
Okay, I'm getting used to the volume and it coming back at me and I'm like, wow. Once again, bold move, bold strategy cotton, giving me a microphone. Uh, especially right after lunch when I can tell everyone is just a little like it's hitting. And so, y'all are going to expect me to be exciting, engaging. I'm also curious because I have these chairs and I feel like I should be So, tell me about your problems. Um but on that note, uh welcome everyone. And so the title to the talk and hopefully if you're in the right place is building against a breach out of a disclosure. I'm Liz, lawyer Liz on various social medias. I refuse to
acknowledge any changes of stuff like that. And real quick, I am a lawyer. I'm probably not your lawyer, though. Uh, I have a handful of clients. I work with startups. I have been practicing law for 20 years now. And I give terrible legal advice because y'all aren't my clients. But this is not intended to be legal advice etc. etc. But what it is going to be is a deeper dive because I am constantly curious. I want to know what lies beneath like okay there's what's sitting on the surface. We know there's a breach. We know something happened. Okay. But I also know that for example lawyers and some other folks we're lazy. We love copy pasta. So when we are
copying and pasting and using the forms that we have developed, when the PR team is getting out the messaging and the comms and we're saying all these things that really say nothing at all. In fact, there's an entire TED talk I believe where basically he says nothing. But he tells you, I'm going to use the following tone of voice when I tell you nothing. And then I'm going to get excited and you're going to hang on my every word. So if you think of what happens when there is that breach when there is an incident and suddenly you're flooded with all the information but thanks to playing around with some agents AI LLM we can take a
deeper dive and actually hear what's not being said and taking what's not being said or what is being said and the time of day in which it's being said. We can take all of that, put it together, and actually get a better picture, intentional or not. A lot of times folks don't know that's what they're doing. They're not aware because this is one of the first times we've had that perfect collision of the ability to parse a ton a ton of data faster than you or I can do it. And it's also required to be disclosed now. And we have all these aspects. And if you can crunch it through, build your own. Get a
C LLM. Run it through. Not just for red teaming cuz cool, that's fun. That's I mean, red teaming is sexy, right? I mean, they get all the glory. But what if you took it, ran it against your own network, your own system, your own company, your own things, and were able to get all these different pieces back and able to tell, oh, well, hey, let's let's plan ahead. Let's do this. Let's do that. Let's build a better playbook based on what's not being said. So, a good backdrop to this, and I know we're so tired. Adnauseium. Oh, yay. Another look at MGM and Caesars. Well, yes, but no, we're going to have a little bit of fun with it.
we're not going to do this postmortem like oh instead what we're going to look at is you have two companies who took two different approaches yet they were telling us a lot of the same stuff by not telling us so high level just for those who were asleep two years ago a year ago and God bless RSA is coming up I'm sure somebody will have marketing pieces out on this any minute But you have the same actor threat actors and you have the comm you have scattered spider they're all coming out after it so they had the same approach social engineering they go to LinkedIn they're able to get the credentials know that build all this
stuff out well okay yeah yawn they went to LinkedIn did social engineering Where it gets fun is looking at their approaches and the aftermath of how they did this. And what do I mean? Well, so right around the time that this happened in August and September of 2023, the SEC had their new rules were going into effect for these beautiful little 8K filings. Are 8Ks anything new? No. In fact, they're the one of the most commonly filed documents with the SEC. And if you want and kind of a pointer in case I forget to mention it later, by the way, the SEC through its filing system, Edgar, releases all of its data and forms that can be and they release
APIs. They say, "Here it is. We are going to throw up on the page." So you don't have to pay a lot of money for a big subscription to look at quite frankly over 60,000 8Ks were filed last year and we'll hit some of these stats again. But let's sit there and think about 60,000 documents. Well, we have Caesars and we have MGM. Big surprise, they both filed a disclosure. They said, "Hey, we've had a problem, but let's take a step back. Caesars paid the ransom." Barely a blip. Barely an inconvenience of an issue for them because they paid their 8K goes into this long word vomit. fun thing, you run the text from the 8Ks through
any AI model and one of the first things they'll spit out is, yeah, this is formulaic. In fact, this was probably written by an LLM because it's copy pasta. Again, keep in mind, we're lazy. Difference is sometimes we're lazy in different ways. So, we've get Caesars. Caesars wants to tell you all about it. Well, then you also have their AK, which again didn't tell us much. I mean, it told us something. Didn't tell us that much. Keep in mind, other states require you to file things if there's been a data breach. So, they had to put out their state filings where they disclose a little bit more. And but what was interesting, they forgot to mention,
