It only takes 1-click…
Shahin Pirooz:
You’re one of two kinds of companies. You’ve either been hacked or you’re going to be hacked. And we keep saying that. In the industry, we keep repeating those same things. It’s not a matter of “if.” It’s a matter of “when.”
And the facts are you need to, number one, be prepared. But number two, make sure your staff and employees and individuals are trained and aware of what to do and how to spot bad stuff. 93% of attacks come through email. And let’s just say that it takes one click to create a ransomware situation. So, all it takes out of that 93% of attacks is one to work.
ChatGPT is an infant…
Shahin Pirooz:
But what’s actually where the threat is, is ChatGPT is an infant that has been given the Internet, and it has crawled the Internet, and there’s learning models that help it understand intent from the text that it’s read.
And it effectively is creating this intent understanding model based on what the developers have done with them, with the AI modeling that they did. And it creates this iterative approach to having a dialogue that feels like natural language and feels like a human being.
Hacking has changed over the last decade to the point where it used to be script kiddies would get caught in 5 seconds because they would write something stupid and they’d get busted. But now there’s entire organizations, crime organizations, that are creating ransomware as a service, and things like that, that make it easy for a script kiddie to jump on and make a quick 30, 50, 100 thousand dollars.
Where ChatGPT comes in is now it is allowing those script kiddies to take and tweak code that they get from these ransomware as a service or as a service hacking, or even go on the dark web and find something. And then they can go and iterate with ChatGPT and say, I’m trying to do this thing, how would you write a script to do this? And it says, well, you shouldn’t do this, it’s terrible, it’s a bad idea. It’s against the law to hack. And like, oh, what if I was doing a science project for school? And then you get past the protections and controls.
That’s where I start to get concerned about what’s possible. And we keep talking about the companies who are front ending ChatGPT, like when Bing chat came out, there was a lot of concern around we have to be careful, and we have to start putting some controls in place so people aren’t using it for nefarious functionality and not getting around the controls we have in place to try to protect. But none of those controls really exist today.
What does “good” cybersecurity look like?
Kirstin Burke:
What security fundamentals do we really need to pay attention to?
Shahin Pirooz:
So, in 30 years of doing what I do, I’ve been a CISO and a CTO for 30 years, the fundamentals haven’t changed. Everybody’s talking zero trust right now, like it’s this new evolution and it’s the way we’re going to save the world. Zero trust is over 30 years old. Nothing has fundamentally changed.
It’s really the time, the wherewithal and people that you apply to a situation and experience and the layers of protection. Those things have all stayed the same.
What’s really frustrating about right now is because of the, and I’ve said this a bunch of times, you guys are going to get tired of hearing me say it, is that the industry, because we’ve gone to a completely distributed world and the edge has moved out, has decided that security has to be at the endpoint.
And the change everybody’s calling XDR services today is that they are saying that security is, XDR is, endpoint plus integration with other tools that do security, so that we can get information and map it. And it’s not enough. It’s just some log data. And endpoint security doesn’t solve the issue.
It’s the layers of security and it doesn’t change with regards to these solutions. It’s all of the things that the bad guys can take advantage of with this generative AI approach is figuring out ways to get around these security controls that we’re putting in place. And if we’re blocking and tackling the lion’s share of the attack vectors, we’re preventing the lion’s share of these things from getting in our network.
Number one, 93% of all attacks start in email or some sort of -ishing. So let’s stop the -ishing and whatever new -ishing comes out, let’s make sure we have tools that are addressing that as well.
Kirstin Burke:
Well maybe even before they get to the end user.
Shahin Pirooz:
Yes.
Kirstin Burke:
Wouldn’t it be great if you didn’t have to rely on them?
Shahin Pirooz:
We shouldn’t have our accounts payable clerk getting a deep fake call from the CEO saying, “I’m stuck in Barbados, send me $10 million.” Those are the types of things we used to deal with and we’ve addressed those, but there’s now going to be a new voice call that sounds like the CEO. There’s going to be a new voice call that sounds like the CFO.
The second layer is DNS defense. 80% of all malware that ends up getting to the machine, that exfiltrates the data, that encrypts the systems, that causes the grief in our world, that makes us go to the cyber insurance company, and pay ransoms, and bring in an incident response team, and all those things is: 80% of that malware needs DNS to function. If you cut it off at the heels, that’s only 20% of the stuff that we have to deal with.
