Martin Hinton (00:06) Welcome to the Cyber Insurance News and Information Podcast. I'm the executive editor of Cyber Insurance News, Martin Hinton. And our guest today is Kimber Spradlin. She's the Chief Marketing Officer for Graylog. What does all that mean? Well, we're going to have Kimber explain that. But what we brought her in today to sort of center on was the need for clear communications in the broader context of cybersecurity. It's something we all need to understand. Every employee, every person is a part of that world. So without any further ado, Kimber, thanks so much for joining us today. One of the things we touched on in the recent article that we have featured you in is the importance of understanding. And we started with a really fun mention of your mom. We've all got moms. So tell us again what that means and how your mom and MFA relate to each other.

Kimber L Spradlin (00:53) Yeah, so of course, everybody loves to use the anecdote in technology of explain it so my mom or my grandmother could understand. I don't know why we never say fathers or grandfathers, but they're equally relevant, I believe. What we were discussing was really the upleveling of knowledge around cybersecurity. So that is, I think, one of the positives that I've seen. It's taken a lot longer than I would have liked. I've been working in this space for a long time. But my mom came to me, gosh, I think I was telling her about deep fakes and AI and how voices and video can even be cloned. And she was very proud to tell me that she had turned on MFA, multi-factor authentication, on all of her apps and devices. And so that was a big moment for me that she knew what that technology meant, knew what the acronym meant, and that she understood the importance of it.
And in many ways, I think that has been successful over all of our worries about passwords and educating people about the length of the password, the complexity of the password, because multi-factor authentication in many ways is easier, right? Putting it on their phone. And there's lots of evidence around it's not just children that are addicted to their phones. It's all age groups. And I know my parents don't go anywhere without their phones.

Kimber Spradlin (02:20) So I think it's not just kids that are addicted to their phones. There's lots of data out there that every age group doesn't go anywhere without their phone attached. So the beauty of multi-factor authentication is it is more secure and it's actually easier to use for people of all generations. So that's been a big win over the last few years.

Martin Hinton (02:46) So that sort of moves us into your role as a CMO, which is not Chief Mom Officer, but Chief Marketing Officer at Graylog. And one of the things that you discussed in the article we did was that you've spent two decades trying to convince everybody with sort of plain language about the need for this sort of thing. So take me through sort of what Graylog does and, you know, I use the phrase in human terms, I think, explain to me what happens because

Kimber Spradlin (02:55) Yeah.

Martin Hinton (03:15) This is one of those things that occurs and those aren't techie. All the things that make this work that are invisible to us and all the digital existence that swirls around us in a sort of way, really. These are things that happen all the time. And the Graylog, the log being the important part, is something that's involved with cybersecurity, forensic analysis, incident response, cyber insurance claims, these little bits of information, sort of like telltales or clues or data that can help understand what went wrong and how to fix it. And I don't know if I've got any of that right, but tell me about Graylog. Put it in your terms.

Kimber Spradlin (03:53) Yeah, so Graylog, the company, we offer log management and cybersecurity solutions, security information and event management. So those are the technical terms. Let's set those aside. Not everybody speaks geek that way. So really everything that happens in a digital world leaves a footprint. There are traces, there are sensors that the technical folks have installed everywhere along the way to try and figure out what happened. The reasons for that vary. Sometimes it's where was there a performance blip, right? Where did a transaction fail in a banking transaction, for example? Where did something take too long and I lost business if you're talking about an online retailer, so abandoned carts, right? There's all sorts of reasons. The area that I focus in is on the cybersecurity reasons, right? Who did what, where, when, how? And all of that is recorded in very different ways by different pieces of the technology. The applications record it differently than the hardware. Each piece of hardware records it differently. So your phone, your laptop, your computer records it differently than the server from the vendor that's providing you that service. And all of that needs to come together and talk to each other in order to uncover the story of what happened. The very, very basic example is something like user name. Are you Martin? Right? That seems very simple. And yet every piece of that digital footprint encodes it differently. So Hinton, Martin Hinton, underscore Hinton, user, user ID, first name, last name. And so all that data cannot tell the story if you don't bring it into one place and ensure that the system understands that that all refers to a specific individual. Martin Hinton.

