I am going to imagine that Shahin has donned this costume partially because Halloween’s a few days away and also because we’re in the end of Cybersecurity Awareness Month. We’re delighted to be here and it changes the dynamic of being in person together so we’re excited to talk to each other and have some fun with you.
Anyone who saw the write-up for this TECH talk knows we are dovetailing in with Cybersecurity Awareness Month, obviously something that’s near and dear to our hearts, being in the business that we’re in. As Shahin and I talked about what to talk about, we started talking about awareness, and the difference between, and the importance of, awareness versus preparedness. And since I’m a communications person, right? I went to my handy-dandy Webster’s Dictionary, and the difference between awareness and preparedness is interesting. So awareness is head knowledge: I’m aware of a situation, I’m aware of something going on. Preparedness, interestingly enough, is a state of readiness, especially in times of war, or preparedness for a war. And it just got me thinking that awareness certainly is great, right? I am walking through a dark parking lot at night in the middle of the city. I want to have situational awareness. I want to be looking and seeing what’s around. But for me to be very safe, I need to be prepared. I need to have had some self-defense, I need to have something to fend somebody off, right? Preparedness is more of an action, and we really wanted to talk today about–in this month but every day of the year–let’s talk a little bit about cybersecurity preparedness and how to help companies move–and especially move your employees–from the head knowledge to “how do we make sure that employees and organizations are in that state of war,” because really that’s what we’re in.
We often say internally and to our customers that security’s everybody’s job; it’s not just the job of IT, it’s not just the job of the security team. And we also have a conflicting position on that: we say “don’t make your users be your first line of defense.” It sounds like it’s kind of contradictory and conflicting, but in reality there are first lines of defense before the user. If you make them the third or fourth line of defense, then you’re in better shape at being able to catch those things that tools don’t. The fact is tools keep getting better, hackers keep getting better, and it’s a leapfrog game where one is constantly trying to outdo the other–trying to catch up with the other–and there are going to be things that get through. I was talking to the CTO of a software security company a couple of days ago and he said, “Look, you’re one of two kinds of companies: you’ve either been hacked or you’re going to be hacked,” and we keep saying that. In the industry we keep repeating those same things. It’s not a matter of IF, it’s a matter of WHEN, and the facts are: you need to, number one, be prepared, but number two, make sure your staff and employees and individuals are trained and aware of what to do and how to spot bad stuff. 93% of attacks come through email, and let’s just say that it takes one click to create a ransomware situation. So all it takes out of that 93% of attacks is one to work. And you take a look at the sophistication of a lot of these email phishing attempts that come through, right? I had an email come through the other day that was from the CEO of a vendor that I work with saying, “Hey!
Our address has changed, you know, please remit payments here.” And thanks to my awareness and preparedness I didn’t just take that at face value; I reached out specifically to him, specifically to our account manager, and said, “Hey, is this for real?” because we have seen–and we have had–customers experience that kind of social engineering where they’ve spent a lot of time, they were in the system, they knew the internal dynamics and reporting structure, and we had employees redirect funds where they weren’t supposed to go. So there really is… I mean awareness is critical, right? But it’s what you do with that awareness as an organization, and then what you have individuals do with that, that gets you in that fighting shape. Absolutely. We’ve recently started to talk a little more about our services, and I don’t want this to sound like a sales pitch, but one of the services we offer is security awareness training, and when I’m speaking to a prospect, they say, “We’re good! We’re already using KnowBe4.” And whether you’re using KnowBe4 or any of the four or five competitors to them–I say KnowBe4 because they’re 90% of the market today–that’s great, that’s a good tool. The problem is most of us are using that tool for generating false attacks and then, if somebody fails, we send them to training. That’s not making anybody aware–that’s only testing that they don’t make mistakes and, if they do, sending them to a remediation school. What we do instead with our security awareness training is monthly training–it’s about eight minutes, it’s pretty quick–and it goes through, you know, fun little videos that explain a topic; it could be phishing, it could be smishing, it could be any number of business topics–ours this month was when you’re remote–and the idea is you want to continuously train, not just test, and testing is making an assumption that the training has already happened.
