation of you're losing

25:14

probably one of your biggest customers because

25:18

of a sales rep .

25:20

Yeah , that had maybe one too many drinks at

25:22

a barbecue . It's a very silly

25:24

way to lose a very big contract .

25:27

Yeah , I mean that's

25:29

a really stupid way to get fired .

25:32

Yeah , I don't know what happened to the guy

25:34

that caused the whole thing , but

25:36

I have to imagine he's not working there

25:38

anymore .

25:40

Yeah , probably not . I

25:42

mean , what other

25:44

solution are they left with at that

25:47

point ?

25:47

Like man , yeah , yeah

25:49

, and I'm seeing other clients do

25:51

similar things . Right , they're not

25:53

going all in on one provider , they're kind

25:55

of dipping a foot in provider

25:57

A , dipping a foot in provider B and

26:00

even setting up pretty interesting failover . So

26:02

if provider A goes down for whatever reason

26:04

, they can hot swap back over to B

26:06

for some redundancy . But it also gives

26:08

them cost negotiation , right , because

26:10

now they can suddenly go oh hey

26:12

, provider A , well , provider B is charging us 40%

26:16

less for this . I think we're just going to move our

26:18

stuff over there , and then suddenly there's

26:20

room for negotiation and price of services

26:22

.

26:23

Hmm , yeah

26:25

, you know it's a . It's

26:29

interesting . I've

26:31

seen it from multiple angles

26:33

. I feel and

26:36

I was at a company that they

26:39

were a Microsoft shop from

26:41

the beginning and

26:44

they bought pretty much everything that

26:46

Microsoft sold . If Microsoft sold

26:48

it , they bought it . It wasn't

26:50

even a question . It always

26:53

seemed like we had an unlimited budget when it

26:55

came to Microsoft . But when we were talking

26:57

about like Symantec , right

26:59

, symantec , like EDR , which isn't even

27:01

an EDR , which is terrible , you know

27:03

, it's so low on the magic quadrant at that

27:05

time you know I don't know about the product now

27:07

, but at that time it wasn't even considered

27:09

a top tier EDR . And we're

27:11

penny pinching . You know , this

27:14

solution that we desperately need , that

27:17

isn't even supposed to be that great right

27:19

. And their whole , their

27:22

whole Azure . You know , methodology

27:24

was if we only

27:26

want network closets on-prem

27:29

, the rest of it will live in Azure

27:31

forever and

27:33

we're not going to migrate away from it . And

27:35

I , you know I just asked them

27:37

I was like , well , what if there's something that , like Microsoft

27:39

does that we can't live with ? You know , like

27:41

what if some insider threat

27:43

happens at Microsoft ? And

27:46

you know we have a lot of proprietary information

27:48

that makes a lot of really

27:50

wealthy people , even more wealthy

27:53

because it's a financial firm , it's an investment

27:55

firm , right ? So , like we

27:57

have a lot of proprietary stuff , and

28:00

what if you know all

28:03

of our eggs in one basket and someone

28:05

breaches it right and takes that information

28:07

without us knowing and they're like , oh

28:09

well , that will never happen . Like

28:11

well , what if it does ? Because

28:14

you know there's one

28:16

account for each

28:18

of the big three cloud providers where

28:20

something very suspicious

28:23

happened . You know where a

28:25

new startup is creating some new product

28:27

on you know X cloud

28:30

right , and then magically

28:32

, right out of the blue , just before you're about to

28:35

launch , that cloud provider

28:37

launches this exact same solution

28:39

, exact same interface , with a

28:41

different logo , and now

28:43

you're out of business before you even hit

28:45

the street . You know .

28:47

If you want true security it has to be

28:49

physical . You can't have shared infrastructure

28:51

and security coexist . It's

28:54

just not the same . Physical

28:56

boxes will always be more secure

28:58

than any sort of hypervisor , not because there's active

29:00

vulnerabilities for VMware

29:03

, hyper-v or anything , but because

29:05

there's always the potential for those active vulnerabilities

29:07

. I mean , look at how many CVEs have existed

29:09

for Citrix throughout the years . Seems

29:11

like every six months we hit a new publicly

29:14

facing CVE that's like oh yeah

29:16

, they can pivot to domain admin from

29:18

the cloud , they can pivot

29:20

to domain admin from the admin interface

29:23

. As this configuration like there's

29:25

risk to opening those things up and over

29:27

the past couple of years we've seen the

29:30

penalties to that . Right , all of these network

29:32

devices that are opened up . You know octa

29:34

, I mean the list goes on and on . So

29:36

if you really if security is number

29:39

one and it matters for

29:41

the core of your business and your existence , maybe

29:44

on-prem those right , because there's always a possibility

29:47

on shared infrastructure that if someone

29:49

else has the keys that your proprietary

29:51

information is going to go for a walk , you

29:53

don't see Coke storing their magic

29:55

recipe in the cloud , right ?

