
October 31, 2025 42 mins

What does NIS2 really mean for your day-to-day security operations?

In this episode of The Collective Podcast, host Jordy Decock sits down with Michael Van Horenbeeck, Microsoft Security MVP and CEO of The Collective, to unpack how organizations can move from NIS2 compliance checklists to measurable resilience.

They explore why 24-hour incident reporting demands a modern Security Operations Center (SOC), and how continuous monitoring and supplier oversight have become non-negotiable.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Jordy (00:00):
It's Monday morning.
You grab your coffee, sit down at your desk and open your laptop, ready to ease into the week.
But something feels off.
Files are missing, emails aren't sending.
And within minutes, the truth sinks in.
Your company has been breached.
Panic spreads.
Your IT team scrambles to contain the damage.
But under NIS2, it's not just about stopping the attack.

(00:22):
You now have 24 hours to report it.
Your board could be held personally accountable.
And your customers, they're already wondering if they can trust you again.
Is this nightmare scenario avoidable?
Absolutely.
Welcome to The Collective Podcast.
The podcast where we delve into the ever evolving world of corporate security to help businesses stay ahead of the curve.

(00:45):
Whether you're a small startup or a global enterprise.
I'm your host, Jordy Decock, working for The Collective, where we pride ourselves on a hands on approach, working closely with our clients to cut through the noise and deliver the solutions they actually need.
No unnecessary fluff, no overselling.
Each episode, I'll be joined by experts, practitioners and thought leaders diving into today's most pressing security challenges.

(01:08):
We're here to provide insights, strategies and actionable advice to keep your organization safe and secure in a digital first world.
Joining me today is Michael Van Horenbeeck, MVP in Identity and Access Management and CEO at the Collective.
Together we'll explore how NIS2 changes the cybersecurity landscape and what practical steps you can take.

(01:31):
Welcome, Michael.
Hi.

Michael (01:33):
Hey, good afternoon.

Jordy (01:34):
Thank you for joining us.

Michael (01:35):
My pleasure.
Thanks for inviting me.

Jordy (01:37):
You're very welcome.
Let's get right into the topic.
By now, most people have already heard or know about the NIS2 Directive, which is currently live.
What has changed for boards and CISOs on the 18th of October of 2024?

Michael (01:55):
So there's lots of changes, right?
From a legal perspective, that is the first and foremost.
Well, it's not the foremost, but the most important part is the liability.
Right?
The liability that actually says that boards can no longer hide behind, you know, "we didn't do the right thing because XYZ." They have, or at least by law they have, to do a certain number of things in order to keep their environment safe.

(02:20):
They have to do reasonable things and they have to prove that they've done everything within their power to do so.
Right.
And if they fail to do so, in other words, if they neglect cybersecurity as part of their operations, then they could theoretically be personally held responsible for that.
Now, even though the clause is there, we haven't seen any punitive damages yet.
We haven't seen any lawsuits.

(02:41):
We're far away from that.
But it does add the sense of urgency.
So I'm very happy that clause exists because it kind of really puts it in the face of some C-levels and owners and tells them, hey, you know, just like physical security or, you know, when you're at a construction yard, you have to ensure the actual safety of the folks working there.
You have to do the same thing in the digital estate, right?

(03:05):
So you can't ignore it.
I think that is for boards, one of the biggest elements.
And of course, as part of that, they have to be aware.
If they don't have any knowledge, then they have to get some training and you have to show that there is some training.
So, I mean, mostly in that regards.
Now, what they have to do is depicted by all the other elements in the law or the regulation, however you want to look at it.

(03:31):
But we'll get to that in a minute, I guess.

Jordy (03:33):
Yeah, we certainly will.
To add on to that, one of the things that I've also read online is that for NIS2 Essential companies, board members or management people can actually get a temporary ban from having a management function.
So it's really.
They want to scare people a little bit.

Michael (03:55):
I don't think it's really scaring.
It's just holding people accountable for the role they have.
I mean, it's like driving a car.
You have to drive a car responsibly and if you don't do so, you can get fined or they can revoke your driving license.
And I think that's a good thing, right?
If you show that you're irresponsible, that they take away the privilege to exert certain activities like owning or running a company, that isn't new, even when you take a look at the fiscal laws or, you know, when there is.

(04:22):
When you run a company, right?
When you run a company, right?
If you own a company, you run a company and there is fraud, right?
You've frauded or defrauded the government, then you can get convicted.
And as part of that conviction, they can actually revoke the privilege, quote unquote, to, you know, exert your right to have a company for X amount of years, or when you go bankrupt, it's the same thing, right?

