Hello, everybody, and welcome to What's the Problem, the podcast that explores problems, issues, considerations, and any hot-button topic in the world of cybersecurity that is going on today.
Today, we are fortunate enough to have Alex Titze joining us from Blue Team Alpha.
Mike Krass: Alex, wave hello to our listeners.
Alex Titze: Hey, good morning.
Mike Krass: We are excited to have you here, Alex. Now, tell our listeners, why are you qualified to talk about cybersecurity?
Alex Titze: I've been in the industry for seven years, which might not sound like a lot, but the world of cybersecurity moves so fast, and people come in and out of our industry. I've been on the sales and marketing side. For the last seven years, I've worked with some of the industry leaders, with Gartner and Forrester, and a lot of those have been the service-side companies, and we interact with a lot of folks in this space on a day-to-day basis through our partner channel.
Mike Krass: Excellent. If I recall correctly, Alex, the problem we were going to explore with the listeners is the education gap. For example, do I need to purchase a pen testing product or service? Am I looking for vulnerability scanning? There seems to be an issue with that education gap, and the outcome is how we sniff out and ask the right questions to purchase the product that meets our organization's needs. We're not overbuying the product here; we're buying exactly what we need to handle something within our organization. So talk to us a little bit about that education gap. How do you sniff out and ask the right questions to figure out what your organization truly needs?
Alex Titze: I think it comes down to understanding your objective. Many people in the cybersecurity space are flooded with acronyms or marketing hype around certain products or solutions that will fix all of your problems and prevent every breach. We all know that that's not the case. You're sold a bag of goods, which sometimes doesn't meet your objectives. For folks to focus on what they're looking for and the why behind it will help them sniff out if someone's selling them on a blinky light or something they just don't need. You brought up the example of the pen test versus vulnerability scanning. I think that's one of the most common problems in our industry. There's no unit of measure for a pen test and no common standard. NIST and ISO are probably the closest that we get to that. But if somebody presents a statement of work that says "pen test," you want to believe them at face value. Sometimes it's a scan, and you can sniff that out based on what it will cost or how much time it will take, because pen testing is an art, and vulnerability scanning is just using tools. So, rather than taking the company at face value, I recommend sniffing out and asking questions about the methodology or the types of people working on it.
Mike Krass: What measures of time start setting off yellow or red lights for you if somebody's selling you pentesting? We'll have this program up and running in a year; what are those alarm bells in terms of time?
Alex Titze: If anyone says that they can get it done in two to three weeks, have the report written and all the findings and all that, it's probably not as thorough of a test as you'd want. But it also shouldn't take somebody four to six months to do it unless you're doing a continuous red team engagement. A pen test is probably four to six weeks on average, depending on how big the data environment is, but I'd say that's a good parameter to look for.
Mike Krass: Gotcha. You mentioned continuous red team engagement. Are there certain types of companies or stages of maturation within a business where that would make sense versus another stage that would be overkilling? You don't need this continuous red team engagement for the next three months after we finish the pen test.
Alex Titze: I think the maturity of a company in its information security program is the biggest indicator of what you need. The crawl, walk, run approach is good for most folks. If you haven't done the scanning, don't do the pen test. There's a bank robber analogy or a house robber analogy that I always hear. If you pay somebody to break into your house, you might want to ensure that the windows and doors are locked before doing some things.
Mike Krass: That makes perfect sense. What I hear from you is that it might sound like, in air quotes, "If we're going to do the pen test, why don't we do some red team engagement here?" But if this is new to the organization, or newer, I should say, to their security operations and the overall staffing, such as the internal staffing of the business, it might sound like a great idea from a security standpoint, but it's way overkill. It's buying a Ferrari and living around a school zone. You're still going to drive the same speed as the Geo Metro. No one's going faster than twenty.
Alex Titze: I think companies should make it a goal to make it hard on a tester. The Blue Team Alpha guys like a challenge and don't want to just get in in a few minutes; that's no fun for them. If you can do the building blocks up into an engagement and make sure you have your ducks in a row, it's more rewarding for both companies, honestly.
Mike Krass: From what you've heard from the guys on staff with the Blue Team Alpha? What are some examples of making it fun and challenging, a little bit difficult for them?
Alex Titze: Just have good patch management in place. If you have monitoring solutions on the network, those can be a fun challenge to get around, make fun things, and then just have good passwords internally. I was on a call this morning with them, and they're like, "Yeah, we got in on this internal pentest in two minutes because that's an admin's password." It's no fun.
Mike Krass: They had this username admin, and the password was password.
Alex Titze: And that's super easy to remember for them. If the business says, “Oh, maybe we should think about changing that.”
