As we all know, technology sometimes has a few glitches and we are not immune, but we’re happy to be here with you. And we promoted this segment as one where we’re going to be talking about the network. I think you’d have your head in the sand if you didn’t realize the significant changes we’ve all gone through over the last two to three years in work style and workplace.
And certainly the traditional networks that we have are not set up, designed, or built for such dynamic and diverse deployment and access options. And clearly there’s the access and effectiveness part of it, but there’s the security part of it as well. And we really, based on what we’re seeing from our clients, based on the issues and breaches that we’re needing to come in to help remediate, we really thought it was timely to focus in on the network.
And to talk about what we’re seeing and what we recommend folks think about as they look at their next-gen network, if you will, and how to secure it and how to make sure you are not creating opportunities for bad guys, and you’re defending your assets as much as you can. So Shahin, I’m going to turn it over to you and let’s talk about the changes that have gone on and why they’re so significant.
Sounds good. I’ll start out by saying we’ve really not significantly changed how we look at the network over the last 20 years. The network is the network and we keep doing the same things and we’ve tried to make enhancements and advancements in technology, but underlying we’re still fundamentally doing the same things, and the mindset is typically it’s the wire.
But it’s more than the wire. It is our lifeline now. Our applications have moved to the cloud. We use SaaS-based solutions. Our users now, since COVID, are working remote and we’re more and more starting to – the brick and mortar facilities don’t make sense anymore in tomorrow’s world. So the transition from what we used to do to where we go is happening more quickly than we have prognosticated in the past. Effectively, 20 years ago I said that 10 years from now everybody was going to be in the cloud. I was so wrong.
I was close. Everybody had a foot in the cloud or toe maybe, but not completely in the cloud. And now we’re starting to see much more full scale migration into the cloud. And what hasn’t changed is how we think about the network. We replicate that brick and mortar network in the cloud so that we can put our applications that were brick and mortar into the cloud, rather than thinking about a new way of doing things.
And so those were some of the fundamental things. And a good friend of mine, years ago, switched from a systems engineer to a networking engineer. And he said, everybody relies on the wire. It’s 100% accurate. It’s 100% true, but it’s not just a wire anymore. We have to have intelligence in that wire. We have to have security in that wire.
We have to go beyond the application level security and under the surface, be able to manage and monitor and inspect what’s happening in our infrastructure so that we can stop things like lateral movement and bad actors showing up in our network. And all those factors lead to where we are today, which is this conversation: is the network just the network anymore?
And the data point that I have is a couple of years old, but we hear about phishing and all those different things that happen more on the endpoint, end user side. But if you take a look at the data, and again, this is a little bit old, but enterprise networks are being compromised every 39 seconds. And that’s old.
So this is a target. Hackers are very opportunistic. And so our role and our life mission, if you will, is to help reduce that target profile for organizations. And so let’s talk about where the opportunities are in the network for folks to think different about how they both manage it and secure it.
A good perspective to look at. We recently did a remediation for a client who had old network infrastructure and VPN architecture that was being removed from the network, but had not yet been. And it turned out that that was the point of entry into their network. It had vulnerabilities that hadn’t been patched because they planned to discontinue it, shut it off, but there were still one or two users still on the old VPN server.
So they still hadn’t configured it and moved it off. And to save the innocent or not so innocent, I’m going to leave out the manufacturers of the technologies that went to and from, but fundamentally, this is access, as you mentioned, is one of the key factors here. We have lived in a world of VLAN segmentation and it’s not. It just doesn’t do enough.
And then by the time you create your VLANs, you add a new application, and you realize in order for that application to work, you have to open up all the protocols, all the ports, and you’ll go back and clean it up later. And you keep adding applications and that keeps happening. First of all, it took you five years to build the segmentation. And after about a year, it’s gone back to the way it was.
And so the issue is some of the largest breaches in the world, the Target breach was something like 30 million credit card numbers. The reason it spread so fast and got through their network so fast and they got so much data was because their network wasn’t truly segmented. So the hacker was able to move laterally throughout their network, came in through one of their suppliers. The HVAC provider had access to manage the HVAC systems.