let me just say forgot that pesky little thing called ransomware in their filings. They were like, "We've had an incident. We're having it. Maybe some data got exposed, my dudes. They were about to have you buy the Keeping it PG, maybe a little G. Uh, but they you just paid the ransom." So, okay. Interesting. Interesting. You did the filings, you gave a look. Well, then we have MGM. Anyone remember how much they eventually reported as their losses? 100 million. 100 million. And so, by the way, this was their AK. That that that was it. Like that's it. That's all they told us. Their world is burning to the ground. They can't operate their elevators. They had to pull all of their
sports betting online offline and they said, "Hi, we're having an incident. Read our press release. Thank you and good night." What in the world? So again, we've got these we've got Caesars. that's telling you everything, filing everywhere, doing all these things and MGM going, "Please see our press release." But it's a reminder that the world of documents and information that is publicly available that they are putting out. And by the way, this is their press release. It used keywords. If you're taking notes, kind of file those key words in the back of your mind. incident investigation law enforcement impact. Hold on, let me get my readers out. In the press release, we say, I'm doing this for dramatic effect
and also because I need a new prescription. MGM Resorts recently identified a cyber security issue affecting certain of the company's systems. Promptly after detecting the issue, we began an investigation with assistance from leading external cyber security experts. We also notified law enforcement are taking steps to protect our systems and data, including shutting down certain systems. Our investigation is ongoing and we are working diligently to resolve the matter. The company will continue to implement measures to secure its business operations and take additional steps as appropriate. Hi, your world is on fire. Your AK said see the press release. Your press release said that. It said nothing. So while Caesars said nothing, MGM also said nothing. And to
delve a little bit. So they didn't just file the first one. As we talked about, there's over 60,000 of these get that get filed a year because once you start doing the investigation, you start additional information comes up, you have to update and you have to update. And by the way, these are not just for cyber security incidents. There's a whole slew of other filings that can tag those. But again looking at the fact that they mention okay we're here's a helpline maybe some information some of the data and yeah we're estimating 100 million you know it was more than 100 million but this is just a statement they're putting out for their investors. Again not really saying
much but reminder are you taking notes? We've set the scene. We've given you these two companies, their press releases, their filings, and there's going to be a couple more things. They're gonna They've had their federal filings, they've had their regulatory, they've had their state filings, they've had these press releases. Oh, and keep in mind this is in September. What happens at the end of the year or in Q1 start releasing their annual reports, their financial statements? Because again, these are publicly traded companies. And if you're sitting there stretching back going, "Yeah, that's nice, Liz. You're about to tell me how they actually told us everything we needed to know in this. They're a publicly traded company. I
work for a startup. I work for a small municipal government. Yeah, that's nice. So did I. Except for mine wasn't small. I worked for city of Atlanta. I worked for the world's busiest airport trying to secure their systems. Did we have to do some of this stuff? Nope. But did if you go back and look through and you want to find the things that the releases, the press releases, don't say look at the contracts we entered into right after a breach happened. H fascinating. Look what became things. So, if you're taking notes, like there's so much more to this than what we've seen, right? I mean, here we are. So, again, with that in the
background, let's talk about what else is going on. So, that's the filings. That's all this. Well, you look beyond the suits like or look to the suits. Don't look at the IT department. Y'all are working as hard as you can. Don't look at the sock. Don't look at the CISO sweating bullets right now, you know, doing all these things. Keep in mind all the people who are not necessarily security focused. Oh, those are the suits. Those are the business operations. That's the legal department. In-house, outside counsel, that's the HR recruiting. in-house outside that's the PR the marketing teams the finance teams none of them are top of brain going hey you know we should be doing cyber
security no they don't care they're like what are the financial reports look like legal is going yeah what are the contracts framed as and when's our next reporting due and PR teams like hey what's the website traffic going now that's not related to the breach how are we going to run our numbers So, what they're doing, the noise they are creating are, for example, one of my favorite places to find out who's about to get geared up for some massive litigation. I go to the job postings. I want to know who is hiring council. For example, I'm not saying metaw what um but when somebody's getting a new project, they're about 6 months out. They start hiring lawyers
