We promoted this event as an outpouring of an internal conversation we had, but also some conversations that we have with our clients. We had a tongue-in-cheek request from one of our leaders for a glossary, an internal glossary to help us weed through all of the different acronyms that we use in our business. And, funny, ha, ha, but really when you take a look at being on the consumer side of security and on the consumer side of technology, we’re not helping our customers make decisions very well.
And while it helps for analysts, while it helps for us to categorize things, in a way we’re complicating an already very challenging situation. And so today we thought that we would kind of jump in on this. I called it EDR, MDR, SOS. Shahin was going to use another acronym. And I said no, we might have children watching.
So anyway, we’re going to jump in and talk about this, and starting with two things we all agree upon, right? Cyber threats are at an all time high, operational resilience is top of mind. So obviously, we’ve got to do something. And with all of this going on, the market is jumping in because everyone’s saying, hey, detection and response is a big deal. There’s a big market. There’s a lot of money being spent. So let’s jump in.
So now it’s complicated. Shahin, maybe lead us to how did we get here? And not that we need a history lesson, but we’ve got – we started with AV, antivirus. Now we’re at EDR, MDR. Now you’re hearing about XDR and even more. And I live in this space and I’m confused and let’s help deconstruct this a little bit. What’s going on?
So you said it best at the beginning, the analysts, the Gartners, the Forresters, the G2s, all these guys are doing their darn best to help us to figure out what tools we should be looking at in a particular category. The unintended consequence of that is the acronymization of categories. And what ends up happening is, the best example is XDR. About two and a half years ago, Palo Alto coined the term XDR, meaning, we’re not just going to do detection and response at the endpoint. We’re not just going to do detection and response at the network. We’re going to take all of that together and it’s going to be extended detection and response.
And we’re always trying to create a new product or a new service, or get better or add features. And the problem that we’re creating is that because of this categorizations the analysts are doing, we don’t want to be classified as endpoint detection and response. We want to come up with something else to say that we’re bigger, better, more features.
And what that ends up doing is Gartner, G2, these guys, they say, “Oh, we got a new category. We’re going to have to classify people in this new category.” And what the old EDR vendors say is, “I don’t want to just be EDR anymore. So I’m going to start calling my solution XDR.” And that’s just an example. And like you said it, EDR came from a world of being able to do – identify file-based threats based on definitions and signatures was no longer working because hackers are getting smarter. They’re not dropping things that match their signature. They’re changing signatures too fast. So it wasn’t working.
They’re also doing things behaviorally that look similar to what a user would do. So those guys can’t catch it. So we had to switch to a behavioral technology. And that became behavioral antivirus for a while for a very short period of time. I don’t know if anybody even remembers it, but that evolved into what became EDR. And EDR was all about at the endpoint, we need to detect bad activity, regardless of whether we do it with files or we do it with no files, we do it based on behavior, we do it based on the MITRE ATT&CK matrix.
We have to be able to see something bad is happening. There is a malicious activity or malicious intent going on, and then we need to be able to respond to that malicious intent or malicious act. So that’s where the EDR category came from. And then, the market started saying, that’s great. My endpoint is protected, but my network’s not, my firewall is not, my whatever’s not, and I’m already too taxed and I’m too busy doing the – catching up with the endpoint detections that I have to respond to. Who’s paying attention to the rest of this stuff?
And that’s really – if you put all those pieces together, that’s how the evolution of these things started to come. And I would say that even today, Cisco’s identified themselves as an XDR vendor. Palo Altos, they came out with the term. So I guess we could call them an XDR vendor. And I love Palo Alto. But in general, I would say, I’ve said this before on our TECH talks, any single manufacturer is a Swiss Army knife. And while you can use the toothpick and you can use the knife, you would never open a bottle of wine with that corkscrew because it just does okay. It does the job. It gets by. You can get the bottle open, but you’re going to have pieces of cork in your wine. You’re going to break the cork in a million pieces, and you’re going to be spending a half hour at the campsite trying to get the darn thing open.
So we, as a system integrator, what we try to bring when we flag something we call extended detection response, we try to bring products from four or five different categories that are the best in class in their category for network detection, for log aggregation, for endpoint detection, for DNS blocking in defense, for phishing protection. Try to bring all those things together so that we’re not the Swiss Army knife. We are the tactical toolkit that a military would take into battle.
And that’s the goal at the end of the day, cyber warfare is real, it’s happening. The US government has spent – every government has spent tons of money on building their cyber warfare teams. And we have done that for the commercial space, for the private space. And the challenge that people face with these acronyms is it’s very easy to fall into a, for example, CrowdStrike, which is a tremendous EDR platform, is not calling themselves XDR because they started collecting firewall logs.
It’s not enough. You’re really just taking two pieces of telemetry endpoint and network and then jumping into this category because everybody wants to say, “I’m not EDR. I’m that really cool – ”
The old one. I’m not the old one.