(04:45):
Once you have declared bankruptcy, there is a certain limitation on what you can and cannot do in terms of entrepreneurial elements.
And I think that's your.
That's the same thing, right?
If you are running a company or you're responsible in that company or you can heavily influence its direction and you neglect what you have to do.
From a cybersecurity perspective, that leads to a breach which ultimately leads to the demise of the company or other damages to other people, then I think it's rightfully so to say that you haven't taken up responsibility, and if you're irresponsible, then maybe you should not have that responsibility in the first place.

Jordy (05:20):
Yeah, I think you use a really interesting word there.
The damage to the people that actually are customers, for example, of your company or even your employees.
So that's, that's really interesting.
We already touched two of the main, well, main things from this deal.

(05:41):
I think the other one of them is risk management.
Maybe we could go a little bit deeper into that and even how it translates to: what am I supposed to do at this moment within my company as a CISO, and are there any tools that my company might already have to do this?

Michael (05:59):
So I think when we speak of risk management, there's two distinct elements, right?
There's risk management in general, IT or cyber risk management, if you will, and then there is third-party risk management, which are two elements that are part of the governance framework.
And that isn't new.

(06:19):
I've been preaching for a long time now that in order to defend your castle, you have to know its weaknesses.
Now if you don't do an assessment, if you don't identify your weaknesses, if you don't do a risk assessment, how do you know what to fix?
And so it kind of boils down to the very beginning of governing security, of making sure that you are secure.

(06:41):
It's to get an idea of what areas can you improve most.
You can always improve in every area, but which ones are the most critical ones.
So that identification, if you will, of risks, of challenges or anything or even vulnerabilities becomes the center, the first piece, the first missing piece of your security strategy.

(07:02):
And I think that the NIS2 framework or the NIS2 law just kind of sets it in stone and says, well, you know, we do expect you as a company to do your proper risk management both internally and from a third-party risk perspective, so that you can actually govern security correctly.
And from that perspective, I think it's really the very first step.

(07:27):
Take a look at the NIST Cybersecurity Framework.
You know, Identify is the first step.
Well, it really means looking at your environment and understanding its risk profile, the challenges, the vulnerabilities, the things that you need to fix, and then prioritizing them and then, you know, taking a step by step approach, starting with the highest priorities.
But you can only do that with proper risk management.

(07:47):
And that's for your own environment.
Then we take a look at the second part of the law that says you have to do the same for any third party that you work with.
And when I say any third party, I don't mean the one that is delivering pens and utensils to you, right?
It's the companies that you interface with.
From a cyber perspective, where you have a hoster, where you have software running, where you have infrastructure running, or a service provider, you have to understand how do they deliver the services to you, how secure are they?

(08:18):
Do they have the same standards as you do?
If not, what are the vulnerabilities that exist on their end and how can they impact you?
Let's say that you work together with a company and, as part of their service delivery to you, you have to set up a VPN.
Turns out that the other company is totally insecure.
They have no controls.
They have no decent controls.
Well, you know, there is a VPN into your environment.

(08:38):
How do you ensure that a breach on their end doesn't necessarily constitute a breach on your end?
And to that point, and I'm not trying to pry or blame anyone, but I think a really good recent example is what happened at Brussels Airport.
It was a third party that had a breach and that caused mayhem at the airport.
Now, is that unavoidable?

(08:59):
Probably not, right?
We don't know the specifics and I think we don't have to jump to conclusions, but it shows how important that process is.
Companies like Brussels Airport, but any other company that have a reliance on a third party need to assess how secure is that solution.
What are my ties when an incident occurs?
What are my options?

(09:20):
How does it cripple my business?
Do I have any other options?
Can I enforce specific security requirements on them?
And you do all of that to make it harder to be breached, but you also do that to understand how do I respond in case of a breach.
And people laugh at it.
But from a resilience perspective, what Brussels Airport showcased is that even when there is such a major disaster, it will cause inconvenience.

(09:43):
And yes, there were canceled flights and there was mayhem, but they reverted to the oldest trick in the book, checking in people manually.
So from a resilience perspective, I mean, they did pretty well.
Could it have been better?
Maybe.
Could this have been avoided?
Well, the answer is maybe not.
On the side of Brussels Airport.
But maybe on the side of the third party, it just shows the importance.

(10:06):
And there are a million and one of these examples.
When we go back a little bit more in time, then we have the SolarWinds breach a couple of years back that caused mayhem, right?
Software was breached, or it was a supply chain attack.
Right.
Where software was breached and that software is installed in many other organizations.
Well, you have to understand that software, what its ties are into your environment.

