Modern Cyber with Jeremy Snyder - Episode

Scott McCrady of SolCyber

In this episode of Modern Cyber, Jeremy interviews Scott McCrady to explore the cybersecurity landscape in the US and Asia Pacific. They discuss the US's susceptibility to cyberattacks due to its market size and technological integration, compared to Asia's diverse and dispersed threat environment.

Podcast Transcript

Jeremy at FireTail (00:02.429)
Hello, welcome to another episode of the Modern Cyber Podcast brought to you by FireTail. I am, as always, your host, Jeremy Snyder. I am really excited to be coming to you today with an episode that is going to cover the evolution of a particular space of cybersecurity over time with somebody who's been in that space for quite a while. So I'm really keen to learn from his experiences and his kind of lessons learned along the way. Before we get to that, for those who are joining us for the second, third, fourth, fifth, whatever time,

Scott (00:19.95)
dog barks

Jeremy at FireTail (00:30.332)
Remember sharing is caring. Please do rate, review, subscribe, follow all those good things. If you can leave a positive rating and share it with friends, so much the better. Sharing is caring. My guest today is Scott McCrady. Scott is somebody who has been in the MSSP space for a long, long time, an engineer by training. Scott built an early SOC for EDS and then transitioned that to Riptech, which was then bought by Symantec and became the world's largest MSSP.

Scott built out the APJ practice while living in Sydney, then moved to DC to run the global business. Scott also spent time at FireEye and Mandiant and built their global MSSP business as well as building out the APJ (Asia Pacific and Japan) region, for those who haven't spent time in the region, while based in Singapore. I've also spent time in the APJ region. I'm really curious to get Scott's perspective on that side of the world. We're gonna get to that later in the conversation. But Scott, thanks so much for taking the time to join us today on Modern Cyber.

Scott (01:25.264)
Jeremy, thanks for having me. Really looking forward to the conversation. It's always nice to be able to talk with someone who's also spent time overseas. So looking forward to this.

Jeremy at FireTail (01:34.01)
Yeah, I think it's really interesting. You know, we think about business as being pretty global. The internet is global. Certainly software is basically global, but there are still regional differences and those regional differences can often be really, really important. So yeah, we'll get into that in just a little bit, but I want to start with kind of the core. You know, what is an MSSP? What is an MSSP today? Because I think it's a term or a category that's been around for a little while, and

I hear a lot about MDR as being kind of the next wave of managed cybersecurity, but how do you see it from your vantage point?

Scott (02:10.705)
Yeah, sure. I think when the MSSP industry started,

it made a lot of sense on the way the model was built. And the way the model was built was really focused from very large customers because at the time they were the ones who cared about cyber security the most. Back in the early days of cyber, it was the really large global 1000s that were sort of the targets or maybe some government agencies. You remember the old hacktivist days where they tried to break into the FBI and deface their website and all that stuff. But mid markets, they didn't really even have much of an online presence. And so the MSS

Jeremy at FireTail (02:36.952)
Yep. Yep.

Scott (02:45.347)
The MSSP model was essentially taking your firewalls and your IDS logs, sending them to usually a homegrown SIEM in the cloud. That's what we built at Symantec. And then sending alerts back to the customers when something bad was happening. The thing that's interesting is that model hasn't really changed in almost 20 years. So if you go talk to almost any of the MSSPs, it is still what we term as an arm's length relationship. It's, hey customer, you go do all the work,

You implement all the tools, you manage, run it all, you send us the data, we'll send you back alerts, you consume those as part of your overall SOC. And maybe that works really well still for a very large global financial company. But our view is that model really needs to change to more of an integrated relationship. Less of a don't call us, we'll call you relationship and more of a we can call each other anytime we need. And that's really sort of where we see the model change.

is to a much more integrated, much more high value service and much less of a SIEM-in-the-cloud alerting service.

