Dr. Eric Cole is an accomplished cybersecurity hacker and executive advisor. His career has been a mix of sixth-sense chance encounters and foresight about where the field was heading. His uncanny ability to see the opportunity in cybersecurity, combined with the wisdom to listen to those smarter than him, is why he is where he is today. His interview is chock full of poignant advice and tips.
Dr. Eric Cole also has a creative side to him: he's a musician. He was a French horn player before and now, he's a drummer. He's known as the Tommy Lee of Cybersecurity.
Getting Into Infosec
Other episodes, transcripts, a career guide to Getting Into Infosec:
https://gettingintoinfosec.com/
Book - Breaking IN: A Practical Guide to Starting a Career in Information Security
Ayman: Hi, Dr. Cole. Thanks for coming on the show!
Dr. Cole: Oh, it's my pleasure. Thank you for having me.
Ayman: Yeah, this is a great honor to talk to you. So, for those out there that may not be familiar with your experience, can you tell us a little about yourself, and what you do today, and what you've done in the past?
Dr. Cole: So, [for] the last 30 years, I started my career in cybersecurity, and I continue my career in cybersecurity. I just love solving complex problems and help[ing] to make the cyberspace a safe place for people to live, work, and raise a family.
So, I got started at the CIA, where I was actually a professional hacker for eight years. So, in my twenties, I basically was trained to break into anything on the planet. And, while some pen testers might think that's cool—and hopefully, nobody gets offended by this—after eight years of doing it, I got a little bored because you can always break into anything.
Everything has exposure points, and everything has vulnerabilities. I always joke with people: if it's a computer and it's connected to the internet, or it has any external access like Wi-Fi, or things like that, it's hackable.
It was funny. I was just over my friend's house the other night. I was social-distancing, so don't worry. And he comes up with his new Ferrari, and he's like, "You can't hack that." And so, they placed bets. What do you think it was? Three and a half minutes, I was in this Ferrari driving away, and he just, his eyes got real big. And he was like, "How could you do that?" But the point is, with functionality, there's always exposure points.
But I spent most of my time after the CIA really helping make organizations safe. I spent 20 years at SANS, building a lot of their courses. Big accomplishments. Built the number one cybersecurity course, SEC401 Security Essentials, and actually built it, ran it, and managed it for over 18 years, trained over 40,000 people, and really just love helping people understand, get into, or advance their careers in cybersecurity. And now, [I've] really focused a lot on cybersecurity leadership. I think the world needs a lot more security leaders: chief information security officers, people that can actually speak the language, sit across the table with executives as equals, and actually put together a strategy that's needed in order to secure a company and secure the contract.
Ayman: Yeah, that's excellent. So there's a lot to unpack there.
So, it's interesting you mentioned how you got bored after eight years of hacking. I guess that dopamine and that high no longer really cut it for you. Is that right?
Dr. Cole: Exactly. Because what it comes down to is, I love challenges. I'm one of those people that get bored very easily. Nothing wrong with a lot of great professions like accountants and teachers and things like that. My hat goes off. I mean, very, very well-respected, but that's not for me: doing the same thing of teaching the same thing or that repetition. I like new challenges.
So, after eight years, we get the methodology down. You've set vulnerabilities and exposures, and it wasn't challenging anymore. It was just routine. I had a checklist, and I knew eventually, at some point in the checklist, the system would give and I would get in and I would accomplish the mission.
So, once I had the methodology built and the process that I follow, then the excitement, like you said, was gone. But what I love now being on the defensive side is there's always a new challenge. Anything we fixed today, the adversaries are going to figure out a new way into the system.
And every company is unique and different. So, every time I work with a new engagement, it's always a new challenge, a unique opportunity. And one of the things I really focus on now is customized solutions. So, that keeps the creative juices flowing.
Ayman: Nice. That's really good. And how did you end up getting into the CIA? Like, what was that progression? You know, you went from high school and like, were you hacking and they just found you? You know, how did that happen?
Dr. Cole: It's actually funny. 'Cause, it's not what you would think. Where I was like the "high school hacker," I was the high school geek. Right? I got my share of flushies and thrown-in lockers and stuff like that, but I always tell people that the best revenge in life is success.
I'm not big on high school reunions, but when you're showing up in your sports cars and private jets and everything else, and the kids [who] used to make fun of you aren't successful at all, it just sorta gives you a little grin in life. Don't let short-term things or other people's opinions influence who you are or what you can accomplish. That's probably, sort of, one of my first things in life: always be respectful. Don't be an a-hole to other people, but don't give a crap what other people say or think because we're unique, we're different. And if you're an entrepreneur in cybersecurity, they're just not going to get ya.
