It was only a month or two ago that our TECH talk discussed last year being the year of the endpoint. With all of the movement and all of the distributed nature of people, devices, and data, there has been such a focus on the endpoint, which is very justified, but what we're finding is that with all the focus on the endpoint, there's a gap. You've got a lot of tools and a lot of vendors talking about endpoint detection and all of the things to focus on at the endpoint... and then you still have a gap, you still have issues, and you still have response-time issues. We've been talking to a lot of clients about this because we've seen breaches where people had the tools they thought they needed, but they still had dwell-time and response-time issues. We wanted to talk today about acknowledging the importance of the endpoint, but there are a lot of things that need to come either alongside that or behind it, which organizations seem to be missing. So I'll cue that up, Shahin, but maybe you can just give a high-level summary of what's going on in the market right now.
It's hard for me to get into this conversation and not come across as frustrated at my peers, at the people who are developing technologies and products, and at the marketing message that is being thrown at customers in terms of what's effective and what's effective security. Four years ago, Palo Alto and Gartner coined the term XDR, and that was supposed to be a better version of Endpoint or Managed Detection and Response solutions; it was supposed to be extended. The problem is that it never extended beyond the endpoint and some firewall logs, and it really doesn't do a lot more than that. The implication is that customers get this feeling that they've got this XDR offering, therefore they're safe and protected. It's extended, it covers everything... It's marketing. There are XDR solutions out there, and I'm going to be a little biased and say ours is very different: it does more and covers more things than just simply those two things. It's a true five-layered approach to detection and response. But what happened is, when we went distributed, the world decided, "Oh my God, everybody's not in the office anymore! My only way to get them back in the office is VPN, and I can't afford to have all their traffic route through our VPN and then through our firewalls, so I just need to put a better endpoint security tool on these things so I can get distributed protection." That was a good start; that was a great start. The problem is, that didn't do anything to protect the network. The firewalls are at the castle, and nobody's in the castle routing their traffic through them. The firewall was ineffective because it slowed everybody down, applications slowed down, so everybody started enabling split tunneling on their VPNs, and now all the protections and defenses and controls that we have built that go beyond the endpoint are useless. Fast forward to today, most of us have 50% of our staff still working at home.
That means 50% of your attack surface doesn’t have any protection except endpoint–that’s huge!
When I try to visualize it with marketing, they want you to be able to explain things to your grandmother. So when I think about this concept, I think about your home: you've got your alarm, you've got your barking dog, you've got all of these things. What's your EDR, right? Someone gets in, but the damage is already done at the point of getting in. If you've got those alarms and those things saying "Someone's in!", the execution of that attack is great, but it's almost the "what's next?" The best way to describe an EDR solution is to go back to the days when we had the Clapper (for those of us who are old enough): there were commercials about a thing you would hang on your doorknob that would buzz the minute somebody jiggled the doorknob. That was the alarm to identify that somebody's messing with your door. Guess what? The home invasion is 30 seconds away. It's too late for that; it should have been detected sooner than that, and that's the problem with EDR. EDR is focused on the endpoint, and it doesn't even do anything today. Traditional antivirus solutions used to scan every file that downloaded to the machine to make sure it didn't match signatures and definitions, and we've discovered over the last decade that file-based, definition-based solutions are pointless; they don't do anything, because the bad actors have gotten smarter. They don't download the bad file that has a definition or signature; they download something that looks harmless and takes advantage of the system's tools to generate a scheduled task to make a call out to download the bad files, do something, and download additional systems and tools that will help them break into your environment or encrypt your environment. So the EDR doesn't actually take action until the bad act has started; it doesn't do anything for any files that are downloaded, because again, the tool manufacturers have taught us file-based defense is dead. You don't want that; you need both, you need to have a balance of both.