So I think those tools have the capability to do security awareness training, but in 90% of the cases when I speak to customers they’re just using the testing, and the testing is followed up by a punishment–a punitive “you have to go to class now because you failed the test.” So in our opinion a better approach to making your end-users aware is to give recurring training: make sure that every month they’re getting something new, make them understand security a little bit better. This is not a black art, but it feels like it from the outside. What we do is a lot of common sense. We look for the needle in the haystack. That’s the job we do day in and day out as security experts. Because of that we have to be very myopic about the things we look at and the things we see. Users aren’t expected to be like that, so we can’t expect that users have the same mindset that we do; we have to make them aware: do security awareness training about what the types of attacks are, how the bad actors behave, what the guys who wear masks like this do, so that they can protect themselves and protect the company by extension. Well, and we talked a little bit about organizational preparedness, right? So we’re focusing on the employees, we’re focusing on their behavior–which is really important, we know that endpoints are super susceptible, especially given what’s happened in
the last three years–so the other thing, from an organizational awareness standpoint, is, to your point: let’s not make the battleground be with the employees. So what are the defenses we help put in place ahead of time to narrow down those (bad actors) that do get through? And maybe you can talk about that: the relationship between what we do expect the end-users to do, or what we want to enable them to do, and what we recommend the organization takes charge of before it even gets there. Absolutely. We’ve got this approach–this 5-layered approach to security–that we think encompasses the holistic view in terms of increasing your security posture and making sure you have the proper layers to protect your environment and your users from attacks. Not from internal attacks, not from others, just the basics that say, “We are going to make sure that the environment is safe from an outsider coming in and doing stuff.” There are other things we do in terms of insider attacks and somebody who gets in the network, but the 5 layers are simply this: number one, the first layer of defense is email, because 93% of all attacks come in through email. Everybody says, “I’ve got cool tools for that. I’ve got Proofpoint, I’ve got Mimecast, I’ve got–
you name it, pick the product and stick it in there.” The problem is, gateway solutions alone are not enough. If they were enough, we wouldn’t have seen a 600% increase in ransomware attacks starting at the beginning of Covid. Those tools do a decent job of triaging things and finding malware that is an attachment or a file or whatever, and doing antivirus scans against the file-based attack. They do not do a phenomenal job of looking for links that are going to a bad site, looking for things like that. Some do better than others, but none of them are phenomenal. So, what do you do? Our approach is, we do the equivalent of NTA, which is Network Threat Analysis; we call it ITA, which is Inbox Threat Analysis. We crawl every inbox and we look for bad stuff, we look for things that are malicious in nature or that are anomalous, and we identify those anomalies and we block them. We prevent them from getting to the user to begin with. So let’s say we take that 93% down to 20%, 30%, 40%. We’ve taken a significant chunk out of the risk posture. The traditional email gateway solutions knock that number down to probably 50% at best. And so having a little bit more, whether it’s 10%-20% more, is a significant impact that will get you some additional layer of comfort, but there’s obviously stuff that’s going to get through. So what’s the next layer of defense? Layer two for us is DNS. Every piece of malware out there–80% of the malware out there, or bad products, whether it’s file-based or fileless–they need to talk to their command and control. They need DNS to function. So if you have DNS defense, DNS protection, then you’re protecting against another 83% of attacks that end up getting through the email. So we’ve
knocked it down to about 20-30 that get through, and then of those 20 or 30 we’re going to knock it down significantly because we’re preventing 80% of those from getting to DNS. And no DNS solution is good enough, because a lot of hackers now do direct-to-IP, bypassing DNS, so you also have to have a solid IP database that says “this is a known bad IP address that’s tied to this bad URL.” So it’s not just URL defense but it’s actually known bad IPs. So those two layers come together (in terms of the first two layers)–by the way, the so-called XDRs in the world are missing those two layers 100%. They do endpoint and they do some logs. Which brings me to our next layer, which is Endpoint. You have to have a solid endpoint solution. And are all endpoint solutions cut the same? No. Absolutely not, and if you pick one this year, is it going to be good three years from now? No, absolutely not. We’ve constantly changed our endpoint solution, and we do it on behalf of our customers because we’re not a typical MSP, MSSP–we don’t resell the technology and then manage it. When we replace it, we replace it across all of our customers, and they get the benefit of our research and development to change those things out. That endpoint solution is so critical that we do shootouts more often on the endpoint than we do on any of the other solutions. We do regular shootouts on every single product in our categories, and we’re up to about 13 to 15 products these days. But endpoint probably gets more attention than anything else. There’s a huge reluctance to change from something people are comfortable with, and I see a lot of customers that are using well-known–I’m not going to name any of the brands–but well-known products that are traditionally antivirus solutions that have added behavioral-based modeling to their stack, and those solutions often are the ones–when we go do an incident response for a new prospect–those are the solutions that are in their environment.
Those are the things that they are using to protect their environment and they’re like the puppy dog or the big dog you have that is a lover– and every time the bad guy comes in your house– wants to go and play and lick their hands. That’s what those antivirus-solutions are like. They don’t do a darn thing, they don’t protect you at all, but they look good and you got a check box that says “I’ve got endpoint security.” That is probably one of the most critical things: you have to stop the attack on the first endpoint it lands on and not let it encrypt, not let it spread.
