Hello everybody. And welcome to 2022. Not sure if any of you are in as much amazement as I am that we’re already here, but here we are, close to the end of January. I’m Kirstin Burke, joined as always by Shahin – oh gosh, 2022, welcome.
We’re just getting our game faces on here, and just want to thank you for joining us. Hopefully everyone had a fantastic holiday season and is getting in gear for a great new year. We’re excited to be here with you. And I don’t know about all of you, but one thing we start thinking about really towards the end of the year, and then going into the new year, is spending: what are we going to spend on, what are we going to grow, what are we going to strengthen? And we just thought it was appropriate to talk about security spending right now.
If you take a look at any of the data out there, based on the research reports you read, security spending is going up: anywhere from 45 to 66% of organizations are increasing their spending. Certainly, there are over 3,000 tools out there that people are probably contacting you about, “Hey, do you want to buy, do you want to buy?” So there’s a lot of pressure out there to really try to get your security posture in order. And when we talk about spending and budgets to our customers, we’ve really kind of changed the dialogue, and it’s not really if you’re going to spend, but it’s how are you going to spend, and when are you going to do it?
And if any of you saw the graphic that we promoted this with, there were a couple of Mason jars, and one showed security spending before breach, and there were a couple coins in there, and security spending after a breach and the jar was overflowing. And certainly, there are options for how and when you spend on your security, and we really wanted to talk about that today. So Shahin, I’ll let you start off just with some early thoughts on maybe how the philosophy around spending has changed.
So we’ve all seen the shift of the CSO and the role of the CSO moving up into the boardroom rather than being delegated down to the VP of IT or the CIO at best; that role has now become a board-visible position. It’s an important position for the company, and then security spend is tied to that role. The positive side of it is that that visibility is happening at the executive team level. The negative side of it is that many organizations are still looking at spend in security as something that doesn’t affect the bottom line directly, and it isn’t until a breach happens that they realize, holy cow, we were out of business for days, weeks, months, and sometimes many months, and the impact on the business was huge. So the security spend commensurately goes up significantly.
But the point you made is actually an interesting one. We have multiple use cases where we have prospects or customers that have come to us in the middle of a breach. And not only did their security spend go up after the breach, but their spend wasn’t like a regular spend. The breach caused a significant spike in spend that was not planned. As an example, we’ve had customers that have been hit with ransomware where their ransom might’ve been in the hundreds of thousands of dollars, and the insurance company covered most of that with the exception of some small percentage that they had to pay. But the actual recovery was in the millions of dollars, because they ended up having to build infrastructure in parallel too, so they could decrypt the data once they got the ransom key back.
They had lost time associated with recovery, that their people were not able to develop their products, and release their products, and manage their pipelines. So there’s more than just the spend towards security, but the impact of a breach has this massive spike that we don’t think about until after we’ve been breached and realize, holy cow, if I’d just spent another 20 or 30% more than what I was spending, I could have avoided this millions of dollars of unexpected expense.
Right. Right. Well, you mentioned something that’s an interesting point, we think about cyber security or this “cyber spend,” you think maybe of firewalls, or you kind of think about that side of the house. But what we’re seeing more and more, there is an infrastructure resilience – there’s a bleed over into infrastructure more and more, and those areas are needing more and more to be complementary, or we need to make sure that things are working well together. But the impact of ransomware, when something gets encrypted, do you have the appropriate backup and recovery strategy?
So what are your thoughts about how all of this cyber – the nefariousness of these cyber attackers – is really bleeding more and more into the general operations, if you will, of IT?
Well, our entire go-to-market as you know, since you’re our CMO, is about digital resilience. And I think it’s important to talk a minute about what digital resilience is. The reason I say that is I just talked about how the CSO is now board-visible and it’s become a primary role. The CSO is tied to cyber resilience, and the tagline we see all over Twitter and Facebook and LinkedIn is cyber resilience, not digital resilience. And the distinction there is cyber resilience is focused on those things that a security set of tools would address, the security controls.
