In this episode of Modern Cyber, Jeremy Snyder talks to Steve Stratton, a seasoned cybersecurity expert with a diverse background spanning military service, US Secret Service, and software development for classified data transfer. They discuss the evolution of technology from analog to digital, the emergence of early cyber threats, and the complexities of modern cybersecurity. Steve emphasizes the importance of adaptability, the role of social engineering in early cyber attacks, and the need for cybersecurity vendors to integrate seamlessly into the customer's environment. The conversation also delves into the nuances of cross-domain solutions, high assurance systems, and the cost challenges faced by private sector organizations in implementing these technologies.
About Steve Stratton
Steve Stratton has had an illustrious career in cybersecurity, beginning with his service in the military, where he worked in White House Communications and as a Special Forces Senior Weapons and Communications Sergeant. He later joined the US Secret Service before transitioning to develop software solutions for the warfighter and intelligence community. Steve holds a BA in Management and numerous technical certifications from Sun Microsystems, Novell, Cisco, and others. With extensive experience in cybersecurity, Steve is a respected advisor and author, contributing significant insights to the field, particularly in cross-domain solutions and high assurance systems.
Citibank Vax Hack: https://www.cybereason.com/blog/malicious-life-podcast-the-real-story-of-citibanks-10m-hack
Jeremy at Firetail (00:02.286)
All right, welcome back to another episode of the Modern Cyber Podcast brought to you by Firetail. As always, I am your host Jeremy. And today we've got somebody who is coming from a little bit of a different stage of their life and their career. And I'm really looking forward to getting into some of his experiences and some of the wisdom and the lessons learned over a really long and illustrious career. I am joined today by none other than Steve Stratton. And Steve has far too many qualifications and accolades and so on to get into.
But a few things I will share, you know, Stratton served in the military at White House Communications and as a Special Forces Senior Weapons and Communications Sergeant. He joined the US Secret Service, then left to support the war fighter and intel community by developing software solutions to access and transfer classified data and information. Steve has, I think, more credentials and degrees here than I'm really used to seeing from our guests, but a BA in Management, DEC Computer and Networking courses, Sun Microsystems, Novell, Cisco.
You know, I know some of these are vendors that we don't really hear about too much anymore today, but Special Forces, US Army Intelligence, US Army Combat Medic, I don't know where you found the time to get all of that in, Steve, but thank you so much for taking the time to join us today.
Steve Stratton (01:16.112)
Thank you for having me. I somehow got 26 hours in a day back then when I was younger. I don't remember how, but it was crazy.
Jeremy at Firetail (01:23.757)
So the physics has kind of morphed for you now in retirement as I understand it.
Steve Stratton (01:27.76)
yeah, there's a, well, I thought retirement would slow me down, but with advising, consulting, and then writing books, it's, my wife and I sort of have to check in and she's trying to retire from her business. So it's crazy. Fun, crazy, good crazy.
Jeremy at Firetail (01:42.156)
Yeah. Okay, well at least good crazy, that's what we like to hear. What I want to get into today is really kind of, as I said at the top of the show, learning from some of the experiences and the lessons learned over a career spanning the length of time that you did, because really a lot of change happened, I think, over the course of your career, right? We went from mostly analog and maybe just a few digital systems owned primarily by nation states to now everybody.
you know, including multiple devices in your pocket with you at all times. That must have been a massive technology landscape change to work through over those years. And I'm just curious, are there any kind of high level things that really struck out to you as threads or as topics and themes through that transition?
Steve Stratton (02:28.976)
Yeah, number one is being open to change, right? Not all change is good, you know, but like going from big fat, you know, cables as thick as my thumb to ones thinner than all of a sudden Wi-Fi and Bluetooth and other things like that. My adaptability to change and then to understand a bit about the technology and figure out why it might be useful was really helpful. So fighting change, you know, it's like...
you know, the whole futile, it's futile line. So change is gonna happen around you, digital transformation as we call it now. And you really have to understand it as you place it in your workspace, right? What's important to you.
Jeremy at Firetail (03:01.321)
Yeah.
Jeremy at Firetail (03:13.385)
Yeah, so you must have seen the emergence of some of the earliest cyber threats and some of the first kind of cyber attacks over your career as well, right? What were those experiences like?
