Get IT Started Podcast

Evan Peña, Global Proactive Services Function Lead for Mandiant, a Google Cloud Company and Den Jones

Hello and welcome to Get It Started Get It Done, the Banyan security podcast covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer Den Jones speaks with Evan Peña, Managing Director at Mandiant with years of experience in cybersecurity and leading covert red team operations. We hope you enjoy Den’s discussion with Evan Peña.

Speaker 1 (00:01):
Hello and welcome to Get IT Started. Get IT Done, the Banyan Security Podcast, covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer, Den Jones, speaks with Evan Peña, Managing Director at Mandiant with years of experience in cybersecurity and leading covert Red Team operations. We hope you enjoy Den’s discussion with Evan Peña.

Den Jones (00:28):
Hey, everybody, welcome to another fantastic episode of Get IT Started. Get IT Done, Banyan’s adventure into podcasting. Uh, if we’re not selling software, I guess this is our fallback. Uh, so just lucky for us, our software is pretty decent, I guess. Uh, so every episode I bring in some fun guests to talk about all things related to security strategy, um, wor- worldly learnings and other bullshit, nonsense and things like that.

So this week we’ve got one of my good friends, uh, but I’m gonna allow him to introduce himself. So Evan, why don’t, why don’t you take it away and just share with everybody who you are, what you do, uh, and what’s fun about you.

Evan Pena (01:15):
Well, thanks Den. Uh, yeah, so like Den mentioned, uh, Den and I have been longtime friends for a while. I am a, uh, managing director at Mandiant right now. We recently got acquired by Google last year, 2022. November 1st was our official start date at Google, of which now I think our title’s changed. I’m a practice leader for the Global Red Team, uh, at Mandiant.

So my primary focus is running the, the Red Team for, for Mandiant and now Google Cloud. So that’s gonna be like offensive operations, essentially ethical hacking for companies. And, uh, before that I was doing a lot of incident response at Mandiant, so kind of have two, two hats there where I did incident response for a while now, uh, largely invested in the, in the Red Team side.

So it’s been fun, very interesting, very interesting world for me. Um, yeah, that’s a little bit about my professional career. Uh, I don’t know, Den if you want me to get into anything personal or not, but that’s, that’s fine.

Den Jones (02:13):
Oh, well, you know, we’ll get in, we’ll, we’ll get into your personal stuff as we go through the conversation. You don’t want to reveal all the secrets too early on, I guess, right? So, so, um, yeah, you and I, (laughs), you and I met some time ago. Um, I’m, I’m going to not share circumstances, but I, I will share at some point we, we’ve also done a Red Team engagement and, um, during that time, you know, you and I got to hang out a little bit more, grab some drinks together, shoot the shit.

And, and you know, one of the things that always impressed me was, you know, like y- you have, you have this not just ability to run teams and lead people and think of the strategic thing, thing side of the house, but you’re also deep technical in the weeds and, and you’re chasing the fires and, and you’re right, you’re right there.

Um, and, and that for me always fascinated me because you get to see things and attacks and breaches and incidents. That for me, I was just like, “We, we read it in the news, right?” Normally we’ll read it in the news. And you’re like there months and months before in the trenches trying to help dig this poor victim out of their shit.

Um, so, so kind of with that in mind, of the last 12 months, what would you say has been some of the bigger themes that you’ve seen as you’ve seen companies be attacked, and whether it’s nation states or other a- attackers, what are those themes that you think we all need to be aware of and paying attention to?

Evan Pena (03:51):
Yeah, I would say, uh, that’s a great question. I get asked that pretty commonly. And I think some of the biggest things to note are what’s the, the most, the most prevalent initial vectors that attackers are using to get into networks today. And what that means is an attacker from the internet, how are they compromising companies and, and what is the most common ways?

So like your top three to five, uh, number one is gonna be exploits. So you see a lot of zero day exploits out there right now. And just to kind of explain what a zero day means, it means that, that it was that same day, so zero day that it came out. So there’s no patch for it, there’s no solution for it.

You have to, the vendor has to understand what that zero day exploit was, what they were vulnerable to, and then issue a patch afterwards. Um, so it’s difficult to protect against zero day exploits because there’s no patch for it. You know, it’s usually gonna be attackers that are researchers reverse engineering software to identify any sort of vulnerability or misconfiguration in the software itself that would allow them to exploit an externally facing system that then gives them initial access into an environment.

One that just came out like a week or two ago was in, uh, Barracuda’s Email Security Gateway. Uh, that just came out like, not even like, I think it was like May 19th when they identified this. They already issued a patch that was released, I think like a couple days shortly after that. But it, you know, we observed being abused in the world and attackers being able to get remote code execution on these gateways that would then, uh, give ’em access to their, to anyone who has that specific platform’s security, uh, or internal network.

