
Securonix SIEMple Talks
Join Augusto Barros, VP of Product Marketing at Securonix and former Gartner analyst, for insightful conversations with cybersecurity leaders. SIEMple Talks explores the ever-evolving landscape of threat detection, investigation, and response (TDIR) with a focus on SIEM solutions. Gain unique perspectives from Securonix customers, partners, and industry experts on navigating today's security challenges.
Cybersecurity Challenges in Small Teams
By exploring the complexities of cybersecurity in a law firm, we gain insight into the unique challenges faced by small teams managing sensitive data. Tim Thornsberry, Director of Information Security at Steptoe & Johnson, shares his experience navigating these waters with limited resources.
• Introduction of Tim Thornsberry and his role at Steptoe & Johnson
• The unique cybersecurity challenges faced by law firms
• Managing threat detection with a small security team
• Embracing automation and AI in cybersecurity
• The value of generalist skills versus specialization in cybersecurity
• Advice for professionals in small security teams
Augusto Barros:Hello and welcome to another episode of SIEMple Talks, the podcast on many topics around cybersecurity by Securonix. I am your host, Augusto Barros, and today we have Mr. Tim Thornsberry, the Director of Information Security at Steptoe & Johnson. I have many interesting things to discuss with Tim, and just for us to begin, I will ask him to introduce himself and tell us a little more about what Steptoe & Johnson is, what type of business it is, and his role in that organization. Hello, Tim.
Tim Thornsberry:Hello, good morning. How are you?
Augusto Barros:I am good. So tell us a bit more about Steptoe & Johnson, your role there, and what keeps you awake at night.
Tim Thornsberry:So, as you said, I'm Tim Thornsberry, Director of Information Security here at Steptoe & Johnson. I've been with Steptoe a little over three years now. I came on board as just a security analyst and then took over the director role within the last year. I've been in the role a little over a year now. We are a national law firm. We have multiple offices across the United States and we are constantly improving our security. We end up talking to people or organizations in industries like financial institutions, healthcare, manufacturing.
Augusto Barros:Those are very often in the news when we see breaches, or when we think about potential threat campaigns. Of course, we immediately think about banks, the cyber criminals trying to get money through fraudulent transactions from a bank, or stealing huge amounts of private information from healthcare insurance companies, for example. But I'm curious about the cybersecurity environment and the challenges in a law firm. So what would normally be the major concerns, the threat models that you have to keep in mind when protecting a law firm?
Tim Thornsberry:Well, that right there is what keeps me up at night. Working for a law firm, we have multiple practices handling multiple types of data, so adhering to all the standards and guidelines and stuff like that is a challenge because we handle so much. So that would be the challenge. Yeah, we're not limited to just financial data or HIPAA information. We kind of spread it across all areas.
Augusto Barros:Perfect. And one thing that I often notice about law firms, even the large ones like Steptoe, which I think has almost 20 offices around the country, is that the IT footprint is usually not as large as in some of the other industries that I mentioned before. It's a leaner presence, let's say, from the internet point of view and in how much technology is used as part of the business, and that naturally points to smaller security teams than in some of these other industries. So I wonder, is this an additional challenge for you, to have to keep up with cybersecurity efforts and managing risk with a small cybersecurity team?
Tim Thornsberry:Yes. For example, when I came on board, I was the first security analyst to come on board. The role of cybersecurity was kind of spread throughout the IT department, so they realized that they needed to adapt and grow. So we are constantly doing that. I brought on another security analyst to help me grow it and, of course, the assistance of the Securonix SIEM. It is a challenge being small, but I think leadership and the culture is starting to realize that no one is safe in the cybersecurity realm, so they need to do a better job of managing it and providing the right resources to do that.
Augusto Barros:Perfect. And one thing I noticed with organizations that usually have a leaner IT environment is that they often rely heavily on managed security service providers, especially for the threat detection and response part, like security monitoring et cetera. And as far as I understand, you've been running that practice internally, right?
Tim Thornsberry:We do use some managed service providers, but of course with that managed part, you know, the cost starts to climb. So you've got to balance that act between how much you want to manage cybersecurity-wise or IT-wise in general and how much you would like to bring in-house. So it's not always feasible to go the managed route, but sometimes that's the best option when you're a thin team.