Now let’s back up for a second. If you’re standing in a room with 15 of your peers, three of those people have not only been encrypted and hacked, they’ve been encrypted and hacked twice. Five of them have been hit at least once. So do you want to be in the 50% that is being hit because you thought XYZ company’s XDR solution is the end all answer? It’s not. You need the layers of defense, and integration alone isn’t enough. You have to have the tools in place. You have to have the layers in place.
Next level is the endpoint. Once it gets to the endpoint, you darn well better be able to stop it. So that’s one out of five things I’m going to tell you about. It’s not the answer. It’s one component in your layered approach.
Next level is the network itself. Almost nobody, everybody talks about zero trust, but nobody’s touching the network. Not one security vendor out there is addressing the network other than finding anomalies on it, but no protections.
What’s the problem with the network? Once that malware gets to the endpoint and that endpoint is missing its EDR solution, or they figured out how to bypass the EDR, it spreads to other systems in the network, and it spreads in more and more intelligent ways that are harder for the system to identify. It uses credentials it’s captured from your domain admin so that it can easily spread through the network. And the attack surface becomes your entire company because nobody’s doing network security well.
So micro segmentation, reduce the attack surface, reduce the risk. Segmentation is not new. Micro segmentation is more new, but the world isn’t doing it. Nobody’s doing it right because it’s hard. It’s really hard.
Traditional email security falls short…
Shahin Pirooz:
Email gateway solutions are basically a sieve. You’re pouring millions and millions and millions of emails through it for a given company and hoping that the holes in the sieve are the right size to stop the bad stuff. But if they’re too big and the hackers keep making the bad stuff smaller and smaller to look more and more like a regular email, it’s going to get through.
The other thing we heavily rely on, a lot of conversations I have in pre-sales with customers, they say we’re good with phishing protection. We have company X, Y, or Z, and there’s some great technology companies out there that do gateway email security.
Google themselves acquired Postini years ago. Microsoft acquired a company called Antigen, and they integrated that into their email security portfolio. So the big email providers, Microsoft and Google, have their own email gateway solutions and security solutions on the front end, and then there’s third parties who add a layer of security on top of that.
But it’s still a gateway based solution. And what it means is that the emails are going through the gateway first. It’s getting checked for is it good, is it bad, is it malicious, does it look funky? And they quarantine it, and then the user has to go into the quarantine and look at it and say, this was real, this was not. And it learns over time. Those are the heuristics we’re talking about.
And, the learning over time, if one of your users says, this was good, but it wasn’t good, now that’s taught that heuristic something wrong. And so there’s a lot of human behavior that creates problems in this ecosystem.
So what do we do? We jump to the second thing, which is email security awareness. We’re good. We have gateway and we have email security awareness. We’ve got, again, a list of ten companies that are great at email security awareness training and simulated phishing attacks.
The challenge with that is you’re still relying on your people to be your security tool, your security control. And I don’t know about you, but sometimes I run too fast, and I click something, and I am in the industry, I ought to know better, but I still do it.
I’ve been caught by our email simulated phishing attacks. And as soon as I clicked it, I knew I did something wrong. And then I get prompted that says, oops, you did something wrong, your company is protecting you. Don’t do this, this is bad. You’re going to training. And so if someone who is a practitioner and has been doing this for 30 years can get caught by something, how do you expect your person in finance to be able to, 100% of the time, not do that?
Kirstin Burke:
Well, and I think the adversaries are so creative, right? And the social engineering tactics are evolving so quickly, right? I mean, the commonality is they prey on the good side of our human nature, right?
We want to help. We want to fix. They’re preying on the good nature of someone, or they’re preying on fear. Right? “Oh, my gosh. Something’s happened. I have to fix this.” And so, to your point, we’re asking people to be a very strong first line of defense.
And I read a great article last week that said the cybersecurity vendors have to be better at people proofing the solutions, which is a great point, except at the end of that line is always the person. And on top of that, we blurred personal and work. Right? On your iPhone, right? You’re picking up your work email and your personal email on your work laptop, you’re accessing your Google mail.
