Sylvain Hirsch: Cyber Forensics and Incident Response Through the Lens of Rugby

November 18, 2022 Tim Freestone and Patrick Spencer Season 1 Episode 6
Sylvain Hirsch: Cyber Forensics and Incident Response Through the Lens of Rugby
More Info
Sylvain Hirsch: Cyber Forensics and Incident Response Through the Lens of Rugby
Nov 18, 2022 Season 1 Episode 6
Tim Freestone and Patrick Spencer

While Sylvain Hirsch played on the Swiss National Rugby Team over a period of eight years, he learned much about the importance of collective collaboration and response. This prepared him for a career in cyber forensics and incident response that has taken him on an interesting journey from Europe to the Asia-Pacific region. He's worked for international organizations such as Credit Suisse in threat detection and response and has spent the past two years as an incident responder at Mandiant. His academic endeavors include serving as a guest speaker at different conferences and guest lecturer and researcher at Interpol, University College Dublin, University of Lausanne, and Berner Fachhochschule. This Kitecast episode explores various aspects of cyber forensics and incident response and what Sylvain sees as best practices and anticipates will be key advances in the field.

Check out video versions of Kitecast episodes at or on YouTube at

Show Notes Transcript

While Sylvain Hirsch played on the Swiss National Rugby Team over a period of eight years, he learned much about the importance of collective collaboration and response. This prepared him for a career in cyber forensics and incident response that has taken him on an interesting journey from Europe to the Asia-Pacific region. He's worked for international organizations such as Credit Suisse in threat detection and response and has spent the past two years as an incident responder at Mandiant. His academic endeavors include serving as a guest speaker at different conferences and guest lecturer and researcher at Interpol, University College Dublin, University of Lausanne, and Berner Fachhochschule. This Kitecast episode explores various aspects of cyber forensics and incident response and what Sylvain sees as best practices and anticipates will be key advances in the field.

Check out video versions of Kitecast episodes at or on YouTube at

Patrick Spencer 0:24 

Everybody, welcome back to another Kitecast episode, this is Patrick Spencer. I am here with my guest Sylvain Hirsch; he is an incident responder over at Mandiant. He’s a university professor, he’s done a little bit of lecturing over Interpol, you name it. He has done it, including rugby. And we’re going to touch on that subject during today’s conversation. Sylvain, thanks for joining me today.

Sylvain Hirsch 0:47 

Thanks for the invitation. I’m really glad to be here.

Patrick Spencer 0:50 

I’m looking forward to this conversation. Rarely, if ever, do we get a chance to chat about rugby? So maybe we start there. So, you were on the Swiss national rugby team? I think for about eight 9,10 years, somewhere in that vicinity? How did you get into rugby in the first place? And how did you end up on the national team? And, you know, were you traveling all the time all around the world playing in all these matches.

Sylvain Hirsch 1:17 

I mean, I love to cover rugby, because I study so many things that I’ve learned from rugby, and I’m like applying my daily job as well. I think I just started to play rugby because I was a bit hyperactive when I was a kid. And I love to be challenged. And we can also see that within my day-to-day job. I like so alive. I like working with people and also working with people to achieve the same goal, say my work or same on the rugby pitch. I like to be challenged I like to perform. So, these are all these parallels between work and rugby. Yeah, I’ve been working playing for the Swiss national rugby team for like almost 10 years traveling mainly in Europe. Yet great experience playing great players as well. And that’s proved me so many skills that I’m using in my personal life as well as professional life.

Patrick Spencer 2:13 

And for us any big match wins that you guys had during the course of your 10 years. What sticks out for you.

Sylvain Hirsch 2:22 

That was probably not with the Swiss rugby team. We’re like playing sevens with a team named Streeters playing against France, South Africa sevens. Yes, some good the challenging game. We didn’t win these two games, but we managed to challenge them well enough to be proud at the end of the day. And yeah, I mean, we’ve been what I started with the Swiss team, we were I think, like 77th on the world ranking. And just before COVID were like in the top 30. So, we’ve been like, becoming better and better. And but one day, it’s hard to reach, I don’t know the top 15 or the top six or seven to be part of the World Cup.

Patrick Spencer 3:07 

So, what position did you play?

Sylvain Hirsch 3:11 

Center or fullback but everywhere in the back, but like center and fullback mainly, I hope people know about rugby otherwise, like they would just skip like that podcast and say okay, it’s the rugby podcast. Now we’re talking about cybersecurity there as well. It’s coming to you, stay tuned.