Jeremy at FireTail (03:52.566)
Okay, but there's got to still be an aspect of SIEM in the cloud in this, right? Because in fact, we're generating more security logs than we ever have in the past.

Scott (04:02.322)
There is always that. So the ability to take data from lots of different things and correlate that and be able to tell and validate is obviously there. The key piece though is after you find that, what do you do about it? And that's really where we take a much different approach, which is we want to do response on behalf of the customer because it makes sense. And we also want to be able to talk to the customer and have the customer talk to us about things that are important to them around their security posture.

Jeremy at FireTail (04:30.133)
Got it, got it. So it's really kind of getting, in fact, it's kind of getting more deeply embedded with the customer in the sense that you're now taking on response capabilities and response responsibilities. You know, things that in the past would have been like your classic run book, if X then, you know, execute Y, that's now in the hands of someone like you.

Scott (04:39.889)
That's right. That's right.

Scott (04:50.162)
That's exactly it. We call it a lot more outcome-based, right? So the outcome should be, how do we, if something bad happens, which is inevitable, how do you contain that and respond to it and remediate it at a speed that keeps it at an incident and not at a breach, right? As we like to say, we try to keep it so you never have to call insurance. So it's inevitable that something happens, but...

Jeremy at FireTail (05:07.668)
Yep. Yep.

Scott (05:14.001)
wouldn't it be nice if when that something happens, even if it's complicated, somebody bopped it on the head, fixed it, and you didn't have to worry about it at three in the morning.

Jeremy at FireTail (05:18.964)
Yeah. Yep.

Yeah, well, one of the things or one of the questions that that brings to mind to me is that I've worked with a lot of, you know, SOC teams over the years. And one of the things that I always hear from them is that when there is an incident or, let's say, the first indicators of an incident, there's always two activities that have to be followed or need to be completed in order to respond effectively. Number one is you need to gather the data.

and you need to have, you know, kind of all the relevant data or as much of the relevant data as you can gather. And number two is then putting that in the business context so that if you're figuring out that I've got, okay, production system of, I don't know, customer-facing e-commerce or whatever it may be, my response doesn't actually make the situation worse or I understand the level of context to know that, okay, if I need to take a certain response that let's say might take that production system offline, what's the process for that?

And so I'm curious from your perspective as an outside provider, how do you manage that? Because you're really getting into kind of understanding the business alignment of the organization that you're serving.

Scott (06:30.259)
That's right, that's right. When we built SolCyber, we were advantaged in the fact that we didn't have a lot of legacy baggage. So that's really important. And most of the legacy providers out there, because of the way they built their solutions, are still really IP-based, right? So it's 10.10.x.y. And the ability to have fidelity around what that asset is, is very difficult. We built a system from the ground up,

Jeremy at FireTail (06:49.489)
OK. Yeah, yeah, yeah.

Scott (06:59.892)
focused around identity. And so to us, identity was going to be the future battleground. And so far, that prediction is playing out relatively accurately. As you can imagine, if you're focused on identity, and so when something happens to Scott's email, that also happens to an EDR that's on Scott's laptop, and then that laptop moves home, and now it's communicating outbound to known malicious URLs, and we can track that via DNS security on the laptop.

Jeremy at FireTail (07:09.521)
Yeah. Yep.

Scott (07:29.236)
there's a lot of different telemetry that all ties back to me. And so that gives the SOC, it puts them into a position to understand the underlying need and response capability. And so it's relatively easy for us, relatively, to understand the difference between Scott's laptop and a server supporting

your customer base, right? And that is a really fundamental difference on how we go about the service. And it allows us to have different levels of capability. So we'll actually go through and tag executives so that we have better insight into BEC and ATO. We'll go through and tag certain types of individuals that have a higher risk of the abuse of admin capabilities. And then we can also go through and say, okay, this set of assets are server-based, right? Or are

Jeremy at FireTail (08:18.702)
Yep. Yep.

