Modern attacks move fast, spread laterally, and exploit gaps across flat and complex environments. In this episode, we break down how microsegmentation and network detection and response work together to reduce breach impact and stop lateral movement.
Our Chief Evangelist, Agnidipta Sarkar, is joined by Heath Mullins, former Forrester analyst and now Chief Evangelist at ExtraHop, for a candid discussion on how attack techniques are evolving and why detection alone is not enough.
One key takeaway is clear: preventing every breach is unrealistic. What matters is how quickly you can detect malicious activity, contain the blast radius, and recover without disrupting the business.
If you are a CISO, security leader, or architect responsible for protecting modern digital environments, this conversation will challenge how you think about Zero Trust, microsegmentation, network detection, and operational security.
Agnidipta Sarkar: Hi everybody, this is Agni and I’m back with another session of Breach Ready Dialogues and today I have with me, um, Heath Mullins. He’s been someone who I’ve talked to when he was in Forrester. We had a great time then, and I’m looking forward to a great time today. But let me not steal his thunder.
Agnidipta Sarkar: Let me introduce Heath. Heath, why don’t you talk a little bit about yourself, what you’re doing now, and, uh, where you are, what’s going on?
Heath Mullins: Okay, well that’s an awful lot and, uh, happy day. Good morning, good evening, good afternoon, wherever you are. My name is Heath Mullins. Um, I am a former and recovering Forrester analyst.
Heath Mullins: Um, currently I am at ExtraHop as the Chief Evangelist. Now, what that really means is that I’m continuing the, the good work of the, uh, kind of in the analyst vein and that I’m talking about the big problems, I’m still having the conversations with the, the executives, you know, and what’s really bothering people, what’s keeping ’em up at night.
Heath Mullins: Additionally, I happen to be working for the leader in the NDR/NAV space, um, with ExtraHop. So what we do essentially is it’s a combination of, uh, of network performance management as well as NDR/NAV technology. So not only can I tell you where your network slowdown is, but I can also tell you what the problem is from a security standpoint.
Heath Mullins: I can do deep dive forensics, I can decrypt everything that you’re looking at, and I can provide you with a complete picture of what’s actually happening on your network as compared to just, we think something’s wrong here. Think something’s wrong there. And, and a really interesting tidbit and, and one of the reasons why I kind of came over here was, you know, ExtraHop was born in the network, right?
Heath Mullins: They were an NPM solution, think NetFlow analysis tools. So what that allows us to do that’s really different is we can look at IOCs in kind of a, a different fashion. So if you’re a standard NDR, you’re just kinda looking at the network, right? And you’re saying, oh, I, I see some lateral movement. I see something that maybe shouldn’t be happening.
Heath Mullins: Whereas we could see an IOC that may not be reported as a CVE or something else. Something like, uh, spinning up a new instance in a virtual space. Um, a new memory allocation, new CPU utilization, because we’re still looking at the traditional network, uh, information. It also allows for, um, uh, collapsing the stack.
Heath Mullins: So this tool can be used by the NOC and the SOC and, you know, set RBAC and, and here’s your controls. This is what the NOC guys see, this is what the SOC guys see. Um, extremely powerful, especially when you’re talking about, you know, bringing everything together and reducing your overall tool sprawl, uh, across the environment.
Heath Mullins: Um, that’s my, that’s my, that’s my quick pitch, um, because, uh, it’s, it is his pitch after all. So, uh, so please, Agni, um, uh, let’s, let’s get into this. I think we’re gonna talk about some really fun stuff today.
Agnidipta Sarkar: Yes. And, and as is usual, the first question that I have for you is, uh, give us a little background with, uh, breaches and what’s been your take on it?
Agnidipta Sarkar: How, uh, you know, how are breaches, uh, how have you been experiencing breaches during your Forrester days and, and now, and how they’re different. Uh, and then maybe we spend some time in the end, uh, I’ll ask you again if it needs to be, but we should spend some time talking about current breaches and what do they mean to the world.