29:59

Yeah , that would not be

30:01

a good situation , that's

30:03

for sure . You know , like I

30:06

actually had someone

30:08

on previously that

30:12

wrote a book about

30:15

how oh , james Lawler , that's

30:17

his name about

30:19

how , you know , this is a fictitious

30:22

you know scenario or whatever

30:24

, but I always question how fictitious it

30:27

actually is because of his background

30:29

. You know he was actually a spy for

30:31

the CIA , right ? So

30:35

it's his book .

30:36

It was a hypothetical . It's a hypothetical

30:38

.

30:38

It's a hypothetical with strong quotations

30:40

around it , you know , because I'm

30:43

literally reading his book and I'm like man , this is

30:45

all like , very , just so probable

30:47

. You know , and

30:49

in one of the books , you know , the agency

30:52

moves into

30:54

one of the big cloud providers . Right , he

30:56

used a different name , but it sounded like AWS in

30:59

my opinion , maybe because I'm a AWS

31:01

guy . Right , and

31:04

sure enough , foreign adversaries

31:06

immediately start targeting

31:08

the employees at this cloud provider

31:11

. And you know , it

31:14

leads me down this thought path of

31:16

you know , the employees at these

31:19

cloud providers . They're typically pretty well paid

31:21

. I mean everything that I've seen

31:23

. They're pretty well paid . And

31:26

so for a

31:28

foreign adversary to come into this situation

31:31

and offer up , you know , a check

31:33

of like oh , you know , you want your

31:35

yearly salary and one check

31:37

like well , here you go , we just

31:39

need this little script to run . You

31:42

know that's 10 lines we needed to

31:44

run on your core server or whatever

31:46

it is . You know , I feel like

31:48

that's a very real possibility

31:51

. And even me , being a cloud guy

31:53

now , you know , I only

31:56

do the cloud as far as I'm concerned , at my company

31:58

on prem doesn't exist . And

32:02

you know , I always

32:05

have that paranoia of well

32:07

, how do we protect something that doesn't reside

32:09

on hardware , that we do not

32:11

own , that we cannot go physically

32:13

pull the plug on ? How do we ensure

32:16

you know that even insider

32:18

threat is , you know , protected against in this

32:21

scenario ? It's tough .

32:24

I mean , look at stuck snap right . So there's

32:26

many information is coming out fairly

32:28

recently that it looks like a Dutch

32:31

person was working for stuck snap

32:33

and floated in a USB through

32:35

the water system and then got that into

32:37

the software . But

32:42

and that's a completely air gapped , physically

32:44

locked environment and they still were able

32:46

to get a USB stick in there and plug

32:48

it in and run stuck snap . So

32:50

there's always going to be the risk of that

32:53

physical layer being traversed

32:55

, even in extreme environments , which

32:57

is why defense in depth is so

32:59

important . If there'd been policy set

33:02

up for that environment

33:04

that didn't allow USB drives

33:06

to be attached , that would have never happened . And

33:08

that's really straightforward , simple , basic

33:10

policy that no one is probably worried about

33:13

is because , hey , we're in this high security environment

33:15

, everyone gets searched before they come in . There's no way

33:17

a USB stick can make its way in and it

33:20

did . So

33:22

I mean , the defense in depth has a lot of , a lot

33:24

of pros there to help mitigate risk , but

33:26

you'll never remove it completely .

