We thought we would start the year reflecting a little on last year, but also, as we look forward into 2023, talking about the key priorities and the key things we see going on in the market as we go into this year. We’ve identified three; we’re calling it our top three list, and we really just wanted to share what we’re hearing from our customers, our partners and our technology vendors, in the hope that it’s meaningful and helpful for you.

Where we’re going to start is: how do we plan for uncertainty? If we’ve seen nothing else in the last five years, between a pandemic and economic uncertainty, it’s that nothing stays the same, and as IT organizations we’re hearing more and more: how do we plan for uncertainty? You try to plan for what you know, but how do we plan more for what we don’t know, and how do we be both more proactive and more responsive? As Shahin and I were talking about this, a military term came to mind, and really, in the cybersecurity space a lot of things are similar, right? We have an attacker, we are creating defenses, we are creating response plans, simulated attacks, and so a military philosophy applies in a lot of cases. So why don’t you share with us our first phrase?

Yeah. The thinking around creating plans is that you’re trying to plan for every possible outcome, address those outcomes and respond to those outcomes. The challenge, and this is the construct that comes from the military, is that no plan survives contact with the enemy. The reason that’s an issue is that the enemy is also making plans, so it’s not one-sided; we’re not the only ones sitting here planning. The adversaries have been planning.
That’s why they have new techniques, that’s why they have new tactics, that’s why the MITRE ATT&CK matrix keeps growing, that’s why there’s new malware, and that’s why we talked about metamorphic malware a couple of sessions ago. All these things are happening because the enemy has determined what our tactics are in response to their attacks; therefore they adjust their plans, they make tweaks to their plans, they anticipate our responses and they create plans that react to those responses. Similarly, we have to work in that construct. The other attribute or notion is that a good offense is the best defense, and vice versa: the best defense has been offensive. Part of what that means is that if you attack first, obviously you have an advantage, so that makes all kinds of sense. But the other side of that is that if you understand the tactics of your attacker, you can better defend against them. If you anticipate what you would do if you were the attacker, then you can make decisions: “if I ran into this wall, I would go and make this decision instead; if I ran into this other wall, I would make this decision.” And it’s very easy, when you’re the defender, to determine what those walls are and how somebody’s going to get around them, because you’re the one implementing them. So if you take those two constructs, the best defense is a good offense, and no plan survives contact with the enemy, and put them together, that will start to give you context around how you should create your plans for incident response, for business continuity, for whatever.

Well, based on what you’re saying, the things that come to my mind are that your plan has to be adaptable or agile, right? And we’ve seen this, right? Does everybody have to go home on one day? How do we go from 20 remote workers to 100?
Or there’s an economic situation going on out there: how do we continue to do what we need to at a security level, at a lower cost, or with fewer people? So you’ve got to be adaptable. It would also seem to me that you need a way of testing or inspecting on an ongoing basis. If we know the enemy is constantly changing, or if we know tools are sometimes working and sometimes not, it would seem that you’ve got to have a way, almost in real time but at least on an ongoing basis, to say “okay, is what I think is working actually working?” And if not, I need to be alerted quickly rather than, say, at an annual podcast. And then it would seem that on your response, you have to be able to deploy that response in a lot of different ways, right?