(10:28):
And it's kind of like threat modeling.
You have to consider what's the worst thing that could happen, what if that software is breached, what does it mean for me?
So that when a breach notification is sent out into the world or when there is a vulnerability, you can more easily assess its impact, the course of actions, what you can do about it or what you need to do about it.
And that's true for software, third parties, service providers.

(10:50):
I encourage our customers to do the same for us.
Right.
You know, when we deliver services, they need to know what we deliver, how we deliver them, which ties there are and what if we are ever breached, what does that mean for them, how can they sever the ties, what does it mean for their operations?
And all of that is again a very critical part of just doing security.
Right.
Security is much more than enabling features, installing software or an endpoint detection response solution or anything of the sorts.

(11:17):
It's more than just firewalls.
It's the entire process around that.
And I think that kind of cuts to the essence of the law that says you kind of have to do these things if you want, if you ever want to become quote unquote secure.

Jordy (11:31):
Okay, you already jumped into the fourth pillar as well, which is business continuity.
As you said, there might be some lateral movement available, which means you have to be able to know how we are going to respond, what we are going to do. That all said, what is the offer that Microsoft has that a lot of companies in Belgium or in the Benelux already have, or 95% of those companies that are already on the Microsoft stack?

(11:59):
What we notice a lot is that companies are referring to third-party solutions because they don't really know what is already inside all of their licensing and how they can use every single software or product of Microsoft to complete their NIS2 journey.
So what are some of those things that might be a first step to take for those companies?

Michael (12:23):
So first of all, you know, understand what your risks are and understand what you need to do.
Microsoft doesn't deliver a single product that will make you quote unquote NIS2 compliant.
Which is one of my pet peeves, right?
Whenever I see software being sold online, or a solution or a platform for that matter, that says, you know, buy us and you're NIS2 compliant, that's utter crap.
Excuse my French, but it totally is.

(12:46):
Why? When you take a look, and I think the CCB in Belgium, so the Centre for Cybersecurity Belgium, has done extremely good work with the framework that they've created, the CyFun CyberFundamentals Framework, which is now copied by other countries in Europe.
They've gone through the list of requirements, they've mapped it to the NIST Cybersecurity Framework and said, okay, here are a bunch of technical controls in each of the different phases of the NIST Cybersecurity Framework that you should do or could do, or that we require you to do as part of NIS2 compliance, whether it's essential or just a regular company, I would say, and an example thereof is that in each of the phases.

(13:28):
So we've got Identify, we've got Protect, we've got Detect, we've got Respond, we've got Recover, and then the governance capabilities, the different phases of the NIST Cybersecurity framework.
There are solutions within the Microsoft stack that can help you identify problems, vulnerabilities.
There is Microsoft Defender Vulnerability Management, External Attack Surface Management.
There is all the logging, all of which that can help you identify threats and weaknesses in your environment.

(13:53):
That satisfies the identification phase or the identification activities that you have to do.
These solutions deliver input that you need to do your risk management on your environment.
And then the second phase, Protect.
There are solutions aplenty, like Defender for Endpoint, Defender for Office 365, basically the whole Defender stack that helps you be proactive and defend your environment, protect your environment against threats from the outside, or even from the inside.

(14:17):
But under the assume breach principle, where you know things can go wrong, even a product like Defender, which is really solid, will sometimes let things through.
You better make sure you know how to detect that, right?
If you can't protect, then at least know that you can detect that your initial protocols, your initial defenses, have failed.

(14:39):
And again, Defender XDR, Sentinel for that matter, where you can centralize all log files and detect what's happening in your environment.
That helps you again in the response phase: if you detect something, well, you better know how to respond.
So it consists of having your procedures in place, making sure that you know what to do.
But it also is technology driven.
So we again have the entire Defender XDR stack that can, with a single click on a button or even automated, respond to threats happening in your environment.

(15:06):
There's a bunch of automations that you can build on top of Sentinel to actually take those actions for you.
And then, you know, as we progress from a recoverability perspective, even though, you know, I have mixed feelings about Microsoft's backup solution, there is a backup for M365 and in Azure you've got the native Azure backup solutions as well.
So in each of these phases they have one or more products or associated suite of products that can help you achieve the goals that you need to.

(15:29):
So when you then take a look at the CyberFundamentals framework, and they go as deep as having DLP in place, well, we've got Purview. You need to be able to do MFA.
Well, we've got Entra MFA, we've got passkeys, we've got all the modern authentication capabilities that you need for that platform, but not just a Microsoft platform.
What I believe is still a big misconception is that people think that Microsoft creates solutions for Microsoft, but at the end of the day their solutions work cross ecosystem.