Steve Stratton (03:24.592)
Well, you know, there was the Mitnick, so just plain up social engineering. I did it too. I didn't even smoke. Go out back where the smokers were, ask for a cigarette, chat people up. You know, next thing people are inviting you in. There were attacks that actually took advantage of printer memory back in those days with the big old green bar printers. And then the most, one of the more famous ones I was involved in.
Jeremy at Firetail (03:45.8)
Yeah.
Steve Stratton (03:54)
in working was a Citibank hack where a young lady asked a VAX administrator, you know, I really enjoy this and I want to learn this system. Could I get an account? And $10 million later, Citibank's wondering where their money went. So, you know, those days, you know, there just wasn't the, as the technology has gotten better.
it's also gotten more complex and therefore leaving more opportunity for things that aren't so physical maybe anymore. But we, you know, phishing is just another kind of, you know, instance of that kind of social engineering, right? So, you know, the old thing in a new way, so.
Jeremy at Firetail (04:22.567)
Mm-hmm.
Jeremy at Firetail (04:36.486)
Yeah. Yeah.
Jeremy at Firetail (04:41.03)
Yeah, it's funny, I just got finished with one of Kevin Mitnick's books about two, three months ago. And on the one hand, I found myself with a similar thought to you in the sense that I was listening or I did it as an audiobook and I was listening through some of the stories and I'm thinking, wow, that's just a ton of effort, you know, call after call and pretense after pretense.
into the phone companies and the police and the DMV and all the organizations that he went back to again and again. I think the IRS was another one that he used pretty frequently to gather information. And on the one hand, I was like, well, that sounds crazy exhausting. But then on the other hand, I was like, you're right. It is just kind of the back then equivalent of phishing and fleshing this information out of people through things like.
forged web forms and web pages that would be gathering the same information back to whoever's going to utilize it. So I think you're right about that. It really is just kind of the evolution. And I'm curious, you know, as we've seen these attacks and we've seen everything from printer memory, VAX, social engineering, phishing, et cetera, you know, I work for a cybersecurity vendor. We build a product around API security, but I know one of the things that you've mentioned is that, you know, by and large, a lot of cybersecurity...
companies or vendors, let's say vendors, kind of fail the customers in many ways. Where does that, what is that opinion? Talk to us about that.
Steve Stratton (06:07.696)
Chair, well, I was part of the crowd that wanted to build you a best of breed system. And we ended up with 13, 15, 18 different products that you would pay me handsomely to cobble together, glue together. And on the one hand, I think vendors are very focused. They've got to be to have a sellable product in the market. Your company focuses on API.
the companies that I've worked for lately have focused on this cross -domain space. And so you differentiate yourself, but oftentimes what can happen is that how it, how it gets implemented and would operate in the larger picture, right. Of a customer. So oftentimes I see that software vendors don't have strong consulting kind of input into the building of their product.
How's this actually going to work in the environment? How's it going to work if I've got Splunk or, you know, QRadar or different products, right? And so, you know, it's not that their products are failures because they address a certain part of security, right? You address API, somebody addresses web, other things like that. It's that how's it going to operate and then how do I make it simple to operate and interconnect with...
Jeremy at Firetail (07:05.506)
Mm. Right, right.
Jeremy at Firetail (07:13.634)
Yep, yep.
Jeremy at Firetail (07:24.994)
Yeah, yeah.
Jeremy at Firetail (07:32.642)
Yeah.
Steve Stratton (07:35.056)
my SIM and other tools. And so we went from that whole best of breed that thankfully now we're starting to see more platform thoughts, more focused on certain APIs and sort of common ways to interconnect and collect all this data, right? Than many of it, right? So.
Jeremy at Firetail (07:45.025)
Yeah.
Jeremy at Firetail (07:54.401)
Yeah.
Yeah, look, I think that's a really good point. And I think every vendor, maybe ourselves included, we would love to think that our customers are going to be in our product all day, every day. But I don't think that's the reality of how people work, right? Because, you know, very rarely is it the case that you're selling a product that is designed to be, you know, the eight hour a day product utilization, right?
you're really kind of looking out for threats as and when they emerge within a customer's organization. That can be, let's say in our case, that can be during the development life cycle of an API, or that can be in the production environment where the API is utilized. And really the reality is like, it should really just sound an alarm when something goes wrong. But I think to your point, that alarm has to be in the place that they're going to do their job day to day. So, your product is air running, doing its thing.
and your customer is kind of living in Slack or Teams or email or whatever it is that they're using really for kind of ongoing communication, or maybe they pick tickets off a queue or whatever, but you've got to kind of feed them in the environment where they're going to be working. Is that kind of the gist of what you're saying?