Patrick Spencer 3:29 

There’s probably analogies or you know, parallels in rugby, it’s a team sport. Incident Response, certainly, which is what you’re doing right now is a team sport in many ways. And it’s also a huge challenge. And rugby for anyone who’s ever watched it is not for the faint of heart, needless to say, right. So, I assume there’s some lessons learned that you can take from all the time you spent playing rugby, that is carried over into your Cybersecurity Digital Forensics career.

Sylvain Hirsch 3:59 

Yeah, I mean, I mean, thanks for bringing that topic. That’s really, it’s a bit close to my heart, honestly. So, I think there’s so many parallel, I think the first parallel I think in rugby, you can’t achieve anything. As an individual, you have to play with everyone you have to play with small, tall player, like skinny, like heavier players, strong player, rapid player, and you have to bring all these people to achieve the same goal. Also, you have like people from different backgrounds, you’ve got someone working as a worker, someone which could be the CEO and making millions like a year, and we all have a personal life and personal problems. So, at the end of the day is how can we get everyone’s strength to achieve the same goal? And I mean, I see that within my daily job. I’m an incident responder so I’m like facing internal like large cyber incident everyday like if I take the if I take like a ransomware as an example, like the client will call me and I will be the face from the company, I will be like basically the captain of the team because I’m pressing the client to lead the incident. However, there’s so many people in the background so these like all the analyst, analyzing what’s going on these also sometime we require malware analyst because we don’t have time to do a full malware investigation while investigating compromised systems. So, we just submit a sample to an outstanding malware analyst team. On top of that, we’ve got all the attribution part and the Intel part because we do incidence Incident Response driven by intelligence. So, it’s like we’re always collecting this data to we know with the Troy factors beyond that, and all this information provided by this team will make our investigation way more efficient. And, and we will be able to quickly resolve the problem investigate incidents, to limit the impact on the business. So, there’s all this team that has to work in synergy. And basically, we’re taking the best of everyone, like I can do my analysis, but I’m not the best malware analyst ever. But I’ve got that out, awesome team. So as soon as I found something complex, I send it to the team, they come back with relevant findings, what I’m working on something else. So same as rugby, in incident response, you just have to work together to achieve the same goal, which is basically investigating in rapidly to limit the impact on the business. And if I may just add something I think like over the last few years, we probably saw a shift within organization, we used to probably work, every organization was just trying to fight its own like cyber breach. But today, we see like a bigger collaboration between the public and private sectors. We saw that recently with recent cyber breach where like, for example, Mandiant will call CrowdStrike. We used to be like seen as a competitor. So, the two CEO will call each other and say, oh, have you seen that? Have you seen that admin threat that is within your network, within your client network? And together before releasing that news publicly, they just go into work together to get more information just in order to protect everyone and every organization correctly and obviously, all our clients.

Patrick Spencer 7:21 

That’s interesting, we’ll talk a little about your role over at Mandiant, now Google, that the acquisition is official, but you bring up an interesting point. So, before I lose, lose my thoughts on this topic, internal versus external notification. Your latest report, I think, is the 2022 report that was published earlier this year, actually went into some detail around geographically based as well I believe that internal notifications versus external notifications, when someone actually finds out that they have a problem? How do they find out about his internal resource? Do they discover it themselves? Or is it someone else outside the organization telling them? What trends do you see happening in this arena? And why is it trending in that direction.

Sylvain Hirsch 8:07 

So, I think it will probably have to go back to like the internal report 2022, just to provide your right number. So, I don’t have the report like handy right now. But I will say these few ways to discover a cyber breach, it could be internal, like, like it could be discovered internally. Thanks to all our technology, like if you’re going to an alert, and a sock is doing a good job to investigate them understand that something bad is going on. And if for resilience, and more mature organization to be able to detect that at the first stage of the attack, where basically there’s no impact, you don’t really want to discover that you’ve been hacked for years, and other threat actors has been stealing data for like four years. And so, you can detect cyber incident internally, obviously, we try to reduce the amount of time to detect this attack. We also can basically detect attacks thanks to like external organization like, like our companies, for example, where which monitor the dark web to like that monitor the dark web and any like any website, where for example, for doctors will sell access to any organization. So, if we see like a company X axis is getting sold on the dark web, we do victim notification. So hopefully you will be notified enough and be able to mitigate that like those threats before someone by the access from that traductors. And I will say you can also get notified by law enforcement. Or maybe one day just discovered that directly in the news, and that’s probably the worst-case scenarios where you got a threat actor that publicly announced that he’s been exfiltrating a large amount of data for years. or whatever, and that your data is available. And that’s the way you realize that you got breached.

