Kirstin Burke:
I am delighted to introduce Brian Moody, who is DataEndure’s Vice President of Managed Security Services, or Managed Security Services practice. Super excited to have you here, Brian. Welcome.
Brian Moody:
Thank you.
Kirstin Burke:
You’re in the hot seat.
Brian Moody:
It’s red.
Kirstin Burke:
Yes, yes, for a reason. No, thank you for joining us. I hope you all have had a great summer. We titled this TECH Talk, Small Steps, Big Protection, and we did that for a reason. We’re taking a look at a lot of the news out there, just even this week with the FBI taking down that enormous-
Brian Moody:
Botnet.
Kirstin Burke:
… botnet. We saw in August, the SEC come out with new cybersecurity rules and expectations for public companies. There’s so much activity that continues to go on out there, yet we have organizations saying, “This is so big. How do we get there?”
What we thought we would do is just peel apart, both what we’re hearing from the SEC and why that’s important, right? A lot of organizations out there aren’t public, but you see what the SEC does as the canary in the coal mine maybe, that once they start talking about things and setting new expectations, that trickles down.
It trickles down because, although you’re not public, maybe you have a partner who is, maybe you have a supplier who is. All of a sudden, what the SEC is talking about becomes very important for everybody.
So, we’ll start there, but then we’re really going to dive into what that means for smaller businesses and how you can think about protecting yourselves. Brian, when you look at what the SEC is talking about, what stood out to you?
Brian Moody:
Well, a couple of things. I think that what we’ve seen in the industry for years and years now is, what comes out at the government level, what comes out very, very high up, absolutely trickles down through the publicly traded companies, corporate companies, down into enterprise, small enterprise, and then definitely down to small business.
I think what we’ve seen, historically with the hacker community is, they have gone after the whales, so to speak. They’ve gone after the publicly traded companies. I think over the last multiple years, what we’ve seen is a dramatic change in their strategy. They’re going after small business. There’s no question.
We’re seeing more and more small businesses get attacked, get ransomware attacks. So, this SEC announcement with respect to new compliance, new reporting rules, I think that it’s going to drive from a standpoint of that maturation that we already see in, I think, the public and the larger corporation environment. It’s going to drive a direction, I think, of the attack community to even go after small businesses even more.
One of the critical things, I thought that, came out of the SEC is the 96-hour notifications.
Kirstin Burke:
Absolutely.
Brian Moody:
Most large corporations will have infrastructure in place. They’ll have security operations. They’ll have things like SIEM. They’ll have log management. They’ll have the forensics to be able to go back, to understand what happened.
96 hours, I mean, we’re already seeing a grumbling coming from the community that are going, “No way.” I mean, if you’ve been attacked within the first 48 to 96 hours, you’re just trying to figure out what happened, right?
Kirstin Burke:
Right.
Brian Moody:
You’re digging back into your security infrastructure, you’re digging back through those logs, you’re doing forensics to understand what happened. To have to come to market and say, “This is what happened to us.”
I think the other point, I think, that is going to be a huge topic of challenge is the material aspect of the attack. The SEC is saying, “If you’ve had a material attack, so you’ve had something to you that is material, define material.”
Kirstin Burke:
Right.
Brian Moody:
Right? They may have a vastly different definition of material than you might within your business. They’re saying that the investors deserve to understand this, or hear about this information based upon the material. I think it’s going to be a huge legal challenge. I think it’s going to be a huge challenge for organizations to say that, “Well, we didn’t report because it wasn’t material.”
Kirstin Burke:
Right. Right.
Brian Moody:
I think those were two of the big things that really stood out for me with respect to what the SEC said.
Kirstin Burke:
Yeah. I looked at that four-day clause as well, and just think, wow. For those folks that we’ve done incident response for, at that two, three, four-day period, depending on the sophistication and maturity of your cybersecurity environment, you can be in all sorts of different places at that timeframe. Whether you’re a large company or a small company, that’s going to be super challenging for people to adhere to.
As we think about the pieces that need to fall into place for you to even be able to attempt … Let’s take four days out of it, let’s say five days, 10 days. For you to understand that you have had a breach, for you to understand where did it originate from, what has it impacted, what goes into that?
