SEO: How To Create Content For Your Business

On Episode 88 of The Edge of Innovation, we’re talking with SEO expert Jeremiah Smith about SEO and how to create good content for your business!

How to Execute an SEO Plan

Paul: Welcome to another edition of The Edge of Innovation. Today we’re talking with Jeremiah Smith with Simple Tiger.

So, let me ask you this question. I have a friend who owns this semiconductor manufacturing company, they make packaging for semiconductors. Not like the box but the actual little case that the actual semiconductor goes in. Now, I would imagine that we could look at his client roster and develop some personas. A lot of engineers, a lot of purchasing agents, a lot of, who knows even what, maybe product designers, things like that. How would you recommend, trying to get really practical here, that they execute an SEO plan or begin that so that they could see some positive impact?

Jeremiah: Good question!

Paul: What are your thoughts?

Jeremiah: My immediate direction that I would suggest would be to first and foremost, run – actually, this seems counter intuitive – run a paid search campaign first and foremost to see if you can sell or at least garner interest for your product to a broad audience. And the whole idea there is, that we want to cast a wide net with keywords.

The way we do that is, set up an Ad Words or Google Ads nowadays, a Google Ads account. Run these ads across all these keywords and see what happens. We are kind of testing the waters to a degree. And if we get some conversions, meaning some people clicked on some ads and then bought the product from us, we need to zero in really fast on who those people were. We need to figure out what were their demographics? Where were they? Did we ask the question “What made you decide to buy from us?” That kind of thing so we can see what their values were and that’ll help us quickly learn and gather that data around who our customer is.

Then once we know that, we’re going to be much better suited to start producing content to talk to that audience. If they primarily were in Texas and it turns out that a lot of manufacturers that tend to use these semiconductors, or a couple of plants in Texas that really buy that product a lot and that’s who you’re talking to and that’s why a lot of those orders came through. Now you have a really narrow focus on like, “Wow, alright, we need to talk about semiconductors in Texas” or for this specific type of plant, something along those lines.

How Much Should You Spend on a Google Ad Campaign?

Paul: Let’s unpack this a little bit. If there’s somebody out there that has a business like this or similar, I’d like them to be able to walk away with some to-dos. Alright, so they are small companies, small, medium sized business, you know, twenty, fifty employees. Something like that. So what budget would you put together for Google Ads. What is it, Ad Words now?

Jeremiah: Yeah it was Ad Words. They changed it to Google Ads recently to make it simpler.

Paul: So, what’s the budget? Are they going to spend a million dollars, a thousand dollars, five hundred?

Jeremiah: What I like to do is get enough statistically relevant data that I can make conclusions fairly easily. So, what I’m usually looking for is typically at least a thousand clicks. If your site has a one percent conversion rate, and we know that it has a one percent conversion rate, then a thousand clicks ought to yield us ten conversions. If we have those ten conversions, then we can quickly determine a couple things about those conversions. Whatever the cost is in your industry, to get those one thousand clicks, I think will just help you a lot. It could be one hundred clicks but then you’re really extrapolating things. If you could do ten thousand clicks, then you are just more confident in your data because you’ve got a larger data set to work with. So, the larger the data set, the more intelligent you’re going to be.

I would typically recommend a thousand clicks though, which in most industries is going to range from a thousand to twenty-five hundred dollars and that should be done in typically a month. I think that you can get a lot of traction quickly with that. Hopefully, if you get a good conversion rate, you’re going to get some of the sales from it so you’re going to recoup some of the cost of this experiment but the whole idea there is to gain intelligence.

Paul: And how many ad words would you target in that?

Jeremiah: It really depends on the industry and the product.

Paul: But is it the more the better or is it no you should really focus?

Jeremiah: I would try to stay focused to relevance. I would let relevance determine that. I’d make the decision entirely based on how relevant the search seems to be. So, you could easily target hundreds or even thousands of keywords but you may start losing relevance as you get a broader list and everything. Search a keyword in Google really quick, if it makes sense the results that come up, if they look like competitors and stuff like that, target that keyword. If you don’t see competition, it doesn’t seem like that keyword generates what you do then I would avoid that keyword.

Making Sense of SEO & Google Search

Paul: Again, people are listening to this, they’re driving, they’re thinking about this. Maybe this is something they come back to. We’ve got this business that makes these packages, I go out and do some Googling and find out when I can find my competitors, how I can find my competitors. Is that fair?

Jeremiah: Yeah, I’d say that’s fair.

Paul: Okay, so I compile that list of queries and I look at that and then I go out and buy some Ad Words, Google Ads, I chose the keywords and I measure that. I think it’s important to say that there are two things that are occurring here. They click on something and that may be valuable, but do they actually then engage with your website?