Yeah, exactly. “I’m this cool new thing that Gartner is highlighting and we should be classified here.” And so that’s the real challenge as a consumer. If I turn my hat around and now I’m the CTO versus – or the CSO versus the CTO of DataEndure is I’m evaluating what technologies to look at, it gets really hard to identify is this really an XDR or not? And you have to pull the covers back to figure it out. And that’s the complication.
We were joking about it, but the WTF of what do I use is really, it’s what detection technology and what response technologies are right in order to do the job. I’m not trying to get on a bandwagon of this is the coolest, shiniest, newest thing. I’m trying to get on the bandwagon of what is the most effective thing. How are we going to be able to detect malicious activity, and not only stop it, but eradicate it and resolve it, so that the user can get back to productivity.
Well, that’s a great point. I think it leads us down a couple of different paths but one – and I think this is a market reality now. We’ve talked about it for a while, but the conversation has changed from, well, if we ever get breached, if we ever have something happen, and I think we’re all in agreement now, it’s not if, but when, and for how long, right? And we know that bad actors can compromise a system and that they linger there for 270 days, right?
There’s the side of the technology or the strategy that you want to catch something after it’s happened. But there’s this offensive posture that organizations are needing to say, how do we get ourselves in shape before it happens so that we can maybe ward off a good number of those attacks or we can find them sooner before the damage is done and that we have to respond or that we have to recover.
And I just go back to these acronyms and I go back to all of these different postures out there. And how do we help an organization really understand based on who I am, based on maybe the requirements that I have, or the regulations I have, or the customer expectations I have, based on that, based on the data that I’ve thought, what is right for me? And to your point, let’s get rid of the acronyms, but how do I make the decision for what’s right for me?
At the end of the day, the only way to accomplish this is you can take guidance by the analyst in terms of what technologies to evaluate, but you can’t get away from evaluating. And that’s the problem. I don’t know a single peer, and I don’t mean just in the managed security or service provider space, I mean, in the technology role, CIO CTO, CSO. I don’t know a single peer that has on face value taken an analyst recommendation and just said, I’m going to take the top one.
It’s a safe bet because you can always point back to that. Just like IBM, it was the safe bet back in the day. You can always point back and say, “Gartner said they were best. I thought I was doing the right thing.” And the problem is you can’t get away without evaluating in your new environment because every tool is a little bit different in terms of how they operate, how they work. One of the challenges that I have as a service provider is I need to be able to have a tool that works agnostically across any environment and is as effective as the best tool in a restricted environment.
So when we do evaluations, we’re going endlayers deeper than most because we have to think about it that way. What’s happened in the past 18 months is this little COVID bug sent us home and effectively made it so that everybody now has to think like that. All C-level technology people have to think about, okay, how do I protect and update and manage these endpoints that are sitting in – if I have 10,000 employees, 10,000 different networks. They’re no longer in my bastion of security that I’ve created in our headquarters, in our geo offices, I have no control over that network. I have no control over who can get to them. I have no control over how they set it up. Is it secure? Is it not?
And so the challenges that I tried to develop for our customer base is really in the context of your end users and the endpoints should have the same level of service, whether they’re sitting in a Starbucks, a customer site, a home office, in a field location, or at your headquarters. There shouldn’t be any difference in terms of capability. And that doesn’t mean reduce the level of service to them. So that you – but don’t buy a shitty tool to make it equal everywhere. Give them the same level of service they have at headquarters everywhere.
And that’s really how we build. That’s really how we evaluate. And to answer your question more specifically, for any technology leader, any security leader, you cannot get away from the evaluation of technologies. What DataEndure brings to the table is we’re doing that level of evaluation on your behalf and picking the best in breed technologies. And that’s the real value of a managed service provider, a managed security provider is that we – that playing field isn’t equal either.
That’s another acronym that you got to be careful of and evaluate carefully, but you need to make sure you’re picking somebody who has a roadmap, who has a thought-through product process, that they’re integrating things properly, that they’re not just jumping into bed with a Cisco or a Palo Alto and saying, “We’re a managed service provider,” because ultimately you get the same thing. You’re just getting people managing it. But in – go ahead.
I was just going to say you brought up a great point as you started talking about really the only way around this is to evaluate. My head jumps to a slide that we have, that we use with clients, which shows all of the cyber technologies out there. And this isn’t all of IT. This is just in the category of cyber or security. And I don’t know, maybe there are 3,000. And we –
There’s over 3,000. I’ve lost count, yeah.
Right. And we jokingly say, how hard can it be? Well, if I’m that person listening who just heard you say, “My only way around this or through this is to evaluate,” I start getting hot under the collar because that is time, that is resources. And part of this cyber security issue is time is not on our side. And so, if I’ve got to spend my time, my talent, my resources testing versus standing something up that can secure me right away, that’s a challenge.
