Kirstin Burke:
Thank you for joining us. We have a very interesting topic this month and actually came out of just a recent headline, unfortunately. But our topic this month is we’ve called it “Breach, Repeat.” And if you take a look at some of the headlines, most recently, Change Healthcare. The big question is, how is it, and why is it, that an organization is breached and, whether it be sooner or later, after they’re breached again?
And I was telling Shahin, I’m kind of likening it to the airline industry where, say, there’s some kind of an airline incident or a crash or accident or something like that, people will say that’s the safest time to fly because they’ve inspected the planes. They’re double, triple, quadruple checking everything. And so you can feel most confident flying then. And you would kind of think that after a company is breached, they’ve done all the things that you do to remediate, whether they pay the ransom, they’re checking everything, they’re making sure someone’s out of the system. You’d think that’s the safest time for a company to operate, yet oftentimes it’s not.
Shahin Pirooz:
It’s more than oftentimes. The metric in the industry right now is 80% of companies that have been attacked and encrypted will have a second incident and maybe more.
Kirstin Burke:
So, what is happening, or I guess more appropriately, what’s not happening, that, you know, the breach has happened. You’ve done whatever you’ve done, yet what are we missing? That they’re keeping a door open or that something is in place or not in place, that they are so susceptible to another breach?
Shahin Pirooz:
Well, I’ll answer that question in a second, because I think it’s important to understand why a company is hit again. In contrast to the airline example where once an issue happens, you know, a plane has problems, has to have an emergency landing, God forbid a crash, the inspection body comes in and they start inspecting all of the checklists, make sure they were doing them, their process. So there is an external body that is coming and doing inspections, and everybody is on heightened awareness about making sure they do the checklist. So any industrial laxing that ends up happening, meaning that over time, everybody starts to cut the edges off of process to expedite things and move, schedules are crazy, schedules are fast. Everybody’s got to meet timelines.
It’s easy at that point to try to condense at the edges of any process to make things move more quickly, in the thoughts that you’re making things efficient. When in fact, if there is a gap that’s being created by that fluffing, you are in fact making things much more efficient because now you have to recover from an incident.
Similarly the same thing is how breaches occur. People start poking holes in the firewall to give access to a new application. People change the configuration of a server because something wasn’t working, and they just wanted to do testing to validate that it could work now. People don’t update applications. People don’t install a new tool that may have had a compromise associated with it. A user downloads something from the Internet, and that brings a compromise in.
So there are so many factors that are cutting off process in order to get work done, which is where, you know, nobody, none of the people who are being impacted and compromised, is maliciously trying to cut process. They just think they’re moving faster.
Kirstin Burke:
Right. They’re just doing business.
Shahin Pirooz:
Yes. And it’s organizational, institutional tension and pressure that tries to make them move faster to do business. So we all, we all want to make more money, move faster, get more customers. So everybody has that same pressure.
In the airline industry, that third party prevents us from making those cuts at the edges, that third party audit body. We don’t have that third party audit body for every company in the private sector.
In the public sector, there’s more inspection. But how many cities right now are dealing with ransomware? How many counties, how many states? Everybody’s dealing with problems right now, so nobody’s immune to this. I’ve been saying for a lot of years, and it felt like it was just words. It’s not a matter of if, but when you get compromised. And we’ve thrown up metrics over the years to talk about how many people are getting hit, how often they get hit. And this metric is one we’ve said before, which is 80% of people who have been encrypted will be encrypted again. Why?
The why is that once you’ve been encrypted, that ransomware group is going to publish how they got in, what they compromised, where your files are, what the directory structure is, to the dark web. So now, thousands of hackers know where to go. They know that your security wasn’t sufficient to prevent them from getting in, and you’re a better target to attack. And if you paid out the ransomware, there’s a good chance you’ll pay it out again.
Kirstin Burke:
Right. Right.
Shahin Pirooz:
So all of that is on the dark web. So, if I’m a bad actor, why go after something totally net new? Why not go after something that I know is going to give out a reward for the work that I put in? And that sounds terrible putting it in that way, but you’ve got to put yourself in the mindset of the bad actor.
So that’s the why people get hit more than once, because they have a floor plan. They basically have an instruction set for how to get in and do damage to you in such a way that you will pay ransom again.
Kirstin Burke:
Would you suspect, too, that’s kind of avenue A, is there another avenue where the initial folks that got in, right, they may have been in for ten days. They may have been in for 250 days. So they’re in there. They know the environment. Have they put more than one plan in place? So, okay, I’m going to go and I’m going to attack here. I’m going to go like, it used to be that maybe the entire company or the entire infrastructure got encrypted, but now it seems like it’s more surgically striking. So maybe I’ll go after payroll or maybe I’ll go after something else, but then are they leaving things in there expecting that, yeah, I’m probably going to get caught or, yeah, after this ransom, so that they can go back in?