33:29

Yeah , it's very true . You know

33:31

, when I , when I did some government work

33:33

earlier on in my career , I've

33:36

been in some very uncomfortable situations

33:39

where , you know , I answered

33:41

a last minute phone call on my cell

33:43

phone in their lobby , you

33:45

know , and I mean these

33:48

guys , these security guards that they have

33:50

, I mean they're , they're larger than

33:52

life , they look like they used to play

33:54

, you know , collegiate football . Right

33:57

, they look like they could separate your head from your body

33:59

you know in the blink of an eye

34:01

right and I mean

34:03

they see this cell phone go off . I think they they

34:06

have to have some sort of monitor or something

34:08

, you know , like behind

34:10

their desk that like goes off if the

34:12

cell phone is in use Because

34:16

, like I mean , I sent a text , you

34:18

know , and they were on top

34:20

of me . They were like what are you doing ? I'm like

34:22

I'm in the lobby man , like I'm literally

34:24

cleared to be here . You know

34:26

, it took me a day to get clearance to be

34:29

here . You guys know who I am

34:31

and they're like no , you have to go

34:33

out the front door , like right now

34:35

. If you make that mistake again , like we're going to arrest

34:38

you . You know , it's like geez

34:40

, like where the hell am I ?

34:43

Yeah , it's interesting . So we start

34:45

talking about high security or

34:47

gov . The air gap is treated

34:49

very seriously for a lot of those environments

34:52

. I

34:54

was part of a team that did a

34:56

roll out a secure actually

34:58

directory forest deployment for a completely air gap

35:01

environment that had to be able to

35:03

send out the data periodically

35:05

and the solution here was pretty

35:09

, pretty interesting . There was one machine

35:11

that was set up with dual

35:13

sets of very high throughput

35:15

NICs and basically because

35:18

the data set that needed to come out wasn't massive

35:20

but it was sizable , so

35:23

when the data needed to come out I was moved to

35:25

this temporary holding pattern . They called it a lock

35:27

server and then the data was transferred from

35:29

that server to an intermediary and

35:32

then the connection was severed and it was connected

35:34

back to the internal network and then

35:36

that intermediary then moved the data to

35:38

production , then had its network connection severed

35:41

. So they were air gapped , logically

35:43

by network

35:45

throughput , right , and you needed two people to basically

35:48

open the network , which was pretty

35:50

interesting solution for something that

35:52

had to stay safe .

35:57

I wonder what that would

36:00

have even been , because , like you

36:02

know , when you say it takes two people to do

36:05

this thing , you know you're not able to do

36:07

it without it . I mean , the very

36:09

first thing that comes to my mind is well , what

36:11

else in the government works like that that we know

36:13

of ? Oh , nuclear missile silos

36:15

, you know , like

36:19

that's the only thing that I know

36:21

of . You know that operates like

36:23

that , where it's like okay , we need these two people

36:25

, and if we don't have the two people , like we're

36:29

screwed right .

36:31

The nukes get a lot of publicity because of

36:33

all the movies , right . But

36:35

there's use cases for this in the wild , even

36:37

in public companies . For unlocking , basically

36:40

, great glass creds , you need more than one person

36:42

to turn the key .

36:46

Okay , yeah , I've seen solutions

36:48

like that , where it's like a just-in-time

36:50

access , you know with Azure

36:53

, where you have some , you know , global admin

36:55

account or something like that and someone else

36:57

needs to approve it and you get multiple approvers

36:59

Right . Yeah , you get a certain amount of

37:01

time to actually use the

37:03

account and everything is logged and

37:05

watched .

37:07

Yep Screen recording for the full session and all

37:09

that good stuff .

37:10

Yeah , you know , we kind of

37:13

glossed over it and maybe

37:15

that's it's the most interesting

37:18

part for me is the

37:21

Stuxnet Water USB thing

37:23

. So what recently

37:25

came out Because

37:28

I've been very fascinated

37:30

by Stuxnet , you know the engineering

37:32

, the ingenuity that went into it , everything

37:36

around it , you know it just

37:38

fascinates me right . It's kind of

37:41

what even pulled my interest

37:43

into security . That was the thing

37:45

that I was like oh so

37:47

I can literally spend my entire life and

37:50

, you know , not learn everything , right

37:53

. So what's

37:55

this water USB ?

37:57

infiltration method . The

37:59

original story was that it was USB-seeded

38:02

in the parking lot . Someone picked one up and

38:04

plugged it in somewhere . Perfectly

38:07

plausible story , and relatively

38:09

recently there was some information that came out I can't

38:11

verify its authenticity , it's just an article

38:14

right that it was a Dutch contractor

38:16

working at the facility that was

38:19

being paid for this right and they

38:21

received some sort of monetary reward

38:23

, or maybe it was a service , who knows

38:25

what it was . But they used

38:27

a water inlet allegedly to smuggle

38:30

in this USB . Because they were part of the

38:32

cooling area that they knew very well and

38:34

they were able to get something physical that floated

38:37

into the facility . And

38:39

because they're able to do that , they just

38:41

were able to plug it in . And because of the way Stuxnet

38:44

worked , it spread far

38:46

and wide very quickly and it's very hard

38:48

to tell where it came from originally .

