Building Your Cyber Security Team: Blue Teams, Red Teams, and Cyber Insurance

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we're talking about how you can't do this alone.

We've been talking the last few episodes, you know, about, uh, hardening your

backup systems against ransomware.

But remember that much of that tech is only as good as

the team that configured it.

This is why Prasanna and I will talk about how you need professionals on your side.

Uh, we talk about blue teams and red teams, what they actually do, how

cyber insurance fits into all of this.

Let's talk about building your cybersecurity team.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr.

Backup, and I've been passionate about backup and recovery for

over 30 years, ever since.

I had to tell my boss that there were no backups.

Of the production database that we had just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated backup admins into Cyber Recovery Heroes.

This is the backup wrap up.

Welcome to the show.

Hi, I am w Curtis Preston, AKA, Mr. Backup, and I have with me a guy

whose hair I'm continually jealous of.

Prasanna Malaiyandi, how's it going?

Prasanna,

I'm good.

Curtis, come on.

What's there to be jealous of?

you know what's there, and I'm telling you that long.

You know what, what, what does Steven call you?

Goldilocks.

Oh.

Um, yeah, so, uh, what are we talking about today?

Today we are talking about more about or more details about a previous episode

where we covered sort of 10 things you should be aware of to make your backup

or for your backup infrastructure

Yeah, the, it started with the 10 basic things.

These were like table stakes.

Like if you don't have these things.

Don't even tell me you have a backup system.

Right.

'cause you don't.

Right.

Um,

me you don't have, you have a backup.

yeah.

Yeah.

I'm telling you.

Right.

Um, and then we, and then we, um, you know, we got some, uh, some

critique on that, like suggesting we had left things out and.

I, I don't think we did.

I just think that, um, these were like literally table stakes.

Like if you don't, if you don't conform to the 3, 2, 1 rule, like, uh, you

don't actually have backups, right?

If you're not, if you're not scheduling them, if you're not managing them,

if you're not monitoring them.

Like these are basic everyday things that you need to have in your backup system.

But then the last episode, we, um, talked about hardening that backup system, right?

And, um, we talked about, um.

Uh, you know, some sort of modern password management system, right?

We talked about MFA or pass keys.

We talked about disabling or severely restricting RDP, otherwise known as

the ransomware deployment protocol.

protocol.

whatever, uh, allegedly.

And we talked about role-based access controls.

Uh, and um, and then finally we talked about potentially considering using

a service provider of some sort, everything from a service provider

to help manage and make your current system, uh, you know, more secure

to actually going with, uh, a full.

Uh, a fully SaaS based data protection system where they're

responsible for the security.

one thing that popped to mind since the last episode,

Yeah.

I wonder if you went, because Claude and OpenAI chat GT and everything else, right?

They're getting all powerful

and very useful.

I wonder if anyone's actually tried to be like, Hey, here's my backup system.

Tell me what I need to do to secure this.

Yeah.

You know, that would be interesting.

Claude.

Claude is pretty dang smart.

I use Claude quite a bit, right.

I'm literally reading right off of Claude right now.

I use Claude quite a bit.

I and Claude is pretty knowledgeable, not perfect.

You, you, you have to verify like when you're gonna use it to.

Make recommendations for your life.

Like

it definitely hallucinates, right?

Um, but it, it's pretty decent in terms of discussing backup, um,

infrastructure, uh, with it, right?

Um, backup security and, uh, suggestions and things like that.

I, I think that's actually a really interesting idea.

I like that.

Um, so.

The, the next phase here is that, alright, so you, you've,

you've, you've got the 10 things.

You've hardened your backup system in order to, uh, one

of which is immutable backups.

Immutable backups.

Immutable backups.

Right?

So that was really what the last one was about, was, you know, I, I

said in the, in the 10 things, one of the 10 things was you need to

have an immutable backup system.

And then the last time we talked about just basically continuing

to harden that system so that.

No matter what happens, you will have a copy of your data

that you can use to restore.

So now let's talk about what we can do to prepare to be able to use that system.

Right?

is it even to just prepare for what could eventually happen and make

sure, is your system truly immutable?

Yeah.

Uh, no, no, I don't, I don't know what

Yeah, because blue teaming and red teaming,

Yeah.

Okay.

Alright.

Alright.

Um, yeah, that's, yeah, that is true.

At least one of these things is, is, is a way to ensure that the things you did.

The last episode are, uh, actually work.