So like, that’s a pretty big deal, um, depending on where the placement of that Barracuda Gateway is, right? If it’s on your internal network, is it in a DMZ, you know, wherever it was, the impact of that could be great, or it could be minor, just depending. Um, so that was a very big one that came out very recently, but there has been a ton of zero day exploits that have been coming out within the past couple years that we’ve observed this, again, the number one initial vector back in 2022 and in 2021 that attackers are getting access to internal networks.

The second one is phishing. I think the diligence of people protecting themselves against phishing has increased over time. Uh, it used to actually be number one for a while, but now it’s number two. But still, nonetheless, one of the number one ways attackers are getting in, I think in our, it was in our 2022 M-Trends report, uh, 22% of our investigations were, uh, had an initial vector of phishing, and 32% was external exploits.

Then number three, initial vector that we’re seeing attackers use are stolen credentials. So, for example, they either, uh, reuse credentials that, that were, you know, somehow find in some sort of data leakage, uh, or on the dark web or some sort of like, you know, public place, like in GitHub people put- putting credentials there.

But again, password reuse is very common. You know, a lot of people want to be lazy. They don’t want to use something like 1Password or some sort of password manager, CyberArk, things like that.

And, uh, you know, they’re able to, you know, find passwords and use them externally and whether it be through an Office 365 portal, a Citrix Gateway, VPN that’s not protected, right, with two-factor authentication, which actually still happens and sometimes people don’t know about it. Like there’s some sort of, you know, VPN concentrator that was out there somewhere and they, they just forgot about it. (laughs). And it still gives ’em access to some portion of their network. Um, but credentials can be used elsewhere. And then one other one that I really wanna highlight is supply chain compromise. You know, everyone knows about this SolarWinds that we were, you know, being a huge part of right at Mandiant, uh, where you can’t, it’s kind of like a zero day where you can’t really protect yourself against that, right?

Like it’s, you, you purchase a piece of software from a trusted vendor, you put that on your network and if that is compromised, you won’t know it because it’s legitimate. It’s got that stamp of approval saying, this is a legitimate software from a legitimate vendor. You don’t know if they’re compromised or not, but if they are, then you just introduced a, a vulnerability or a, a, an ant- entryway right into your network for an attacker.

And the way, what I preach to everyone is this is probably gonna happen. It’s gonna happen inevitably most of the time. And I think the biggest thing is just trying to reduce the impact of that. So if, if, if an attacker gets access to your internal network via e- that, that exploit, supply chain attack, whatever the case may be, you may have 30,000 employees and it’s difficult to protect yourself, you can’t watch over every single one of ’em, not to click on a phishing email, right?

Just if that were to happen, if an attacker were to gain access to your internal network, just, you know, make it difficult for them to get further, you know?

And I think that’s one of the biggest things that I advocate for in this, in this specific space.

Den Jones (08:43):
Yeah, it, it, it’s funny. I, um, I wrote a blog post a while ago, I mean, based on some of the experiences and even some of the stuff that you and I worked on together before was like, if you could turn your office network into a guest network like Starbucks, and all you can do is you get on the network and you can get to the internet, but you can’t, you can’t see all your peers ’cause you don’t need to see all your peers generally speaking in an office network.

Now, the data center network, you might argue to say, well wait a minute, some of these servers and databases need to chitchat to each other. But, but an office network, if I take all the apps and services my employees need and I publish them to the internet, like my zero trust model like we had done at Adobe, then I could take that office network, I can make that a guest network.

And then if my device is compromised, the ability for the bad actor to move laterally is really reduced. I mean, we really hit that on the head. Um, I used to always say to Brad, my old boss, I’m like, “I can almost eliminate lateral movement.” And he said, “What do you mean?” (laughs). And I went, “I don’t have big enough balls to say that I’ll absolutely remove it.” (laughs).

So I’m just kinda going there like I, I need a disclaimer, right? Um, but I, I, I think it, it’s interesting when you, you talk about these themes, the supply chain one, I had a debate with someone, I’d love your take on this ’cause, ’cause there’s an element of me just being a piss artist, but there’s an element of maybe truth.

Supply chain at the end of the day, they’re still a vendor, they’re still a company, they’re still a corporate. So if, if they can protect their employees from phishing and clicking silly links and they can protect their boundary and they can do some good source code, you know, checks and balances, and as they build their product, then ideally they’re not going to, they’re gonna reduce their risk of them becoming a, a bad supplier to me with compromised software or a compromised platform.

So I kind of look at it like, like when we work in Banyan, we don’t want to be compromised because we are the supply chain of someone else and we also have suppliers and we want them to behave in a certain way as well. So when I think of supply chain, I still sit there and think of zero days, clicking bad links, phishing, you know, poor, poor hygiene on passwords and identities.