38:51

Wow , yeah , you

38:53

know , that's the part that

38:56

always kind of got me

38:58

hung up was actually infiltrating the

39:00

USB-in right

39:02

, because I mean I've been

39:05

to secured facilities

39:07

that are not at the same level as

39:09

that facility would be and I was

39:12

padded down and I had to go through some

39:14

special scanner that

39:16

takes an uncomfortable depth of

39:18

look into me . You know , like

39:20

they'll know , I have cancer , for

39:23

instance , like before my doctor will know . You know

39:25

, like

39:27

it's .

39:28

Yeah , you don't want that guy to tell you to , hey , go get checked

39:30

out on your way out . You know , go

39:32

see your doctor , man .

39:34

Yeah , yeah , I think

39:36

you got a lump . You're right . It's

39:40

like , oh you .

39:41

Yeah , you say , see you later . He says maybe that's

39:43

a problem .

39:45

Yeah , exactly , you

39:48

know like , well , that's the part

39:50

that like I always had issue

39:52

with , because I mean I

39:54

couldn't get

39:56

anything past these guys right , and I

39:58

wasn't . Again , I wasn't actively trying

40:01

to . You know , I didn't want to end up in handcuffs

40:03

. I do like my freedom , but

40:08

still , you know , thinking through it , it's

40:10

like okay , well , there has to be an insider threat

40:12

somewhere . You know that's

40:15

allowing this thing in , but

40:18

bypassing it through the water system

40:20

. I mean , that is something that's

40:25

really fascinating .

40:26

Who's going to check it right ? Who's going to filter

40:28

the incoming water to make sure there's not floating USB

40:30

sticks in it ? Right , Real

40:33

edge case stuff , man . But there's almost

40:35

always like a way in , and

40:37

that's a pretty good example of it and I'll

40:40

give you another one . Right ? So those the scanners

40:42

you keep talking about . So , for I

40:45

did lots of consulting , so for years I would

40:47

fly , fly in my poor backpack

40:49

, finally gave up the ghost . One day the strap broke , so

40:51

I grabbed my wife's and

40:53

I started flying it and think anything of it and

40:55

I just fly into like two , almost

40:57

three years and the backpack went

40:59

off in a scanner . I was having like already a

41:01

bad day and things kind of went

41:03

sideways with a client

41:05

. Like it was not a great situation . So

41:08

I'm already like irritated , which doesn't justify

41:10

what happens next , but it's just like

41:12

a precursor on on , not a bad person

41:14

, let me . Let me add some some

41:16

, some story here . So I go

41:18

through security and through the security of this backpack

41:21

many , many , many times , like two or three years of

41:23

traveling and it flags All right , whatever we

41:25

go through the random check and it's fine . And

41:27

we got to send your bag back through . All right , whatever they

41:29

send the bag back through , they're looking through it like

41:31

really extensively . I have the whole thing inside it out

41:34

, everything out , like separated individually on the table

41:36

. So I'm getting a little irritated . I got

41:38

like another like five or 10 minutes for have to be anywhere

41:40

, so it's fine . And they send it through again . Same

41:43

rigor , merold . And they call some new people over like

41:45

hey , what's going on here ? Guys , I've been using this bag for

41:47

almost three years now . Can I , can I get to my flight

41:49

? And everyone there was like really sympathetic

41:52

with me , except for this one person who's just like

41:54

there's something in this bag , I just know

41:56

it . So they send it through like two

41:58

more times and eventually their

42:00

face just lights up and they reach into the bag

42:03

and like they're really in there and they

42:05

pull out a box knife that I had no idea

42:07

was in there , because my wife used to work

42:09

at Target , you know , 10 years ago , and

42:11

it was her bag and it'd

42:13

been in there for almost three years and the TSA

42:15

never caught it . So like even

42:18

pretty good systems don't always

42:20

work , yeah .