Martin Hinton (06:10) So I'm hearing two things here. One is that you have to get all the things that are light together and combine them in a space where they can be all looked at.
You have to, before you do that, you have to make sure that the things you're bringing in a space are all the right pieces of data. One of the things we talked about in the piece was that, and you just said it very well, there's an enormous amount of stuff and some of it matters, but a lot of it doesn't. And that you need to coalesce the right information in a space and analyze it in order to understand what went wrong from any perspective, whether it's just a failed shopping experience or banking experience to a security issue. And the challenge here is that for security people, you get an enormous number of alerts and these things generate alerts and you have to filter out the noise. And Graylog's role in this is filtering out that noise so that we can focus on what matters, right? You see the tree, not the forest. Is that a, I don't know, a silly layman's way or Martin's way of putting it? That make sense?

Kimber Spradlin (07:11) No, that's really an apt description of it. It is an overwhelming amount of data. And we, in our industry, have run into some real challenges around that. Customers have been limiting what data they bring in, all of those log sources, purely for cost basis, both in their license costs, but also in the hardware to store that much data. And just process that data. Unfortunately, what that means is that they miss signals because they're just not bringing the data in to find them. And when things do happen and they need to go back and do an investigation, they will find that that data is simply missing. So we've been working really hard in this industry to provide a way to really bring a low-cost approach to bringing all that data in and then only processing the important data upfront, but retaining that full data set in case of investigation needs.
And those in the cyber insurance and insurance industry in general should definitely appreciate that being able to go back in time and uncover what happened is very critical and very important. So that is a key piece of what we do at Graylog. The other piece that we do is really try and combine that data. So it's not just a couple of things happened that trigger a security alert. It is combining that information with a risk-based approach around what is that alert involved and are there multiple alerts around that same entity. An entity being a human being, entity could be a specific device, a specific address, but is there something that provides some commonality to all of those alerts? And in that case, let's raise that threshold, that risk score. Then is that entity itself inherently important?

Kimber Spradlin (09:26) So it's not just about bringing everything together. It's also about finding out what is important in that information. So we've tied everything to a single individual or a single device or some other factor. But what is the value of that device itself? Is this the CEO in the company? Is it the CEO's executive assistant? So there's some inherent components there that also should be taken into account in calculating this risk level of a particular incident. So as you bring more and more context into the situation, you can lower the number of alerts into a singular alert that is, hey, we have a real potential incident here and this is worth investigating. And that does two things. That really focuses your security analysts into a real investigation, which actually gives them a lot of job satisfaction. It really engages them with their job because nobody wants to just sit around and turn off false alarms all day. That is no fun. And it ensures that what needs to be investigated doesn't get lost, the classic needle in a haystack. That is a really important component of what we do.

Martin Hinton (10:57) I mean, so I'm a history buff.
And when you talk, what I'm hearing is a scenario where it's the cyber breach that cried wolf, right? If there's too much, it just becomes, yeah, here we go again, the alarm bells going off. And we know this about even trained human beings. If they become immune to the alarm bells, they don't hear the ones that matter because they're always on. Being, again, in a very simple way, that it's kind of hard to comprehend because in this environment, we're talking about what number like thousands and thousands of data points that may have nothing to do. You made a really interesting point that it steps outside the technical part. It's who's impacted. You know, obviously if you're, we know this, that C-suite executives, CEOs, people with access to huge parts of the network are targeted more frequently. So, you know, it's quite likely that something that's happening to someone who's higher up the food chain, if you will, or senior to people so that they have a purview and a view digitally within their environment. If their alarm bell goes off, that should get your attention, right? They're a higher priority target because they create more vulnerability if they're compromised in a digital sense. Is that sort of the one we're talking about?

Kimber Spradlin (12:15) Yeah, and it's not always the obvious. The C-suite is fairly easy. Anybody in accounting, in the financial, in the legal departments are fairly easy. But there's a phrase that we've borrowed, and I don't remember its original source, but we call it very attacked people. And the attacker community is pretty intelligent and pretty smart.

Kimber Spradlin (12:40) It's not always the obvious. I mean, yes, of course, the CEO, the legal, the accounting department. But these threat actors are very intelligent. And they've learned about certain low level positions and employees can be a very good entry point. And so we've borrowed a phrase that is very attacked people.
And so you start to look for patterns where it's not just the obvious. It is those that are kind of getting hammered or that are an entry point or a gateway into a deeper level of access into the system. Those are some of your critical components to really think about when you're looking at your overall security. Don't just tackle the obvious, go where the data leads you.