So the first thing that I wanna talk about, one could, you know, we just

finished, um, I literally got yesterday, I dunno if I told you this, but yesterday

evening I was sent the, uh, the QC one, which is the quality control

one copy of, uh, learning ransomware, um, response and recovery, right?

Which

Which is, your new

Which is my new book with, uh, uh, Dr. Mike Saylor, uh,

friend of the pod, obviously.

Uh, and one of the consistent things that I got was that.

I think that to a certain degree you can harden your backup system without

a ton of professional, uh, help, right?

Meaning that you can just make sure you, you go with certain vendors and

certain features, make sure that you have those features immutability,

real immutability being one of them.

But the more I worked with Mike on.

Actually when we need to use the system, and not just a backup system, but our

overall IT system and security system to actually respond to a ransomware attack,

the more I began to develop the feeling that this is really not something that you

should be trying to attempt on your own.

This is what, what were those old.

The, you know, the, the events on this show are done by a professional sunriver.

Oh yeah,

Please do not, attempt them at home.

Right.

Uh, I don't remember what that was from, but that's where I, and so when

we talk about getting a, a company to help you to do this, what term

do we use to refer to that company?

So normally we call them the blue team.

Yeah.

Yeah.

We're gonna talk about it the other team in a, in a minute.

Right?

But I really think that.

Before you need one, it's time to contract a blue team.

Right?

So they can go through the checklist that we talked about, uh, everything that we

just talked about in, in the previous episodes of making sure that your,

your backup system is, is functional.

I do think someone like me, I'm not the only one out there, but someone like me.

Who is backup system security specific?

Uh, there are things about your backup system that only a backup expert will

be able to help you, uh, look for, but then to take the overall security of

your entire environment and make sure that you have the, the defensive tools.

Tools like XDR, SIEM, SOAR tools.

Right.

Um, to have those things in place.

And then let me ask you a question Prasanna.

What good is an improperly configured XDR system?

Uh, you might as well not have one.

Exactly right.

Um, I would say the biggest issue with an improperly configured XDR

system will be, uh, false positives.

Yeah, why?

Why, why is that a problem?

Why is that worse than not having one at all?

Yeah, because what'll happen is you'll keep getting all these

alerts and then you'll be like, oh, I'm just gonna turn it off.

And then you just shut down the entire system, which means you

might as well not have had anything

Yeah.

Your, your, your alerting system basically becomes Henny Penny.

Do you know who Henny Penny is?

I was gonna say the boy who cried wolf, but

Henny Penney's the story of the person who kept saying the sky is falling.

Oh

Um, and uh, then when this guy actually was falling, nobody, nobody believed him.

Same thing, I think with the boy who cried Wolf.

Yeah.

Um,

the, the, so I know you talked about tools

like the Blue team can help you with

that, I think, and we'll maybe cover this in more detail a bit later,

but in addition to tools, they can also help you around processes

and other things

yes,

yes, Because you know, people, process and technology, right?

Technology is the last one, right?

Because if you, if you don't have those processes down, what

will we do when we get alert?

What will we do when we get.

When there's something that is suggested that, um, you know, that it looks like

we've got some sort of actual attack, what do we do when we have a new system?

What do we do when we have a new person?

What is our onboarding procedure?

What is our offboarding procedure?

There are.

Uh, um, security reasons to look into that.

There are legal reasons to look into that, right?

What is your offboarding process?

So, um, yeah.

And they can help you with all of that.

Help you develop your runbooks, uh, to, to make sure that you have the procedures

and your playbooks to go into the individual, um, procedures so a blue team

can come in a couple of different flavors.

You can have sort of a one time, which I think would be a really, again,

better than nothing, but security is kind of like backup, is it?

If you just do the one time thing, uh, it's very easily for that, for

the configuration to waver over time and for you to be less secure than

you were, uh, at that magical moment.

Right?

Or the people and processes change over time and

now you're, you have gaps.

Yeah.

Your processes change as your company changes, as the, what you do for a company

or, you know, what you do for a business.

Uh, changes.

I actually think back to, uh, there was this company, um, I'll just say it was

a, it was a company that made things.

They actually.

If I said what they actually were like, there's like one company that's like

this, that it, it would really, but they, they actually made something, a physical

thing that you may have actually had in your house and they were using, um.

The, you go back, this is again, this is gonna date this story of course, but

you remember BCVs, you remember EMC and BCVs, and then there were off host backups

using like, so if, if you had, at this time it was net backup, and you could

actually, you could split the BCV, which was a business continuance volume, and

then you could back that up directly, uh, and, and so you could back up your volume

both like offline and, well, not offline, but disconnected from the primary system

and in a way that didn't affect the, the performance of the primary system.