Patrick Spencer 10:06 

What’s typically the breakdown there most organizations actually discovered internally, and then they tap external sources to figure out exactly what’s happening is they analyze the data and they do a digital forensics trail, or is it a growing number that actually aren’t aware of they have a problem. And then suddenly, something comes out of the news or they’re contacted by an external entity or one of their supply chain partners, perhaps contacts him and lets them know that they’ve had a problem. And there, they’re seeing some potential malicious activity happening in regards to their connections to the to the parent entity, you know, what, what’s the trend there? In terms of what you guys are seeing?

Sylvain Hirsch 10:45 

I think we see, I mean, these like, obviously, cannot all the scenario that you mentioned, to be honest. I mean, you really depend. I mean, when there’s a third party like, like a third party getting breached, or like a supply chain attack, where basically like with SolarWinds, Fire will announce that we got breached, and then provide indicative of compromised to provide visibility to other organization to determine if they could breach or not. And then you got hundreds, if not 1000s of organizations that realize that they got breached as well. So, in that case, they will get notified by third parties. So, I mean, it can come from anywhere, like I will say, what we try to do is to work with organizations to make them more mature, in order to provide them the ability to detect cyber threat and like cyber incidents early in the kill chain, in order to prevent I mean, data exfiltration ransomware being deployed, or even having any national states conducting some cyber espionage for years within the environment. No,

Patrick Spencer 11:54 

That’s very true. Great recommendations. Alright, let’s talk a little about your career. Beyond rugby, so you’re playing rugby, you’ve been in the university for a number of years, you have several different degrees. You landed over at Mandiant in 2021. Before that, you spent about three years, four years, I think over at Credit Suisse, doing digital forensics as well as incident response in several different roles and levels of responsibility. You talk about the evolution of your career, and how did you end up at Mandiant? And what are you doing now?

Sylvain Hirsch 12:31 

So good question, how did I end up there. So, I mean, I started with a master’s degree in digital forensic. And then I wanted to do my master’s thesis within a corporate organization. And I really wanted to do that master’s thesis within an organization that was not a cyber sector organization, because I wanted to understand the complexity to work for any organization, where cybersecurity is not the core business. So, it’s very easy as a consultancy company to provide the best recommendation. But when we deal with customer, we understand that these business stakeholders beyond that don’t want to, for example, improve the cyber security or to deploy technology, because they’re afraid that that could have an impact on the organization. So that’s why I started to work for a bank because that provided me the complexity of a large network. And also, to understand that cybersecurity was just an additional risk, I had the chance to work for Credit Suisse for years, first in Zurich, then in Singapore, while and after a certain amount of years working for them, I just wanted to learn from the best to improve my knowledge, and also to have the ability to see what’s most of the people don’t see to work on APT like Advance Persistent Threat. When you work for an organization, you don’t want a ransomware to happen. But as a cyber security expert, you want to be able to experience that to know how to deal with it and also to be better at preventing that type of attack. So, I joined Mandiant to really learn from the best. And over the last year, now I’ve had the chance to work on several APT attacks, the chance to work on large ransomware cases on some Linux forensic. And now actually, I’m moving on with my career, I’m going to join the strategy team to help the organization to be better prepared to face cyber incident. So really to improve the cyber maturity to improve the detection capabilities to also like conduct simulations. Yeah, just organization to choose that she’ll help and get better at protecting, detecting and responding to cyber threats. So, I will be more on the proactive side and just on the reactive side as well.

Patrick Spencer 14:56 

Interesting. So, you get to straddle both sides of the fence in a way, right? Which gives you additional experience. Now you also do some lecturing, I think over at BFH in Switzerland, what classes do you teach? I assume they’re in the area of digital forensics. And how long have you been teaching there? I think this is a recent endeavor. You know, how did you end up doing the teaching gig the university professor assignment.

Sylvain Hirsch 15:26 

So just to be precise, I’m not doing any teaching at BFH. I’m simply reviewing master thesis. And this one outstanding master’s thesis, which is coming up from students over there soon, I hope he’s going to be published. And because there’s a lot of good work that has been done over there. And actually, I’m starting as a guest lecturer next year at University of Lausanne, where I’m going to provide a few lectures about incident response, intelligence, and also ransomware remediation. So, something I mean, these two reasons why I wanted to be part of the academic world and to teach is first, I love sharing knowledge. Also, by staying close to the university, you also understand what’s coming next. And I can also right now provide some practical experience to some students.