Steve Stratton (09:08.368)
Exactly. And then allow them to understand, help them understand that, and this is maybe where they're on board, they're on board consultant, whoever that might be, would help them understand, okay, where should that flow and priority? Because with a product like yours, the more you can do, of course, in production or development, it's like,
The harder you train, the less you bleed in war. So the more we focus on security first when building or integrating systems or building new software, the less time we're going to spend on the backside. But then placing it into that helping a customer, a good sales team, right? You've got a salesperson and a sales engineer and they're showing the product, getting a technical win, then looking at funding and all that kind of stuff.
Jeremy at Firetail (09:38.493)
Yeah, yeah.
Steve Stratton (10:05.488)
And what I really find helped our customers all through my career was to come in and talk about, okay, how will this overlay into your environment? What would that mean, right? When a range of things are going on and for example, if somebody's using your products to help support the Paris Olympics and they're getting four million hits a day, people trying to probe and attack their system.
How does that fit in? And so some of those higher level CTO, senior engineering discussions can be really helpful for a customer to understand that context. Cause you've checked all the technical boxes. They like the idea. They've seen it. Thank goodness. They've seen a gap and they need your product. And so what's that next step in the evolution of how they make use of it and create the ongoing value from your product.
Jeremy at Firetail (10:45.277)
Yeah.
Jeremy at Firetail (11:05.533)
Yeah, yeah, I think that makes a ton of sense. And it's such a valuable point that I really think, you know, vendors probably need to keep in mind a little bit more than they do when they're actually building those products. So I want to take a turn for a second and talk about a domain that I know you spend a lot of time in around cross domain solutions. For those who aren't familiar, including myself, what does a cross domain solution mean and what's the problem that it tries to solve?
Steve Stratton (11:30.736)
Right, so the NSA is actually the Department of Defense's security team. And it's a Department of Defense agency, the NSA. And there's another organization called DISA, D-I-S-A, we call it, and they're the IT managers, network managers, but NSAs are cybersecurity experts in the DOD, for example. And so they defined a need early on,
Jeremy at Firetail (11:47.933)
Yep, just that, yep.
Steve Stratton (12:00.944)
And it was a whole, we called it the rainbow series. It was like 16 books on all these subjects on how to improve the security of systems that were controlling the interfaces between networks that shouldn't touch. Right. So in the military, we have essentially three types of networks. There's lots of networks that go to coalition partners and things like that. But we have what we call the unclassed network, nipper net, the secret and the top secret, just in general terms.
Jeremy at Firetail (12:14.877)
Okay.
Steve Stratton (12:29.968)
And so there was an early model that was built saying you could move data up, but you can't move data down kind of idea. Yeah. Yeah. And, and so that interface between those, they started to define these products and they come in two flavors. One is an access product that allows you to connect to one or more of those networks. And you can see into those backend VDIs, you know, RDP, whatever you've got going, you know, Citrix, you know, VMware, whatever.
Jeremy at Firetail (12:36.797)
Move it down.
Steve Stratton (12:59.472)
You can see into those back ends and you can use in that window on your screen, you can use all those systems and you could get in like in the military intelligence, you can get drone feed, you can get audio, all that, but you're in that window and you can't cut and paste, you can't drag and drop. So those are access systems. They give you access, access only. Then there's another second, which is called transfer systems. And they're the ones that inspect the data when it's going low to high.
And also in rare cases when data is allowed, like we allow intelligence officers to send the warfighter at the secret level data for the intelligence brief. They will do what's called downgrade it, make sure they're not letting any sources or James Bond type information out, and then they'll send it down through a controlled interface. And the big difference is we talk about high assurance all the time. That
It's a very predictable, repeatable process that will either do exactly what it says or it will fail. So for example, in a guard, you will actually set up a security policy saying, I'm looking at this XML data or this data stream. And if it doesn't exactly match this, if there's one bit out, right, we're going to throw it away. And so, right. So there, there are, there are transfer systems that will transfer, right. Streaming data is easy because it's fixed format.
Jeremy at Firetail (14:17.821)
Yeah.