Martin Hinton (13:33) All of this information in the wake of an attack, and we know that there can be often a long tail from when a breach occurs to when it's noticed and that sort of thing. All of it becomes important with regard to the compliance of an insurance policy in the cyber insurance world. The retention of data matters. One of the things that's a big deal is that this data, while we think it's all ones and zeros and just floats around in the air, actually storing it somewhere can be quite expensive and it requires real money, it's not some make believe sort of thing. So talk to me about the role this process plays in compliance and retention and cyber insurance coverage and that sort of thing.

Kimber Spradlin (14:14) Yeah, yes, depending on your cyber insurance policy, what industry you're in, where in the world you're located, that all combines together to give you different profiles for how long you need to retain this data and which data you need to retain. But it is, it all adds up to, even small organizations can find themselves storing terabytes worth of data if they're meeting all of their compliance requirements. That by itself can be very, very expensive. Storing it in a way that's accessible if you do need it, just in case. And then having very high storage costs for just in case data is a really hard pill to swallow. So what we're working on is providing that in what is known as a data lake is a very low-cost kind of semi-pro state of data. There's enough processing of the data that when you need to retrieve little bits and pieces of it, you can.
You can go find just the pieces you need to conduct an investigation or to prove compliance during an audit, but not so much that it's been heavily processed, that it's incurred a lot of cost, and then that allows you to store it in a very inexpensive storage location.

Martin Hinton (15:45) Got it. When we say storage, is storage either on tapes or the cloud. There's a variety of ways this can happen. And depending on how much the prices can go, I mean, it can be quite high, can't it?

Kimber Spradlin (15:59) It can. I mean, depending on what we call cold, I'll keep it simple, cold, warm, hot storage. Hot storage is stuff that you want instant access to, right? When you click that button, you expect that data to come back immediately. That is obviously the most expensive and that can run in the dollars while the cold storage can be in the pennies. And the trade-off is generally performance and how fast you retrieve that data.

Martin Hinton (16:33) You touched on one of the things that we've seen in the cyber insurance and cybersecurity space is that a lot of smaller and medium sized companies underestimate the threat that they face. And as a result, I guess their resilience is less where it should be with regard to cyber attacks. When you look at smaller medium sized organizations, are they under collecting or under retaining any particular types of data? Are they making any sort of mistakes that if you're watching this and you think, I don't even know or what should I check? Is there any practical advice you could offer someone who's not sure about what they're doing or maybe not as a question?

Kimber Spradlin (17:10) Yeah, depending on your size, the smaller organizations, you probably want to look to an MSSP, managed security service provider, somebody who has expertise and who does this for lots of small businesses. And they can give you good advice and they can handle a lot of the complexity on your behalf.
As you start to graduate up out of that zone where you're, you know, you've got five dedicated security analysts in house, right? You're starting to get into a little bit larger organization. Now you're, you're of course, wanting to collect all of your audit logs. And you're starting to make some decisions around your performance logs, collecting them, how long to retain them. On your performance log data, honestly, a lot of that you only need to take, you only need to keep that for 24 to 72 hours. You don't need to keep a lot of that performance related data. It is your authentication data, your audit logs out of all of your endpoints, the devices that your employees use that you want to bring in, some of your network logs, your network devices, your operating systems, and certain application logs. That is... not a small list, honestly. It doesn't take a very big company before that list gets to be pretty big. The other challenge is that many of us, and Graylog is a great example, a lot of the business applications that our employees use are SaaS-based, cloud-based applications. And we don't necessarily have access to those logs and that log data. So we can log the things that we control. And some of those applications provide us log data, but not all of them. And that is an area that is increasingly becoming a challenge. It's been a challenge for a while now, but it just continues to become exasperated.

Martin Hinton (19:28) Yeah, I mean, I mean, all of this part of me is thinking that there's a lot of minutiae here, but this is the sort of invisible existence that occurs all the time in everything we do in this global digital economy. Like it's all there. And if it's not working properly or it's not recorded properly, creates disruptions that create all that friction that makes companies less profitable, like makes customers more annoyed, makes employees frustrated and causes burnout.
It's again, like

Kimber Spradlin (19:41) Thank

Martin Hinton (19:57) Like I think I said to you, the idea that all this matters, even though it's invisible to us, is one of those things we just have to get our head around. And whether it's retention and compliance with your insurance policy or wanting to make sure customers have an efficient experience when they're doing whatever they're doing with the business you have, these things can create that in a way that it's important to know matters, even if you don't understand it, I guess, is the kind of how I think about it.