So where we go, fast forward to today: that endpoint security solution that we have going on in our environment today, and there are some great tools out there that are EDR tools; they can call themselves MDR, XDR, or whatever. At the end of the day they're all endpoint detection and response tools. They collect telemetry, they collect forensics, they behaviorally monitor what's happening on the device, and they have automated actions, which many of them are calling AI, that respond to a set of behavioral artifacts that look like an attack: let's stop this thing, let's roll it back, let's isolate the system, those kinds of things. The problem is, it's too late. The actor is already on your network and probably has been there for 200 days, to your point, on average, and they just decided to pull that trigger on your entire environment and move laterally. And all it takes is one, two, or three systems where the endpoint security tool is not working: it is out of date, it failed and it's not checking in anymore, or it's a new machine that nobody installed the tools on yet.
All of those factors say endpoint security is ineffective by itself, so you have to be able to monitor network traffic between systems; you have to be able to monitor communication from the endpoint that's going outbound to known bad sites and known bad IP addresses, not just when they're inside your network, not just when they're VPN'd in, but always, no matter where they are: at home, at Starbucks, wherever. And the problem with an endpoint security solution, an endpoint-focused security solution, which all the players in the market today are, even the ones that are calling themselves MDR, XDR, and SOC offerings, is that they are all endpoint based. I'm not going to call out names, but my peers in this space, if you're listening to me, you frustrate me, because we're leading people down the wrong path. Endpoint security alone is insufficient; it doesn't do the job, because it's basically the sentry who is smoking a cigarette and not paying attention until he gets hit in the back of the head. He might have his hand on the alarm button and push it; he might not. So that's the grandma description of an endpoint security tool, and I think we as a collective, the security industry, the majority of us, are feeding the constituents who are consuming those services false data about protection. Protection has to go far beyond just the endpoint.

Well, it seems, when we've had conversations about this just between the two of us, if you were to think about the tool or subject boxes, right, you've got endpoint detection and response, and a lot of people have some kind of a SIEM, right, or something that helps them collect the forensics, act on the forensics, figure out what it was that happened. So you kind of have these two bookends, if you will, and it seems to me what you're saying, and what has frustrated us the most where we've seen issues, is around that dwell time and the threat hunting that needs to go into reducing that dwell time. And it's really not even like, if you think about it, right now dwell time is around six months, right? Even if you cut that in half, that's not good. Cutting the dwell time to three months or even one month, right, you don't really affect damage unless you can truncate that dwell time to moments. And to your point, we're not equipping or informing organizations (a) that they need to do it and (b) the best way to do it. Just so we're clear, by "we" we mean the industry.
100% accurate. Let's go through some numbers real quick: 50% of companies are getting attacked, so if you're in a room with 15 of your peers, seven or eight of them have been attacked. Of those 50%, 75% of them have successfully been encrypted, so now we have five people in that room that have successfully been encrypted. Of those five people that have been successfully encrypted, 80% of them get hacked again, so now we have three people that have been hacked more than once. If our endpoint security tools, if our email gateway tools, if our firewall tools were working, if these security controls that the market was talking about and pitching as "this is the only thing you need" were doing what they're supposed to do, those numbers would not exist. The World Economic Forum, we talked about it in January, came out and said it's going from a three trillion dollar business this year to a 26-27 trillion dollar business, and we mean cyber security attacks, in two years. That's a huge increase, and if these tools were actually working, how could that possibly be? And I'm saying my frustration, I told you up front, I warned you all I'm going to get frustrated in this conversation: the tools are not working. They're not enough, and you need a full security portfolio, you need a comprehensive set of security tools: not just endpoint security, not just endpoint security plus firewalls, not just endpoint security, firewalls, and email security. Even all of that together is still not enough. And so the missing piece in the dialogue we were just having is that all of our tools have become reactive in nature: the email security, the gateway security, the firewall. Something happens, we take action; they don't react until there is an event or an incident, the start of the attack. And the SIEM is used on the flip side of that, the other bookend: after the attack starts, I need forensic data, and nobody's looked at the SIEM for six months, so I'm going to go back and look and get the forensics data to see where it started, so I know where to plug the hole, where to solve the problem. That hacker has been sitting inside your network for six months messing around, finding your family jewels, your crown jewels, and taking advantage of the attack surface in your environment and planning when they're going to trigger the event. But they're not done: they've already exfiltrated the data, they've already set up the tools to trigger the attack, and they know they're not going to get 100% encryption, but they're going to get enough that you're going to pay the ransom, and they're going to show you proof of life by showing you the files they uploaded. So what do you do? You call cyber insurance and you pay the money, and you have downtime trying to recover from the encryption when the key doesn't work. We do a lot of incident response for customers and prospects that have gone through it, not customers, prospects that have gone through it, and help them to recover and get back to