The next layer of defense is missing in 99.9% of the customers I speak to, and it’s hard; it’s probably one of the most difficult things. It’s Network, and by Network I mean Microsegmentation and Network Threat Detection. A lot of people will say, “I’ve got Dark Tracer,” or “I’ve got whatever” that does NTA-like functionality. That’s great, but those solutions are not creating segmentation; they’re identifying the problem. You have to have a combination of segmentation, threat analysis, honey-potting, and deception technology–all of those things have to play together. Our MDR offering is designed to reduce the attack surface by saying: this application group is 10 servers, and if it gets attacked it’s only 10 servers that are going to be attacked. It’s not going outside of that. The first reaction most people have when I say segmentation is, “Oh my god, that’s really hard.” You know the joke we’ve made before is that segmentation or microsegmentation is where CISOs go to die. I have no intention of dying on this hill. The technology we’ve deployed–what we do with segmentation–gets you up and running with at least one application, but up to 10, within 90 days. Literally having a segmented network, understanding your environment, understanding the traffic/flows, and then having honey-potting functionality. So even if you don’t create the segment, if we see malicious activity, we redirect it to a honeypot. When you take those four layers in conjunction, that is really, holistically, what an XDR should be, and
you might guess that’s what our XDR solution does. And the last thing, the fifth layer, is the People. I’ve probably worn this record out, but I say, “Having a SIEM without a SOC is like having a guard tower without a guard in it.” And it’s pointless, because you can’t see the hordes coming at you from the other side of the wall until they’re up at the top of the wall. Or if you randomly decide to send someone up there at some point, you see they’re at the edge. And it’s too late at that point. You can’t do anything. You can’t put fire in the moat and stop them there. You’re stuck. Your castle is under siege. The sixth attribute–it’s not a sixth–but the key attribute that works most importantly across this ecosystem is that you have to be able to do this all distributed. The edge is gone; we don’t have an edge anymore. The edge is the device that you’re sitting in front of. That could be in Starbucks, that could be in your home office, that could be at a customer site, that could be in a trailer at a field location, or that could be in the corporate office. It doesn’t matter where the device is, you need to be able to extend these layers of security to the endpoint and not rely on them being behind your firewall. Traditional DNS defense is firewall-based, so the 50% of your people that are still working from home are not protected. Traditional endpoint security mostly works when they’re off campus, but it relies on some sort of on-prem solution to do better, to get more logistics, to get constant updates. So if you have somebody who’s never coming in the office, you hope that they VPN in to get their updates. Or you hope that you have a SaaS solution that lets them get their updates from wherever they are. Distributed is the key attribute of all of these layers working well in today’s distributed world. Well, I think that distributed factor goes back–all the way back–to why awareness is so important. Because in the past, in the not-so-distant past, we were in a building.
We could go run over to an IT person and say, “Hey! What about this? Should I click on this?” or whatever, but you don’t have access to that anymore. And you know, maybe you can send an instant message to them over Zoom or whatever, but you don’t have that access to help the way you did, and so end-users are kind of fending for themselves a little bit more, and if they have to do that we have to give them more sophistication, more intelligence, and more preparedness to be able to act in that framework. It’s interesting, and when I hear you talk, there’s a certain phrase that I hear you repeat all the time–which I think is very significant when we talk about tools, when we talk about layers, when we talk about all of this–the phrase I keep hearing is: it’s not enough. Right? At whatever layer and with whatever tool, the fact is, with security and securing your organization, there’s no silver bullet. There is no one technology. There is no one facet that is going to put you in a position where you should sleep well at night. For organizations out there–and we know from the folks we talk to–they have 10, 20, 40 security tools, just security tools, trying to manage all this. So they know one tool is not enough, but the response that we typically get is “we’ll just add more tools.” But when you don’t have a framework, and when you don’t have the perspective of what plays well together and what integrates well together–and we know. And I would imagine that any of those tool vendors that you talk to would say, “Our strengths are here. And where we aren’t as strong is here.” That’s just how it is with any tool, so it’s not really being disparaging, but with any tool, you have your strengths. What our Managed Security Services try to do is account for those areas where either the tool set isn’t as strong, or where we know there may be gaps in between the tool sets, or where we know that if you’ve got a tool, you don’t have the right person correlating these tools.
And so we’re really trying to up-level the tools, we’re trying to up-level the experience and the attention that you’re putting on all of this coming together. For an organization to do that themselves, it’s near impossible, because even if you have unlimited funds, even if you have unlimited staff, is that your core business? Is that where you want to be spending time? And so I think it’s not enough. I would imagine folks out there are feeling that somewhere within the security puzzle they’re trying to figure out, because it’s one of those areas where you kind of feel like Sisyphus; it’s like, “I bought this, but it’s still not enough, I’m sliding back.