Kimber Spradlin (20:22) Yeah. Well, and the retention and the compliance didn't come from nowhere. In the cybersecurity industry, we always talk about there being a little bit of a fight between compliance and security. And being compliant does not mean that you're actually secure. But these numbers, these rules, these policies, they didn't just get invented out of thin air. They came about because of a lesson learned the hard way, right? And so that's how began to get written into these cyber insurance policies and become part of your PCI out of the credit card industry. There was a lot of study and a lot of thought that went into setting these thresholds of retaining certain data for a year, other data longer. Some of it is also based on older law, right? And so there's retention laws around how long to keep your tax records, how long you have to keep medical records if you're a medical provider. And as everything became digitized, those same laws just transported over, right? And so if you need to keep your physical receipts for seven years, then you also need to keep your digital receipts for seven years.

Martin Hinton (21:44) Yeah. I mean, you touched on sort of the next section and it's you've been, you've been a hyping since 1997 hygiene beats hype.
And so things like identity access and patching, like there are, you know, not unlike there might be whether our own physical beings, some basic things, you know, sleep, exercise, eat well, right? There are things that are, you know, standards that are not complicated. So I wonder if you could just touch on sort of that idea and, and how you might look at that within say the budget of a company and that sort of thing. So tell me about sort of these three pillars. I don't know. Is that a way to put it?

Kimber Spradlin (22:19) Yeah, yeah, in hospitals, it's washing your hands before and after every patient, drawing a curtain and shared patient rooms and things like that. So your basic hygiene will take care of 80 plus percent of your problems, right? And so identity and access. Are you who you say you are? That goes back to our very start of the conversation with multi-factor authentication. And thank goodness, the general population, honestly, thanks to Apple and Google and the Android phones kind of bringing this into their consumer commercials and incorporating security as one of their differentiated or one of their selling points has really helped in that. And then, do you have the right to access that information that you're trying to access? That takes care of a lot of things. Patching, staying up to date with your security patches, always a challenge, still a challenge, that has been in my top 10 list, like you said, since 97. And it wasn't new then. I mean, I was fresh out of MBA school with my accounting degree going into cybersecurity. And even then there were old hats talking about these sorts of things. So that's a big one. Employee education, these days, particularly with AI. It's getting harder and harder to detect phishing emails and social engineering. And that relies on humans. There is no technology that's going to 100% protect you from that.
And it's where most of your breaches happen is an employee clicking on something they shouldn't have. So those are probably your top things to address. Those are your hand washing items right there.

Martin Hinton (24:30) You touched on it just now when it comes to detection, whether it's AI or a math or algorithm check, what sorts of things with regard to detection in the language that you might see out of an LLM that's generated for an attack or whether it's a math-driven detection, what about that space?

Kimber Spradlin (24:52) Yeah, so those were all preventive recommendations. But we all know it will happen. No matter how much you try and prevent, it's going to happen. And even if you get very lucky and there is never a breach, you still owe your company, your employees, your customers, your partners monitoring to make sure. Because if it does happen and you're not monitoring, then now it's unlimited access for as long as the bad guys want to have that access, right? So threat detection is the flip side of that, right? We prevent and we also monitor for detecting. So that is a very critical component to bring into the equation. And that's really where Graylog lives. So that's the area I'm much more familiar with.

Martin Hinton (25:49) One of the things that we've talked about and touched on and you did just a second ago is the idea that cyber hygiene, cybersecurity is not just IT, it's not just your CISO. There is just like an office that people might have keys to. Everyone's responsible for turning off the lights if they're the last out the door or making sure that the door is locked. And then you need to scale security beyond a few people who have that specific day-to-day responsibility because the vulnerability, because we're all in the digital space at a lot of organizations you touched on employees having access to SaaS and clouds and all these entry points that exist as a way we have this.
And again, I don't want to sound too negative because the efficiency created by this sort of technology is, I mean, if you went back even 40 years, people would be like, what you can do what now? And I think that that's, it's really, really important that even email is this amazing instant communication. Obviously there are more instantaneous places, like I guess instant messaging once was and what do we call it now, Slack. So I want to talk about how you sort of, how do you do that? You know, I mean, when it comes to that sort of thing and getting people to appreciate the importance, not unlike mom of password managers and MFA and you touched on it just then and patching, updating, you know, I think one of the biggest undersells you see now is bug fixes is the reason there's an update to this particular app or software. And that could mean anything. I mean, may not, it bug could be, you know, I, I guess I'm curious about that part of it, like getting everyone on side to use the sports expression with this being something that we all have to be party to almost. And I don't like to use these analogies, but it's almost like a warlike footing. Like there is an adversary here who is very, very motivated. There's an enormous amount of money in being a bad guy or gal in this space and protection of a company or country or even your individual cybersecurity comes as a collective act, right? We serve together like a team and I guess I'm curious, what advice do you have about getting that message through to people? Because we know human beings and human error is still the great entry point. Social engineering attacks or whatever else it might be and you don't want to blame the victim but there is the ability to help people not become the victims or their company. So tell me about what you think about that stuff.