You could even tie in potentially compliance level controls to that security, those things oftentimes map, not always in every company, but they should. And so, the cyber resilience is about the endpoint protection, the firewalling, the email protection, the DNS defenses to prevent people from going to known bad sites. Those are all things that are cyber related, but they can’t be confused with digital resilience. We define digital resilience as a combination of infrastructure resilience, as you were saying, plus cyber resilience. You need both.
Infrastructure resilience comes in a couple of forms. When we talk about the network, typically, when people think of security, they usually have the firewall management managed by the security team, not the operations team. So firewalls automatically go into the security category, so therefore cyber. But the rest of the network is still pretty critical. You’ve got your corporate assets and jewels across all of your network information, the data that will get encrypted if ransomware hits, the data that will get ransomed is across your servers, not your firewalls, and firewalls alone are not enough to protect you from getting people inside.
So the infrastructure resilience really comes into several layers. The first layer is, how do you stop at the core network level, the lateral movement of an attack? How do you reduce your attack surface? And so the first level is really segmentation. Some of the largest breaches in the world that we’re all familiar with, the big names, were directly related to a lack of segmentation, which allowed lateral movement to happen, which allowed the hackers to find the crown jewels and encrypt or steal the crown jewels. So that’s number one.
The second level is access to your network. So especially now after COVID, people have gone home and now that people are remote and distributed, and most companies are saying, we’re going to be some percentage, we’re not sure what yet, staying remote. Maybe it’s 50%, maybe it’s 70%, don’t know. But when you think about that, that’s very different than the maybe 25% of remote workers we had before COVID. So that massive increase now means that the secure access, secure edge has really pushed out to the home.
And the implication of that is traditional VPN doesn’t work. Traditional VPN is the opposite of zero trust. It’s full trust. The minute a device gets a VPN IP address on your network, unless you have solid segmentation and application segmentation, that IP address now has access to your network. They’re fully trusted and implicitly trusted versus explicitly trusted in a segmented or zero trust model. So that’s the second layer, is how do you protect your corporate assets if somebody’s home machine is compromised and they drop onto your network?
And then the final layer above and beyond all that is recovery, which you were hinting at. So you created this set of controls and tool sets to protect assets so people can’t get to them, so encryption doesn’t happen. There’s no control that is foolproof. There’s always going to be something that happens, and you need to be able to recover. We had a recent incident with one of our customers in which lateral movement spread rapidly to about 700 systems in a very short period of time. Because we were in there and we are managing their endpoint security for them, we were able to stop it before it did any encryption and caused any impact across all of those endpoints. But one of the servers in the roll back and recovery was corrupted, and so they had to restore one server from backup.
Now, that sounds like a huge win, that sounds like, oh my God, only one server out of 700 systems was impacted and had to be restored from backup. And thank goodness they had a solid backup strategy and they were able to do that. If they didn’t, that one server would have to be rebuilt and whatever data was on it may or may not be recovered. There may have been lost business, there may have been lost productivity. So that’s the things to think about when you think about a digital resilience budget, as opposed to just a cyber budget, or just an infrastructure budget. Your IT and security teams have now split, but there is definitely some correlation between those two teams and the spend to make sure that not only are you protecting the crown jewels, but you’re able to provide reliable services to your customers and your employees, and you’re able to recover if something should happen.
Sure. Right. Well, and it’s interesting. This ties into – I was doing some research just on spending this year, and a real interesting quote that I think we are seeing play out in a lot of the conversations we’re having, the analysts said cyber spending recently has really shifted from making sure you have the most current tools, the latest and greatest, but really the priority needs to be on understanding your business, understanding where your risks are, where your vulnerabilities are, and then being able to, with each of those risks, prioritize which of these are most likely or most vulnerable to attack. And which of these, if we are attacked, are going to cause the most business disruption.