It’s almost impossible to predetermine your response. The best way to think about that response is muscle memory, and again, stealing from law enforcement or the military: the way a true plan for a raid works is that they build a mock-up of the facility they’re going to raid, and they will run through that raid many times until they successfully hit the time window they said they would, and the objective, or the target, that they intended to get. So if they’re trying to save someone, they’re running through a repeated scenario in different ways until they say “we can accomplish this in this many minutes, this many seconds,” or whatever the answer is. That same thing translates to the cyber world. When we talk about incident-response plans, when we help customers develop them, our incident-response plans are all triggers for actions you need to take: when X triggers, a series of steps might follow, and the series of steps is where you need to be adaptable, because not every time somebody is using the same attack are the steps going to be the same, especially today with the metamorphic malware, which is changing the way it behaves.
It might look like a single attack, a simple attack on the front end, but it has changed the way it behaves throughout the attack cycle, and now it’s a different attack, so you have to change your tactics in terms of how you respond to it. Where incident-response plans fail is that most people sit down and say “when we get attacked, Bob is going to do this, Joe is going to do this, Steve is going to do the other thing,” and it’s about the responses we’re going to make to the attack, and we categorize ransomware as an attack. Ransomware is not one attack; there are so many different types of ransomware. Most attacks today are starting from email: 93% of all attacks start from email, and 80% of the malware that ends up on an endpoint has a requirement to connect to a command-and-control server so that it can become ransomware. So when I say 80%, you’ve got to imagine there are tens of thousands of different ways to accomplish what I just said, and we need to be able to identify and block them. There are whole nation-states and hacker communities out there that are attempting to create ways to bypass the security controls we built so tediously, while we try to implement solutions that block them and make these walls effective. So ultimately you can’t plan the response to something that is unknown, but what you can do is look at your known unknowns versus your unknown unknowns: “I know that the hacker is going to come in and attempt to take access of a system, attempt to take the credentials of an admin and use those to move laterally across my network,” and there is a limited set of things they can do to accomplish those things. The technology isn’t as complex as it sounds when you break it down into its moving parts. The first step is to compromise the system. That’s unfortunately the easiest thing, because our weakest security tool on the market is our users.
You just had a great conversation with a family member, trying to help them through not calling “Microsoft” because something popped up on their screen saying to call Microsoft. Our end users are our biggest weakness in security control; no matter how much we train them, no matter how much security awareness we give them, they’re still going to make a mistake. It’s a fact, and that’s why 93% of all attacks originate in email, because the attackers also know this. So you know the compromise of the system at some point is going to happen. Somebody will click something bad and download something malicious into their environment. The next thing you know is that, for it to spread, that thing needs to go get malicious code or needs to connect to a command-and-control center to be able to do the next thing, so you start looking for those things, and it builds like that. So you can’t respond against “ransomware,” but you know the basic movements of ransomware: first it lands, then it’s going to try to evolve, then it’s going to try to spread, but it also needs credentials, so it’s also getting credentials. All of these things are happening in parallel, and usually the adversary is sitting in our network for 200 days on average; in the industry that’s six months. They have to do these things, and the faster we find them, the faster we can react. But the response plan is not about “as soon as I see ransomware on a machine, I need to do X”; it’s “when I see things that appear malicious, they should trigger these activities.” If you’re implementing incident response at that point, it’s too late; something bad has already happened. You’re probably encrypted in some place, the ransomware has taken hold and the hacker has triggered whatever attack they have. That is way too late to respond, and oftentimes you’re going to end up with systems encrypted.
Hopefully the controls you put in place will address that and stop the impact from a large-scale perspective, but those things are all facts. Everybody will get some level of system encryption in a ransomware attack. So that’s a lot.

Yeah, right. And you can understand why, as you’re out there talking to people, as our team is out there talking to people, this is top of mind, because there are so many moving parts and there are so many different paths to go down. That certainly makes sense.
We’ll move on to the next one, which applies to everything, but...