Scott (08:19.334)
production-based. Because we do that based on identity, it really sets us into the position to be able to have a differentiated level of response. That's a very technical nuance that obviously once customers come aboard they love. But during the sales process you're trying to explain it to them and some of them get it that are more technical.

Jeremy at FireTail (08:37.134)
Yeah, but actually I think the thing that you said at the very beginning should make it pretty clear, I think to our audience in particular, basically what do you focus on? IP addresses and IP ranges or identities? And certainly you hear this adage, identity is the new perimeter. I think I've heard it in, well, candidly I've probably heard it in a thousand marketing pitches over the last 10 years or so, but I think there's a lot of truth in it. One of the things that I observed just from the standpoint of somebody who spent a lot of time in the cloud is,

Scott (08:47.669)
That's right.

Scott (08:56.788)
That's right.

Jeremy at FireTail (09:06.157)
getting a contiguous IP block is pretty much a thing of the past. And so if I'm gonna try to block off, I don't know, a slash 16, a slash 24, what are the unintended consequences of that? And does it even mean anything? Because by the way, hackers have cloud too. And so you block one IP address, you're just playing a game of whack-a-mole. They're just gonna pop up wherever else. And you know, there are VPNs and there are Tor nodes and there's any number of places that people can pop up. So IP,

Scott (09:09.854)
That's right, that's right.

Scott (09:22.709)
Mm-hmm.

Jeremy at FireTail (09:33.709)
IP-based defense systems just don't seem like the right approach from my vantage point either.

Scott (09:40.469)
They're not, I mean, even in the outbound, you could still get some good telemetry on IP-based outbound traffic, but most of the adversaries have moved to URLs that they can tear up and tear down relatively quickly, and so you actually need pretty dynamic URL detection when it comes to security, and again, if you're IP-based, then how do you connect your URL to your IP that's relevant to the underlying machine? So the key, and the reason why a lot of people don't do identity, it's actually harder to set up. The tooling that you

need in the background is significantly more advanced. But the benefit in the onboarding, sorry, the difficulty in the onboarding, the extra work on the onboarding gets you the benefit in the future around much higher fidelity, much fewer false positives, and candidly just a way better customer experience.

Jeremy at FireTail (10:28.074)
Yeah, that makes a ton of sense. So I'm curious, you know, we talked about identity. You talked about kind of starting from, you know, from a baseline of square one where you didn't have legacy that you had to support. Obviously, identity is a huge focus for how you're designing the defense mechanisms. But I'm curious, like, as you see the landscape changing, not so much the cyber threats that you're addressing, but just the technical infrastructure that your customers are using.

Is that also bringing, let's say like new attack surfaces and things that they're coming to you with and they're saying, hey Scott, can you and the SolCyber team look at this brand new thing that we just onboarded for marketing campaign this or new AI use cases that, and they're bringing to you new technologies that you've never seen before and how do you work with customers through that process?

Scott (11:17.143)
So one of the reasons why customers love us is because of the integrated nature of our capabilities, we do what we call light consulting or tap-you-on-the-shoulder services. And so the easiest way to think about this is you're an organization, you've got 5,000 employees, and you've got some security staff.

and you're looking at a new service or capability or tool or whatever and what do you do? You walk down to floor two and you tap your security guy on the shoulder and you say, hey, have you ever heard of this tool and do you know anything about it and how well could that integrate into what we do?

you are welcome to call the SOC for any of those types of asks, believe it or not. So we help customers with all kinds of things. We help them with security profiles on new tools. We've helped them with zero trust architecture concepts. We've helped them with audit and attestation documentation. We are not a full blown consulting service. So if you said, let's take zero trust, we're not gonna build out an entire zero trust architecture and deploy that for you. But if you said, hey, you know,

know, we're looking at Zero Trust architecture and it's got these different pieces and we're sort of looking at Zscaler, there's Appgate and some other components. You are more than welcome to call into the SOC and set up a conversation around that. So that tap-you-on-the-shoulder capability that we have is one, again, one of the things that customers love that really separates us because there's no MSSP that we know of where you can call into the SOC and say, hey, if you've got 45 minutes, we'd love to pick your brain on this topic.