You mentioned the word conversion and I want you to speak to the different types of conversions. Because clicking is one thing, and they get there and they say, “Well there’s nothing about hamsters on this semiconductor website.” Well, it was obviously targeting the wrong keywords but they get there and they may engage but they still may not buy anything because it may be a million dollar purchase. It might take a year to get through that. So, what are your thoughts there?

Jeremiah: So, we are talking about probably one touch in the multi touch phase of marketing. There are so many different ways that people are going to interact with your brand and site and stuff like that. We’ve got to keep in mind that you getting one interaction through a paid search ad or another interaction through an SEO result, may just be one step towards them doing business with you. Just because you’ve got a business from a keyword but didn’t get a conversion, doesn’t mean you didn’t get the interest and the mindshare. This person may come back and continue their relationship with you. And that goes into Seth Godin’s book about permission marketing. With these SEO results, you may actually be, over time, building relationships over time and answering enough questions to where, “Wow! I’ve Googled this problem I’m trying to solve, five different ways and every time they seem to be the one company that answers my questions.” Guess what, when they’re ready to purchase, they’re probably going to come to you.

Paul: Right.

Jeremiah: So that’s one way to think about it.

Advice For Businesses Who Want To Start Doing SEO

Paul: So, we were talking about SEO and sort of the logistics of SEO that we had covered to give an idea for somebody who’s coming at this. We all have different levels of knowledge. We all have different levels of experience and SEO is somewhat… it feels like alchemy. I’d love you to capsulize what your advice would be to a fellow small, medium sized business owner, for what their approach to SEO should be. It’s sort of like peeling an onion I think, and we’ll talk about that.

So, for example, let’s pick a company. I’ve got a small company that we’re working with. Twenty-seven people. We deal with their IT. They are in the semiconductor manufacturing space. I think I might have used them as an example previously. And they sell these esoteric things to a subset of engineers that are out there. So, is that good? Or is that bad?

Jeremiah: That’s a fantastic angle. I can totally attack that. What I can’t work with is generics.

Paul: So, if I were a pizza parlor it would be harder?

Jeremiah: It depends actually.

When Would SEO Not Apply?

Jeremiah: It’s funny. There are very few instances where SEO does not apply because in almost any business model there is something about your business model that people are searching for. I would say an example of a potentially difficult angle would be a head hunter that does high-level C-suite corporate head hunting because their entire audience may be more based on relationships.

Paul: Okay.

Jeremiah: So that could be one of those examples. I’ve had one client in the past where I looked at it and I just did not see a good opportunity for an SEO perspective where they were concerned.

Why Does Your Business Exist?

Jeremiah: But attacking kind of the semiconductor manufacturer and who is appealing to a set of engineers with very specific needs and concerns. We’re going to talk about a couple different things from an SEO perspective right away. The first thing I’m interested in are the use cases or the application of whatever it is that your product or service offering does. And this can apply pretty generally to a lot of different business models but really, how are people applying or using your product or your service offering? And in this case, the semiconductors are probably built with an application specific focus. They may be built for medical grade machinery or components for hospitals or something along those lines. Then again it could be something specifically built for satellites or cell phone towers. So, if we have a specific application or angle like that, let’s start there and dig into your buyer.

I always like to start first and foremost, with “Why”. Why do you exist? Why does your company exist? That comes from Simon Sinek’s, “Start with Why.” Once we know why the company exists, then that can help us make decisions about everything underneath that.

Who Does Your Business Exist For?

Jeremiah: Once we know why we exist, the next most important thing is “Who.” Who do we exist for? And under that realm, we know that this semiconductor business is serving up – let’s just say their, “Why” is they exist to build the highest quality, maybe most reliable semiconductors for this industry that they have built them for. Do you have an industry in mind that these are applicable for or are these very general and can apply to a lot of different things?

Paul: They’re general. I think they are pretty general, unfortunately. It would be nice if they did it for medical equipment. But no, it’s fairly general and broad.

Jeremiah: Okay, cool. That’s fine. I can work with that. So, what I would do is, I would look at why the business exists first. So, we generate these because we want to be the most reliable. Let’s think of our manufacturers being the Toyota of the manufacturing industry as far as semiconductors are concerned. Reliability is key. Toyota is the most reliable so we’re just going to pick on that for this angle of the semiconductors. That said, now who are we talking to? So, we’re talking to engineers at different companies who are purchasing these semiconductors to use in the application of producing their products or even building their own internal tools or something along those lines.