Heath Mullins: Yeah. Yeah. So the breaches have been really interesting. Um, some things stay the same, some things change over time, right? So you think of the traditional breach. We’re out there looking for a CVE, an unpatched system. You know, something that’s, that’s public facing or perhaps just internal, whether it’s the internal employee stealing information, or somebody that got handed a packet of money to provide a password, or, you know, piggybacking, you know, it’s all the,
Heath Mullins: all kind of what I consider bread and butter of the breach industry, which is let’s get in, we want to get in, we want to get in fast, and we want to get out fast and then leave our, our ransom, um, leave our demands, whatever they may be. Um, I, I think it’s become a little more political in, in the past couple of years.
Heath Mullins: Um, the types of entities that are being targeted. You know, it’s not necessarily, I’m just going after you for money now, now it’s, I don’t agree with your ideas, so I’m gonna go take down your site, or I’m going to interfere with your ability to perform your duties, whatever those duties may be. Um, you know, it could be, uh, metropolitan, you know, police departments, uh, fire, critical infrastructure, which has been a big deal as you well know.
Heath Mullins: This keeps on popping up. Um, the, uh, I mean, well, we’ll talk about that in the recent one, but please go ahead, Agni.
Agnidipta Sarkar: No, no, I, I, sorry, I interrupted, but I was actually trying to add to what you were saying. I, I read about, oh yeah, please. The water systems that got attacked, um mm-hmm. Last year, I guess. And, um, the total population that that water system was serving a lot of 15,000 people.
Heath Mullins: Yeah.
Agnidipta Sarkar: That, that’s really nothing.
Heath Mullins: Yeah. To me, that’s a dry run, no pun intended.
Agnidipta Sarkar: Yeah, I understand.
Heath Mullins: System
Agnidipta Sarkar: understand. But still,
Heath Mullins: yeah. Yeah.
Agnidipta Sarkar: You were right because you were saying that, you know, people are no longer. Um, I mean, people are intending to shut down systems because they just don’t agree with what you do and what you, how you do.
Heath Mullins: Yeah. And, and how much of this is just for fun, you know? It’s not just, it’s not just script kiddies sitting in the basement now, you know, that are just trying stuff out that they pulled off the dark web or some, or, or Reddit or something like that. These are, you know, semi-cohesive groups with a similar interest, and these groups fluctuate.
Heath Mullins: People come in, people go, and today’s target may not be tomorrow’s target, but the target from three years ago, they may wanna revisit because everybody knows how slow the response typically is, especially when dealing with like civic systems, government systems, um, they’re a very attractive target because there’s a good chance that the remediation
Heath Mullins: probably didn’t catch that little, that little perfect little nugget that you left sitting in that network somewhere that’s just dormant. It’s not doing anything. It’s just sitting and waiting, excuse me, and then it pops up again and you’re like, well, we thought we got rid of this, but now you’re going back through the same cycle again because you may have patched external facing systems because that was the, you know, perhaps the ingress point.
Heath Mullins: Um, but you may not have had the funds or the wherewithal or the knowledge to completely patch the internal systems as well.
Agnidipta Sarkar: In fact, uh, you made a very good point. This is something that I talk to many people about usually, that, you know, if you look at the MITRE layout and I divide the MITRE layout into four parts, all the 14 tactics, I divide them into four parts.
Agnidipta Sarkar: The first two are happening outside your enterprise, right? Recon and resource augmentation. Um, it’s initial access when you really come to know something’s happening, and then it goes all the way up to privilege escalation. And if you see really, that’s where the entire cybersecurity market is sitting because you want to stop the next attack.
Agnidipta Sarkar: Right? So, but the problem is, it’s the third part. It is after discovery, finally people get to a stage where they’re able to get into lateral movement. And they would do that sometimes by using credentials or misusing credentials, sometimes not. But what I, what, what you just said made sense to me because if someone manages to cross the initial defenses, then the only way you can do that is by interrupting that, uh, that attack in some way or the other.