It was a really cool thing back in the day, but it was complicated and I

had it configured and it was amazing.

And then I left and like a month later it didn't work anymore.

And they were like, he didn't configure it right.

I'm like, I'm sorry, but I have videos of it actually, uh, working.

So, yeah.

So I do think that what you should be doing is having a regular relationship

with an MSSP who can help you, if nothing else, just regularly look at

what you are doing and make sure that you're doing things in the, the most

secure way that your budget can afford.

Can you define what an MSSP is for people?

we did that already, but I will do that again.

Managed security service provider.

Right.

And again, uh, you know, this is sound like I'm shilling from a friend

there, from my co-author, but, you know, like black Swan Cybersecurity,

which is, uh, Mike Saylor's company.

So, um.

I think that's you need, even if all you do is create the relationship

now, vet your vendors now so that when you get attacked, and I'm

gonna say when you get attacked, you can then just call them in, right?

You, you get a $0 purchase order.

All of those things.

So that you could just call them.

But definitely what's better is to have them, um, you know, part

of the, the day-to-day routine.

And also, especially if you're a smaller company, they could potentially bring

in, they probably have volume pricing with things like XDR tools and SIEM/SOAR

tools, uh, by the way, so that's, uh, extended detection and response, SIM is

security information and event management.

A SOAR tool, a security orchestration and response, right?

Um, and they potentially have, they most certainly have volume discounts

with tools that they know, they know how to use, they know how to configure

it properly, and you could potentially get a good tool through them, properly

configured for less money than you could potentially go buy a very similar

tool, uh, and improperly configure it.

So, yeah, so big fan of getting an MSSP, uh, to, uh, to learn how to

defend against, a ransomware attack.

And going back to sort of the people and process, so you just touched on the tools.

One of the things MSSPs also bring to the table.

No pun intended is tabletop exercises.

Right.

And Curtis, do you wanna talk about a little about what a tabletop exercise is?

Yeah.

So basically we literally sit around a table and we define a scenario, right?

You know, of like, you know, you just, you just got, um, you know, you just

got attacked by this kind of ransomware.

This system did this, this system did this.

Now what do you do?

And, oh, by the way, Curtis got hit by a bus.

So Curtis isn't available.

What do you do?

Right?

And because your, your, uh, your runbooks and playbooks need to have

all of these scenarios in there.

Good.

I think a good, uh, MSSP will be good at coming up with these

scenarios because they've been in the middle of those scenarios.

Mm-hmm.

Yep.

Yeah,

they're down in the trenches

and they understand what these look like.

Yeah.

And, and a good, uh, I think a good tabletop should be fun, should

not be, uh, the degree to which sometimes a DR test can be not so fun.

Right.

This is something you could do much more often.

You by creating, we, we talk about creating an environment or

a culture of, of recovery, right?

And so this is something so that you keep cybersecurity and ransomware

protection, uh, front of mind, right?

And closely related to tabletops is actually the next

level, which is an actual.

Recovery test.

Right.

How, how is that different than, than the tabletop?

Well, because a tabletop, you're just sort of.

Talking through how you would go about addressing, say you got hit by

ransomware versus a DR test, you're actually doing some of these actions and

actually, uh, implementing and executing on your runbooks and playbooks to

make sure yes, when this thing happens, will it actually work?

It's like we talk about with restore testing, right?

It's, Hey, I created these runbooks playbooks.

Is it gonna work when I need it?

Yeah.

And, and you, you need to be, I, I think this is, I think this is possibly the best

argument for a cloud-based backup system because so many of them have this idea

of an automated, uh, disaster recovery.

Uh, process, right?

That you can literally push a button and fail over and, um, you just need to

pick your recovery point and fail over.

I, I will say that ransomware breaks a lot of that, right?

Breaks a lot of automation, but that doesn't mean we can't like, use

that for, for a ransomware attack.

But at the same time, I think you need to.

Remember that recovering data is just a small portion of the overall

ransomware recovery scenario, and

so

you need to make sure that yes, you might be able to fail over

and test your data recovery, but what about all the other things

? Yeah.

So much.

Right.

I'm glad you brought that up because, and, and, and I think this, to go

back to what I was just saying, right.

At least make sure that you know how to restore.

Right?

Right.

Make sure that your DR system works because it will be the easiest part, or it

should be the easiest part of recovering from a ransomware attack because it will

take days to weeks to months to isolate.

What actually needs to be restored, right?

