Guest: Brian Coleman, Owner, Matchstick Birmingham
Episode description
From learning the basics of technology from his computer science doctorate mother at an early age to starting up his own IT consulting business, Brian Coleman has dedicated nearly his entire life to the IT field. As such, he has a very unique perspective about how much the industry has changed over the past year as many organizations switched to a fully remote work model, and how their tech stack had to evolve to accommodate.
Listen to this episode of Where’s the Any Key? to hear his takes on modern IT security processes, as well as the dos and don’ts of using several of today’s top IT security tools in your stack.
The following is a transcription of an episode of our podcast, Where’s The Any Key? Feel free to reach out with any questions you may have in response to this recording. You can find our show on Apple Podcasts, Spotify, and wherever podcasts are available.
Ryan Bacon: Welcome to Where’s the Any Key?, the podcast where we talk shop about topics, tips, and trends for the modern IT admin. I’m your host Ryan Bacon, the IT Support Manager at JumpCloud®.
Introducing Brian Coleman
Ryan: Joining me today is Brian Coleman. He is the owner of Matchstick Birmingham, an up and coming IT firm in Birmingham, Alabama. Thanks for joining us, Brian.
Brian Coleman: Thank you so much for having me!
Ryan: Alright. Why don’t you tell us a little bit about yourself?
Brian: Awesome. So I got my start in IT and technology quite a long time ago. I was fortunate enough to be the son of a graduate student mom who was working on her doctorate in computer science and statistics, and would take me to the computer lab of the university that she was attending almost every night as she was working on her dissertation and so I got my first kind of introduction to technology from essentially sitting in the corner of the computer lab with the IBM PC that they had at the time… ran on two floppy disks, two five-and-a-quarter inch floppies. While she was off doing real work on mainframes, I was teaching myself DOS and I was teaching myself, you know, just kind of what a computer was back then. So since that time I’ve just always had an interest.
I got carried into high school years with, you know, the very first beginnings of the concept that we call networking today. Back then it was all dial up. It was all calling these BBS systems and you know, just all the, at that time, fun, new, cool technology that we’d never even seen before. And from there, it was dial-up internet connections and the internet in general. And then when I finally graduated from college, I got the opportunity to work for a telecommunications company. And that’s when I really got my feet under me and said, “This is what I want to do.” And since then it’s been one good ride. I had the opportunity two years ago, next month, two years ago to start my own IT consulting firm. it’s been the best thing I’ve ever done. I’m so happy and I’m not looking back. And, and yeah, I think that when you spend, what’s going to be almost 30 years of experience in technology, you kind of get to share some good stories. You get to make some interesting opinions. And so I’m really glad that you guys have me here and looking forward to talking about stuff.
Ryan: Yeah, definitely good to have you here too. And to go on a little bit of a tangent, right at the very beginning, I also used to frequent a lot of bulletin boards and a couple of years ago, I found out that y’all used to go on there to like to play their, like, adventure games and stuff that they would have. And I found out that there, one of the games I used to play a lot with still was still active and still had an active BBS set up. I was able to get onto, I jumped onto Puddy and connected it and like relived some of my high school days,
Brian: Somebody is running a Sage server out there that you can log into? And this is like an old MUD game?
Ryan: Yeah. It was an old MUD. So it was, yeah, it was crazy. There was definitely a blast from the past.
Brian: I remember, you know, post BBSs, but kind of before, you know, the internet was a thing. It was in that weird time when America Online was considered the internet. When I got to school my freshman year and sat down at a terminal…. it was actually a SPARC station, if y’all remember what those were…. I logged in and suddenly realized that there were like 500 other people logged into the system at the same time. I’m coming from a goofy kid, goofy nerd kid in Texas dialing up bulletin boards, where you might find a board with another person logged on, to have 500 people to interact with… it was a whole new world? I didn’t know what to do with myself for a good solid two months. I had a lot of catching up to do with grades after that.
Weighing the Costs and Benefits of Security Tools
Ryan: I imagine. All right. So going on to what we’re going to be talking about today: we’re going to talk about security tools and to kick things off, I want to get your opinion on, with security tools, so like endpoint protection, antibiotics, that sort of thing… in your mind, at what point does the benefits of the tool become overshadowed or outweighed by the resources required by the tool? So, the impact on system performance and that sort of thing.