Steve Stratton (14:27.088)
It's the Word documents, the PowerPoints, the embedded everything documents that need further inspection. So we end up taking them all apart, checking the parts, checking, for example, for white font, right, hidden steganography, all these kinds of things. So I hate to use my bank as a great example, but when Capital One in your area right up there at the Beltway suffered that attack,
Jeremy at Firetail (14:41.949)
Mm-hmm.
Jeremy at Firetail (14:51.197)
Yep. Yep.
Steve Stratton (14:54.608)
If they'd had one of those transfer devices watching what was going to the cloud and back, they could have, you know, ensured that it was only that data. Had a higher assurance that it was only going to be that data that they approved that they expected to go up and go down. And so that is that, you know, there's a lot more to it, but it takes about a year of, and about a million dollars, over a million dollars to test one of these systems, to prove that it does what it does.
Jeremy at Firetail (15:10.781)
Yeah.
Jeremy at Firetail (15:23.357)
Yeah, you bring up an interesting point here and I've heard this phrase high assurance around, I guess, data classification in particular and around kind of the transfer of data, it sounds like, between these domains and the different levels of classification. Do you think that that is a paradigm that is easy for non-public sector, so for private sector organizations to understand and to embrace?
Steve Stratton (15:49.968)
I think the big problem, I'm not sure that it's hard to embrace, but the biggest problem is cost by a huge factor. So in the military, for example, in the services, let's say, the army, where I came from, these devices are few. There's enough to do the work and keep the mission running and keep people safe.
but they are few because they are such high threat interfaces. And if I was to try and do high assurance in every step of my, every place in my architecture, it would be very costly, right? I'd be doing testing, you know, just on every little bit. And the nice thing is with Zero Trust, if I start to use micro segmentation with some diodes or other things, you know, we can have some good effects where,
I don't have to, I can build these communities of trust, right? Like with Zero Trust and apply different levels of security. So if it's the CFO and the business plan, or it's the customer database, I can apply higher level security there. And then inside of customer service, the help desk, maybe I don't have to. The database that they're searching, yes. And...
One of the, I think that's something I don't hear a lot about Zero Trust itself is that you really start to talk about that understanding your data and labeling it, you know, whether it's one to 10, green to blue, whatever it is, different sensitivity. So you apply the higher level security at that high threat point, not just across the board where it would just be uncostly in your board. If you're a CISO, the board might laugh at you. So.
Jeremy at Firetail (17:26.685)
Yep, yep.
Jeremy at Firetail (17:38.717)
Yeah.
But it's really an interesting point because I understand government does it because it has to, especially across some of these activities like intelligence gathering, national security, et cetera. And yet when I talk to private organizations, they all have the concept of, well, we've got our data, but then we have our crown jewel data, the things that are really most critical to the organization. And for some that might be the CRM, for others it's like their intellectual property or their code or whatever it may be.
And yet rarely do I see to your point a kind of a different level of data classification, or then, you know, let's say a different level of data handling associated to that data. So there's gotta be some lessons that organizations can learn around that, you know, from maybe from taking, let's say that the good aspects of how it changes the way that you relate to the data. But I don't know if it's possible to do that without bringing on to your point the cost that it brings associated to it.
Are there any kind of like lessons learned or any kind of views that you formed in looking at this paradigm over time where you're like, you know what, we could actually shift that. And if you simplified it down to let's say crown jewel, not crown jewel, and you only have two levels, then maybe it's really easier or I don't know, I'm just kind of wondering what your observations are.
Steve Stratton (18:59.088)
Yeah, certainly. You know, it's interesting. There's a lot of international governments that are internet and government, right? And they don't have all that strata. Maybe some little portion of their military does, but like in Singapore, it's all the internet-based data they have, and then there's some sensitive government data. So the idea that you could use one of these controlled interfaces, these transfer devices, and a
I would throw in a diode, right? Because that way if some code gets in, it can't call home. It makes the code go one way. And you can use a separate guard. I would use a separate transfer device from a different maker on a different hardware platform. Diversity helps if they break one system, they're not automatically breaking the other one. And I would protect at that level. Like...
you know, on the Maryland side where all the big pharma is and the gene coding and all that, right? That intellectual property about that next billion dollar drug they're working on is pretty sensitive. So that's where I get nervous because firewalls are nice and we use them horizontally in the government, but we're not using them as strong enough security to like...
even have access within organizations. So we use firewalls and other sort of standard, whether if you're using Cisco, the security you can put in at the network level, all that kind of stuff. We're doing that horizontally and even now starting to implement Zero Trust. But that's not enough to, right? That's just hasn't proven enough to protect the crown jewels. And there are ways to...