business, but it's never plain, it's never without impact, it's never easy. We in many ways make it easier, but it still is a lot of impact on the company. What was missing, what Kirsten was hinting towards, what you were talking about, is we need to take that dwell time of six months away. We need to take the time away from the hacker, and I'm talking "we" as an industry. Right now, we at DataEndure on average take that dwell time in our customers from six months to six minutes. We identify a hacker within minutes, and I'm not talking two-digit minutes, one-digit minutes, from the time they hit the ground, because we are collecting so much telemetry across the customer's environment that we correlate the information from multiple facets, multiple perspectives, have many lenses on it, and have a full comprehensive set of security tools. There are over 30 tools in our security stack, and you have to have that. Having a firewall, EDR, and email security is only three tools; that's not enough. And so that's really the challenge with security today: we've created this world in which we need to become experts in so many different technologies and platforms, and complicate that with the fact that there are 3,000 security manufacturers out there trying to tell us their solution is the only thing we need, right? And you're all the ones I'm frustrated at, by the way. I have a lot of love for manufacturers, because we use 30 of their products in our stack, but I also have a lot of frustration, because it's this misleading approach, and every manufacturer now is trying to get into the managed space because it's lucrative to get into a recurring business model versus a one-time sale. So everybody wants to get into that subscription, and if the customer says, "I'm already subscribing to your tool, can't you just manage it?", the common answer is, "How hard can it be? Grab one of you guys in the room and we'll start managing them." Right? There's obviously far more to it than that, and while we use the same tools the manufacturers use themselves, you can compare our capabilities with theirs and you will see there's a significant difference in just that one tool, what we do versus what comes direct from the manufacturer. So overall I would say the topic today is: don't be fooled by the marketing hype that this one tool, this amazing tool, is going to solve all your security problems. Just because we're not in a castle, in a traditional mode that doesn't work anymore, does not mean we don't need a fully comprehensive defense-in-depth approach. The only difference to defense in depth that has happened over the last decade is you have to add the word "distributed" in front of it, so it has to become a distributed defense in depth, and that does not mean put EDR on the endpoint and do all the same stuff inside here.

Well, it's interesting listening to you. I think there's an element too, as consumers, and we see this very complex problem, right?
We know that hackers are always changing, we know there's this dynamic force out there, yet we have this desire to make something simple, right? Like, "I don't know how to handle it, I just need something to make it simple for me!" I think at the end of the day, cybersecurity isn't simple, it can't be passive, and I think there might be some misleading messaging out there that says, "Well, if you get this tool, and get this tool, and set it, it's going to do the work for you." Some of that AI language... AI is great to support the things that you need to do, but if no one's paying attention to the AI, or if no one is understanding what it's saying, then you're treating it as a passive tool. And so I think there is an element of active versus reactive, active versus passive, that is just hard for almost everybody to sustain.
This is another area of frustration for me. I've long been saying that I don't believe the acronym AI properly reflects what we are actually experiencing in the market. The perspective is changing a little bit for people now that ChatGPT is hitting the market, and it's doing what seems to be natural language conversation or research with individuals and coming out with some pretty cool stuff. It's impressive; I've been impressed with every interaction I've had with it. But the AI that is used in security tools should be called AA, first of all, not AI. I don't believe in the term Artificial Intelligence; I believe in the term Augmented Intelligence. It's doing something more than what a standard intelligence might do within an individual; it's got access to more information. I say AA because it's actually Augmented Actions: it's a set of workflow rules, it's if-then statements. Most artificial intelligence that we see in the market, or AI we see in the market, is really nothing more than putting together a series of things, so we get fooled by this notion that there's this beautiful machine brain that's watching our network. It's not; it's been trained to "if you see this, do that," so it's an if-then construct. The impact of that is that hackers know that, and they say, "Well, we're not going to do this, so we don't trigger this, and we're going to do the other thing first, and therefore it'll never trigger the if." And that's why you can't be passive; that's why you can't rely on the same security tool. We have to change our security technologies and the manufacturers. Those 30 tools aren't static for us; they change constantly. We're in the middle of changing three of them right now, this quarter, and they change because they're no longer effective. They were the best when we picked them, but, as I said before, on average a security tool is only good for about five years, and they can't keep up with the changes. There are many factors that go into that: technical debt, what they've invested in the platform, the structure they built that can't be tweaked easily, which ties back to that technical debt. And the hackers don't have any of those restrictions; they're coming up with tweaks and modifications to hacks every day. And that's why, if you look at the APTs in the world, there are so many of them, there are so many different threat actors with so many different indications of compromise, because they keep coming up with new ways to do things. And yes, we see the same attacks over and over again, because it's a splatter approach, and for those attacks, yes, these tools will catch them. But it's the new ones that they don't have a plan for that you've got to worry about.