So that's sort of [the] first thing. But I did some programming. I liked technology and science. I was actually going to major in architecture because I'm fascinated with how buildings and bridges work and operate. And I still, today you look at a skyscraper in New York City, and you're like, "How the heck does that thing stand? And how did they design it and build it?" And a friend of the family actually said, "Why don't you go into computers?" This was in the eighties. He goes, "Everything's moving into computers. Why don't you major in computer science? It's a new field. You can be one of the first people that get a degree in it. And if you know how to use computers, you can then go into any field you want, including architecture."
Ayman: And did you have a computer at home at the time?
Dr. Cole: I had my Commodore 64 that I actually saved up a year-and-a-half working, and you'll laugh. It was $900! So, I have this piece of crap in my basement. My wife wants me to get rid of it, but because I spent my life savings on it. But when I was in my teens, I'm like, "I'm keeping that thing forever," even though it has no value today.
Ayman: Right. And so you were using it in high school, so you had some computer exposure in high school as well before college, right?
Dr. Cole: Exactly. So, basic programming. So just some of the programming and basic games and things like that. But yeah, I was always fascinated with computers and how they work and how they operate.
Ayman: That's awesome, that's awesome. So now, in college, you're getting this advice to kind of take on this step of looking into computers as a career, but you were considering architecture. And so, what was that thought process there? And then, what did you end up deciding?
Dr. Cole: So the thought process was, and this is one of my other big pieces of advice: listen to people that are smarter than you and have made the mistakes before you make them. So, this was a 45-year-old engineer, who worked at Grumman at the time, who was very, very successful. And I'm like, "He probably knows what he's talking about, and it was probably a good thing." So I did listen to him and went to New York Tech in computer science. But after two semesters, I'm sitting there in the Fortran classes—'cause remember: this is when it was sort of an engineering degree with a couple of programming classes. Computer science wasn't mature like it [is] today—and I'm sitting there, and I'm like, "Is this really what I want to do? Is this really what I want to do in my life?" And I thought about it for many, many weeks, and I still remember it was a Thursday afternoon and something inside me said, "You need to go to the co-op office today."
And I was like, "I'm busy. I have these other things going on."
And some[thing] just kept pushing me, so I go down to the co-op office after my class at around 3:30 in the afternoon, and they say, "Eric, it's so funny you came today because the CIA recruits on campus—once every two years—and they happen to be coming tomorrow, and we have one slot left. Do you want it?"
And I'm like, "Heck yeah!" which means if I went a day later or a week later, I would have missed out on that opportunity, which really became a pivotal part of my career. So, I went to the interview the next day, did well, got the application, and I think based on what we talked about with my resume, we know things worked out fairly well, and I ended up working for them for eight years.
Ayman: Okay, that's awesome! And were they looking for technical computer folks, or did they see that in you and decide to put you in that?
Dr. Cole: No, they were looking for people that majored in computers and technical fields because the government is usually a little farther ahead, so they had computers and internet when the rest of the world in the eighties had America Online and dial-up connections.
Ayman: Yeah, that's excellent. So that was, you know, kind of an opportunity that just dropped in there. And do you ever think about your architecture days?
Dr. Cole: Not really, 'cause I love what I do so much, and I love the cybersecurity area in solving the problems. I mean, I'm still fascinated when I travel and fly on airplanes and look at bridges—especially when I go to Dubai and look at some of those crazy buildings, the tallest in the world—I'm still fascinated. But it's one of those where I definitely know deep down inside, I made the right decision.
Ayman: Okay. And so at the CIA, did you start off in cybersecurity right away? Or, you know, what was the progression internally there if you could share that?
Dr. Cole: Absolutely. So, what's interesting with the CIA is once I went through all my clearances, so they flew me down to Virginia, and I got my poly and my background and all of that, as an intern or a co-op, you have full clearances just like employees, but you are a free resource. It doesn't come out of their budget.
So now, when I'm going in and I'm interviewing at all the different offices from networking to operating system to programming to the cybersecurity, they're really trying to sell me on why I should work at the office.
Ayman: Oh, interesting.
Dr. Cole: And this is going to sound a little contradictory, but I asked everybody, my advisors, "What should I major in?"
And everyone's like, "Major in networking. Everything's going networking, networking, networking." But in this case, some told me that cybersecurity was going to be a cool area, and I was going to be able to do some things and test some things. So that's one where I decided that, you know, something, I took the advice, I listened to the advice, but I also recognize that it was one summer intern, so the risk was relatively low. If I did an intern for seven months with security and I didn't like it, I could always do networking the next summer. So, it was one of those where the risk was low, even though I didn't listen to the advice.
And then probably, the life-changing moment for me was in a big meeting in the bubble. It's the big auditorium at CIA headquarters. And it was with the entire office, all of the execs, everyone there. And they're talking about these new internet systems, putting out these systems on the internet. And I'm sitting there, in front of 2000 people, and I raised my hand, and my boss looks at me, and she's like, "Put your hand down, put your hand down."