Jeremy at Firetail (20:23.722)
Yeah.
Jeremy at Firetail (20:32.842)
Yeah. Yeah.
Jeremy at Firetail (20:46.122)
Yeah.
Steve Stratton (20:49.52)
further isolate that capability so people can get access and then you only transfer exactly what you think you're going to transfer out, you know, what you need out. And so, but it does take a different mindset, right? Then, okay, I'm going to use the Palo Alto, what I call platform now and plug all these products that they've got, plug your product in. I'm going to have this good baseline and then I'll just sort of.
Jeremy at Firetail (20:59.178)
Mm-hmm.
Steve Stratton (21:17.392)
you know, through IA, you know, authentication and stuff, identity, I'll just sort of restrict access over here. Because we have seen so many times that once the bad guys get in, going horizontal doesn't prove so hard for them, right? Once they've got one set of credentials, then getting horizontal is not so hard. So I think there's some good lessons to learn without having to go to the...
Jeremy at Firetail (21:25.768)
Yeah.
Jeremy at Firetail (21:32.84)
Right, right.
Jeremy at Firetail (21:39.592)
Yeah, and it's.
Steve Stratton (21:43.344)
the full we're protecting lives, like secret to top secret kind of thing. Yeah.
Jeremy at Firetail (21:46.985)
Yep, yep, yep, yeah. And it's interesting because when you think about two types of controls that you mentioned there and that we can think about, one is of course network control and the other one is identity-based control, we're actually increasingly living in a world where all infrastructure is software defined and it's actually easier than ever to add these layers of controls in. If you've ever spent time designing a VPC on AWS, you know that you've got...
I think five or six different filters and control types that you can add between subnet to subnet, and you can very easily define a hierarchical structure where you go from a less privileged to a more privileged subnet through both network controls and identity controls. And so, you know, I think that that point that you raise about thinking about it, okay, in this way really makes a ton of sense.
It leads me to my next question, which is, you know, if government's been thinking about this for a long, long time and they've been implementing systems like this, is there some level of government that is actually ahead of private organizations in terms of cybersecurity? Because like, you know, the common wisdom that you'll hear is, government, they move so slow, they're behind, they never have the latest and greatest, you know, and here in the beltway area, it's this kind of colloquial thing about everybody who wants to go after public sector. It's a three year slog.
before you win any business and you start really having anybody using your product, I don't know, you must have seen both sides of this over your time, right?
Steve Stratton (23:15.376)
Right, right. Both being in the government and then as the contractor to the government, you know, looking at and investigating these kinds of products. And, you know, it really on this high end of assurance, the government leads the NSA's, you know, there. So, like I say, literally for one of these transfer devices that does structured data, it's not even looking at, you know, Excel spreadsheets and docs and everything that can be embedded in all the word, you know, and stuff like that.
Jeremy at Firetail (23:19.686)
Yeah.
Jeremy at Firetail (23:43.846)
Yeah. Yeah.
Steve Stratton (23:45.872)
the, the amount of time the NSA will take, it's a solid nine months of testing, three months of documentation, out briefs, all those kinds of things, a whole chunk of money. But then you get assigned a risk rating. So even after that, the NSA may say, well, you could use this product, but you've got to do these things in the network or set it up a certain way. So, it's not like it's the products are no risk. They're just reducing the risk.
Jeremy at Firetail (24:08.102)
Right. Right.
Steve Stratton (24:15.984)
more than a traditional commercial product can at this point. And I often, when I was still working, I was talking to several folks like in the firewall space that, you know, we could take some of this code that we use and make it a sidecar. Cause they do a lot of, you know, marketing around the fact that they do a lot of inspection. But you know, that lot of...
Jeremy at Firetail (24:22.148)
Right. Right.
Steve Stratton (24:43.088)
inspection is only so far into the stack, right? It's not into the data stream. So at least it was when I was still working. And so there's opportunities for some of these companies to pick up on that with some of these vendors who've got these pieces of code that could, because a company I was at, when we came together, we actually ended up with the old Sidewinder firewall and then actually a finished firewall. So.