Patrick Spencer 16:21 

Well, that’s a good segue, I was about to ask you about ransomware. There’s a lot of data on ransomware in the latest Mandiant report. And I think in the 2023 projections report, so if listeners are tuned in to this podcast, make sure you check out both of those documents from Mandiant. They’re full of very, very useful information. But ransomware trends seem to be going down a little bit. Does that mean that the threat or the risk associated with ransomware is decreasing a bit anyway? And my second question, which is associated with ransomware, is, is there a difference between ransomware and extortion? I noticed there’s a section I think, in the 2023 projections document on extortion versus ransomware. Is it the same? Is it different?

Sylvain Hirsch 17:11 

Yeah. So, I mean, it’s an interesting question on the decrease of ransomware. I’ve been discussing with a lot of friends working in the industry. And a few months back, they told me yeah, we are seeing a decrease of ransomware. And I was like, personally, I don’t. I still receive call from clients on the on a day-to-day basis. So first, before talking about the decrease of ransomware. I think it is important just to mention that we only see what we see we only see what organizations, clients, individual governments want to report. So, we don’t have the full visibility, even if we got a good visibility on the cyber threat landscape, thanks to cyber threat intelligence, and all the incidents we’ve been working on. But I think we are currently seeing a decrease of ransomware incidents targeting the US. However, we also seen an increase of ransomware incidents in Europe and in EPG. And based on the M Trend Report, or not the employment report the Mandiant forecasts report for 2023, we are expecting an increase of ransomware incidents in Europe, and in Asia. This could be related to the maturity level that is increasing for organization in the US, whereas probably Europe and APG, AIPAC are probably a bit slower, on that cyber journey. So, it is not too late. But just get ready and just get prepared. That’s why I always say is like, even if it’s like impossible to predict the future is. It is important to understand what threat actors do and to understand what’s threat like, what’s the next cyber threats like that we can get better prepared, and like improve our capability and like we can just be ready. And I mean, we’ve been seeing that with some organization. And if we take the example of Ukraine, we’ve been working a lot with Ukraine. And a lot of organizations are helping Ukraine or any other like organization getting hit by Russia, for example. And we can see that we could through readiness and preparedness were able to detect destructive attack quickly. But also, to remediate the cyber-attack quickly, all I quicker. I mean, that’s why I always say to organization, you don’t want to basically try to understand how to do a password reset or how to contain system when you’re facing a cyber incident. Get ready up this process in place of the management also ready to handle that kind of stuff. Because sometimes the management will have to take decision and this decision would have a business impact or I could let shut down the network for 24 hours. As obviously, we’ve created an impact. But like, is it better to shut down the network for 24 hours, or to have the entire network getting encrypted, and then we won’t be able to work properly. So, I will say, get ready and just go through simulation, go through simulations, improve the awareness of your management, improve the awareness of, of like everyone, because cyber security is like everyone’s responsibility.

Patrick Spencer 20:25 

And we have all heard the saying, you know, it’s not a matter of if, it’s when you’re going to experience that cyber-attack that’s successful. We’ve seen a number of instances where organizations simply didn’t understand the breadth of the attack and what had been breached. There was one about a month ago, I’m not going to name the organization. But it was an organization where they thought it was basic PII data that had been exfiltrated was being held ransom, they decided they weren’t going to pay the ransom. And then it turns out that the data that had been, was being held ransom was released on the dark web was mental health records and other things. And that was the last thing I think that they expected to see. So, you know, being prepared in advance, obviously, is highly critical and having those processes in place, but then having the right partner when it does happen to determine through digital forensics, what actually was accessed and what has been exfiltrated versus what wasn’t, is critical. And I think that instance is a great lesson. Can you speak to the fact that it’s preparation, but it’s also, you know, the day of, the day after that activity is just as important?