These engineers, if I analyze your books, if I looked at your business and it’s an established business, and I looked at your books, I could quickly determine that, let’s say you have one hundred customers that you’ve sold to over the course of doing business. So, over all time. If I analyze those one hundred customers and I said, let’s start with the most profitable. Who are the most profitable customers? It’s very rare that you’re going to say “Well everyone is equally profitable.” But that’s more of a B to C mindset. But in a B to B mindset, you’re probably going to have a very profitable few types of clients.

Beginning SEO: Creating Personas

Jeremiah: Well, let’s take those profitable ones, and just speaking from a profitability standpoint let’s look at patterns that kind of unify them. I’m interested now, in establishing what in marketing we call a “Persona.” And this is where we get into the who we’re talking to. So, WHO is the most profitable customer of your company? They may be predominantly the healthcare industry. They may be CTOs making the purchasing decision of these semiconductors at healthcare organizations that manufacture these pieces of hardware that are used for hospitals. So that may be a persona. CTO at a healthcare medical device company. So that’s one persona and that’s our most profitable persona.

Maybe our second one is telecommunications and that cell tower kind of example from earlier. Maybe there is a cell phone tower manufacturer that AT&T contracts predominantly and their CTO is going to be the customer you want to work with there. It may not be the CTO. It may be some engineer or someone from within the organization. So that will be persona number two.

So, after we’ve gone through these one hundred customers, we’ve defined probably a handful of personas. Now, you could keep going because towards the bottom of that list. Once you get all the way down, you’re probably going to find 15, 20 different people that don’t have anything in common. There’s no pattern to them and they only make up a tiny portion of your list. So, let’s ignore them because the ones that are really going to dominate your sales are the ones that do fall into a pattern. The healthcare industry. The telecom industry.

Appealing To Your Clients: What Are You Going to Do About It?

Jeremiah: So now that we know who we’re talking to, now let’s try to appeal to them with what we’re going to say. So, we know why we exist. We know who we exist for. Now WHAT are we going to do about it? We are going to talk to them. What are we going to say? So, the content now, needs to get into targeting some keywords that these people are going to say. So, the healthcare industry folks are going to be searching for semiconductors for medical devices and they probably have like internet of things terminology that they’re going to use. Where the medical devices need to talk to each other through the hospital. So IoT related keywords might be one category. And maybe location aware devices might be important as well. So, semiconductors for location aware devices. Now we have a location aware category of keywords. So, these all appeal to that healthcare side of things.

Now the next one, the next persona is this AT&T procurement company or contractor. They might be looking for something that complies to FCC regulations and that’s their number one driver is that they are building stuff for the communications grid and they have to be very strictly, rigorously tested to make sure that they are absolutely FCC compliant and that they’re secure because they are sitting out there in the wilderness all day. We don’t want people being able to break in and get to them. They have to deal with high heat or very extreme cold, rain, wind, stuff like that. So, those kinds of things come into play for that persona.

Producing Content To Match Client Personas

Jeremiah: So now we need to produce content for that persona. All of this content kind of falls under keywords sets that talk to each one of those target personas but what we’ve done so far is we’ve used the 80/20 principle to tease out the most profitable set of clients that you have and categorized them into an audience that we can then talk to with a strategic focus on content that meets them where their concerns are. And when I say meets them where their concerns are, if you have a concern or you want to find out about something or you want to learn more about something, or you need help with something. Odds are you’re going to Google it at some point. So, you’re putting your concern into a search engine. And what you’re hoping to find is the solution.

So, we’re going to deliver that solution in the form of content and educate you and provide the answer that you’re looking for. And within that answer, within that piece of content, ultimately is a solution may aim to doing business with us and just coming to us, getting on a call with us, downloading this report about how our semiconductors work for the medical device industry better than anyone else’s. And that may be the tipping point that causes you to decide to turn into a sales lead and actually talk to me and have me pitch to you about why you should work with us. So that’s ultimately how I see an SEO project for a client like that going.

Bad SEO, Good Content

Paul: So, let me ask a follow on question to that. I had someone come to me and say, “Gee, I want to buy some good headphones.” And I said, “Oh you should look at Bose or if you really want to pay a lot of money look at Sennheiser.” And well, but, “How do I know? What should I buy? I want a gaming headset.”