Brian Moody:
This all comes down to security operations. This all comes down to your incident response plan. This all comes down to your ability to leverage technology, to leverage AI, to leverage automation.
The critical part about having a mature security infrastructure is the ability for that infrastructure to first detect that something has happened, but then to respond very quickly to it. So, with that infrastructure in place, if I have an attack on a machine, if I discover someone in the network, I’m able to very quickly isolate that from the network.
If I don’t have that infrastructure in place, we’ve had instances where we’ve had a customer attacked at 2:00 in the morning, and within six minutes, 200 or 300 clients were impacted. We stopped that in seven minutes. So, we were able to stop the attack, pull off the infected infrastructure, and roll that infrastructure back to a known good state, and have that company back up very, very quickly.
If you don’t have the infrastructure to respond like that, and it’s what we’ve seen in the ransomware attacks, is you begin to see these companies get completely encrypted, and it can literally shut your company down. It will cripple you.
Kirstin Burke:
Right. Right. So, if we roll back and say, “Those are the components we need.” If I’m an organization that is looking at these new regulations coming out, hearing what good looks like, the best place to start would be where, if you’re thinking about this in terms of steps or components?
Brian Moody:
Sure. Well, I think there are four critical steps with respect to any organization evaluating its security posture. First of all, there’s strategy associated with security. There’s the process with respect to what security processes we’re putting in place. There’s the technology that we look at, that we look to implement in order to implement or apply to those policies, and then there’s the people aspect of it, which is critically important.
So, for small organizations that are beginning to look at, “How do I deploy a security maturity model?” First of all, let’s talk about that strategy component. It’s looking at our organization. What are the goals of our organization? How are we innovating and competing in the market? Then, what infrastructure do we have in order to implement that business strategy? What data do we have? Then, where are we most vulnerable? What are our risks?
So, this is really a risk assessment. It’s a vulnerability assessment. It’s understanding what our businesses and what our environment looks like.
Kirstin Burke:
Well, and that makes sense too, because I’m sure when you’re thinking about, where are we most vulnerable and all of those things, every business is already invested in something, probably. Right?
Brian Moody:
Sure.
Kirstin Burke:
They’ve got AV or they’ve got firewalls. As you’re thinking about the strategy, there are very few people that are probably starting from nothing. As you go through that, you’re starting to factor in, what have you already done, and what’s next?
Brian Moody:
Well, to some degree, because no one has nothing today because it’s not possible. I think once you’ve gone through the strategy to understand what are our vulnerabilities, what are our risks, what do we look like? The second component of that is, now what are the processes?
Folks have already, to some degree, done this, right? They’ve implemented the email, they’ve implemented the endpoint. To really draw a great strategy with respect to, what are our security processes, what are our security operations, what are our acceptable use policies, how are we going to access infrastructure? For some organizations, it is: do we have to adhere to a framework?
Kirstin Burke:
Right.
Brian Moody:
Do we have compliance based upon our business infrastructure? Potentially, the business that we’re in, the industry that we’re in. One of the critical, key components that’s been happening in most organizations is, what companies we’re partnering with, we’re doing business with, because they are now requiring things like SOC 2 Type II. You have to have a level of security in place just to do business with us or to contract with us.
So, those processes are pretty important. Then we get to that technology part, where we have implemented technology infrastructure, we’ve implemented the email, the firewalls, the cloud security, the endpoint. That’s the technology that really maps back to the controls.
The key point here is, it’s an ongoing process, and that’s what, I think, many people don’t understand about security, is that it’s not something that is set and forget. So many people think, “Hey, I’ve got email in place. I’ve got my endpoint in, I’ve got my firewall in. We’ve got passwords, we’ve got multifactor authentication in. We’re doing the things. So, we’ve implemented infrastructure in order to protect the organization.”
They say, “Hey, we got it,” and it’s like they set it and forget it. It’s truly interesting how many organizations that we’ve been involved with, that have a SIEM in place. They never look at the SIEM. They aren’t actually seeing what the SIEM’s reporting. It’s like, “We’ve got a SIEM in place,” checkbox.
Kirstin Burke:
Or it’s there in case something bad happens, they’ll go look at it after the fact-
Brian Moody:
Correct.
Kirstin Burke:
… instead of using it to help them on the front end.