that have a specific expertise in whatever it is the project the product is about to roll out. Um if they're gearing up for litigation, they're about to sue someone, suddenly they're hiring more people for that kind of litigation. So those job postings, it's only that, but if you think about how detailed some of these job postings get, fascinating. But what if you can pull them offline? What if you can pull them off LinkedIn? What if you can start comparing them against oh let's just say the annual report you know the annual report that also lists out who does what that also lists out where their biggest factories are where their biggest offices are where are they
leasing a lot of space. Oh that's interesting. Where are they not renewing leases? Where are so is it starting to click of all the different ways and if we can start comparing them against that breach information h let's see let's see so I keep talking about 8ks forgetting that not everybody's in my world of documents getting paper cuts yes I still print stuff out and when I talk about this so like I said 67,000 were filed in 2024 for to the point where the SEC released guidance. They said, "For the love of all that is good, stop it. Please have mercy on us. Not everything is a material event." And so we talk about material
event. Keep in mind what the SEC is out for. They are not out there to make sure that you are meeting all the latest NIS standards on maybe back of their mind what they're looking for is they're like hey do investors do the public have the information they need to be able to trade on this company. That's who they're looking out for. So when you talk about all right that's the background. They're not going to do a deep dive analysis. Well, okay, sometimes they do. Solar wind says what? Um, and they will come after in different things, but again, that's not their focus. So, when you have all these rules, so they updated the rules. They said, "All right, tell
us about within 4 days of an incident, suddenly you have you need to tell us of a material." Again, it's evolving. You don't know. Four day four days into Atlanta's ransomware attack, I was trying to figure out how to recreate contracts that had statutory requirements. And because I'm a nerd and I had saved some stuff to various thumb drives so that I could take them between my airport office and my city hall office, I was able to recreate some of this stuff because I love backups and redundancies and I kept everything segregated. Yay. But I'm not thinking, oh well, I wonder if we've identified and perfectly disclosed all the information. Have we done all this? But
that's what the SEC wants to do. So, you can imagine this caused quite a big stir, but they don't say anything. As we saw, they're not saying anything. I mean, you can close your eyes in your sleep and you can write the press release that says this. We've identified an issue on our systems. It may impact data. But this is when again I talked about the copy pasta. It's when people deviate from that or are they not deviating and are they sticking so close to what the form language is that they use because fun fact all of them look the same but when it doesn't look the same when you haven't said something. So, and again, so you've got those SEC
filings. Well, we talked about, don't forget the press releases, and again, these aren't just publicly facing companies that are doing this. Congratulations, you just closed your series A funding or guess who's sponsoring a booth at insert conference. Of course, not Bides Charm. Besides Charm sponsors are fantastic, but you think about all these press releases, there's only a handful of companies of professionals that are doing that. If you can start noticing the similarities, yeah, put that in the back of your mind. We'll get back to that. But that's what the people who are not focused on security are doing. They're also doing the job postings. Are they thinking about, hey, maybe we shouldn't put this in the job posting and save
this for the interview? Nah. Nah. They want to get it out there. They want to make sure that when they turn the list of candidates over to you or when the AI um LLM itself has scraped through all the resumes, what have they found? Right? That's what they're looking for. That's what they're doing. The focus is not on hey are we telling people a little too much or what are we telling by posting these jobs for example and okay yeah I circled back and I picked a little bit on MGM and Caesars because again we're doing this all compar they're both hiring these were as of today available things they have listed and um h the legal and administrative I
wonder who But you know who transitioned out? What roles are they looking for? If you're going to start social engineering, where are the weaknesses? Weaknesses may be in the role of the person who is just punching the clock until they're done. Or the person who's now covering three different roles because the other person got fired and hey, we're not going to give you a raise, but we're going to ask you to take over these responsibilities until this. And so when you start getting that fishing attack, you really care, right? or or you're checking the box because f them, they're not giving you, you know, they didn't give you a pay raise. H interesting stuff that you can just
easily scrape. Well, then we have the financial reports and taking from MGMs and you look at the table of contents. One, they're giving you all of the details on the cyber security incidents. They're right there. Table of contents. They're telling you whose roles and responsibilities. They're telling you what happened because they're a publicly traded company. These are all on their website. They're not hidden behind a payw wall. You can find them. You get the right things. You get the right keywords. Suddenly, we're finding we're finding the similarities, right? We're finding what is being said without being said because again, who's assessing? Who's in charge of the risk? What are their priorities? What is their background?