So, I Googled “Does Bose make a gaming headset?” which they don’t, which I was surprised. Okay that’s fine. The response to my searching for headsets or headphones was all over the place and I don’t know why but I clicked on a link and got to some tech site that wasn’t just a chat for reviews but was actually some conversations back and forth, a forum post. And one guy said “Well, I use this site.” And it was a google.com address that was basically somebody had put it in their Google file storage. I was expecting it to be something out of the 1960s or something, like when HTML just came out. And it was this incredible website which just went into all the detail, very plain spoken. I was like “Wow!” And it was absolutely up to date and it wasn’t a URL like “Bob’s Headphone Site.” It was this generic Google Drive URL. And I was struck by that, both by the experience of getting this relatively homogenous information initially. And then finding this several layers deep. And my gosh this is really incredible. I never knew there was so much information about headphones and so well put together.

So, what do you say to this? Because I mean, obviously they haven’t done SEO well at all but their content was really good?

Defining SEO

Jeremiah: Really, when you say they haven’t necessarily done SEO well, I’m always curious about that because SEO kind of carries this nebulous connotation. A lot of people think that SEO means…. SEO means a bunch of different things to a bunch of different people. Heck, SEO means a bunch of different things to me and that’s what I do full time!

But really when we’re talking about the core of SEO, we have to keep in mind the definitions. Let’s go back to the basics here. So, the definition of SEO or search engine optimization is to optimize something for search so that it’s easier to find. I mean, I guess depending on that definition of SEO, that could apply to how you organize things in your herb cabinet or when you’re cooking, so that you could quickly and easily find Basil.

Paul: Good point!

Jeremiah: So, you just did search engine optimization for your own internal search engine. Right? So, to a degree you’re organizing something so that that information can be quickly and easily found.

Amazon: The New Dominant Product Search Space

Jeremiah: Now, we think about it in regards to Google, just because Google owns seventy percent search market share and has for twenty years. But we have another dominant player in the search space out here, specifically if you’re a product company like the ones you just referred to, like Sennheiser or Bose. And that’s Amazon. Amazon is now a dominant search engine. Most products’ search traffic is now started on Amazon versus Google which is insane to think about.

Paul: Who’d have thunk it? You know?

Jeremiah: Yeah. Like a year or two ago most product searches began in Google and that just made sense because that’s how it’s been for the longest time. But Amazon is now such a dominant player in the retail product space that that’s where most product searches just begin. That said, if you are a product manufacturer or a retailer, Amazon is actually a strong part of your strategy and if you’re talking SEO you can’t avoid talking about Amazon, if you’re in ecommerce. That’s scary for a lot of people because you could go to Google, and you could play around in Google and optimize your site well from an ecommerce perspective, in Google, and that will generate a lot of value and a lot of results and probably even a majority of it.

But if you put some effort into optimizing what is required within Amazon, you could get a dramatic amount of results out of that too because guess what? Amazon has an algorithm, a ranking algorithm, just like Google does. When you search for Sennheiser headset in Amazon, there may be twelve different retailers that all sell them on Amazon. But you’ve got one that shows up at the top. How did that happen? That happened through search engine optimization or SEO. But just for Amazon.

So, with Amazon, you’re not optimizing your site anymore, you’re optimizing your product listing and your Amazon store listing. So, it’s a different thing. That can even apply to the iTunes store for your iPhone apps. You can do search engine optimization for the app store so that you can have the best time tracking tool, for example, in the app store.

Paul: Interesting.

Jeremiah: So, the search engine optimization can apply to a lot of things. I’ll take everyone back to that. Now let’s say for a moment that we’re just talking about Google, and I swear I’m coming back to answering your question here.

Paul: No problem.

Jeremiah: So, let’s say we’re focusing on just Google. Then we have to look at Google’s purpose just as we have to look at Amazon’s purpose. For a pizza parlor, Amazon does not apply. Right?

Paul: Right.

Jeremiah: Unless we’re talking about their new local listing service and using Alexa to find the best pizza around me, then it does apply. But, if we’re not talking to that angle, we’re talking about just Google and just this semiconductor business, then I need to look back at why Google exists. Google exists, and this is their kind of stated mission statement, to organize the world’s information and make it freely accessible. If that is their mission statement, then they are trying to get all the world’s information in one place and then make it freely accessible. So, every word in that mission statement is important.

When you think accessible, you think easy to get to because it’s in Google. But it goes deeper than that. They mean accessible as in like when I do a search in Google, the first result has to be the best and then the second result has to be the second best and the third has to be the third best. That’s what they’re really trying to do is trying to make it further accessible. Accessible is a big term for Google. They want it to be really good content that they bring back to you. So that said, we have to keep that in mind when we’re looking at optimizing.

If I’m a manufacturer and I’m developing products like headsets for gaming and stuff like that, I need to produce content on my site that is the kind of content that you stumbled across that really did a good job of selling you on something. I need to be producing that on my side, as my responsibility in order to do SEO properly for my specific application of what I need out of it.