And because of that, they had access to the Target network. Hacker came in through that access and spread through the Target network. You can have the best firewalls in the world. You can have the best policies and procedures in the world, but if you’re not creating segments so that you reduce the target for the hacker, to be able to move laterally through, to reduce how far they can get once they land on a single system, you are exposed from so many different points of entry into your network.
You’re exposed from a user who VPNs in because our traditional VPNs give them implicit access. The minute that IP is on the network, we implicitly trust them. They can be coming on a wifi network somewhere inside your infrastructure. Again, wifi sometimes is segmented. Sometimes it is not. They could be coming in through a port they plugged into in a conference room.
Again, sometimes segmented, sometimes not. So there’s so many points of entry into your network that are considered insider, but can easily be taken advantage of by outsiders. And once they land, they get a foothold, they spend six months doing research, reconnaissance, figuring out where your crown jewels are. And then the day they attack is the day you notice them. And that’s the mission we’re out to solve is how do we take that six months down to six minutes.
Right. Well, and I think when we talk about – you mentioned you’re exposed in so many different places. And I think from a customer standpoint. I’m looking out there at the market and there are literally thousands of different security tools I can choose from. So I’m out there thinking, okay, I’ve selected my firewall. I’ve selected these key things that everybody tells me I need. I’m good.
But I think there’s so much more to it than that. And it’s very hard for someone who’s not in the security business, or who’s not in the networking business. I’m a law firm. I am an accounting firm. I am a manufacturer. How do I know what good is good enough? And it’s really tricky to figure that out. And you’ve got a lot of different information pieces in your ears telling you different things.
And so maybe you can talk about the conversations we have with clients and really how we help walk them through how to get to good.
Sure. There’s a couple layers. So we have this – there’s five layers to be specific in our recommended approach to security. We have this concept of digital resilience, and digital resilience for us is a combination of network security and cyber resilience. And I say cyber resilience, not cyber security, because resilience is about being able to continue to operate in the middle of an attack.
Security is about control. So having network resilience is a factor, of course, but most of us have figured out how to do that over the years. We put in two circuits from two different providers into two points of entry into our building, make sure we have redundant network stack. So we’ve got the resiliency in the network built, but the security and the network’s not quite there because the firewall and a VLAN is not network security.
It’s edge security. And it’s macro segmentation. It is not micro segmentation, which is what we need to get to. What are those five layers of security? The number one largest vector for attacks inside any organization is email. So email security is that first tier. Now everybody who’s listening right now is saying, oh, that’s good. I got Proofpoint. I got Mimecast. I got, you name whatever gateway solution – I’m using Microsoft ATP. None of them are good enough.
Those are really just doing scanning. It’s traditionally antivirus, compared to EDR. The gateway solutions are traditionally antivirus. You need to do more. You need to crawl through the inboxes and find the threats and have threat feeds that map to you. What are the minor tactics that somebody uses to do a phishing attack, to do whatever? Those are the factors that are missing in traditional gateway solutions.
Some of the gateway providers are trying to close that gap, but none of them alone are enough. So number one layer of security is you have to get your head around how to not use your users as your first layer of attack. And how to prevent phishing from getting to them. Gateway solutions don’t do that. You still get phishing attempts constantly.
Number two, once that phishing attempt does hit your user, because no control is 100% effective, once it does get to your user, they’re going to click on a link. That link is going to take them to a bad site. That bad site will download malware or it’ll have some sort of backend process that’s going to attempt to get a foothold in your network on that user’s endpoint. Easy answer, DNS defense.
That second layer of defense is block them from getting to known bad sites. Of course there’s sites that we don’t know about yet. It just popped up 10 minutes ago and we’re not going to block against those, but the ones we do know about let’s let the old phishing attempts not work. Once the Trojan lands, it’s going to probably connect to a known bad command and control site.
Let’s block that. Let’s not let it talk to its command and control. If the malware – 80% of malware needs a command and control connection to function. So they need DNS to work. So if you block that, you’ve taken down 93% of the inbound attacks from email, 80% of the malware attacks from DNS. And now you’re left with 20% of attacks that your EDR tool has to handle.