Brian: Yeah, exactly. And that’s a big thing, obviously, because not only, I mean, every year we realize more and more that security is becoming the foundation of our interaction on all the networks, whether it’s internet or private networks or whatever. So it’s a need, the need for adequate and robust security tools will never go away. But all of us, probably more than once, have had the occasion to realize frustratingly that the security tool that is being used on the machine that you’re working with is preventing you from doing the work that you need to be doing on that machine. And that could either be anything from just, you know, massive resource overutilization as this security tool scans, you know, across bigger and bigger, hard drives you know, consuming more and more CPU to do these more intense scans.
It could also be you know, to the point where application white listing may come into effect. And, you know, the, the build of let’s say Word or Excel that you just got through Microsoft Update, hasn’t actually made it to the application whitelisting, centralized, you know, knowledge base or centralized server. And it won’t let you run it. And it’s just Word, and it’s not even a weird version of Word you’d got from, you know, a back alley. It’s the Word that came from Microsoft Update. So, I think that, in order for a security tool to truly be effective, it not only has to do the job technically, but it has to do it in a way that is so non-interfering that it almost just becomes an afterthought to the user. And I don’t think we’ve quite gotten there yet.
Ryan: Yeah, I think things have gotten better, but yeah, there’s still definitely quite a ways to go. And I would imagine you run into this too, but like, we have users who are admins on their systems, you know, because it’s part of their jobs and they need it. But like, when that scheduled scan hits and it spikes their CPU, they’ll just go in there and kill the process. And that completely negates the advantage of having it there.
Brian: That it’s, in my opinion, that’s actually worse than not having it there. You know, it’s this false confidence that no, the is protected because we know it has endpoint protection on it. It’s reporting back to our console. We can see it. Yeah. It hasn’t run a scan in like three months, but we’ll get around to it. You know, that’s a far worse and dangerous situation, then a truly unprotected device on your network, because at least at that point, you know what you’re dealing with.
Ryan: That’s very true. And it could be one of those things where it becomes just a huge, it becomes a huge hindrance because I’ve, I’ve seen it happen where, you know, somebody will stop the scan, whether by killing the process, you know, rebooting their system, something like that. But, you know, it’ll just keep, the protection just keeps trying to scan. So instead of having that headache for, you know, an hour or so, while the scan happens, they end up dragging it out for days and, and it’s other, you know, the whole not having the protection and all that aside. It just becomes a huge headache for, you know, our customer, for the person using the system, because, you know, it’s causing this interference and honestly it can make the IT team look bad because it’s either, “why did they issue us this piece of garbage laptop that the fans are always kicking in and it’s always overheating,” or “why are we using this? Why are we using this antivirus thing that is horrible?”
Brian: Right. And I was just going to mention, that’s one of the kind of resource kills that a security tool can do. It isn’t so much like killing a laptop or, you know, maybe preventing someone from doing their work, but this kind of constant dark cloud that an IT department has that they’re not doing the best they can because everyone has this certain kind of baseline, cosmic radiation level of complaining, you know? So again, the best security tools are the tools that you don’t even realize are doing their jobs. And the other side of it, you know, we kind of tend to focus on, like hardware utilization and the ability for an end user to get their job done on a laptop… But, what I’m seeing more is the idea of centralized logging and the ability to aggregate all of these security events into a place, and then have that information there starts to demand resources from a different part of the company and that’s people.
So not only do you have the hardware side, possibly burning up and churning to get through the technical scanning of the zeros and ones, but now you have to have a group of people devoted to the results of that scan. And what does that mean? It’s almost an analogy to your other example of a guy that a developer that kills the scan, you know, every time it starts up and now you have this dangerous protected yet monitored or sorry, unprotected yet monitored system, the same thing is true with, you know, all this aggregated logging and scan results information. You have to have enough people to look at that information and make rational and timely decisions based upon that information, or it’s not even worth having. And that resource, that’s so resource intensive, right?
Ryan: It really is. I mean, depending on the size of your fleet and your employee base and everything, I mean, you almost, if you’re going to do this yourself, you almost need your own security operation center [SOC] running.
