Honeypots and canary files are two of the most underused tools in cybersecurity — and in this episode, Dr. Mike Saylor and I break down exactly how they work and why you should be using them. The short version: they're tripwires. They tell you a bad guy is poking around your network before anything gets encrypted.

Mike walks through his layered security analogy, explains the three different ways organizations use honeypots — learning attacker tactics, distraction, and testing — and then we get into canary files: what makes them different from a honeypot, how they beacon home when stolen, and why clock synchronization matters more than most people think if you ever want that evidence to hold up.

We also cover how to stand one up without a big budget, what tools are available, and why something is absolutely better than nothing. Plus, Mike and I have news about our new O'Reilly book, Learning Ransomware Response and Recovery.

0:00 - Intro and book news

1:09 - Meet the crew

3:45 - Security is all about layers

9:22 - What are honeypots and canary files?

11:00 - Three ways honeypots work for you

13:17 - Real-world examples: bait cars and glitter bombs

15:20 - Making your honeypot convincing

19:11 - Honeypot tools and options

21:13 - Something is better than nothing

24:10 - Monitoring and notifications

25:05 - Canary files explained

27:03 - How canary files beacon and track attackers

28:03 - Don't forget to sync your clocks

29:05 - Final thoughts

Network segmentation to prevent ransomware isn't just a nice-to-have — the UCSF ransomware attack proves it's what separates a contained incident from a catastrophe. UCSF got hit. Their segmented network kept the damage from spreading across their entire operation. That's the difference we're talking about in this episode.

Dr. Mike Saylor — my co-author on Learning Ransomware Response and Recovery — joins me and Prasanna to break down exactly how network segmentation works, why it matters for ransomware defense, and how to start doing it without breaking everything in the process. (Not that I've ever done that. Much.)

We cover what segmentation actually is, how VLANs make it manageable, the "need to talk" principle, and where microsegmentation fits in — and when it becomes overkill. We also get into the complexity trap: more rules and more layers don't automatically mean more protection. Sometimes they mean nobody can troubleshoot anything when the house is on fire.

If you're an IT admin trying to make the case for better network architecture, or you just want to understand what would actually stop ransomware from ripping through your environment, this is the episode.

Chapters:

00:00:00 — Intro

00:01:40 — Welcome & Guest Introductions

00:05:17 — Case Study: UCSF Ransomware Attack

00:08:13 — What Is Network Segmentation?

00:12:32 — VLANs Explained

00:19:50 — The Need to Talk Principle

00:30:54 — Complexity vs. Security

00:31:09 — Microsegmentation

00:38:55 — Action Items: Where to Start

00:42:05 — Monitoring VLAN Traffic

Stop Using VSS as a Backup Before Ransomware Deletes Your Shadow Copies

Ransomware deletes shadow copies using your own built-in Windows tools against you — and if VSS was your backup plan, you just found out the hard way that it wasn't. In this episode, W. Curtis Preston (Mr. Backup), Prasanna Malaiyandi, and Dr. Mike Saylor break down exactly what shadow copies are, why they don't qualify as a real backup, and how attackers are weaponizing vssadmin to wipe your recovery options before you even know you're under attack.

If you've got Windows systems and you've been thinking "eh, we've got shadow copies," this episode is for you. We cover the history of VSS — what it was actually designed for, why it became a crutch, and why using it as your primary backup strategy is a bad idea on multiple levels. Performance, the 3-2-1 rule, and the fact that one attacker with admin rights can delete every single copy in seconds. We also get into the living off the land angle: how attackers do recon on your shadow copies, how they use them to scope out valuable data before going full ransomware, and what you can actually do to detect and respond to this behavior using EDR tools.

The bottom line: VSS is a great tool. It was just never meant to be your backup. Get a real one.

Chapters:

0:00 — Intro

1:39 — Welcome & Book Talk

3:26 — What Are Shadow Copies and Why Do People Use Them as Backups?

9:14 — Performance Problems with VSS as a Backup

10:19 — Living Off the Land: How Ransomware Uses VSS Against You

12:36 — Can You Monitor or Lock Down VSS Admin?

14:26 — Why Shadow Copies Fail the 3-2-1 Rule (They're Not a Backup)

18:01 — How to Protect Yourself: Configuring Your EDR

21:31 — The Local Admin Problem and Security Culture

27:00 — Virtualization, Snapshots, and Shadow Copies

29:00 — Final Thoughts: Just Don't Do That