Brian Moody:
Proactively, to help actually grow their business. So, as their business grows, as they advance contracts, and they begin to innovate in the business that they’re in, and compete in the marketplace, that security strategy has to grow with the business.
Kirstin Burke:
Right. Well, interesting you talk about innovation. You look at why the SEC is doing this. You look at why the FBI is doing what they’re doing. The bad guys are innovating. Right? So, we’ve got the hackers, we’ve got cyber adversaries that are innovating constantly, finding new holes, new gaps, new opportunities.
Therefore, either the company itself has to try to keep up and innovate, or the technology community, the security community has to innovate, right? We’ve got to keep up with the hackers’ innovation.
Brian Moody:
Well, here’s the fine line, and the tough part with most organizations is, how strict of a security policy do we put in place, right? Companies are focused on what they do best, and they are working to innovate within their product suite, their competitive market, to compete in the marketplace. They have to focus on what they do best. The hackers focus on what they do best.
So, that fourth leg of the table that I talked about, which is the people. This is the very, very important part with respect to organizations and their security strategy, because it’s not a matter of if you’re going to be attacked. You’re going to be attacked. It’s just when.
That when component is where that technology stack and then the people come in, because your incident response capability, your ability to respond to that attack is absolutely instrumental in protecting your business. The challenge, though, is, as I said, they’re innovating and they’re focused on what they do best. Most of the organizations, we find, especially smaller companies, they have, maybe one or two people in the organization that are focused on this security thing.
They don’t have the resource, and many times they don’t have the knowledge to be able to fully implement a security practice, and it leaves them vulnerable.
Kirstin Burke:
Sure.
Brian Moody:
So, why wouldn’t you turn to somebody, like the hackers, like DataEndure, where what we do day in, day out, 100% of the time, 365 days a year, is focus on security and security innovation through our managed security services platform.
Kirstin Burke:
Right. Well, and I think it’s interesting if we go back to the four pieces and four layers you were talking about, technology comes third, right? You’ve got strategy, you’ve got process, and then you have technology. I think for so many people, and understandably, you feel pressure, right?
“Okay, we’re standing up this business, we’re standing up our employees, and we’ve got to make sure we’re okay.” I think sometimes you backdoor, like, “Okay, we’ve bought all these tools,” and maybe you think about strategy later. Maybe you don’t think about strategy until, maybe you’re pressured by, you need a cyber insurance policy, or you need something, and then all of a sudden … So, you have this very wonky technology stack that, maybe you have a good endpoint detection, or maybe you have a good antivirus, or whatever, but all of these things, also need to work together.
Brian Moody:
Right.
Kirstin Burke:
Right? Thinking about those working together, that could be 10, 20, 30 tools just in the security space. Think about it. You’ve got your one or two people maybe, or three or four, or however many, but you’re trying to make sure that these tools are complementary. Meaning, whatever they’re telling you is consistent, or understanding where the variability is.
Then from an innovation standpoint, each of these tools has its own shelf life. So, at some point, each of these tools is going to be leapfrogged by somebody else who’s keeping up with current threats better. So, while they’re trying to innovate in their space, there’s got to be somebody thinking about, “Well, how is this all working? Is it still working? How do I inspect if it’s working?”
Unfortunately, like you said, the hackers don’t discriminate on big, small, industry, whatever. Small or large, you’re needing to think about the same things, and it’s overwhelming.
Brian Moody:
Right. It’s absolutely overwhelming. I mean, come on. I mean, how hard can it be, right? I mean, there are over 4,000 tools in the current security tool market. Which one do you pick, right? There’s 10 email solutions, there’s 10 endpoint solutions. Every single one of those manufacturers is marketing that, “We’re best.” Right?
So, not only do you have to select the tool, but to your point, it’s so important that the telemetry, your ability to be able to evaluate that the tools work together, they complement one another. Building that stack is incredibly difficult. Even the big Gartners and the data from the industry say, especially around network security, that 90% of most companies don’t do network security correctly. This is where we start talking about access, we start talking about microsegmentation, we really start talking about protecting the industry, because 70 plus percent of the attacks all involve lateral movement within the network, right?
As we begin to look at those tool sets, these companies are struggling with respect to, what tool set do I bring to market, or what do we implement now, in our infrastructure? The other aspect is, you talk about this leapfrog in technology.