Sylvain Hirsch 21:42 

I think you’re just mentioning something very interesting. And I mean, I published recently about it, I think is like, firstly, it is key to get the right partner, and the right partnership, before anything happened to know who is going to support us to conduct an investigation. I mean, so we speak about internal response retainer services, and there some great company that could help organizations to investigate and remediate cyber incidents quickly. I think it is important to understand that the cyber investigation could be very complex. And the impact to large cyberattack could be huge. So, having this partnership in place beforehand, how to speed up the entire process, what’s the role and responsibility of every stakeholder of the partner to also internally who is going to take with this decision? So, we talked some time about like tabletop exercise, which are very high level. But a tabletop exercise provides the ability, if it’s a technical term or tabletop exercise, touch base first provides the ability to the technical team to understand how they’re going to conduct investigation, what’s the step that will need to be taken to quickly remediate? How can they escalated properly to the management how to they could be escalated properly to the crisis management? And then when we talk about ransomware attacks, filtration, it goes just a level above. And that’s where we can simulate that type of attack with an ATT X executive tabletop exercise, where basically, what are you going to do if a threat actor is asking you for ransom? And if you don’t parrot them, they will publish critical data on the dark web, this poses the question and how you’re going to communicate. We’ve seen a trend and I think that’s a good trend with company and CEO and CFO publicly and proactively announce that they got breached that they got breached, that they are currently investigating the cyberattack Obviously, they don’t have much information most of the time. So first, they don’t have much information, and they don’t want to share more much information to protect investigation. So, I think that connection party is very important. And we can all get peppered. How are we going to handle that situation? Who is going to speak is that the CISO? Like the Chief Information Security Officer, is that the CEO, the Chief Executive Officer, like, what’s the lesson that we’re going to do so we can prepare like all the stakeholders proactively in order just to communicate quickly? I personally think that proactive communication is one of the best things in today’s cyber world because we’ve been we’ve seen and you’ve talked about extortion before. Right now, threat actors deployed that they call ransomware. They also conduct data exfiltration to force organizations to pay ransom. They are financially motivated, they want organizations to pay a ransom, then I mentioned it in my last presentation at NYU a few weeks back in Washington. Everyone is going to get hit by ransomware everyone is going to get breached one day, so just get prepared, like, even the most sophisticated cyber organization and firearm like, was hit by soloing, we managed to find the breach, but we got hate. That’s it. So, get to third, that’s the only thing get prepared. Get the management aware. And yeah, just simulate cyber incidents.

Patrick Spencer 25:23 

Great recommendations spot on. And it’s our local hospital a few weeks ago, it was hit guess what, with a ransomware attack. And the systems were down for a couple of days while they tried to figure out what they were going to do. It’s inevitable. Unfortunately, you brought up Ukraine. Man has done a lot of work this past year since the war in Ukraine started, can you talk a bit about some of the things that you’ve seen, you know, have we, you know, it seems that the Doomsday, cybersecurity, cyber threat events that everyone was talking about when the war started, never really seemed to come to fruition? Is that true? But what have you been able to observe in terms of the activity that’s happened outside of Russia within Ukraine itself, as well as in other nations that have been supporting Ukraine in the war against Russia?

Sylvain Hirsch 26:15 

I think we’ve seen like an increase of cyber-attacks, and especially like destructive cyber-attack, overall. And we can also expect that, basically, we can expect Russia to conduct cyber action and cyber like attack against every state that basically put sanctions on Russia. But I think we just have to be ready for that. I think something which is very interesting that just basically, like, which is linked up with what I said before, is, if we are getting ready, we see these organizations can quickly recover for it. So, I will say, even if we see like an increase of destructive attack, by having organizations getting ready in like Ukraine have been ready for years, like trying to improve its cybersecurity resiliency, because there are blackouts a few years back, I think, is 2016 2017, where they got hit. Actually, I don’t remember what type of attack was it, maybe there was one somewhere, but you get the hit, they got hit, and basically didn’t have any electricity for days. So, I think it’s very important to just understand that by simply being ready for it, and having the right process in place and understand what’s the action to be undertaken. Once we get hit, we can just quickly recover from it, it’s not going to you we no one is going to recover within like two hours. But the impact could be highly limited. And I think that’s just key. And like, again, we don’t do cyber safety for fun is like that’s why I said to my mom and like to my friends and like even to cyber security professionals, we don’t do cybersecurity for fun. We do cybersecurity to enable the business to operate properly, or to have any state to operate properly. So, I think that we just have to understand that we do cyber security to protect anything to work accordingly to the plan. And that’s it. And I think we realize that is how can we make sure that even and when that organization that will try to protect is hit by anything? How can we ensure that we’re going to move on quickly to have the right processes in place to quickly remediate cyber incidents?

Patrick Spencer 28:37 

And we hear a lot about the axis of rogue nation states or however you want to describe them, North Korea, Iran, China and Russia. So, I assume the threats posed by those four nations certainly is not going to go down in 2023. But I found something interesting in the 2023 projections report that I’d like you to comment on. And you can comment on the axis of four, if you want, but the first item in the report said there’ll be more attacks by non-organized attackers and non-nation state attackers. So, you see the trend going back in the other direction where it’s going to be cyber gangs or rogue individuals who are going to be instigating these attacks or what does that mean, in the report, I found that a fascinating projection.