Kimber Spradlin (28:13) Yeah, it is the biggest challenge. It is fighting natural DNA level human behavior. It cannot be a once a year, check the box.
I read my cybersecurity policy. I signed it. I did a six hour training. Even at Graylog, despite a whole company full of cybersecurity professionals, we do security training, our certifications that we go through. It has to be very continuous. Unfortunately, it means a fairly strict posture. If you want to be really secure, you need to be pretty strict about employees not conducting personal business on work devices. That gets very hard on the cell phones, especially in industries where the cell phone is part of it. People don't want to carry two devices. There are ways to virtually segment and separate on the laptop and on the phone so that you can leave them. If you don't provide an employee an answer to their problem, they will find a way to work around your barriers. Best way is to provide them that convenience in some form factor that you have some control over and you can secure the business environment and really restrict what software they can install and what activities they can engage in. That is the very that's for your highly compliant industries or those that are you fairly at risk of if there was a ransomware attack, you know, not all businesses could sustain $100,000, a million dollar ransom. And they could be out of business if that happened. And so you have to have to protect against that. But it needs to be very continuous awareness building. I can't recommend enough hiring either if you have internal depending on the size of your organization, or it's not that expensive to hire an external company to do red team attacks, simulated attacks against your end users. There's nothing like accidentally clicking on a phishing email that's been put out by the company on purpose to try and collect up these, you know, to test the system. That lesson gets very ingrained and people take that lesson to heart and will change their behavior. But changing human behavior is the very hardest thing that you can do. And that's true on anything.

Martin Hinton (31:13) Yeah. Well, I, I mean, the message I've heard and I'm hearing you repeat is that you have to do it the right way. And even then it needs to be repeated and practiced like it might occur in the real world where you have a real sense of, I don't know, pain if you click on the wrong thing or you realize you got hoodwinked. The other message that ingrains is that it can happen to anyone. And I think that, you know, this is... part of it for me that really, really matters. Because you see from the CISO burnout stories that we see a lot to employees who talk about their own state of mind if they find themselves the person who allowed an attack to happen. And I've said, you know, this is one of the few spaces where it seems like blaming the victim is still something that happens with some regularity. And all of that moves the people who are incredibly sophisticated bad actors into a safer space, right? Like, you know, these... They're just who they are. But they exist in a world now with all the technology the good guys have, all the information about behavioral psychology and where to put the sweets and candy in a supermarket to get people to buy stuff they don't need. And protecting against that requires consistency, right? You don't go to the gym once a year. You don't just go to the doctor once a year. And you don't take your cholesterol medicine every now and then. That sort of routine. And the dedication or discipline to that routine is really, important. And the problem, I think, from a human point of view is it's just another layer. It's another piece that has to be added to an already full pie. Companies are busy. People are busy. When you see the things that work, is there an example of like, you sort of touched on it, but is there one, I know you don't do it once a year, but is there a 60 minute training program or something like that that exists that you think is particularly effective if done the right way and on a regular basis?
This follow-up when people don't meet the standard and that sort of thing.