Jeremy at Firetail (24:57.156)
Mm-hmm.
Jeremy at Firetail (25:07.844)
Mm-hmm.
Steve Stratton (25:12.656)
It we looked at actually applying applying a sidecar. And so because we use sidecars in the transfer devices, like there'll be a sidecar that will check a specific, you know, like like Word documents. There's companies that will take it all apart, do that for us. So we didn't have to build that code as the head of product management. I could partner and save us time and cost instead of building code. And so.
Jeremy at Firetail (25:29.122)
Mm-hmm.
Steve Stratton (25:42.16)
There's definitely opportunity. The one problem that commercial has is that often these products are ITAR restricted. And that means that only U.S. personnel can operate them. Now you and I can, anybody can use the data that goes back and forth, but the person who touches and manages that system has to be a U.S. citizen. It's an international traffic and arms regulation. It's like, wait a minute, this is not a rifle or a missile going to Ukraine.
Jeremy at Firetail (25:56.546)
Mm-hmm.
Jeremy at Firetail (26:08.002)
Right, right.
Steve Stratton (26:11.44)
but it's the level of sensitivity about the code. And so that has been a, historically has been a roadblock, but a lot of the customer or a lot of the vendors are starting to make commercial versions of these products. And great example, there was a television organization, a broadcasting organization, I should say that broadcast a very serious event and was really worried about.
that transfer from production into transmission. And they were very seriously, we were a little bit late to this big event that they do yearly. And so didn't get put into the system, but they were very interested in that controlled interface and knowing that that's the only thing that's going into the transmission system, AKA somebody can't take over the transmission system through this route. So the opportunities there, and I think,
Jeremy at Firetail (27:01.057)
Mmm.
Jeremy at Firetail (27:07.585)
Yeah.
Steve Stratton (27:09.68)
I think, you know, the other thing that is, it's been interesting over the course of my career is also seeing the startup of, cause I worked with Chubb way back, on and talk to them about cybersecurity insurance. So oftentimes, right. Organizations will say, well, I'm going to spend this much on cybersecurity. It's good from a legal perspective. We're doing what we can, and then I'll ensure for the rest. Right. They're not going to.
Jeremy at Firetail (27:38.655)
right.
Steve Stratton (27:39.44)
their budget because insurance is cheaper. So interesting byproduct of the market that you don't have unlimited budget. There's a certain level to which an organization will go and then they'll insure for the rest of the potential threat.
Jeremy at Firetail (27:59.135)
Yeah, I think this insurance question, look, when you boil it down, and I've had this conversation on the podcast with many people, it's like, ultimately, you can never 100% guarantee security. And that is true for both physical security as well as cybersecurity. And I've had one guest on the podcast who said to me, you know, the safest computer in the world is the one that's turned off, unplugged, encased in a block of concrete and at the bottom of the ocean. And even then, I'm not 100% sure.
Steve Stratton (28:28.88)
Yeah.
Jeremy at Firetail (28:29.246)
Right? And you know, you could even concoct like James Bond movie type devices that are sonar scanners that can read, I don't know, you know, digits off of a disk and reconstruct a data set in scientific science fiction land or what have you. Right. But it is all about kind of risk management and understanding the level of risk that your organization is comfortable with. And then to your point, the insurance is kind of, OK, you know, these are the things that we're going to do that make sense, that make
since both in terms of we can still operate, but they cover the most likely risks or the risks that we're the most worried about. And then for the unforeseen circumstances, we get insurance. And it's actually very similar to how we think about driving, right? You know, we want everybody to be licensed. We want them to go through a level of training. They need to know how to follow the rules of the road. They should have cars that are inspected that are safe to operate, et cetera. And then we have insurance for unforeseen circumstances.
So I think like, you know, seeing the development of that and seeing that develop in the cybersecurity ecosystem has been really, really interesting to watch. I will say as somebody who has worked primarily in cloud and emerging technologies like cloud and API and so on for the last couple of years, I don't think that the insurance industry, the cyber insurance industry, has kept pace with the most modern threats and the ones that are, for instance, leading to some of the largest data exfiltrations and data thefts from organizations. When we look at a lot of cloud breaches, admittedly, many of them are caused by customer error in terms of leaving things accidentally exposed to the internet. And in the case of API breaches, it's almost always somebody leaves an authorization check either incomplete or omitted altogether. You know, these are massive data breaches typically. They expose entire data sets and they tend to be, you know, kind of 10 to 100 times larger than the average data breach. And I'm not sure that the insurance industry has really appreciated that yet.