Augusto Barros:Right. And when we have many things in-house with a small team, one of the common barriers is the skill set, because we're looking at governance, risk and compliance, risk management, application security, data classification, security policies, and then we also start getting into the realm of the technology, so hardening and patch management. Then, when you look at the core of what I normally pay attention to, due to where Securonix is, the threat detection, investigation and response part, it is a very diverse and broad skill set that is required to cover all the bases from a cybersecurity point of view. How do you manage that? I imagine that there are probably two routes. One is relying more on service providers, so you can offload to the service provider some of those functions for which you do not have that skill set. Or there is the alternative of having very capable resources that have a very broad skill set to cover all those bases. But that type of resource is not very easy to find in the market, and when you find people with that kind of skill set, they can be quite expensive. So how do you handle that challenge?
Tim Thornsberry:You're exactly right. Skill set is a challenge, because I would say my background is more the broad scope of things. I wouldn't say I'm specialized more in one thing than the other, and the same goes for my fellow teammate. So maintaining the knowledge base and stuff like that is continuous. It never stops. It's always changing as well, so it makes it even more difficult to keep up with it. But we still employ, or not employ, but task out some help with our networking side and stuff like that. It is a group effort for us to ensure our overall IT infrastructure and compliance. Yeah, the training is ongoing. I would like to have specialized people, but you know, once you start getting specialized, then you start going down a narrow pathway and they only do certain tasks. So for us, being a small team, having a broad skill set is invaluable.
Augusto Barros:Yeah, and it is interesting to see that, because we very often see debates about cybersecurity careers, and sometimes I believe professionals have the impression that they need to specialize, or to get very deep into certain areas of the cybersecurity realm very quickly, to allow them to have a fast and sustained career progression. But there's still a lot of room for generalists, and I think the profile of your group, for example, is a perfect example of that. A generalist is very important because you have to cover multiple bases, and there's no point in having someone that is highly specialized in disassembling or reverse engineering Android malware if you still need to look at all those other things like patch management and security policies and so on. You need more of a broad coverage than a deep one. But what happens if you need that deeper view? How do you prepare to handle situations where you may need, for example, a deeper investigation, more advanced skills in incident response or investigation? How do you handle those situations?
Tim Thornsberry:Well, if they were needed in an expedited fashion, we would probably outsource to one of the many reputable vendors to bring on that specialized skill set for the duration of it. If it's more of a planning-phase approach, we would probably provide the resources to get the proper training, not necessarily to direct someone down a focused skill set path, but to bring that knowledge onto their general basis. So we would try to find the resources depending on the situation. It doesn't always work like that. Sometimes you're learning on the fly, but it is what it is.
Augusto Barros:Let me try to bring the conversation a little closer to the SIEM space, because one of the things that I find interesting is seeing a SIEM being used by an internal security group that has a very small number of resources. Very often we have conversations where we say that you need a lot of people to run a SIEM and properly get value from it. But in your case you have a small team and you're getting value from it. So what is the secret? How can you get value from a complex security component like a SIEM with a small number of resources?
Tim Thornsberry:My best example would be: find something that has a lot to offer out of the box. It might not be everything you need, or it might be overkill for what you need, but something that you don't have to spend countless hours worrying about the implementation and the setup. With a small team, you want to look for something that you can manage more efficiently and fine-tune, rather than going through the whole setup process. Because, like you said, some require tons of resources and there are others that are pretty much plug and play, and you're more concerned about the fine-tuning and adjusting it to your organization rather than a full-scale build of it. It makes it easier when you find what fits your organization best.
Augusto Barros:Perfect. Yeah, and that's a very good point, because I remember having conversations about SIEM with professionals from other industries and larger organizations, and many times they would tell me, "I don't care about the out-of-the-box content that comes with the SIEM, or the content that the vendor provides. The first thing we do here, when we get the SIEM in, is to disable everything or remove everything and start our dashboards from scratch, build our own content," et cetera. But that requires a lot of effort to go through...
Tim Thornsberry:Yeah, they must have the resources to handle that.