Like, I think of those common things and say if the supplier does these things well, they can reduce their risk so that they’re not the supply chain problem. And, and I think a lot of companies, especially smaller ones, they, everyone just still thinks it wouldn’t happen to them. You know, they, you know, a lot of people have got the kind of head in the sand, like, it won’t happen to me, I’ll be fine.

And, and you know, it’s an sh- cyber I think, or security, I just see a lot of people think of it like an insurance policy. Like you don’t wanna spend the money on the thing, but you kinda have to. Um, compliance maybe keeps us in check more than anything else, right? So as, as, as we go forward now, I appreciate your insights there and, and the M-Trends report, I think it’s an invaluable bit of reading for any executive or practitioner in the industry. How do people get their hands on that?

Evan Pena (12:28):
Yeah, it’s available for free, um, on our website. You know, you, you can even just google like M-Trends 2023 report, which is the observations for the 2022 full year. Um, and it’s, it’s available on the, I think you have to put in some info like your email and a name, and then you get a, you get a free download PDF.

Den Jones (12:47):
Yes. Something that enables the marketing team to hound you for the next 10 years. Right?

(laughs). Yeah. Um, now AI. I’d love, I’d love your take or what are you guys hearing about AI and how scary from a, a, a security perspective to see AI becoming?

Evan Pena (13:11):
Yeah, so I’ve seen two different, two different portions of the threat landscape here for AI. One’s gonna be users using AI in your environment when they shouldn’t. So talking about supply chain, it’s gonna be very common that software dev is gonna try to use AI to help ’em create functions or classes for their code.

And that’s sometimes okay, depending on how much information they provide the AI, whether that be credentials sometimes to be put into like a connection string or something like that. Or whether that be a hospital that has doctors or nurses putting in PHI information that then gets stored somewhere that they don’t know or understand, you know?

So that, I think that’s also really important. We, I’ve had CISOs at healthcare providers reach out to me asking what are best practices that we’re providing? They, they even went as far as should we block something like ChatGPT on our web proxy, should we block the DNS or prevent users from being able to access it and putting in that kind of information, uh, should we put in data protection to prevent, you know, that kind of information from being passed over the wire? Stuff like that.

Like different sort of solutions that they’re trying to, to incorporate to protect themselves and their data. Yet, um… So like that’s essentially one challenge I’m seeing CISOs face very commonly. The other side is attackers using ChatGPT pretty efficiently for e- essentially weaponizing their, their attacks.

Uh, social engineering being a very big one, you’re gonna start seeing e- uh, phishing emails being a lot better crafted. I mean, think back where, where you would see phishing emails that are, are just garbage. You know, like these are foreign nationals, uh, generally gonna be like nation state threat actors that are trying to write emails in a second language, which is understandable. Like that’s me trying, like imagine me trying to write an email in, in Chinese for example. I guarantee you it’s not gonna be like what a native speaker would be writing, even if I use a translator.

Well, with, with the power of AI, you can actually write a fairly crafted, uh, phishing email and or email in general. So it helps people, you know, work internationally, but at the same time it helps attackers craft very convincing emails at the same time. So I think that’s definitely one thing that we already are observing in the wild.

Um, another one is gonna be, uh, essentially people doing multi-vector kind of phishing. So it’s not just gonna be specific to, uh, email. We’re also seeing like audio and video, generative AI creating, you know, content for media reports or, you know, uh, certain, uh, video that you can kind of create that kind of just helps supplement your phishing campaign there. I think that’s also really important.

And obviously malware development’s another one you, like I mentioned for software developers. Software developers have a huge benefit of using AI to just kind of speed up their development time. Same thing with malware development.

You can, I, I actually did it the other day just for fun. I created a function. I said, “Hey, I think it was for either…” I think it was Bard. Bard is our Google internal AI, very similar to ChatGPT and, and Google has created Bard, it’s very well done. And I, I said, “Hey, I want you to create a shellcode runner, which, so where it would ingest this, inject this specific shellcode into a process in memory.” And it actually crea- and, and I wanted to do it in, in uh, C-Sharp.

It came back and gave me a full function to do that, where the parameters would just take in the arbitrary shellcode that I would pass it in the string and then it would, it would actually inject it using CreateRemoteThread, which is something I don’t use as much these days for shellcode injection. Uh, you can use something else like, not that I would use CreateThread, but like QueueUserAPC or something like that. It’s, it is a little bit better of a way in terms of stealth, but CreateRemoteThread is the most common one that we see attackers use.

And ChatGPT created a functional function that did it for us. So malware development’s gonna be a pretty quick one, um, that I see a lot as well. And even reverse engineering. You can provide, there’s even published plugins for IDA where it uses AI to reverse engineer specific, you know, binaries, uh, in a, in a c- in a, in an easy way.