Agnidipta Sarkar: And, and as you said earlier, I’m connecting to the work that you’re doing at ExtraHop and you said that you’re able to figure out, um, anomalies in, in how people are spinning up an extra VM or they’re using a part of memory that shouldn’t have been used. That’s essential information about how to stop that guy from going from initial access all the way till reaching lateral movement.
Agnidipta Sarkar: It,
Heath Mullins: yeah.
Agnidipta Sarkar: Does that make sense?
Heath Mullins: Yo. Yeah, absolutely. And, and, uh, one thing I’m gonna, I’m gonna discuss that you, um, you, you brought up several times through that, uh, that statement was, you know, we’re talking, people tend to get hung up in the idea and the concept that the, the attack is coming from a person.
Heath Mullins: Right? Yes. I prefer to think of them as entities because we can, as we have seen, you can weaponize bots, you can weaponize bots internal to your network that already have that. So we’re not just talking about privilege escalation among actual human beings.
Agnidipta Sarkar: Yeah.
Heath Mullins: This is me taking over BigFix. You know, this is me injecting a new piece of code.
Heath Mullins: Uh, this is me using PowerShell, which may be allowed within the network. This is me doing a lot of things within your network that are not, it doesn’t look like a human, it looks like a standard practice. We run into this all the time in OT environments, um, where it, it looks like this is a normal, this is what it looks like.
Heath Mullins: It’s always this square, right? And if you’re not looking at that information, if you’re not looking at that traffic, then you don’t know that this square may now contain encrypted information in it. This square may have gone from its 16 bytes every 30 seconds to now it’s 36K every five seconds. You know, that’s an anomaly that should be looked at 100%.
Agnidipta Sarkar: Agreed. Agree.
Heath Mullins: My, yeah, my favorite, I’m not gonna say my favorite, but, uh, something that I, I quite often catch people up in is when they discuss air-gapped environments with relation to lateral movement, right? And they say, oh, no, no, um, we’re a secure facility, we’re air gapped. And I say, okay, um, where’s your terminal?
Heath Mullins: That, that controls those systems inside that air-gapped environment. Is it inside that cage? Is it behind that door? Oh no. The terminal’s right here in the SOC, and then we feed it into the SIEM and that’s up there on the screen. I said, okay, so you don’t have an air-gapped environment. You have a method for an attacker to get into an unsecured OT environment, and the only security seems to be this console or this server that you’re using to communicate back and forth, which may inherently be unprotected because people don’t think about OT like that.
Yeah,
Heath Mullins: they don’t think about it. Yeah.
Agnidipta Sarkar: Yeah. In fact, you, you reminded me of, when you talk about bots, um, what I heard very recently, in fact I think this morning, is that, uh, bots are now being used as employees, fake bots.
Heath Mullins: Mm-hmm.
Agnidipta Sarkar: So people hire, uh, a software engineer or a coder in some other part of the world, and they have never seen him.
Agnidipta Sarkar: He’s not come mm-hmm.
Heath Mullins: On an
Agnidipta Sarkar: interview, and all you did was get a bot and all that. The bot needs is access to your environment and then, you know, it goes on and does something else, something malicious, but you’re, you’re absolutely right. The future does look quite, uh, awesome when it comes to all these kind of technologies.
Agnidipta Sarkar: And, and the, the work, which I think you’ve been doing, and I think the work that even I’m contributing to is to make sure that we try and figure this out faster than others. I think that’s where the main kick lies. Look at. Yeah. Look at what happened at Qantas, MGM, JLR, um, Marks and Spencer.
Heath Mullins: Oh yeah, and Caesars too.
Heath Mullins: Don’t forget them. You know, Caesars too. Yeah. So, yeah, so, uh, it, it’s really interesting, uh, we’re, we’re starting to get into kind of like the, the current, uh, face of things. So, um, traditionally when you’re a, uh, a hacker, an exploiter, whatever, whatever you wanna call yourself, um, you know, traditionally you would do things around social engineering.