Brian: More and more customers, you know, granted Matchstick is dealing, our customer base are smallish organizations, mid-tier organizations, anything from say 50 to 300 people. And even the smallest companies I’m working with, 25 people, they’ve already talked about SOC. They’ve already talked about getting a devoted security framework. And this could be just a 25 person architecture firm, but it’s gotten to the place where that is a common concern, even for small business owners that have nothing to do with security compliance
Ryan: Yeah. And I think that’s the reason why you see these security companies who are going up and offering, you know, SOC “as-a-Service”. So, you know, your ones that bundle it with endpoint protection, like, CrowdStrike or Sentinel One, or even ones that like, we’ll go and we’ll put an appliance in your network. So like, Arctic Wolf I think is one of them.
Brian: Yeah, Canary’s another good one. I liked the idea of these kinds of like, you know, throw-it-in-your-network honeypots because, you know, when I first heard about the idea, I was like, man, I wish I would’ve thought about myself. It’s a very low footprint thing to install in a network and it can immediately bring back some pretty strong returns on that small footprint investment.
Ryan: Yeah. And I think that if you look at the price for these things, I know that, you know, the last place that I worked was a nonprofit, a fairly small nonprofit. And, you know, I ended up talking to somebody at Arctic Wolf and, you know, the price was… it’s a very interesting balance because, granted it’s not a low ball, you know, it’s not cheap, but when you compare it to like, how much would it cost you to run your own, to have a full time security person reviewing that, then it’s a bargain. But then you come into the tricky part of explaining that to the finance department or to, you know, the executive team or whoever makes the decisions and signs off on that sort of thing.
Brian: Right. Right. That’s one of the reasons why it’s always interesting when I run into a potential client or even a customer where their internal IT division runs up through their finance side of the house. And that’s so common because IT has never been a revenue generating department. And so it falls into the business operational expense like everything else, but that means so many times those IT decisions are based on financial reasoning and sometimes those decisions may or may not work out, you know? So it is, you’re right. It’s hard to kind of get that last yard in and say, you know, “These are the things that we need to do, and it’s a great tool… might be mid-tier expensive, but here’s the rewards for them.” Now, one thing I am seeing today more than ever is that the operation sides and the finance sides of these customers are I’m working with are much more open to spending money on security and spending money on even things like a SOC, an outsourced SOC, compared to what the environment was like 10 years ago, 10 or 15 years ago, that didn’t exist. And today, now, even the CFOs are saying, “What do we need? How do I need to get us to the security position we need to be in?” And that’s really cool.
Ryan: It is. And I think a big part of that has to do with how publicly communicated a lot of these data breaches have become. And part of that, you know, part of the reporting on these data breaches is how much monetary damage was involved in that. And I think that that really does help the people who are just on the business or finance side of things really see that, “Hey, this investment is worth it.” So, I mean, I’ve been fortunate that like, I’ve only had to deal with a single ransomware attack and our, our disaster recovery program, you know, practices were sufficient to recover from it without having to pay out. And we only lost like, maybe an hour’s worth of data on a Monday morning. So we didn’t, there was really no, there really wasn’t a big loss there. So, but, you know, I got lucky. I got really lucky,
Brian: I think that the it world is full of stories that you have and that I would have about how close you were to not dodging that bullet, you know, and you don’t even realize it until maybe a few days later after you’ve done the post-work on it and you’ve gone through, and you’ve figured out exactly every second of that night leading up to your Monday morning discovery. And then you see there is that one moment in time where, had something gone just slightly different, the outcome would have been catastrophic, right? That’s good because I hope the stories that you say, and the stories that I share with customers kind of echo, and they resonate up to the leadership and it makes, hopefully it makes a difference.
Introducing Machine Learning to Make Security Decisions
Brian: I think that, kind of getting back to what we were talking about with security tools doing their job, but not doing their job… doing their job and doing their job in a way that is the most beneficial to the end-users and the management… I hope that with the ever increasing pace of machine learning and AI and the ability for, if you just feed enough raw information into some really smart, you know, to use the term poorly, algorithms, you’ll start to get some results quickly and you’ll start to get meaningful results quickly. So going back to the idea of, you know, you’ve, you’ve got a good endpoint protection strategy in place. You are collecting events and sending them to a centralized aggregation server, such that something, or someone, can look at those events; today that’s where it kind of breaks because either you have a trained staff that’s watching these things, or you have a trained staff in conjunction with some backend intelligence to kind of trigger on certain events or certain series of events, but that still requires, it almost requires knowledge of the attack before the attack.