And just like you’re saying, that goes beyond a firewall or a VPN. I mean, that really – you’re talking about access, but at the end of the day, we’re talking about the data. And where is that data stored? Is it in the cloud? Where are all of your endpoints? How is access granted? And these attackers have become so creative that they are very likely to be able to find where your gaps and where your holes are. So if you don’t have an awareness of that, and kind of an attack plan, or attack mitigation plan, you’re kind of starting at a deficit.
For folks that feel like, well, I’ve already spent, right? So we’re talking about the budgets, we’re saying spend 20% more or whatever, but if we’ve already spent, what do we do? We have these tools, for any organization, for a lot of these organizations again, trust how you will in the research, but an average organization might have 20 tools, they might have 40 security tools. So I’ve spent, how do I understand – first of all, I can’t throw that spend away. But how do I leverage what I’ve got? How do I understand how to improve? Because I can’t throw the whole thing out and bring net new in.
Yeah, I’m going to shift my hat for a second to the CTO of a managed security service provider and talk to it from that perspective. This is a very biased perspective on this, but with all due sincerity, I say that if I was in the shoes of our customers, I would select a managed security service provider to solve this problem. I’ve already spent. I’ve spent years and time and money to build out the set of, and I don’t mean me, I mean, as an individual, to build out what I think are the best security controls. I’ve spent time with Gartner, I’ve spent time with other analysts to figure out who’s in the respective magic quadrants, and what tools I should pick, and what my peers say and what the industry says.
And I put all these tools together, but there is no silver bullet tool that covers all these different categories. So, you’ve got some technology for inbound email protection, another technology for phishing detection, another one for security awareness, another one for endpoint security, another one for DNS defense, another one for network threat analysis, another one for business application analysis. So all these different technologies and tools that now you have to look at 32 different lenses to figure out what’s going on in my network, and you have to hire really, really smart and expensive people to either correlate that data into another database so that you can correlate it in information – and get information out of it or insights out of it, or you look at somebody who’s already built all that, and has turnkey solutions that takes it to market.
What I just described is what we do on a day in day out basis. We have over 40 technologies we use in our stacks for our managed security services. Those technologies are worthless on a standalone basis, they don’t add a lot of value on an individual basis. They help, every single control helps, but holistically, when you put them all together, if you don’t have a lens that sees across all of them, you’re really dealing with a bunch of silos, and dealing with silos means that information is getting missed. Some tool may identify a breach or an attack or indications of compromise, but it might miss it too, and another tool might see attributes of it.
And it might not be meaningful to either of those tools, but when you correlate that data together saying both these tools saw something that looked fishy, no pun intended, then I’m going to jump in and investigate a little further. And that’s what a – I’m not going to generically say managed security service provider does, what a good managed security service provider does. That level of integration should be there. Buyer beware, there’s plenty of managed security service providers that pick one tool because it’s easy, and they come at you and say, I’ve got XDR or I’ve got MDR or whatever. That’s not enough. You need to be able to correlate many technologies together.
And a more specific answer to your question is, one of the components that I think we uniquely and very differentiated offer as part of our SOC and MDR offerings is our security controls validation. How do I know if my tools are working? And we do that regardless of what technology stack a customer has picked, where we’re testing their security controls each month and giving them what tactics, techniques and procedures from the MITRE ATT&CK Matrix successfully would have implicated them or caused an attack to be successful, and then give them remediation actions for how to close those gaps.
So having a SIEM, great; SIEM alone, worthless; a SIEM without a SOC, completely worthless. So when you think about the stack, are we simply trying to meet regulatory requirements and mark off checkboxes saying, yes, we have an EDR, yes, we have a SIEM, yes, we have email antivirus, whatever the tools are that are required? Is that enough, or are we actually trying to protect our company from an attack? And if it’s the latter, then it’s really time for all of us to evaluate. I know I picked all these tools, I know I’ve implemented all these tools. Many of them I’ve inherited from my predecessor. Is it time to look at this differently and become a consumer of a fully integrated turnkey solution?