Why is that important? Most times when people think of reverse engineering, they’re thinking, I’m gonna reverse engineer malware so I can create detections and start looking for evidence of compromise in an environment. Attackers use reverse engineering all the time to identify those zero day exploits or vulnerabilities in, in software.

Do they have to reverse engineer to see where can I abuse this software to actually exploit it? So it’s not just for like malware reverse engineering, reverse engineering is a trade and, and a specific skillset that you use for even attackers, you know, where they wanna create exploits for vulnerabilities that they identify in software.

Um, so if you haven’t used it for reverse engineering, it’s actually pretty cool. Um, and again, IDA has plugins. (laughs). IDA has plugins for this as well. So it’s, uh, it’s pretty cool. So long story short, um, to kind of answer your question, Den, even though I, I provided some examples. I see AI changing the game when it comes to speeding up the way attacks happen and, and crafting malware, phishing campaigns and several different parts of the attack lifecycle, including methodology.

If I have a newer Red Teamer, which is the same thing if I was a nation state threat actor and I had a team of well-funded people because I’m stealing money all the time and I have this new guy out of college who has like a software dev background or maybe he has an IT background very similar to someone on my Red Team for example, and he’s still not quite good with the methodology yet, you can use AI to help you, especially if we put in our knowledge base into that AI.

So if he’s like, “Hey, I just got access to this system from a phishing campaign, I don’t know what to do next. This is my level of privilege, what do I do?” And then the AI shoots out, this is the command that you run to escalate privileges to the system, or this is the command that you run to persist on that system. Or hey, you wanna move laterally if you’re not in Den’s network, of course, do you wanna move laterally? This is the command that you use to like use WMI or RDP or SMBexec or whatever flavor of lateral movement you wanna use to the next system.

Um, that I definitely see it def- increasing the efficiencies of attacks. Uh, at the same time for defense probably as well. But in terms of what we’re observing on the attacker side, it’s, it’s speeding up, speeding up the game a little bit.

Den Jones (19:43):
Yeah, it’s, it, it, it is crazy for me ’cause I think of the speed of the attacks. I think of the personalizations of the attacks. Like if you could do a, a phishing campaign with a million people, and it’s the same email, but to a million people, I think in the future you’re gonna get a million emails each personalized to a million people. So it’s, it’s, uh, the email I get would not be like, oh, your subscription’s about to expire. It, it it’ll be way more personalized and maybe have more detail information about me or my habits.

And I, I, I, I think anything that makes the, the audience get sucked in quicker and more convincingly. So I, I can’t remember you, and you might know this off your head, but I think the, a phishing campaign has like a 1% success rate off the bat.

I can’t remember if it is 1%, but, but I think it’s like 1%. So like you’ll buy a campaign on the dark web, you’ll pretty much fire it off and for very little money, like investment, you’re going to start to see this return on that investment with a 1% click rate on a million people.

I, I can imagine that number in the future being like 20, 30, 40, 50% because like you say, the emails are gonna be more convincing, the quality of the graphics will be better, the personalization will be better. And, and I think the hard thing for defenders is especially when you look at like Google, Microsoft, Apple, the, the players that this stuff is using their platforms as the transport, I’m hoping in the future that they’re just gonna get a lot better, uh, detecting and weeding this shit out in real time. I mean-

Evan Pena (21:44):
Oh yeah.

Den Jones (21:44):
… some of them, they’re not bad. They’re not bad right now, but, and they’ve got better than they were five years ago, but I think they’re gonna have to step up their game like tremendously.

Evan Pena (21:54):
I, I agree. And, and I know they’re already working on doing that. Uh, you know, they, I know that Google and Mandiant are putting a lot of AI into our detection technology and now CrowdStrike and others are doing the same. But it’s, it’s, uh, I it’s always funny because I don’t, and I, I’m maybe biased because I’m more on the attacker side than I am the defender side, but I always feel like it’s, it’s a lot faster. Like, we run a little faster and, and then the blue team’s trying to keep up. But at the same time, we only have to be right once, you know, we’re right once, we get in, we get our job done and we get out. Um, but it’s, it’s gonna be challenging Den. And, and that whole like social engineering aspect of it, you know, the e- the phishing emails that we mentioned. The, the audio and video generative AI is, is quite incredible as well.

Like for example, right now, if you wanna validate your multifactor authentication, a lot of people are moving to like, oh, if I call at the help desk and I said, “Hey, I lost my token,” you know, I I flushed it down the toilet or something like that, whatever. Like it’s, it’s gone. And I need a, uh, temporary token. They’ll oftentimes now video conference you in and say like, let me just make sure it’s you and then we will give you like a temporary token or something like that for multifactor authentication.