This is where all of these tools and, you know, and, and different backup

systems have different capabilities here, uh, is to figure out what

actually needs to be restored.

So once you've done that, you should be able to just push a

button and restore that thing and bring that thing back online.

Um, and so I'm guess, so what I'm saying is it can't all

just be tabletop exercises.

We need to actually do recovery testing Now, I don't think.

I, I think this would be a great one to, to bring Mike on and talk about.

I think there is the concept of using in a isolated environment, actually introducing

real ransomware and seeing what it does that's like next level, right?

Um, but, uh, but it again.

The restore should be the easiest part.

So at least make sure that you have that down cold right?

Because you are a hundred percent right that,

um, it's gonna be the, well, it'll be the easiest part, right?

Uh, it's gonna take you a long time.

Well, and even for the restore piece, it's.

Right.

We've talked about this on the podcast before.

It's how do I know what is a good valid restore point that I can actually

recover from?

Yeah.

That, that's gonna be, that's gonna be your, uh, and we do, we

do talk about that in the book.

Um, but, uh, but like I said, once you decide what that is, you

should be able to push a button and magic should just happen.

So what about, uh, people that are gonna prove you wrong?

Oh yes.

So we talked about the blue team.

Right.

They're here, they're helping you, but you have this immutable backup system that's

been hardened, and you want to figure out how hardened is it and are there gaps?

And this is where you go and you hire a red team,

Yeah,

and these are people who are going to attack your system.

They're on your side, don't worry,

yeah.

right?

But they're gonna look for flaws.

It kind of reminds me of white collar where Peter hire hires Neil

Caffrey.

Yep,

to kind of do the same sort of thing.

It's like, Hey, what are the vulnerabilities in the security

system or in this thing so we can identify, fix 'em

before the bad guys come.

Yeah, exactly.

It also reminds me of course of sneakers, right?

Which, if you haven't seen sneakers, go see sneakers.

That is really a red team that is specifically attacking cybersecurity.

I mean, some of the stuff in there is a little silly, but it

really goes into things like, um.

Uh, social engineering and things like that.

Right.

So, um, the, and we had Dwayne LaFlotte on here and, uh, hopefully

I can put a link down in the show description if you haven't listened

to that episode about Red Team.

And do you remember what he said about backup systems?

It's his favorite source to attack.

Yeah.

He is like, I love it when they have a good backup system.

Right.

Actually was so fascinated by that exchange that I actually

quoted it directly in the book.

I actually put it directly in the book.

And, um, yeah.

So a good red team, this is something that you use occasionally to, you

know, you think, you, you, you, you, blue team does the thing.

You've, you've hardened everything.

And then the red team goes and finds out, you know, they shows you that you put in

the wrong TV in your, um, in your lobby.

And then, uh, they used it to hack your environment.

Yep.

The things that you'd never think about.

Um, so yeah, so I, I, I do think the idea of red teaming your backup infrastructure,

I think is a really good idea.

And we are talking all about.

Process tools, right?

Um, we've also talked about, uh, red teams and blue teams, but all of these

things must be super expensive, and when you get hit by ransomware, your

bills are probably going to skyrocket.

So is there anything com organizations can do to sort of help 'em defer

or absorb some of these costs?

Yeah.

And, and that's really where cyber insurance comes into play, right?

If we go back in time, um, cyber insurance, well, this isn't that long ago.

This is like five years ago, right?

There was a time where the only role cyber insurance played was paying the ransom.

You're seeing that becoming less and less the case and that the role that the

cyber insurance company is playing is basically part of your blue team, right?

They're helping you to build the defenses.

They're giving you a checklist of things that you're going down to

make sure that you are doing these things in order to be as resilient

against ransomware as you can.

Um, and yes, they, uh, are the company that then.

Funds, the, you know, the, you know, the, the actual process of hiring the,

the blue team to bring them in, right.

The incident response team, because that will be very expensive, right?

Um, and the incident response team, the, the blue team also, they're

going to know, and the re the, um, the cyber insurance people, uh, as

well are going to have access to, uh, essentially hostage negotiators, right?

Um, and so they, they actually, uh, what do you call it?

Um.

Negotiating with ransomware threat actors is a thing.

Right.

Um, and, uh, I mean, I still don't like the idea.

Right.

But depending on the scenario that you're in, you may have no

other choice either, uh, do the thing or, or go out of business.

Any, any thoughts on that?

you probably need to get cyber insurance if you don't have it already

today.