Shahin Pirooz:
So the, really, the behavior, the modus operandi is going to be dependent on the hacker group or basically they’re conglomerates. They treat themselves like companies. They act like companies when you’re interacting with them in the incident response situation. They have help desk, they have engineering teams. It’s a crazy, like, nefarious business model.
And so when you’re looking at a particular bad actor group, that group has a modus operandi for how they work, for what tools they use to hack, for what systems they put in place, for what backdoors they might put in place. And when they get documented well enough that the tools in the industry can catch up, oftentimes they collapse the hacker group and go and create a new one with a new MO. And that’s what we call TTPs in the industry. So MO in the police sector, TTPs in the security sector. Tactics, techniques, and procedures. And that’s what MITRE has done with the MITRE ATT&CK matrix is to document the TTPs these bad actors are using, so that we as security professionals can look for those tactics, techniques and procedures. They’ve also tied them to known hacker groups. So this hacker group uses these procedures and techniques and so on and so forth.
So the short answer is yes. They oftentimes create multiple backdoors in case one of them gets shut down for their primary activity. But if you didn’t find it and you cleaned up everything and it’s still there, sure. Of course they’re going to use that and try to come back in again or sell it to another bad actor group to go and come in. You know, let’s split the ransom and I’ll tell you how to get in. I got a backdoor. So, absolutely, once somebody has been in, they not only have an understanding of your environment, but they’ve probably planted a bunch of ways to get back in. And they’re selling that off.
Kirstin Burke:
So if I’m an organization listening to this, I haven’t been hacked yet, I’m probably more aware that this is coming at me and is likely to hit me.
Shahin Pirooz:
And given that, you know, bad actors are in an environment, on average, we said between 10 and 200, but the average right now in the United States is 200 days of dwell time. That means for six months, a bad actor. So six months ago, a bad actor could have started in your environment.
Kirstin Burke:
And I just don’t know about it yet.
Shahin Pirooz:
Exactly.
Kirstin Burke:
So if I’m someone who has been breached, it sounds like I’m going to go in and I’m going to do incident response. I’m going to do the things that I need to do according to what I should do. What is it, and it sounds like I can do that, but even if I do that, my environment’s been documented, where my jewels are has been documented. Do I need to go in and change all that? How do I protect myself from that subsequent hit? Because it sounds like incident response isn’t enough, if I’m understanding that right.
Shahin Pirooz:
The very simplest answer is sign up with us.
Kirstin Burke:
All right, bye bye. [laughing]
Shahin Pirooz:
But no, it’s incident response done properly, meaning all the way through remediation, is most likely going to be sufficient to prevent another activity. Problem is that we have very different experiences. We’ve done a lot of incident response, and we have very different experiences with the forensics teams that get pulled in.
So the way this typically works is when a company gets compromised, their first call is going to be to their cyber insurance, their cyber insurance calls the team that is doing legal for the cyber, cyber legal specifically. They have their own forensics companies that they want to use and oftentimes their own incident response companies.
Many times we’ve been called in when we are friendly with that company, if they’re a prospect or we are delivering other services to them. And we get pulled into those to work with the forensics team from the cyber insurance because the customer says, I want to work with these guys. And in those scenarios we have seen most forensics folks are decent, they do a good job. But we have seen, just like in any IT organization, just like in any security organization, there’s a huge spectrum of phenomenal forensics companies and OK forensics companies.
And the OK forensics companies aren’t going to find all the backdoors. They’re not going to really dig deep to figure out when did it start? How did it start? What’s the origin of this attack? Not just what machine it came from inside your network, but how did they get to that machine? If they’re not going to that level and understanding what are all the scripts that were run from that machine and when it connected to the next machine, doing forensics on that machine and getting what happened here so that they can see all the things that the bad actor did. And it’s, you know, if it’s a really good bad actor, there’s probably not a lot of breadcrumbs left because they’re cleaning up after themselves. But, you know, the forensics team is a huge factor in terms of repeat incidents or not.
But the forensics team is going to tell you, here’s what happened, here’s how it happened, here’s the compromises, here’s the holes they took advantage of. What do you do to remediate that? The remediation is the primary factor. It’s just like when somebody’s doing an audit for SOC 2, let’s say, and your auditor comes back and gives you a list of here are the things you’ve got to remediate to pass. And we create, and not we, but industrially we create a set of processes that are checkboxed to say we did that thing. But did we actually implement a human process beyond it? Did we actually create automation that says we’re going to keep inspecting it on a regular basis? And it’s just like anything else. I’ve called it configuration drift for years.