(15:56):
We use the whole Microsoft stack to secure environments both in Azure and outside of Azure.
We do it for Windows devices, we do it for iOS devices, we do it for macOS devices, even for Android devices.
So it covers an entire ecosystem.
So it is by Microsoft for the rest of the world rather than by Microsoft for Microsoft.
Now granted, it works best together with Microsoft products, which is kind of normal like Apple products do the same thing.

(16:21):
Apple works really great together with Apple and there is compatibility with the rest.
I think the distinction there is that Microsoft really works fantastically with their own products, but they work really well with everything else.
And that is something that you should take away.
So there is not a single one thing.
And maybe this is a very long answer to get to the point, but yeah, no, there are plenty of things within the entire ecosystem to help you achieve potential compliance with NIS2 at the end of the day.

Jordy (16:48):
Okay, maybe we can zoom in a little bit on one of those.
Because one of the things that I came across when I was reading through the NIS2, I'll call it guidelines, was continuous monitoring.
So what does continuous monitoring really look like if you want to comply with that as a company?

Michael (17:11):
Well, let's make an analogy with real life: you have a building, you have access control to the building.
And then how do you know for sure that no one is trying to sneak in? A security camera.
You put up a security camera.
Well, that security camera has a feed.
That feed needs to go somewhere, someone or something needs to look at that feed, determine if something is happening and whether that is malicious intent or not, and then issue a response which is either sound the alarm, call in help from external to do certain things, and so forth and so on.

(17:43):
So that analogy applies directly to your digital real estate.
It means that you have to have cameras, traps, log feeds, anything of the sorts that feed into a system.
That system needs to monitor that feed and alert, and then something or someone needs to look at those alerts, determine whether it's a true positive or a false positive, and then respond to the threat that is happening.

(18:08):
Now, some of the threats are benign.
Some are actual malicious activity.
What you do and how you respond, well, it really depends on the alert or the incident that you're facing at that point.
So we're ending up in these situations.
Do you, as a customer, feel comfortable enough to do your own monitoring?
To be fair, I don't think that a lot of organizations have that capability.
Right.

(18:28):
That's the discussion.
Do you need a security operations center, a SOC, to be NIS2 compliant?
The answer is no, you don't need it.
But are you able to do it yourself?
Like, why do so many people outsource their home security, their building security to a third party?
There are companies worldwide that have built an imperium on delivering services around physical security and monitoring.

(18:50):
Why?
That's what they do best.
When we take a look at, you know, 20, 30, 40 years ago, you know, every company had their own security guards looking at the monitoring screens, potentially even 24/7.
It's not economically feasible, nor is it smart to do it yourself.
Right.
In very specific cases, maybe, but it's better to outsource that to specific parties and do that.
And that's kind of how I look at the monitoring or continuous monitoring, bits and pieces.

(19:14):
You have to make sure that whatever happens in your environment, you know how you handle that. Whether you do it yourself or you outsource it, I really don't care.
But just make sure that you do it.
And if you don't have the capabilities, then outsource part of that to a system or to a party that can do it for you or do it, you know, partially automated, partially manual.
I mean, there is the whole plethora and a whole, you know, level of gray involved.

Jordy (19:36):
Okay, so the outsourcing part, where you say it's better that you outsource it because when you do it internally, first of all, the cost will be very high.
You have to find people to do it and so on.
I do believe our SOC makes its own automation rules.
So is that one of the things that you are.

(19:58):
Hey, that's why a third party can be such a great value because they are covered over different companies and they have automation rules or they have detection rules that they see within another company that brings benefits to your company.

Michael (20:16):
Yes, that's one of the reasons. You have to look at it in different ways.
One of the ways is, for instance, the knowledge part: finding the right people that know how to look at an incident, or an alert in an incident, and respond isn't easy.
There is a shortage in skills for everyone.

(20:36):
Even for us as a specialized company, it's really hard to find the right people.
Now imagine you have to build that capacity yourself.
If you don't have it already.
It's going to be an uphill battle, it's going to be tough, it's going to take a long time.
You're going to have to train people, you're going to have to spend money and that obviously, you know, there is a cost associated to it.

(20:57):
Now there are cases where I truly believe that you have to have that in house capacity.
Don't get me wrong, there are cases where I would not necessarily outsource the entire SOC operations.
But for some organizations it just makes sense because that part of it, or just that in general is not part of what they do as a company, nor are they particularly good at it.