Kimber Spradlin (33:14) Yeah, well, here's a little hot tip for your listeners. Be careful of unsubscribe links. You get those spam emails. We all get inundated with email trying to sell us things at work, or at least I know I do. And that is a favorite little tactic as you go to unsubscribe. And it's actually the unsubscribe link that kicks off the malware. So I don't live and breathe in the security education space so I don't have a particular vendor or program. There are a lot of frankly really good videos out on YouTube that you could bring together for your employees. I think in evaluating these short snippets frequently is important. It is important that they're well done and entertaining. Right, so to get your whole employee base, you know, we, we at Graylog because of these, this particular training system that we use, have all sorts of inside jokes about some of the characters that are involved in our training videos. And so Slack messages will definitely, though they'll be the occasional, hey, did you, did Didi get you, right? And so, so developing that kind of culture, obviously much easier to a company that is full of developers and security professionals. I, even I, running marketing, started in accounting and as a cybersecurity consultant before I moved over into the vendor world. So I will fully admit that we have it a little easier, but it is that kind of baseline cultural involvement that is critical. And then after that, it's following your standard adult professional education best practices that are pretty well known. And it is, like I said, continuous, short, engaging.

Martin Hinton (35:24) You make a really good point there.
One of the things that I've said to people who know I do this, they're like a lot of people, don't quite think they know it matters, and they've got the same password for maybe every streaming app, because then they can share it, and people don't need to know, and all that sort of thing. I often say, imagine you're called up onto the stage at a David Blaine or some other illusionist magic show, and he makes you think that he really knew what you were thinking, or what card you'd picked. You would never, watching that in the audience or being a participant in that as the person on stage, be able to discern what had happened to con you. But the history of people being conned by other people goes back hundreds of years. It's that idea that it's some new thing is something I always encourage people. If this isn't new, there are always going to be people who try and trick you and set aside that you're up against something that isn't. You just have to think about it a different way. And you made a really good point there, the idea that you almost gamify it. If you got conned and you're winning the, you know, like admitting you, you, can't believe Jimmy and a captain, he never gets hoodwinked by one of the characters you mentioned. That idea that it becomes part of the culture of a company to talk about why this matters is something that, you know, I've heard other people say, it really, I mean, I, from my point of view as a journalist stress the idea that if your company isn't cyber resilient as a part of its culture, your business is in jeopardy, right? The idea, particularly if you operate online, like every company does, but if you're in the retail space or you do a lot of business online, if you're not secure in that environment and you don't have a mindset within every employee that being secure is something we may be close to now, but it's a consistent thing.
Like you're never, I don't know, you're never, you're a runner, you always want to run a little bit faster or you're, you know, you've read a book, but there's always another book to read. There's always another thing you want to do or another thing you want to think about or another place you want to visit. It's a very, very similar thing. And that can feel burdensome, but it's the reality we live in and we live in reality. I just, again, like absorbing that, like you just described, it seems to me like something that is, you know, it's, it is work. It's not, it's not, it's not easy. Like you said, you have it easy to drive a security company, but it matters. And the idea that you sort of put the hardship in the light. Kimber Spradlin (37:21) you Right. Martin Hinton (37:47) and along with the solutions and you make people think, okay, we can get this done. Because I'm an optimist generally and people are brilliant. And I feel like this is a time where we can really dial up sort of people's awareness about this problem. You know, my 11 year old niece, one of my nieces, she goes to public school in New York and part of her health class is cybersecurity. Why passwords matter? Don't use the same one, MFA. And that idea that you sort of build it from the ground up. Whether it's a small company or large company seems like a great way to sort of make people aware of it, put it in the front of their mind, not a secondary thing. I sort of rambled on, go ahead, pardon me. Kimber Spradlin (38:23) Yeah, no. I love that that is happening in the school system. And I think it is an important part. And I find it interesting that that's part of her health class. And yet it really makes sense to me when I sit and think about it. And you start to think about digital literacy and how to know when somebody is asking you for information that they shouldn't be asking you for. The deep fakes are getting better by the minute. That is a challenge.