Yeah, absolutely. We run into in our sales cycles the common pushback to check us out, evaluate us. We have a series of health checks which are very quick evaluations of what we do. And typically, a managed service provider can’t really give you a taster because it takes too much work to implement a managed service provider’s technology into your environment and make it work.
I remember, Kirstin and I, we were both at a very large managed service provider, one of the first in the country. And Kirstin pushed me for years to do a POC. And I kept saying there’s no chance we’re doing a POC. There’s no pilots. And today, we’ve created a concept of health checks, which is – and when I talk about health checks to a customer, the first reaction is “We don’t have time for that right now. We’ve got 62 other POCs going.” I’m like, all I need is two hours of your time to set it up. And in 14 days, we’re going to show you results. So three hours of meetings and you’ll know if we have any value to add or not. And they’re like, “Really?” And I say, “Yes, that’s all we need. It doesn’t take much and we get it.”
And so that, to speak to your point of not only is time not on our side, but these leaders are in fact in POCs with so many different products. And one of the reliefs, I would say, that our customers feel is when we’re having dialogues about what do you do in your SOC? They can knock out the – I’m going to call out, rather than technology is the acronyms for them, the MTA functionality and there’s seven different products or 10 different products in that category. They can knock out the user behavior and entity behavior analysis.
There’s another 15 products in that category. They can knock out the vulnerability assessment. There’s at least four top products in that category. So I can keep rattling off all the acronyms that our SOC alone covers. And by the time we get done with the features and capabilities of our SOC, and then add on our EDR offering, and then add on our advanced phishing, and then add on our DNS, they literally knocked out about 10 products that they would have to evaluate and test.
And they probably, in most cases, have anywhere between five and seven of those in POC at the moment. The comment and the conversation that I usually have with prospects is “I know you’re doing this and I’m not telling you don’t, but you have to understand that in order for me to put this in front of you, I had to do that. I had to figure out what was the best to put into our solutions. And I have to do that every year to make sure that the product that is in our solutions is still the relevant product and somebody didn’t leapfrog them.”
So our customers get the benefit of us doing that evaluation and replacing tools when they’re no longer the best.
Wow! That seems like a huge benefit. Just given the rest of the IT world that they have to deal with, and not just this, to know that that is something that’s taken care of. Let me ask you this. I know we’re running low on time. Is there any situation – we talked about this progression of AV, EDR, or MDR. Is there any situation where I’m an organization out there and maybe I have an older AV or maybe I have had some kind of an EDR solution. Is there a scenario where you look at that and say, that’s fine. Stay where you are. You don’t really need to start thinking about MDR or XDR? Or is it dependent on the organization or industry, or is this something that as an organization, they really do need to move with the market to stay secure?
So you bring up a good point. Let me highlight a couple of things. So MDR is an acronym that is incredibly overused. It’s as bad as cloud was for a long time, and maybe still is. MDR stands for managed detection and response. And what that effectively means is the managed service provider is deploying an endpoint solution to your endpoints and using that telemetry to find issues on those endpoints and resolving those issues.
That’s literally what managed detection and response is. There’s been a crossover confusion between MDR vendors and SOC vendors. MDR is not SOC. While there is a SOC managing that endpoint tool, you’re only getting telemetry from the endpoint and maybe some telemetry from a couple of devices outside of that. The SOC should be collecting telemetry from your applications, from your identity system, from your Active Directory, from DNS, DHCP, from all of your routers, switches, firewalls.
So SOC should be much more feature-rich, much more telemetry. Because I think we’ve said before on these conversations, telemetry is the only way you find bad guys. The only way you can triangulate in on malicious activity and where it is and how to hone in on finding it and eradicating it is by having more points of telemetry. So when an MDR provider is coming in and collecting your firewall logs and has an endpoint tool, that’s not enough. That’s just MDR.
We offer an MDR. Our EDR offering, the top version of it, is MDR, which is fully managed endpoint detection and response. But that is what an MDR is. We also have sensors and pen testing in our MDR offering, which most don’t offer. But to answer your question, coming back to the specific root of the question, which is, should everybody change to a DR, detection and response, solution or are they fine with AV? AV doesn’t work anymore. Traditional AV – when we did our shootout this past year for what endpoint detection and response solution is best, we went through five rounds of testing and we used the MITRE ATT&CK matrix with about 160 different tactics, techniques, and procedures.
So those are the TTPs that hackers use to compromise systems as classified by MITRE, which is the US’s investigation arm of the cyber defense. And so in that evaluation, all of the traditional AV solutions, McAfee, Sophos, Symantec, they all fell out in the first round of evaluation and they fell out because they couldn’t detect the behavior.