Augusto Barros:Right, right. But then I'm talking to someone in an organization where that out-of-the-box content is actually what enables you to get value from the solution. So it is interesting to see how there are such diverse expectations from the solution, and of course I can see how some organizations will opt for different products depending on their needs. From the automation side, I think since I started tracking SIEM we had some basic automation that was part of the solutions, and then we saw the convergence with UEBA, and then later we started seeing the convergence with SOAR. I believe that at that point the SIEMs started to become more capable of automation, taking actions after a certain condition or a certain incident happens, or a certain type of alert. So for your specific environment, how much does automation help you manage threats in a way that doesn't require you to increase the number of resources?
Tim Thornsberry:Yeah, greatly. I would say the automation component of it greatly assists in the overall managing of it. Like I said, well, as most people, or as everyone in the cybersecurity field, says, don't stick with the out-of-the-box stuff, always change up settings and stuff like that. But with that out-of-the-box stuff, it gives you that baseline to work with, the automation baseline to work with. You don't have to worry about building rule sets, you just have to worry about fine-tuning them. The automation piece of it is great, and everyone's throwing AI out there nowadays, and it is beneficial in assisting with that automation. I still can't fully trust it yet, as we've been seeing with the news articles about the recent new AI that just came out. But yeah, automation is a great help, especially when you don't have a designated SOC to sit there and just look at it non-stop.
Augusto Barros:Perfect. Yeah, and I think we reached a record in the podcast: we touched the AI topic 15 minutes in. I think this is the record. I believe it's been all over the news the last couple of days. I normally try to bring that up later, because it usually hijacks the conversation and we spend all the time on that. But now that we are there already, let me get into it. From a threat point of view, how do you think AI will affect the threat scenario that you have to deal with at Steptoe & Johnson?
Tim Thornsberry:Well, from utilizing AI for a cybersecurity standpoint, I think it can increase the speed of correlation and potentially reduce the risk of false positives and stuff like that. From an outside perspective, worrying about AI, it's the unknown, it's the lack of knowledge for the end users using it, the potential for data leakage and stuff like that. So it's a double-edged sword right now. I would say.
Augusto Barros:Right, yeah. We've been seeing multiple reports of AI being used by threat actors. There are still a lot of, let's say, expectations that these technologies will be used by threat actors in certain manners. Some of the most concerned professionals or researchers will say, oh, they are already using it, it's now in full-blown mode. I am probably one of the more conservative ones. Yes, if you're looking at generating good phishing content using deepfakes for identity hijacking, and trying to do social engineering with AI technologies like that, I think, yes, that's already something that is becoming common. But when you look into, for example, using AI to find new vulnerabilities, or AI to control the flow of an attack, I think that's still something that is probably possible. We're probably going to see that, but it's still far from becoming a day-to-day concern.
Augusto Barros:Now, one thing that you mentioned that I think is closer to our day-to-day headaches is the use of certain AI technologies by users, and then the data leakage and so on. How do you see a security group like yours trying to control or prevent data leakage by users trying to use those tools in their day-to-day? I think it is very close to when we started seeing cloud things, like the Google office type of thing, and then Microsoft also moving to Microsoft 365. Suddenly all our office tools went out to the cloud. So those that were concerned about data going to the cloud suddenly got desperate, because now the tool set that you use to generate and manipulate data is in the cloud. So it's very hard to keep things entirely contained in your own physical environment. And we are experiencing the same thing with AI. So, with the lessons learned from the cloud push of the past, how can a group like yours try to better control the flow of information to those systems?
Tim Thornsberry:I would say the ultimate challenge with using AI is how do you control it or contain it, and understanding what you're putting into it and how it's being used. I think that starts with the end users. For us, it's end user understanding, training, having good procedures in place on how people use it, policies, stuff like that. But ultimately it boils down to what the AI is doing with your information when you put it in there. There are some emerging AI companies out there that are providing containerized AI, or giving you the option to manage how it uses your data to learn, if you want it to use your data to learn and make it public or whatnot. Like I said, it ultimately boils down to how do you control it or how do you manage it, and I think that aspect of it is growing and getting better.
Augusto Barros:And I can see, from the law firm side, we're soon going to start seeing the agentic AI capabilities being used to build lawyer assistants that will work on behalf of lawyers and clerks and so on. So are you prepared for having that small army of agentic AI on your side, getting access to documents and sensitive content and working in a similar way as people in the office, and then having to figure out what it is doing, where the information is going, et cetera? It seems almost like a nightmare scenario for a security organization.