Martin Hinton (38:59) Yeah, you know, it's sort of a sideline, but it's a great point because I always, when she told me about it, I obviously didn't ask her, but I assumed it was an offshoot or an evolution of the security training kids were given for their digital lives was always about becoming the victims of some sort of predator, right? Like someone asking for something you don't want, it's not your bank account, it's photos of you and that sort of thing. But I wonder. I also, health class is sort of this big bucket now. I think we probably used to call it home economics, right? Like you can throw anything in there that people think you need to learn and the curriculum is, you know, 'cause health, what does that mean? It's everything, right? You know, health, what? Healthy bank account, healthy heart. Yeah. Yeah. So, but she, she, she's brilliant, but she really rattled off like all these things. I was like, I should probably have you on the podcast. Kimber Spradlin (39:37) Right? Mental health, physical health, yeah. That would be fantastic. That would be so good. Martin Hinton (39:53) I know it's an idea I've kicked around with their parents. We'll see. We'll see. So we've touched on a lot and we've encountered some technical issues. So I really appreciate you sticking with it. As we wrap up, is there anything we didn't get to or anything you want to touch on again before I ask you a couple of last questions? Kimber Spradlin (40:10) Yeah, well, I think we're going to wrap up with a little bit more on the AI topic because everybody's talking about it these days and we can't ignore it. Martin Hinton (40:19) Yeah, so. So when it comes to AI in this space, what are the things you think that matter, that people need to know? Kimber Spradlin (40:29) I think it's really important to understand, and this is me living down in the weeds, so we're going to get technical again.
AI, what we as consumers, as the general public think of it as AI, are these newly emerging LLMs, large language models. They're not mathematical models, and they're probabilistic models. They're breaking words down into partial words, calling them tokens, combining what's the next most likely token to go together. But again, it's a probabilistic model. And so the LLMs are really good user interfaces. I can see a world in which a lot of this pretty application UI, these websites and these mobile apps kind of go away. And you really just talk to what you want because those user interfaces are just about getting me to either an answer or a bit of enjoyment around a game or something along those lines. So that's great when we are dealing with language. The LLMs are hugely beneficial to me in the marketing world because I deal with language. Now I have to fight with them a fair amount to tone it down, get rid of the buzzwords, because they've learned from past corporate speak, right? And I'm a big believer in plain speak and being pretty straightforward with your words. And so that's great. However, there's another aspect that's kind of, it's been around for a very, very long time. We didn't call it AI. The geeks of the world will call it machine learning. And that's a very mathematical based approach. And so that is a very calculated approach. So when you're looking for a particular set of information. I want to know on a digital footprint basis everything that Martin did yesterday, right? I don't want a probabilistic. I want everything Martin did and I don't want to be unsure about whether or not I have everything that Martin did yesterday because I'm conducting an investigation. In our world, we have a big area called anomaly detection. So it is not enough to know Martin didn't type his password correctly eight times. And that set off a little alert, right? And now that contributes to the 10,000 alerts a day.
Those poor security analysts have to go track down to see if somebody was attempting to hack Martin's account or Martin just tried to log in without having his first cup of coffee. So in that case, you want a very mathematical approach. And that's not your AI and your LLMs. And I find there's a lot of kind of merging of those concepts and blurring of those concepts and overselling what an LLM can do when you really want a very mathematical approach to, hey, you know what? It always takes Martin eight times to get his password right. So this is not worth a flag, okay? But, you know, hey, this time it took 20 tries and then, okay, now that's out of normal. That is not normal for Martin specifically. For Kimber, it's different. Martin Hinton (44:10) Yeah. Kimber Spradlin (44:16) I have a very long, very complex password and I can type it without even looking at this point and I very rarely type it in wrong to begin with. So if I mess it up six times in a row, now maybe that throws a flag for me. And so that's an area that we're gonna have to work on as an industry is explaining that to people and not overselling one to cover up for the other. Martin Hinton (44:47) Yeah, well, you know, I mean, again, what we're talking about is very, very new. But one of the things that I know, I spent six or so years doing military history documentaries. And one of the things that I was able to do was, you know, be out in places like the southern Philippines with special operations and special forces like Green Berets. And I remember lying in a cot one night and, you know, in the middle of the jungle. And there was a Green Beret doing his... he was on the night watch. And I was watching him and he was just wandering around. And the next morning at breakfast, I was like, "You were sort of wandering around." He goes, "Well, routine is a death sentence." If you do the same thing every time in this space, it becomes predictable. And you sort of touched on this there.