And I was young and stupid, and I kept it up. And I asked the simple question that changed my life, which is this: "How do we know these systems are secure? How do we know that they're protected?"
And they looked at each other, and they said, "Eric, thank you for volunteering to solve that problem."
And I said, "I wasn't volunteering. I was just asking."
If you ask hard questions in the government, then you get tagged with solving it. And that's what put me on the journey of really hacking, being a professional hacker for eight years, understanding how the tech really works. So, I can then do the defensive solutions that I do now. And that's probably the biggest piece of advice to anyone in cybersecurity or that wants to get into cybersecurity is: be willing to put yourself out there. If I didn't raise my hand and expose myself and ask that question that you could argue, might've been a silly question, I would have never been given that opportunity in order to be able to work for the CIA.
So, I know so many people in cybersecurity are super good at the tech, and they asked me, "Eric, how do I get promoted? How do I start my own business?"
And I say, "Well, start asking your friends and neighbors. Start talking to your boss."
And they're like, "I can't do that."
I say, "Why not? Why can't you do that?"
For some of my best relationships that I have, [it's] because I sent that email. I picked up the phone, or I put myself out there. So if you really want to be successful in this field, take some risks in your real life, put yourself out there, and see what opportunities are waiting around the corner.
Ayman: Yeah. And you know, that's something to be said, you know, it took a lot of courage for you to raise your hand in that big auditorium. So there's a certain level of entrepreneurial spirit, I would say, right? I mean, all this risk and courage: that's all part of the entrepreneurial spirit. Wouldn't you say?
Dr. Cole: Exactly. It's all about looking at calculated risks, understanding pros and cons, and taking chances.
Ayman: Yeah, and then also, part of you seems—kind of sub positioning here, but feel free to fill in the blanks—but you know, part of you actually had a concern of like, "Hey, you know, how do we know these systems are secure?" Whereas opposed to someone [who] either may not have that mindset to question and to see, you know, how an attacker can get in or just may not care, right? And so, you know, taking the initiative and really having some concern, you know? Wouldn't you say?
Dr. Cole: Exactly, 'cause I always look at everything, and it's a good skill in cybersecurity. It drives my kids and my spouse crazy, but I'm always looking at how can you break things and make them better. What are the exposures? What are the risks? What are the things that can go wrong? And then, what are some better options or better solutions?
Ayman: Yeah, I think they should have support groups for spouses of cybersecurity professionals because it seems to be a common thing here.
Dr. Cole: I think you're in a big business model. They could probably make a lot of money with that.
Ayman: Yeah, I think there needs to be something cause, you know, I mean, my kids have adopted it, but you know, my wife was like, "Why would you even think that way?"
I'm like, "What are you talking about? That's my job," so it's quite extraordinary.
Cool, so that's good to know that even in the CIA when they were recruiting you, like, cybersecurity was not necessarily the default. And what was it called back then? What was that department called? Was it called cybersecurity? What was it called?
Dr. Cole: It was actually called the Office of Security, and then the subtitle was actually InfoSec. So, InfoSec was sort of the big word, and some people still, like, I'll still use that. I date myself, and [people] know I came from the government because that's more a government term. And nowadays, we tend to use cybersecurity.
Ayman: Well, yeah, you have the purists out there that, you know, try to stick with InfoSec, so it's good to know Government did use the word InfoSec at some point in time.
Dr. Cole: Yeah, exactly.
Ayman: Great! So now, doing security at the CIA gave you tremendous exposure to the field and everything, especially since it was very nascent, you know, probably a decade or two ahead of everyone else in the private industry.
And so, how was your shift from Government to private industry?
Dr. Cole: For me, it was a very, very positive one. And the reason is simple: when I left the agency, I realized that I also have an entrepreneurial bug in me where I love building, starting companies. And I think it goes sometimes with people that are really good at something: they don't work well with bosses that don't necessarily know as much as them.
So, I sort of got really good evaluations on all my technology, but I remember at the agency, I used to get: "*ning* doesn't play well with others. Doesn't share his lunch at lunchtime and doesn't necessarily listen well to his bosses."
'Cause, there were a lot of cases where I'm like, "Okay, this is the wrong thing to do."
And they're like, "I know, but I'm your boss, and I'm telling you to do it."
And I'm like, "But it's the wrong thing to do. We're going to crash the car." Now, I've learned better on how to deal with that. But that is a challenge for me.
So, when I got out and [began] starting and building companies, [it] gave me an opportunity to sort of be [my] own boss, and [I] realized that being a boss is a much harder job than you realize, and [it] give[s] you a different perspective, but it's one of those things. I never regret working at the CIA. [It] was one of the best things I did, but I never regret leaving. [That] was also one of the best things I did. So, it was one of those where that chapter in my life needed to come to an end, that I needed to then explore the commercial side of business.