Jeremy at FireTail (12:46.823)
Yeah, yeah, that makes a ton of sense. So changing gears for a second, let's go back to our old stomping ground in Singapore where you and I both lived. And I think we figured out that we were like either overlapped by just a brief period or we just missed each other from our years there. You know, as you were setting up the MSSP business in that part of the world, did you see big differences, let's say in the levels of sophistication or in the types of threats that customers faced? Because I had my experiences, which I'll share in a minute, but I'd love to hear from you first.

Scott (13:00.311)
Mm-hmm.

Scott (13:15.99)
Completely different. The... I mean...

At the end of the day, the US is the largest market, contiguous market. So whatever we are, 24 trillion. And it's all relatively speaking, same language, same laws, same contracts. Because of that, we also tend to be the most forward leaning when it comes to new technology. So what does that mean? Well, there's asymmetric reward for doing anything nefarious in the US, right? Whether or not that's a nation state or whether or not that's monetary.

Jeremy at FireTail (13:25.829)
Yep. Yep.

Scott (13:49.96)
attacks. You're going to get more bang for your buck by attacking US infrastructure. And when I say infrastructure, I mean that in the broadest sense possible. That could be, you know, just companies.

Jeremy at FireTail (13:57.637)
Yeah, yeah.

Scott (14:00.79)
Because of that, there's just so much more focus. I mean, at the end of the day, if I can make a million dollars attacking one company in the US and I can only make 100,000 attacking a company in Asia, obviously, where am I gonna spend my time? That was probably the single biggest difference. Asia, obviously, due to its historical situation, is culturally diverse. You've got language diversity, you've got cultural diversity, geographic diversity, as much as Singapore is awesome, Sydney's awesome, Hong Kong's awesome,

Jeremy at FireTail (14:23.525)
Yep. Yep.

Scott (14:30.696)
Hong Kong's amazing, I love Tokyo. Obviously, the Japanese businesses are very different than a Hong Kong business. And so, what we saw was much more dispersed attack patterns against the Asia companies, and because of that, a different sort of concern around security. There was oftentimes in the mid-market significantly less concern around security because they weren't really as online and as prolific from a digital...

Scott (15:00.599)
footprint standpoint as you'd see a mid -market company in the US.

Jeremy at FireTail (15:02.053)

Yeah, I will second that. And it's been granted, I think it's been 11 years since I left Singapore at this point. So things may well have changed and likely have changed a lot in certain regards. But I saw that firsthand quite often. One interesting thing that I saw from the digital native companies that I was working with a lot at the time, and I was with AWS for part of my time over there, the volume of targeted DDoS attacks was way higher than anything that I observed here.

or even that I continue to observe here. Here I see much more, let's say, phishing campaigns, targeted phishing campaigns, a lot of bot-based reconnaissance and probing for vulnerabilities, et cetera. But a very common thing that I saw with, let's say, companies in the digital gaming industry and things like that was whenever they had their peak kind of projected player events, and there were a lot of kind of online events organized around like,

Scott (15:32.823)
Mm-hmm.

Jeremy at FireTail (16:00.037)
everybody plays in this tournament, kind of honestly, kind of an early predictor of what Fortnite would come to be, right? With these kind of like winner takes all tournaments. It was very common to see a targeted DDoS attack against that platform at the time of the planned event. Or while the...

Scott (16:06.103)
Mm-hmm. Yep.

Scott (16:17.687)
And why do you think that was Jeremy? Like why was that happening over there and you didn't see it over here?

Jeremy at FireTail (16:22.021)
The thing that I heard in talking to some of those business owners was what they always suspected but could never prove, that it was their competitors basically targeting them. Basically, kind of a wallet-targeted attack in effect. Let me deny you a revenue opportunity. And we would see a variety of IP-based sources of the DDoS traffic, certainly some originating from places that you might think about like mainland China.