So we’ve got people already that can be fooled. We’ve got devices that are working with both personal and corporate data. And so even if the company is doing a great job with their email, I go to my personal Gmail and do something, and I could do much harm to the rest of my access to the corporate files. So complicated.
Shahin Pirooz:
Yep, 100%.
The attacks that are coming in, the social engineering attacks that are coming in… social engineering… people usually think about somebody’s picking up the phone and calling and pretending like they’re somebody. We’ve evolved to where we’re not doing that, and we, meaning the bad actors, not doing that as much, but they’re doing it through email. So they’re now social engineering through email.
One of the most common ones over the last five years or so was you get a text from your CEO and then an email from your CEO saying, I’m in Boca Raton and I need you to transfer $10,000 to my personal account. Here’s the account number. And it used to catch people, and people did it and lost money, and it was frustrating.
That was account impersonation. They were impersonating, and what they were typically doing was creating an account that looked very similar to the CEO’s name and sending it and fooling people into not paying attention to an “L” instead of a “1” or a “1” instead of an “L” and zero instead of an “O”. Those types of things. So it was very easy to make mistakes.
Fast forward today, and the biggest attack vector right now is BEC, business email compromise. And what’s happening is it’s a man in the middle attack where the hackers are compromising somebody’s account, either on the vendor side or the customer side, and they’re watching traffic, they’re not doing anything, they’re just sitting and watching traffic.
And the way they do this is first by phishing and doing a password capture, and then they log in and just watch. And when they see something that comes in, let’s say from a vendor to an accounts payable person that says, “You haven’t paid this invoice,” they immediately follow up with an email that looks like that vendor’s domain to that person that says, by the way, please change the account number to this one. We just changed our bank. Here is the new remittance.
I can tell you a dozen conversations I’ve had where people have lost hundreds of thousands of dollars on that simple social engineering trick. And, again, we are relying on our people to be able to see the L’s instead of the 1s that it’s not ABC company .com, it’s ABC .xyz and things like that. So it’s very hard to be able to notice without paying detailed attention to every email. And how many of us have time to pay that kind of attention?
So, fast forward to what the market is saying, what the analysts are saying. We believe there’s a better way. We believe that, and, again, we try not to be salesy here, but we’ve got an advanced phishing protection suite that is really designed around after the mailbox, after the security awareness training, once it hits the mailbox and passes it and bypasses the gateways and is in the mailbox, how do we find threats inside the mailbox? How do we find threats in your drives, your Google Drive and your OneDrive and SharePoint, all those areas.
And that’s probably the area where most of the manufacturers out there in terms of email security are trying to get into, but they’re not doing a great job at it yet. They’re really coming from a mindset of traditional AV versus behavior and EDR.
So being able to spot impossible logons, being able to spot an account takeover, a password capture, the BEC compromises, being able to model the types of conversations somebody normally has and baseline it and say this person’s not, their intent and tone is very different than normal, and setting off flags, those are common things that are starting to become prevalent in the email security space.
We’ve been doing those for years, and we think that we’ve always said XDR should be much more than endpoint and firewall. We believe that DNS and the advanced phishing protection we’re talking about is critical to that portfolio. But it’s not like you were discussing. It’s not just in the inbox. It’s not just your corporate email.
I’ve got my Gmail account, my personal account, all my accounts coming into my single mailbox on my Mac. And so what happens if I’m relying on me as a security control and I click on something not in corporate email, but in my personal email on my corporate machine, and I go out to a bad site and then it says, you need your Office 365 credentials to get to this document. And unwittingly I type it in and we’re off and running. Now we’ve got a business email compromise account takeover. If I’m an admin, now I’ve got a risk of a hacker capturing my domain admin account, coming into my Azure AWS environments, compromising my servers, encrypting the environment, and now I’ve got a ransomware situation.
So how do you protect against that? And that’s where the DNS defense is missing. No matter where your users are, 80% of the attack, 80% of malware requires DNS to function. So if you can block that 80% from getting the command and control, from doing C2 callbacks from bypassing DNS, by going to IP directly, you’re going to take the lion’s share of those phishing attacks and cut them off at the knees.