You can fix and remediate the hole right now, but how did that hole get there? Configuration drift is how that hole got there. Somebody made a change to the infrastructure to support a business reason, a legitimate business request. That’s going to happen again.
So if you’re not doing continuous pen testing, if you’re not doing continuous security control validation to see what happens if one of your systems is compromised, you need breach and attack simulation and posture management in order to have an understanding of what’s my risk level. And it can’t be once a year, it can’t be once a quarter. It has to be continuous.
Kirstin Burke:
Well, and it sounds like, particularly for someone who has been breached and make the assumption, like you said, that whatever an attacker learned is now on the dark web, so now everybody knows. It seems that you’re going to be more of a target. And so if you’re not doing that continuous testing and assessment, that because you’ve got more people coming at you, there’s more of a likelihood that someone is going to find something.
Shahin Pirooz:
Absolutely. And, you know, just like any other engineer, these bad actors are effectively engineers. Some of them are going to be better than the others, and they’re going to find something the other ones didn’t. Once they know that there’s a potential for success somewhere, there’s blood in the water, for lack of a better term, and just like sharks they’re going to go after that blood in the water.
Kirstin Burke:
Now, you said kind of tongue in cheek a few minutes ago the way to resolve this is to work with us. Sure, we’d love to have you work with us. Let’s talk about why it’s different, because you went through some steps, you went through forensics, you went through incident response. Where is it and why would an experience with DataEndure be any different than something they might get from their cyber insurance company or anybody else?
Shahin Pirooz:
So a lot of times, a lot of these forensics companies are also becoming an ongoing managed services company to be able to close those gaps. But they’re not experts at this space. Their expertise and their tremendous talent is forensics. And so the tools they use to do the forensics can be tools that stay around and be a decent EDR for a company, but then they either sell you the tool and you have to manage it and you have to train up and you have to do whatever.
For us, when we do forensics, when we come in and do an incident response rather, we bring in partners for forensics. When we do the incident response, we’re using the same tool set that we use in our ongoing security services. So we deploy the same toolset, we do the cleanup, we do the isolations, all the incident response that needs to happen. We do incident command for customers to help them understand all the pieces and parts they have to do.
We work with the forensics teams and take the indications of compromise or the TTPs from the bad actors and load them across our tools. So now all of our customers are protected across it. And if that company decides to stay on as a customer, all of that work and all of the previous incident responses we’ve done have the tactics, techniques, and procedures that we’ve seen in the wild, as well as in production running against their environment.
So that same attack is unlikely to happen. New attacks, there’s always a possibility, but because we have taken what behaviors a bad actor does, and because we take telemetry from multiple different sources, we’re able to narrow in with our correlation engines and get very quickly to this looks like an attack. And we have taken, on average, that six months of dwell time down to six minutes. So the longest has been about three or four days. But we’re, on average, coming in the six to ten minutes, from the time the bad actor starts doing their investigation inside your network.
Kirstin Burke:
Got it. So it seems that folks who work with us benefit from, let’s say, a more kind of cohesive experience where things have already been built to work together. Partnerships have already been established. And it’s not necessarily a tool solution but rather a service-based experience that factors in all of the different things that need to be done, both in the short term as well as kind of setting up for success long term.
Shahin Pirooz:
100%, and it’s, you know, if you are working with a company that’s going to sell you a technology, it’s a net new setup and configuration. You’re not getting any benefit of any previous anything. It’s the only benefit you’re getting is it’s probably a good tool because they probably pick a decent company to partner with. Let’s assume that’s 100% accurate. It isn’t, but let’s just assume for a second that’s accurate. You’re still having to customize that tool to fit in your environment, do all of the fine tuning of the alerts that are coming out of it so that there’s not too much noise, so your team can’t get buried in the alerts and get alert fatigue.
You still have to set up security properly based on that tool. Set up whitelisting and blacklisting and configuration management. What things should be alerts that aren’t alerting? What things should not be alerts that are alerting? There’s so much work that goes into that maintenance.
Kirstin Burke:
For one tool.
Shahin Pirooz:
For one tool. Picking a company like us, our enterprise security stack is 40 technologies, ten of which are open source, that are already configured, already up and running. There is no setup time. It’s a 30 day onboarding, and you have a full enterprise stack in 30 days.
Kirstin Burke:
So, security zero to 60 in 30 days.