42:23

I I hesitate to call the

42:26

TSA a good system . Um

42:30

well , it's not like , I suppose

42:32

. Yes , it does beat nothing . Um

42:38

, the reason ? The reason is because , like I read some report

42:40

by uh , what was it ? It was like the , the federal air marshals

42:42

or something like that , where they actually test

42:44

, you know if TSA is going to catch something or whatnot

42:46

.

42:49

Right , I'm

42:52

sure they were able to get in no issue , right .

42:55

Yeah , I mean they said that they were able

42:57

to , like , smuggle guns through TSA

42:59

and knives , and you

43:01

know they said that there was basically

43:03

no limit to it , like they could get through

43:05

anything that they wanted and TSA

43:08

it was a staggering amount . It

43:10

was something like 96 , 97% of the

43:12

time TSA would let it through .

43:15

Another example . Yeah , I

43:17

mean I don't mean interrupt , but I uh I long

43:20

story . I was flying , I was in Atlanta

43:22

to visit my um , my grandfather , and

43:24

he had this like really like

43:26

old school pair of like sewing . So there

43:28

was like huge meaty , like giant

43:31

scissors and without thinking about it , I just

43:33

threw them on my backpack , went to the airport . You know

43:35

, I on the plane , going into my pouch

43:37

, kind of you know looking for a snack , I see these gigantic

43:39

metal scissors . I'm like how did TSA

43:42

not find this ? This looks like a huge knife

43:44

on the X-ray Right , like

43:47

they're huge . There's no way to miss this Like

43:50

this big .

43:52

Yeah , it's , uh , it's

43:54

crazy , but they'll find the water bottle . You

43:56

know that you forget was full .

43:58

They'll get . They'll get bad every time . But they

44:01

won't get the weapon Like also

44:03

get your energy bars , because you , if

44:05

you take more than like a , like a half

44:07

dozen energy bars on a trip , apparently

44:10

it looks like a plastic explosive at the

44:12

bottom of your bag .

44:13

What .

44:14

Yeah , I eat a lot of energy bars . They're

44:17

convenient food on the go . I'll just throw them all

44:19

in the bottom of my bag and then head off and uh

44:21

, I don't do this anymore Cause like I

44:23

got stopped and it was like the whole rig room roll

44:26

, search , big delay . And then

44:28

they call some other people out to look through the bag real

44:30

carefully and it's just like those are just

44:32

like cliff bars , guys , come on , what's

44:34

going on here ?

44:36

Wow , you know

44:38

, james , we , we , we

44:41

just went like 44

44:43

minutes right and we didn't even talk about your

44:46

, your company , you know

44:48

. So let's uh , let's

44:50

talk a little bit about what you're

44:52

doing now . You know what , what the company

44:54

is and everything like that , what services

44:57

you provide , and we'll dive into that .