Notice. I said, EDR, not next-gen AV, not AV. Traditional antivirus, I’m not going to name them off here, but you all know who you are. They don’t work. They are definition and file based. Attacks are not file based attacks anymore. Nobody’s downloading a bad file onto your machine that will get blocked. It will behave in a bad way. And so your tool has to be able to determine the behaviors and stop it in its tracks. So the third layer of defense is a solid EDR solution.
The fourth layer of defense, almost everybody fails on. And that’s what we started this conversation about. It’s the network. It’s network security. It’s being able to segment your network down to not just a single node, but a single process on a single node. Micro segmentation at the process level, so that you can say the only systems that are allowed to get to Tomcat on this one server are these other two servers that are the frontend web application. Period, nothing else.
And that way, if something lands on those two frontend web applications, they can’t do anything but get to the Tomcat process. And if you have a Tomcat patch, they can’t do anything there. So segmentation, micro-micro segmentation, not hypervisor, not network, not any kind of policy based segmentation that applies to only a subset of your environment, but down to the individual process on a single system segmentation.
And the second part of that network component is access to the network. Traditional VPN is broken. We’ve been using the same stuff for 30 years. We have a gateway box that sits in our network. Users have an agent, they connect to that gateway box and they have an IP address on the network and they’re able to crawl around and do whatever they want.
If that user’s machine is compromised, the hacker now has a trusted IP on your network and can do whatever they want. So the next layer is true ZTNA and buyer beware, every VPN provider out there has rebranded their VPN as ZTNA, and all they did was move the concentrator into AWS and say, we’re a ZTNA provider.
It’s still a concentrator. It still only drops you into the network. It still gives you a trusted IP address. It hasn’t changed anything other than the location of the concentrator. So you need to be able to have device trust and user trust verification, so that that device has NAC-like functionality. It is being prevented from connecting, not just at the session setup, but throughout the session if something changes: they stop encryption, they stop the EDR process, they stop something that you’ve determined to be your proper trusted level for endpoints, they get disconnected immediately.
If their user authentication gets disabled, disconnected immediately. You need a solution that’s constantly checking to make sure this user’s valid. And if they’re not valid, stop them. This machine is valid. If they’re not valid, stop them. And so traditional VPN does not at all do that. So that’s the second part of the network layer.
And the final piece of the five layer pie we’re talking about here is you have to have somebody who’s watching all these consoles and correlating all the information from them and finding threats. That is a 24/7 security operation, SIEM. Eyes on glass looking. And obviously the right tools, it’s a given. We all have decided that we have to have a SIEM at this point. But most of us don’t look at the SIEM.
You have to have a team that’s looking at the SIEM. You have to have a team that’s fine tuning the SIEM. You have to have a team that’s making sure we’re getting the telemetry we need from all of the different layers I just described. And by the way, I just described probably 20 or 30 tools to you in a five layer approach.
So having one individual looking at 20 consoles, doesn’t cut it. 24/7 correlation, correlation rules to determine these are the things that pop up and should pop up, or these are the things that should be quieted, that fine tuning we’re talking about. So without that five layer approach, you don’t have digital resilience. You can’t survive and thrive in an attack.
And there’s too many times where we have to do remediation for customers. And they effectively become a customer afterwards, which we’re grateful for. But I keep saying in the sales cycles, I built this business because I felt like an ambulance chaser. We were going in and helping customers. And while we were doing all the right things by those customers, we were coming in after they were hurt and then giving them a bill.
And it just felt dirty. So we decided to get ahead of the game and help give time back to the good guys and take it away from the bad guys.
Right, for sure. Well, that is such a thorough description. It’s so helpful to see where the network plays in terms of that, of the five layers. And as you describe it, we see the world of threats out there and the goal is to funnel them down as much as possible. So at every layer, eliminate a big chunk of them, eliminate a big chunk of them. So that that next layer doesn’t have to work as hard and doesn’t have to work with that large universe of attacks or threats coming in. And it makes sense.