Before we move on to the next one: it is a lot, and part of why it’s top of mind is that I feel a lot of manufacturers, vendors and even competitors in the industry have done a disservice to security because they try to simplify. This is not simple, and when we try to simplify something, we’re trying to, you know, Barney it down so it’s easy to understand. The problem with that is we get a false sense of security: “just implementing this one thing this vendor sold me is going to solve the problem, because I’ve got [fill in the name], and [fill in the name] promised me it’s going to be good, and they gave me a million-dollar ransomware warranty that if I get ransomware they’re going to pay me money.” There’s a lot of tiny, tiny print on that warranty, so buyer beware. It does a disservice to the community to say that this tool is the silver bullet, the pill that is going to make you lose 100 pounds overnight. Those things don’t exist. Security is all about defense in depth, again another military construct: it is all about layers of defense, and there is no single tool in your stack that will solve the problem. It takes many. Another industry metric: an average, properly prepared security organization is running about 30 to 40 tools in its stack. That’s a lot of consoles to manage, so give that a thought when you’re thinking “I’ve got [fill in the blank] and it’s solving my problem.” What I’ve described to this community in the last few minutes is a lot of moving parts. It is a lot, but that’s because it’s a complicated set of things that have to happen and work well together to help defend against it, right? We don’t have one of the world’s largest militaries in the United States because it’s easy…
Good point. Well, that’s a good segue, because the second thing we wanted to talk about is really how the insurance industry is adapting to this complexity, to the sophistication of our attackers, to the realization that for businesses it’s not if, it’s when. So you’re now not insuring for a small percentage of occurrences; you’re insuring for when it happens to everybody. As any smart business knows, if they continue doing things the way they are, they will go out of business. So let’s talk a little about how the cyber-insurance industry is responding, because we’ve had a lot of people come to us and say “wait a minute, I was insured, but now that I’m seeking to renew, I have to up my security game,” or “I’m new to cyber-insurance, and for me to even be insurable there are things I have to do,” and it’s very different than it was even a year or two ago.

Yeah. We’re seeing, from our prospect and customer base, two- to four-hundred-percent increases in premiums for cyber-insurance. Why? That’s the first question we ought to be asking ourselves. What happened is that going into Covid, three things happened. The first one is that ransomware spiked to 600% of what it was before March of 2020. Overnight it blew up, and it’s been growing at a steady scale since; not 600%, but it has been growing at a steady scale. It is now a crazy amount larger, something like a thousand percent compared to where we were in March of 2020. The reality is that the hackers got wise that our people were going to be working from home and didn’t have firewalls protecting them anymore, so now a click on a link will allow malware to get the DNS connection it needs, because their home firewall probably isn’t going to protect them, so there’s a much better chance.
So it was the splatter approach, the shotgun approach: “let’s splatter as much as we can on the wall; something’s bound to stick.” The second factor is that everybody went home. The third factor is that everybody decided “okay, there’s a much bigger risk” and bought cyber-insurance even if they didn’t have it before. So those three things happened. Fast forward to ’21 and ’22. One out of every two companies was hacked. Look left, look right: one of those people was hacked, maybe it was you. So that’s fact number one. Fact number two: 75%, three out of four, of the systems that are targeted are successfully compromised. Fact number three: of those three out of four systems that were compromised, one of them is encrypted, so you’re looking at a 25% attack success rate ending in an encrypted environment. And if that wasn’t enough, 80% of the people that were compromised are compromised again; they’re hacked again. So those factors all came to bear, and insurance companies are finding themselves paying out, and it’s no longer to the insurance side’s benefit. If you think of insurance like, and I hate to say this, going to a casino, the house is always stacked to win. Insurance companies have always been stacked to win; that’s why they’re a business, that’s why they’re in the business. They haven’t been for cyber-insurance, so what happened? They decided “we need to go back as an industry and figure out how to deal with this, because this is real, this is no longer a joke, it’s not child’s play anymore,” and the outcome of that was that the 10- or 20-question questionnaire they sent you to get you signed up for cyber-insurance is now 300 questions. So it’s much more complex, and it requires a lot more things.