Preparing for the inevitable…
Shahin Pirooz:
The common leap that most people make when they hear “layered security” is defense in depth, because that’s the mantra and concepts for the last 30 years. We’ve been saying you got to have defense in depth, and then now it’s changing the terminology into a zero trust model.
And what does all that mean? It literally meant you have to have security controls that go beyond a single layer of your infrastructure. Email security controls, DNS security controls, network security controls, endpoint, systems, identity… All of those are layers of your infrastructure. Peeling back each layer of the onion, there’s another layer. So if you only have defense at one level, once they get through that, if there’s nothing else, you’re really getting all the way through the stack.
So layered security is all about making sure that you’re not protecting one vector, but you’re protecting all the vectors that have access into your network, that have access. And network is kind of becoming an amorphous term these days. The network is the Internet at this point. So network is wherever your endpoints and your people and your data and your assets are. Those are the, think of that as your network more holistically, as opposed to inside my data center.
And, many of the tools today don’t focus on layered security, they focus on endpoint. And I complained about this in our last TECH Talk, basically calling out my peers in the industry, saying you’re misleading people. And I believe that’s the case.
And it’s a lot of people will focus on implementing a great gateway email security solution, and there’s a lot, there’s three top players in the market and they all do basically the same thing. And they implement one of three, great, email security and simulated phishing solutions. And then they implement a great firewall with good DNS protection on it. And then they implement a great endpoint security tool. What else do we need? A lot. There’s much more.
And what’s more important is each of those tools becomes a silo. Each of those tools interacts in its own world and its own AI. And nobody’s pulling together the telemetry and the visibility across those tools to be able to do what we like to call layered defense.
And I think layered defense is much more than just having the controls in place, but also getting the visibility at each layer and being able to plug the gaps to say, something coming in from this vector also got to this endpoint and is using something that’s related to the type of attack it was, using the indications of compromise or the APTs associated with that type of attack. And I’m using acronyms, so I apologize for those things don’t make sense to.
But hackers, effectively, the playbooks are small. There’s only about 250, 300 tactics, techniques, and procedures hackers use. So it’s the combination of how they use them, the order they put them together, that changes them.
And then we have kind of become stagnant, like we did with our traditional antivirus solutions. On the endpoint, where they were doing file based security, our email security today is doing the same thing. And I think that’s a big flaw in terms of the way we go to market and how we mislead consumers of security services or security products.
The traditional file based security model is important. It’s a necessity. You have to have it. You shouldn’t get rid of your antivirus solution, but you need to have behavioral at every one of these defensive layers. And behavioral modeling is understanding things like this user’s intent and tone and the way they write, all of it is different than the last time we saw messages or the last 200 times we saw messages from them. This is probably not the same person. Or they’re logging in from a location they’ve never logged in from, or two impossible locations.
And many of the new modern tools identify those things, but they don’t bridge it back to that email landed a payload on the endpoint, and that endpoint now has something on it. So, that triage of information for the full stack, and then how it interacts on the network. That machine is now talking to other machines on the network, and it’s trying to do lateral movement, it’s trying to capture data, whatever… is the way you root out and weed out the bad actors that are sitting inside your network for 200 days or more.
It isn’t about the tools…
Shahin Pirooz:
No matter how many times we talk about it isn’t about the tools. Conversations with prospects always go to the tools. And the reality is that we in tech have grown to tell me how the tool works, what it does, what the mechanics are. I want to make sure we’re picking the right tool.
And what we really need to back up to is it really isn’t about the tool. There are 4,000 security vendors out there and each of them has varying scales of good, bad, or ugly. The approach really should be to make sure that you have the layers of controls and there should be due diligence gone into selecting those tools.
That doesn’t have to be you internally. If you have a partner that does that due diligence and is picking the right tools, and they have a track record of showing they can do that well, have some faith in that partner and put trust in that partner. But inspect that the results are there. Inspect that when you’re getting your reports and your data, that things are being blocked, that they’re identifying things. Those are all the layers of things to think about as you’re thinking about a solution.
The challenge to the complexity to what we just described is if you go and try to implement that five layers of security that I discussed, and there may be many, many more layers, but we just covered five. And when I say there may be, there is. There’s so many other things we can do to better protect our environment depending on the type of business we’re in. But to implement those five could take a long time with tool selection, evaluations, implementation.