Absolutely. Companies that have their technology, they’re born maybe in legacy-type technology, they’re having to write. So, every time the hacker community actually thwarts a tool, if I wrote that tool, I have to go back and close that gap, the Apple ideology of patching, but I have to write to it.
One of the things that, I think that’s very unique about DataEndure is, we test the tools on an annual basis to understand efficacy, and we want our tools to be in the top three tools that we implement in our infrastructure. Companies purchase a tool, and everything is subscription-based today. Right?
So, you get into 12, 24, 36-month lock-in. You’re locked in. If you’re locked into a tool that the hackers have found a way to easily thwart, your risk skyrockets.
Kirstin Burke:
Right.
Brian Moody:
It skyrockets.
Kirstin Burke:
Right.
Brian Moody:
I think that’s one of, again, the unique things about DataEndure, is if you are contracted with us, we might change that tool next year because we’ve found that a tool’s not as effective as it was before. So, that is one of the hugest challenges, I think, that our customers are going through, is implementing these technology stacks and then managing them.
Kirstin Burke:
Right. Right. Well, and you’re touching on a topic. When we promoted this event, someone reached out to me on LinkedIn and asked a question, and said, “How does a company stay good enough, security-wise, yet continue to innovate?” It was interesting because as I thought about it, I thought, “Well, you could think of innovate two different ways. How do I do everything I need to do from a security perspective, and continue to innovate in my business?” which we’ve talked about, or, “How do I keep my security strong enough, and continue to innovate around that security stack?” On either side of the fence, there are challenges.
What I told him is, “It’s not that companies don’t want to be secure. It’s not that they’re not smart. It’s not that they’re not spending the right thing. It’s just, this is really, really tough. Unless it is your business to be that innovator, you’re always going to be behind, and not by any fault of your own.”
So, that’s why we see a lot of people, and we’re seeing a big uptick in folks saying, “I want to get out of this,” right? “I want to find a special ops team. I want to find someone who can walk alongside us and make sure, who has our six, who makes sure that any gaps or anything that we’re not seeing, the sniper on the roof or whatever, that someone’s got that broad visibility on our ecosystem, and making sure that we’re protected, and where we might be vulnerable, we’re on it quickly.”
Brian Moody:
The aspect of that is 7/24/365. So, exactly what you talk about is, we’re on it, but to staff to that is hugely expensive. If you think about the smaller organizations, they don’t have the staff to be able to staff to 7/24, to manage this aspect. They’re trying to manage their business.
I think we’ve all been in Silicon Valley a long time. I’ve been 30 years in this valley watching the growth of technology, the growth of services. We all managed our own IT. IT went to, “Let us manage the IT for you,” colocation. “Don’t have all that power in fully? Let us do it.” Then it went to, “Let us manage it for you.”
So, you had the actual service providers. Why manage your own applications, as-a-service applications? Everything is moving in a direction, I think, that allows organizations to focus on what they do best. The infrastructure that they take advantage of, the infrastructure they need to run their businesses, let the experts, let the people who do that best, do it.
Kirstin Burke:
Right, the specialized experts.
Brian Moody:
More and more, we’re seeing in the security business that, it is moving to, “Let us in. This is what we do best. We’re the experts. We’re focused on it 7/24. This is the business that we do every single day. That we can bring that level of service to you, so that you can focus on what you do best, and you let us do what we do best.”
Kirstin Burke:
Right. Well, one of the things we had talked about was small steps, right? We’re talking about big things, big challenges, big consequences. You mentioned, there are likely no people out there that have done nothing. I might’ve done a few things. I might’ve done a lot. I might’ve not done enough.
How do we move people in those small, digestible steps, or how do we help people get to where they need to be, but in a way that, either works with their finances, or works with the contracts they already have? Let’s wrap up with, how can we help people take those steps?
Brian Moody:
Certainly. To your point, no one has nothing. I think that is every customer that we’ve engaged with. I’ve never been on the phone with someone and they said, “Oh, we don’t have anything.”
They have implemented pieces. I think what we’ve done is we’ve defined what good looks like. We have seen where the industry has gone. We’ve seen what requirements are really needed by almost any business. It starts with email. 93% of attacks come from email. So, gateway solutions are not working, so you have got to ramp up your security around email.