Heath Mullins: You know, you’re gonna go, you’re gonna sit at the airport bar, you’re gonna go to the hotels where, you know, there’s conferences where people frequent. You’re gonna shoulder surf, you’re gonna do all the normal things, right? And, and people tend to forget that these are still very, extremely effective. I mean, beyond just walking by you and, uh, and scanning your phone to try and get payment information from a, a near contact devices and stuff like that, we’re also talking about, you know, Hey, I’m sitting here, I’m surfing Insta face or face a gram, or, you know, whatever your social media of choice is.
Heath Mullins: I’m getting an idea just by looking over your shoulder. Well, who’s this person that he’s writing to? Or she’s writing to, and then I’m gonna go add them as a friend, and then I can create my network around them. So it’s not, these are, I mean, they’re pretty basic tactics. It’s almost like the, um, you know, when you start a rumor at one end of the room and you, you say it at the other end of the room and it’s a completely different story.
Heath Mullins: You can learn an awful lot from somebody five minutes sitting in a bar, um, five minutes looking over their shoulder while you’re pretending to be on your phone. You’re actually recording what they’re doing. You can get a lot of information that can help you push forward this breach, push forward this password reset.
Heath Mullins: And a lot of the ones that you pointed out where they, they used vishing and smishing and they created, you know, this whole, you know, Hey, I’m gonna go password reset, down to the mannerisms that were used by that person when they were requesting, or demanding in one case, that their password be reset. And, and that’s just incredible to me.
Heath Mullins: This video right here could be used by an attacker to imitate us and emulate us. Very easily and just push it right on through. So it, it’s, it’s easy to forget social engineering when you become so focused on the technology. So the current breaches where they’re not only landing and expanding, they’re also getting in and you know, doing things.
Heath Mullins: They’re not necessarily doing them very rapidly. You know, they may be kind of slow rolling. If I know, for instance, because I shoulder served you, I know where you work. I found you on LinkedIn. I know who your friends are, I know the things that you’re talking about, where you are. I can very easily pretend to be you ’cause I know you’re gonna be outta the office for a week.
Heath Mullins: So I have a week to go in there. Get my password credential reset because I scanned your SIM or I have an SEM or something like that. I can do the multifactor authentication. I can do all these things now. Now I’m you. And for a week I don’t go in there and just grab stuff, you know? I go in and see what I can touch, and then I see, okay, of the things that I can touch, what can I do with it?
Heath Mullins: Because I’ve targeted you specifically for a reason. You have something I want. So what else can I touch? What else can I do? I may upload an innocuous file, you know, something from EICAR just to see if it’s going to be flagged going up there, and I may use bits and pieces of different things to reassemble them on the other side once I’m already across your barriers.
Heath Mullins: You know, much like you bypass a firewall, you, you know, take it in segments, you send it out of order. I can do this across multiple emails, I can do all kinds of stuff. So don’t forget that your people are still your weakest point. And I don’t mean that in a condescending way or a, your people are terrible, because they’re all highly skilled individuals.
Heath Mullins: There’s a reason why you hired them. But even the best people can be fooled by modern technology when combined with the right things that should be said to that person that they already know.
Agnidipta Sarkar: In fact, uh, good that you said. This
Heath Mullins: is it.
Agnidipta Sarkar: I, I, and I was thinking as, as you were saying, you know, this whole HITL thing in AI, right?
Agnidipta Sarkar: You have human in the middle, right? Mm-hmm. Human in the loop, as they say, not the middle human, HITM, HITL. I don’t know what jargon they use, but they, they want a human in the loop so that a decision can be taken, which is not autonomous, but is taken based on the context. The point that I was thinking about at that place is a, is a friend of mine, he told me that.