Sylvain Hirsch 29:27 

I think the big four as they were recently called like Iran, Russia and North Korea and China are still going to conduct even like destructive attacks like for Russia mainly. And like China is going to continue doing some cyber espionage to gain some intelligence property from organization, but also to do to gain some intelligence and also to again, maybe to disrupt a bit some election there’s a lot of election coming up in Asia for sample and we know that like China has been conducting surveys for years so we can still expect these big four to steal conducting disruptive and like intelligence or like information gathering type of attack. I find it very interesting to see the new trend coming up because we usually do, we’ve got kind of two main type of attack to group is like an APT, Advanced Persistent Threat actor group, which is often linked to a nation, or we’ve got financial motivated for that. But yeah, we see currently, some gang we can call it like some cyber criminals, that are conducting cyber like activities, obviously, they could be a bit financially motivated. But it is proud to announce that the breached into a big organization, so they will then use a light and publish on the dark web or on their telegram group that they bring into the organization. That is That was super easy. And they just they just proud like. So, I think it’s very interesting to see this younger, basically unstructured threat actors conducting cyber incidents that could have a massive impact. And I think that’s very important to understand that. Like, the kids’ piano keyboard, like a smart kid’s piano keyboard, with enough time, and resource and knowledge can breach into many networks. And obviously we see like, some of them will be easily to like easily detect detectable because they don’t use good security operations kill. I’m just really interesting to understand how it is emergence of threat actor group, where are they going to go? Like, what are they going to do next? Are they just being happy to bring this to a network? Or are they going to become the next financial motivated threat actor group.

Patrick Spencer 32:01 

Reputation not financial gain is motivating this next generation of cyber hackers? It sounds like.

Sylvain Hirsch 32:09 

It sounds like that, to be honest, I haven’t faced recently any like type of type of attack. But like, yeah, we’ve seen more than that, thanks to our great intelligence team that provided some great data yet. That’s why That’s why we’ve been that well. We’ve seen I’m not going to the Dark Web every day. But we’ve got researcher, we’ve got guys on the dark web every day, that are basically monitoring specific chats, threat actor blogs. And they’ve been seeing that they’ve been seeing that increase. And they see that every day. So, it’s really interesting also to discuss with them to understand what’s next. And that’s where, I mean, you just came back to knowing what’s next helps a defender to better prevent and detect cyber incident. That’s why I always speak about intelligence driven incident response. But it’s just like, intelligence driven cyber operation, because it’s not only intelligence, enable us to prevent, to detect to response and remediate cyber incident properly. So, we have good intelligence on the threat actors with good collaboration between public and private sectors, and to have this intelligence sharing, we can just all together, prevent and limit the impact on the society.

Patrick Spencer 33:27 

Speaking about the impact on society, for the last few years, both of us have read the articles and seeing the news reports around industrial control systems, Supervisory systems SCADA, and that they’re a prime target for particularly the rogue nation states, maybe even for these who are seeking, you know, a reputation bringing down a big water plant, bringing down a power plant and so forth. Do you see an influx in terms of attacks on these systems because more and more of them are being exposed to the internet? Previously, technically, they weren’t exposed and we know that they found ways to go in through the electrical grid so forth, even hack some of those systems in the past. But, you know, where are we in regards to attacks on these systems? But then how does that equate to the preparedness we have from incidents Incident Response standpoint when protecting them?