(21:17):
So you can really guarantee a certain quality of what you're building.
It's kind of like, you know, when you have to build a house.
Why do people hire a company to build a house?
They could do it themselves.
There is a reason why you kind of outsource that to someone else.
Because they have the expertise, they know how to do that, they can be cost efficient, maybe even more cost efficient than you can do.

(21:37):
Now I don't want to bring this into a it's always cheaper to outsource.
It isn't true, it isn't always cheaper to outsource, but it may be the best choice.
So it really depends from one company to another and expertise is one of them.
Now that expertise extends into different areas.
It could be the ability to understand the technology that you're working with, to the ability to distinguish true positives from false positives, because something may look benign but might not be, or vice versa, and they can probably get faster to the root of an alert or an incident at that point.

(22:07):
So that's added value, right?
The mean time to respond.
So the time you take to respond to an alert, and then the mean time to, I'm not going to say acknowledgement, but to identify whether it's an actual true or false positive, needs to be as short as possible.
And that is what you're buying from an external SOC.
Now, how do you do that?
I sincerely hope they do it in a smart way.

(22:29):
I hope they don't have 150 people sitting in front of a screen waiting for an alert to come in and then frantically start clicking in a portal in order to do stuff.
To be efficient, we have to do smart things.
We have to involve technology, we have to make automations, we have to automate as much as possible to respond as quickly as possible.
And that is part of the experiences that we have.
That's the automation that we build, that's the technologies that we leverage.

(22:51):
Now could anyone else build the same thing?
Absolutely.
Will they?
Well, do they have the expertise, do they have the time or do they spend the time to do that?
That's a different story, but absolutely, hands down, one of the many elements that you get from quote unquote, outsourcing your security operations center or part of that.

Jordy (23:10):
Is there any example you can get onto of how automation can reduce an incident response time?

Michael (23:19):
Oh yeah, absolutely.
An alert comes in, you apply some logic, whether it's binary logic of if this, then that and such and so, or whether you even include these days AI agents that will reason over the data that you feed it.

Jordy (23:34):
I think there's one for phishing emails or something I saw lately, but, and.

Michael (23:38):
I mean, you know, but it's a good use case, right, when there is 50 shades of gray where you have multiple interpretations.
And if-this-then-that doesn't really work, because if you want to build that, then you're going to go through hundreds of permutations of if this looks like that, then this is phishing, and if that looks like that, then it's not phishing, and blah, blah.
And because we're reasoning over text most of the time you can feed that into an LLM agent, right?

(24:01):
And just tell it, okay, so here's a bunch of text.
I want you to reason over this, and it's not really reasoning, but, you know, go faster over a certain decision loop and come back with a verdict whether this is, according to you and according to the parameters you have, something malicious or not.
So there is a very good use case of an LLM for doing analysis or initial analysis.
Right.
I wouldn't trust any LLM to do 100% automation.

(24:24):
You always need some verification afterwards.
But in terms of automations, a really good one is where you have an alert that comes in on an endpoint, let's say Defender for Endpoint in this case.
And it turns out there is malware that was downloaded, or worse even, you know, something was downloaded but then executed.
And it's during the execution phase that Defender says, oh wait a second, I noticed that something's running here that shouldn't have been running, and it tried to kill off the process, but it didn't succeed.

(24:51):
Whatever, you can take that information from the timeline, then you could jump to conclusions and say, you know what, we're going to just isolate the machine, and do that as an automated action, so that when the alert comes in,
there's a bunch of, you know, if-this-then-thats that you go through, and then based on that you make the decision whether you automatically isolate the device.
And that's kind of what Microsoft built with attack disruption, which is a built in capability into the platform that will reason over the data, look at it and make a decision for you.

(25:19):
Disable accounts, reset passwords, disable devices, isolate them in order to contain the incident that may be happening.
Now with any automation, with any logic that you apply.
Just like humans are prone to error, there are permutations where the automation may fail, may not have gotten the right parameters or worst case, made the wrong decision.

(25:41):
Whether it's part of the flow that you've built that is flawed, or whether it's just a set of elements, permutation that you haven't encountered before and it will make the decision to isolate something that it shouldn't have.
Well, when I look at that from a CISO perspective, sometimes I'd rather isolate a device too soon than too late.

