Kirstin Burke:
Hello, and thank you for joining us! Today, we’ll talk about getting “beyond the basics” of layered security and why it’s important – recent studies show that in 2022, 76% of organizations were targeted by a ransomware attack, out of which 64% were actually infected. Only 50% of those organizations managed to retrieve their data after paying the ransom. Additionally, over 66% reported having multiple, isolated infections.
Shahin Pirooz:
So if we are going to combat this – we have to go beyond the basics.
Kirstin Burke:
Right, right. We, between us, talked about the basics. We started talking about layered security, and that really seems to be a phrase out in the marketplace. It seems commonplace, but interestingly enough, the same report talked about how 30% of the respondents were very misinformed or misunderstood some key topics like malware, like phishing, like ransomware. So it made sense to me to start with, let’s define the basics, right? So if we’re talking about layered security, and layered security is perceived as being the basics, what is that? How do we define layered security as really the table stakes that an organization ought to be thinking about?
Shahin Pirooz:
The common leap that most people make when they hear layered security is defense in depth. Because that’s been the mantra and the concept for the last 30 years. We’ve been saying, “You got to have defense in depth,” and now the terminology is changing into the zero trust model. And what does all that mean? It literally meant you have to have security controls that go beyond a single layer of your infrastructure. Email security controls, DNS security controls, network security controls, endpoint systems, identity, all of those are layers of your infrastructure. Peeling back each layer of the onion, there’s another layer. So if you only have defense at one level, once they get through that, if there’s nothing else, they’re really getting all the way through the stack. So layered security is all about making sure that you’re not protecting one vector, but you’re protecting all the vectors that have access into your network, and network is kind of becoming an amorphous term these days. The network is the internet at this point. So network is wherever your endpoints and your people and your data and your assets are. Those are the… Think of that as your network more holistically, as opposed to inside my data center.
And many of the tools today don’t focus on layered security. They focus on endpoint. And I complained about this in our last tech talk, basically calling out my peers in the industry, saying, “You’re misleading people.” And I believe that’s the case. And a lot of people will focus on implementing a great gateway email security solution. And there are three top players in the market and they all do basically the same thing, and they implement one of three great email security and simulated phishing solutions. And then they implement a great firewall with good DNS protection on it, and then they implement a great endpoint security tool.
What else do we need? A lot. There’s much more. And what’s more important is each of those tools becomes a silo. Each of those tools interacts in its own world, in its own AI, and nobody’s pulling together the telemetry and the visibility across those tools to be able to do what we like to call layered defense. And I think layered defense is much more than just having the controls in place, but also getting the visibility at each layer and being able to plug the gaps to say something coming in from this vector also got to this endpoint and is using something that’s related to the type of attack it was using, the indications of compromise or the APTs associated with that type of attack. And I’m using acronyms, so I apologize if those things don’t make sense, but effectively, hackers’ playbooks are small.
There are only about 250 to 300 tactics, techniques and procedures hackers use. So it’s the combination of how they use them, the order they put them together, that changes them. And then we have kind of become stagnant, like we did with our traditional antivirus solutions on the endpoint, where they were doing file-based security. Our email security today is doing the same thing. And I think that’s a big flaw in terms of the way we go to market and how we mislead consumers of security services or security products. The traditional file-based security model is important. It’s a necessity. You have to have it. You shouldn’t get rid of your antivirus solution, but you need to have behavioral at every one of these defensive layers, and behavioral modeling is understanding things like this user’s intent and tone and the way they write, all of it, is different from the last time we saw messages, or the last 200 times we saw messages from them.
This is probably not the same person. Or they’re logging in from a location they’ve never logged in from or two impossible locations.
And many of the new modern tools identify those things, but they don’t bridge it back to that email landed a payload on the endpoint and that endpoint now has something on it. So that triage of information for the full stack, and then how it interacts on the network, that machine is now talking to other machines on the network and it’s trying to do lateral movement. It’s trying to capture data, whatever it is, that’s the way you root out and weed out the bad actors that are sitting inside your network for 200 days or more.