It's all out there. And then, okay, cool. But now we're talking about the other stuff that's out there. The other stuff that is building this massive trove of little tidbit nuggets that again are not are the lawsuits. So if you look at for example the ad current administration is let's just say targeting law firms going after. Did they pick these law firms randomly? No, they pick the law firms that are doing certain things. If you look at there's only a handful of big law firms that represent VC funds. There's only a handful of law firms that represent certain tech companies. There's only a handful. So, if we start being able to figure out which law firm is
representing someone because they filed lawsuits, it doesn't even have to be related to. So, you've got all these little things because again, what is the theme? Copy pasta. Lawyers copy and paste from their filings into the next one because we're billing by the hour. Or we're doing a flat fee. And for the love of God, my bonus is going to be based on how many hours did I bill. And if I can put in five hours for this, but only actually have to do an hour worth of work because I copy and pasted from the last one I did. You will start to see the patterns that are created when I have copy and pasted because I'm going
to use the same terms or I'm going to pull the same pleadings, the same corporate reports, the same different things from the last one I did. And sometimes, not that I would ever do this, but sometimes lawyers even forget to change the client's name in a document. Well, that doesn't take you having to run it through an LLM, right? I mean, that's just right there. Oh, let me guess. That's who your client is. Now, I can add you to this little spiderweb that I'm building of connected tissue that is going to make it easier as an attacker, but also make it easier on the defensive side. Because if you're trying to figure out, oh, this law firm
just got targeted by whatever, a breach, something, and they have poor security practices. Oh, but that's the law firm that has all of our stuff. I'm going to flag it. I'm going to pay attention to anything, any traffic coming in and out because again, so what? All right, all the stuff, not my circus, not my monkeys. I'm not a suit. I'm just sitting here defending, you know, I'm just going about my day, making sure the systems are going, the trains are running on time and all of that. And sure, okay, you said maybe an attacker's looking at that. Well, okay. Here's how you frame it to the suits to the seauite. you remind them that
BEC business email compromise um created 2.9 billion in losses. So this hits the bottom line of the company. So maybe give me some more budget because I'm going to tell you how to fix it. and you know 500 million in losses and that you know fishing spoofing complaints over 18 million just in when you start like just based on 300,000 you start thinking okay okay sure that hits the bottom line at this or that but we start talking about them it's the data disclosures it's the social engineering aspect. Again, MGM Caesars, LinkedIn. They were getting it off of LinkedIn. They were finding this information, finding all these little nuggets that are out there. Well, okay. 78% of organizations who paid a
ransom were hit by a second attack. So, okay. Yeah, we got hit once. Yeah, we learned our lesson. We've strengthened, hardened, did this, did that. Who cares? Yeah. Well, that's when you go remind folks, hey, but it's coming back. It's coming back around because did we did we were did we fix everything? One of my favorite things was with City of Atlanta and we had to actually like burn down our architecture. Yes, that is a joke about burning and Atlanta. For those who got it, thank you. You're old like me. Um, but what one of my favorite things is we had consultants coming in. They're like, "You know what we're gonna do for the bargain basement price of
insert really high price? We're going to do pen tests and we're going to do this." I'm like, "Oh, that's great. That is great because by the way, it's going to take a month for city council to approve the budget. It's another month to implement whatever you found from the last one. Then it's going to take another month to even just be able to figure out where the equipment is or where the hardware is or where the software is or what subscription do we have the right subscription to patch that. Oh, we patched it but uh it was patch Tuesday and now we have to patch something else that deals with that and oh by the way we're at this we're at the
end of the quarter so therefore you're going to start doing the next quarterly pen test. And my response to them was great. If y'all aren't copying and pasting the pentest you gave us last quarter, I want my money back because I guarantee we haven't fixed that. So if you're not saying, hey, you still have this broken. So again, this is why start because you don't know from the sea level did are all of our vulnerabilities or all of our like you know stuff that's exposed did it get fixed or is it about to be? So that's how you frame. But what happens when you start looking beyond what are the words on the page? Because
keep in mind, you're uploading documents to court filing systems. You're doing all these things. And if you think that the PR firm, if you think that the lawyers took the time to strip out the metadata before they put it up and posted it somewhere, I love how you think we are that that conscious of these things. I love the faith you have in us if that's what you think. We don't. They don't because that's not what people are focused on. So again, we're building out all of these different data points. What happens when now you can strip this out and it's not you doing it by yourself, but there's APIs that give you that access and