Agnidipta Sarkar: Their help desk have, they’ve implemented a new procedure, which is based on a CAPTCHA. So if somebody wants to get something done and they pressurize, and this happened right after the, the Qantas attack because they got scared and they had access to someone, uh, who came up with this idea of a CAPTCHA that, uh, when they go through the workflow, uh, to reset someone’s password, uh,
Agnidipta Sarkar: to fill out that they need to have a CAPTCHA and mm-hmm. And this guy is continuously telling them that, you know, don’t want to CAPTCHA, don’t want to CAPTCHA, and so on and so forth. And that triggered a whole lot of, uh, you know, concern in somebody’s mind. But, um, to your point, the human is, um, the smartest in the loop, and yet mm-hmm.
Agnidipta Sarkar: the weakest of the loop as well, because there are certain cognitive tendencies which are not there in a machine, uh, that exist in a human, which are weaknesses, but then there are weaknesses in a machine as well, uh, which is the ability to be predictive. Mm-hmm. So, so to your point, I think, I think the future would, would make a difference between, I mean, people would start defining, um, I’m, I’m saying those who are diligent enough to define a future with parts where you have humans.
Agnidipta Sarkar: And you take advantage of the value of the human and parts where there are machines or AI or whatever you call it, where you take advantage of the benefit of that and do away with the negatives of both. But then there could also be the both other situation where you are so predictive that the attacker knows what the AI is going to do.
Agnidipta Sarkar: Mm-hmm. And the human is so vulnerable that the attacker knows exactly how to pressurize them. Um, that’s entirely possible. But, uh, to me, the way I see it now, um, everything balances on the point that we started discussing on becoming ready for the next breach. Because at the end of the day, as, as an employee or, or as a leader of technology and risk organizations need to come up or with the B, the C or the board, they need to be able to convince their stakeholders that
Agnidipta Sarkar: they will be sufficiently immune to the next breach. The, the good news is, is I’m seeing conversations, and I’m sure you’re, you’re seeing that too, is that people are now saying that breaches are inevitable. Mm-hmm. Which was not the case about six, seven years ago. They would say, why do we have a breach at all?
Agnidipta Sarkar: I mean, we hired you, the CISO to stop the breach, but you’re not able to stop the breach. But now I hear conversations in boardrooms where they’re saying, yeah, breaches are inevitable. Let’s see how we can minimize that. What are you hearing?
Heath Mullins: Yeah. Oh, that the same thing. I mean, the, the assumed breach used to be just associated with, um, defense in depth.
Heath Mullins: If you’re our age or zero trust, if you’re, you know, coming up these days, um, you know, you should assume breach, you should assume that the bad guys are already there. So you work on protecting your assets. Um, and it’s, it’s, it’s really interesting as we were, you know, kind of discussing this, this whole human in the loop concept and, and stuff like that, you know, it’s, at the end of the day, it breaks down to sociology.
Heath Mullins: You know, you can tell if you’re, if you’re in a situation or in a position where you feel you may be speaking to a bot regardless of how, you know, normal it is, or human it is, your organization and this, and I wear my, as you know, you know me, uh, I wear my tinfoil hat pretty tightly. Um, but there should be, I, I mean,
Heath Mullins: I don’t wanna say challenge questions, but with, in today’s remote workforce, you know, your IT department may receive a call from somebody they’ve met, never met in the flesh. This is something that is just inherent to the new world of business. You know, that you may have never seen this person, known this person, but there’s somebody that does.
Heath Mullins: You know, and if you, if you get something that’s like, this is a high value target, that’s, we used to target the CEOs, right? I say we just, that, that’s not a Freudian slip, I promise. But, uh, CEOs and C-levels used to be targeted all the time because they had access to everything. Well, we learned that, uh, you don’t want them to have access to everything because they may not be up to date on security.
Heath Mullins: ’cause they wanna be able to do what they want when they travel. And there’s different policies, you know, for, for them than for me. Right. So, and which is kind of a snotty way to put it, but you get the concept that I’m working with here. Now they’re targeting admin. They’re targeting, it may be HR, it may be payroll, it may not be your, your traditional target, as in, I’m a NOC analyst, I’m a SOC analyst.