(26:03):
Now the challenge that you have there is that lots of organizations, CISOs, have a very difficult time trying to explain that to the rest of the company.
Typically when it involves C-level executives, like, you know, I don't want my device to be, you know, locked, ever, because, you know, I'm traveling, blah, blah.
The end of the day it's all down to risk, right?
If you don't want your device to be automatically isolated, well, you know, if ever something happens, do you sign up to be the owner of that risk, dear C-level exec or management, whatever, I don't care. The answer is: yes, sure, you know, sign here, and whenever something happens on your device, I'll hold you accountable

(26:35):
to it.
Once you present people with that option, they're less inclined to agree and they'll be like, yeah, you know, just go ahead and you know, isolate.
Now when you do that, when you take a decision to take an automated action, make sure that you have a process in place to undo that activity as soon as possible, especially if it's a false positive.
You shouldn't let people hang in there because you've jumped to conclusions for all the right reasons.

(26:58):
You should be able to get them out of that quote unquote misery if you need to.
And there has to be a well understood, fast process as well.

Jordy (27:06):
Okay, great.
Let's take a step back.
We already talked a little bit about supplier access or the supply chain and so on.
But why is it that supplier access is such a big focus of NIS2?
Because you already kind of mentioned the fact that they have certain possibilities into the lateral movement into the system of the company they are providing the software to.

(27:33):
But are there any other reasons why NIS2 would want to focus on the supply chain?

Michael (27:39):
I think that is the main reason.
The front door, back door kind of scenario.
What good is it that you have a house that is fully secured where the front door closes and you close the back door?
You make your house as secure as possible and then you have a window that goes to a third party.
You leave that window wide open.
There's plenty of examples where a supply chain attack, a third party breach has led to a breach at another company, whether it's intentional or as part of collateral damage.

(28:07):
There were the ransomware attacks.
I'm not sure if it was the MSC terminals back then, where the Port of Rotterdam was collateral damage because there was a VPN or something of the sort.
And again, you know, it's just one of the many examples.
Brussels Airport is another one.
SolarWinds, another one.
The Microsoft attack they had, that was a supply chain attack in a certain way.
Right.
There were no directly impacted third parties when attackers got access to some parts of the source code.

(28:35):
But it does highlight: what if there was some sort of access to the production environment that they got into?
And it's true for any third party that has some sort of cyber presence, that delivers software, that has a connection or something of the sort.
You have to make sure, and that's part of your due diligence.
It's your responsibility to understand if you are running any risks through that third party, if so, what the risks are, how they could materialize and when you have to take action or how to take action to mitigate those risks.

(29:07):
And because of all the examples, I think that's the only reason why they've put it into the law, because it is a really important part.

Jordy (29:15):
The reason why I wanted to take the step back and rediscuss this is because we do see with a lot of companies that it is something that is most forgotten.
They are so focused on their own environment that they forget that everybody who has access to their environment might just be a risk in itself.

(29:36):
One of those things is the amount of admin roles that providers have.
We do see that a lot.
Now what makes.

Michael (29:46):
So let me respond to that.
Right.
It is a critical concern, it's a really important one.
But when you take a look at where some organizations are in their journey, is this the first thing you focus on?
Yes or no?
Many organizations that we work with are not mature enough to start worrying about other people's risk yet.

(30:06):
Now they'll have to, right?
The law kind of forces them to.
But it takes a lot of effort to understand what's happening and what's out there.
And it's more than just sending out questionnaires and getting answers back.
There is a lot of work involved if you want to do it right.
But they haven't even enforced MFA on all their endpoints, for instance, or, you know, on all the platforms they use.
They are still debating whether, you know, to upgrade to the latest Windows version.

(30:30):
As long as you're still stuck with some technical old school challenges, then, you know, worrying too much about third party risk is probably not the right thing to do.
Now I'm not saying that you shouldn't care.
You should.
But it's probably for some not the first thing that you're going to jump into if you don't have your own house in order.
Now there is a balance to strike.

(30:51):
You have to do a little bit of everything, right?
Understanding and identifying the challenges is maybe step one; you may not be able to actively do something about it, like revoking permissions.
I love the idea.
And you know what my stance is on this, right?
I'm very strict about this.
But the number of times that we just talk to vendors, third party service providers and tell them, well, you're not going to get Global Admin or this, and they're like, well then we can't deliver the services, that's a problem.

(31:15):
Now what if a vendor comes to you and says, well, this is what I need and this is how I deliver my services and if you don't give me this, I can't deliver my services.
Do you have an option?
I had a discussion last week about the same thing, where you could err on the technological side and the security side and tell them, well, you know, if you're not using global admin, then I'm not giving you access, end of story.

(31:39):
Well, what if the business needs it?
What if it is critical to keep your business up and running?
And whether it's global admin or domain admin permissions, it's always been a debate, right?
Because these permissions, they just seem to work.
That's the biggest problem.
And it's not an easily solvable problem, especially if it's a business critical application or if it's part of a really important business flow.