Producing Good Content To Help Your SEO

Jeremiah: And so, for that, you need content and right now you still need links and you need really good user engagement on that page or on that piece of content. And user engagement is really looked at as when people click on the listing in Google and they come on to your site.

First of all, they can’t bounce. You don’t want them just disappearing right away because they didn’t find what they were looking for. You want them to scroll. You want them to click. You want them to read and kind of dwell on the site. That means that they’re actively engaging with the site and if they click around on a couple different pages, they are getting more and more engaged in the site. So, Google is watching all that they’re doing and that data is being fed back in via artificial intelligence, to a machine that then decides that that result is exactly related to the keyword search that came up so that the next time someone searches that keyword in Google, that result is going to be more likely to rank better. And that’s just an automatic process that’s consistently happening.

So really it comes down to – if we’re talking about doing SEO – that they weren’t doing SEO for Amazon or for iTunes but in regards to Google. It sounds like they were.

Closing

Paul: Well, we’ve been speaking with Jeremiah Smith of Simple Tiger. He’s an SEO expert, and they’re an SEO agency. As you can tell, there’s a lot of value here in what he said. As you’ve been listening, we’ve been throwing out book names and different things you should go and look at. All of that will be in the Show Notes so I encourage you to look there. You’ll find links to Simple Tiger and a way to actually contact Jeremiah.

Well I want to thank you, thank you for spending the time with us and who knows, maybe we’ll have you back soon.

Jeremiah: That would be awesome! I’d be happy to come back! Thank you so much for everything, Paul. It was an honor to be here.

Paul: Alright, thank you!

More Episodes:

This is Part 3 of our podcast with Jeremiah Smith. Stay tuned for Part 4, coming soon! We’ll be talking about if SEO is really worth it or not!

If you missed Part 1, an “Introduction to SEO With Jeremiah Smith,” you can listen to it here! And you can listen to Part 2, “SEO: Google & Artificial Intelligence” by listening here!

Computer Security: Is the Sky Falling?

On Episode 85 of The Edge of Innovation, we’re talking with hacker and security expert, Adriel Desautels of Netragard, about whether there is any hope for computer security.

Is There Any Hope For Computer Security?

Paul: So let’s flip the coin over now. Is there any hope for computer security?

Adriel: I don’t know.

Paul: Yeah, that’s fair. So, you know her. Both of us know her very well — Chicken Little. Is the sky falling?

Adriel: It is. Yeah.

Paul: I mean, are you saying that because you’re on a talk show or…?

Adriel: No.

Paul: Because you can only say that a certain number of times and then people say, “Oh, you know, he wasn’t right,” or whatever. Or we’re overreacting, or we’re trying to inflame the situation. So talk about that a little bit.

Adriel: Yeah, so the sky is definitely falling and the security industry as a whole is perpetuating it which is a pretty bold claim, but a lot of the real researchers and real hackers are fed up with the BS in the security industry. I think maybe I talked about this previously, but if you look at the security solutions that exist today, they don’t really solve anything. They’re maybe partially effective at best.

I was walking through the airport — and actually one of the reporters from Gizmodo actually wrote a story on this. They walked through the airport. They saw the same thing. There was this sign up on the wall for Barracuda, for a web application firewall, and it said, “Stop breaches today,” or something like that.

It’s Not Possible to Stop All Breaches

And I’m thinking, you’re a web application firewall, and you’re talking about stopping breaches? And it was pretty inclusive. It was kind of like “Stop all breaches.” You know, people are going to buy that because they’re going to think that it makes them safe. And we’re just going to social engineer somebody and compromise the entire infrastructure anyways. So, you have the security industry selling technology and blatantly promising things or marketing things that people believe, but those things aren’t even close to being true.

You know, another case in point is, not to pick on anybody, but FireEye — because they deserve to be picked on — they were being used by Equifax. We all know this. This is public knowledge. If you read FireEye’s literature — do a search for “FireEye zero-day block or prevention” — they clearly say that they’re going to stop zero-day exploits from putting you at risk and compromising your systems. Well, maybe they didn’t pick up the Apache Struts vulnerability that resulted in Equifax being breached. Maybe as my partner would say, “It’s because it was a known vulnerability and not a zero-day.”

Paul: Or they could say, “Well, we didn’t mean that one.”