And then also make sure you are strictly abiding by the terms

of what's in there and that you are actually doing what you say you are doing.

Because the last thing you wanna do is pay insurance and then them finding

that, oh, you didn't do X, Y, and Z

and therefore now they're not paying out.

Yeah.

Yeah.

That would be, that would not be a very good day.

Right.

Well, sort of a summary statement, the recurring theme in the book was

these things that you need to do and, and this goes back to the past

three episodes, including this one.

They're really easy, most of them, they're really easy to do.

Um, they might not be free.

Well, they, they won't be free, but they're not, there was nothing that

I recommended in the book that was like, oh my God, it is just gonna

be near impossible to do this right.

Near impossible.

I mean, possibly from a backup and recovery and

disaster recovery perspective.

Possibly the most difficult thing is, is some automated system.

To recover your data.

Right.

Um, we, we did cover in the book how that, I think that the better way to

do like a full scale restore because of how difficult it is to wipe.

Um, because it, it's very easy for the system, a system that you're

backing up to get infected before.

You know that it's infected, so restoring it from a backup from

yesterday will just reinfect it.

Right?

So as much as a fan, as I, as much of a fan as I am of backup, I, I think that

the idea of like re-imaging systems from a golden copy that you had from, you

know, the last time you reconfigured the OS at all, and then just restoring the

database, the applications, and the data.

Individually or separately from the backup system.

I, I think that's a much stronger, um, you know, thing.

And I think we could probably have an episode just on that.

Yeah.

And I agree it's probably stronger, but it may take significantly more time

Absolutely right.

There's no may about it.

It will take it, it's definitely a. I don't think it's a situation of

throw out the baby with the bathwater.

But it's definitely a significant change in infrastructure, right?

If you're not used to doing golden images, if you're not

used to doing that sort of thing.

And again, you need a process there because every time you update

the operating system, you need to update the golden image, right?

Um, and, but it, it's, it's another one of these things where

that, if you get good at that.

Um, again, you can just push a button, right?

Um, but it's, it's, it is totally doable.

But what I, where I was going with just a few minutes ago was that all

of these things are, they're doable.

They will definitely not be free, but they're doable with

time and effort and concern.

They all have to be done in advance,

Yes.

It, it does, it is like, one of the jokes I continually make is remember,

it doesn't matter when you invent a time machine, but it matters very much when

you implement a good backup system, when you implement a good cybersecurity system.

Right?

It, it doesn't, you know, it's sort of like, uh, you know, vaccines only work if

you take them before you get sick, right?

Uh, yeah.

Very

and just the one thing I wanted to add to that is you don't need to implement

everything we've talked about day one.

Good

You can, right?

We've been talking throughout this, these last three episodes.

Good, better, best, right?

You're on this journey to get to the best, right?

Or to better wherever,

based on cost and other things like that for your organization.

But you need to start somewhere, right?

So just start the journey.

You will eventually get there, and you'll be much better than where you are today.

Yeah, really good point.

Prasanna, it might take you a year.

It could take you longer than a year to get from where you're

at to where you want to be.

This is again, where I think professionals can be very helpful

because they can help you prioritize.

Right.

Like if I looked at your backup system and I saw that you, you weren't doing

3, 2, 1, I'd be like, dude, you gotta at least get another copy off the system.

And I would also say, if you're not currently doing immutable backups, that's

like number two, number 1, 3, 2, 1.

Number two would be immutable backups if you, and actually immutable, not just

something that's branded as immutable.

Right.

And then I would help you understand, well, what, and I'd be like, I'd

help you look at the product and go, well, when they say immutable.

They don't really mean the same thing.

I mean, right.

And then the same thing with, uh, an MSSP can help you do that, and then

once you get to a certain level, or maybe, maybe you start with the red

team, you have the red team hack you and you know, and go and, and just,

you just know how bad things are.

And then, you get a, a hit list of what you need to what, where

you need to, uh, start, right?

Yeah.

Uh, it, it, it's a process and it's a, it's an iterative process.

It's a never ending process.

Um, now the, the theme song from never ending story is now on my head.

So I hope it put it in everybody else's head.

And, uh, I want to thank you, Prasanna.

It's been another great episode.

I enjoyed this one.

I, I like these sort of quick hits where it's like, Hey, let's

focus on a couple areas and figure out what to do, how to help

people.

Yeah, me too.

Uh, hope, hope you folks enjoyed it.

Uh, I'm sure we'll hear in the comments if you didn't, um, and what we left out.

Uh, and uh, you know, that's why this is also an iterative process that is a wrap.