(31:59):
At that point the business has approved it.
And as such, it's not your job to stop the solution; it's to find the best possible way to make it secure.
But for that you have a reliance on the third party.
Now this is a great example of third party risk management.
Let's say that you have a solution that you have to deploy on premises into your Active Directory and that solution uses a global admin or domain admin permission.

(32:24):
Okay, great.
Well, you know, that's one step away from total domain dominance.
What's the third party risk look like?
What's the exposure?
What's the likelihood of certain things happening?
And then at some point you have to realize, what are my mitigation strategies?
Well, I can put in additional detection assuming that you can't revoke the domain admin permissions because the application will break and the only thing you can do is detect that abuse is happening.

(32:47):
In other words, are other systems using that domain admin account, can you regularly reset the password to keep it somewhat secure?
What else can you do to secure that?
Knowing that you can't maybe protect it whilst you're doing the detection and response capabilities and increasing them to kind of hope that, you know, you're early to the game.

(33:09):
If some abuse is detected, you have to work with that vendor to tell them you really have to get off the domain admin permissions.
Now, when there are alternatives in the market.
Let's say that you use application X and there is Y and Z as well that you could just as well use.
You have leverage, you can go to that company and tell them, well, you know, we just bought your solution or we bought it many years ago, but we're going to move off to another solution.

(33:31):
If you don't fix this, you have leverage, but there's plenty of software out there where there is basically no alternative.
Or it's so engraved and ingrained into the operations of an organization that there is no alternative.
Well, at that point you lost your leverage and all you can do is prepare for the worst, hope for the best, and try and put as much pressure as you can.

(33:51):
Because moving away from those applications and just bullyingly telling them they have to change stuff, it's never going to work.

Jordy (33:59):
Okay, it's a great insight and really adds value for those who are looking for it.
But I also wanted to go a little bit deeper into what The Collective can provide to customers around this deal.
So I really want to ask you, like, are there any solutions that we as a company have right now?

Michael (34:20):
Sure.
Plenty.
Really depends on what your needs are.
Right.
So from our services perspective, as I mentioned earlier, there is our SOC that can satisfy the continuous monitoring bits and pieces, where we can take over the monitoring of your environment, of what's happening, and then respond to that.
So you satisfy the continuous monitoring and the installation incident response capabilities within the environment without breaking the bank, without having to do it yourself.

(34:44):
There is our security baseline service, which is more on the security, well, not protection side of things, where we manage security baselines in Azure, in M365, on your endpoints to ensure that you're as protected as possible, but also that we can detect deviations from those baselines.
So that kind of ventures into the protection, detection and even response scenarios.

(35:06):
Same thing goes for our Azure managed service where we manage the cloud in a secure manner.
So we protect the cloud, we make sure that it is as secure as possible and that we can ensure that we can detect again deviations that are happening, all without taking away the flexibility of building the solutions that you have.
So those are typical services that we deliver that have a direct relation to what you need to do within the NIS2 framework.

(35:31):
But outside of that, every organization is different.
Sometimes you have just a need to build a governance framework in Entra where we can help you to automatically govern identities across the entire estate.
Well, you know, we have that expertise in house.
We can help you automate more to do things smarter within the licenses that you have of the Microsoft stack, for instance.

(35:54):
And so there are a plethora of elements, but operationally it would be our managed services or different managed services.
And then anything outside of that is custom bespoke work from a consultancy perspective where we can definitely help. What we won't do, however, is, you know, write all the policies with you and make you a paper-compliant company.

(36:16):
We have a very pragmatic approach to NIS2.
I've seen some companies plunge hundreds of thousands of dollars into a process of becoming NIS2 compliant, which I think kind of beats the purpose because I don't think the law is created to make you spend more money.
I just think that the law helps you determine your priorities so you can take them.
So I'd rather have an organization do something than do nothing and be very pragmatic about it.

(36:41):
And that's definitely what we're focusing on.

Jordy (36:44):
So actually what you're saying right now is, hey, the NIS2 government or guidelines are there, but it's not for NIS2 that you should be looking at security.
It's just because you have to be secure.
We're not in the period anymore where nothing is happening.
It's every day there's something happening.

Michael (37:07):
Yeah, I mean that's wishful thinking to be fair.
Sure.
We look at it and we always say to ourselves inside the company, you know that, right?
Do the right thing.
Just make sure that you do what you have to do in order to secure your digital estate.
At the end of the day, do what you have to.
There's companies that really, really don't care.
So I'm glad it's a law because that law kind of forces them to do stuff because if not, there's a law that tells you you're breaking a law.