It kind of goes back to the whole, like zero day vulnerability issue. It’d be wonderful if at some point in the near future, that SIEM [Security Information and Event Management], that log aggregation technology in the background, isn’t just looking for signatures or a series of events, but actually getting smarter everyday, kind of thing. Cause then you can just turn the service on and say, “All right, let’s go. Let me know when things get bad and that’s going to be a big point because at that point, if the agents on the end points, aren’t consuming the end points to death, and you don’t have to devote 25 or 50 eyeballs, 25 people looking through all of your logs, you can, you can start making big headway.
Ryan: Yeah. And I think that… we’re going through a process of evaluating vendors for this sort of thing right now, you know, ‘cause it’s always a good idea to reassess what you’re using and what is out there. What I’ve been seeing is that they are definitely making progress and, you know, leaning in on the whole machine learning side of things. And that kind of alerting is, I think it’s closer than we may think, but in my mind, where the problem, where the big disconnect happens is in the remediation part of things, because, you know, whether you get your alerts, whether it’s from, a signature is detected, or you have one of these machine learning platforms going, or, you know, just however you get the information, then what do you do? How do you know how to best deal with these, especially when you start getting these, you know, self-replicating, and these really intelligent types of malware?
It’s not a simple matter of killing a process, deleting a registry entry and deleting some files… you have to know where the stuff is. And this is something that, you know, that I saw that really like dawned on me severely during some of these demos that I saw, because I look at, you know, they give examples of some of the remediation steps and even the person doing the demos say “It’ll take me 30 minutes to an hour to do this,” but you know, the team that works on it that does this all the time, that 50 eyeballs of people looking at this, that do this, like how can, you know, they can do it quickly, but how can an internal team, probably a very small team, how can they manage to keep up with that sort of thing?
Brian: Right. That’s a great question because I mean, I think more than ever today, the response to an incident is going to be incredibly heavy-handed, and that may be good. I don’t really know where I land on that. I mean, if we’re looking at this conversation through the lens of security shouldn’t get in the way of people doing their work, well, at the point where I have to come take a laptop from somebody because it’s triggered all sorts of security events, I’ve pretty much prevented them from doing their work in a security manner. Right? But then you have to weigh in what you just said, the intelligence, well, the ever increasing intelligence that attackers are using almost requires a pretty strong response from the get go. You can’t wait very long to kind of figure out what you’re dealing with because by that time it could be too late.
Building Security into the Operating System
Brian: And so that would be a great next advance in security tools, endpoint protection, especially would be, with the help of that highly specific intelligence built into the back end to detect threats. Then the next step would be to have that intelligence tell the endpoint to react to the threats and do it in a way that mitigates the problem but doesn’t like completely ruin the user from ever being able to do anything that day. And I may be just talking science fiction here at this point because I’m not even sure how I could imagine that would happen. So… but that’s a great thing. I mean, I, you know, in my mind as a technical kind of problem solver, I’m starting to think about, well, maybe we can just virtualize it. We can containerize everything in a laptop. So if you have an issue with a part of it, you just shut the container down and never worry that again. And something else could pop up in this place, but even that isn’t going to really solve what we’re talking about. But, I feel that should be the end result. I think that the full cycle of detection, well, not just detection, the full cycle of attack, detection, decision on action, and remediation has to be incredibly fast and almost invisible to the user. And, at that point, we will have a solid like security footprint. That may be something that needs to be built into OSs coming down the road.
Ryan: Yeah, true. Oh man. But then that comes, I think with building it into OSs, how much of, or one of the things that we have to look at when we’re evaluating these kinds of products and these kinds of platforms is, what happens locally, and what happens on the cloud? How much of this analysis happens on the machine on the client side?
Brian: I don’t know. And that goes back to the argument that will never be one, which is, do you want to have incredibly powerful endpoints, you know, ever faster processors and ever faster RAM in endpoints in order to keep up with the needs of security tool, or do you try to offload that and let those decisions be made in the cloud and, you know, trust on connectivity and other things to make that circle of attack, detection, action, mitigation work? I don’t know. I mean, there was to kind of speak to my old-man experience in IT, when cloud, as we know it today really started to take off, you know, when, when Amazon and Microsoft were trying to kill each other on who was going to own cloud, I was that guy that was like, “Nope, Nope. Physical data centers. Nope. I don’t want to spend a dime on cloud,” and looking back on it, I realized that was an idiot decision to make.