They’re not accepting “I have antivirus”; they want to know that you have an EDR solution. They’re not accepting that you have a firewall; they want to know that you have a next-gen firewall. And let’s be clear, they don’t always know what those things mean, but the manufacturers have whispered in their ears and given them brands to put in the categories, so [fill in the blank] has done a good job of saying “I’m this, but these companies are not,” and you’re now fighting against vendor selection in terms of your insurance, because the traditional antivirus solution you’ve used, which now says it’s EDR, isn’t EDR, like we talked about in a previous talk, and now you have to think “okay, I’ve got to change that technology.” Then there’s the model we’ve historically built out; it’s like the planning approach, right? My regulation, whether it’s industry, governmental or our own embedded one, says “I have to have a SIEM,” so it’s a checkbox: “I’ve got a SIEM.” It’s collecting logs, and not one person looks at it, but “I’ve got a SIEM and I’ve checked the box,” and “I do log collection and aggregation, I’ve got endpoint security, I’ve got a fill-in-the-blank on that one.” They’re now saying “prove to us that you’re looking at it. Please prove to us that you are doing something with it, and prove to us that you’re correlating information from all these different systems.” And not only have the premiums gone up, but to Kirsten’s point, because of the 300-question questionnaire, there are companies that have said “we’re no longer going to insure you unless you do these things; you’re not eligible for cyber-insurance.” There are industries where entire providers have said “we’re not touching that industry,” because they have been hit more than anybody else and the risk is too high for them, right? The house will not be stacked if they insure them.
Yeah, so if you think about all of those factors that are coming in, and if you think about the planning conversation we had, they kind of fall in line with each other. Two of the strategies or priorities that you should be thinking about for 2023 are: “what is my plan and approach when my premiums increase for cyber-insurance?” and “how am I going to modify my plans to not be focused on response, but rather on the actions we take, the phone calls we make, the things we do, and making sure everybody is trained?” We’re doing those things when the incident happens, because we’ve been saying for decades: it’s not if something is going to happen, it’s when. And with the metrics I just threw at you, if you look left and right and one or two of your peers have been hit, how long can you expect before it’s you standing in that hot seat? Everybody has had attacks. The question is: do you have all of the tools that tell you what holes to block? What happens if an attack gets through? How can you respond, and what is the efficacy of the response when something gets through? That’s why real security stacks are 30 or 40 technologies in concert, not in isolation.

Yeah, well, I think in the past people maybe heard that number, call it 10 or 20 or 30 or whatever, and a lot of organizations said “that still doesn’t apply to me, I don’t need that, I’m not that sophisticated, I don’t do X, I don’t do Y.” But I think what we’re seeing in both of these, number one and number two, and sticking with the poker analogy, is that a more mature security posture is now table stakes for doing business, whatever you’re doing. And a lot of organizations don’t go into business thinking that or planning that. When you’re putting your business plan together, right?
“Have I put the line items in there for the staff, the technology, all of that?” So I think this shift just continues to happen, and it puts more of a burden on organizations to develop this as a competency, and there are a lot of organizations saying “wow, this is a hamster wheel; it is necessary, but boy, can it detract from the business.” And I think that takes us to number three?

Before we get to number three, though, there’s another factor in this cyber change, because the cyber industry is also saying that a big part of this risk is coming from your supply chain. Yes, so supplier risk assessments are something they’re enforcing, which means now you have to have not just the tools, but a security program that is going and inspecting that the people in your supply chain are also doing all these things that you’re supposed to do. So not only is your security team having to think about internal questions, what are the best technologies, how much is this going to cost us, what’s the impact from a budget perspective, but now you have to spend the cycles to go and talk to your air-conditioning manufacturer, to anybody who’s in your supply chain of technology, whether it’s something supporting your facilities, something that has access to your facilities, or technologies that you use to deliver your service, and ask how they’ve secured their technology. You now have to go and inspect them to make sure they’ve done these things, right? It’s not yet where cyber-insurance is going, to say “if you don’t have a supplier-risk plan or assessment in place, we’re not going to insure you,” but I would place money on next year we’re going to be talking about that being the new thing that cyber-insurance enforces. And if you’re on the other side of that, if you’re not the entity that needs to check their suppliers but are one of those suppliers, suddenly you’re having to meet this threshold, you know?
That may not be relevant to your business, but for you to do business with the people you want to, you have to hit that, and you also have to have cyber-insurance to protect your customers, right? This in turn means you have all these 300 questions to answer, which in turn means you’ve got a security program to build, which in turn means you have to go inspect your suppliers. It’s a domino-chain effect.