Ayman: Okay, so you went straight into entrepreneurship when you left the CIA. It's not like you went to a private job or corporate job necessarily, is that right?
Dr. Cole: I did a few little startups. So, I worked for a few because this was right in the .com 1998 time period. So, I did a few of those little stints: six months here, six months there. And after about three or four of these, I started recognizing patterns and saying, "Okay, it's not that every single boss on the planet is an a-hole. I just don't do well with authority in those cases." And that would be another big piece of advice I would give to folks: I believe in life, you're forced to repeat lessons until you learn them. So, start looking for patterns. If you see things repeating themselves, if you see the same problem happen over and over again...
I have a friend of mine. I kid you not, he's going on his ninth marriage. And I'm like, "Dude, there's a pattern there that you need to pay attention to that you're not seeing." And then the other thing that's tied together with patterns is if you really want to grow and be successful and be an entrepreneur or successful in any field, you have to accept responsibility. And that was the other big thing [I had to learn]: I have to stop blaming my bosses and blaming other people for being stupid and recognize that I wasn't doing what I was supposed to. Accept responsibility for that. And then, create a scenario where I could use that as a positive instead of a negative. And that was essentially finding some partners and starting my own companies.
Ayman: That's awesome. And I think you hit it really well. They're accepting responsibility. Taking it on yourself. You know, we're in security. You're trying to advise people and help people do the right thing. If you're internal and people are not listening to you, you probably need to try something different, right? You know, just being creative and getting around the problem where people are not listening to instead of doing the same thing and just getting frustrated and going nowhere, right?
Dr. Cole: Exactly. One of my favorite quotes, that I actually allow all of my employees at my current company to call me out on, is Einstein's definition of insanity, which is "doing the same thing over and over again, expecting different results." And I find myself getting caught up in that, but I see so many entrepreneurs where they call me in for coaching. And I'm like, "You don't see this, you've done the same thing six times in a row, and it doesn't work. What makes you think if you do it a second time, it's actually going to work? You need to do [what] Edison did, which is try different things."
I'm all about failing a thousand times because you're going to get that, but you need to do different things [with] each failure. You can't do the same thing over and over again, expecting the results to change.
Ayman: Yeah, I love that quote. It's hard sometimes, you know? You're in your own bubble, and it's hard to step out of your bubble and see what you're doing. You know, I think for those trying to get into security, a lot of times they're getting frustrated, maybe sending the same resume over and over again and getting no results. But, you know, being able to pivot, right? Try to change up your resume or change your tactics or learn something new, right? I think the same would apply there as well.
Dr. Cole: Exactly. The other thing I push that I'm also a very, very big fan of is: have advisory board members for your life and have coaches because there are certain things that you can not see. And there are certain perspectives that you're not going to see. And the analogy I give is [to] watch the PGA tour. You have the best golfers in the world. And when those golfers are on the practice range, before they tee off, they have three to four coaches around them, having them adjust and tweak and modify things that they can't see. So, if the best professionals in the world have coaches, why shouldn't we? You need to have people around you that can say, "Hey, this might be silly," or, "Here's an alternative."
And I find—especially in cybersecurity because people in this field are very, very smart and they tend to be more on the introvert side—that they don't want to ask for help or get help from others. And that's probably one of the biggest mistakes I've seen. That's going to hold you back from really growing and getting to that next level.
Ayman: That is really profound, you know. You see these professional athletes, but behind the scenes, they have multiple coaches. That is really profound. I think I'm going to have to ponder that for a little bit. That's really good. Good. So now, pivoting a little bit. So, now you're helping CEOs. How do you work with people when they don't take your advice?
I know you worked with President Obama as well, and, you know, Government can be pretty bureaucratic as well. So, are there any things you can share? Frustrations maybe [from when] you've worked with people, where you try to give them advice and try to [tell] them, "Hey, the best practice here... maybe we should do this?" but they don't listen to you?
Dr. Cole: Yes, that happens a lot. It's happening less and less because I figured out a little secret, which is this: if people are not listening to your advice, 99% of the time, it's because you didn't answer the right question. You didn't actually give them the advice that they're looking for. And this was one of my mistakes that I made the first time.
It was actually President Bush. [He] was one of the first presidents I advised. I'm like all comped, I'm going into the Oval Office. This is going to be awesome! This is going to be great! And they said, "You have three minutes." So, I had my three-minute speech ready to go. And I don't even remember what question he asked, but I went into my three minutes, and I gave my speech, and it was polished, and it was good, and it had analogies.
And I remember they said, "Okay, thank you, Dr. Cole."
They went to escort me out, and I respect them a lot for saying [that], but President Bush looked at me, and he said, "Dr. Cole, that was great. But you didn't answer my question." And it hit me when I left.