But I just never had the belief that you could do what needed to be done, you know, in this completely outsourced, you know, cloud data center thing. I think that there’s no other way around it these days, that you’re always going to have to have some component of that security cycle, that circle I was talking about, in the cloud or in some way to be able to aggregate that data and make decisions upon it. But yeah, I don’t know if the answer is to just make hardware better and better. I mean, obviously that’s going to happen because that’s the way you get new laptops every year. But maybe you shouldn’t just leverage that new hardware to, you know, make your security tool consume a little bit more CPU cause it can get away with it. I don’t know if that made any sense.
Using Remote Wipe and Backup to Simplify Security
Ryan: Yeah. Well, I’d say one thing that’s kind of along these lines is with Chromebooks. I mean, you get, I remember not too long ago, if you mentioned Chromebooks in an IT sense, people would stare death at you, but I will say one thing that they do really well is, you know, you can take the “nuclear” option on them, and they recover from it so quickly. You can erase it and you log back into it and all your stuff comes back down. So, you know, it pretty much sets itself back up. So, at that point, I mean, if it were me and if I had an office of people who were using just web applications and, you know, I guess you could say standard office work where they could do their word processing and stuff like that on like either on G Suite or on Office 365, on the online tools…. I would so push out a fleet of Chromebooks. But the fact of the matter is that there’s practically no offices that are just like that. And especially like here at JumpCloud where, you know, you have development teams… I will say Chromebooks have gotten better on that side, but there’s still not… you know, there’s still some stuff to be desired on them. And there’s just some things you can’t do.
Brian: Yeah. I mean, they will always be considered a tool, or a toaster, right? And that’s fine. It’s funny that you mentioned you know, you don’t see an office like that, but well, one of my biggest customers here in Birmingham uses a fleet of a hundred and something Chromebooks in addition to a pretty big Mac footprint. But the primary role of those Chromebook users is they do a lot of voice over IP calling and a lot of interaction with like SMS and texting and stuff like that. And so there’s a standard stack, and it all works within the browser, it all works within Chrome. And so we issue out Chromebooks and you’re right. The management is so amazing on that. Like you can nuke one from orbit and no big deal, right. Or I’ve never had a fear of some strange attack vector on a Chromebook because they only do what they do. I mean, even if somebody wanted to use a Chrome exploit to get into the shell on a Chromebook, like you say, all you do is just zap it, and you’re back to where you started. I hope that at some point, some of the, like what we kind of jadedly called like a “real laptop” and that’s no disservice to Chromebooks, but the real laptop could kind of have that same functionality.
One thing that’s super interesting to me, and I’ve talked with others about this with… sorry, tangent, bear with me: with the introduction of Apple Silicon, and Apple making their own, you know, down to the guts hardware, there is this kind of bubbling rumor that Apple is going to come out with some sort of Chromebook-like competitor something that’s not a tablet, but it’s not a MacBook Air. It’s a MacBook SE or something like that, you know? And I can not wait for that because my hope is that it will have not only the horsepower to kind of outshine, outclass some Chromebooks, but also have that ability to manage it like I can manage a Chromebook today using Google Workspace. If I can manage this new hypothetical Apple product through the MDM framework that is really growing and really getting stronger and stronger every year, that is going to be a game changer. And I would go back to my client that’s running, you know, 100 and something Chromebooks and I would say, you know, the next time we start talking about a hardware refresh cycle, let’s think about throwing this Apple product in…
Ryan: And honestly, yeah, I would push for that too. And I was thinking along those same lines, like with the direction MDM’s going in, how long until we get to that point where you can have essentially a Time Machine backup that works through MDM? So you have your managed Apple IDs in Apple Business Manager and so if the person gets issued a new laptop, they log into that Apple ID and it just pulls that image on there.
Brian: Just like a cloud-based Time Machine backup, right?
Ryan: Exactly! And I mean, I know it’s a pipe dream, but I mean it’s starting more and more to seem like it’s in the realm of possibility. And I would jump on that in a heartbeat.
Brian: Yeah, I think it would just be truly amazing because like you’re saying before, you know, in the security cycle, if you do run into something where you feel that this, you know, this hypothetical Apple thing is compromised, like you do with the Chromebook, you just whack it. And in the back end, you could have intelligence that’s scanning through those, what we call the cloud-based Time Machine backup, scanning through that thing to make sure that it’s clean such that when the machine gets brought online, it is restored to a clean state. I mean, that means the response and mitigation for something like that would be in the matter of minutes. And how cool is that, right?