45:00

Oh sure . So , uh , I found a DSE

45:02

back in 2019 after doing a

45:04

lot of work for the big four and

45:06

I kept kind of asking myself , like , why

45:08

isn't there a smaller organization doing active

45:11

directory security like this ? I mean , there's there's

45:13

no reason to pay all this overhead for the big

45:15

four , you know , financing

45:17

their , their leases and their 30 foot table

45:19

and all the commercial real estate , when we

45:21

could start an org without those things and offer a

45:23

better price for our customers with the

45:26

same quality of service . So , like

45:28

, let's do it . So we , we , we found it in 19

45:30

and that's kind of what I've been doing ever

45:32

since , transitioning from being highly

45:34

technical to the absolute

45:37

uh , uh , battlefront that is

45:39

, trying to be a leader and a mentor . It's a

45:41

. It's a much , much different job and it's been very fun

45:43

and I've learned just a ton over the past couple

45:45

of years . But we , as I alluded to , we specialize

45:48

in a security run active director . We have

45:50

a active degree security health assessment

45:52

program , our AD Shaw . Basically

45:54

, we use a lot of the tools that actors use . We

45:57

come in as if we were a threat actor . We , we

45:59

show you where the holes are , we prioritize

46:01

them by difficulty to resolve

46:03

and criticality . So you can kind

46:05

of prioritize , because you're not going to be able to fix everything no

46:08

one is it's . It's impossible to fix everything

46:10

, but you got to get the big stuff right , the

46:12

main arteries , anything that's critical

46:15

you know , get those solved and that's going to prevent

46:17

the majority of the threat actors , and that every

46:19

threat actor is an APT right . A lot

46:21

of them are newer and amateurish

46:23

at best and they're just using off the shelf tools

46:25

and if you can stop the majority

46:28

of those , it gives you a much better chance

46:30

against the , the APTs

46:32

and the more you know financed

46:34

threat actors that are out there . In

46:36

addition to that , we do AD migrations

46:38

as well , kind of an emphasis on security . There A

46:41

lot of orgs will just dump everything from point

46:43

A to point B and that really is

46:45

a recipe to bring some pretty bad exploits

46:47

into your environment . If you you don't know what

46:49

you're , what you're doing , anyone can migrate

46:52

a directory environment , doing it without

46:54

compromising the . The final

46:56

destination that is . That is kind of the

46:58

sticky part . That's who

47:00

we are , that's what we do . If

47:03

you want to reach out , we're on dseteam

47:06

and LinkedIn and obviously the

47:08

social gambit there .

47:13

Yeah , absolutely

47:15

. I have a question around

47:17

the mentality of starting

47:20

a consulting company . I

47:25

started mine in 2019

47:28

and I've been fortunate enough

47:30

to have a couple of customers here and there . When

47:35

I started it , I was like

47:37

, okay , this is

47:39

stupid , nothing's going to come of it . Who

47:41

would trust me to pay

47:44

me to come in and

47:46

give them any sort of advice ? They probably already

47:48

have the experts internally . What am

47:50

I doing ?

47:51

And posture syndrome . Man , it's powerful

47:53

.

47:54

Yeah , absolutely , and

47:56

I'm glad I still went forward with it

47:58

, I still went down that path

48:00

and still did it and everything else like that

48:03

. But how

48:05

do you overcome that ? Because I

48:07

feel like it might have been a little

48:09

bit different , if it existed for you at all

48:11

, because you worked for Microsoft

48:14

and now you're starting a consulting firm

48:16

that specializes in AD

48:18

security . So

48:20

I mean , at least for me , if

48:22

I was going to start a consulting firm in AWS

48:25

and I already worked for AWS

48:28

, I don't know Maybe I would

48:30

feel like , okay , I got this thing

48:32

, there's nothing that they can ask me that

48:34

I won't be able to answer . But

48:37

did you experience anything like that , or was

48:39

it a different sort of feeling

48:41

for you ?

48:42

No , I think I'm pretty sure everyone

48:45

gets imposter syndrome . It's just not everyone

48:47

admits they have imposter syndrome

48:50

. It's scary man , it's scary

48:52

. But you have to kind of just take

48:54

yourself and what I do . This works

48:56

for me and your mileage may vary . I

48:58

just throw myself into the fire , right ? Whatever the

49:00

new thing is , I'm just going to put myself in a situation

49:02

where I have to learn it and I have to figure it out , and

49:05

typically I come out of that on top

49:07

or I learn something , and

49:09

either way that's a win and

49:11

a long enough time horizon . But

49:14

it's tough , right , it's tough to put yourself in a situation

49:16

where you're giving answers as an expert

49:19

early in your career because you may only have a couple years

49:21

of experience . Right , you

49:23

may only know what you know and that's

49:25

okay . Right , that's how you learn . Go out

49:27

there and make mistakes . Take that job

49:29

you don't think you're qualified for

49:31

and just learn the crap out of it and really better

49:33

yourself in your career there . It's hard

49:36

. It can be very stressful . I've

49:38

certainly had plenty of stress running

49:41

a business , like actual physical

49:43

problems from the stress , like heart issues , you

49:46

know , hair loss , like

49:49

you stress yourself out enough and your body will

49:51

make you slow down . You won't have a choice

49:53

in it , and that's kind of how I find

49:55

my limits is . When I run up against

49:58

that wall , I'm like , okay , well , I

50:00

physically can't go on , I need to dial it back and

50:02

get more intelligent about how I'm

50:04

doing this . But absolutely imposter syndrome

50:06

every single day of my life . It's

50:08

always there and I'm thankful for

50:11

it because I think it motivates me to a certain extent

50:13

to be better , because there's always someone smarter

50:15

, faster , better , stronger

50:17

, more wealthy out there and the goal is

50:19

trying to catch up to them as quickly as you can .