what what starts to be learned from that because Okay, cool. I got some stats. No, you just figured out what contractor someone's working with. Even if the contractor's name is not on the document because you can compare it against all these other things because there is a document somewhere they left their name on. You can now look at and running through some of these filings, I can tell you what time of day. Take that. Now I know, oh well, it's this law firm. And if it's this law firm, it was probably this lawyer who did it because that lawyer tends to not work on Fridays. And this lawyer is the one who always files it if it's on
Friday at 4:00. Oh, by the way, Wednesdays and Fridays are the two days uh for all the SEC 8Ks that are bad and it's after 4:00. After 4:00. So now I know what impacted business, what didn't impact. If you told me something, it has no business impact. Oh yeah, it did. It absolutely did. But now let me pull in the data from all these other places and suddenly I know. And also what are the future attack vectors? Well, I know what you're hiring for. I know who's gonna be the new person on the block and I know what they're going to be able to when they get the email from the CFO saying, "Hey, I'm in a meeting um and I can't
access something." So, can you just out of band um send me a wire transfer or authorize this? And um yeah, I just can't find your My favorite one was at the last company I would get once and it was from the CEO, of course. Um the CEO can't find my cell number. I'm like, nice try, dude. You're texting me on my cell phone right now. So, not today, Satan. Not today. But and again, okay, cool. We have one or two. No, MGM has 25 years of press releases available on their website. Your company probably does similar. I guarantee for as much money as they may have paid for that press release and is excited as that PR and
marketing team is about it, nothing has died on the internet. It's there. If you're scraping in the right places, it's out there. You've got it. Now you're running it through again. I'm just having fun poking at MGM and Caesars and yeah, again. So cool. Cool. All the vendors who are out there telling you like, "Oh, we're going to tell you how to use the right AI powered vulnerability scanners and this is how you can do it." Yeah. All right. What does this have to do, Liz, with what you're talking about? Like what? Like that's what they're selling me. I'm like, "Yeah, what about Bob? What about what if you ran it against your own self but you ran it in
a way that you were looking at the information that you have had leaked? What if you start applying that? What if you look at the trends? Did my company do this before or after the SEC? Like how many days did we respond? Because if it was a regular 8K filing that really wasn't going into depth into too much depth over a material breach or cyber security incident, then we were probably going to wait a little bit longer. But suddenly we've got something we know it's on fire and we know it's on fire and we want to get ahead of this because we don't want to have the SEC come after us later and find us for
something or say we didn't do it. So, we're going to make sure we get it out quicker. Oops. Is that telling more than we thought it was? And you know what if we start using things like material, immaterial, undetermined uh or no statement at all is to the materiality. H when you have certain cyber related keywords, suddenly suddenly you can tell. And what about if we start using boilerplate language? What if we start repeating that boilerplate language such as the investigation is ongoing? Yeah, everyone says that the investigation is always ongoing. Well, okay, but what if we start seeing certain words that always pop up and now we can run those words that are always popping up against
what we know after the breach. What if we start paying? We go, "Oh, that was a really significant incident." We knew they were like their hair was on fire and they were panicking. Now we have that pattern. Now we know or now I know. And the words have meaning. What are the words that when you start scraping through, let's just say hypothetically every 8K filing ever because you're bored and there was an API that allowed me to do it and I run it through. What happens when I start seeing certain words pop up? What happens when I start see that that word salad and now I can go back and compare? But also, what if I can
then run it against what my own team is doing? Again, keep in mind we're building a playbook. We want to know how to do better. We want to know what other people are seeing and what they're doing. And why is this? So what happens when you look at so in blue we have you run companies. All right, how same are all of their filings? So when you look across different filings, how same are they? And you start seeing a lot of them are kind of similar, right? The higher the score, the more similar they are. What is that telling me? That's telling me they're using the same forms. They're using the same format. But when I look
at the green and I start seeing companies being very similar to other companies, what can that start telling me? Um, maybe you're using the same people. Maybe you're using the same boilerplate language. Huh, that's interesting. So, what happens when you deviate from it? What happens? So now I have both the attack vector of you're using the same companies. If this company gets popped, in other words, this law firm gets popped, this CPA firm gets popped, this something gets popped. Now I need to know, huh, am I probably going to get popped because that's who we use. Even though nobody goes and tells uh the tech team, the security team, oh, by the way, this is who we use