Incorporating the Remote Wipe into Regulatory Certification
Ryan: Yeah, that would be awesome. And going back to like how, how advanced and complicated these attacks and this malware is getting, I mean, really, for those of us IT people who are not spending all of our time dealing with security threats, us normal IT people, I mean, really it becomes the nuclear option really is the only way to be sure.
Brian: And I do appreciate, and I concur with your assessment, that security folks are abnormal. Completely kidding, all of my security friends.
Ryan: I adore the people in our security team.
Brian: ‘Cause you know what happens if you don’t! But really, I think that not only, you know, for the overworked IT staff, the nuclear option starts to become more realistic, by the minute, but also I’m working with a lot of customers that have to have some pretty strict certification, regulatory certification: HIPAA, HITRUST, things like that. And in those security frameworks, that is the only answer. Like if you know you have a compromised machine and you want to maintain your HITRUST attestation, you just whack it. You boil it down to the bare metal. And in a lot of cases, they don’t even let you bring the bare metal back online. Like, in a lot of cases that thing’s just gone, just go shred it. So in those environments, the idea of, of, you know, the nuclear option, it’s not nuclear anymore, that’s just the option.
And if you could, you know, in this hypothetical world with this magical Apple device that can download the Time Machine backups, but if you could, you know, go through the efforts to get that process certified, get it to pass attestations, that would be, that’d be such a winner. You know, if you could say that this hypothetical, zapping of the device from afar and then reloading it with a known clean image, satisfies the requirements… Oh man. I mean, it would be a new world, you know, because there’s so much stuff that happens on the backend when you have a compromised system and some of these regulated environments where you’ve done the right thing, you’ve pulled it offline. You’ve nuked it, there’s nothing left, but then there’s all of this kind of like post-mortem work to show that the things never kind of come back online and, and, and to prove that you’re doing all the right thing, if you could just, you know, in 20 years when this thing that we’re talking about comes online, show that you clicked the button, the button did the thing, and now the thing is back to the way it needs to be, and that satisfies all of the promises and regulations? Oh. Off to the races, man. There’s nothing better than that.
Ryan: Okay. So whoever’s out there that sets this thing up? Remember who you heard it from?
Brian: That’s right. That’s right. I just want 1%, just 1%, we’ll split it. Me and Ryan.
Ryan: All right. Sounds good. Oh, it’s so interesting to think about where things are going, and I mean, what we want, what our wishlist is and taking it, looking back, like, look at what your wishlist was 20 years ago and look at where you are now.
Brian: Yeah. So, my wishlist 20 years ago was just to have connectivity that was consistent, you know, that didn’t require weird cabling and nine volt batteries and junk like that. And now my wish is, like, maybe we don’t need that connectivity like we used to be wanting so bad. Maybe I need a different kind of connectivity. But yeah, you’re so, so right. You know, the way things are changing is amazing and I’m excited and it gives a guy like me who, you know, makes a living and enjoys technology as a hobby and just kind of lives in technology. It gives a guy like me, a ton of excitement to see what’s coming down the road.
Making Security User-Friendly by Using More Flexible Policies
Ryan: Yeah. And to loop it back to the security tools and kind of what you were saying, you know, it goes about having it be useful, secure, and still accessible. It goes to that saying that’s thrown around everywhere that you can’t have something be secure and user-friendly at the same time. And I, in some regards, I disagree. In other regards, I agree with it. So the part that I agree with is when it comes to the actual security tooling. So when it comes to the antivirus, the endpoint protection to, you know, EBR, everything like that… that’s not quite to the point of being able to be like, “it’s secure and it’s user-friendly.” It’s secure and it’s invisible, but I liked how you put that.
Brian: Yeah, yeah. Secure and as invisible as it can be. Yeah. And I think we’re shooting for secure and invisible and yeah, I agree with you. I think the end goal is secure and user-friendly, and we just have a ways to go.