So, the next time I went in—and he gave me another chance because he saw that I knew what I was talking about—I just had a little maturity issue to deal with. So the next time I went in, he asked the question, and I spent a minute and a half asking him follow-up clarifying questions. And then, once I really understood what he was looking for, I gave less than a 60-second answer. And then I remember getting up, and he goes, "Eric, that was one of the best answers that I ever heard. And that's exactly what I needed. We're actually going to act on that." And [I] walk[ed] out.
So, a lot of times, we want to impress people with how smart we are, but we're not really giving them the answers they're looking for. So, one of my other favorite quotes that I got at the time is: "Smart people know the right answer. Brilliant people ask the right question." So, when I'm working with executives, and I'm working with other folks, I have a rule. I cannot give an answer unless I ask them three questions, and then that just forces me to clarify and understand what they're really looking for.
Ayman: Yeah, digging deep into it. Okay, that's great because maybe not everyone is able to articulate their question properly because it's still stuck in their head, and so, that's part of communication. Not only do you have to listen, but ask clarifying questions. Okay, that's really good.
How was it? You know, just on a side note, how was it walking into the president's office for the first time? Can we expand on that?
Dr. Cole: Sure. I mean, it's very nerve-wracking, and it's sort of a balance between ego and emotion. At least, for me, one of the highest privileges is to actually speak and give advice to the President of this great country. So, the fact that you got asked out of hundreds or thousands of candidates, your ego, you got to keep that in check the whole time. And then, you're very emotional because you're like, "Okay, what if I screw this up? What if I give the wrong answer? What if I do the wrong thing?" And then, it was funny because the first time I go in, I did exactly that. But when I realized after that first encounter, second and then over the years, I got to know him a little better, George W. Bush.
And what I realized is yes, he is the President of the United States, and he is the most powerful person on the planet, but he's a person just like you and me. He eats three to four meals a day. He has kids, he plays with his dog. He's still a person. So, when you recognize that, whether you're dealing with the President of the United States or Bill Gates or Elon Musk or Richard Branson, yes, they've achieved amazing, miraculous things that we all envy, but at the end of the day, they're really people just like you and me. So, the more that you can humanize and treat them like people and interact with them like they're a friend or somebody else asking for advice, the more effective you're going to be overall.
Ayman: Gotcha. That is really good to say. Yeah, sometimes, when I'm meeting someone high up, for example, for the first time, I do get nervous myself, right? Even though I've done it before. And so, being able to acknowledge that this is just another person, same as you—as long as they're not, you know, a big a-hole really—but just understanding that they are human. That's really good advice.
I appreciate that.
Dr. Cole: I just pulled on that string a little more. Ultimately, if an executive or the president or somebody very important either asked for a meeting with you or they accepted your meeting, that means that they believe at some level, you can help them. Because, let's face it: if they did not think you can help them or they did not have a problem that they needed help with, they wouldn't have taken the meeting because they're too busy and they have too many things. So, that's the other thing that I always remind myself is: "Okay, they have a problem in which they need a solution. I need to figure that out as quick as possible because as quick as I can figure that out, I can help them. And the sooner I can help them, the better the meeting's going to go."
Ayman: Yeah, at the end of the day, cybersecurity is about solving problems, right? Figuring out how to solve problems, how to make things safer. We kind of want to make things better. At the end of the day, we're all trying to solve a problem, whether it's a human problem or a technical problem or a process problem.
Dr. Cole: Exactly. And the only clarifying thing I would add to that is: the good cybersecurity professionals solve problems. The great cybersecurity people solve the right problem.
And that's what I see. Probably, if there's one big disconnect that I see in the era of cybersecurity, it's that very often we're solving good problems that will help the organization at some level, but it's not the right problem: [the] highest priority that they really need.
Ayman: And so, [when] you work with leaders, when you're working with CISOs, do you work with them on advising them who to hire? Like, what to look for when hiring people?
Dr. Cole: We can do that, but normally, what we focus on is a little more strategic. So, what we're going to work with a CISO on is: "Okay, do you really have an effective plan that the executives understand? And do you really have the right metrics and dashboard in place? So, this way, the executives understand what you're doing, they'll support you, and that you'll have the right resources in order to do that."
And then, we'll go in and identify what the skill sets are that they need on their staff, but I usually don't get involved at the actual interview and hiring process. In a few cases where they were key positions, we did, but most of our focus is really making sure you have the right strategy because I'm a firm believer.
I'm from New York. So, I am not a fan of the New England Patriots, but you gotta respect Bill Belichick because one of his big things is: you don't need the best players. If you have a great, consistent playbook, you can turn them into great players.
And that's what I like doing with a lot of our clients: let's get a really solid playbook that's proven, that we know works, that we know is valid. And then, let's train the team on that playbook so they know it inside and out, and then they operate in a consistent manner.
And that's how you can turn good people into an amazing team.