Heath Mullins: I’m the person setting policy. It may not even be them because they may have a very specific reason for targeting your very specific, um, your very specific organization. This could be a paid attack by somebody who’s going through a divorce. I want you to go ruin their career. You know, uh, tion, I mean, human nature is, is horrible.
Heath Mullins: People are terrible. Um. But, uh, but yeah, so, um, I kind of lost my, my train of thought.
Agnidipta Sarkar: No worries, no worries. I think, let, let me bring you back on, on, I think you, you pointed out a a lot of, uh, areas that that come up, but I think I’m, I’m going back to go, I’m gonna go back to the whole design of, uh, being resilient.
Agnidipta Sarkar: Uh, and
Heath Mullins: Hmm. Yes.
Agnidipta Sarkar: And thinking from the ground up, from a foundational level. If you are able to, I, I know we discussed this, if you are able to, you know, uh, design microsegments in a manner that you do it, uh, rightly, and you do it by adequate knowledge of how attackers could attack, and you build playbooks for the SOC and the NOC.
Agnidipta Sarkar: Then use, uh, you know, reduce the amount, the amount of noise that comes in so that the attack paths become narrower. Then what you really end up doing is if there is a cyber attack and if it comes through a supplier or it comes through the help desk, if you’ve got separate zones for them, it’s difficult to navigate the enterprise then, isn’t it?
Agnidipta Sarkar: And that means eventually what you are going to end up with is a mechanism by which you’re able to contain the attack in a part of the organization, and therefore the rest of the organization is continuing to work, being unaffected. Do you think that, that sort of, I mean, you presented a lot of threats and I think almost all those threats can be, can be, we can do two things about it.
Agnidipta Sarkar: We can have an allowed path that is so narrow that only the right guys can travel. And if someone who’s not the right guy, he has to misuse a credential to get in, and then he has to behave abnormally, which I think some of the things that you talked about earlier about ExtraHop can detect and find out
Agnidipta Sarkar: That this is abnormal behavior and then that person could be trapped in a particular area, um, and be contained.
Heath Mullins: Yeah. Okay. So you, I, I’ve got a million things to say about this. Imagine that, you know, pure shock on your face, I can tell from here. Um, so adequate knowledge. So microsegmentation, if you’re, if you’re well versed in, um, if you’re well versed in zero trust, and even if you’re not.
Heath Mullins: Microsegmentation. The core of it is really just that it’s, it takes the default deny, but then makes exceptions and allowances, right? So it really just lets the correct person get to the correct resource and get all the way granular down to the session data. Now, on paper, it sounds amazing. The reality is that it is extremely difficult to deploy without a tool like ColorTokens.
Heath Mullins: Shocker. Um, but uh, but what it really gets down to is where it gets really hard and, and this, you’re gonna tie this kind of into playbooks and stuff. Um, so where it really gets hard is when you start to automate some of these processes when you’re in default deny, or you’re doing network mapping or you’re trying to find out what these dependencies are.
Heath Mullins: As you’re implementing microsegmentation, you may have services that, you know, that secondary, tertiary library of commands or controls doesn’t get kicked off unless very specific things are checked within the application. So, if you go in and you’re just, you know, you don’t have a tool like ColorTokens or, or anybody else in the space, you don’t have something like that, well, you’re gonna start to define policies that are gonna block the routes that you see currently.
Heath Mullins: This is what’s coming in and this is what’s going out. What you’re not gonna know until somebody that has a specialized function or a different requirement that may not be kicked off, but every, you know, even, let’s just say every 15 minutes, ’cause you’re looking at a window, right? You’re just looking at a section of time to make this determination.
Heath Mullins: Traditionally, um, you’re gonna start breaking things. You’re gonna get complaints both internally and externally from customers. They’re gonna say, well, this doesn’t work now. Boom. What is the problem? And you ended up, you end up burdening your IT department, your internal help desk, and that’s a problem for everybody.