We’ve seen companies that are on a multi-year journey to achieve what I just described. And they’re not the size of MGM. They are not the size of MGM. We’re not talking… We’ve seen customers in the 50 to 100 seats that are struggling with picking the tools and making it cost effective. Mostly because the vendors don’t think about those guys, they think about MGM. So they don’t make it cost effective for the smaller companies. They have minimums that make it hard to onboard the right tools. So you have to settle for tools that do support the small ecosystem.
On the flip side, we see companies that are 100 to 1000 seats that are on this multi-year journey and they pick a tool and they start implementing, and by the time they get to the next layer, that first tool is no longer effective. And they have to now evaluate a new set of tools. And they don’t work well together. Or the tool they pick for layer two conflicts with the tool for layer one.
So there’s so many moving parts to making it happen that delays and prevents, and the meantime, hackers sit inside networks for 200 days on average, figuring out where your crown jewels are. I heard a report the other day that it’s now 300 days on average, not 200. So think about somebody sitting in your network for a year and looking at where your systems are, what they are, where your good data is. So the complexities prevent us from keeping up with the hackers.
So what can someone do? I mean, the simplest answer, and, again, this is the bias of somebody who built this infrastructure. Find somebody who did what we did. We have… the five layers of security can be implemented in your environment with a 30 day onboarding guarantee. In 30 days, you have those five layers of security, and you’re now being protected against what’s in the market.
We have customers who, insurance has come back with 200- or 300-question questionnaires, and they turn around, they’re like, what do we do? And we’re like, send us the questionnaire. And it’s check, check, check, check all the way down. And we knock out 90% of those, and some of them are HR people process type stuff that we can’t touch, but the technology controls are all checked with very little effort.
Getting to security maturity…
Brian Moody:
No one has nothing. And I think that is every customer that we’ve engaged with. I’ve never been on the phone with someone and they said, “Oh, we don’t have anything.” They have implemented pieces.
I think what we’ve done is we’ve defined what good looks like. We have seen where the industry has gone. We’ve seen what the requirements that are really needed by almost any business, right?
And it starts with email. 93% of attacks come from email. So gateway solutions are not working. So you have got to ramp up your security around email.
The second aspect of that is 70% of that 93% needs DNS to communicate with command and control session. So we need to have a level of DNS protection now that will allow us to prevent that command and control session. Especially in the world we live in today, DNS is somewhat broken because it’s been implemented at the firewall. Well, we’re not all inside of our buildings anymore behind that firewall, behind that proxy, right? We’re remote. So that DNS defense needs to be distributed. It needs to be out with the client, regardless of where they’re at.
The third aspect of that is endpoint. The endpoint is a critical component. We’ve got to have automated AI capabilities, machine learning capabilities on the endpoint, so that we can react very quickly when something happens on the endpoint, it’s not if, it’s when.
And then the endpoint really is the gateway to our network. So network security is another key component.
And then I keep bringing this people person type thing back because people are so important in security today. And you can put all this infrastructure in place, like I said, and people set it and forget it. For us, and you’ve heard Shahin say this a hundred times, it’s like sticking a guard tower up, but you don’t put a guard in it. So that human aspect is absolutely important.
So, what we found as we work with companies, is that you may have put pieces in. So one of the things we do at DataEndure is we create an economic roadmap for you, and we create a total cost of ownership. So we can come in and do a security evaluation with you to understand where you are in your security maturity model. Any one of our services can be used as a gap service. So, here’s the critical point. We’re not asking you necessarily to change out, write a new check for what you’ve done.
What we’re going to do is evaluate what you have in place and how it’s protecting your business, where you have vulnerability and/or risk, and then if we have a service that we can gap in in order, at a smaller dollar figure, because now you’re not replacing the whole thing, we can gap into what you have, and then we create an economic roadmap understanding your contracts, what their expiry dates are, and then we will do technology evaluation with those in comparison with the services that we bring to market, and when an appropriate time might be to switch that tool out. Or, it may be an important and integral tool to your security model, and may be something that stays in.
So, with our security operations and when we implement our SOC as a service to our SIEM, we can take telemetry from those tools that you have that are important to your business and provide that 7 x 24 security operations and management to that tool set.