for our law firm on the following cases. This is who we use as our CPA. This is who we use. No, you don't see that. But what if you can find it out because you've looked at those similarities and you've tracked it yourself? Because if you can find it, I guarantee some bored kid in the com has found it. They've done it and they're selling it. Do I recommend going and buying it off of the dark webs? No. But build it yourself. It's not that hard because all that data, all those disclosures and leagues aren't just for the publicly traded companies. Yes. Yes. Each and every one of us are special little snowflakes who can do something with this information
because the goal is again to manage and mitigate. You are not unique and that's a good thing. But you are and that's even better because you can find out where in all of these data points by running these LLMs and turning it and looking at yourself. You can build a better playbook because you can find where are we falling in the norms? Where do we use that language and where do we where does that become let's just say interesting you know and what so again use the tools assess all the different channels don't just focus on look at what find out who you're working with what you're doing the timing are we releasing statements that if it's
critical we're releasing it at 4:00 on a Friday but if it's not critical. We're releasing it on a Thursday or a Tuesday, which are the two days that nobody does. Um, and also let's let's pay attention to what what phrases we're using because build better, update the game plan, meet the players. Do you know h have you had those conversations? Create a scouting report. like go through when you run it and you see we're using these words. We're using this phrase and we only use this phrase when it means this one. So, how about this? How about you feed the press releases into the system so that you know, hey, we just sent out a press
release. It did the following things. We've just flagged ourselves. So, hm, now we know. Now we have the scouting report. We know who's doing what. set up alerts because you figured out who the law firm is, who the CPA is, who are these other folks that you're using when they get popped, when they get breached, wouldn't you like to know like a a tsunami warning that, hey, our law firm just got breached, we may need to tighten up some controls. Someone in our industry who uses the same law firm just got breached, huh, maybe. And review the place. Look at what you're doing from either past incidents. Look at how it compares to what some of the other folks
are doing as well and run the place. Practice the tabletops don't have to be just for like what oh breach. What happens when you can run it and now you're running against well I saw what Caesar's did. I saw what MGM did. I saw how they released something at the same time. All right. Maybe we need to update. Maybe we need to Hey, are y'all aware that when y'all do this at a certain like the boilerplate sometimes boilerplate is good? Sometimes boilerplate lets people know um yeah, no, we're working on this. It's yawn, it's no big deal. We don't feel like our hair is on fire. See, we released this at a Thursday. we released
it and we did this. Or just know, like, hey, going back to the team and making sure: are y'all aware that you do this? Hey, I can't help but notice that you didn't strip the metadata out of the documents you're filing on our behalf. Yeah, we're going to build it into the contracts and requirements that you do this. We can't help but notice that you did a special marketing campaign and you linked back to something we did that was proprietary. Like, hey, maybe we don't do that. Or, hey, can't help but notice that in our financial disclosures you probably went a little bit further and told them. Or in the job postings: hi, maybe we don't need
to list all the systems that we use as a requirement in the initial job posting. Or maybe we pepper a job posting with some kind of, not red flags, but false flags, red herrings. Or maybe we do this, maybe we do that. But you know how you get to know that? By the way, lawyers, we are scary. We do bite. Yes, but we won't bite you if you're our client, most of the time. I may want to smack you a little bit, but get to know them. Get to know those familiar faces so that they have trust in you, you have trust in them, and y'all can have that dialogue, because the last
thing you want is for the first conversation you have with someone to be, "Hey, so I know we've never talked, we've never spoken, we've never emailed, but by the way, it's on fire." Or, "Hey, good job. Kudos, you just did all this." Running those LLMs, figuring out where those leaks are coming from, that drip, drip, drip, and building the relationship to patch it is what gets you a better playbook. Look at the breaches you've had. Look at the breaches others have had. Look at how you're running them. Build the better playbook and update the game plan. Because again, it seems boring, right? It's the stuff nobody thinks about. But we have the capabilities, and
it doesn't take a lot of time and effort. This stuff is publicly available. I'm not even talking about the stuff you need a subscription for. Why not run it? Why not build better with that? So, thank you, everyone. I appreciate y'all not groaning too much at my jokes. Happy to answer questions if I have any time, because I can't see with the lights whether I have any time left. Or also, find me, I'll be around and happy to answer: Lawyer Liz, Liz Wharton. I guess I should plug my own company, Silver Key Strategies, because it's me. Anyway, thank you so much.