Ryan: Yeah. I think, I think where you start, where I would start putting the pushback is not necessarily on the tooling, but on policy and practice. So I think that, you know, you can kind of try to offset the security tooling. That’s not very user-friendly with more user-friendly, like, IT practices. So, for example, you know how you respond to people who have been compromised and everything like that, and then it really comes down to the mindset that you go on. So like here at JumpCloud, we’ve mentioned this before on other episodes, but it can’t be said too many times, our internal stance on dealing with compromise, with situations where somebody, you know, clicks on the wrong link, loses their laptop, something like that is the fact that accidents happen. It happens, people make mistakes. And we don’t, you know, we try to foster that environment where you’re not going to get in trouble by just by letting us know what happened. Where the problem is going to be if something happens and you try to hide it.
Brian: That’s a really good point you’re making. Yeah.
Ryan: That makes it, and we get, you know, it’s very common. I’ve had it happen a few times today already where people are like, “Hey,” you know, they’ll, they’ll reach out to me on Slack or an email, be like, “Hey, can you take a look at this email or something like that,” you know? And, and we’ll do that because we’ve established that relationship with everybody in the organization that you can come to us; we’re not going to judge you. We’re not not going to yell at you because you clicked on a link or you lost something or something’s going weird on your system. And that right there, I feel helps offset the, at least, the stress that can be involved with the security thing and makes the process more user-friendly so they can come to us. And also it’s good for us because if people are coming to us and not trying to hide things, then we catch more things.
Brian: Yeah, I was just going to mention that when you think back to, say again, like 20 years ago, when the idea of threats and compromised systems was real, but still a little bit new. I remember many occasions when someone would get an issue, either a compromised system or compromised account, and wouldn’t report it because they were afraid of the consequences. They were afraid they were gonna get in trouble. And, you know, compare that to today. When I think now more than ever people understand that security is the work of the entire village. And so the concept of getting in trouble doesn’t really exist anymore. And I think to kind of tie this back with what we were talking about, you know, the hypothetical best security tool is the one that does its job, does it invisibly, but also encourages people to react appropriately, to report issues that they see happening, and not be afraid of reporting either because there’s not a negative consequence to reporting, but also they’re not going to… let me see how I can say this, they’re not going to “get in trouble” for reporting, but they’re also not going to lose the productivity that they’re needing in that day.
Let’s see if I can make an example, you know, yes, we have a user. The user has, has clicked on a phishing email, probably has gotten at least some credentials compromised and understands that they need to report that to their management or to their IT department, but also understands that means that their laptop is going to get confiscated. Their accounts are going to get suspended if not shut down and deleted. And that’s going to ruin their ability to get the thing done they needed to get done so they could go on vacation that day. And so they don’t say anything and they just cross their fingers. That’s terrible. You know what I mean? Because even in an environment where you’re encouraging people to, to, to not worry about, you know, “getting in trouble,” that pressure of not being productive can weigh in so strong on that, on their decision to report or not. And so, yeah, I mean, again, to tie it in, if we had the ability to mitigate some of these, some of these threats, you know, after detection in a way that doesn’t really take away any productivity, then now you’ve got the silver bullet solution.
Adapting Security for a Remote Work World
Ryan: Yeah. That’s so true. And I know that when we were in an office, it was a lot easier because, you know, we could have that new laptop to the person and up and running and in a matter of minutes, whereas now, I mean, you know, it’s one thing I could meet somebody down at, at our office and hand them off a laptop and an hour or so assuming both of our schedules align, but what do I do for the people who are on the other side of the country? Exactly.
Brian: Yeah, I think that the pandemic has really shown some of the cracks in a lot of organizations’ remote working systems deployments. It also showed a lot of interesting new opportunities. Security is one of them, you know, it, it goes back to what we were, you know, dreaming about: the ability to complete the security cycle in a way that now doesn’t involve hands-on, which it used to all the time.That’s something, that’s a challenge that we’re, that everyone’s going to be facing pretty soon.
Ryan: Yeah. And also the old practice of, you know, having a hardened perimeter, you know, you’re where your office is secure and all that, and you’re ironclad as long as you’re on the office network… that’s a bygone era nowadays in my mind, because, you know, 2020 has shown us that remote, if you’re able to do it, if you’re able to support a remote workforce and you’re able to do it well, then that practically guarantees business continuity. And we can’t go back. I know it completely changed how JumpCloud views it.