We’ve seen generative AI being able to take clips of somebody and even text to speech and be able to craft a specific sentence with that person’s voice and or even video to like try to, to get them. And so there’s enough content out there of you, Den, we’re gonna, you know, with all the podcasts, there’s enough-

Den Jones (23:28):
[inaudible 00:23:29].

Evan Pena (23:29):
… for an AI to actually create a specific conversation that you want them to that’s coming from you. It’s, it’s, it’s crazy. It’s crazy.

Den Jones (23:36):
It is. Yeah.

Evan Pena (23:37):
We’ve seen [inaudible 00:23:38] do that.

Den Jones (23:39):
It’s, it, it’s crazy. I, I don’t know if there’s enough swear words online yet for them to truly mimic me, you know, they need to be able to like, have shit, bullshit and other expressions that I use a lot. So, you know, they’ll, they’ll, they’ll get there though. We’re, we’re working on making sure there’s enough cuss words online that I’ve said.

Um, yeah, it’s, it’s, yeah. It’s a little alarming. And it is funny you say this like, you guys as a Red Team only need to get it right once and poor defenders. It’s like, yeah, if you screw up once, you get it wrong once. And, and I describe it to people, like as practitioners, we’re playing Russian roulette. You’ve got 40,000 people in your organization, they’re clicking links, they’re clicking links every bloody day.

So the reality is there’s no amount of training you can give them that’s going to result in people not clicking links. And the more sophisticated the, the campaigns get, the better the crafty, the social engineering is, then the, the harder it is for those humans to decipher the links.

And I, I used to also say the same thing about things like, um, data, data tagging and data classification. And like, there’s 40,000 people in an organization or 100,000 people like Adobe and Cisco, right? Big companies. I don’t think any of those people knew the classification of the data.

So the reality is educating people to give a crap about your corporate environment is harder and harder and harder, especially with all the other things that, like the other real work they’ve gotta worry about. Now talking about work, um, or let’s not talk about work for a little minute. Actually, I’m gonna, I’m gonna end up on the, the professional stuff with one, one thing. What advice would you give a CISO who’s, who’s focused on their security program, if they were gonna put all their eggs in an investment basket right now, like this year, what do you think they should think about?

Evan Pena (25:53):
That’s a very good question, Den. Uh, so, so what I would suggest and, and what I think they should invest money into is, number one, we’ve, we’ve harped on this several times throughout this one podcast, is the inevitable is likely that you’re gonna get breached as sad as that may sound.

So what I, I would focus my time and money on is the post breach, you know, sort of attacks that could happen. That lateral movement, that privilege escalation that could happen. So many CISOs put so much money into technology when it’s three things, right? It’s people, process and technology. They throw millions of dollars at te- technology and sometimes they don’t even know what comes out of the box.

They don’t fine tune it, they don’t tweak it, they may not know, they just trust that it works just perfectly. So what I would encourage CISOs to do is as a few things that one is being proactive. You know, like I not, not to be such a big advocate for my own stuff, right? But in terms of Red Team, but performing these Red Teams and, and Purple Teams and, and pen testing to see how effective you actually are.

Is your infrastructure hardened? Is your are, is your infrastructure or your network architecture actually hardened as well? If someone were to breach you, would they be able to get domain admin? Can you actually answer the question unless you go through it? Yes or no? If you’ve never actually gone through it, you don’t actually know the answer.

And, and it’s not with a company that’s like a scan and, and, and report company, like truly like a boutique style, hands on keyboard, kind of like, you know, we’ve, we’ve seen this experience before then where it’s, it’s truly understanding your network architecture and abusing it to see how it can be abused. I think that’s really important.

And then number two is gonna be not to play whack-a-mole. So for example, if, if we were to have gotten domain admin on your network just hypothetically because it wasn’t perfectly architected, well, and we give you some recommendations around, okay, um, we were able to get domain admin because you had a misconfigured Active Directory Certificate Services template and we were able to, from a standard user, uh, get domain admin privileges because we were able to issue a certificate on that on behalf of that, a domain admin user.

And so that specific system may be like, okay, go fix that one certificate and create the right permissions around it so that someone can’t abuse it. But how do you know that the CISO admin’s not gonna go create another certificate tomorrow that does the same exact thing? The problem is not just that one certificate, right? It’s the process you have in place to create those certificates.

So that kind of stepping, taking a step back and looking at the strategic problems that are identified from some, from these proactive security assessments are something that I think is really important and could prevent major problems from happening in the future.

So again, it’s not just playing whack-a-mole but also looking strategically and making sure that like, for example, deliverables that are given to you from your security practitioners or consultants are looking at that strategic level as well. So to answer your question in a shorter way, I think the biggest thing is one, to be proactive and two, it’s not just technology, it’s people and process and network architecture is key.