Shahin Pirooz:
Exactly.
Kirstin Burke:
Well, and, you know, on top of that, something you kind of breezed through, but I think is really interesting. This is the area where you really want to benefit from what everybody knows, right? So if I’m trying to do this on my own, I’m using my team, my experts, my configuration experience, what I’m learning, but something you mentioned is every time we’re doing some kind of incident response, every time we learn more about all of our customers – the techniques – it’s rolled out to all of our customers.
And so on an ongoing basis, their security maturity and their attack surface is dwindling because they’re benefiting from all of the customer experience, not just what they’re learning on their own.
Shahin Pirooz:
Yeah, I’ve always said, I’ve been in this managed services, managed security space for 30 years now. And I’ve always said, if you take somebody who’s in a managed services, because in the beginning, it was a big fight about, why should I outsource to you? I have really smart people. That’s not really a dialogue that happens anymore. It’s kind of a foregone conclusion. I want to stay core versus context.
But I’ve always articulated that having an individual who’s the smartest guy in IT, or security, or pick a field, in one company, compared to an equally smart person in a company that is supporting 500 companies, is a very different skillset. That person who is doing security for one company only has the experiences and context of that company and their tools and their attack surface and the things that are targeting them, versus the person with the 500 companies now has 500 ecosystems to pull in knowledge and experience from.
So that’s one of the values of managed services and managed security services is it’s not narrowed in, blinders on, looking at one organization. It is really taking the world into account and bringing all the experiences from that world to there.
Kirstin Burke:
For sure, for sure. So you mentioned 40 plus technologies that our enterprise security stack has. We know there are really smart people out there, we know there are people that know security, that may have already bought tools or that might say, hey, I think I can do this myself. When I hear you talk about all of this, I guess my thought would be, well, of course you could. But why? If this is something already available that gets you to maturity in 30 days at a dramatically reduced cost, that helps your people focus on the alerts that matter or on the security things that they need to focus on, why would you not do something like this? Is it because of the investments you’ve already made? Like, why?
Shahin Pirooz:
So there are a couple of factors. And this is the traditional technologists, we have chips on our shoulders.
Kirstin Burke:
Well, you like to build things.
Shahin Pirooz:
We like to build things. And so if somebody comes to me from outside my organization and says, I have a better mousetrap, my first reaction is, prove it. So you want to take the time and cycle to prove it. Once you get into it, you’re like, you didn’t do anything special. I can build that.
And then that’s the moment where I learned decades ago the concept of, you know, a build versus buy analysis, a proper build versus buy analysis. What are the actual advantages to me and my company of building this versus simply consuming it? And there was a great article that Chad Dickerson wrote when he was the CIO of InfoWorld. And he basically talked about his transition from being a provisioner of IT to a consumer of IT. He happened to be a customer of ours back in the day, Kirstin and I were at the same place, but that transition for him opened his eyes to this world where he now can positively impact and benefit those things that made InfoWorld different versus doing IT really well.
And so, same concept here. It’s, yes, you can probably build this, but not probably, you absolutely can recreate what we did without question. Given enough time, money and resources, you would be able to build this. We’re not magicians. We didn’t come up with some crazy new AI that does this stuff. There is plenty of AI in the platform, but that’s all something anybody can accomplish.
But does that investment in time and resources and continuous – I would tell you the frustration of having to continuously train new staff has got to be enough to make somebody not want to do this, because security people come in, learn, and then move on. And as a leader, it’s something you would love to do, to grow and groom people, but we’ve had many transitions, and that’s shielded from our customers because that’s our problem. We continue to hire, train, grow, and keep building the team. That’s something you would have to do yourself.
Doing the evaluation of the technologies, those 40 technologies, every year you have to say, is this tool in this one category still effective? And if not, is there another tool that does it better or are they all ineffective? If there’s something better, what’s my process and mechanism for transitioning off of this tool to that tool, and what data do I lose and what policies transfer? And what features do I have that I don’t get on the other side?
That is literally a 24 by 7 job for three people in our organization. All they’re doing is shootouts, the entire year, between these 40 technologies and what’s new in the category and evaluating new companies. That alone is at least a full time job for a person to continuously do evaluations. And a lot of CIOs feel like, I can do that myself. If you are doing it yourself, you’re not doing it a service. I’m just going to tell you that right now. It takes a team to accomplish what I just described. You have to do POCs, shootouts, testing, and it’s continuous.
The next level is once you get the tool, you have to install it, you have to configure it, you have to deploy it to a test group, and you have to start planning rollout and how you’re going to roll it out. Once you roll it out past the test group, you start to see that you forgot something. There’s some tweak or configuration or whatever that you have to do to make sure you don’t stop the business.