Steve Stratton (30:30.768)
Yeah. And isn't it amazing? We talk exactly what you said. We talk that way about the physical world, right? After at a certain, you know, it's like, well, there could be a tornado, but we're in Montana. So, you know, it could happen, but the likelihood is not right. So we take that. And as we got into computer security, information security, cybersecurity, we brought that physical mentality over, like you said, to risk analysis, risk assessment. And then.
But similar thing, I mean, 15 years ago, I was at a bank in Texas. They had put out, it was after the Oklahoma City bombing and they had dolphins out there. Their security was top notch and they were barking about how good their security was. And it was an out-of-the-box password on a Cisco router that let me in in a stupid amount of time that they didn't believe. And I had to prove to them that, you know, it was a...
Jeremy at Firetail (31:25.242)
Yeah.
Steve Stratton (31:28.368)
Yeah, human error is still a huge part of that. And I think also something we've addressed lately or in the last five, 10 years pretty well has been privileged accounts, right? Privileged account access and then also monitoring of privileged accounts like the whole thing with, now I can't remember his name, but he's still in Russia. You know who I mean, NSA when he had access.
Jeremy at Firetail (31:55.351)
Snowden. Yeah.
Steve Stratton (31:56.656)
Yeah, Snowden, when he had, yeah, he was a database administrator and he had access to terabytes of data when it should have been split up. So.
Jeremy at Firetail (32:05.239)
Yeah, yeah, yeah. Well, Steve, you know, we're coming close. We've got about 10 minutes left in the episode. And I've got two things that I want to talk about still. One is I'd love for you to share with the audience what you write about, because I just looked this up and learned about it. And I'd love to hear more about it. But the other is I kind of want to hear there was something in your background when it was sent over to me that I thought was really interesting. We see a lot of people coming out of the armed forces into cybersecurity.
You went through a similar transition. What is it about that background that kind of, I guess, you know, brings people or gives people a motivation or an attraction towards cybersecurity? And what was that journey like for you?
Steve Stratton (32:47.12)
Well, back when I joined the Army in '73, I was a radio repairman that actually had to also operate the radios at the White House. And the president traveled all that. And just over time, I went from there to the Secret Service. Now I'm off of radios. Now I'm into security systems. And I remember in 1980, when I left, they were just trying to computerize the physical alarm system around the White House.
And it was an IBM project. And so, you know, a month later I'm on a Commodore 25, Vic 25 or a Commodore 64, I forget. And I just, it's like, computers. Look what we can do. You know, and I just being a techie and definitely nerd before nerd was the word. I just got into this, I got excited about this new opportunity and now.
Jeremy at Firetail (33:31.67)
Yeah.
Jeremy at Firetail (33:37.942)
Yeah, yeah.
Steve Stratton (33:42.8)
I ended up being like, like I said, Novell, DEC, some of this Sun. But along the way, I would just go visit other people. And it's like there was a guy who was working on a security assessment for an IBM mainframe when I was working at one place. And I'm like, what's that? And so curiosity, you know, didn't kill this cat. And that's sort of how I got into information security. The...
I've done several podcasts and I'm a big proponent of military people going into cybersecurity because number one, they're used to following SOP, right? Standard operating procedures, they're used to usually, whether they've been in combat or not, they're used to some stress. And not everybody in cybersecurity has to be a penetration tester, a hacker. Like I was in product management, gathering requirements, helping...
Jeremy at Firetail (34:18.995)
Right.
Steve Stratton (34:38.928)
work with the developers. There's just a lot of opportunity. And as you well know, we are critically behind in cybersecurity staff. And I know a gentleman, he was an actual gun shooting Ranger. He worked for Ground Branch in the CIA. I mean, these are not techie guys. These are get it done kind of guys. And in New York, he was able to get a mentorship kind of idea that...
Jeremy at Firetail (34:47.603)
Yeah. Yeah.
Steve Stratton (35:06.032)
He went through the course for the company and he did well on the final test and they gave him a job. And now he's like doing, you know, intelligence, you know, cyber intelligence work and stuff like that. And also learning about the systems. So there's great opportunities for veterans, for anybody actually, it is, there's a huge gap between the need and the number of employees, you know, in the space for sure.
