Ransomware in SaaS: When 3 Levels of Redundant Backups Failed | John Goecke | CEO, StratusVue

Overview

In this session, John Goecke (CEO) discusses with Venky how everything changed for StratusVue after a ransomware attack in 2018.

He shares how the construction industry is a soft target as there is no regulatory oversight, unlike in banking and healthcare, and security is always an afterthought for business owners.

Along with all this, he explains complex terms like zero-day, zero-trust, FedRAMP, etc., in a highly rudimentary way.

Indusface

Indusface is a leading application security SaaS company that secures critical Web, Mobile, and API applications of 5000+ global customers using its award-winning fully managed platform that integrates web application scanner, web application firewall, DDoS & BOT Mitigation, CDN, and threat intelligence engine.

Key highlights from the discussion:
  • Cybersecurity in the construction industry
  • API protection processes at StratusVue
  • The story of 2018 ransomware
  • Trust but verify your security!
  • IT security spending in construction companies
  • Becoming security compliant for Federal projects
  • Country-wise data sovereignty
  • Verifying, knowledge sharing, and auditing for security
  • Security - a business enabler & not an after-thought

Transcript

We are a construction technology firm based out of the Chicago area in the United States. StratusVue manages construction projects worldwide. Everything that used to be a piece of paper and a workflow, like an architect drawing plans or writing specs, is turned into a PDF, an Excel, or some Autodesk product.

What we’ve done over the last years is to convert everything that used to be a piece of paper and those workflows and put it up into the cloud for people to be able to manage construction.

We are a 100% SaaS platform focused entirely on construction and real estate. So not just the building process, but we also manage to tie together the information when a building operates.

When I got out of school, I worked in construction printing, and that’s back in the day of blueprints. There used to be big rolls of paper around and lots of stacks of paper, and that was in the 80s and 90s. And we saw the evolution of paper going away. From that, we started writing technology, probably from 2000 to 2003, in parallel with the printing companies.

Then in 2008, the printing companies were consolidated. They bought all of our companies.

They also thought at that point that the Internet was a fad, and they didn’t like it. So they let us take the software and convert it from a product-based e-commerce purchasing system to a workflow and document management system, digital rate, etc. So, it was an interesting segue from the analog to the digital world.

It took a few years to transform it from e-commerce. I would say it was 2012, 2013-14 after we survived the craziness of 2008, and everybody was looking for efficiencies or the ability to save a dollar.

So what we did was we educated the industry on how to convert from distributing mass amounts of paper to distributing the FTP sites. It was probably all done by 2015 when it hit the full SaaS model.

So, we have contracts and agreements in North America. We have some in Mexico, Canada, and the United States; part of our 2023 and 2024 efforts are to expand.

We have hosted projects in the EU. What’s interesting is that when we have specific projects, participation happens globally.

We were the software used for Skyscraper of the Year, accessed in 26 countries for the engineering that was done all over the world.

The agreement was based out of Chicago or the United States, but the amount of collaboration happened globally. At this point, we actively have participation in 65 countries.

From the hosting perspective, we have our own data facility. We have an active-passive setup where we roll over into the public cloud: AWS, Azure, and OCI (Oracle).

We do create redundancies depending on the customers that we serve too. And as far as the tech stack, it’s nearly a three-tier: business layer, application layer, and presentation layer.

All of this was in Microsoft stack when we started. The biggest change I’ve seen over the last 5 to 7 years is switching around from the frameworks that are a little slow and sloppy to API-driven and much more functional or user-friendly user interfaces.

We have a big process going over to react.js for our web apps.

We’ve worked in React Native for mobile for the last three years, and before that, we made device-specific applications.

Correct. We built in ETL that enables all of our APIs to be consumed in a metered and monitored format, pretty protected in what we do.

But what we did when converting: we’re still a Microsoft stack and do the traditional frameworks.

Having converted to an API service method made it much more consumable by integration partners, by clients with their analytics.

We have protected APIs that you need specific keys to get to, and we rotate or roll keys regularly. For the testing of the application, we use Indusface.

We have a security group that monitors who has access. Although users may be able to see an endpoint, they can’t access anything without going through a security review.

We pay attention to that all the time.

Here is a little back story:

In July 2018, we were crypted. We were compromised on three of our five brands. It was interesting because we had been under a regular scan through different parties or pen-testing for the OWASP Top 10. But they could come in through a known Microsoft flaw.

At that point, we changed our security methods to our access methods. I know that the buzzword out there these days is zero trust. It still comes down to humans in every regard.

Our production environment is hard-locked. When somebody comes in from a development perspective, we require three stages of security review to get into our environment:

They start in a staging or a development environment, then go to a QA, which is the big security review. And then, ultimately, QC is the last step before we get to production.

So, we have put in a solid framework and access point. Regarding the injections, every week, we actively look at the opportunities for the injections with authentication and without. Because there are some interesting ways now that people used to get in.

We take a very prognostic approach to ensuring that we’re in a good environment when people access data.

Everything changed.

Before that, we had a full-time security consultant and somebody internally dedicated to this process. From an executive or C-suite level view, I trusted that everything we had established over the years was being followed.

2018 taught me to trust but verify. And it introduced the lowest level of access at a much stricter level and segmenting of who and what.

So, from the hardware standpoint, we broke that down into three steps. From the software standpoint, we broke that down into three steps. From the audit standpoint, we broke that down into three steps.

Originally what we had bullet pointed of maybe five key things that we monitored suddenly became 15, and no single person could access all 15.

Logically, again, I think most failures come down to human failure. And in 2018, it was for us; it was a human failure.