Adriel: Right. Well, so in their literature, they also say, “We block things that conventional systems won’t.” I’m sorry. Snort’s pretty conventional, and Snort was very successful at detecting that vulnerability. So, and it’s not to say that FireEye doesn’t work. It’s not to say that these technologies are useless, because they’re not useless. They are useful but only to a degree. And what needs to stop happening to stop the sky from falling is they need to stop telling their clients that they are protecting them. They need to stop saying that they are entirely effective. Because what that does is that produces a false sense of security. And so when people have a fear, they go and they buy this technology. Then they feel safe. But it’s kind of like buying body armor that’s made out of cardboard and thinking you’re safe in going to battle. You’re going to get shot. You’re going to get killed. Right?

And you see companies being breached left and right as a result of this.

Paul: Right. Interesting.

Understanding What To Protect When It Comes To Security

Adriel: And then the second thing that people are doing that is causing the sky to fall — and businesses are as guilty of this as everybody else — is they’re building their defenses based off of generic ideas and assumptions. They think that they understand what they have to protect, and they think that they understand how they’re going to be breached. And they think this without actually having any exposure experience to how hackers are going to breach them. And they think that they know this because they might have purchased a lightweight penetration test or perhaps they read some kind of threat intelligence report. But they’re always wrong. And the way that you know that they’re wrong is because if they really knew how to protect themselves and if they really knew how they were going to be breached, then they wouldn’t be. These breaches wouldn’t be happening.

Case in point. We were testing a fairly large client of ours, actually, located here in the US. They had a relatively secure network except for the printer. And what my team ended up doing, was we found out that we could access the printer. When we say that the printer had an email address, that it was configured to send printouts or to email documents to when they were scanned in. And so we said, “Well, alright. Let’s check this out. Let’s see what these credentials are.”

So we were able to change the SMTP server to a server that we controlled. And we were able to get this printer to authenticate to us. And, of course, we captured the credentials. Lo and behold, those were domain admin credentials. We took the entire network.

So they protected all their assets. They were using state-of-the-art technology. There was this new company that came out. They have this AI product that they talk about. They were using that product, and they were using some other technologies. And they protected what they thought was everything — except for the printer because who cares about a printer. Well, we do.

Paul: When was this? Was this a year in the past year or…?

Adriel: This was probably six months ago. Five months ago.

Paul: So this is a contemporary story. It’s right now. It’s not like “Oh, this was six years ago.”

Adriel: No, it’s today. It’s right now. And so this AI technology that was supposed to detect all this anomalous activity, it didn’t report on anything that we did.

Paul: Well, it wasn’t anomalous.

Adriel: And the reason why it didn’t report anything is because when we breached the network — just like when the bad guys breach a network — they mimic the behavior of your admins. So if I break into a network, and I’m doing what your admins do, and I’m using his account or her account, why is it going to trigger? You tune that out.

Paul: Exactly.

Adriel: I’m in your network. You have no idea. So, the security industry would say, “Oh, we’ll sell this solution that will detect everything and make you feel good, and you’ll protect everything.”

The client buys it, and they think, “Oh, this is wonderful.”

And the hackers are like “Yeah, no. Not really. And here’s why.”

Paul: They just go in the back door. So they bought a very good front door.

Adriel: Right. Yep, they bought a very good front door, and they didn’t think that they had to worry about the trash can hiding outside because it was a low priority thing. But they also thought that nobody would put anything inside of the trash can. So when they brought the trash can in the house, it would blow up.

Paul: Right. Exactly. That’s a good analogy.

Adriel: Yeah. That’s really what it is at a very high level.

Why Security is Not Getting Better: A False Sense of Security

Adriel: And so those are the two reasons why security is not getting better — well, two of the primary reasons, anyways — why security is not getting better. It’s because the security industry is perpetuating a false sense of security of products that are marginally effective, and it’s not to say that they’re all equally bad. There are some that are pretty good, but they’re still not 100%. Nothing is 100%. And then the second issue is people believe they are protecting their networks based on what they think is important without contacting a team, like ours for example — without contacting a team that can hack them, really hack them, show them how they will be breached and then provide them with intelligence about how they will be breached.

And I tell you, when we told that customer “Hey, you’re compromised. You’ve got a main through a printer.” They thought, “Whoa. Wait a second. We’re going to look at this differently.” And that’s how every single business is. Every single business today, this is where my credit card information is stored. This is what I have to protect. Well, that’s great. I’m going to go through this guy’s desktop instead because he opens every email I send him anyways. You know? It’s almost always that way. People tend to focus on what they think is important, and they tend to lose sight of the other things that kind of hang off the edge, the low-hanging fruit. And that’s how hacks happen.

We get in through the easiest path. We move laterally, horizontally, depending on what we have to do. And go from one lower privilege area to the next higher privilege area, and we keep on getting more and more privileges until we have full control over everything. And by the time we finish breaching an infrastructure, we quite literally have more control, more access, and more authority than anybody else in the business.