Jeremy at Firetail (35:15.635)
Mm-hmm.
Jeremy at Firetail (35:32.531)
Yeah, yeah, yeah. And I see one of your books over your shoulder there. So I just have to ask, you know, tell us in as much detail as you like. I know you don't want to give the book away and I encourage everybody to go check it out. But what can you tell us about your writing?
Steve Stratton (35:49.04)
So, yeah, when I was in Special Forces, we supported seven Special Forces down in Colombia, Ecuador, South America. So I did training missions with the Colombian Army and did counter drug missions and such. So I used that experience to write a series. My protagonist is Crow Indian. I wanted somebody who thinks differently, comes from a different background than another Navy SEAL.
Love my SEAL brothers, but wanted something a little different. And then I put him in harm's way right away in the first book. He's with his parents in Puerto Vallarta. They're coming back. They're heading back up 15 to Tucson when they stopped for lunch. And it was a bad idea to stop for lunch and his parents get killed. So it's a revenge book. I tell everybody it's really easy to write a revenge book. There's one thing on the person, one thing on your good guy's mind, but.
Jeremy at Firetail (36:42.642)
Okay.
Yeah.
Steve Stratton (36:46.8)
He comes through it, he goes through darkness, he comes out the other side, and they end up creating a unit around him that is a counter drug unit. And it's 1998, so I had to remember all the gear we had and didn't have back then. Yeah, so the second book takes place in 2003, now we're in Afghanistan, and the Taliban's making $400 million off of heroin. And the president says, I need this for administration, you need to go stop that.
Jeremy at Firetail (36:59.152)
Yeah, yeah, yeah. Yeah.
Jeremy at Firetail (37:08.912)
Yeah.
Steve Stratton (37:15.472)
So that's the second book. And then I just released, yesterday I released a novella that's called The Warrior's Path that is the origin story for Lance Bear Wolf, my good guy. And yeah, and so I've got another book coming later this year. That'll be book three in a series. So, you know, if you're interested in El Chapo's not in a Colorado prison in my series, not yet.
Jeremy at Firetail (37:21.872)
Okay.
Jeremy at Firetail (37:44.432)
Yep. Yep.
Steve Stratton (37:45.296)
But he has gotten out of prison more than once, went in tunnels, baskets, he was the master of escape. So that's what the series is about and thank you for asking, I appreciate that.
Jeremy at Firetail (37:53.36)
Yeah.
Jeremy at Firetail (37:58.415)
Awesome, awesome. So it looks like we've got Shadow Tier and then the one I see over your shoulder there is Shadow Junction if I read it right. Sanction, sanction. Okay, a little bit of a shadow or a glare there. And then we've got The Warrior's Path as kind of the origin story prequel, if you will. And where's the best place for people who are looking for these? Where should they look to find them?
Steve Stratton (38:04.72)
Sanction.
Steve Stratton (38:16.048)
Yes.
Steve Stratton (38:21.136)
Amazon for the first two books. Any bookseller, just about any bookseller will have the novella. I need to get the first two books up on a distributor that goes to the, you know, Barnes & Noble and all the other places. And then the third book, Caribbean Harvest, will come out in November timeframe. And that's where Lance and his wife go to Cuba to chase El Chapo.
Jeremy at Firetail (38:35.438)
Yeah, yep. Okay.
Jeremy at Firetail (38:46.83)
Okay. Okay. Well, we look forward to seeing how that goes. I think you are the fourth or fifth published author that we've had on the podcast. And I always find that it's really interesting to hear, you know, what are the origin stories? What are the little twists? What are some of the inspirations for the work that they put into it? And Steve, it's been great talking to you today. I've really enjoyed our conversation. Remember, for those that are with us in the audience side, you can find Steve's books on amazon.com as well as his upcoming stuff. It might take a little bit longer to get out there, but it'll be available for you. Steve Stratton, thank you so much for taking the time to join us today on Modern Cyber.
Steve Stratton (39:21.776)
Thank you, it was a real pleasure talking with you.
Jeremy at Firetail (39:25.166)
All right, and for our audience, please remember sharing is caring, rate review, like, subscribe, all that good stuff, and we look forward to seeing you on the next episode of Modern Cyber. Bye bye.