If Martin always takes eight times to do his password and that's not a problem, right? We know that about Martin. That's Martin's telltale. If suddenly Martin's taken 25 or getting it right in one even to move the other direction, that is a giveaway. If he's outside his norm, then there's a chance that the person who's conducting that action Kimber Spradlin (45:35) Thank Martin Hinton (45:45) isn't who we think it is or isn't who it should be. And so these concepts of security exist in the physical world in a very real way. I mean, the example I've used in the past to extrapolate out is that MFA is like having an apartment door with a deadbolt and a second lock. And you have two keys. You've got to do two things to access the secure environment where your things of value are. That's easy to comprehend when it's your apartment and your dog's in there and maybe your stereo and your TV and your laptop. When you move it into an invisible space of ones and zeros, it's a little bit harder, but think about it like your iCloud and it's all your family photos since your child was born. Right. That's, that's the sort of way I think about it. Yeah. I mean, that's a really, really good point. The idea that there is, you know, the LLM thing is really, really fascinating. I have a joke, total aside. I think one of the reasons they write the way they do is because some of the early stuff they had access to, because they didn't have to worry about any copyright, was press releases. So that's why they write so much like marketing and press releases because they had a Kimber Spradlin (46:22) Right. you Martin Hinton (46:42) That's one of the things they could get, not having to worry about someone coming at them for copyright. And so they write every, like the superlatives are super, you know, that kind of thing. Well, that's really, really interesting. I appreciate it. So anything else before we wrap up? Kimber Spradlin (46:43) Thank you. I think we've covered a lot today.
I hope everyone learned a little bit about my world and it does overlap in the insurance world, cyber insurance in particular. And if you're making business decisions about risk and payback and ROI, you've got to understand what's sitting underneath it, as you said, that hidden layer below the forest in order to really understand and properly measure what level of risk you're taking. Martin Hinton (47:38) So I'm going to end with three quick questions. What hygiene habit to mandate tomorrow? Kimber Spradlin (47:44) Ooh, that's a good one. I'm going to go ahead and assume that you're implementing multi-factor authentication. Because most of your vendors have probably just about forced it to happen on your end users. And so I think my next one would be what we talked about quite a bit, which is the continuous education of the end users, giving them real world examples of deep fakes and phishing emails that are not the Nigerian prince and very obvious and easy to detect, but the ones that are a lot more sophisticated these days. That would be my number two. Martin Hinton (48:30) Is there one AI claim you never want to see again? Kimber Spradlin (48:35) We'll see if I'm proven wrong in the long run, but all of these claims about fully autonomous SOC security operation centers and fully AI security analysts, I am not comfortable with that at this point. I think there has to be humans involved, making some decisions, telling it what to look for, telling it what it got right, what it got wrong, making value judgments about how important or critical something is. I really think those claims are very overblown. And I think now, I mean, that's not to say that there won't be fewer humans needed. But there's always got to be a human oversight, or we just lose control and we lose visibility. Martin Hinton (49:33) Yeah. One retention rule that's worth the cost or the bill. Ha ha ha. Kimber Spradlin (49:41) Let's see, there's so many.
One retention is the year plus a day of retaining your audit logs. After that, I mean, obviously legally, if you must, you must keep them longer than that. But we have seen so many attacks in which the attack wasn't uncovered until three, six, nine months that they had been poking around. And if you really want to learn how they got in to begin with and what damage and what path they followed along the way, because they didn't start with the crown jewels, right? They didn't walk right into the vault. They started somewhere else out casing the building, we'll take the bank robber analogy, right? Observing where the cameras are located, observing the guard rotations, power utility usage, all those sorts of things. And so if some of these are low and slow, and so if you don't retain that log data for a year and a day, maybe 13 months, you're very likely to be unable to have a full traceability around what happened. Martin Hinton (51:03) I mean, you touched on it again, and I keep doing this, but you keep inspiring the thought. The inside bank job or armored car heist, they don't convince the inside man the day of the robbery. They convinced them a year earlier, six months earlier. And seeing that first phone call or getting the security camera or the credit card receipts from the first time they met at a bar and bought beer or whatever it was, that's how you understand what the hell went wrong. Kimber Spradlin (51:26) Faking a background, getting a job with the company. And so that is fairly important on the cybersecurity data. Martin Hinton (51:39) Yeah. Well, Kimber, thank you so very much for the time. It's been a real pleasure to chat. And again, thank you very much for working through the technical errors. We'll have to check the log to figure all that out. Kimber Spradlin (51:49) I appreciate it, Martin. I really enjoyed it. Thank you. Martin Hinton (51:54) Well, Kimber Spradlin, the Chief Marketing Officer for Greylog. Thanks again for all the time.
I'm Martin Hinton. This is the Cyber Insurance News and Information Podcast. If you've got a question or you're wondering about something we touched on, it's probably down in the show notes. If you've got a question or anything like that, throw it into the comments. And when I can't answer, I'll revert to Kimber and try and figure out if we can. Very, very grateful for the time today. Thank you so much. Enjoy the rest of your day.