So listening to you say this, I put myself in the shoes of maybe somebody listening, and if I’m, say, a relatively large enterprise, let’s say I’ve got 1,000, 2,000 employees, we’re all over the world, I might be resonating a lot with what you’re saying, because maybe I’m thinking I’ve got my teams, I’ve got this, I’ve got that. If I’m a smaller company, I might be thinking, I don’t need this. Why do I need this much of a complicated solution? What would you say to an organization that is, I don’t know, 100 employees or 200? I mean, what would you say to those that are a little bit smaller that say that’s too much, that’s not what we need?
We recently had a customer that’s 10 employees get compromised. And their leadership team had recognized that they had very large – well, let me rephrase that, they have very large contracts with very large industries, and part of those contracts were that they had to have particular security controls in place, so they recognized they had to do something and they implemented our solutions. That was post-compromise. So that was, again, what we said upfront. The hackers are indiscriminate when it comes to shotgun blasting who they attack.
They’re throwing – there was an article I read that said 45% of attacks in ‘21 were generated from hacking kits. So not people who are hackers and are good hackers, people who went out on the dark web and bought a hacking kit, and think of it as ransomware as a service model, and implemented an attack. These guys aren’t necessarily all – it basically says half of them aren’t brilliant, they’re just wanting to try and earn an extra buck. And they don’t care if that comes from a 10 person company, or if it comes from a 3,000 person company. The reality is if you have customers and you’re delivering a service, and you can’t deliver those services, what does that mean to your business?
A smaller company is at a much higher risk of losing everything than a large company that may have some buffer. So I would say, the financial position of everything we’re talking about, our managed security services is that it’s way more appealing for a small company than it is for a large company. For a large company, it takes time to implement managed services because you’ve already made these investments, as you described. And you have to bear those investments out to make cost justification for what will you do, so when it’s time to renew your endpoint security, it’s a great time to look for a managed service provider for that service, for endpoint security.
When it’s time to renew your SIEM or your SOC, if you’re outsourced already, that’s a great time to reevaluate if you’re using the right SOC, or if you should look at a SOC as a service offering. So it’s different in terms of buying cycle for an enterprise versus a small company. Small companies usually are using traditional antivirus or consumer-based protection devices, and they’re using single office or home office type equipment for firewalling. They’re not super well-protected, so they are more the target of an adversary than a large company who has some enterprise class systems like Palo Alto firewalls, or they’ve got CrowdStrike, for example, as a protection tool.
But even so, for the enterprise, we get back to the 32 console problem, for the small business, we get back to how do you cost effectively get 32 products, and managed in a simple model so that you can consume those services. And for the small company, it’s a no-brainer decision from my perspective to go with an MSSP. For the large company, it’s really looking at the TCO, understanding you made this investment, when is it time to make that shift? And it always is usually around whenever it’s time to renew or refresh technologies.
Well, and what’s the opportunity cost for them of how their people are deployed, what they’re focused on, and does that bring the most value to the business, or can those teams be adding more value doing other things? The interesting thing about the small business too, is there might be a mindset that we’ve got this data, and if they get in, whatever. But it’s not necessarily just about your data, it’s about if someone gets in and understands your invoicing or who your AP or AR person is, and then is able to attack your customers through breaching your systems, then all of a sudden, maybe you don’t feel the risk to you is that large. But if they’re going out, and if some of your customers are larger customers, that attack can have severe consequences on that customer.
So it goes back also to that supply chain that you can’t just think about it in terms of you and your business, but all of the other people that are upstream and downstream of your business.
And how many stories have we heard that somebody got phished and paid a large sum of money to what they thought was one of their contractor companies, when in fact it was a man in the middle? Somebody saw invoicing dialogue, they jumped in the middle of it, and they looked very much like they were coming from the contractor company, and – not a ransom, but a payment – was made to that company, and sometimes large payments, which are very hard to recover because they do a good job of covering their tracks.