Paul: That’s funny.

Adriel: Right? Yeah. So thank God we’re the good guys. But there are bad guys out there that do the same things.

Paul: Yeah, of course.

Why Doesn’t Tesla Let People Fix Their Teslas?

Paul: So this is a little bit of a tangent, but let me get your thought on this. Something I hadn’t considered. But I stumbled on this guy on YouTube. His name is Rich Benoit. He’s from Massachusetts, and what he does is he hacks — not really hacks. I mean, yes, in your definition of hacking and in my definition of hacking, he hacks Teslas.

Adriel: Right.

Paul: And what he wanted is he wanted to build his own Tesla. So he bought a burned Tesla and tried to fix it. Now, he seems like a genius because he was able to fix it. But he stumbled on something that Tesla doesn’t make any information available. There’s no service manuals. There’s no parts. There’s nothing. And in Massachusetts, we have a Right to Repair law, which says that you have to be provided the information to be able to repair your technology or whatever it is. But there’s a catch in there, which I didn’t realize, that it says they have to… So, let’s say Apple has to provide the same tools that Apple provides to its dealers. And so for a car repair, they have to — like GM, if they’re going to give their dealer this tool, you have to, as an individual citizen, have to have the privilege to be able to buy that. Tesla doesn’t give any tools or any documentation to its dealers. They do all of that service themselves.

And so you’ve got this guy out there, and he’s been relatively successful. It’s really, from your definition of a hacker — somebody who is going to be doing something you’re not supposed to be able to do — and really disassembling it and taking multiple Teslas and taking them apart and putting them together. But just what are your thoughts on that? Because it was an interesting curveball that I thought Tesla was pretty progressive, and I was really shocked like why wouldn’t they let people fix their Teslas?

Adriel: I don’t know. So one of my friends, actually had dinner with Elon Musk at DEF CON. I don’t know much about the dinner that went on, but the fact that Elon Musk went to DEF CON made me think, “Well, jeez, this guy must really care a lot about security.” And hearing him talk and things like that about security also makes me think that he’s very passionate about it, and he cares a lot about it.

My suspicion is that Elon Musk sits at a very high level in the company, and there are a lot of people that sit between him and the cars.

Paul: Yeah, that’s true.

Adriel: And I’m wondering if, perhaps, some place in between there, his passion for security is sort of defeated by the drive for the business or the need to keep things proprietary or things like that. But I’m not sure. I believe that Tesla has a bug bounty program now. So, from that perspective, they definitely condone the hacking of their cars from a security perspective. And honestly, if this guy is tearing apart broken down Teslas and building up new Teslas, he comes across a bug, I’m sure he could approach Tesla and say, “Hey, here’s a vulnerability.”

I don’t know why they’re not making it easier to do, though, given that they have a bug bounty program. It could be just a political disconnect internally or there could be ulterior reasons that we’re just not aware of.

Paul: Sure. Absolutely. It was an interesting thing that I hadn’t anticipated.

Autonomous Vehicles & Security

Paul: So, I’ll get the next question. I think this might be one of our last ones. It is what do you think about autonomous vehicles, given the security profile?

Adriel: So I know that I can kill you if you drive a car that is 2006 or older, just because of how vulnerable the networks are. I think that autonomous vehicles are a great and very convenient idea — and I use the word “convenient” deliberately. Convenience is sort of the anti-security. Convenience is what drives people towards vulnerability. A case in point. Critical infrastructure systems were not designed to be connected to the internet. But how convenient is it that we can connect them to the internet so we can get readings off of these systems from afar as opposed to getting close to these systems and picking things up locally.

Well, you look at autonomous vehicles, and the state of security as it exists today, it terrifies me. I think it’s a great idea. I think it’s something that’s necessary, especially as people age. As I get older, I don’t want to be stuck at home because I can’t see or I can’t drive safely. And I know I don’t want to drive if I can’t drive because I’m not able. I’d love to have an autonomous vehicle. But I would not love my autonomous vehicle to be hacked so that it drives at 120 miles an hour into the side of a building. You know? That’s not a good idea.

And the fact that these things are being built on vulnerable technology, it really terrifies me. I do think that if we’re going to be building autonomous vehicles, that we should be building them on a platform that’s made by something like Green Hills Software.

The “Integrity” Computer Operating System

So Green Hills Software is a partner of ours. We’ve done a lot of work with them from the past, and we still do. They make an operating system that’s a real time operating system that’s called Integrity. Integrity is the only computer operating system — in fact, it’s the only piece of software that I’m aware of — that received an EAL6 certification from the NSA.