Tim Thornsberry:It is. It is. Right now we're limiting the use of it. We're exploring options: network security and endpoint security, restricting what they have access to, trying to just limit that exposure. We are, like I said, exploring options. I would say it's in its initial phases for 2025, but, like I said, it all boils back down to ensuring there's a good understanding of what AI is and what it's capable of and, ultimately, how it's used.
Augusto Barros:Right, yeah, fun times ahead for sure.
Tim Thornsberry:It's becoming more prominent. So it's one of those things: you either get out ahead of it now or you're going to be behind the curve.
Augusto Barros:It may not be the case that things are happening right now, but they will happen soon, right? So we need to work in advance so we are prepared when they happen.
Tim Thornsberry:Correct.
Augusto Barros:Tim, let me ask you, I think I have a standard question for all the guests here at the podcast. We very often look into cybersecurity and we are pretty good at finding things that are not working or not doing what we would expect them to do: blame users, blame certain pieces of technology, etc. But what I like to ask is, what is working? If I had to ask you what you think the cybersecurity community or the cybersecurity industry currently does well, what would you point to as what we are successful at? What have we become good at in cybersecurity?
Tim Thornsberry:As a tool set or knowledge skill set.
Augusto Barros:It can be anything. It can be a process, a practice, or maybe even a class of tool or solution. But where do you think we are doing well?
Tim Thornsberry:So EDR is great, I'd say. One place to improve, because it kind of goes along with the AI and stuff like that, is email security. I would say that's one area that can improve. The phishing campaigns are getting more sophisticated, and one thing that we've been seeing as a challenge that I'd like to see get better is the use of reputable domains for malicious reasons, and that's a hard thing to stop with email security right now.
Augusto Barros:Right, but I think you are pointing to things that we have to improve. If you had to point to something that you believe, oh, we are in a good state or we're doing a good job, what would that be?
Tim Thornsberry:I would say endpoint detection.
Augusto Barros:Endpoint detection.
Tim Thornsberry:Right yeah, With things constantly changing and evolving, I feel it's in a good state and it's doing a wonderful job at preventing a lot of stuff.
Augusto Barros:And you know, from a historical perspective, it's very nice to see, because about 10 years ago we were in a stage where, if we had to ask where endpoint security was, the responses wouldn't be good. There was a time when the solutions that we were using would probably be referred to as antivirus, or anti-malware, or what Gartner would call endpoint protection platforms. But we were not happy with them. They were getting bloated by adding a lot of things like removable device management, personal firewall, anti-spyware, all those things, and malware was still quite successful in getting into the endpoints and executing and elevating privileges and doing whatever malware was trying to do at that time. Then we started seeing the emergence of the EDR technologies, almost like a band-aid to try to address things that the endpoint security tools were not doing. And after that, EDR started to become so strong as a component of your cybersecurity architecture that it ended up being incorporated again into those big endpoint security packages, but it improved them in a way that today, like you're saying, we have the perception that we are doing a good job on endpoint security. So it's very interesting to see, in, let's say, 10 to 15 years, how our expectations, or our reality, in endpoint security have changed in this way, where we now see it doing a far better job than it was doing before.
Tim Thornsberry:Yeah, and I'll just put a thought out there, just something to consider, maybe get some feedback on. I think endpoint is a great tool, or endpoint detection, but now that we're moving to the cloud and things are not being done so much on endpoints, how is that shaping up for endpoint detection?
Augusto Barros:Yeah, that's curious, because every time we start getting good at something, we move away from that thing. You know, I remember I was at Gartner at the time when the pandemic hit us, and I would have calls with companies that were just finishing or working through their implementation of network detection and response, or network traffic analytics, and they said, well, okay, what should we do now? I said, well, do you have anyone working in your office? And they said no. So what type of traffic are you monitoring with these things? And there was nothing, because suddenly all the traffic that those devices, those technologies, were supposed to monitor was now outside the environment where those technologies were deployed. So it was a sad situation, where they had gone through all the effort of putting that instrumentation in, and then the traffic was not there anymore. The traffic moved somewhere else. And I think what you described about the endpoint is similar. You may not have endpoints to install EDR on anymore. And this may even sound like my commercial plug for Securonix, but I think it applies to any SIEM: that's why SIEMs are still out there and strong, because the SIEM is almost immune to these changes. Of course we need to be able to ingest data from new telemetry sources, et cetera. EDR, for example, became one of the most common data sources for SIEM. But the SIEM, because of its nature of being neutral to environments, et cetera, every time you have a shift like this, as long as you're able to direct the telemetry from those new environments, new technologies, to the SIEM, you are still able to have a certain level of monitoring, a certain level of threat detection capability being done by the SIEM. So what do you think about the SIEM role, considering all these changes in where the data is, where the users are working, etc.?