So that comes into the areas of phishing and phishing protection. And it’s more impersonation, which not all phishing solutions do. It also is covered in the areas of security awareness training, so you can help identify what things people are looking at, and how to identify something that looks a little fishy. This time the pun was intended. But that story unfortunately is way too common. I hear it all the time, and it’s – unfortunate is the best word to use for it, because usually it’s not until after you’ve pulled the trigger and wired the money, that you find out, oh, that was a mistake. So as the company who is being spoofed, that’s a terrible experience because now your customers don’t want to work with you anymore because you’re not secure.
As the company that was the target of the spoof, they’re beyond pissed off because they just paid some amount of money that they will never recover for the hard work they’ve been doing as a company. So on both sides of that equation, a good, solid cyber resilience and infrastructure resilience plan would have helped. And in the small business case, that’s a very difficult thing to build on your own. And most MSPs, because most of the small businesses growing the MSPs, most MSPs aren’t capable of giving that level of service. They’re really good at doing help desk, they’re really good at doing server and PC management, and patching, email management, but when it comes to security, that’s not necessarily their forte.
Well, I guess the takeaways from today then are, when you think about your budget, when you think about spending, maybe not having a tool-centric perspective, but a need and vulnerability and impact perspective, that these attackers, whether they’re nation state, or they’ve just bought a kit, are equal opportunity. So they don’t care how big you are, they don’t care how small you are, they’re out there looking for someone to bite. And so, although you may, depending on where you feel you are, everyone’s in that same boat.
And the other takeaway would be that having a clear understanding of what your vulnerabilities are, and maybe the things that you need to prioritize, is critical. So in thinking about that, you talked a little bit about our security, how – well, you talked about a security controls validation, but we always like to close with an action you can take. And I think for sure, something folks can take away from this is our offer for our viewers to take advantage of our security health check. And I’ll let you go into that, but that kind of gives you a roadmap, and also there is a cost analysis that comes out of that, that can say, hey, this is how you might think about doing this if you thought about a managed service. So maybe just in a few minutes in closing, you can share what folks might expect from a security health check.
Yeah, to start with, what you said is spot on. We need to shift to thinking in a risk-based approach as opposed to a tool-based approach. So what are the risks of the company, and which risks are we willing to accept versus which risks we’re not willing to accept, and then what is the action plan to resolve those risks we’re not willing to accept, or to treat them in other words. Our security health check is really designed to do three things. It effectively is based on identifying vulnerabilities in your environment, and it does that in a combination of ways.
It does vulnerability scanning, it does internal penetration testing using the security controls validation concept I talked about, and it does external penetration testing of your public-facing assets. And the outcome of that is really to show you, here are the gaps. And it’s complimentary, and in the complimentary form, we give you the top 10 of the things that we see, so that you have at least an idea of what are the top 10 things in my environment.
Now, what’s handy and valuable about what I just shared with you is that that is no cost as part of our service. We do that monthly for all of our customers, and we share that data with them so that they have visibility into what their risks are, and can build those risk matrices and risk plans, and treatment of those risks into their business processes. That takes the focus away from being tool-centric and worried about, is this tool protecting me or not, and rather focusing on, okay, the biggest risk to our business is X, Y, or Z, and here’s the treatment we’re going to implement to address it.
Great. And from that also, I mentioned, because we did talk about costs and maybe what would a small business be thinking about versus a larger business. And certainly as part of an outcome, I guess, of that security controls or security health check that we do, there is – usually if a customer is interested, a follow on conversation that can say, “Hey, given what we’ve seen, given what you shared with us, this is how we could build this out for you, depending on what it is that they’re interested in, and the help.”
So as always, we offer our services to you, and we take pride in helping organizations strengthen their security posture. We take pride in helping organizations successfully weather whatever attacks there are out there, be they cyber, or be they a natural disaster, we really are in business to help other companies stay in business and thrive.