Scott (16:37.176)
Mm-hmm.

Jeremy at FireTail (16:49.061)
but then a lot coming from Tor exit nodes or from VPN sites and data centers that were known to serve VPN services and so on. And at that time, IP addresses were a little bit more fixed than they are nowadays where a 52 dot whatever could be on any AWS data center anywhere in the world and you really can't do much in the way of geographical location.

Scott (17:02.777)
Mm-hmm. Yeah, of course. Yeah.

Jeremy at FireTail (17:13.573)
you know, there was a strong suspicion that it was always just the competitive nature of those businesses. And I found it to be really interesting to observe because it was almost viewed as a legitimate business tactic, like a legitimate competitive business tactic. And that was just an eye-opening experience for me.

Scott (17:26.937)
Yes, that's right.

Scott (17:33.595)
It is funny, the cultural nuances, you know, I explained this one time and people sort of don't believe it, but generally speaking, you know, the U.S. intelligence agencies aren't logging into foreign national automotive companies stealing their plans for the car and handing it off to a U.S. auto manufacturer. It's not really sort of the game that we play. And it's culturally sort of unacceptable to do that. Even citizens wouldn't appreciate that. We're like, that's just cheating. Right. But.

Jeremy at FireTail (17:52.133)
Yeah, yep.

Jeremy at FireTail (17:57.253)
Yep. Yep.

Scott (18:03.514)
Internationally, that type of model is oftentimes completely acceptable to a lot of the nation state actors.

Jeremy at FireTail (18:09.989)
Yeah, yeah, and I think that's one of the other things that I observed was there was probably as much nation state sanctioned, if not directly sponsored activity as criminal organization, you know, spending time with customers on that side of the world. And that was also kind of surprising. I haven't spent time looking at kind of the current state of things. And I'd be, I'd be a little bit curious to see how that might've changed because certainly from our perspective, working on API security, one thing that we see is that,

Scott (18:23.804)
Yep. Yep.

Jeremy at FireTail (18:38.981)
First of all, like security by obscurity is dead. Don't think that you can just kind of float under the radar because you are a mid-market, middle-sized company who's only partially digital. You know, hackers have cloud, hackers have automation. Everybody is a target at this point in time. Every time we put an API online for testing purposes, it gets traffic within three minutes maximum. And this is just a random API, random IP address from a cloud provider.

Scott (19:02.715)
Wow. Wow.

Jeremy at FireTail (19:08.325)
and it picks up traffic. And so I just think like, you know, you have to be, you have to have the expectation that that is going to be the case. And anything you put out there is going to get not only probed, but probed with a level of intelligence. I'm not only looking to see, do I get a response? I got a response. Well, let me check what it's running. Does it respond to targeted WordPress queries or, you know, insert whatever system, Log4j, whatever.

Scott (19:08.635)
Mm-hmm. Yeah.

Scott (19:15.835)
Mm-hmm.

Scott (19:21.339)
Mm-hmm.

Scott (19:27.099)
Mm-hmm.

Jeremy at FireTail (19:34.693)
And certainly probing for known vulnerabilities, default username passwords, all these types of things. We see that regularly with every environment that we stand up. Yeah. Yeah.

Scott (19:44.347)
Yes, super interesting. The thing I'd say about today is you're really seeing places like Singapore take a leading

approach to cyber. The way they approach cyber is very sophisticated as a country and you're starting to see a lot of the other countries sort of take and follow their lead. So when they come out with new regulations or policy or standards, you are starting to see that. And so there are certain countries now in the Asia Pacific, specifically region that are sort of taking a leading role in setting standards that you're seeing a lot of the other countries follow along.