And, and Den, you are an expert in this space, you know, given the experience that we’ve had together, you’ve architected networks in a very secure way, in my opinion. And, uh, you look beyond just the technology, you, you know, you take the technology you have and architect it well to really hinder an attacker if they were to compromise the elector.

Like you said, you can almost say like 99% sure they won’t be able to move laterally. Why is that? Maybe you’re implementing the principle of least privilege. You have zero trust, you know, all these things that’s important to truly validate as well.

Den Jones (29:33):
Yeah, yeah. And it’s, it’s funny, right? I, you know, I would say I was blessed with a great team, a great organization of people, you know, when we were working together. Um, ’cause anyone who knows me, they know I don’t really do any work, right? So I, I do love, I mean I do love the whole thought though. I mean, what you’re really hitting at is there’s defense in depth.

So from a strategy perspective, you’ve gotta have this concept of defense in depth. But then ultimately it’s, it’s not about spending a trillion billion on technology, it’s about making some strategic investments in things that, you know, are the basics and fully executing on those. And then once you’ve got that stuff good enough, then you can think about doing some other stuff.

And I think I’ve seen a lot of CISOs and executives where they look at the SANS Top 10 and they’re like, “Okay, I need to go and do it,” dah, dah, dah, dah, dah. And they try and do all of these things all at the same time and they don’t do any of it right. They don’t, they spend money on technology that’s 5% deployed. They’ve not really taken advantage of the technology.

They’ve overwhelmed their staff, their staff are dying under the like bundles of technology investments you’ve made with half-arsed processes that don’t bloody make sense and they don’t connect together.

And, and for us it was like if we got our directory services environment good, if we got our SailPoint, our identity management platform, good, if we got our CyberArk environment good, if we got MFA plus device posture and all these things in place, and then we went down the path of let’s start to look at the network segmentation and really dig into like simplifying that, but yet take that office network and make that like a guest network.

Like all of these things, they’re all, they’re all journeys, but the reality is, is get the basics done, right? There’s too many people I talk to that they still haven’t finished doing MFA all over the, all over the company. At, at least, at least to all of the stuff you care about. There may be some shit you don’t care about. And that’s cool. But the reality is, is um, like if your domain admins, if your domain admins are not protected in your CyberArk platform doesn’t have MFA, (laughs), then you know, just hand the keys over, man.

I’m like, “Yeah, shit, you’ve already screwed it up, right?” (laughs).

Evan Pena (32:08):
Yeah. And that’s a perfect example, right? Like CyberArk, you know, a great technology, but it has to be configured properly to be secured, right? Same thing with multi-factor authentication.

Den Jones (32:18):

Evan Pena (32:18):
You can buy multi-factor authentication, but they don’t tell you you need to put it on these exact servers and this is the exact place that, you know, you should implement it. That, that takes, you know, again, security best practices, architecture, making sure you have good security architects, like a good team that understands where you should do it, and then again, actually testing the effectiveness of these technologies and your people and your process as well.

Den Jones (32:39):
Yeah. Yeah. And I do like, I do like, you know, a good Red Team exercise, a good tabletop exercise as well, you know, like you, you’ve got these proactive things. It’s like people say, you know, take a backup but test your backup. It’s like, yeah, yeah, that’s, that’s a good thing too.

But that for me falls in the same bucket of being proactive, like a tabletop like a Red Team, you know, like looking, you know, an annual risk assessment and you’re starting to look at like what is it you’re really fighting against and what do you need to protect? So thank you for that.

Outside of work. Um, I always think of you as one of my friends who’s kinda like James Bond, right? You get, you get to do all this spy like daytime job, but then the weekend, you know, from flying planes to, uh, riding boats and scaling mountains or some shit. I don’t, I don’t really know, but why, why don’t you share with us a couple of, a couple of the hobbies and then help, help, you know, maybe share a little bit about things you’ve learned during the journey of your adventures that you bring back that help you personally and professionally.

Evan Pena (33:54):
Oh yeah. Well, I have quite a bit of hobbies I guess. So, you know, I, I, I guess you touched on one, the flying planes. I, I, uh, I, during COVID there’s this flight school, like right by my house. And during COVID I was traveling all over the world, like for work, you know, pretty often. And whether that be for customers or whether that be even internally going to different offices to, to have meetings with various different teams. It was, it was a lot. And, uh, I enjoyed it.

It was kind of like an escape, you know, from my reality, uh, at home. And, uh, so when all that stopped, I was just putting up so much time into work. And that’s not a bad thing. It’s, it’s work is like my hobby at the same time as it is my professional career. And I think the best of us are those that truly enjoy the, the trade that, you know, that we do.