(37:34):
So I'm happy that it exists as a stick, but look at it as a carrot.
Right.
It helps you focus on the things that you need to.
It has to become a mindset of doing the right thing.
Now why is it wishful thinking?
Look at GDPR.
When it was introduced, everyone was like, what is this thing?
It's a nuisance.
Now I don't entirely agree with the law and all the specifics around the GDPR law and all the things that you have to do, it's too convoluted, it's too complicated.

(37:58):
Which is why lots of organizations today still don't do it.
Right.
However, aside from how difficult it can be to achieve quote unquote.
Again I use that term, quote unquote quite a lot.
But aside from that compliance with GDPR, the challenge is that lots of organizations, they just don't give a fly.

(38:20):
That's a problem.
And we need to address that plot and problem.
And again, the law, the NIS2 law, regulation kind of addresses that.
If you are someone who really doesn't care, then they have that big stick that they can hit you with.
They could.
It's a law.
There's lawsuits, there's procedures.
I'm going to wait patiently for the first case where some fines are going to be written to companies and how they will respond, because only then will we see other companies sometimes move and do the right thing.

(38:55):
We saw the same thing with GDPR.
I'm not, you know, I'm hopeful that it will be different this time, but I just know that some organizations will only, you know, really do something about it or really do what they have to once, you know, it becomes real.
Now, this being said, there is a balance to strike.
As a business owner myself, when I see what we spend just on cybersecurity alone, I don't think that makes economic sense.

(39:20):
I'm ingrained with a sense of urgency, ingrained with a sense of rightfulness that, hey, this is the right thing to do.
But from a business perspective, I'm pretty sure that some business owners would be like, well, why the F do you do that, Michael?
Because you're just throwing away 50k this year in profits because you did this and that and you could have done without.
And the answer is, yeah, probably so.

(39:41):
There's a thin line to walk between what's doing too much, what is doing just enough, and what is doing too little.
And that's something that every business owner kind of has to consider for themselves.
The law doesn't say that you have to spend more money on security.
It says that you need to do the things that are reasonably within reach and possible.
And there's a bare minimum that you have to do, obviously, right?
You have to invest something into becoming secure, because that's the reality that we live in.

(40:06):
But I don't think it means that you have to overspend.
And it's very simple to start overspending.
Just take a look at some cybersecurity solutions out there, because everyone's riding the wave these days.
There are some solutions that are way overpriced, in my opinion.
But that's just capitalism and economics, I guess.
True.

Jordy (40:26):
We already mentioned services that The Collective provides.
Are there also, or can customers contact us for any assessments?
Can we help them with the risk assessment, for example, or so?

Michael (40:38):
Yes and no.
Right.
When it's pragmatic, then we're more than happy to help kind of navigate them the right way.
But will we do the full risk assessment of their environment?
Will we do the whole paperwork and stuff?
No, I think there's other companies that are better suited to do that when they need a pragmatic approach.
I'm more than happy to walk them through the tooling that we use and how we do things and kind of set them up their way in order for them to do it in a, I'm not going to say lightweight, because our ISMS, right, our information security management system, is very thorough, but it's well thought out.

(41:08):
We are a small company.
I don't have, you know, hours and hours a week to go through everything.
So I need to have a pragmatic system that helps me do the right thing.
More than happy to share that with anyone and to show them how we do that so that they don't break the bank and they do what is needed and they do it really well.
But I can imagine that there are certain types of companies that need much more help in drafting policies and creating policies and building an entire risk framework that works for them and across the organization. I think there's other companies better suited for that.

Jordy (41:37):
Okay, thank you very much, Michael, for your time.

Michael (41:39):
My pleasure.

Jordy (41:49):
For everyone listening, if you only do one thing after this podcast, just map your incident report chain now.
Ensure your logs are all centralized.
Check supplier access, what vendors have access to your system.
And if you want, just contact us.
We can help you leverage the Microsoft licenses that you have to see if you already can use some of the software to help your journey on NIS2.

(42:13):
So that brings us to the end of today's episode.
Again, a big thank you to you, Michael, for sharing your valuable insights and of course, thank you all for tuning in.
We hope you found today's discussion helpful.
If you did, don't forget to subscribe and share this with your colleagues, helping us reach more people who are just as passionate about building a safer digital world.
We'll be back next time with another important topic in corporate security.

(42:36):
Until then, stay vigilant, stay secure, and let's keep working together to shape a safer future.