Yeah, so this change in the insurance approach to addressing this market is pretty significant. The premium change is not the biggest part of it, because yes, your premiums will go up, but to even get to pay those premiums, your security spend is going to go up.
Right, right… And so the third topic is: at what point does it make sense for an organization to get help? It’s like all the other areas where businesses have at some point said “this is important, we have to do it, but it’s not core to our business,” and managed security providers are starting to move into that realm, right? The challenge there is that there are a lot of different people saying they play in this space, and again, buyer beware. But at some point, and you mentioned this earlier, I think we’ve been conditioned as technology buyers: “I’m buying tool X, and I have an annual contract, I have a three-year contract,” and we know now that these tools don’t have the same efficacy in year three as they do in year one. So when you’re buying your tool, when you’re committing to something that long, and you’re buying 10 or 20 or 30 of them in that stack, it’s almost like the battery efficacy of your phone: after a while it starts dropping, but I still have a year left. So you think about the workload, the tool buying, the tool efficacy, the staffing, the monitoring. I know we don’t have too much more time on this one, so we won’t go too deep into number three, but let’s just talk at a real high level: where and how, if you’re an organization, does it make sense, and if you’re not sure it makes sense, what is the economic state for even thinking about it? Let’s just explore it. Let’s talk about that.

Yeah. The biggest challenge in this last one is that, as technologists, we like to build things, and I’m talking as individuals here, not as a company or as Shahin; we like to build things because we like playing with gadgets, we like playing with tools, we like shiny new things, we like learning and we like growing.
The problem is we also have a day job, which is differentiating our company from the competitors, and I’m talking about all of us in the IT and information security space. Our job is to make sure we’re delivering quality services and user experience to our customer base and, at the same time, staying ahead of the Joneses and completely differentiating what we do from everybody else, so we can stand out and so our customers will continue to understand that we have to earn their business every day. Whether I’m in the insurance industry or manufacturing or whatever, my job as a technologist should be to figure out how to differentiate the company. The problem is, many times we’re dragged into the muck with things like we just described: our insurance premiums went up and you have to do these 30 things, so all of those projects that would differentiate us, the financial systems, the automation, the manufacturing-floor systems, whatever, get put on hold because we’re focused on closing this gap for this audit, or finishing the cyber-insurance review, or you name it. The impact of that is we don’t have time to be experts in anything; we have to move quickly, we have to rely on the expertise of the partners who are selling us technology, we have to rely on the fact that they’ve done the due diligence and know which tools are the best, and that they’re not driven by which has the best margins or revenue for them. And it’s a tough thing. That’s why people end up building relationships with someone they feel has never screwed them, excuse the French. But ultimately, to come back to the question, to get an understanding of your economic roadmap, you really should be doing evaluations of technology. You really should be understanding the timeline of tools and their efficacy.
For example, there’s no possibility, and it hasn’t happened in my career (if somebody has a different opinion, let me know), that one manufacturer can stay best in class for any more than five years. I have not seen it happen. There’s always somebody who will leapfrog ahead of them and stay there. Technology-wise, they’ll do an enhancement, and if we tie it back to that military approach we talked about: why does the military spend so much darn money on weapons, on planes, on radar, on defenses? Why do we keep advancing military tech? Because the enemy does too. So if you pick endpoint-security tool [fill in the blank], that tool is probably not as effective as it was five years ago, and it is probably not best in class anymore. Somebody rises to the top, and they can’t stay at the top for more than five years, in my experience, and this is 30 years of experience in security. The reason for that is everybody is trying to do something different, and they don’t have the technical debt that particular manufacturer has. They built something great five years ago, but all of that underlying code beneath the surface is still dragging them down, doing the same thing, and they’re trying to figure out how to plug in new ways to address new attacks and new techniques, whereas all of a sudden the shiny new company pops up three years into its life cycle and has addressed the current landscape of security threats, designed for whatever the new thing is. There may be some completely crypto-based or bit-current-type approach to attacks in the future that isn’t there today; those types of activities that are happening in the world today, from decentralization, can have a major impact in terms of how attacks can happen. But we think about it as security.
Sure, but if it’s security, there’s probably a good way to take advantage of it for other things as well, and so the next evolution of attackers, and of the tools they attack with, will not be addressed by the technical debt that’s in the tools we use today. That constant evolution, replacement and refresh of technology, that life cycle of systems, is the thing that takes most organizations down, and that’s when the hackers have the best success: at the end of that life cycle, because those tools are long in the tooth and don’t do what they’re supposed to do. I had a customer who got compromised because they were using an ASA that had not been updated, and the hacker came in through the ASAs at the edge, got onto their network, and spread. Cisco is a best-in-class security company; they are one of the people we think about when we think of security. But if you’re not staying current, if you’re not using the new technologies, if you’re not refreshing, it doesn’t matter that you have a brand name.