[Applause]

Yes, just expanding a little bit on your premise. I spent a few years doing DFIR work, and as the consultant who would be on the phone from the tech side, normally the client who got hit would, through their insurance, reach out to an attorney. There was a set number of attorneys or firms that were approved. That group had a set number of approved DFIR firms and a set number of approved firms. And so you get these groups over and over again. You'd have matched patterns. I suspect that if you were to add into your review looking for differences within this law firm using this DFIR firm, the separations on how they report
would be even more meaningful than it would be if you're trying to... now, admittedly, they seem to steal from each other across firms, because, yes.

Yeah. And that's a very salient point. And so to paraphrase: keeping in mind, when there is an incident and you go through your insurer, your insurer has a set pre-approved list of PR firms, crisis firms, law firms. You could only go to so many. And if you think we are just copying from our prior work, for example, back many moons ago when I worked for banks, the banks would have certain forms. They had one set of approved forms that every law firm that worked for them had to use. So that does
become fascinating when you start looking at it, and that's additional information. You can figure out who all is using which insurers, and which insurers pay out, which insurers don't, what they're going to do. But that is a data point that you can absolutely scrape from as well. Awesome. We have a couple more minutes, I think, if I can read it. Yes.

For the last pattern analysis, we had a conversation...

And so to paraphrase on that again, another salient point: it's talking about how, when you have industries such as law firms, in some cases lawyers have been practicing forever. They have their set systems. We're building that, but it's not just lawyers; accounting firms and stuff too. And you try to get them to change? Yeah, good luck. Because they've built the system, and unless you are holding the wallet... And so in this instance, the law firm was breached. So, like, yeah, no. Yeah. And it happens. Where you can control it is, hey, let's figure out: are we using one of those firms? And if we are, then, all right, we need to, on our end, work in
because when a breach happens, it's money and it's data and it's systems. Like, how much is it going to cost us? How much is it going to cost us to patch, repair, rebuild? Build that into the analysis. Make sure that the law firm, perhaps, should be the one holding the bag, like, hey, we're going to build this in, because lawyers don't like to part with our money, just as no one else does. So, make it expensive. Put some extra filters on when stuff is coming and going. But you know that because you've run some of the data analysis on this, and it didn't take that much extra
effort. You automated it. You put it into them and you let the agents do their thing, and see what they spit back.

Yes, just a comment. You're talking about the legal industry, right? But other service providers are doing things too.

Yes. And that's why I'm highlighting it. So the comment is: other service providers. I'm just focusing on some of the comments because what I have firsthand experience in is what the law firms are doing. But as we talked about, it's the PR firms. It's the press releases that are saying everything and nothing, and finding those patterns. It's, I mean, everything down to the swag vendor. I mean, you think of it, if someone outside... that's what we're talking about, like the business going
back and looking at who the suits are, and I'm using that very broadly to say who are the non-product, non-tech-focused people, either internally or externally, that you're working with, because those are the ones who are probably doing more damage by leaking than everyone else combined, because most of the business email compromise and most of the attacks are coming in through HR, finance and legal. Sorry, we ruined it for you, everyone.
Yeah. Also, your adversaries are doing everything, because they are targeting down to where they put numbers.

Yeah. I mean, we were talking about, so in the comments, reminding that the media does this, because what you're saying and what you're not saying, that's not the story. The story is weaving in between, and who else is impacted. They find that by doing the same analysis. The threat actors are doing this. That's how they figure out who the next weakness is. Again: oh, you're hiring for this. You're using these vendors. You're doing that. Ah, well then. Oh, and by the way, on LinkedIn, these are the phone numbers, emails, and these are the people, like,
yeah, it's right there. So again, thank you, and I look forward to seeing what all y'all can create and share and add to this.