And, um, but I told myself I really needed to like, get outside, like everything was closed. The gyms were closed, even you couldn’t get ’em to get a haircut, you know, like it was just like you’re stuck at home for a while. And I, the, the, the flight school was still open, so I always thought it would be cool to go learn how to fly.

And honestly, I didn’t even do it to get my license. Like I, I just went to like take a day trip to go fly around and it was like a fun activity for the day, and something that was actually still open, but I got so hooked. And for those of you who aren’t familiar with like aviation, it’s, it’s extremely challenging just to, to get into, it’s not like, oh, let me go get a car and learn how to fly to Oregon, even a boat and just, you know, get my boater’s license or, or even not, and just be able to try it.

It’s, it’s so, there’s so much into learning and it’s a never ending learning game, whether it be aerodynamics, whether even, uh, mechanical and engine, you know, information. You have to multitask quite a bit, uh, whenever you’re flying. So I, I really developed a passion for that and I kept going on, I’m actually about to finish my commercial pilot’s license.

Den Jones (35:53):

Evan Pena (35:53):
And, and not that I’m changing my career, but I’m just doing it ’cause I wanna be able to fly better planes, um, than, than the smaller ones. So it’s, it’s just something that I got hooked onto. So I do it, then Den sees me all, I’m sure, often flying and he’s probably like, man, this guy is like James May, takes his plane and goes wherever he wants. And it’s a fun, it is a fun passion and hobby to be, to be honest with you. Um, I do enjoy water sports as well.

So like the boating thing is, you know, I like wake surfing, wake boarding and uh, just, I kind of like just fishing in, in the lake and that, that sort of thing. Kind of an outdoorsy guy. It’s a beautiful, uh, time of year. So, you know, you’ll find me outside as, as, as if I’m not at work, uh, or bury myself at work.

Um, and then I think this is probably the biggest growing sport in the country right now, and I don’t want to sound cliche, but I, when I was in college, I played racquetball for, for my university and we would go around traveling and competing and I, I played it since I was probably like in middle school.

So like I’ve been playing forever. Or like pickleball is like a huge thing right now, right? So like they created these pickleball courts at my gym recently. And so I just started playing for like a cardio. I like to stay active and, and, and just healthy and uh, just went to go play a couple times after and I got hooked on it like I guess everyone else does. So that’s another big-

Den Jones (37:16):

Evan Pena (37:16):
… thing of mine right now is I’ve been playing a lot of pickleball, but I guess staying active, staying healthy, finding a passion outside of just work was also help- helpful for me. Um, ironically enough, Den, some of my best friends including Marshall, uh, are, are people that I met through racquetball before even coming to Mandiant. And that’s how actually-

Den Jones (37:37):
Oh, wow.

Evan Pena (37:37):
… what led me to come to Mandiant. Uh, I played racquetball with Marshall and he was the one who convinced me to come to Mandiant. Before, I was a, a hacker for the DoD, specifically on the Marine Corps Red Team. And Marshall was a Marine before, some of the Marines had went, we went to go play racquetball, they invited Marshall.

Long story short, these connections that you make through these random hobbies sometimes are get, can be interconnected. Um, and that’s actually what landed me here at Mandiant like 11 years ago now, I guess, or it, it something, it was like quite a while before the FireEye acquisition, before the Google acquisition back in, I was living in D.C. at the time, um, so this is back in the old headquarters and, and before remote work and all that kind of stuff.

So it’s quite an experience and journey, but, and I have many other hobbies I guess I could, (laughs), say-

Den Jones (38:25):

Evan Pena (38:26):
… but those are like my main, my main three right now.

Den Jones (38:28):
And, and, and it’s funny because they’re three pretty diverse. I mean in the sense of, you know, boating, boating’s a bit more leisurely. You don’t need deep skill really to, to ride a boat and stuff. I mean, there’s a little bit of skill and tech, tech, tech involved, uh, but then, you know, flying a plane is deeply technical, a lot of immersive learning and, and also a higher risk.

I mean, it’s like, if, if one thing goes wrong in that plane while you’re in the sky, then you gotta be on it. You gotta react, you gotta be like pretty calm as well under stressful situations. And, and you know, and, and, and I think of your work, there’s a lot of parallels between that. Like, you get pulled to work into stressful situations and you gotta be levelheaded and, and I think a lot of that fr- from the flying and then, um, multitasking as well, right?

I mean it’s, there’s a lot of place you’re juggling and stuff in your professional life, so I kinda see that parallel as well. What, what, what’s, what’s the one thing you’ve, you’ve learned in all of your personal life that you think is best served in your professional life?