The second aspect of that is, 70% of that 93% needs DNS to communicate with command and control session. So, we need to have a level of DNS protection now, that will allow us to prevent that command and control session. Especially in the world we live in today, DNS is somewhat broken because it’s been implemented at the firewall.
Well, we’re not all inside of our domains anymore, behind that firewall, behind that proxy, right? We’re remote. So, that DNS defense needs to be distributed. It needs to be out with the client, regardless of where they’re at.
The third aspect of that is endpoint. The endpoint is a critical component. We’ve got to have automated AI capabilities, machine learning capabilities on the endpoint so that we can react very quickly when something happens on the endpoint. It’s not if, it’s when. Then the endpoint really is the gateway to our network. So, network security is another key component.
Then I keep bringing this person-type thing back because people are so important in security today. You can put all this infrastructure in place, like I said, and people set it and forget it. For us, and you’ve heard Shahin say this 100 times, it’s like sticking the guard tower up, but you don’t put a guard in it. So, that human aspect is absolutely important.
What we’ve found, as we work with companies is, you may have put pieces in. One of the things we do at DataEndure is we create an economic roadmap for you, and we create a total cost of ownership. So, we can come in and do a security evaluation with you to understand where you are in your security maturity model. Any one of our services can be used as a gap service.
Here’s the critical point. We’re not asking you, necessarily to change out, write a new check for what you’ve done. What we’re going to do is evaluate what you have in place and how it’s protecting your business. Where you have vulnerability and/or risk. Then if we have a service that we can gap in at a smaller dollar figure, because now you’re not replacing the whole thing, we can gap into what you have.
Then we create an economic roadmap understanding your contracts, what their expiry dates are, and then we’ll do technology evaluation with those in comparison to the services that we bring to market, and when an appropriate time might be to switch that tool out, or it may be an important and integral tool to your security model that may be something that stays in.
Kirstin Burke:
Right.
Brian Moody:
So, with our security operations and when we implement our SOCs or service to our SIEM, we can take telemetry from those tools that you have that, are important to your business, and provide that 7/24 security operations and management to that tool set.
Kirstin Burke:
Here’s what I like about that. If I’m a smaller or a mid-sized business, I like the fact that I’ve got expert eyes on what I’ve already done. By the way, it’s complimentary, right? The security health check is complimentary.
I like that someone’s looking at what I’ve done. They’re telling me, “Okay, here’s good, here’s scary, here’s this, here’s that,” but who’s walking alongside with me and saying, “Well, we can fill this gap here. We can do this here.”
I mean, I’m getting this expert’s, I just keep saying, eyes on my business that, can help me more comfortably and confidently grow my security maturity.
Brian Moody:
Because it’s an ongoing process.
Kirstin Burke:
Right. Exactly.
Brian Moody:
This is something that, I think, most businesses really need to wrap their head around. Security is an ongoing, continuous process. You have to continue to grow and adapt to what current indicators of compromise are, or current threat vectors are. It’s not something that you set and forget.
Having those experts with their eyes on your business, they’re the ones—I mean, we get the security feeds on a daily basis. We understand what’s happening in the attack framework. So, being able to apply that to your business and show you where your vulnerabilities are, I think it’s a peace of mind that we’ve heard that lets people sleep at night.
Kirstin Burke:
Yeah. With that, I’ve received a note from our producer that, we have a question that came in. Mr. Producer, what’s our question?
Producer:
How would you suggest a small company with 100% remote employees attack cybersecurity beyond the standard AV, OS, firewall, et cetera?
Kirstin Burke:
Do you want to repeat that question?
Brian Moody:
Yeah. The question is, for a small company with, say, 100 people that’s completely remote, how would we recommend that they approach cybersecurity beyond some of the standard components?
First of all, the critical aspect of that is access. For us, VPN technology is broken, and most organizations implement some type of VPN technology. Well, we’re fine. It’s in the cloud. Well, no. All we’ve done is move the concentrator into the cloud. We’re accessing that same type of technology into the cloud.
For us, the first aspect is how you’re having those folks access the infrastructure. For us, it’s critical around zero trust access. What we have brought to market, and what we suggest you evaluate for how they access the infrastructure versus VPN, is a zero trust model that microsegments the access.