So every one of these things are things that if you’re building a new system, you’re going to go through with each technology, versus if you’re using a system that’s already been vetted, already has an ecosystem of 23 countries and five continents and 120,000 endpoints, all those things have probably been sorted through. I’m not saying we’re perfect. Every once in a while we find a hiccup. It’s like any technology company, but you’re not having to start from scratch. So to those who want to build it themselves, more power to you. I would not want to go back and start over from 2018 when we started this journey and rebuild this thing from scratch.
Where we are today is a completely curated, consumable enterprise security stack that customers don’t have to worry about the tools. They don’t have to worry about how it’s being operated, how it’s being monitored. They just know that the output of this thing is we’re going to find bad guys as fast as we possibly can and point them out and isolate them and block them if possible, or tell you the things you need to do to isolate and block them on the network or whatever.
Kirstin Burke:
Well, and I think it’s interesting too, because, you know, we know that it doesn’t matter what company size you are, right? You are a target, period. And so if you think about the resources it might take a smaller business to have the proper security posture that maybe a midsize or larger business has, right?
The beauty of this is I can be a pretty small business, I can be a startup, I can be whatever, and at a very approachable price point, and within 30 days, I can be just as mature as maybe my competitor, who’s four times the size, right? And so it’s not that it’s a competitive advantage, but your customers expect this of you. Your board expects this of you, right? You are now expected today to be an effective steward of your data. And if, and when, and really if, or when, something happens to that data, right? For you to be able to stand up and say, here are all the policies I have, all the things I have to be able to show that you do take this seriously is a big deal.
And so it’s really a leveler out there for businesses of any size to say, hey, I’m just as secure, if not more, than the other people out there, so you can be confident in working with us.
Shahin Pirooz:
I have a friend who’s got a small company, three or four people, and he was asking me about what I do for a living, and we were talking, and the conversation was, I’m never going to spend that kind of money. And I said, what kind of money do you think it is? And he laid out a picture and I said, well, first of all, it should cost you a lot more than that to build it. But secondly, what if you can do it for about the price of a cup of coffee a day for each of your employees? Would that be appealing to you? He said, yeah.
And that’s what we’re talking about, folks. We’re not talking about breaking the bank. We’re talking about literally a system that gives you, even for a company of three people, an enterprise security stack you could not possibly invest in for anywhere near the price we’re going to bring you. And our largest customers are 30,000 seats. Our smallest customer is one seat.
Kirstin Burke:
Yeah. So it’s pretty amazing.
Shahin Pirooz:
It scales up and down, and there is no limiter. If you’re bigger than 30,000 seats, we’d love to have you, but there is no limiter in terms of size up or down. And the price point is just hard to compete against. Because it’s pre-built.
Kirstin Burke:
Exactly, right. So I guess we would close with this offer then. If you’ve not been breached yet, good for you. If you’re not sure, you don’t know if there’s someone in your environment, if you have been breached, right? There are all of these different scenarios where we can help.
We’ve got some complimentary tools where Shahin talked about some assessments, he talked about, you know, being able to go in and see from penetration testing, from all these different areas, how your business stacks up right now, how your environment stacks up right now. We would love to do that for you.
You know, it is in our best interest, just as human beings, to help other organizations be safe and be secure. And that’s really what we care about. So if that’s something you’re interested in, we’d love to offer that to you.
The other tool that we have, or the other complimentary assessment we have is you’ve probably already spent money on something. So you’re already out there, maybe you’ve bought a tool, maybe you’re paying for a service. We can take a look at what you’re already doing. We can take a look at the cost of what you’re doing. We can take a look at the coverage of what you’re doing and let you know maybe where some gaps are, maybe where you look good, and help you build a roadmap to get to that security maturity that maybe you desire.
So we can do things for you without you having to sign on any dotted line, but just really to help you understand maybe where you are and what’s next. So, you know, I would throw that out there and just say, you know, let us know, reach out.
Shahin Pirooz:
It can’t hurt. And you walk away with at least a quick scorecard of where you stand. And, best case scenario, if you go through the economic roadmap modeling, you have a three year plan for deciding to transition or not to transition to something new, something better. And, I’m biased, but I’m going to say something better. But really, the logic behind all of the things we’ve done is to your point, all of what we built was built out of frustration with the lack of proper security posturing by the industry for consumers. And we just felt there had to be a better way, and we think we’ve created it.
Kirstin Burke:
What a great way to end. Thank you all for joining us. Have a happy rest of April, and we will see you next month.