Kirstin Burke:
So if we back up just a step, we talked about layered security really as those specific security controls or tools that need to be at every layer, that there is no silver bullet, that we’ve got to have a layered effect to make sure that we’re reducing the efficacy of an adversary at every layer and combating them, because we know in some cases they’re going to get through. That’s just the nature of the beast. So when we talk about layered defense, so we’ve got layered security as kind of tools, really controls. Layered defense, is that the connective tissue at every layer that helps you be more aggressive or proactive or insightful about what’s going on? Not just at one level but at multiple levels? Can we give a definition of advanced, of layered defense, and then a scenario?
Shahin Pirooz:
Yeah, I’m going to do that backwards. I’m going to do the scenario first. To build a proper security stack, you need about 30 of those security controls we’re talking about. Any typical enterprise of over a hundred seats has about 30 tools in their portfolio that they’re using to build their defense in depth approach to security. That’s all the areas I covered. Email, DNS, endpoint, network, identity, all these pieces and parts come together. Data leak prevention, all these assets, facets all come together to create a security control that tries to prevent a bad actor from crossing that plane, crossing that layer. What’s problematic with that is those are 30 different tools with 30 different databases, with 30 different AIs, with 30 different controls that you have to implement and policies you have to set. So it becomes a nightmare to manage. So people want to hear that beautiful “there is one pill,” and that pill is this EDR solution that is amazing or this XDR solution that’s amazing and it’s all you need. You don’t need anything else.
There’s one particular vendor, which I will never call out a vendor on this show, but there’s one particular vendor who drives me crazy. They do basically application whitelisting and blacklisting and they say, “You don’t need EDR if you have our tool.” And it would be equivalent to saying, “If you put your PC in a closet and turn it off, it’s totally secure.” And so it’s very frustrating that market terms and communications mislead people to believe they’re buying something that’s the answer. That’s the cure. Defense in depth is about that layered security. Layered defense is you need to make sure that that connective tissue exists and that you are understanding what happened in layer one at layer five or at layer 10 or at layer 20, and be able to bridge the communications between, or the alerting and correlation of information between, all those layers.
And the minute I say correlation, everybody’s head jumps to SIEM. Sure, that’s a good tool for pulling that all together. But I can tell you one customer I know that has had a SIEM and has looked at it to root out the bad actors that are dwelling in their network. They look at the SIEM when an event happens, for forensics data. So when they become one of that 61% that gets encrypted, that’s when they go look at the SIEM. And that’s not the time to be starting to look at the SIEM. And having a SIEM without having the view of 24 by seven operations, threat hunting, digging deep, all of that is super problematic for individuals that think they have a security model. They’re sleeping at night feeling comfortable with their security, but they don’t know who’s in their network, who’s crawling around in the dark, who’s hiding in the corners.
Kirstin Burke:
Well, it’s like you’ve put a guard on the guard tower after everyone has broken in the tower.
Shahin Pirooz:
Exactly.
Kirstin Burke:
And so they’re watching the tail end of what’s going on instead of being out there making sure nobody gets in.
Shahin Pirooz:
Exactly right. And it’s like, hurry up and run, climb the tower. We’ve got people breaching the walls and it’s a little late for that. It’s way too late for that.
Kirstin Burke:
Got it, got it. So it seems to me, if I’m listening to this, I’m thinking, okay, so I can wrap my head around layered security, right? Because there’s typically a tool or tools attached to each of those layers. And so if I think about layered defense, just in terms of executing it, right? You’ve mentioned a SIEM, but this is where my mind as a consumer is starting to get confused, right? Okay, I’ve got all these tools for layered security. Now what do I have to add to build in layered defense? So what’s extra, or what are the trade-offs, so that I can actually make this happen in a meaningful way?
Shahin Pirooz:
So it starts with something like a SIEM, but then, because of the wide variety of tools and ecosystem that’s out there, it’s very difficult to have any one SIEM that understands the data and telemetry from all the tools that you’re going to be using. Now, if all of us used the same tools in the market, it’d be super easy and the correlation rules would be built and all the SIEMs would be the same. So it requires a lot of care and feeding to create the correlation rules to actually understand the telemetry that’s coming in from these six or seven different sources, or 20 or 30 depending on how you look at it. And so the constant fine-tuning of the SIEM is a factor. And like I said, most people buy a SIEM, it’s a checkbox for a compliance thing, and it sits in the corner and nobody runs to it until the hordes are over the wall.