Heath Mullins: ’cause they’re gonna get overwhelmed. You’re gonna get complaints and as the CISO, as the NOC director, the SOC director, you’re gonna have people breathing down your neck going, why did you just break literally everything on the network? And you’re gonna say, I did, I was employing policy as directed. Um, and where that becomes, and how I’m kind of tying that into the, the playbooks is you have to be really careful with playbooks.
Heath Mullins: Um, playbooks and automation are fantastic. They can make simple, repetitive tasks very easy. Onboarding, offboarding, you know, putting a tail on somebody that, we know they’re gonna, they’ve been given their two weeks notice, or we’re about to let them go on Friday in case they get wind of it. We’re gonna trail their network behavior and see what they do and what they access, maybe restrict access to some things, um, applying just-in-time access, you know, applying policies like that.
Heath Mullins: That’s fine too. But don’t shut down entire network segments, especially if you haven’t microsegmented. You know, don’t, don’t reboot the router in the middle of the afternoon because a new CVE came in. I mean, this is the human in the loop stuff right here, right? Yes, this is, this is, yes, this is table stakes.
Heath Mullins: Good Lord. Do not let people do this stuff. Right. Um, so as we, as we’re kind of going through that, you know, narrowing that path and just in time, deny by default, you know, this is a good time to talk about third party risk as well. Um, as we just saw with, um, with a major, I guess I can say it, it’s a public, uh, news.
Heath Mullins: F5 got their source code stolen of all things, and that was through an attack. You know, somebody got in there, they used, you know, something. We haven’t, we don’t have all the details yet, you know, of what happened, but it’s probably pretty easy to assume that somebody got in using one of these methods that we’ve talked about today, social engineering, you know, something along those lines.
Heath Mullins: They got in, they got the source code, and now everybody out there with an F5 BIG-IP should be going, holy crap, you know, what do we do? This is such a massive problem, and how do you actually resolve this? You know? I mean, that is, I mean, geez, that, that’s literally a load balancer. All your traffic goes across it.
Heath Mullins: And do you switch to your HA? ’cause you probably got an HA if you’ve got a load balancer. It’s the same thing, you know? So how are we going to decide what to move? That is a very messy problem that I’m not getting into because I don’t even want to think about it. That’s, that sounds like somebody else’s problem to me.
Agnidipta Sarkar: But, but you, you make a fair point and I think, uh, that goes back to the OT experience that you were talking about. Mm-hmm. One of the traditional methods of handling these situations, the F5 kind of a situation, is called a fail safe.
Heath Mullins: Mm-hmm.
Agnidipta Sarkar: Means that if, think about it like you are walking into the, the, the subway and, and suddenly there’s a power failure.
Agnidipta Sarkar: What do you do? You open the gates.
Heath Mullins: Yep.
Agnidipta Sarkar: Right. That used to be, that continues to be a mechanism, especially in the OT environment where
Heath Mullins: Yeah. Yeah.
Agnidipta Sarkar: Fail open
Heath Mullins: instead of fail closed. Yeah.
Agnidipta Sarkar: Yeah. Instead of, yeah, instead of fail closed, people are just going to remove the, the firewall from the network. The firewall is not working.
Agnidipta Sarkar: They’re going to just mm-hmm. Everybody’s gonna get connected now. So that used to be a fail safe mechanism, but in today’s world, you can do neither. You can’t fail closed, you can’t fail open.
Heath Mullins: Mm-hmm.
Agnidipta Sarkar: Because both of them are dangerous, just like you said. Don’t automate everything because you might be ending up with somebody shutting down a router suddenly in the middle of the day.
Heath Mullins: Mm-hmm.
Agnidipta Sarkar: Unless you have really done the analysis and done a very clear diligence of what needs to be done, but at the same time, fail open is also a problem because then it would, because that’s what your attacker wants you to do. They just want to trigger the emergency.
Heath Mullins: Mm-hmm.
Agnidipta Sarkar: And we’ve seen this in movies as well, right?
Heath Mullins: Oh yeah, sure.