When we downloaded a RAT, they were able to identify it. So they were able to detect 10% of the attacks we sent. If you’re comfortable with nine out of 10 attacks succeeding in your environment, then you don’t need to change. That’s the answer to the question. And as you move up the chain, behavior is king, and all of the traditional AV solutions have now added behavior. But I wrote my first – I started writing my first programs when I was eight years old. I’ve been a software developer my entire life.
For those of you that are software developers, you understand the term technical debt. For those of you that are not technical, technical debt is: as you develop something, sometimes you don’t have the foresight. Sometimes you get lucky, but most times you don’t have the foresight to realize I need to add this feature in three years. And the way I wrote my program today won’t work with that. And I may have to completely re-architect or figure out, and here’s a technical term, how to projigger [ph] it in.
So behavioral monitoring added to traditional AV solutions is projiggered in. It came too late. It was built on a technology that was based on definitions and signatures, which you’re downloading really large files of millions of signatures and millions of definitions, so that you can say, if this file matches the signature in one of my things, and one of my databases locally, I know it’s a bad thing. But that’s a race of are we putting the right signatures out and downloading these signatures?
So that’s the problem with file-based technologies. So the EDR technologies of today, the CrowdStrikes, Cylances, Carbon Blacks, all of these players have come to a place of – by the way, all four of those fell out of our shootouts as well. Where we are today is that those guys all came at this from a different perspective. They said, “Let’s monitor the activities that are happening on the endpoint from a behavioral perspective. A file was being downloaded from a known bad place. That file is being triggered by a system service, but the user didn’t trigger it. That file is starting to encrypt the entire disk.”
Those are the types of things that it’s – there’s an executable that came down. That executable doesn’t look like anything. It doesn’t match any signatures, but it’s doing bad things. And that’s the real ultimate way to identify somebody’s doing something wrong is watching. Like when you’re out in the wild, when you’re out walking around and somebody starts behaving really oddly at a restaurant, your hackles go up, all your alarm systems are going off and you’re watching that person to see what they’re going to do next. And you’re at the edge of your seat, ready to react.
That’s what new behavioral technologies do versus let’s see if that guy fits a signature. And you’re not waiting to see if that guy fits a signature. You’re waiting to see if he does something that requires you to respond. And see what I did there? So short answer is, I don’t believe that anybody should sit still and accept that nine out of every 10 attacks are okay in their environment. As we said, it’s not a matter of if you’re going to get hacked, it’s only a matter of when and the more you stick with technologies that are no longer effective in today’s world, the sooner that will happen.
And I’m not trying to scare people. We just have to, as technology and security leaders, leap forward to keep up with the bad actors. And it’s not impossible. It’s not hard. Everybody in the security space wants to make it seem like it’s a really hard job. It’s not a hard job. You plug the holes, but you have to know what the holes are. You capture configuration drift, which is, I have one engineer changing things one way, I have another engineer changing things the other way, and you make sure that configuration drift is maintained. You patch your systems, you monitor behavior, and you’re able to stop it when it impacts a single device, a single user, not when it impacts your entire environment and your whole environment is encrypted.
Right. And we’ve had a couple of customers join us on these TECH talks. Several of them, common denominator, have said, “Really the decision is, do you want to be in the business of this? Or do you want to consume the service for someone whose business this is?” And so the decision really is, do I want to be in the business of evaluating, keeping up, making sure my team is doing everything or do I want someone to come alongside me who does the lion’s share of that work, and then who brings me in when my talent and my resources are best utilized, which is go find – we have one customer who went from 2.7 billion alerts, we escalated 93 to them.
So is my team’s time better served on the 2.7 billion or on the 93? And so I think if you’re watching this, what business do you want to be in? Where do you want to be focusing your resources? And certainly, Shahin, every time I hear you talk about how our service was built and the rigor that it goes through, I’m blown away because I would not want to be in this business if I was a business owner. And there’s just such an opportunity for them to get to where they want to be with the security posture locked in versus going through that constant struggle.
So Shahin, with that, I thank you for your time once again. And for anyone listening, if you do have any concern at all, if there is any hesitation – someone the other day said to me, “Well, let’s just ask people if they’re married to their current solution. Are you married to it? Do you love it?” And I thought, well, really the question is, do you have any type – any little worry at all, any little concern that maybe things aren’t as you hoped they are, or as you’ve built them to be. If there’s any concern at all, reach out to us and let us know.
To Shahin’s point, we have these health checks. They’re complimentary, and we are able to help you understand where you truly are. If you are as healthy as you think, if you’ve got the gap, if you’ve got some gaps that you don’t know about, we’d love to come alongside you and help make sure that you’re in the position that you need to be.
And for those of you that have no worries, have us run a health check to validate where you are. That could be a report card that you could share with your team to say, “Great job team,” or it could identify gaps that you may not be aware of.