Evan Pena (39:49):
So this is gonna sound, again, I don’t want to, I don’t wanna be cliche, but like this is very true. It’s not to sell out, not to, to, to truly be genuine. I’ve gone through so many different transitions in my professional career, especially coming from a services company, it’s like I’m a consultant, I’m a practitioner at heart and my number one priority is gonna be my customer and what is in their best interest.

So for example, if we get bought by FireEye as a product company, Google product, company engineering, if we’re starting to get pushed down the road, that’s uncomfortable for me. Like for example, you know, I just need you to start selling product and become a salesperson and take away what’s in the client’s best interest. I want you to start selling something, not selling out to something you don’t believe in.

And, and, and honestly like I have gone through these experiences where I would say no. Like, hey, this isn’t what I believe in or, or this-

Den Jones (40:44):

Evan Pena (40:45):
… it only whenever it seems like a natural fit. And i- it was a little bit risky initially ’cause like maybe that’s going against what the overall OKRs are for the company, you know, which is a bigger thing than just, you know, my services organization.

Um, and then over time, you know, that paying off in dividends because in a, in a lot of ways my leadership supported me on this, which I thought I respected quite a bit. And then number two is we became the trusted advisors. Think of Mandiant as a brand. To a lot of our customers because we weren’t those, we weren’t just, you know, one of those that’s gonna be, you know, drinking the Kool-Aid and saying, yeah, you know, everything’s gonna be product now we wanna just, you know, automate what we do and, and, and just to improve our efficiencies and money.

‘Cause it wasn’t about that. It was about what’s truly in our client’s best interest, what’s gonna be for the best interest of them. And that’s what made them wait our brand. And, and sticking to that and being honest and genuine about it, I think was probably the number one key, you know, to, if that answers your question of, of what I’ve-

Den Jones (41:50):

Evan Pena (41:51):
… learned in my career, it’s not-

Den Jones (41:52):

Evan Pena (41:52):
… not just doing it for the wrong reasons.

Den Jones (41:55):
I mean, yeah, I totally, I mean it is, I, I think that’s one of the things for you and I, how we connected so well is like, you want to, I surround myself with people who I respect, people who I believe have a level of values, integrity, but a work ethic and a drive, intelligent people and, and fun people, right? For me it’s like I’m, I’m a kinda work hard, play hard kinda guy, right?

But, but I don’t, when I, when I’m hanging out in that, if I’m gonna spend my time with people, I want to be with people that I enjoy spending time with. And, but I also, you know, I f- I find myself in this situation, in my current role in Banyan where we are a product company and a services company.

We, we deliver something which I was a customer of. So I, I, I know the quality of the product we deliver, but I find myself dancing that fine line between am I part of the sales and marketing engine, which I kind of am or am I still a practitioner, which I kind of am, but my practitioner quality of practitioner time isn’t nearly as much as it used to be at Adobe and Cisco because I was running bigger organizations and the challenges were different.

Um, so yeah, like, like you, my brand, my reputation, my integrity is, is vitally important to me that I sustain that because I always see these as these are jobs that we’ll have in our career path. It’s not necessarily the last job we’ll have. So I’ve, I’ve gotta have a reputation that sustains beyond one company to the next.

And my morals and judgment don’t, don’t drop just suddenly because, you know, they’re gonna pay me more. Um, I mean, I like money. Money’s good and all, but, you know, I, I actually like my integrity a lot more. So, cool.

Hey, I know we’re, we’re up on time. This is Evan. It’s been brilliant catching up. It’s been long overdue. Um, I do prefer catching up in person where we’re probably grabbing drinks and we’re really shooting shit where we’re not being recorded. That, that, (laughs) that, that tends to be way more juicy and way more fun.

Um, so I do look forward to catching up again in person, uh, hopefully Black Hat DEFCON, if you’re making it. I’m definitely there for anyone in the audience that wants to catch up. Um, otherwise we’ll probably catch each other on a, a telephone soon. (laughs).

Evan Pena (44:43):
Yeah, well hopefully I’ll, I’ll make it up to Black Hat. It is my plan and I’d love to catch up with you there. Uh, it was really good seeing you at RSA as well. Always a pleasure.

Den Jones (44:53):

Evan Pena (44:53):
And uh, thanks-

Den Jones (44:54):

Evan Pena (44:54):
… for having me. I really appreciate the opportunity.

Den Jones (44:57):
Yeah. Hey, thanks for coming on the show, man. Really, really grateful. Appreciate it. Cheers, Evan. Thank you.

Evan Pena (45:03):
Cheers. Take care. Bye.

Speaker 1 (45:09):
Thanks for listening. To learn more about Banyan Security and find future episodes of the podcast, please visit us at Special thanks to UrbanPunks for providing the music for this episode. You can find their track, summer silk, and all their music at
