Insight ON Ep. 42 - Are Your Security Teams Ready for the New Patch Cycle?

Anthropic's Mythos revealed that frontier AI models can discover vulnerabilities and build working exploits in the same automated process. Two Insight CISOs share the operational frameworks, detection tools, and incident response shifts your security program needs to survive the new patch cycle.

Anthropic's Claude Mythos changed the calculus of cybersecurity. The frontier AI model, released in limited access through Project Glasswing, demonstrated that AI can autonomously discover software vulnerabilities and generate working exploits in a single process — collapsing the weaponization window from 30 to 90 days down to hours, even minutes. Every major operating system, web browser, and widely used software package that had survived decades of human security review was found to contain critical vulnerabilities. The organizations that respond to this moment by treating it as a maintenance problem will be the ones that get hurt.

Insight CISOs Jeremy Nelson and Jason Rader are not theorizing about what Mythos means. They are operating inside the threat environment it created. Jeremy built Insight's Managed Exposure Defense program — a layered approach combining continuous threat exposure management, AI-enabled penetration testing, and a true risk score — in direct response to what frontier AI models revealed about the vulnerability landscape. The program treats every critical vulnerability disclosure as a security incident, not a scheduled maintenance task, with a 24-hour SLA for criticals and a full incident response workflow: triage, threat hunting, SIEM/SOAR integration, and escalated remediation. Insight calls itself client zero — the same tools, talent, and processes proven on Insight's own infrastructure are what clients now receive.

Jason Rader addresses the question every mid-market security leader is asking: How do you defend against a threat surface identical to that faced by a Fortune 500 company, when you don't have a Fortune 500 security team? His answer centers on visibility — knowing exactly what’s connected to your network, what’s exposed, and what your SOC can actually detect and contain — and on managed security services that handle tier one and tier two operations so internal teams can focus on the work that requires organizational context. He also draws a critical distinction that reframes the Mythos threat: It isn't just that high-severity vulnerabilities are now exploitable faster. Medium and low-severity vulnerabilities that were previously deprioritized are now viable attack footholds, because frontier AI models can chain them together into a single, catastrophic exploit path.
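The two ideas above, re-rating a published severity against organizational context (exposure, business criticality, validated exploitability) and escalating low and medium findings that sit on the same exposed host as a chain, can be made concrete in code. The following is an added example written for this page, not Insight's Managed Exposure Defense tooling and not its true risk score formula. The severity ladder, the point adjustments, the attack-stage tags, the vulnerability ids and every SLA value other than the 24-hour critical SLA are assumptions chosen here for illustration; the sample findings are constructed.

```python
"""Context-adjusted vulnerability triage with incident-style SLAs (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
RANK_SEVERITY = {v: k for k, v in SEVERITY_RANK.items()}

# Only the 24-hour SLA for criticals comes from the page; the other windows are assumed.
SLA_HOURS = {"critical": 24, "high": 7 * 24, "medium": 30 * 24, "low": 90 * 24}


@dataclass
class Asset:
    name: str
    internet_exposed: bool
    business_critical: bool


@dataclass
class Finding:
    vuln_id: str                     # placeholder ids, not real CVE numbers
    asset: Asset
    base_severity: str               # rating as published by the vendor/NVD
    stage: str                       # assumed tag: role the flaw plays on an attack path
    validated_exploitable: Optional[bool] = None  # result of continuous pentest, None = untested


@dataclass
class TriageResult:
    vuln_id: str
    asset: str
    true_severity: str
    route: str                       # "incident_response" or "standard_patch_cycle"
    deadline: datetime
    reasons: List[str] = field(default_factory=list)


def context_adjust(f: Finding) -> Tuple[int, List[str]]:
    """Move the published rank up or down one step per contextual factor (assumed weights)."""
    rank = SEVERITY_RANK[f.base_severity]
    reasons: List[str] = []
    if f.asset.internet_exposed:
        rank += 1
        reasons.append("internet-exposed asset")
    if f.asset.business_critical:
        rank += 1
        reasons.append("business-critical asset")
    if f.validated_exploitable is True:
        rank += 1
        reasons.append("exploitability validated by pentest")
    elif f.validated_exploitable is False:
        rank -= 1
        reasons.append("pentest could not exploit")
    return max(0, min(3, rank)), reasons


def chained_assets(findings: List[Finding]) -> Dict[str, str]:
    """Flag exposed hosts where low/medium flaws form an entry-plus-escalation path.

    Rule (assumed): an internet-exposed asset with an initial_access finding and a
    privilege_escalation or lateral_movement finding is treated as one exploit path,
    so none of those findings may be deprioritized individually.
    """
    by_asset: Dict[str, List[Finding]] = {}
    for f in findings:
        by_asset.setdefault(f.asset.name, []).append(f)
    flagged: Dict[str, str] = {}
    for name, group in by_asset.items():
        stages = {f.stage for f in group}
        if group[0].asset.internet_exposed and "initial_access" in stages \
                and stages & {"privilege_escalation", "lateral_movement"}:
            flagged[name] = "chained path: initial_access -> escalation on exposed host"
    return flagged


def triage(findings: List[Finding], now: datetime) -> List[TriageResult]:
    """Assign a true severity, a handling route and an SLA deadline to each finding."""
    chains = chained_assets(findings)
    results = []
    for f in findings:
        rank, reasons = context_adjust(f)
        if f.asset.name in chains:
            rank = SEVERITY_RANK["critical"]
            reasons.append(chains[f.asset.name])
        sev = RANK_SEVERITY[rank]
        route = "incident_response" if sev == "critical" else "standard_patch_cycle"
        deadline = now + timedelta(hours=SLA_HOURS[sev])
        results.append(TriageResult(f.vuln_id, f.asset.name, sev, route, deadline, reasons))
    return results


# Constructed sample inventory and findings.
BUILD_AGENT = Asset("build-agent-7", internet_exposed=False, business_critical=False)
VPN_GW = Asset("vpn-gw-1", internet_exposed=True, business_critical=True)
WEB_EDGE = Asset("web-edge-1", internet_exposed=True, business_critical=False)
SAMPLE_FINDINGS = [
    Finding("VULN-0001", BUILD_AGENT, "critical", "privilege_escalation", validated_exploitable=False),
    Finding("VULN-0002", VPN_GW, "medium", "initial_access", validated_exploitable=True),
    Finding("VULN-0003", WEB_EDGE, "medium", "initial_access"),
    Finding("VULN-0004", WEB_EDGE, "low", "privilege_escalation"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, now=datetime.now(timezone.utc)):
        print(f"{r.vuln_id} on {r.asset}: {r.true_severity} -> {r.route}, due {r.deadline:%Y-%m-%d %H:%M}Z; "
              + "; ".join(r.reasons))
```

In the constructed sample, the published critical on an internal build agent that the pentest could not exploit drops to high and stays on the normal cycle, while the medium on the exposed VPN gateway and the two low/medium findings on the exposed web host are all routed to incident response with a 24-hour deadline, which is the re-prioritization the discussion above describes.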

Jeremy's risk tolerance slider bar framework captures the shift precisely. For most of the last decade, security leaders made a rational choice: Patching on a 90-day cycle was less disruptive than the alternative, and the probability of being exploited in that window felt manageable. Frontier AI has permanently reversed that calculation, and that shift demands a fundamentally different security operating model.

The episode closes with the five questions every CISO needs to be able to answer right now — the same ones your CEO and board are about to start asking. Do you have an accurate asset inventory? Can you patch at scale without breaking production? Do you know what is hiding in your open source and third-party software? Do you have the engineering capacity to remediate your own backlog? And if a patch lags, can your SOC detect and contain an exploit before it becomes a full incident? These five questions define the minimum viable security posture for the Mythos era.

If you liked this episode, share it with a colleague.

Have a topic you’d like us to discuss or question you want answered? Drop us a line at jillian.viner@insight.com

"A patch update is an incident. It's a security incident. The actual disclosure of a vulnerability now represents an imminent risk, especially with potentially like hour or minute exploitation windows."

Jeremy Nelson
CISO, Insight

"Everything, even the medium and low vulnerabilities are a foothold in another kind of attack that they can just chain together. That is the magic that AI can do in this."

Jason Rader
CISO, Insight

Audio transcript:

Are Your Security Teams Ready for the New Patch Cycle?

Jeremy Nelson (00:00:02):

So I'm going to slide my bar over here and I'm going to say I'm going to patch every 90 days because I feel like I'm more afraid of my business partner than I am the threat actors. What's happened now is that we've moved that slider bar. That slider bar, most leaders are now basically sounding like, nevermind. With the tooling that they now have, I am way more afraid of the threat actors than I am of my business partners. Well, your

Jillian Viner (00:00:28):

Business partner is probably more afraid of them too now, right?

Jeremy (00:00:30):

Exactly. And that's the thing is it brings us all to the same place. We understand risk in a more unified way.

Jillian (00:00:37):

Welcome to Insight On, the podcast where you get real insight on technology decisions from people actually making them. By now, you've heard of the Anthropic Frontier model's Mythos and Fable, but do you and your security teams know how to respond? Do you know what's within your control? So here's what makes this moment different from every other security headline. The window between when a vulnerability is disclosed and when it gets exploited has collapsed. We used to measure that in months and now we're talking hours, maybe even minutes. And every organization from the Fortune 500 to the mid-market has to figure out how to respond before the bad actors get the same tools. I'm Jillian Viner and today I've got two conversations back to back with two CISOs at Insight who aren't just advising clients what to do. They're doing it themselves and we're going to find out how they're already changing the way that their teams operate and I'm putting them in the hot seat with five questions that every security leader needs to be able to answer right now.

So first we're going to hear from Jeremy Nelson who explains the weaponization window, why your CMDB is probably your biggest liability right now and the framework that his team built from the ground up in direct response to what these frontier models revealed. Then Jason Rader shares how to operationalize the security response at scale and the one thing he says every security leader needs to do tomorrow. All right, let's go. It feels like a long time ago that Mythos first hit the headlines and I feel like it can be so easy for something like this to hit a hype cycle and then people immediately tune it out. When you are talking to other security professionals or leaders of other organizations, how do they feel about it today? First of all, I'm sure everybody now at least has heard of it. Do they understand the implications of it?

Jeremy (00:02:31):

Just like with everything, I think you've got a number of leaders who absolutely understand. They wrap their head around it. They recognize that the overall risk and threat that this represents to their overall operational wellbeing, depending on their size, even their viability as a company. If you don't get this right, you become the victim of a cyber incident that literally has the capability of making companies insolvent.

Jillian (00:03:03):

But that's in the case where if Mythos got in the wrong hands and cyber criminal were using it to find your vulnerabilities.

Jeremy (00:03:11):

So here's what I would kind of ... So one thing that I would say is that as with everything in technology, Mythos was just the first, right?

Jillian (00:03:18):

Yeah.

Jeremy (00:03:18):

But it just sets the pattern for whatever Wellness is going to do. We've already heard of other major releases of Frontier AI models that basically do the exact same thing. And so really Mythos, for all as good and terrible as it is, really what most seasoned leaders look at that is just the what's yet to come, what they can now expect and they know is being developed by the bad actors that are out there. So yes, Mythos in and of itself, the very first to market, is the very one to kind of show the art of the possible,

Jillian (00:03:54):

But

Jeremy (00:03:55):

It was also just a blueprint. It's just a blueprint for other people to replicate as we've seen with everything else within the AI space. But just like everything with security, I think there's a lot of people that kind of go with the more the ostrich approach like, "Eh, if I don't look at it and I pretend it's not there." Oh, you're head in the sand. Yeah, exactly. Maybe this one won't bite me. And I think if you look historically, and this is kind of one of the challenges with cybersecurity in general is that you use past performance to define future success, right? So they look back and like, "Well, I didn't overinvest in cybersecurity before. We've been doing this for 20 years. We're too small," or they go through a series of rationale on why they won't be the next victim of some type of major incident.

And a lot of it was that if you look just like regular companies, corporations, enterprises, it was heavily driven by people. And so there is a certain level of scale that you had to achieve in order to be able to go as wide as you would want to as a company. And just like the threat actor groups, they were constrained by the people and the tools that were developed in order to be able to carry out their various different cyber attacks. And what's happening now though is that the AI models have gotten so effective at both uncovering vulnerabilities, but even the methodology of discovering vulnerabilities now includes to a certain extent, the creation of exploits. What do you

Jillian (00:05:24):

Mean?

Jeremy (00:05:25):

So like if you look at the way that kind of Mythos does its thing, these frontier AI models,

Jillian (00:05:31):

In

Jeremy (00:05:31):

Fact, I'm not even going to say Mythos. I'm just going to say frontier AI models.

Jillian (00:05:33):

Yeah, because it could be a new one tomorrow. It could be a

Jeremy (00:05:35):

New one tomorrow. So what it does though is it goes through, it hypothesizes on what a vulnerability could look like and it goes through a series of various different events and actually tries to prove out its theory. Well, the process of proving out a theory against a vulnerability is what creating an exploit is, right? Seeing if you can actually get it to blow up the way that you expect it to blow up and what the resulting effects of that are. And so that's what makes these models so uniquely both powerful, effective, but also threatening is because in the course of discovering a vulnerability, you are laying the groundwork for an exploit.

Jillian (00:06:12):

Interesting. So it is essentially behaving as a bad actor and going into exploit code.

Jeremy (00:06:19):

With the best of intentions, right? Especially when we are talking about Mythos or some of these very commercially available model, frontier AI models that are looking to go out, they have the best intentions. They want to go out, they want to find vulnerabilities and they want to be able to elevate those to the right parties so they can effectively build patches that we can roll them out and protect the people who actively consume these software packages. But at the same time, it dramatically compresses that weaponization period. So time of disclosure to time of exploit. And what we're seeing now is with these new frontier models is that you go back 10 years and your window between vulnerability disclosure and exploit was some 30, 60 days, maybe 90 days depending on how large, complex, or maybe how targeted that particular exploit was. And then over time that's just kind of compressed, right?

Because these various different bad actors are out there, the overall dark economy has gotten much more lucrative. There's a bigger overall just value chain associated with it. And so there have been things that kind of accelerated that timeline, but it still stayed in roughly like a couple of weeks between time of disclosure and time of exploit that you would have to go out and effectively remediate. Generative AI comes on the scene and we see that shrink dramatically. Now we're talking about just a few days between time of disclosure and time of exploit because the generative AI models have gotten so much better at creating exploits, right? Reverse engineering of published vulnerability, creating code that would be able to effectively execute against that and exploit it. Frontier models, now we're looking at hours and if we can be really honest with ourselves, are we really even talking about minutes from time of disclosure to being able to go out, reverse engineer and create an exploit package that can now go out and explicitly go after that vulnerability.

Jillian (00:08:13):

Jeremy, how do you sleep at night?

Jeremy (00:08:16):

You don't. Lots of caffeine.

Jillian (00:08:18):

I mean, I think the understanding how this works and the implications of it, take away the hype. These are the facts, this is real. This is real. So what do you do with that information?

Jeremy (00:08:32):

So really what you have to do is you have to just take a step back because it's really easy to get kind of wrapped up in just what it is because it is risky. It is very scary. But then what you have to do is you have to figure out like, what's my role? I think that's the most important thing to do is to really compartmentalize and recognize what is in my control, what can I do? And so one of the things that we did is we kind of looked at this through the lens of, okay, there's really two paths. So I've got one path where I am the consumer of software packages that are going to have vulnerabilities that are going to be discovered by Frontier AI models, right? And so as a consumer of those products, what is my responsibility in that chain?

My responsibility is to be vigilant to know when vulnerabilities are discovered and published so that I'm aware of what they are and how does that directly translate to the assets that I maintain as an organization. That's step number one, right? Step number two is what are my ... I have a responsibility to effectively get whatever patch gets developed by this third party to be able to get that onboarded and integrated into my systems as quickly, but most importantly, as efficiently as possible without impacting operations, right? I need to- You're

Jillian (00:09:47):

Talking about software updates? Software

Jeremy (00:09:48):

Updates.

Jillian (00:09:49):

Those annoying little notifications that pop up and interrupt my day.

Jeremy (00:09:53):

Yeah. I mean, forget even just a popup notification. What happens if you try and ignore it too many times?

Jillian (00:09:58):

Oh, it's happened. I was actually on a call the other day and my computer was just like, yep- Straight reboot. You're done. Sorry. "You've

Jeremy (00:10:05):

Procrastinated too long, my friend." That's right. Yeah. But that's what we're talking about. So that's basically kind of cataloging those vulnerabilities, knowing where your vulnerabilities live and then developing a methodology to be able to get it deployed as quickly as possible to remediate the vulnerability.

Jillian (00:10:23):

What's the hardest part in all that?

Jeremy (00:10:25):

The hardest part about all of that, you know what? It's hard to say the hardest because if you go out and talk to most organizations and ask them, "Hey, how accurate is your CMDB?" And so CMDB meaning it's your database of various different assets, right? And most organizations say like, "It's not great." So really just having an accurate inventory of just what you have and what's connected to your network is its own pain point. And so that's something that organizations are going to have to wrestle with because you can't secure what you don't see. You're

Jillian (00:11:01):

Talking about instances where you might have software connected to your network that maybe someone deployed five years ago is no longer with the company, but it's still sitting there.

Jeremy (00:11:09):

It's still there. It's still out there, still connected, still running the same software, still doing whatever it last did five years ago when that person left it running and walked away. So having a good accurate asset inventory and then making sure that you've got good feeds that pull in vulnerability data,

Jillian (00:11:30):

But

Jeremy (00:11:30):

Even just pulling in the vulnerability data isn't good enough because the vulnerabilities when they get published, they have a severity rating kind of associated with them. It's a score and those kind of get ranked as far as like criticality and how quickly you should typically respond to get those applied. But that doesn't always necessarily apply because your organization, the context of both the business you operate as well as just the overall IT architecture that you maintain may dramatically change what that rating looks like. It may take a lower one to be a higher one or a higher one to be a lower one depending on just a variety of different factors. And so really kind of going through, making sure you got that good inventory that you're rationalizing what your risk is and that you're applying the right prioritization around the patch deployment. Patch deployment itself is relatively straightforward.

It's really more around like what is your tolerance for doing patching on a cycle that's more frequent than every 90 days.

Jillian (00:12:29):

Yeah. You mentioned that, that the timeline for that patch has definitely shifted. What was it like at Insight before and have we changed that?

Jeremy (00:12:36):

Yeah, so we definitely have. And really what we're starting to think about is how do we reimagine what that looks like through the lens of treating it for what it is.

Jillian (00:12:45):

Which is what is it

Jeremy (00:12:45):

Now? It's an incident, right? A patch update is an

Jillian (00:12:47):

Incident.

Jeremy (00:12:48):

It's a security incident. So the patch itself is the remediation, right? It's the way that we respond to and we contain and remediate a threat, but the actual disclosure of a vulnerability now represents an imminent risk, especially with potentially like hour or minute exploitation windows. And so really what we're talking about now is how do we quickly onboard a vulnerability as it gets published? How do we run it through a real quick analysis to really identify what the true risk pattern is for our organization and then how do we follow based off its criticality, elevate that towards basically incident response paths where we go through, we identify it, we triage it. We basically build threat hunts and patterns into our SIEM/SOAR to monitor for ongoing activity and then move forward to escalated remediation. So it's the same thing we do if we are sitting there and you've got a security analyst who's monitoring SIEM and a pattern gets detected, it gets elevated up into an event that event gets triaged.

We understand if it's a true or false positive, if it is determined to be a threat actor action that's happening inside of our environment, we immediately move into remediative controls to be able to isolate, contain, expel, all those various fun different things that we do when it's in response to a threat actor. Basically it's the exact same sequence now. It's the exact same workflow that gets treated through the exact same kind of documentation and compliance workflows that you would expect from a traditional incident.

Jillian (00:14:22):

I've heard you say before, like we fight fire with fire, like AI is not only a threat, but we also use it in defense. Is there a role for AI in this?

Jeremy (00:14:29):

Oh my gosh, it's all over the place. So everything from basically coming in that when you think about the way that we have to onboard a vulnerability and we go through that analysis, right? The way that we're looking at going through that analysis as an organization is we first do continuous threat exposure management. It's really kind of like that connective tissue where we bring in this huge catalog of vulnerability. So if you look at like legacy vulnerability management kind of programs, if you will, really what they did is they had that inventory that we were talking about before, got all the published CVEs for the various different systems that are in your CMDB and it just creates this catalog. It's just this massive list of literally thousands of vulnerabilities across all the various different systems and it will have the various different ratings, but it doesn't necessarily mean anything to you and your organization.

So where AI plays a role is you take that and from a continuous threat exposure management perspective, you feed that into like a machine learning or an AI platform that knows those systems like the vulnerability, so it knows what it knows about the vulnerabilities, but it also knows something about the systems themselves

And the role that they play in your organization and architecturally, where do they sit? And so it's able to basically then massage those scores to be a little bit more accurate to what the risk represents to your organization. But then what we do is we don't stop there. So we create like this really high priority list based off of that AI analysis. Then what we want to do is we want to move that into penetration testing. We want to make sure that that is truly exploitable. So yes, we've got this list. Yes, from what it says, it's highly critical, but what we want to do is we want to validate, right? Trust but verify. And so now we have another AI system that's all about AI enabled penetration testing. It's continuous penetration testing that we feed those high priority items into and it goes through and actually validates the exploitability of those vulnerabilities and then based off of the findings there, we couple that together into what we call a true risk score and that is what we use to kind of trigger, are we going to go through a much more proceduralized patch management exercise or is this something severe enough that we need to treat as a security incident and run through our SLA driven patching approach?

Jillian (00:16:48):

That's very impressive. Yeah. It's

Jeremy (00:16:49):

Awesome.

Jillian (00:16:50):

We built that?

Jeremy (00:16:51):

Yeah, we did. Wow. Yeah, it's great. Again, as we were talking about before the show, it is so impressive here at Insight, like the talent, the ingenuity, the innovation that comes out of our team, that when we see a threat like this, right by the way, everything that we do is always through the lens of we're not in this alone. Yes, Insight needs to fix this problem because we're a huge operator of IT systems, but at the same time we have a responsibility to our clients. They rely on us to help them through some of these extremely severe and industry defining types of events. And so to watch people take that so seriously and to bring everything that they have, all that creativity to really create these types of solutions, it's been one of the greatest honors of my career. I think back what I've seen over the past 30 years and what I've gotten to be a part of as we've created this Insight Managed Exposure Defense program, it really is one of the highlights.

Jillian (00:18:02):

It's great to see it all because you're right, it's not just about us although I think the benefit here is that we are experiencing the same things that our clients are. So it's like, we have to figure it out first. We're testing this stuff out first. We're using our own solutions and tools before we offer it to a client and obviously we're not going to do anything that we don't believe in. Yeah.

Jeremy (00:18:22):

We call ourselves client zero

Jillian (00:18:23):

By the way

Jeremy (00:18:24):

And you're absolutely right. I love that you said that we won't do something that we don't believe in. And that is so spot on because we believe in the approach that we've come up with and the capability that we've developed, that we're entrusting our own company, like the survivability of our own company to these capabilities.

Jillian (00:18:42):

What about companies that don't have teams like this? What do you do? And at what point, I mean, you mentioned earlier the ostrich effect, putting your head in the sand. The difference between an organization like Insight is like, of course we're going to be a target because we're massive, but when you're a smaller organization of under a thousand or under 100 employees, it's a very different probably mindset and different resourcing.

Jeremy (00:19:08):

Yeah, no, you're spot on. And so that is one of the big challenges that our new CEO Jack kind of put in front of us was like, "Okay, this is great that we solve this. We've got clients who are in need and by the way, this isn't just going to be enterprise clients." And so the challenge he gave us was now that we've basically taken care of our own house, let's go make sure that we're prepared to help protect our clients as well. And so what we did is we literally took the exact same capability and when I say capability, I'm talking about the exact same tools, the exact same talent and people that are delivering for Insight. We are packaging up as a managed service that we can provide to our clients who have that exact need and we're talking about clients as small as one seat all the way up to potentially hundreds of thousands of seats to be able to bring the same capability full end to end protection right out of the gate.

Jillian (00:20:04):

What has all this done for your risk comfortability or other companies risk comfortability? You mentioned earlier some sort of like slider of how that's changed.

Jeremy (00:20:14):

Yeah. So it's kind of funny. So I've had the honor of kind of discussing this with a variety of different security and IT leaders from organizations of all shapes and sizes and it was in the middle of a lunch meeting that I was having that this kind of popped into my head and I realized that what we were talking about was like risk tolerance to a certain degree because at the end of the day, like has the dynamic really changed or has the situation really changed? At the end of the day, we've been discovering vulnerabilities for a while, right? Those vulnerabilities have been various different software products that we consume, patches get provided, we deploy them when we can, but those vulnerabilities make us susceptible to attack from various different external parties who have a vested interest in making us hurt, right? So that really hasn't changed.

So when we think about this, right, what's fundamentally different now is that if you look about, if you draw a bar and I think about like a slider bar, right? We've all seen them, web interfaces, different applications that we use, we're all familiar with the slider bar and I think about that slider bar through the lens of really like, what is my risk tolerance? It's my risk tolerance slider and on one end I've got my willingness and the risk associated with being the victim of a cybersecurity incident. On the other end of that spectrum is my risk tolerance for basically having a hand in operational disruption and so when you go through and you look at these patch management programs that we run, if you were to think about that slider bar, right patching on a 90 day cycle in these big windows, right, what does that say?

Where do you think that that slider bar is? Where is your risk tolerance? Is your risk tolerance for operational impact or is it towards security incident?

Jillian (00:22:16):

Well, if you're doing a patch, you're probably going to do some interruption to the business,

Jeremy (00:22:20):

Right? 100%. Yeah. So if you're patching on a normal maintenance cycle of 90 days, that means that for 90 days you're going to roll the dice and you're going to say that, "You know what? I don't think we're going to be the victim of an incident. I am more afraid of my business partner getting mad at me for asking for an outage window to disrupt operations than I'm scared of the threat actors potentially exploiting me and executing an effective cyber attack against our infrastructure."

Jillian (00:22:47):

Sure, because this is almost a guaranteed financial impact. 100%. Something goes down for even an hour, it's going to impact business. Correct. The likelihood of an incident is like being struck by lightning. I'm going to take my chance. I'll walk

Jeremy (00:22:59):

Through the store. I'm going to slide my bar over here and I'm going to say I'm going to patch every 90 days because I feel like I'm more afraid of my business partner than I am the threat actors. What's happened now is that we've moved that slider bar. That slider bar, most leaders are now basically sounding like, nevermind with the tooling that they now have, I am way more afraid of the threat actors than I am of my business partners.

Jillian (00:23:25):

Well, your business partner is probably more afraid of them too now, right?

Jeremy (00:23:27):

Exactly. And that's the thing is it brings us all to the same place.

Jillian (00:23:31):

We

Jeremy (00:23:31):

Understand risk in a more unified way. We're more together on our assessment of what risk really looks like to the ongoing operations of our IT systems. And so that's really where we're starting to see that slider bar as it moves to the left, that means that we fundamentally need to do something different when it comes to managing patches inside of our environment. We can't wait 90 days anymore. That's too much on this side of the risk bar. This

Jillian (00:23:58):

Goes without saying, but I'm going to make you say it anyway. Patch maintenance is going to be an ongoing forever priority from now until the end of time because of these frontier models.

Jeremy (00:24:08):

We're going to consume software forever. Are we ever going to stop consuming things that are written with software?

Jillian (00:24:13):

I doubt it.

Jeremy (00:24:14):

There you go. Me too.

And so if software exists, vulnerabilities are going to exist. And if vulnerabilities exist, we're going to need a way to patch to remediate them. And what's interesting with these frontier AI models is that with Project Glasswing and everything that's kind of come about to provide early access to this tooling to some of the most critical software developers that create the technology that underpin our communities, our society, our economy, know that there's literally thousands of vulnerabilities, critical vulnerabilities in every major operating system and browser that have been discovered. So there's two angles to kind of what your question was. Number one is that there's going to be a front end level of effort unlike anything we've ever seen before in order to be able to get these patches that are being produced right now implemented across our environments, right? But that's like a big-

Jillian (00:25:08):

It's like a tsunami of- Exactly.

Jeremy (00:25:10):

We just have to survive this tsunami,

But the thing is, is that this also fundamentally changes a new steady state, right? I think there is a certain flow of patches that we saw. We used to have patch Tuesdays, right? Everyone's familiar with that terminology. I was joking with somebody, I said, "Yeah, it's patch 11:00 PM." That's literally what we're going to start seeing now is that the overall flow of patches and patch releases is going to be very different than I think what we've experienced. And I think that's another one of the reasons why we talked about really kind of transitioning into this patch as an incident methodology is that what happens if a critical vulnerability that is highly exploitable with our environment gets disclosed at midnight on a Friday before a three day weekend. That type of a situation warrants an incident style response. We need to act and we need to act with urgency and so in order to do that, we can't follow the same process.

We can't add it to the backlog. We can't have an emergency CAB and maybe in 72 hours get it deployed. It needs to be deployed within 24 hours on a holiday weekend.

Jillian (00:26:19):

So I imagine that a lot of security professionals are really feeling the heat these days and they're probably getting asked a lot of questions from maybe their CEO, from the board, from governance. There's five questions that they probably should know the answer to. We're going to make this a little bit of a speed round. All right, I love it. Let's do this. So I'm going to throw you the question that they should be getting asked and if they're not, they probably just need to go proactively.

Jeremy (00:26:49):

Hey,

Jillian (00:26:49):

We're giving them a jumpstart. If they haven't

Jeremy (00:26:50):

Been asked, that means that they've got a window to get their answer together.

Jillian (00:26:53):

That's right. That's right. So again, I'm going to ask you the question, you tell me how a security person should answer this. So question number one, do we actually know what we have and do we know where we're exposed?

Jeremy (00:27:06):

Yeah. I think based off of being in this industry for as long as I have been, especially most security leaders will say like, "We do not." They'll give you a percentage. Won't pomp in the chat. So they'll usually give you a percentage. They're like, "We're about 60% accurate. We're about 70% accurate." In all my years of doing this, I've never had anyone come to me and be like, "We absolutely have a 100% accurate accounting of every IT asset."

Jillian (00:27:37):

Don't trust that person.

Jeremy (00:27:38):

Environment. Don't trust them. They're wrong. I'm just

Jillian (00:27:40):

Going to tell you right now, they're

Jeremy (00:27:41):

Wrong because you just don't

Jillian (00:27:43):

Know. So it's okay to admit that we don't

Jeremy (00:27:45):

Know. 100%, but the big part of that is that openly admitting it gives you the opportunity and the vehicle to say like, "But we need to fix this." It allows you to elevate that urgency and to get probably the investment that that security leader has been looking for for a period of time to come in and to help close that gap. And again, I know I've already said it once before, but it really is as simple as I can't secure what I can't see. And if I don't have the tooling that allows me to go out and effectively do discovery in our environment to figure out every single asset that is out there, whether it's owned or not, because I think that's the other big thing is that a lot of organizations end up being surprised on what they don't own that's actually connected to their environment, not necessarily malicious in intent, contractors, but there's the scenario that you used before, you got somebody who brings something in from home, hooks it up, is connected to your network, but isn't actually a company asset,

Jillian (00:28:45):

Right?

Jeremy (00:28:47):

So

Jillian (00:28:47):

You literally take the first part of what you said and just paste that into an email to your CFO.

Jeremy (00:28:52):

Yes. Yep.

Jillian (00:28:53):

Give me the budget for the resources. Question number two, can we patch fast enough at scale without breaking production? This is that angry business owner you mentioned.

Jeremy (00:29:04):

Yep. And there's two pieces to this. Number one is I think that this creates a great opportunity for everyone like we talked about before to get on board, understand what do these frontier AI models mean and to help them just not necessarily full on fear mongering, but to at least make them recognize this is the reality of our situation and to help them recognize that they have a role to play. And there's two different ways that you can kind of approach that conversation. Number one is, is that, look, you just got to give me outage windows so I can implement patches. That may not be the right answer and I'm going to tell you why because at the end of the day, even security is funded by the business and so we need to make sure that the business continues to function at a level that allows revenue and things to function the way that they do in order to be able to remain viable ourselves to continue to fund security.

And so what that conversation does lend itself to is that, okay, why do we have to take down ... On this entire platform in order to implement a patch. Let's have a conversation around high availability or disaster recovery that allows us to maintain some level of operational state in the middle of a patch cycle. And so it doesn't just have to be around, I need you to get on board with this organizational change around this patches and incident methodology and you need to be able to give me on a moment's notice authority to take down a production system. There might be some of that, but I think the more compelling way to approach this is how can we partner together to create better resiliency in our IT operations around these critical systems?

Jillian (00:30:40):

Great advice. Question number three, what's hiding in our open source and third party software?

Jeremy (00:30:46):

Yeah. So I didn't even go down the second track. I focus so heavily around third party products that we consume that we have to patch, but a lot of companies write their own code. And so there's an element there around the same types of vulnerabilities that get discovered in commercial products are just as susceptible inside of the products that we develop in-house. And a big component to that is really the open source software libraries that inevitably make their way into our own code bases, whether we know that or not. And it's more and more often that we've seen a variety of different threat actor groups who are actively trying to insert vulnerabilities into these open source libraries proactively, but there's some that are just embedded in there just by sheer nature of being written by a human being. And so the first thing is, is just understanding what your software bill of materials looks like, what is your actual software supply chain, what are the vulnerabilities that are hidden inside of that and then really creating a plan for remediation and creating patches yourself.

Jillian (00:31:50):

That sounds like a lot of work.

Jeremy (00:31:52):

It is a lot of work.

Jillian (00:31:54):

Job security.

Jeremy (00:31:55):

Yeah. Job security much. All

Jillian (00:31:58):

Right. Question number four. Do we have the engineering capacity to remediate our own backlog?

Jeremy (00:32:02):

Yeah. So this one falls right off of the previous one is, okay, now that you've found out where the vulnerabilities are in the code that you've developed is what's your plan to remediate? And here's why this one is so uniquely interesting is because when you think about the capacity and the investments and the staffing that we have in order to be able to kind of develop that software, it's usually very tightly aligned with our own release cycle. So we've got features, services, functions that we're trying to deploy and release because they've got a direct business objective associated with them, right? Generates revenue, has ROI, all those good things. As soon as we get into this path of uncovering vulnerabilities that exist within our code bases, now we've got two competing priorities. We have potentially high vulnerabilities that exist, like high risk vulnerabilities, as well as a feature release that we've made other commitments to.

Do we have the software development and engineering capacity to do both? Most likely not. And so what organizations are kind of saddled with is I need to look at the limited resources that I have access to and do I reprioritize them off of scheduled release cycles

Jillian (00:33:14):

And

Jeremy (00:33:14):

Assign them to vulnerability patch development.

Jillian (00:33:18):

Which again, you're potentially impacting revenue. And

Jeremy (00:33:20):

Now I'm potentially impacting revenue or again, it's our slider bar. Am I more afraid of business impact because I delay this feature release or am I more afraid of being the victim of a cyber incident that maybe they won't find this one and maybe they won't exploit me, right? But can you really afford that? And so that's really what that one is all about is do I have the capacity to do both?

Jillian (00:33:43):

Yeah.

Jeremy (00:33:44):

And if I don't, how do I prioritize between the two?

Jillian (00:33:48):

Question number five, if a patch lags, can we detect and contain the exploit before it becomes an incident?

Jeremy (00:33:55):

Yep. And this is the SOC one. So I talked about how the SOC is the foundation and this is really the role that they play is that the one thing that is inevitable, inevitable when we talk about this new frontier AI model is that there will be a point where a vulnerability is discovered and either A, there's no patch available or for some reason we aren't able to implement it immediately.

Jillian (00:34:18):

You're a sitting duck at that point.

Jeremy (00:34:20):

You got your window, right? Like this is 100% exploit window and so you need to defend yourself. You can't just be like, "I hope this works

Jillian (00:34:29):

Out." Hope and pray. Yeah.

Jeremy (00:34:30):

That's really where the SOC comes in. It's really all about continuous monitoring of telemetry data across all aspects of your IT estate, looking for those various different patterns that are associated with known threat actor activities and actions. Also taking feeds from those vulnerabilities to be able to build packages inside of your SIEM/SOAR, to be able to quickly identify exploits associated with this unpatchable vulnerability that you have at the moment and to be able to take quick and decisive action to contain and expel any threat actors who might take advantage of that in that gap period.

Jillian (00:35:12):

You mentioned before that typical patch period today is 60 to 90 days driving more toward an SLA driven patch. I think just a moment ago you said 24 hours.

Jeremy (00:35:22):

24 hour SLA for criticals. Yep.

Jillian (00:35:25):

Do you think the 24 hours is going to be the new standard?

Jeremy (00:35:29):

I think that's where we're going to try and create the benchmark now. I don't think that's going to be the new standard.

Jillian (00:35:34):

It could be- I

Jeremy (00:35:35):

Think we're going to be talking about like eight hours. When you and I come back in like six months and we revisit this topic, I'm going to be like, "Holy cow, I can't believe I thought it was eight hours." We're now on a patch cycle of one hour for critical vulnerabilities. I hope that's not the case. That is holy cow. The level of effort, the automation. The good news is that there is a lot of automation built into this platform, technology and approach that we've created that allows for us to accelerate it at that kind of a rate. But man, it's still a tremendous amount of change to be introduced into a system like that.

Jillian (00:36:12):

What is your closing advice to anybody who is leading security at their organization and hasn't made any changes yet to how they manage their security?

Jeremy (00:36:23):

You already laid the foundation for this. It's the five questions. Start with those five questions and just ask yourself honestly, like what is my response to these five? Do I know my inventory and what my actual asset exposure looks like? What is my true ability to patch? When these things come out in the volume that we're expecting, what's your ability to respond to that? But most importantly, what's your ability to respond to this being the new normal from a patch cycles perspective?

Number three is if you write software in house, do you really know what you're consuming from an open source and third party library perspective and what the risks are associated with that? Are you using the most current versions? Are they exploitable? Number four is where's that talent coming from? If it's all in house, that's fine, but you just got to make sure that you've got a plan and a defensible plan on when vulnerabilities get discovered in your own code, how are you going to prioritize resourcing? Is it going to be towards feature or is it going to be towards remediation? And the last but not least is go back, review your various different security operations, procedures, protocols, relationships that you might have with third parties and really try to hone in on how are they taking feeds from vulnerability, threat intel, and feeding that into your various different threat detection platforms and building out processes and procedures for rapid response and containment actions.

So

Jillian (00:37:54):

Really

Jeremy (00:37:54):

It's those five questions. You got to ask yourself those five questions because at their core, that is how we are going to protect the organizations that we're responsible for.

Jillian (00:38:05):

That's a great way to end. Jeremy, thank you so much for your insights.

Jeremy (00:38:08):

Thank you, Jillian. This is great. I love coming on.

Jillian (00:38:12):

So Jason, as a CISO, you're not only advising clients on what to do about Mythos right now, but you're also having to respond to it and to shape our teams to be able to respond to it. So what are you doing? Is there anything that you're doing differently?

Jason Rader (00:38:27):

So it does put us as a provider into an interesting situation and it's one that I'm kind of pleased about because as we solve these problems for ourselves, we can take those solutions to our clients. So one of the other cool things about Insight is we leverage our own managed services. So our managed security services is something that we've been using. They fit very well into our team and it's not just because it's Insight's security services fitting with Insight's security team. They naturally blend into the stack that we use, which is the Microsoft stack. So what's cool about that is it makes it easy for anybody running that same stack to kind of integrate in the same fashion. And I think one of the other cool things about the way our managed services works is you own that instance, like the Sentinel instance that you use and all the Microsoft tools, that still belongs to us.

It still belongs to the clients. And if they chose to go with a different provider, it's not like they have to start over. They're still running their own platform, which is really good. But that client zero aspect I think is so important to me because we've proven it. And that doesn't mean we've proven it like it's awesome and it was super easy. We've proven it because we've worked through all of those things, leveraging our own managed services the same way that a client would, and we can talk about that journey. And that to me is one of those things why you would leverage Insight, kind of know where you're coming from. We consume the exact same services that you would use and I think it gives that ability to, again, exchange information. I tell all of our people in the field, when cool stuff happens and we innovate for a client, I want to hear about that because we need to bring it back.

So it really is kind of gratifying from a security perspective of, yes, there's this terrible threat that exists, but we're kind of all in this together and we're happy to share the way that we're attacking it and it gives that kind of camaraderie, which is not very common in a lot of other areas of the business. So that's my favorite thing about being client zero and leveraging our own services.

Jillian (00:40:29):

Most security leaders by now have heard of this thing or should have heard of this thing called Mythos. It's from Anthropic, it's been in the headlines. Let's kind of set the playing field here. What do we need to know about this limited release of Mythos Preview? What are we seeing from it? What has it done? What is the top three things that security or really any business leader right now needs to understand about Mythos?

Jason (00:40:54):

That's a good question. So do you want my conspiracy theory answer or?

Jillian (00:40:58):

I want both, but ...

Jason (00:41:00):

Well, I think Mythos, when they were training that model, there was no intent for it to be this mythical, maybe they named it appropriately, but it was never supposed to be this massive hacker tool. Who trains a model for that particular purpose? What they found is they wanted it to be a coding model and they found that as they trained it on all the code, it got really good at coding. And the frontier models now are really capable of if I want to do something and I don't have the capability or can't find the tool to do it, I'll just make the tool. And that capability, the ability to go really fast and the ability to, here's the key that makes Mythos awesome, is it'll look at a situation and then be able to chain that to the next thing, writing code,

Doing what it has to do to do the exploits. And so it's really good at just breaking into anything because it just looks at it as a bunch of separate problems. It'll write the code and bounce, bounce, bounce, and it's pretty pragmatic about it. So that's scary because it takes people a long time to figure that out. So the speed it's able to execute and its capabilities, which again, Mythos probably was unique at a time, but is not unique in that capability. Now, every frontier model that comes out from here on out is going to be in a similar situation. So that's what became mythic about Mythos. And then there was a certain amount of, maybe this is a conspiracies here, but there's a certain amount of marketing associated with it as, well, this is super awesome and we're going to keep it just for ... We don't want to release it to the public because we don't want to destroy the universe kind of thing.

And I think people say that it wasn't necessarily the performance hadn't been set up so that a whole bunch of people could access it. So they leveraged it well regardless. So whether that's true or not, they gave it to the government, they gave it to some providers that I think were good choices because those providers have pieces of software or equipment that are protecting everybody. So, hey, let's get the people who are the protectors set up so that they can find all the vulnerabilities that this tool is going to be really good at leveraging. And in doing that, they made the Project Glasswing was the name of that project. These Glasswing participants, and of course there were financial institutions, they included more folks as time went on. That's a good project. And I've talked to some Glasswing participants and they're revealing exactly what I expected that, wow, it found a lot of stuff, especially when you put it inside your organization versus outside of your organization because there's a different profile of what's available and accessible, but it is significant and it's real.

So this isn't a bunch of hype, but there may be some hype around it, but it's legitimate and real,

But this is Pandora's box. It's never going away. So this threat, whether it's Mythos or the next thing that's out there, it exists, it's here, we've got to deal with it.

Jillian (00:44:13):

It does feel like we're in the next Avengers film. We are. This is like Endgame.

Jason (00:44:17):

Assemble.

Jillian (00:44:19):

You just mentioned that it's different when you have it inside the org versus out. And really what you're talking about is Mythos is literally looking at the source code and all the pieces of assembling that versus a hacker on the outside of the organization trying to infiltrate. Why is that distinction different?

Jason (00:44:38):

Well, Mythos can look at the source code or it could just scan an environment looking for open ports. So when I referred to that inside the network aspect, I was talking about, okay, it's probably not just scanning source code at that point. Now it's just looking for all the stuff you have vulnerable. I keep hitting this, but looking on the inside and being able to see everything that's exposed from the inside of environment

Gives a lot of people a little bit of pause because, and I say this a lot, we've got a strong perimeter, most organizations do, but once something gets on the inside of that, which Mythos and those other frontier models are really good at, then it's, what do I want to do today as far as gaining access to that environment and keeping access to that environment? So that's why I said the profile is typically different. So when these Glasswing participants that are like financial institutions, they're looking at their own source code for sure, but also they're just having it scan data repositories just like we do and seeing, wow, there's a lot of data that's out there. There's a lot of data that can be aggregated. And then once it's aggregated, what kind of questions do I want? What can I derive from that? How can I use that for a competitive advantage?

How can I take that IP and leverage it?

Jillian (00:45:52):

You're thinking like a hacker. What can I do with this information?

Jason (00:45:56):

Yeah, sorry. I naturally do that and then we try to put the appropriate perimeters around that. And again, all of this stuff, there's nothing that should be, "Oh wow, I never thought of that." I never thought of all of this stuff happening at the same time. We've kicked projects down the road, data classification, data normalization, cleanup, getting the right access to people, managing identities appropriately, making sure that people have the right amount of privilege in an environment. All of that now has to be done because it's game on.

Jillian (00:46:27):

Yeah. It's going to find any minute weakness that it maybe is easy for a human to overlook, but this is a machine that does not tire. It looks at every single ... We're talking millions, millions of lines of code that it can just go scope out.

Jason (00:46:41):

Without any problems.

Jillian (00:46:42):

Definitely sounds terrifying. And I know that obviously you're talking to a lot of clients, but you're not just advising clients on what to do because you're also having to face this at Insight. We're an organization, we're just as vulnerable as the next. So how has this changed the way that our security team operates? How has it changed our priorities?

Jason (00:47:04):

I think the priority that changed for us, which is probably going to change for everybody is no Fortune 500 organization or just most organizations in general, there are vulnerabilities that exist that are known, that are in every environment. But it's one of those things where the likelihood of that being exposed or exploited is low because perimeters exist or it's in a non-production environment.

Those are the kinds of things that we can do higher priority things, but now that tools like Mythos can be used, everything, even the medium and low vulnerabilities are a foothold in another kind of attack that they can just chain together. That is the magic that AI can do in this is chaining these things together, putting things together that you never thought. It's kind of like a master chef walking into your kitchen and making something really good. You're like, "How'd you do this?" "Well, I just used the same ingredients that were on your shelf. I just used my expertise to make them awesome." Mythos is good at that.

Jillian (00:48:07):

Let's talk about what this means for the mid-market especially, because I feel like this is a unique group of organizations where you have a security team and I know that you just made the comment of you didn't have to go out and buy a bunch of people. You just sort of operationalized what we had and leveraged AI. But when we're talking about defending against something like Mythos, we are seeing more software updates get pushed because they were talking about security patches. How does a mid-market organization keep up with this?

Jason (00:48:39):

So that's a great point and realize we're a Fortune 500 organization. We have a lot of people on our security team compared to most mid-market organizations and there's a lot of people that wear dual hats in those environments. The compliance person's probably also a security person and maybe has another collateral duty. So I think that one of the things about Insight that allows us to get to the things that we, even though we're a Fortune 500 organization, is we leverage Insight's managed security services. We use Insight's Managed SOC capabilities because they're good at that. They're doing our tier one and tier two and then we handle the tier three things. I think everybody should take a look at what they can get out of the business of doing that really isn't key to what they're trying to do from a business perspective and running your tier one and tier two security operations, I don't think anybody thinks that's the coolest thing they've ever experienced.

So watching a bunch of alerts, checking out a bunch of false positives, let a team that's really good at that and being able to tweak those false positives out of your alert, all the alerts that you have to chase after, that's a good way to do it. So I think taking a look at that to get some of the load off I've also been, this was a while ago, but been in organizations that got so many alerts, they just quit looking at them. Well, we get alerts all day long.

That defeatist mentality can creep up and especially now that, hey, the sky is falling, I don't want people to feel like that. And I do think that just about everybody, us included, are going to need some help to get over the hump. It's zombie apocalypse. We got to figure this part out. Let's get the wall up, understand a little of intelligence of how these guys operate and then maybe we can get back to doing what we do. And that's what I think a lot of people are going to need. So I think it's just from economics and just a business perspective, it's good to leverage somebody who understands you, who can get this thing done, get it off your plate and allow you to focus on the things that not everybody has the time to focus on.

Jillian (00:50:40):

So staff augmentation, like in this moment of time-

Jason (00:50:44):

That's the uncool way to say it, but yeah, it is the equivalent of that

Jillian (00:50:47):

For sure. Yeah. And let's talk about the timing.

Jason (00:50:50):

I didn't mean you were uncool.

Jillian (00:50:52):

Thank you. Let's talk about the timing because this is fairly new. Project Glasswing is underway. So organizations that their software in particular is just so deeply embedded in organizations that if they were to get infiltrated, it could be so detrimental to every organization that uses that, which is why those patch updates and software updates are so critical. How long do we think this is going to go on for? Is this like we're looking at the pandemic of software updates and patch updates?

Jason (00:51:24):

That might not be too far off the mark because I do think there's going to be an equivalent of, there's a time period where everybody's going to be like, remember that time we

Jillian (00:51:35):

Had

Jason (00:51:36):

The Patchageddon that happened to us. I really think Glasswing, like you said, has been going on. Folks like Palo Alto and CrowdStrike and those guys have been, they're taking a look at their source code, they're finding a lot of things and they're patching them. Everybody is going to have to apply those patches before any of that work matters. And this is an ongoing thing. It's kind of like saying a recall on your vehicle, had a couple recalls on vehicles. Dude, that's a huge pain. I got to take my vehicle in. They take it for a day, they send it back. Didn't cost me anything. Yeah, but I had to sit in your waiting room for a long time before you fix this. That same thing's going to go down. This doesn't cost anybody anything from the patch

Jillian (00:52:25):

Being

Jason (00:52:26):

Provided.

Jillian (00:52:27):

But it's disruptive.

Jason (00:52:27):

It is crazy disruptive. And then even inside ourselves, we're reevaluating how we apply patches. We can't wait a long time to apply patches. It's not prudent.

Jillian (00:52:36):

Okay. But even if we do do that, I'm thinking about how many times my computer has been like off update, do it later? Yeah, do it later because I'm busy. I got stuff to do.

Jason (00:52:47):

So busy.

Jillian (00:52:47):

Right? And now before I know it, a week and a half has gone by and IT is hounding me like, Jillian, you stop delaying your updates. This doesn't feel like something that can be delayed right now.

Jason (00:53:00):

And that's a good thing that you realize that. So realize that if IT were so inclined, they could make you apply those updates. So I think our IT are pretty confident about knowing the profile and editing given the time I do see people who haven't applied patches. There's a list, by the way.

Jillian (00:53:17):

I hope I'm not on that list. I probably have that list.

Jason (00:53:19):

But that's okay. And in our environment we've designed around the fact that the user workstation, that's the biggest threat vector to the organization is people who are going to click links and emails or not apply the patches. We understand that pretty well. So those aren't the patches that we really care about. It's the patches for your network gear, your website, your different components of that website. I mean, even AI models that we're leveraging on our website, all of those things are coming back into play. And it's not that we didn't do due diligence to put those things into operation, but now it's like, whoa. I mean, it's a big deal. And to be fair, there are going to be movers and shakers, people who get this done, get it done early and empower people and there are going to be people who are being pulled along.

I don't know if those guys are going to last because I'm not going to use a vendor that didn't take this seriously enough to get the patches out. Even if it was overwhelming for me, I at least want to know what I'm up against, not like, okay, we got all the patches applied. What? We got this extra one that comes in. Why didn't those guys let us know?

Jillian (00:54:29):

Yeah. So there's a couple different layers to this. There's the vendor patches and you named a couple, mostly big security providers that we're hoping are doing their due diligence and pushing out these patches. That's the biggest, most important layer. The other layer is the software updates that you've got people ignoring. Not to freak out even more, but we're talking about security. You even talked about people who click on links and stuff. When news breaks that a weakness or vulnerability has been discovered, that feels like painting a great big sign over to the hackers to say, "Take advantage of this." I would imagine that you're going to probably see a swell of phishing attempts taking advantage of people who are kind of aware that something's going on and they're trying to be good stewards and then in doing so end up doing something really horrible, which is clicking on something that wasn't actually an update.

Jason (00:55:25):

Yes. So I think that threat vector is absolutely fair. That's going to happen just as much as what you stated before that, the real threat of a patch existing, it hasn't been applied yet, and the bad guy's taking advantage of

Jillian (00:55:41):

That

Jason (00:55:42):

Is in game too. I mean, there are services out there you can subscribe to that when a vulnerability comes out, you just log on to this place and you do a search, it scans the internet five times a week and it just gives you a list of the 20,000 people that have this vulnerability. So it's like-

Jillian (00:56:02):

Wait, wait, wait.

Jason (00:56:04):

Oh yeah.

Jillian (00:56:04):

It will tell you who has this vulnerability.

Jason (00:56:06):

Yes. There are known services. I'm not going to name them by name, but I might even have a subscription. But yeah, it's one of those things where if these guys are scanning every internet accessible IP address and all of the ports that are open and they basically can figure out what services that you're running based on those ports that are open and they catalog

Jillian (00:56:26):

That. You're a sitting duck.

Jason (00:56:29):

You are at a disadvantage if you don't know what that's exposed you to.

Jillian (00:56:35):

Yeah. Okay. Well, now that we've properly scared everybody,

Jason (00:56:42):

But that's a tale as old as time. That's been around for decades at this point. The issue now, and we talked about this a little while ago, is that when patches get issued, guess what? The bad guys are going to disassemble those patches and see what was patched. They'll see what the vulnerabilities are and then they'll go write exploits to pwn the people that haven't applied the patches yet. So there's an ecosystem that's going on in here. As soon as somebody fixes something, the guys want to figure out what they fixed and they're going to go out and try to exploit that. So again, that's what zero day is. Zero days, there's a patch that exists, or excuse me, a vulnerability that exists that there's no patch for. Zero. Because usually what people will say is if you get owned by somebody's exploit, a lot of the vendors will say, "Well, that patch has been out for a hundred days or so long," meaning you should have patched, but all these zero days are these vulnerabilities that exist and no patch can be applied to fix that.

And there's opportunity from a hacker perspective. Now, one of the good things that I think we should say is hackers don't technically have access to Mythos right now. That's something that's controlled from an API access perspective, and all of the big models that are out there, they require API access as well. I hope that there's going to be some control where somebody who's trying to orchestrate some evil leveraging an API call to a well-known frontier model, that they're going to keep some of that down, but that still doesn't stop the people with local models, but it's just at least on a lesser level of scale. Microsoft did just come out with a harness, if you will, security harness called MDASH that allows you to use hundreds of agents with a number of models to basically do everything that Mythos does. So again, there's already stuff that's out and that's available.

It's private preview right now, but it's one of those things that I think Microsoft plans to release for free to folks that are out there. So at least there are tools that are coming. There is support that's coming, but security is a rough industry to be in. I mean, if you think about it, if somebody breaks in, the police come. If your place is on fire, the firemen come. But if cyber happens, nobody helps. So I think that's one of the things where you've got to figure out what your support system is for that. And it's usually the vendors, it's the solution providers, people who can come in and help you figure those things out, hopefully in a preemptive fashion, because it's way better to prevent fires than to fight fires.

But it's one of those things where ... And that's where I think the mid-market is kind of in a rough spot, because they're exposed to the exact same threats that the big guys, the governments, that everybody's exposed to, and they don't have the same resources. And I think that's one of the things. Security's hard. Even with the same tech stack, in the same vertical, same size company, it's different in organizations. So it's not like this easy, "Oh yeah, easy peasy," one size fits all kind of thing. It is hard even when you've got the budget, even when you've got the people. It's even harder when you don't have those things.

Because how many shots do you have talking to the ELT or executive leadership team with your budget and those kinds of things? I mean, we're operating on our budget for this year that we said we were going to do back in October. Those kinds of things. I mean, you've really got to play the security game for covering the most bases that you can cover with the budget that you're given. Now, of course, if there's something really bad that goes down, you'll typically get some type of budget from an emergency perspective, but that's rough too. But then when you do, where do you go? I've got, hey, you couldn't buy a lifeboat on the Titanic kind of thing at a certain point. It's one of those things where you've got to figure out what your approach is going to be. And it's a lot of non-exciting work in a lot of cases to figure out what your risk profile is and negotiation.

We do a lot of negotiation with our internal operations people. Do you need to use this particular feature? Do you need to use this particular product? Could we use a different product? We have that negotiation with the business, not because we're trying to keep them from doing cool stuff that they want to do for the business, but sometimes the level of access, even though it's controllable, it throws up a flag like, "Man, if that were to go bad, it would go really bad." We call that the blast radius.

If something goes bad here, it's going to hurt a lot of

Jillian (01:01:35):

People.

Jason (01:01:36):

And we've tiered that out. It's more obviously things that are regulated like our Sarbanes-Oxley, our SOX kind of environment with financial reporting, can't mess that up. So those things, anything that's going to go in that area has a lot more scrutiny. But again, we're already talking about a lot of meetings and things that go on that you have to do before you're going to do anything to secure. So I didn't mean to kind of play this defeatist kind of thing, but it's a lot of work. And even if you did it all, there's still stuff to do tomorrow.

Jillian (01:02:09):

Well, but what I'm hearing from you is that now is the precise moment, as always, to evaluate what is your defensive strategy? What needs to be updated there or patched? Do we need to call in some reinforcements for now? And also, should the worst happen, which every security person I've ever talked to has always said is a when, not an if. When that happens, who's on our emergency contact list to call to bring in? Something happens. But you said something earlier that I want to go back to, which is that the bad guys don't have access to Mythos yet. Right now we have the most powerful weapon. We have the bigger tool, but I think it's safe to assume that that's not always going to be the case. Totally correct. So we need to do everything in our power right now to just get ahead and stay ahead.

What's the one thing that a security leader needs to do tomorrow?

Jason (01:03:03):

So the one thing, I'm hoping they've already done this, but the one thing is to make sure you've got visibility. I mean, before Mythos, visibility was still our concern. Can we see what all these agents are doing in our environment? Can we see, oh, we want to start using new protocols where our agents talk to agents from other companies and all of that. Do we have visibility of this? We have new standards that are coming out, or they're not really standard yet, but we're still developing and going to market with them. Visibility is key. If you can't see it, you can't protect it.

Jillian (01:03:33):

And that's true even if you don't have AI. If you're an organization that doesn't have agents in your workforce yet, you still need visibility over identities, over-

Jason (01:03:42):

Yes, yes and yes.

Jillian (01:03:42):

All of the things. Everything. Okay.

Jason (01:03:44):

So making sure you have that visibility. That's not a checkbox. That's something that takes, because you've got visibility in your network, your identities, like you said, there's all these different layers. And is that the same person that's looking at all of those or is that a team that looks at them? I mean, that's why again, outsourcing our tier one and tier two visibility basically from a managed SOC perspective

lets those guys kind of deal with ... Now they're leveraging our platform, but it is one of those things where they can deal with the ankle biter kind of stuff that's going on. We can deal with the big stuff, and that, in my opinion, is the way to roll as far as security goes. But if you've got visibility in place, then what are you doing with that? So let's say you have that situational awareness of what's going on. How are you using that? How are you operationalizing the intelligence, the threat intelligence you're getting? Mythos is out, or this is out, or that. I mean, because there's a lag between ... I'll routinely get emails from executives saying whatever they saw on the news yesterday or today, are we okay with that? And I fully respect that. I'm not dogging that at all, but if I'm hearing about it for the first time when they ask the question, we're doing it wrong.

And that's happened. It's rare, but it has happened. But I think that's where threat intelligence is a huge thing. So being able to get that intel in, at least when it's announced, but there's always the person who's going to get gotten first and then hopefully we can learn from that and kind of secure. You don't want to be that first person.

Jillian (01:05:28):

Great way to close it out. Jason, thank you so much for your time today.

Jason (01:05:31):

My pleasure. I hope to see you again.

Speaker 4 (01:05:33):

Likewise.

Thanks for listening to this episode of Insight On. If today's conversation sparked an idea or raised a challenge you're facing, head to insight.com. You'll find the resources, case studies, and real world solutions to help you lead with clarity. If you found this episode to be helpful, be sure to follow Insight On, leave a review and share it with a colleague. It's how we grow the conversation and help more leaders make better tech decisions. Discover more at insight.com. The views and opinions expressed in this podcast are those of the host and the guests and do not necessarily reflect the official policy or position of Insight or its affiliates. This content is for informational purposes only and should not be considered professional or legal advice.

Learn about our speakers

Jillian Viner

Marketing Manager, Insight

As marketing manager for the Insight brand campaign, Jillian is a versatile content creator and brand champion at her core. Developing both the strategy and the messaging, Jillian leans on 10 years of marketing experience to build brand awareness and affinity, and to position Insight as a true thought leader in the industry.

Jeremy Nelson

Chief Information Security Officer, North America, Insight

Jeremy has over 25 years of experience in the information systems industry with a specialization in cybersecurity. Over his career, Jeremy has held a diverse range of roles and positions encompassing help desk technician, technical engineer, security auditor, enterprise architect, and P&L owner. In his current role as Chief Information Security Officer for North America, Jeremy is responsible for the security of Insight's full portfolio of client-facing services, with the guiding principle of ensuring that "our clients should never be less secure because they chose to partner with Insight."

Jason Rader

Chief Information Security Officer, Insight

Jason assumed the role of Insight’s chief information security officer in 2021 after joining the company in 2015 to build the security consulting group. Today, he builds upon more than 25 years of experience to develop Insight’s end-to-end security consulting portfolio and share Insight's transformation journey with fellow security leaders.

Subscribe Stay Updated with Insight On

Subscribe to our podcast today to get automatic notifications for new episodes. You can find Insight On on Amazon Music, Apple Podcasts, Spotify and YouTube.