Mike Krass: Circling back for a final question on this topic. We talked about how time can't be too short, can't be too long. That's a red or yellow flag that you might be being oversold. What about the price? We're just sticking with the pen test example. What prices have you heard in the marketplace where they're either so low that it can't be that accurate and thorough, or so high that they must be slipping something in here, that this can't possibly be just a simple vulnerability scan or an early-stage pen test engagement with no ongoing?
Alex Titze: It can be a tricky question, depending on how big the organization is. But I'd say a general rule of thumb is, if you're a small to mid-size business, you're probably looking at $5,000 to $10,000 for an external pen test and a little bit more for something on the internal side. If you're getting quotes for $1,000 or $2,000, it's probably just a vulnerability scanner, and they're doing some quick tooling. But if you're getting $40,000 to $50,000 in your small or midsize business, just a couple of IPs and under 300 employees, they are now giving you something you probably need.
Mike Krass: Got it. Alex, I'm going to call myself a liar because I have one follow-up question on this topic. Could a timeout crawling, walking, running, and a vulnerability scan be a good first step for a small business? Not even a midsize, like a small business, before they even get to a penetration test engagement? Or, in your professional opinion, do you think someone should just go straight to a pen test and involve some human factors outside the tool?
Alex Titze: Pentest or vulnerability scanning is a perfect first step just to see what you have and to do that ongoing before you involve that human element.
Mike Krass: Got it. Yeah, that just came to my head: if you're being sold a pen test, and it's a vuln scan, obviously that's an issue. But it also seems that could be a good first step if you've never engaged as a small business in any of these services. From a security standpoint, you're probably relying on your vendor's security measures. If you're a Microsoft 365 business, in terms of your business applications, or Google business applications, you're just relying on whatever they have built. You're not configuring or purchasing anything additional. So a vuln scan could be a good first step in putting your toe in the water and seeing where you might be exposed. There might be an attack surface that exists.
Alex Titze: Absolutely. That goes back to the original point of understanding your objective. I was on a call yesterday with some folks, and they wanted a pen test because they heard that's what they should do. And you start to dig in and understand the objective behind it. It was just really to take a look under the rug and see their vulnerabilities across the business, and that's more of a risk assessment, so just understanding the why behind what you're buying and what you're hoping it will accomplish can go a long way. If you find the right vendor to work with, they'll understand that too so they can help you through it.
Mike Krass: Awesome. Well, we are at the heart of our recording, where we get to the last fun question that puts a smile on most people's faces. Alex, tell us about a terrible haircut you've had at some point in your life.
Alex Titze: The one that stands out to me was when I was 10 or 11. It was summer, and I headed out to a family reunion to see all my cousins, all the cool ones from California. So really hyped up, and my dad was giving me a haircut in the kitchen, and he sneezed or coughed or something. He had the razor right by my head, and the blade fell off. I get this nice chunk taken out of my head. I had to wear a hat and hide and shame the whole weekend because I just had this big old chunk out of the back. I don't think my dad's ever lived that one down, but that's probably the worst.
Mike Krass: I love it. I went a little short in just one very specific area, which could only have looked terrible.
Alex Titze: I knew it was extra bad because back then, I was a cool kid with the long skater hair. I was cool back then. It was a really big deal.
Mike Krass: Yeah, that sounds like my early days of college. I had long hair down my shoulders. I was way cooler than I'll ever be again.
Alex Titze: According to myself, my wife thinks upset, but I think that was cool for me.
Mike Krass: Awesome. Well, Alex, I wanted to just thank you for joining the show and providing some of your expertise to our listeners. If folks hear something on this show, and they either want to reach out to you personally or want to hear more about what Blue Team Alpha is about, how do they get in touch with you? What's the best way for them to contact Blue Team Alpha, whether through yourself or somebody else at the organization?
Alex Titze: Always happy to answer any questions or field any. They can shoot me an email directly, reach out on LinkedIn or just find me at blueteamalpha.com and hit the chatbot. Lots of different options to reach out.
Mike Krass: Perfect. Listeners, you heard it here. We'll include Alex's LinkedIn profile so you can connect with him professionally and talk about cybersecurity. Then, the Blue Team Alpha website has a chatbot that will speak to you. If you ask enough questions, I'm sure you'll get a human to respond. So just keep pushing those questions and eventually stump the logic of their chatbot. A human comes and talks to you.
Also, for our listeners, if you have any questions about sales or marketing with regard to the cybersecurity industry, MKG is here for you. We're easy to find. You just go to mkgmarketing.com, and you can also hit our chatbot, stump the logic, and get to humans as well. So, to our listeners, thank you for joining in and listening to What's the Problem, the show that explores problems, situations, scenarios, and more in the world of cybersecurity. I appreciate having you.
Alex Titze is Blue Team Alpha’s Director of Incident Response and has several years of experience in the cybersecurity and partner channel space. Serving the small to midsize market for the last several years, Alex loves to be around a fast-paced environment and work with partners to serve the IT and security community.