Sylvain Hirsch 34:21 

So, I think from like an incident response perspective, it doesn’t change much because most of the time to be able to access this OT system, you need to first breach an IT system. So basically, these OT systems are the crown jewel of this organization. So, if I compare like a water plant and a bank, the crown jewel of a bank is probably its trading systems is like online banking platform. So that’s a crown jewel, but that’s still within the IT environment was formed by water plant, the crown jewel is all these OT environments that will provide the ability to conduct all the operations to distribute water through a city or country. So, I will say, obviously, these specific measure to tank in order to, I mean, to create like a strong boundary to create like a strong security between the IT and OT environment. So, it doesn’t really change the entire process is like, if you secured properly your IT environment and you put some, like some relevant security system, at the perimeter of the OT environment, you limit the impact, but then it’s always it’s always come to a point is, how are we like the ability to detect an incident proactively, don’t wait until you got an impact on your OT, to be able to detect it try to detect when the threat actor is within your IT environment. Also, we just have to understand that security services not can’t be solved by buying a great tool, the great tool has to be properly implemented. And people has to know how to use the tool people are still understand how this is integrated within the system, etc. So, I will say back to the OT question. I mean, it doesn’t really change the game, I think are a bit of complexity, because most retirement is OT system, you can’t really deploy like two basic cybersecurity control that you will be able to deploy on any servers on a workstation. But you got some mitigation to protect them properly. But then it’s like, we see like the energy crisis going on in Europe. And our next question is, for example, is Russia going to try to impact any electric like organization in Europe, to add a bit more pressure on all the states supporting Ukraine? So, these are these questions. And that’s something that I really found fascinating about cyber security. When I started to study cyber secure, like, probably 10 years ago, we saw cyber security, like a small field in in the IT department. I think right now we see it as a global issue where there’s more than just an IT like issue or just the business issues, we say like cyber security is not a not an IT problem to business in life problem. But I think it’s even broader than that. There’s all these geopolitical issues like, what are you going to do? If you know that Russia is like is conducting some cyber operation against your state? What are you going to do if China is conducting some cyber espionage against my critical system? And that can’t be answered by the cyber safety community only it has to be on set by a politician. And then it’s more like an issue of relationship or international relation between states, to we close our eyes to we pretend we haven’t seen, like China, collecting some espionage. And these Yeah, all that point about, like doing some partnerships with, with some organization that we don’t really know how they how they work up just I was in Switzerland. I’m Swiss, originally. And right now, Switzerland signed a partnership with Alibaba cloud. And I’m, personally, I’m a bit concerned, because if you understand the complexity of this environment, and the ability that China could have to basically monitor or maybe have access to that cloud environment, we don’t know. I don’t know. But I mean, is it a wise decision? People take decision without having the like, the broad picture. So, we don’t have all the answers. But I think it’s very important to understand that cyber security came from like a small IT department and nowadays, this massive, like, global issue where it has to be sold by like public company, both public sector and also the politician has to like sometime, we’ll have to follow up on that and to take decisions that organization can’t take.

Patrick Spencer 39:08 

Yeah, that’s very, very true. Speaking of, you know, being an international problem, we’ve seen a rise in compliance regulations and standards over the past, you know, five or six years GDPR, the California Consumer Protection Act, I think there’s another couple states in the US where those are going to go into effect. We’ve PIPEDA up in Canada, and so forth. Those are being implemented to help ensure that organizations have best practices and standards in place so that the likelihood of malicious breaches taking place are mitigated, but some of those actually extend into incident response as well. You not only need to be prepared and trying to prevent a malicious breach from taking place, but you also need to be ready to respond to one can you speak to how those compliance regulations really affect both sides of the spectrum.

Sylvain Hirsch 40:00 

the spectrum. So, I think, I mean, we’ve seen so many regulations. And I think that’s sometimes the biggest challenge for an organization like, for example, from highly regulated industry like banking. Because they have to, they have to deal with the CMS in Switzerland, we’ve liked the MIS and Singapore, like we’ve all the regulation, I think there is a large complexity over there, I think the main two objectives of all these regulations is first, to improve and increase the cybersecurity of the organization’s overall, but also to force organization to publicly announce or at least announce to the regulators when they could breach. So, I think I think there’s some large advantages to all these regulation in place because it follows organization to implement and spend some money. And to understand the complexity of it. I think it’s important to be careful not to be compliance driven to try and to check on the compliance or other regulation to say, okay, cool, I’ve got a firewall, like it was my technology properly implemented. So, I think it’s like very important to follow regulation and standards, but also just to ensure that we’re not doing that to be compliant. But we are doing that in order to improve our cybersecurity posture and cybersecurity resiliency. So, I just want to ensure that the organization will do that to become more cyber resilient in terms of just comply to any regulation. And I think these like some good stoner like, like the Cesar is doing some work, great work ever, like these new company like shields up, or they just publicly announced and released a great work about, like critical, disease critical infrastructure securities like system to put in place. So, on top of being compliance, like organization could rely on some great work done by like, for example, the CISO in terms of how can we implement some security control, and these like some, some good stuff happening where like, that’s the minimum standards, that organization should, should have to also where they understand the level of efforts. We’d like to take in consideration the level of effort and the cost of implementation like that people could just quickly prioritize these on quickly. And I mean, like, I’ve seen, like, so many organizations without multifactor authentication. I mean, today, if you can access your organization with a simple, like credential, like email address and password to access your entire organization remotely, I mean, that’s a massive mistake. We’ve seen so many organizations getting breached by not adding MFA in place, obviously, if you still have MFA, and like you multifactor is like an SMS. This is like obsolete right now. But I will still provide the ability to the organization to make it more complex for the threat actors to breach into the network, build first strong foundation, and then improve from there move from there. Don’t try to like for everything and like within one year to like improve globally, your cybersecurity is like no is not going to work is like we see organization like trying to do zero trust is like zero trust a new trend. And like people say, oh, which product can I buy? Zero trust is not a technology. Zero trust is a concept. So, most organizations already have in place elements to do zero trust, like to have a strong identity and access management. And like that kind of stuff. How can we build a zero trust, don’t try to be zero trust within the next six or 12 months? Because you want to get a promotion, build like a three years program, where you build first strong identity and access management. And then you check exactly what’s your device? What’s the data, and like you put them all together, and then you can build from it.