Even though there was a known vulnerability in the Microsoft stack, there were steps to mitigate that risk. And the steps weren’t necessarily followed. So instead of trusting everything was being done, we went through a release level, a quarterly level, a semi-annual level, and a much deeper annual level of third-party eyes.

If you think about 2018, when they crypted us, the transference of bitcoin was illegal; you couldn’t put it on a credit card and go buy Bitcoin and do everything.

And we did end up paying a portion of it till we were under security.

If you think about the process that was involved in getting it back:

  • Step one was remediation.
  • Step two was verifying.
  • Step three was analyzing where those mistakes were.

So ultimately, it came down to trust but verify; verifying at a corporate level was where we had our biggest change.

When we get to the bigger agreements we have for enterprise-type access, that conversation is now required.

In 2018 there was no requirement, and 2018 was the beginning of the big crypto stories we heard back then. It was occasionally, and nobody liked talking about it.

Construction companies are not known for spending on IT. So, they were particularly vulnerable over the last year. A lot still are.

Depending on the firm’s size, if you build $10 million worth of buildings every year, you’re considered very small, and you maybe spend a 10th of a percent or 2/10 of a percent on IT.

Well, what it ended up being was that construction became a big target. Because typically, even though it’s $10 million and that’s small in volume, it still gives you the ability to get in the middle of a cash flow of $10 million.

So, the little guys are aware and fearful, but they still don’t necessarily take the steps.

Since the whole adventure began in Ukraine with Russia, we have seen an elevated approach in construction companies.

Every construction company needs to get insured and bonded and have certain controls in place from insurance companies. Insurance companies are now putting a requirement in for them to get their bonding and insurance to have a method to guarantee security.

I see now the evolution of the insurance companies, and the people who control the money are getting into the game.

Now, the federal government in the States has started mandating something called DFARS. It’s NIST compliance. And if you were to do any work for anything federally funded, you need to have certain security requirements.

The billion-dollar companies are the ones that do 400 or 500 projects yearly that are $5 million to $50 million. They’re spending $10, $12, $14 million. And when you have that backstop, you can be better suited to deal with intrusion detection and prevention.

So, it’s very relevant. It’s coming to market in our space more than it ever has.

If you talk about finance, banking, insurance, everything that involves a dollar is regulated, and once you’re regulated, you only need to conform to a set of standards.

But construction data is non-regulated, although there are accounting and ERP systems, which are typically not front-facing to the web. But their financials, which are more around job cost, not true accounting, are unregulated information.

So when we did our integrations into these accounting systems, the number of reviews we had to get into to be able to write via API through the ETL into their environment is why we have you!

We need somebody to look at what the APIs push and what the APIs consume. So, construction companies on the web are starting to tap into the water of regulated data.

And it’s interesting, I think there’ll be a paradigm shift in 2025 and 2026 where there will be the haves and the have-nots. And it’s all going to be based on technology.

Australia is very strict that if you are building there, data management has to be within Australia’s borders.

Saudi Arabia has data sovereignty; they are building that 20-mile-long high-rise over the next 15 years. That will be the new shocking building of the world. We’re familiar with the contractor involved and the steps they’ve had to take.

When you talk about data sovereignty, we’ve run into it where we’ve made decisions based on places where we can provision in a web Gartner and Forrester environment to have an instance running in Australia or have an instance running in the EU. Everybody’s got data sovereignty.

When we did it, it was running in that environment. We would make provisions specifically for an entity. And when I say we have multiple brands, we’ve got two big front-end brands, the StratusVue, and then we’re a white label for one of the ERPs.

But the other white labels, one of them is very specifically related to data sovereignty and a foreign nation where it could not be hosted in our environment. So if you look at that, everybody has their version of a FedRAMP.

When you need to go through the security, you need to make it run; you need to prove it up. And then once you make it through their certification, you’re good to run in there. Their environment is under sovereignty laws.

I think the most important thing is to let an external entity verify.

I think that there should be security teams internally. You’ve got your application, but you also have your systems, and somebody needs to have a broad knowledge of what you may do. And it’s not just for SaaS; this is for everybody.

Everybody is going to online accounting now. And whether that’s a little guy who’s using QuickBooks or a big guy who’s using Oracle. Oracle spins you up a provision, and it’s up to you at some level to understand that.

I still think the most important thing is exposing yourself to somebody else. You can trust your people but have somebody else verify it. Trust but verify.

In a bootstrap or a seed round of a startup coming to market, they go out and think that they can get an application that will test for them, or they can buy a piece of software and run it against their code, and they think that they’re covered. It’s not true.

Everybody goes, I ran the application, and it checked against OWASP top ten, so I will release this to production. That is an enormous risk.

So when I talk to people about going through and getting a pen test, I’m like, “Have you had a pen-test?”

And they’re like, “Yeah, they weren’t able to get on our network.”

I’m like, “That’s not a pen test. A pen test is giving them administrative credentials into your environment and seeing what they can do with those.”

And they’re like, “Oh, I would never do that.”

So, when I talk to peers or startups or whatever it may be, I know that money is always tight. It’s just the way of the world.

But there’s also a certain amount of comfort in being able to sleep. Because if you are the purpose of somebody logging into a corporate environment that causes disruption, either through malware, crypto, or compromise of any level, you’re out of business, and that sticks with you.

So, startups and smaller entities think that they can buy a piece of packaged software, and they think that that has protected them because they hit all the punch lists on this application.

Yes, it can be more than a couple thousand dollars. It is worth your time and effort to Trust but verify!

Next, Backups!

We’ve seen every entity get compromised. You still need that final check to make sure it happens. And pay someone else to do it. If it’s in AWS, get a service that sends you a tape once a month to an offsite facility. Yeah. Back up your data.