We’re excited to be here. Everything’s slowing down a little bit, but we certainly have the time to spend reflecting and sharing with you what we’ve taken away from this year, and we’re excited to have you join us.
2022 is a super interesting year, both in technology as well as in the market and the economy. We continue to see a lot of fallout or implications of COVID, and how organizations are deciding to either restructure or retool, or how they’re planning on continuing, and we thought it would be appropriate today to call our Tech Talk “The Year of the Endpoint.” We do that simply because, in talking to customers and at the events Shahin has spoken at, that is such a hot topic, because endpoints are everywhere now. And even with people coming back into the office, there’s such a degree of distributed technology and distributed users now, and we don’t think that’s ever coming back. Oh, and not to mention that the majority of the security service providers in the landscape that people are going to for support and help in this space are focused on endpoint security; they’re not truly creating a broader network security perspective. The term XDR has become commonplace in the security vocabulary, and unfortunately, for most people, XDR means firewall logs plus EDR, and that’s not what it should mean. It should be extended: it should mean more than just adding firewall logs to what we already did. For us, it’s a very different meaning, and we’ll talk more about why that’s important, right?
Absolutely! So we have two places we’re going to go with this Tech Talk today, and then we will release you for your holiday festivities. First of all, as Shahin was alluding to, there are some common misconceptions that we’re seeing out there as organizations are either evaluating or retooling their EDR strategies, so we thought we would just walk through a couple of those for informational purposes, especially if you’re one of those organizations looking at what you’ve got today and asking, “Okay, going into ’23, what should I be paying attention to?” There are a few key misconceptions that we’re seeing, so we’ll hop right in. I think the first one that you’ve seen and talked about is failing to deploy endpoint security across all endpoints, right? Thinking that maybe one isn’t important enough, or this group is okay, and there’s a lot that happens when it’s not deployed everywhere.

Yeah, it’s a combination of those two things. Whether it’s, you know, “we have Linux boxes, and Linux boxes aren’t easily compromised, so we don’t need to worry about them.” In the past it used to be “Macs don’t have any viruses, so let’s not support Macs,” and that’s changed. The same is true for Linux. The other side of it is, “I have this engineer, or this executive, or this somebody who has a problem, and we believe it’s the endpoint security tool that’s causing their performance issue.” And so they disable it. And, you know, 90% of our systems are covered, so that’s good, right? I can’t tell you the number of incident responses we’ve done where it was that machine that was disabled, or those machines that were disabled, or the machines that didn’t have the agents installed on them, where the hacker got their foothold. The other misconception, which ties nicely in with this, is simply that endpoint security should be enough.
If we just put the basic controls in, if we have endpoint security and firewalls and we have identity management, we should be golden. The reality is, Active Directory isn’t identity management; it’s an authentication platform, and many people feel that it is. We don’t enforce strict password security, so the passwords are really easy to compromise. And if you take what I just said about endpoint security, it isn’t enough by itself. And tied to that, not all endpoints have it. There’s another underlying problem, and the reason endpoint security isn’t good is that most endpoint security today focuses on file-based security. There are traditional antivirus providers that evolved from their file-based security. They’ve added behavioral techniques, but at the root, their DNA, their technical debt, and everything about their technology are tied to identifying bad files and stopping or quarantining those bad files. There are a couple of problems with that approach. The first one is that it will stop the very first step in an attacker’s attempt to take over a system. It will–attackers will compromise the system, and at that point the system is compromised and there is already something running on it. And the first thing they try to do to start spreading is download the PowerShell file, the PowerShell script–or a shell script if it’s Linux or Mac–and the file-based systems often can catch–not always, but often can catch–those PowerShell scripts. But they also have other techniques for moving laterally throughout the network, and they do reconnaissance when they’re inside the network. Oftentimes, hackers are sitting in your network for six months before they’re identified. I can find a lot of weaknesses in any network in six months.

Our typical security assessments and health checks are two weeks, and in that time frame we show a report card to people that says, “Here are all the areas we think there should be energy and focus.” So in those six months, the hacker will find the engineering machines or the executives’ machines that don’t have antivirus, they’ll deploy their scheduled tasks onto those systems, and at this point they’ve probably already compromised the domain admin password, so they can crawl around. And once they do, they deploy the PowerShell on that system, and the PowerShell, because there’s no endpoint security on it, will be able to run remotely against all of their Windows hosts, and then they begin encrypting, then they begin causing problems, and there’s a combination of things that are problematic once that starts. If you’re all on virtual platforms, and specifically Hyper-V, the minute the underlying OS, the host OS, gets compromised, every VM above it is compromised. We’ve had many incident responses where the backup servers were sitting on top of Hyper-V and the domain controllers were sitting on top of Hyper-V, and the entire server infrastructure was encrypted, and there’s no recovering passwords, there’s no changing passwords, there’s no doing restores from backup, and you’re stuck paying your ransom at that point. And it all comes back to that one machine, right? That didn’t have antivirus installed, right? And all it takes is one.

Well, and I think what you’re saying here too, and it’s kind of the third point that we had, is we see a lot of organizations–maybe they’ve got regulatory pressures, or maybe they’re trying to hit certain levels so they can be insurable. So it’s a checkbox thing for a lot of organizations: “Okay, well, I got this, I got this, I did this, I did this,” and so kind of looking at the bare minimum, right? So how much do I have to spend and how easily can I get this done?
So I think what we’re also seeing is you’ve got to have a bigger picture, right? If you aren’t putting together security policies and practices and training, I mean, if this isn’t part of your DNA as you’re doing business, it’s a lot easier for vulnerabilities to appear that maybe you don’t even know about, because you checked your box and you’re not going back in and inspecting it. It’s not part of a regular inspection that you’re doing. Maybe talk about what we’ve seen a little bit in that area.

So a security program is more than tools and controls. It’s like you said, you have to have policies, and not only do you have to have the policies, but those policies need to have controls tied to them, where now the security controls come into play. So we’re going to have two-factor authentication–as an example, as a policy–so we’re going to go out and purchase an identity management solution, or use our AD, or whatever the case may be, to implement that two-factor authentication. We’re going to have endpoint security as a policy, so we go out and buy an endpoint security tool and deploy it. But what’s missing oftentimes is the policy. The core policies are written; some smaller companies will grab the CIS Top 20 because it’s easy. There are 20 policies, and those policies are easily mapped to controls, so it makes it a lot quicker to get the policy checkbox done and then the controls checkbox done. But what happens when something happens? There are multiple procedures and policies that should be documented that aren’t, like a DR plan, an incident response plan, what do you do when a system gets encrypted, what do you do when a system gets compromised. All those factors are components of a security program that are missing in many, many cases that we run across when we’re doing incident response.
And there are some customers, larger customers admittedly, that have their incident response plan, and we jump in and help and join the incident response. But there are those customers where we end up having to take the incident response command role, so it’s all over the place in terms of somebody’s security maturity level, which is one of the things we try to help customers understand: where they are and where they go, right? But if you tie in what I just said, you have to have a program, and your endpoint security should just be a component within that program; it should not be the program. To outline that, there was an organization-independent study done to see the efficacy of a prevention-based approach with endpoint security in mind. In this particular evaluation, 10,000 systems were tested, and they all had endpoint security tools deployed to them. Different ones, and in this particular study it was traditional file-based endpoint security and prevention-based–so there was some behavioral–but it was a traditional file-based approach to it. Within the first hour, 70% of the malicious software was missed by the endpoint security. So in one hour it got deployed to 10,000 endpoints, and of those 10,000 endpoints, 7,000 of them didn’t get noticed. Only 3,000 of them got noticed within the first 24 hours. So one day later, only 66% of the endpoints saw the attack, so you still have another 34% left that are still exposed. That’s 24 hours–a full day later–and the software is sitting on that machine trying to do stuff, and that sounds bad. A week later, a full seven days later, only 72% of the systems identified this malicious software. That means you still have 28% of your systems–that’s 2,800 systems out of 10,000–that have this software sitting on them a week later.
Yeah, it’s doing stuff every day, every minute, every five minutes, with the scheduled tasks these things are creating. And then, if that wasn’t bad enough, a month later, a full month later, 93% of the systems identified the malicious software. So there are still 700 systems in that network that did not see the malicious software. It took a full six months before 100% of the systems identified the malicious software. That’s a little over 200 days that this software sat in the network and was doing things, creating scheduled tasks, and at any point in time when it reaches out and talks to its command and control, the hacker can push a button that says “detonate,” and that’s 10,000 systems down.

Right, right. Well, I think what you just described is this isn’t easy, and unfortunately, it isn’t easy. I mean, we would love to sit here and tell you, “Hey, you know what? Just do these three things and you’re good,” right? But it’s not that way, and it’s why we’re in business and why we’re so passionate about talking to people about this. It is such a dynamic environment, and these bad guys–this is their job, right? This is what they do, and so they are spending every moment trying to find creative ways to penetrate, to engage, to deceive. So even if you’ve gone through that list and checked your boxes, within any given time range that adversary has done something different that makes whatever you deployed a little bit weaker, and over time a little bit weaker, and so organizations have to have a better way of staying on top of this, and staying on top of it in a way that doesn’t take all their time and all their resources.

It’s difficult to stay on top of it because these attacks are no longer simple malicious files with bad code in them; that’s what they used to be.
When we were talking 20 years ago, traditional antivirus was great because we had a database of definitions and signatures: if we see the signature, this is a bad file, stop it, quarantine it, be done with it. But today the attacks, the malware, are polymorphic, and that simply means it’s a shapeshifter. It changes how it behaves in the middle of its attack. It will attempt to do something, and it does that so that it can evade detection. Detection evasion is the key thing that the malicious actors are focused on these days. They know that MITRE has written up hundreds of tactics, techniques, and procedures that these guys used to use, and they were able to reuse them because people didn’t know about them. But now it’s public, and every endpoint security tool today is using MITRE as a framework to find malicious activity. So what do you do if you’re a bad guy? You change behavior: you don’t do the same behaviors, you tweak behaviors. You change the order of behaviors, you change the tactics and the techniques you use with the tactics. You mix them up, and anybody who came from a traditional signature-based endpoint security model is going to create signatures or definitions for how behaviors happen and what order they happen in, and those systems are flawed because hackers don’t do the same thing twice. If they do, they’re going to get stopped, and they know it.

Yeah, yeah. Well, that kind of leads us to the next segment, and I think we’ve already covered a lot of it, but it’s important to restate the question or the comment that we had, which is, for folks out there: is endpoint security plus firewalls plus IDS enough, right? Does that comprise a security posture? Does that comprise the tool and the process and the plan that we need? We talked a little bit about it, and we covered just that these traditional AV players, right, first of all, deploying new signatures and doing all that takes way too long; the bad guys are way, way too far in front of them, too often and too fast. We talked about polymorphic malware–I like calling them shapeshifters better just because I think that’s cool, but they’re not cool, they’re bad. So the fact that over 90% of the attacks out there come from polymorphic malware, right? You cannot be using a solution that can’t combat that, right? Which is 90% of the solutions out there, right?

There are a couple of factors here. The answer to the question is simply no. Just going with an XDR solution, what the rest of the market is calling XDR, is not enough, because they are endpoint-focused. They’re missing critical factors about the network. They don’t have a significant amount of network telemetry. A few of them have better visibility than others, but what’s one hundred percent missing is segmentation, because the attack vector is only one aspect of how an attack happens: how they came in, how they got started. But the attack surface is how much impact they’re going to have, and the impact in that 10,000-endpoint environment–the attack surface is 10,000 endpoints that, over six months, didn’t get full coverage in terms of identifying this attack. Any one of those systems, the 700 that remained up until one month, could have been the system that got the right file and then spread from there and encrypted all 10,000 systems. 700 systems, just think about that. And let’s say you don’t have 10,000 systems; let’s say you have a thousand systems. You’re talking 70 systems. Say you have a hundred systems, that’s seven–seven workstations in your environment. That’s all it takes for this attack to spread.
I have many customers who use traditional endpoint security, and those guys, the marketing people, do a phenomenal job–no offense–they do a phenomenal job of saying that their solution is the coolest, newest thing, XDR, blah blah blah, whatever three-letter acronym you want to throw at it. The challenge is they’re trying to sell their software. What we’ve always done is take best-in-class tools and technologies. We don’t write the software; we evaluate technology, the best-in-class technology, that is integrated and embedded in our solutions. And why that’s important is because you can’t always be the best; there’s a limited time. To all the technologists out there listening to this: how many times have you changed your endpoint security over your career? How many times have you changed your firewalls over your career? Because they don’t stay best-in-class; they can’t. So any software company that says they’re best-in-class can’t sustain that, even if that fact is true at that moment in time.

So if you’re listening to this, right, probably 90% of the folks out there or more have something in place. So I’ve got something, and now maybe I’m feeling a little bit more nervous than I did 20 minutes ago. I’m sorry! So going into next year, what are a few things that you would say to help them evaluate where they are, and to help them evaluate if they need to do something different? What should they walk away thinking about, and what should the next step be if they need to do something?

So the very easiest answer is to reach out to us. We have a set of security health checks that will quickly–within a two-week time frame–give you an understanding of your security posture, internally and externally, in email and cloud. We can get complete visibility into how you’re doing and what the gaps are that you need to focus on. It’s effectively the same as doing full pen testing, but it’s synthetic, and it gives you the results back in a fraction of the time. So we are able to do that in a complementary way, meaning it’s complementary, and it’s not about telling you what technologies to buy, but it’s about what controls are working and what controls aren’t, and how to address those things. Outside of that, I would say, if that’s not the approach you want to take, then there are some key things you have to implement in your environment. Number one, if you haven’t done one for a while, do a pen test. Understand what risks you have, and create a risk register where you’re tracking those things that are potential risks. If ransomware is a risk, that’s a big deal for you, and if you can’t handle your business being down for up to 30 days, then identify that as high risk and build your plan for how to deal with that risk when it happens. Not if, but when it happens. I have plenty of customers that we spoke to years ago and talked to them about our security services, and they said, “No, we’re fine.” Fast forward to when they came back and said, “We just got hit, we need help,” and we had to help them through the incident response. They didn’t think they had a problem. Don’t let yourself be in that scenario. Don’t let yourself be caught not having the plans, not having the phone numbers, not knowing the people to call, and don’t put all your faith in any one manufacturer.

Yeah, for sure. And like you said, things change so fast, so have a way to inspect where you are on an ongoing basis, right? Because even if you feel like you’re okay today, none of us know all the dynamics that are happening out there, whether it be something internal, something that changes the configuration, or whether it be something that happened external to your business.
There’s so much happening that you need to be able to regularly inspect where you’re at to keep that degree of confidence high. And even though we think of ourselves as a great security player and a great partner with our customers, we have embedded in our offerings–in four or five of our offerings–continuous posture management and continuous assessment of the controls, both ours and any the customer owns, and it continues so that we can make sure that we’re closing these holes. What’s missing in security today is proactivity, because it’s hard. Collecting a lot of data, doing pen testing, doing continuous scans, and then evaluating those results and doing something about them is difficult. It takes time, it takes resources, and that’s where a managed security service should help. The problem is most of the managed security services are reselling you security technology and XDR technology. Monitoring those screens? That’s not enough.
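The first misconception discussed in the talk, endpoint security that is not deployed everywhere (the Linux box nobody worried about, the executive’s laptop where the agent was disabled, the Hyper-V host that gets every VM above it), is something a defender can check continuously rather than discover during an incident. The Python below is an added example written for this page; it is not code from the speakers or their company. It reconciles an asset inventory export (for instance from AD or a CMDB) against an EDR console export and reports every host with no agent, a disabled agent, or an agent that has not checked in for longer than a threshold, ranking infrastructure hosts first. Both CSV exports, the column names, the hostnames and the fixed “now” timestamp are constructed for the example; real consoles use their own export formats, so the column mapping would need adjusting.

```python
"""Reconcile an asset inventory against an EDR console export and list
endpoints that are not actually protected. Added example; all data below
is constructed, and the column names are assumptions about the exports."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed asset inventory export (assumed columns: hostname, os, owner_group).
INVENTORY_CSV = """hostname,os,owner_group
ws-eng-01,Linux,engineering
ws-eng-02,Linux,engineering
ws-exec-01,macOS,executives
ws-fin-01,Windows,finance
hv-host-01,Windows,infrastructure
dc-01,Windows,infrastructure
"""

# Constructed EDR console export (assumed columns: hostname, agent_state, last_seen UTC).
# ws-eng-01 is absent entirely, ws-exec-01 has its agent disabled, and the
# Hyper-V host last checked in weeks ago.
EDR_CSV = """hostname,agent_state,last_seen
ws-eng-02,enabled,2022-12-14T09:12:00Z
ws-exec-01,disabled,2022-12-14T08:40:00Z
ws-fin-01,enabled,2022-12-14T10:01:00Z
hv-host-01,enabled,2022-11-20T03:15:00Z
dc-01,enabled,2022-12-14T10:05:00Z
"""

# Fixed reference time so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2022, 12, 14, 12, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=7)
# Groups whose compromise has the widest blast radius (hypervisors, domain controllers).
HIGH_IMPACT_GROUPS = {"infrastructure"}


def parse_inventory(text):
    """Map hostname -> inventory row."""
    return {row["hostname"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_edr(text):
    """Map hostname -> EDR row with last_seen parsed to an aware datetime."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        ts = row["last_seen"].replace("Z", "+00:00")  # fromisoformat needs an explicit offset
        row["last_seen"] = datetime.fromisoformat(ts)
        out[row["hostname"]] = row
    return out


def coverage_gaps(inventory, edr, now=NOW, stale_after=STALE_AFTER):
    """Return one finding per unprotected host, high-impact groups first."""
    findings = []
    for host, meta in inventory.items():
        rec = edr.get(host)
        if rec is None:
            reason = "no_agent"
        elif rec["agent_state"] != "enabled":
            reason = "agent_disabled"
        elif now - rec["last_seen"] > stale_after:
            reason = "stale_checkin"
        else:
            continue  # agent present, enabled and recently seen
        findings.append({
            "hostname": host,
            "reason": reason,
            "os": meta["os"],
            "owner_group": meta["owner_group"],
            "high_impact": meta["owner_group"] in HIGH_IMPACT_GROUPS,
        })
    # Hypervisor and DC gaps are the ones that take the whole estate down, so surface them first.
    findings.sort(key=lambda f: (not f["high_impact"], f["hostname"]))
    return findings


def coverage_ratio(inventory, findings):
    """Fraction of inventoried hosts with a working agent (the '90% covered' number)."""
    return 1 - len(findings) / len(inventory)


def hosts_unknown_to_inventory(inventory, edr):
    """Hosts the EDR knows about but the inventory does not: the inventory itself has a gap."""
    return sorted(set(edr) - set(inventory))


if __name__ == "__main__":
    inv, agents = parse_inventory(INVENTORY_CSV), parse_edr(EDR_CSV)
    gaps = coverage_gaps(inv, agents)
    for f in gaps:
        flag = "HIGH IMPACT " if f["high_impact"] else ""
        print(f"{flag}{f['hostname']:<12} {f['reason']:<15} {f['os']:<8} {f['owner_group']}")
    print(f"coverage: {coverage_ratio(inv, gaps):.0%}")
    print("in EDR but not in inventory:", hosts_unknown_to_inventory(inv, agents))
```

Run on the constructed data it reports three unprotected hosts out of six (50% coverage) with the Hyper-V host listed first, and an empty “in EDR but not in inventory” list; in practice a non-empty list there is worth chasing too, because it means the inventory the rest of the program relies on is incomplete. Scheduling this against fresh exports is one concrete form of the continuous control assessment the talk describes.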