Ayman: Yeah, more specifically—so I understand that you work at the strategic level more specifically, and I think you hit it on there a little bit—as a CISO, is putting together a strategy. You know, there's a lot of times I'm sure many are having trouble executing on that strategy and finding those skillsets. So what I really want to ask you is what are the skillsets that you're seeing out there? That are in need by a lot of the CISOs out there today.
Dr. Cole: Probably the biggest need that I see for a CISO is to be able to speak the business language, to really be able to sit in the executive boardroom with the CEO, COO, and CFO, and actually be able to have a conversation that they understand. Most CISOs can't read balance sheets. They don't know profit and loss statements. They don't know financials, which, I know, it sounds crazy, but I'll just give you a short example. If you don't understand the financials of a business and you don't know which products are making the most money, how do you know where to spend the money and how much to spend?
Is a million dollars a good budget? Well, if the company is only making 800,000 in revenue and you want to spend a million on security, they're going to laugh you out of the room. On the other hand, if you want to spend a million on security and it's a $3 billion company, they're also going to laugh you out of the room 'cause it's too small.
So, most security people don't understand how you evaluate the business to understand the critical data, to identify the exposures tied to revenue. And that's how you have to build your plan, because if it's not tied to the business, that's why so many CISOs get fired and so many companies that spend so much money on security get breached: because they don't really understand and align security with how the business operates.
Ayman: Yeah, I think that's well said. And then digging in a little bit, but the CISOs that are looking to execute and they've kind of put the strategy together, from a resources perspective, like from a skills-hiring, where are they having trouble? Where do they need the most skills? Do they need more security analysts to kind of do the threat hunting? Do they need more engineers to build the security systems? What have you seen out there like today?
Dr. Cole: Definitely the biggest gap I see is on the monitoring, detection, and analyst side because most companies do a pretty good job at preventing attacks, at stopping the attacks, configuring the architecture with the LAN, segmentation, firewalls: all that technology in place. But the problem they're having today is when an attacker gets in and breaches all their measures.
A lot of companies can't detect the attack for two or three years. So, they need a better set of people that can actually analyze, respond, react, and really what it comes down to is the ability to prioritize and focus on the high exposure areas. 'Cause, the problem we see with most of our clients is they're getting 3000 alerts a day, and you can only analyze 300. So, if you're only looking at 300 and you're getting 3000, you're going to miss it, and no one's willing to go in and say, "You know something? If our staff can only analyze 300 alerts, then we need to tune the tech to only generate 300 alerts."
Now, I get pushback where people say, "But Eric, if you do that, you're going to miss some attacks."
"Yes, but today, we're missing all the attacks. So wouldn't you rather have a security solution that catches the top 30% of all breaches than a solution today where you're analyzing so much noise that you're catching nothing?"
Ayman: That's well said. Cool. So, Dr. Cole, you've seen a lot of things out there. Can you share with us a couple of war stories that you've seen and, you know, lessons learned from there?
Dr. Cole: Yeah, that's a great question. I have so many. I'm trying to sort of distill down.
Ayman: We could probably record another episode with all the war stories that you have.
Dr. Cole: Just a clarification. Are you looking at like war stories on catching attackers?
Ayman: Yeah, like breaches you've experienced or anything that's out there that really—you know, there's so much out there—but we'd love to hear, you know, either a scenario where [you've been] involved in a breach and found the attacker or really bad mistakes that you've seen companies make.
Dr. Cole: Awesome. So I'll jump in.
One—this one was from probably about 10, 15 years ago, but it's still a great story. It gives great examples: don't overlook the obvious—so, I got called into a Fortune 500 company that we knew had an insider threat that was stealing information and giving it to a competitor. And, not only did we have proof [of] that because the CEO of the other company actually called up this company CEO and said, "Listen, you have an employee who's stealing information from your company. And he wants to come work at our company. We're not hiring somebody who has that poor morals and ethics, but we just wanted you to be aware that he's stealing the data." So we had a pretty good case. Here's the problem: we couldn't figure out how he was doing it because the CEO from the feeding company said he won't testify in court. So, we needed to find the actual proof on the network.
So, we're monitoring his computer; we're monitoring his email. We put on filters on the inbound and outbound of the internet. I mean, we are watching all the traffic, and we could not find anything. And we are like, "How is this person doing it?" that this person has to be, like, uber James Bond spy material, because we are just not catching it. And I remember it's about 1:00 AM in the morning, and I'm working in the company, and we're with the engineers. We're trying to figure this out, pulling an all-nighter. And all of a sudden, I hear from outside my office: (printer sounds).
And I walk outside, and I'm like, "What is that?"
And they're like, "Oh, that's the fax machine." Like, as soon as they said that, it was like the heavens opened, you heard choirs of angels.
And I was like, "You gotta be kidding me."