So, to put this into perspective, if you look at things like Microsoft Windows and every other operating system, they’re all EAL4 certified. What EAL6 means is, the fact of it, there is no vulnerability. Now, when we first met with Green Hills, we actually took one of their devices, and we spent a lot of time trying to hack one of their devices. I put eight of my zero-day guys on it. And these are guys that tear apart telephones. They tear apart everything.

After several months of them trying to find something, they all became very frustrated and gave up because they could find nothing.

Paul: Wow.

Adriel: Now, to kind of get an even deeper perspective, this system has gone through mathematical tests. So Integrity has gone through tests, and those tests demonstrate true separation between processes and they really demonstrate at a very, very high level — you know, layman’s terms — that there is no vulnerability in this technology.

And so if you’re going to be using technology in cars, don’t base it on some Linux derivative or Windows or what’s being used today. Go and base it on Integrity. Integrity is currently used in our fighters. It’s used in submarines. It’s used by the military in lots of different places because it is that secure.

Paul: I see.

Adriel: So they actually have quite a big user base. In fact, they’re used in many of the Boeings now, so they’re really used in different places where people actually care about security.

If these companies were to use something like Integrity, I’d feel pretty good about the autonomous cars as long as they couldn’t be fooled by putting something in the road. But if they don’t and these cars stay hackable and everything stays as vulnerable as it is, I really don’t want to have anything to do with it because I don’t want to see what happens when somebody exploits something and causes my car to do something crazy.

Paul: Wow. Yeah, I can just see Windows on a car. Or any operating system, really. That’s cool.

Adriel: Right. Yeah.

The One Piece of Technology That Can’t Be Hacked

Paul: So Green Hills.

Adriel: Yeah. Green Hills Software. They’re a close partner of ours. We’re actually trying to talk about them more and more only because they quite literally have the only piece of technology that we have ever seen that has never been vulnerable to anything. If you look up Integrity OS, I think it’s in the National Vulnerability Database, you’ll see every other operating system has vulnerabilities, and they’ve all had vulnerabilities. Green Hills Software, their Integrity platform, zero vulnerabilities ever in history.

Paul: Wow. Now you earlier said there was only one piece of technology that you could never hack. And is this, that?

Adriel: That’s it. That’s the only one.

Paul: Oh, cool.

Adriel: That is the only one. And trust me. We have tried, and we were convinced, when we first saw this thing, “Oh, there has to be a vulnerability somewhere.” But I can’t tell you how they do it, but if they were to explain to you how they do what they do, it would make a lot of sense. You’d say, “Well, of course there’s no vulnerability in this.” It’s really pretty remarkable. But we were convinced that we could find a flaw in something because you give us a page of code, and we’ll find a mistake.

Paul: Sure.

Adriel: The way they do it is they’re… I mean, it’s really brilliant. It feels weird for me to say this, but there’s no vulnerability.

Paul: That’s really cool. So it’s possible. There is a place where the sky hasn’t fallen completely.

Adriel: Yeah. Well, it’s possible because it really boils all the way back down to Dan O’Dowd, who is their founder and CEO. He had an idea about how to make things secure, and he did not bend. He did not waver. And so when he implemented this idea, everything had to adhere to this idea. And he was right. He said, “This is how we are going to make software, and this is what this software will do, and this is why it will never have a vulnerability.” And he’s right. The amount of energy they put into making their technology and developing their software and the degree of security around it is phenomenal. So it’s really an impressive thing.

Now, could anybody else do this? I don’t know. I really don’t know. And not without completely resetting everything and doing everything from scratch. I mean, they’d literally have to just get rid of everything they’ve ever done and start from scratch.

Paul: Sure. Of course.

Adriel: Because you can’t go backwards once you’ve made mistakes like that.

Closing

Paul: So, cool. I think we’re getting close to the end of our time. Any things you want to leave our audience with?

Adriel: Not really. I mean, I’ve kind of covered everything. If you need good penetration testing, you can come to us. Visit our website. We’ll hack you. We’re not just going to scan you. We’ll actually hack you and show you how you’re breached.

Paul: Very cool. Well, all of the show notes will have all of the links and everything we’ve talked about today. And I want to thank Adriel Desautels from Netragard and I really appreciate you coming on. And look forward to doing it again soon.

Adriel: Sure. It was my pleasure, Paul. Thank you.

Paul: Alright. Thank you.

More Episodes:

This is Part 3 of our interview with Adriel Desautels.
If you missed part 1, about what’s new in the world of cybersecurity, you can listen to it here! You can listen to Part 2, “Why Does The Hacker Hack?” here!

Show Notes:

© 2024 Paul Parisi