I’ve done this, but I’m sliding back.” You wake up in the morning and the rock’s back at the bottom of the hill. Right, right. That’s accurate. I had a conversation with a CISO this week and we went through our services and our products, and he wanted to get a deep understanding of what tools we use right now. And I said, “I’ll share with you what we use because we’re not hiding it, but please understand that we’re constantly refreshing this stack with what is the best-in-breed.” Rather than developing our own tools and trying to keep up with the Joneses, we’re using best-in-breed and letting each individual component stand out at what it does best. And then oftentimes one of our products may be made up of three or four commercial products together, underlying OEM capabilities. Our EDR solution, as an example: it’s not one product, it’s three. And so when people say, “You’re using SentinelOne, I could use SentinelOne,” I’m like, “You won’t get 50% of what we do if you use SentinelOne on your own.” I mean, let’s just say we only use SentinelOne. You won’t be able to get what we get even if you’re using their diligence team. And the reason for that is: we’re going so far above and beyond in terms of creating policies and rules and correlations in the platforms that we use, that every time we see an attack in the market, whether it’s our customers or we hear about it in the news or we’re reading it in the CISA
releases, we basically take and create those IOCs across every one of our customers. So that attack will not happen without us noticing it inside our customer base. So every customer is benefiting–the global customer base is benefiting–from anything that happens to any one individual customer. And we’re securing customers across 23 countries and four continents. We’re seeing a lot of things that a small MSP will not, or that a tool provider–who cares about the efficacy of the tool, not managed services or this security approach we’re talking about–will not. We’re seeing things that they don’t see. We care about things that they may not care about, because everything we do is all about making sure that we keep the end-user safe, the end-company, our customers. And I think I’ve shared this with you, I’ve talked to many customers about this, when they say, “What made you get into this space?” and I said, about six years ago we saw multiple customers get hit with ransomware, and many of them paid millions of dollars to recover; even if the ransom was only a couple hundred thousand, they still paid millions of dollars to recover. And ransoms are now a million dollars or more. At the end of that, we helped them. We did the incident response. We helped them recover. We got them back up and running. We put better tools in place. We rebuilt their infrastructure for them. We did all the things that seemed like the right things. We came in and we did disaster relief, but I still felt like an ambulance chaser, because the poor customer was bloody and lying on the ground and I came in and handed them a bill and said, “Hey, here’s your bill for the work we just did.” And so we decided at that point, as a leadership team, the right space for us to get into is to get ahead of this and to prevent this from happening to any of our customers. That’s the mission we’ve been on. For sure, for sure.
And on that mission point, and as we wrap up: we’ve talked about preparedness, and we’ve talked about tools, and we’ve talked about how, if you’re an organization out there doing anything, you likely have invested in some tools, because you are aware that security is important. You are aware that you are a target. We have put together–I’ll call it an assessment or health check–where we are able to help organizations assess, based on the investments they’ve made, based on what they’ve got, and based on some of the vulnerabilities we can see, how they might move from good to better, better to great, and what that roadmap looks like. Can you tell us in 60 seconds–can you talk a little bit about that? Because I think–especially in Cybersecurity Awareness Month–“How can I be better prepared?” Something like this might really help organizations get a handle on what’s next. And, “How do I move to that next level?” Yes. There’s two–there’s three things actually. We’ve got many complimentary health checks that we do, and those complimentary health checks are in the areas of email security, network security, and security holistically. Our security health check covers all those pieces. Those things require a little bit of engagement with us to deploy an appliance and a couple of agents in your environment so that we can run scans and run some tests and give you a report card, if you will, of what things look like. Our complimentary approach to this is we give you the top 10 things we find. We also do an External Posture Assessment, a security assessment which is “how do I look to the world?” That is the key thing to think about. That one requires us to install nothing on your premises, just you giving us the go-ahead, and we can run that and give you a very quick External Posture Assessment of your world: what the world sees, and what hackers see when they’re looking at you as a target. Those are very easy things to do.
We’ve also got what, Kirstin, you were talking about, which is–we call it our Economic Roadmap–and the idea behind our Economic Roadmap is: first of all, let’s do that Health Check and get an understanding of how you look across the tools. “What tools are you using? What’s the state of your tools? Are they effective? Are they blocking the attacks that the hacker would do?” And then if the answer to that is yes, fantastic. You get a gold star and we move on. But if the answer to that is no, you could be doing something better here. This Economic Roadmap is designed to say: if you have a tool whose contract is expiring in two years, and then another tool that’s expiring in three years, and you have something that is expiring tomorrow, we can talk about how to transition over your life cycle into that five-layered support model, that five-layered security model that I talked about. So you can go from whatever maturity level you’re at to maturity level five with this Economic Roadmap and know how to budget it, and when to budget it, for the years to come. Awesome, awesome. Did I get that in 60? Close enough!