So I immediately went and pulled the logs of the fax machine, and sure enough, that's how this individual was getting all of the data out of the company. He was printing it and then faxing it out to either personal accounts or competitors' accounts. And I hate to say we spent three and a half weeks analyzing all the network traffic because we assumed that he was using email... and that was a false assumption. And if we would have stepped back and said, "Okay, what are all the possible scenarios?" and "Let's do a validation and spot check," we probably would have been able to find the individual a lot quicker and a lot faster, but we just jumped to conclusions. We made assumptions, and we ended up missing the most obvious.
Ayman: That's hilarious. Well, good old fax machine. There was a bias already in there so, go in with no biases. That's a lesson learned, I would say.
Dr. Cole: Exactly.
Ayman: Gotcha. And any mistakes you've seen companies make? Really bad security mistakes?
Dr. Cole: Probably one of the big ones... and this was a large government contractor, and as you know, government contracts today are almost all electronic. So, the bids, the due dates, all of that is all done electronically. They're not actually distributing paper anymore.
So, they had a scenario where they're bidding on a fairly large contract. It's about an $80 million contract, and they receive an email about two weeks before the proposal's due saying, "Based on changes in scope, we've extended the due date by three weeks." This happens fairly often. This is common in this space. They didn't think much of it.
So they said, "Great."
So they took the extra three weeks, and they submit it the day before it's due. And the government comes back and says, "The due date was three weeks ago. You missed it. You're not eligible."
And they said, "No, no, no. You extended the due date."
And they said, "No, we didn't."
And they forwarded the email, and the government said, "That wasn't from us."
So they, once again, assumed that, "Okay, our mail server must be compromised."
So they went in, and they signed up for some of these government proposals via personal, like Gmail accounts, and they were getting the correct information with the correct dates, but the email that was coming into the inbox of the proposal team had false information, false data, false dates, and it was starting to really impact the business.
They were losing several contracts, and the company wasn't doing well. So they said, "Okay, our email server is compromised."
So they went in and hired Microsoft. They bought brand new mail servers, had Microsoft configure Exchange, they spent $2.5 million rebuilding their entire email infrastructure from scratch. Brand new systems, brand new servers. And when they finished the [deployment], the same problem was happening. The same thing was occurring. So, they call me in, and they're like, "Eric, can you help us?" They explained everything that I just went through.
And I asked them a simple question. I said, "How do you know it's the mail server?"
And it was sorta one of those awkward moments because they're all looking at each other. Like, "I thought this guy was smart. And why is he asking such a stupid question?" And they're like, "Eric, of course, it's the mail server if we're getting altered mail and we're not receiving the mail that we're supposed to."
And I said, "Question: you realize that when mail comes in, it goes through your ISP? That box actually could be compromised. It goes through your external router, which could be compromised. It goes through several other pieces of network gear that could be compromised, and then it arrives [in] your mail server. So I ask you again, how do you know that it's the mail server?"
And once again, it was one of those moments where they're all like, "Wow, we never ever thought about that." So we did analysis, and we went to their external router, and I did a show running-config, and no covertness here, as plain as day, there was a GRE tunnel set up that was routing all the mail ports to an IP address in Germany.
So, to make a long story short, essentially, somebody broke into their external router. Now all the mail [was being sent] to Germany, and then they were altering and modifying the information and sending it back in. And here's the best part of the story: when we did the analysis, I came back in—and I didn't know any history on the company—so I said, "Yeah, it looks like somebody broke into your router and was siphoning all your email to Germany."
And they're like, "What country did you say?"
I said, "Germany. It's not like it's Russia or China. What's the big deal?" And like, everybody started freaking out because it turned out there was a German company that was trying to acquire this company, and they were trying to underbid them, and they didn't want to negotiate a lower rate. But since they'd been losing all of the contracts, they were going to sell the company at 40% below what they were originally asking. So, it turned out to actually be competitive espionage, where a company was trying to devalue the company so they could get all the contracts at a lower value.
Ayman: Wow, that is insane. This stuff is real, huh?
Dr. Cole: That's why I liked it. 'Cause everyone's like, "Okay, that story had to come from a Tom Clancy," and I'm like, "No, it was real and documented." And the scary part is I work on one of those every week or so. The attacks are real. People just are not realizing it because they're not looking in the right place.
Ayman: Uh-huh. So this still happens today? You see this happening today? I'm going to ask the dumb question. I just want to know, but yeah. So this is happening today.
Dr. Cole: Yeah, and I know the data that the media pushes out says anywhere from 18 to 22 months, it takes a company to detect an attack. But I will tell you: we worked on over 30 Fortune 100 breaches that had over a hundred million records each, and in every single one of those cases, it took the company over three years to detect the attack. And these are companies that spend over $10 million on security and have teams of over a hundred people. And it is still happening today where companies are doing the wrong thing in the name of security, and they're missing the attack completely. And these attacks are going on for a significant amount of time before anybody notices.