So having somebody fine-tuning it is a 24 x 7 operation that you need to keep maintaining. Every time you see new alerts, you need to look at: is that alert real? Is it not? Do we need to make adjustments to it? Every time you feel that an alert should have happened that didn’t happen, you need to go and look to see why it didn’t happen and create custom rules to catch that scenario. So it’s not just weeding out the false positives, which is what most people believe fine-tuning means, but also identifying the false negatives and raising those to the top. And then a SIEM alone isn’t enough. Sending emails to a guy who’s asleep in the middle of the night to take a look at something, or, back in my day (I’ve got a lot of gray hair), paging the guy who’s asleep in the middle of the night, isn’t going to work.
So you need a 24 x 7 operation to be looking at that alert data, investigating the alert data and determining: is this something that really should wake up Bob and get him to the table, or can George take care of it in the morning? And so the reality is the simple answer to the thing is, it’s people, it’s skilled people. It’s having those who know security, who understand security, who are looking at all the advanced threats in the market and creating custom correlation rules and policies to catch those. And then having a team that is monitoring that and continuously fine-tuning that and learning from it, and then investigating it to see if it’s real in the middle of the night, when the hackers work. Because the hackers aren’t going to do something when all of IT is in the office. They’re going to wait till Memorial Day weekend or Labor Day weekend, and they will do it on Saturday, where they have two days to do the damage they can before getting caught. Because everybody’s out on the boat, drinking beer, enjoying themselves.
Kirstin Burke:
So this all sounds great and it all sounds important. If I’m an organization out there, I might think, “Well, gosh, I’m not a global brand or I don’t have HIPAA regulations.” So companies like that, I get why they have to do this, but do I have to do all of this? I’m thinking, is advanced, or is layered security, enough for me? Or is part of both of these okay for me? Are there trade-offs? Or if I were to prioritize something, would there be something to prioritize? Or is the answer, if you really want to have a mature security posture, this is what you do?
Shahin Pirooz:
Yeah, the short answer is this is one of those places in human reality where there is no prejudice. They don’t care if you’re small or big or whatever. They don’t care if you have regulation or don’t. They’re literally shotgun blasting email communications out to everyone, anyone they can. And then they move from one person to another, so they compromised somebody. I literally, I had a friend who sent me a message in Facebook the other day that said, “Hey, look at this car accident video. This is somebody we both know.” I’m like, “First of all, this doesn’t sound like him, and he wouldn’t send it this way.” So I click on it and sure enough, it takes me to “log in to your Facebook to see this.” And I started in Facebook. And the reason that I got it was because this individual had put in their credentials when they got that same prompt, and then it went to his friend list, and then it’s going to go to the next person’s friend list, and it’ll keep going.
And fortunately I was able to see it and call and say, “Hey, go change your password right now before it causes a problem. And by the way, here are the people that you communicated to, go send them messages.” And so I think it’s very easy for us to think it’s not us, it’s them. But the attacks aren’t just coming in the corporate environment. They’re coming in from Facebook, and our users are putting the same credentials in Facebook that they put into their Office 365 that they put into their G Suite, because it’s easier for them to remember. And we tell them, go use password managers. And then we have the LastPass breach, and everybody’s like, okay, don’t use password managers anymore, or not that one. So we end up having this back and forth of do this, don’t do this. And so it confuses people, and what are they going to do? They’re going to put a sticky note on their desk with the password to all of their accounts: I don’t have to remember anything, and I don’t need a password tool because this is the best password tool right here.
Kirstin Burke:
Or my address book in my purse.
Shahin Pirooz:
And I don’t know if you remember the whole Hawaii missile alert that happened. The reason that that guy was hacked was because he was interviewed weeks before the hack and he had his password on a sticky on his monitor and his picture was sitting in front of his monitor and the hacker zoomed in, figured out his password, most of the characters, and off they went.
Kirstin Burke:
Wow.
Shahin Pirooz:
I mean, it’s that simple. This isn’t rocket science. People in the security space, on the dark side or the light side, are not magicians. We’re not creating stuff out of thin air. This stuff is just a couple of tactics, techniques that help us bypass security. On the gray side or white side of that banner, we understand those things so that we can prevent those things. On the dark side, they want to get ransomware because it’s a much shorter path than having to go write code or whatever.