So, we’re looking to add the security of the machine first, and then tying into the security of the user. So, tying into any MFA that you might be using, but also into that active directory information, so that we can constantly monitor the user, and the machine, and the security score.
In addition, we segment what those users and what those machines can see, so that if they do get breached, that lateral movement that I mentioned before can’t occur within your infrastructure.
Kirstin Burke:
Right. Right.
Brian Moody:
Endpoint technology is also absolutely important. I talked about email, I talked about DNS, I talked about endpoint. So, these are critical components that you need to make sure that, you deploy onto that technology. Advanced email protection, which is not just gateway. We recommended an advanced phishing solution. Then security awareness training is so important for users because the phishing attacks that are coming in are so ridiculously mature, they’re so good, and it takes one click, one click.
So, that security awareness training is important, and we think should happen on a monthly basis. That distributed DNS defense, I think you should look at technology associated with, “How do I get DNS defense on my remote workers’ machines, so that if they do click on something to go, we can prevent that command and control?”
Then like I said, a robust endpoint security solution is very important with respect to the additional features and protection.
Kirstin Burke:
With all of this, like you mentioned, comes having some people on the backend, keeping an eye on it, 24/7. Even if you’re 100 people, having those people, or access to that team that is watching that environment and making sure things are okay.
Brian Moody:
I’ll come back to a point that I made. It’s all about the response. It’s all about, that’s utilizing technology, but that’s people. Your incident response is really about your organization, and your people, and how you’re responding to the attack that is going to happen. Don’t kid yourself and think that you’re not going to get attacked, because you are going to. It’s how you respond to that attack that’s important.
Kirstin Burke:
Yeah. I think if I were the person that asked that question, I think, “Okay, you’ve just mentioned three, four, five tools, people. I can’t afford it.” The beautiful thing about managed security services is that you are not buying all these tools. You are not hiring all these people.
So, not only do you have access to this mature security stack on a very cost-effective basis, where you’re paying per user or per node, this can be implemented for you within 30 days. So, you have an acceleration of services and you have an extremely cost-effective model that wouldn’t be available to you if you’re trying to do it yourself.
Brian Moody:
I talk to people on the daily with respect to their security infrastructure and what we bring to market. When I talk about what we put together, DataEndure’s XDR offering, Extended Detection and Response, which includes that mail, includes the DNS, includes the endpoint, and then includes an entire proactive approach to security and continuous incident response.
So, I talk back to the point of responding. What is your response? We provide that continuous incident response for that 100%-
Kirstin Burke:
Included.
Brian Moody:
Included.
Kirstin Burke:
Right, not extra.
Brian Moody:
The first thing that they tell me is, “This is too expensive,” because if I were to go build this, it would be expensive. That’s the right answer. The difference is, after seven years in business, 26 countries, four continents, we bring economies of scale to our customers, and license costs to our customers that, they can take advantage of a pricing model as if they were a 20 or a 30,000-person company.
Kirstin Burke:
Yeah. Yeah. Well, with that … I’m getting one more note from our producer. With that, we will wrap up. What I would offer to you folks, Brian talked about the economic roadmap. If you are listening on this live stream, if you’ve got some questions of understanding, if you need any gaps filled, please reach out to us.
I mean, as I mentioned, it’s complimentary, and we would love to help put eyes on your systems for you and let you know what’s going on. The other thing, if this was valuable to you, feel free to follow us on LinkedIn, subscribe to our newsletter. You will be advised of when our upcoming events and live streams are. With that, Brian, any closing thoughts?
Brian Moody:
I would just say, don’t feel like you’re alone. This is hard. Cybersecurity’s incredibly difficult, and the hackers continue to mature even more every day. The key to the game is making sure that you’re in the game and you’re playing. Again, as I said, it’s all about the response, and your ability to respond to the attack that is going to happen.
If that infrastructure is in place, then you can protect your business. Don’t feel alone. It’s hard. Everyone has this challenge in scale, of course, given your organization, but we can help.
Kirstin Burke:
Fantastic.
Brian Moody:
We can help.
Kirstin Burke:
Thank you for joining us, and we’ll see you next month.
Brian Moody:
Thank you.