Patrick Spencer 44:18 

And I have one last question for you. You brought up zero trust and the network, and the fact that it’s a concept. And it’s proliferated partially because of Palo Alto Networks and the fact that it came from them. It’s about the firewall. It’s about the network, but organizations pretty good like with the executive order 14 Oh 28 That came out from the White House. Last year, I guess it was that we had a couple of subsequent memorandums come out associated with it. There’s the realization that’s much broader in scope, and it’s extending into the arena of content, right. bad actors typically try to breach the network because they’re trying to access private, critical content that is actually meaningful and they can hold for ransom they can sell on the dark web and other malicious activities. How do you see, you know, zero trust extending to content as a concept that, you know, who accesses content, when where with what device and so forth? Will have least privileged access apply to it from a zero-trust standpoint?

Sylvain Hirsch 45:20 

I think you almost you almost answer your question while asking the question. I mean, I think first is like, it’s really like, understanding what your assets and what I mean, asset is not only like data, but it’s like, as I said, like identity device network data. And obviously, there’s all the power of like, do you have the right visibility within your network? Can you monitor that? And, and after that, once you understand all your assets and data, it’s like zero trust is just about verifying constantly in saying, okay, that user want to access that data. Let me verify his identity first. But then he’s like, I’m just going to provide them the least privilege. So, to only access that, if that’s, like user want to access something else, it will probably have children state, again, are a sudden, like, within like, again, and sometimes the contribution has to happen, like every 510 minutes. So, I will say like, it just about limiting access and provide up and providing minimum privilege. And as you say, it can be confusing because it just came from like Palo Alto Networks. So, people say, oh, cool, I’m going to buy that great product. But again, it and especially about zero trust, everyone is trying to move with their thing. That’s, that’s a good trend. To take your time, like, don’t wait 10 years. But I will say build strong foundation, before moving there. Because if you don’t build a strong foundation, if you don’t understand the type of data or do an entity first, I mean, you’re going to build something that’s not going to be able to work. So, I mean, zero trust is a complex topic and I love that topic. And I will say like also in that journey, maybe ask for the help of, experts in that field. How can we build that because if you never build a zero-trust network before, how it’s always hard to build it the first time? So, some good company helping to build that and some great experts who hire grid experts or work with a consultancy company. It’s all about foundation, we understand the complexity of it. But also, why don’t rely on a single protection. We will speak about defensive depth. And I’ve been reading about like for years about that. And like last year, we saw that almost 40% of the initial vectors for cyber-attack were was an exploit. I mean, you won’t be able to detect that. But you are will you be able to detect these, like previous exhalation the next step on the threat actors like, hackers trying to move laterally. So even if you don’t manage to identify a specific step from the threat actors, just try to catch him at the next phase. That’s why we’re centering a purple team exercise, which is by the way, purple team exercise, that’s my favorite type of exercise. Because when you go strong and mature organization, the best way to be able to improve it is to have a red team trying to breach into your network. But also, we provide the ability to have the blue team understand and like being able to detect. And if there’s one step missing, if we’re not able to detect these, like, do we have the logs, too, we have the right tool for that, too. We have the right logic beyond that. And if not, you can build from there. And as I always say to client, there are some stuffs that are like hardly detectable. But don’t focus too much on that. Because even if that step is like very hard to be detected, these few steps before and after. So just focus on that focus on where you can other large in parties. If I might just add one more thing there’s so many TTP’s is like so many tactics, techniques and procedures used by threat actors to conduct cyber incidents. But focus on the TTP doesn’t matter. They are TTPs that are heavily used by threat actors to conduct cyber incident. So, focus on these TTP’s and ensure that you’ll be able to detect them. Because if you are able to detect TTP’s you are able to detect I don’t know let’s, say like 80% or 90%. Don’t try to focus on detecting a TTP which is used. I mean, we just was just like once, like last year, while like once last year, there’s no point but don’t get me wrong. There’s no point but like focus on what’s next. Yeah, that’s it.

Patrick Spencer 50:01 

This wraps up another Kitecast episode.

Viewers, we appreciate your time. If you’re interested in watching other Kitecast episodes, go to Thanks so much. I appreciate your time today; it is a great conversation.