And then, here's the scariest of all: out of all 30 of those cases, 28 of those cases... so over 90% of those cases were detected because IT noticed performance issues on the server. It was never because the security technology actually caught the attack. It was after three years. The attackers got greedy. They tried to steal a lot of information, and it impacted [the] performance of the server. So, most attacks are being detected because of performance issues. Not because the security software is too correct.
Ayman: And then, some of these attacks are simple. I mean, a GRE tunnel. That's like, quite simple, you know? So, are a lot of these attacks that you've seen, you know, generally simple?
Dr. Cole: In the last three years, absolutely. And that's what I say: we got lucky. If you go back 10 years ago, companies were patching. Companies were doing a pretty good job, and most of the attacks had to be 0-day and really complex attacks. But because companies got so sloppy, most of the attacks we're seeing today are three categories: one is servers that are accessible from the internet and have missing patches for multiple years; second is critical data not being encrypted, or if it is encrypted, the crypto key is stored with the data, so it defeats the whole purpose; and the third one is senior-level people are falling victim to phishing attacks, giving up critical credentials that allow the attacker into the network.
So while I have some interesting and cool stories, most of the attacks we've seen over the last 18 months are simple, basic attacks where companies are just not doing the foundational items they need to do.
Ayman: Wow. That's really helpful. So, do you have any creative sides to your traditionally creative sides, I guess to you? I asked that question 'cause I have a follow-up question for that.
Dr. Cole: So, yes. Avid musician in high school and college. I was actually a French horn player. So, I played in duets, trios, quartets. Very well accomplished there, but my favorite instrument now, when I play in different bands, is I'm a drummer. So I call myself the Tommy Lee of Cybersecurity.
Ayman: Nice. Yeah, I found a lot of security experts also have this creative side to them. So, I think there's something to be said about creativity in the field, and I'm doing some research in that area. So, I'm finding some really interesting things in that area.
So my last question is: what was the most creative way you got out of a problem in your whole career? And it can be technical or non-technical.
Dr. Cole: Good question. These get me smiling and thinking because really, knowing that, so the most creative... probably I would say one of the most creative situations, and it goes back to one of my other quotes, is it's never a lack of resources. It's a lack of resourcefulness. So, I had a situation where [I] did a very big job for a client, and the client ended up filing bankruptcy, and I was fairly new in my business, and this was a pretty significant contract, and I didn't get a deposit. I didn't get paid upfront. So, if they didn't pay, it would have put my company in jeopardy. It would really put the ability of my company to survive in huge jeopardy. So, I had to get super, super creative, and I'm trying to talk to the banks and talk to everyone else, and they're like, "Eric, there's a long line of creditors in front of you, and they're going to get the money before you do."
So I went down to the data center, and they were actually going in and auctioning off the servers and all the equipment. And I went up to the bank, and I said, "Listen, I'm on the list of creditors here, and I know you normally don't do this, but I'll buy the servers at a premium price. And you just offset what the company owes me against it."
So they were auctioning them off, and it was a larger amount. It was something like 200,000. And I said, "I'll buy it for 400,000, and then you offset the difference of it." But I still had $300,000 that I had to raise in order to buy those servers.
So, then I went to another friend—I know it's gonna sound like a Ponzi scheme, but I went to another friend—and I said, "Hey, listen. If you can lend me $300,000, then I will go in and pay you back with interest within 45 days." And then what I ended up doing [was] taking all of those servers, and this was just eight or nine years ago when they were building out a lot of the data centers. I went to one of the data center companies who were trying to get servers, and they were all on backlog. It was taking 120 days. So, I ended up negotiating a deal where I sold the servers to that company for 1.1 mill. I paid my friend back with interest. I got my money from the company, and I ended up walking away with 100K out of that.
Now, all my friends said, "But dude, you could have lost everything."
And my answer to that was, "My company was in jeopardy, and I was going to lose everything, so why not?"
Go in and take some very high-stakes calculated risks in order to do that, and it was just sort of like, all the moons aligned. So, to me, that always taught me that if you have a plan and you believe in that plan, you can convince other people to follow along with it. And if you don't give up—trust me, I've given you the short version—but there were nights where I'm sitting there at 11:00 PM with my bottle of Jack Daniels saying, "What the F did I do? I'm going to lose everything." But you just keep pushing it through, getting creative, and ultimately, things do work out in the long run if you don't stop believing.
Ayman: Wow. That is pretty creative. That's pretty cool. Well, Dr. Cole, thank you so much for joining me today. I think it was quite enlightening, and I love all the different quotes. And I believe everyone would definitely benefit from your story in this interview.
Dr. Cole: My pleasure. Thank you so much for having me on the show.
Ayman: All right. Thank you.