Jeremy at FireTail (20:22.757)
Yeah, I would agree with that. I recently was at RSA conference and I was, I happened to be sitting at breakfast one day next to two people and I kind of picked up the Singapore slang and the Singapore accent a little bit. So I was chatting with them a bit and they work for an organization that works on behalf of the Singapore government and they do their best to kind of scour the world for leading tools, leading technologies, leading approaches. They have a kind of hybrid mission of.

some commercial, but also looking heavily at the open source side for things that they can bring into their arsenal. And then I've seen, I work on a project right now with another nation state in Asia Pacific who is just making a massive investment in bringing their cyber capabilities up to speed and just huge amounts of money and manpower thrown at it. And so that's been really encouraging and interesting to watch.

Scott (21:15.038)
Yeah, absolutely. I love the region. I really have a passion for Asia. I love Europe. I love there as well. But Asia just has an energy that's contagious. That's really sort of second to none right now, in my opinion.

Jeremy at FireTail (21:29.349)
Yeah, I think I'd agree with that. Just so much growth and potential and a ton of innovation coming out of that side of the world as well that I think people don't, may not know unless you're spending time in the region. So I would encourage all of our audience, if you get the chance, definitely take the time, take the trip. I wanna close out on something. I've been running the Modern Cyber Podcast now for several months. I've really enjoyed the experience of actually learning from our guests. I know our audience get to learn a lot as well.

Scott (21:35.486)
That's right.

Scott (21:40.094)
That's right. Yep. Yep, sorry.

Jeremy at FireTail (21:57.605)
but I do myself. I know you have your own podcast, Security Shorts with Scott. I'd be curious to hear, you know, what's the goal? What's the targeting? What's the mission of that podcast?

Scott (22:01.246)
That's right.

Scott (22:08.19)
The, what we set out to do was, because we spent a lot of time in the mid-market, so think of it as like 500, you know, 500 employees up to like 5,000 or 10,000 seats, whatever.

what we found was that there were a lot of questions about specific topics. So it could be like API security, it could be encryption, it could be, and so it could be cyber insurance. What we were trying to do was take the most interesting components and information around this specific topic and synthesize it into a high value podcast, right? And so if you said, okay, we try to keep them under 10 minutes, so think seven to eight minutes, and if you want to know about cyber insurance,

Jeremy at FireTail (22:24.741)
Okay, right.

Scott (22:49.986)
then this would be a beautiful seven minutes and all of a sudden you're like, wow, I feel like I really got the 80, the Pareto principle of information. I got the 80%, that's the most valuable information on cyber insurance and how it works and how do you get value out of it. Same with encryption, same with API security, so that it's a great landing spot for people that are like, I really wanna get to know about this topic. And if I wanna go deep, then there's lots of information out there. But if I wanna get a really juicy, interesting,

summary, this is a great place to get it.

Jeremy at FireTail (23:23.477)
Awesome, awesome. And for those who are interested, we will post a link to the show in the show notes of today's episode. But where can people find that? I assume it's on the kind of the standard Apple podcast, Spotify podcast places.

Scott (23:37.057)
It's on all those, SolCyber.com is out there, LinkedIn as well, so lots of places to find it.

Jeremy at FireTail (23:41.364)
Yep. Awesome, awesome. Well, Scott McCrady, thank you so much for taking the time to join us today on Modern Cyber. It's really been a pleasure. I always love traveling down memory lane and talking about our old haunts and some of the great times that we spent over there. It's great to hear that you did as well. And for those looking for more information on you specifically and some of the work that you're doing, obviously SolCyber.com, but where else can people find you? X, LinkedIn?

Scott (24:06.85)
LinkedIn primarily and obviously Scott at SolCyber.com. They can always email me or ping me there.

Jeremy at FireTail (24:13.812)
Easy Breezy. Scott McCrady, thank you so much for taking the time to join us on Modern Cyber. To everybody listening again, please do take the time if you've got a second, rate, review, share, all that good stuff, and join us on the next episode of Modern Cyber. Bye bye.