So with a managed security provider, if you’re working with the right one, when you think of technical debt and refreshes, all of that starts being done in the background. Instead of buying tool A and being stuck with it for three years or whatever, you have someone on your behalf who is constantly evaluating that stack, working something in, phasing something out, and in theory keeping you at the leading edge of where the attacker is, versus the back end where you have more gaps.

Yeah. The way to parse the “ideal” comment I made is this: if you’ve got a managed security provider, a managed service provider that is selling you technology, reselling technology, and then managing it, they’re not doing that refresh for you. Yeah, same issue, yeah.
They are selling you technology based on whatever they believe is the best at the time, which may change over time, but now you are tied into evaluating whether that technology is the right one or not. That’s where it’s nice to have a company that has technologies that address all of the control segments you’re trying to address, but again, why are we wary if it’s a single manufacturer? Refer to my previous point: they can’t stay at the top of their game; it’s hard to be the best in every class. So an approach we take, which isn’t unique but is close to unique, is that we continuously improve our technology stack. We’re always looking and always doing shootouts to figure out “is this tool still the most effective tool at solving this problem?” and if it’s not, we replace it across our entire ecosystem at no cost to our customers, no TCO required, no change in pricing; it’s just embedded in the way we approach bringing solid security services to market.

Well, let’s end this January segment. Faced with all of this, and starting about halfway through last year, you brilliantly led an initiative to put together an economic planning roadmap that our clients could use, or not; you don’t have to be a client to use it. Going into 2023, we would like to offer this to our listeners, and so maybe quickly, as we wrap, you could describe a little of the elements of it and how it might benefit them, no strings attached. As you look to plan for challenge one and challenge two, we would like to offer you this as a benefit to help you think about where you are and how you are going to plan your improvements.

Yeah. As you can imagine, there’s a lot that goes into that process of figuring out when and how to swap out technologies.
When you’re doing this continuous-improvement approach, taking those decades of experience and putting them into a tool, we created this economic roadmap. It has a simple input sheet that will collect what tools you’re using in your security technology stack, what the counts are on those tools, and what your spend is, if you’re willing to share that. In a complimentary way, meaning that we offer it to you at no charge, we will take that data, process it through the analysis that we do, and come back with a recommendation, a roadmap and a timeline that tells you, based on when the licenses expire, how many you’ve bought and what you’re spending, here are options for you to consider at these times: this is an ideal time for a tool refresh, this is an ideal time for looking at a different way of approaching it. That roadmap is laid out for your three-year strategic plan for security. The whole intent is to take you from whatever security-maturity level you are at to a security-maturity level of five.

Sure, and then in some of those cases, for those organizations that are thinking about when and where they might want to pull themselves out of this and bring in a managed security partner, part of those options are: you can continue to do what you’re doing, or, if you look at a managed security provider, how and where that might impact both your spend and your licensing, and all that.