Agnidipta Sarkar: They’ve got an emergency, and that’s when the thief walks in. In fact, you remind me of lure now, just now. Mm-hmm. The theft of, yeah, all that. Anyways, coming back to our discussion. I think what you’re saying is making complete sense to me, and I think it’s essential that in today’s world we need to think about planning for that day.
Agnidipta Sarkar: I mean, we’ve invested in cybersecurity. Let’s face it. There is enough investment in cybersecurity, and investments are going up, so attacks. So I think it is time that we start looking back and thinking about: shall we focus on the investments needed to stop the next attack? I mean, we’ve got cybersecurity, we’ve got IT.
Agnidipta Sarkar: We are making new digital processes. We’ve got security awareness, which doesn’t work sometimes, or rather many times. Right. And I mean, this is Cybersecurity Awareness Week, and someone asked me, what do you think? I said, look, this week is supposed to celebrate cybersecurity awareness, not do the cybersecurity awareness.
Agnidipta Sarkar: Yeah. You should be doing cybersecurity awareness throughout the year. Every day.
Heath Mullins: Yeah.
Agnidipta Sarkar: This month. Anyways, coming back to my point. I mean, it’s a pleasure talking to you, and I’m happy to meet you once again. We talked a lot. We had fun, I think.
Heath Mullins: Yep.
Agnidipta Sarkar: But what I would really want to conclude with is this.
Agnidipta Sarkar: And I think you said that in as many words as well: it is, I think, time that people should think about sitting down and planning to figure out which of their investments are going to stop the next attack.
Heath Mullins: Mm-hmm.
Agnidipta Sarkar: Whether they do it foundationally using whatever tools, like ExtraHop or ColorTokens or whatever, it is time to sit down and figure out: do they have the right blocks in the right places, so that they can stop
Agnidipta Sarkar: and prevent the next attack, and combine that with operational processes, because it’s not only technology. People make the mistake: oh, I bought CrowdStrike, so I think I’m good. That doesn’t work anymore. You need to couple it with operational processes that are going to leverage the power of CrowdStrike to stop the next attack.
Agnidipta Sarkar: They’re going to leverage the power of ExtraHop. I mean, somebody can buy a box and keep it in the network. If that’s not doing what it’s supposed to do, then the same is true with any other tool that you buy. You need to have operational processes around that. And that’s what I wanted to say in the end: it’s important that CISOs and decision makers think about building breach readiness as a program throughout their organization.
Agnidipta Sarkar: I mean, we are in the Dialogues. That’s what we are doing.
Heath Mullins: Yeah.
Agnidipta Sarkar: And that, I think, is my main takeaway.
Heath Mullins: Yeah.
Agnidipta Sarkar: Ending words.
Heath Mullins: Yeah. The only thing that I would add to that is, you made some excellent points in that summation. GRC used to be a bad word. GRC used to be associated with, I’m getting ready for my cyber insurance policy.
Heath Mullins: Let me do my self-attestation. By the way, no more checkbox exercises for cybersecurity policies, everybody. You have to prove it now. So when you’re thinking in terms of breach readiness, and, you know, what’s our business continuity plan? What’s our recovery plan and stuff? If you’re not applying sound GRC, and that’s governance, risk and compliance,
Heath Mullins: for anybody that doesn’t know that acronym, you should be discussing this on a daily level at the executive level. What are we doing? What are we required to do via governance and compliance, and what risk is associated with that? As you were talking about, you know, cybersecurity is no longer just the SOC.
Heath Mullins: Cybersecurity includes things like dev. If you’re still doing Agile, you should be shifting left and going to DevSecOps. I mean, there are so many places where you can put security into everyday environments and everyday workflows, because if you don’t have security as an organization, if everybody’s not sold and bought in,
Heath Mullins: then you’re gonna fail as an organization.
Agnidipta Sarkar: Absolutely. Thank you, Heath.
Heath Mullins: You’re welcome.
Agnidipta Sarkar: That was great talking, and as I said, maybe we’ll come back and talk again. I, I love
Heath Mullins: maybe.