50:21

In my opinion , yeah

50:25

, it's

50:27

difficult to overcome . You know that

50:29

, just getting into that mentality

50:31

of , okay , I don't know what

50:33

I'm doing today , but tomorrow

50:36

I'm going to know more than what I do today , you

50:38

know , and that's positive

50:40

, that's positive movement , you know , that's going in the right

50:43

direction it's really difficult

50:46

to kind of get into that mentality

50:48

and just accept it and be like , okay

50:50

, I'm not going to know everything , but I can find

50:52

out . And I think that was , I think that

50:54

was the biggest thing for me

50:56

when I got those first couple of customers . You know , I

50:59

was providing consulting on a solution that personally

51:02

I hate . I absolutely hate everything about

51:04

the solution . I wish I

51:06

didn't get the experience that I did , because

51:10

even to this day , you know , I

51:12

get calls of people being like , oh

51:14

, do you want to work on this solution ? Just name your number

51:16

and like , no , I actually

51:18

have no interest in

51:20

doing anything with this solution . And

51:26

you know one , I think

51:28

one of the biggest selling

51:30

points was hey , I know

51:32

, you know all the key players at this

51:35

company . If I literally cannot

51:37

figure it out , I'm going to go ask the guy

51:39

that made it , you know , and get you the answer

51:41

that you need . And that

51:43

was something that no one else was able to offer

51:45

them . You know , because you have all these

51:48

other bigger consulting firms that

51:50

are kind of more reliant on

51:52

the internal talent and skills

51:55

and you know that internal talent

51:57

and skills is getting trained by the experts that

51:59

built it . But they still don't have that . You

52:02

know that connection to where they can go

52:04

and ask that person . You know on

52:06

demand , like hey , what is this thing

52:09

, what is it doing ? What's the snippet of code

52:11

? How do I get around it ? Things like that

52:13

. It's

52:16

an interesting mentality that you have to have , I

52:19

feel , to feel like you're capable

52:21

, you know , of providing

52:23

services that are worth money to

52:26

some company that can , you know , dissolve

52:28

your company overnight .

52:31

Yeah , yeah , I mean absolutely

52:33

like working with some larger organizations

52:36

like Fortune 500 , fortune

52:38

100 , it's very scary because

52:40

you and your you know entity of like

52:42

50 people are a rounding error to

52:44

them , right ? If there's any sort of you know

52:46

legal issue , it doesn't matter if you're on the

52:48

right or wrong , they're going to outspend you . So

52:51

all you can do is do the

52:53

right thing , do as much of it as you can

52:55

and do as best as you can , and

52:57

it's been working out so far for me . Growing

53:00

up thought a lot of extra money helped with this mentality

53:03

of figure it out , because you know

53:05

as really young it was . Hey , my car's broken

53:07

. Well , I can't afford to have it fixed , so

53:09

I better figure it out . Right , pick

53:11

up a wrench , order some order , some parts

53:14

and , okay , let's figure out how this thing goes

53:16

together . It's just like Legos , right ?

53:19

Yeah , yeah , it's a , it's

53:22

a skill set that helps you in a lot

53:24

of different areas . At

53:26

least , that's that's my opinion of it . But

53:29

you know , james , I

53:31

always try to stay on top of my time with

53:34

all of my guests , you know , because I know everyone's time

53:36

is very valuable and whatnot

53:38

. But you know , I really enjoyed

53:40

our conversation . I feel like we

53:43

could easily go another two , three hours , you

53:45

know , and not drink a sweat

53:47

, but you know , that just means

53:49

that I'm going to have to have you on in the future . Anytime

53:53

man or you know we can talk

53:55

about anything . We can bring you on and talk about

53:57

cyber news or anything like that , but you

54:00

know it's a fantastic conversation

54:02

. I definitely really enjoyed it . And

54:05

before I , before I let you go , how

54:07

about you tell my audience ? You know where they can find

54:09

you if they wanted to reach out to you , where they can find

54:11

your company . You know

54:13

what all that information is so that they can

54:15

, you know , reach out if they wanted .

54:18

I just , you know , go out to your your favorite

54:20

browser and dseteam

54:22

that's a Delta , sierra Echo just dot

54:25

team and all of our contact information

54:27

is out there . You can get ahold of my phone

54:29

, email , linkedin , you

54:31

know , twitter , whatever your your preference of communication

54:34

is , and we'd be happy to talk to you and

54:36

help with whatever you got going on .

54:39

Awesome . Well , thanks everyone . I

54:41

hope you enjoyed this episode .