Tim Thornsberry:Yeah, now everything is shifting to, they call it cloud security now. So feeding the SIEM with the cloud security is extremely beneficial, because it's that single pane of glass, and now you're feeding this in with EDR, cloud security, and it's correlating those events. So, yeah, it's extremely beneficial.
Augusto Barros:You mentioned the single pane of glass. I think so many vendors have tried to sell that idea so many times that it became almost something bad to say. If you say, oh, we want to become the single pane of glass, you see the customer rolling their eyes. But I think the SIEM remains a foundational component of cybersecurity architectures. What it actually is, if not the single pane of glass, is the main pane of glass for most organizations out there, and I think that's why we end up seeing this stickiness factor where, as I say, the SIEM refuses to die. It may evolve a lot, but I think its role as the main pane of glass, and the very strong data gravity it has, with signals from all over the place, ends up making it a very important component of security architectures.
Tim Thornsberry:Yeah, and especially with small teams. Some organizations have the resources to set someone in front of their EDR console or their SIEM console or whatever other security console they may be using, network, whatever. But for a small team who handle multiple roles and tasks and projects, if you have that one place that you can go to, to at least start looking, it's a huge benefit, because then it drastically reduces your time switching between multiple consoles trying to correlate events and stuff like that. So for a small team, I'd say extremely beneficial, but for the larger ones, if they have the resources, you know, it's endless for them.
Augusto Barros:Perfect. So, Tim, we're getting close to our time. I want to first thank you again for joining us here on the podcast. But I also want to ask you the final question. For other people just getting into their jobs, in charge of very small security teams, and sometimes it's a single-person job in many places out there, if you could give just one piece of advice for them, what would that be?
Tim Thornsberry:Oh boy. If they're just getting into cybersecurity, I'd say learn as much as possible. If they're already established, go into an organization with an open mind. Don't go in with the mindset, oh, I'm going to change everything that's already in place to improve it or establish it. Learn the organization, learn the current infrastructure, their security posture, and get that base, foundational knowledge of it, and then find the gaps and start improving from there. If you go in with the idea of a full-scale change, it's not always met with the best intentions. It's about having an open mind and having a good understanding.
Augusto Barros:Right, yeah, I think that's quite important, and I think, especially for people that are probably in the early stages of their career in cybersecurity, sometimes they are so focused on cybersecurity itself that it's almost like they're trying to make the organization work for security, while in truth it's the other way around: we are enabling the business. We're not trying to make the business be a cybersecurity organization, and that's probably where many people have difficulty in understanding. We want to be invisible. If we could be fully invisible and transparent, and people did not realize that we are there, that would be the ideal work: protecting the organization without them realizing we are there. We know that's not possible. Sometimes our controls will bring a certain level of disruption, but I think that's the beauty of the thing, trying to do things while bringing the least possible disruption or friction to the business, while keeping risks under control.
Tim Thornsberry:Yeah, and you don't have to try to reinvent the wheel. The frameworks and the policies may be in place or they might be lacking some. So, yeah, you got to understand where those gaps are and work from there instead of oh, we're tearing everything down and we're going to build it back up.
Augusto Barros:That's right. Tim, I'd like to thank you again for coming to the podcast. It was a really fun conversation. Thank you, I hope to have you here again sometime.
Tim Thornsberry:Yes, thank you for having me. I appreciate it.
Augusto Barros:All right, and let's keep having fun. Cybersecurity is hard, but it's fun, right?
Tim Thornsberry:Very much so.
Augusto Barros:It's an ever-evolving world and it never gets stagnant. Perfect. Okay, thank you, Tim. Thanks everyone for listening, and stay tuned for the next episode of SIEMple Talks. Thank you.