Kirstin Burke:
Sure, sure. So if the answer is, for everybody, this really is what you’re facing. This really is your reality, and like it or not, if you really want to be assured that you are secure, this is what you have to do. The next step is, well, I’m not going to hire five people just to staff the alerting, and how do I buy the tools and the technology, and how do I keep it up to date, because the minute I buy one of them, it’s not going to be the right one. So we often talk about managed security services as a leapfrog to get to good without having to go through all these steps. So to accelerate it, to help you do it at a more reasonable cost. Let’s just quickly wrap with how you feel, or where you see managed security services, really on the layered security and layered defense side, really kind of helping change the game for organizations versus the bad guys.
Shahin Pirooz:
Yeah, honestly, it’s just like the military creates special operations teams to do unique types of tasks. The same thing has to be true in IT and security. And for years we’ve gone back and forth with security as part of IT, security separate, security reports to the CEO, security reports to the CIO. And all this movement is because we don’t understand where the best fit is. But the real answer is you need to have specialized teams that understand what the bad actors are doing, how they’re doing it, and you also need to have specialized teams that know how to operate the environment.
Operating the environment is making sure systems are patched, making sure the backups happen, making sure the users can access what they need to. Those are critical skills to keep a business running, but those skills don’t translate to how do we keep somebody out of that stuff. And so what we’re able to bring to the table for the IT organizations, whether those are MSPs or those are individual companies themselves, is the ability to sleep at night. I have partners and customers who say, I can finally sleep at night because I know there’s a team of people 24 by seven keeping an eye on this stuff, and you guys tell me when something’s going on. When it starts, not after it’s happened.
Kirstin Burke:
For sure. Well, and I can imagine just the level of investment. You talked about 30 security controls, 30 different tools, right? Add to that the people, add to that the SIEM. And if all of that can be consumed versus built and bought.
Shahin Pirooz:
Exactly.
Kirstin Burke:
And one thing we talk about often is the shelf life of tools, and that it doesn’t take much to expire that tool, and that all of a sudden the one that you spent all that money and all of that training on needs to be replaced. And if that burden shifts to your managed security provider versus you, so that you don’t need to worry about what’s current, what’s not, do I have the right thing? That’s all on the managed security provider to make sure that we’re just continuing to deliver that solid security platform that you need. I mean, I would imagine more and more over time that is going to be where this goes, because it’s just becoming too heavy a lift in all sorts of areas for people to really do it on their own.
Shahin Pirooz:
Yeah, I think we mentioned it a few months ago on one of these topics. We were talking about the fact that some of the biggest security resellers in the space come and sit in front of you with a line card of 3,000 security tools and go, “Here, what do you want? We have it all.” And the challenge for any organization is, yes, you can do what we do. Without question. There’s no magic here either. It’s time, resources, and wherewithal, and you have day jobs; you are in fact trying to keep the business operating and running.
And what we do is we focus on how do we continuously identify best-in-class technologies and focus on the productization of security services in such a way that we’re delivering features and capability and competency to our customers, our organizations, so that when the tool does expire, when it runs out of life, you don’t have to worry about, oh my God, I have to go do another POC. I have to go look at five new vendors. I have to go do an RFP. Well, all of that pain is lifted. And for me, I’m biased obviously, but I feel like that is the true future of how to take advantage of consumption-based security.
Kirstin Burke:
Well, thank you. You’ve given all of us a lot to think about, and hopefully people can still sleep at night after you’ve shared all that you have. But we offer this at the end of every tech talk. We have a number of different assessments and health checks that we’re able to offer organizations complimentary, just to help you understand where you’re at. So if you’ve already invested in things and you’re just wondering, “Hey, do I have gaps? Where do I stand in terms of this layered security?” If you’re really more interested in, “Gosh, I really haven’t thought about layered defense in the way you talked about it,” we can help you evaluate where you’re at.
And whether you work with us or not, we certainly would love the opportunity, but we really want to help inform organizations out there so you know how to better secure your organization. We are the good guys. We are on the side of the good guys, and we will do what it takes to help you know what path to take to secure yourself. So reach out to us if that’s something you’re interested in. And other than that, thank you very much. Thanks to all of you. Have a safe Memorial Day and we’ll see you next month.
Shahin Pirooz:
Thanks, everyone.