Yeah, well, you bring up something interesting that may be a topic for a future TECH talk. We've kind of talked about ChatGPT, and we've talked about it on the good guy side, right? We've talked about manufacturers trying to use it and leverage it and things like that, but you're also hearing a lot in the press about the bad guys starting to leverage ChatGPT for attacks. Oh yeah, and "write me a script that takes advantage of this vulnerability," right? Guess what? It does it, right? And so I think there's going to be even more pressure on both manufacturers and organizations as ChatGPT 4 or 5 or whatever it is comes on, and however it evolves, the bad guys are going to find ways to tap into that, probably faster than the good guys, and we will continue to be responding to whatever it is they figure out how to do. But that AI, AA, whatever you want to call it, is going to be leveraged from the bad guy side too. They're going to get better phishing; they're going to go out and take a look at all the social profiling that you have out there and be able to make something much more effective than maybe someone in Eastern Europe with their language and what they're thinking. It may be smoother, it may be more compelling for you, because they can say more about you. So that's going to come at us too, and how tools respond, but also how we as people respond, both on the technology side (how do we equip our teams and our tools to discern that?) and then how do we continue to train our people. And I don't think the training changes that much, right? It's like, do you know who this is, do you know what this is? We're training them: do not click on here no matter what, even if they say it's your bank. There are going to be some fundamentals that don't change, whether it be on the IT side or the end-user training side, but that's just a real-time example of something new that's coming at us that we probably aren't going to be fully prepared for.

Exactly. Yeah, maybe a future talk. I think that's a great thing. There are a lot of attacks that are coming that are unique and different. We keep getting smarter in the training, but at the same time we've got to recognize that... I've been fooled by our own security awareness training internally, which of course is super embarrassing. I should be proud, but I'm embarrassed, but I've clicked on the phishing emails from our security awareness platform, and it just goes to show that these things still work, which is why it's so important to have multiple facets to security. It's not simply the training, it's not simply blocking the phishing emails, because you can't block some of these things; they look totally legitimate and it's hard to identify. But it's past that: once the email has gotten into the inbox, the gateway solution has stopped; they don't do anything. So how are you evaluating what's already in the process? Are you scanning your inboxes? The answer for most people is no. "I've got one of the top three gateway solutions; they have AI, they have phishing protection, they have image protection." They're not enough. 93% of all attacks come in through email, and they still come in through email, and still you've got those three people that keep getting hit in that room that you're standing in.

Well, this has been great information for me; I learn something new every time we talk. But for those of you out there who are listening, we would imagine that you've already invested in some tools, you've already invested in some technology, in some solutions. But certainly if this is giving you food for thought, or if you're kind of wondering, based on what you're currently doing, how you might strengthen or grow that maturity, we have a number of different ways we can help you, whether it be a health check, or we can even take a look at the tools that you've got and help show you a model for maturing that over time given the current investments you've already made. So different choices, different options; these are complementary for you. We really consider it our mission to help take that time away from the bad guys, right? I mean, we really want to help organizations get into a position where they're at that three minutes, they're at that six minutes, and really don't have to go through the pain of what happens when a breach and attack goes deep and disrupts your business.