Brian: That’s interesting because, yeah, it completely starts on a whole, like, clean slate for BC and DR [Business Continuity and Disaster Recovery] plans. An organization I’ve worked with a lot recently never intended to be a remote workforce organization, but what they were doing as just a job perk was allowing a quarter of their workforce on any given day to work from home. So it was kind of this rotating schedule, and they were doing a pretty good job of communicating that, and people could schedule around it and, and they were a huge Zoom adopter back in the day, which is kind of fortunate now. And when in what was it early March, 2020, mid March? When lockdowns really started to happen, the transition from in-office to fully remote was seamless for this bunch, because everyone had been in practice, you know, everyone had spent their specific days working from home, so it was as simple as just saying “Starting tomorrow, everybody works from home.”
Ryan: Yeah. That’s, that’s pretty much exactly what happened here. I mean, we were office centric, but remote friendly, that sort of thing. I mean, we had a couple people who were full-time remote, but you know, really it was you were in the office, but also being a cloud forward company helped out a lot. We didn’t have a lot of on-prem stuff to worry about.
Brian: Yeah, perfect. You know, and that’s probably one of the foundations for this kind of new idea is that physical anything needs to be done away with for the most part. But what I was going to follow up with is what I’m seeing now that we’ve got a year and some months behind us doing this is when I’m asked by a potential client or even a current customer to help them come up with a BC/DR plan, I immediately say, “What would it take to get all your people remote, working remotely? Are they doing it today because of the pandemic? And if they are, then that’s your DR plan. Just put it down in writing, because what you’ve been doing for this last year is a perfect DR Plan.” And, you know, in a lot of cases, I say that, and you know, some of these COOs, or, you know, or some CEOs kind of take a step and then they think, “Wow, yeah, okay. That’s perfect.”
Because in their mind they were going down that path of like, “We need an alternate office location; we need alternate services. We need the ability to coordinate all these users and employees to go to a different place and do these different things.” And I was like, “No. No you don’t; you’re already doing it.” And, and the best part about a DR Plan that’s basically “send everybody home” is that if you do like that client of mine did before and let people, like you said about JumpCloud; you’re remote friendly. Let people work one day a week from home, you essentially are testing your DR Plan, like continuously. It’s CI for a DR Plan, which is awesome, you know, because the only way to find out your plans don’t work is to try them. And yeah, I think that that’s going to be the wave of the next decades is how a business can quickly accommodate something like that.
And just in line with what we were talking about, how does security follow it? One of the things that’s really weird right now is that the health regulations and security frameworks have some pretty, how do I say this, have some pretty direct language about physical security and today I’m 99% sure. No one’s homes have the kind of security that you would need to attest to HITRUST. Now, Ryan, maybe you have a badge reader on your bathroom door, but most of us don’t, and certainly you’re not logging who is coming and going from your workspace. So that’s going to be an interesting thing to see evolve with this. Are they going to relax the security frameworks to allow, you know, what’s happened today to keep going, or are we going to see some new, interesting technologies to enforce those frameworks, but in a person’s home, you know?
Closing Remarks
Ryan: Yeah. I mean this, the whole shift to remote work really has kind of thrown a monkey wrench into a lot of things, and I am excited to see how all those smart people out there who solve these types of problems are going to solve needs.
Brian: Yeah. Yeah. It’s going to be some really interesting and unique solutions. I, if it’s going to be anything like, kind of, the bleeding edge that we’ve seen before, some of the things we’re going to see, you’re going to be a little cloogy, right? And it’s going to be like, “I don’t know… that seems a little fragile.” And then over time, it’s going to start to kind of come together. So I’m looking forward to it as well.
Ryan: What is it, Amazon’s Ring security system, the drones in the Ring stations… stuff like that!
Brian: Yeah, I mean, nothing to worry about. Just an army of AI-controlled drones making sure that the people that are in your house are the right people. That’s all.
Ryan: Yeah, exactly! Awesome. All right. So that’s all the time we have for today. Again, our guest is Brian Coleman. Thank you very much for, for joining us today, Brian.
Brian: Well, thank you so much for having me. I’ve really appreciated the conversation. I know we, we took some weird left turns here and there, but we got to where we wanted to go. And I thank you for inviting me here.
Ryan: Thank you for tuning into Where’s the Any Key? If you like what you heard, please feel free to subscribe. Again, my name is Ryan Bacon; I lead IT at JumpCloud, where the team here is building a cloud-based directory platform that provides frictionless secure access to virtually any IT resource from trusted devices — anywhere. You can learn more and even set up a free account at jumpcloud.com.