I’m curious, when we talk about the network and you mentioned that this is the area that’s most neglected, if you will, is it because people are thinking more about those first couple layers as security priorities? They’re not really thinking about the network. They’re used to thinking about the network in terms of resiliency, not security. Is that why? Or is it just that it’s really complicated and it’s hard to figure out. If it’s so important, why are we not better at making sure that it’s taken care of?
It’s a combination of three factors. The number one is we do typically think of the network in terms of resiliency. And the security at the network is always thought of at the edge of the network, the firewalls. So we spend a lot of money on firewalls. And those firewall manufacturers, again, I’m not naming, you all can insert any name you want here, they’re all the same. They do a really good job of saying they’ve got your network protected. Their marketing is brilliant. They’ve got your edge protected. They don’t have your network protected.
And many of them will, I’m going to use the word “claim” to have segmentation, that they can go to a micro segmentation level in your network, but to actually implement those solutions, it’s very difficult. It is a five-year project. And when people – there’s a saying that segmentation is where CIOs and CISOs go to die. That’s because of those large scale segmentation projects. They’re very complex, lots of parts, lots of time understanding your network, and no good tools to understand your network. So that’s the first level.
The second level is we think of security generally as controls. Not holistically as it all has to play together, it’s not just a bunch of controls. Yes, the controls will block email. Yes, the controls will block DNS. Yes, the controls will block attacks on the endpoint. Yes, the controls will block the edge with the firewall.
But if those things aren’t in concert and you can’t say, I saw this attack coming in through email, then I saw DNS block it, then something landed on this EDR on this machine, and it tried to go out the firewall and the firewall blocked it. Unless you can correlate all that information quickly and easily, you are giving the bad guys a ton of time. So that’s number two.
Number three is it is really very complex because of the confusion that the networking manufacturers put into the market. It’s hard when you go look at, for example, do I pick company A or company B or company C, they all sound amazing. And each network manufacturer has leapfrogged the other over the years. And like, what’s the one I pick? And you can’t go wrong with 3 of the 10 manufacturers out there. Pick any of them and you’re probably fine.
But they are just like I’ve always said about all security tools or any tool, they’re a Swiss Army knife. They do one thing super, super well, they have a good knife. That’s why it’s called a Swiss Army knife. It’s not called a Swiss Army corkscrew. And their corkscrew’s terrible. Their tweezers are terrible. The toothpick is, okay, you might be able to do something with the toothpick.
But the reality is you’re not – that tool is multifunction, which means it only does one of those functions well and the other stuff is convenient. So do you want to pick a partner based on convenience or do you want to pick a partner based on inconvenient configuration of all the best tools that makes it convenient for you? And that’s what we bring to the market.
And it’s hard to do that. It’s not rocket science. Anybody given the time, money, wherewithal, and resources could do what we did, but they don’t. Because it’s easier to pick one manufacturer. And that’s where networking security fails is that one manufacturer isn’t good throughout the ecosystem.
Got it. Well, and you reference what DataEndure does and what our services bring to the table, which you mentioned as you went through the stack, on average, a company has 20 to 50 security tools. Whether you are large or small, it doesn’t matter because you still need the same functions and you still need the same layers. So I could be a 100-person shop. I could be a 1000-person shop, but I have the same needs.
And so those complexities are there, no matter who you are, and the bad guys are there, no matter who you are. I’ve said this so many times that I do not envy being a business leader in today’s times because the distraction and investment that you’ve got to make in security that draws away from your business but is necessary to keep that business going, it’s really a tough road to walk.
I think the reason that we put this data out there certainly is to inform you so you can make the decision, do I want to build and implement? Do I want to consume? But to put the information out there, so you have it and you can make informed decisions, but for more and more people, the decision is, I don’t think I want to stay in this game anymore.
This is a hamster wheel. It’s a time suck. It’s a money suck. And I still am not confident I’m doing the right thing. And so managed services are becoming more and more attractive. Managed security for those folks who need to get to good, they need to get to great. They need to get there fast. They want that time advantage. And they just don’t want to have to do it on their own.
When I first became a CISO 25 years ago, I had to worry about a firewall, antivirus, anti-spam, and VLAN. That was it. Those five technologies solved my security problems and those were the controls I needed to do. Today to do what we do at DataEndure to bring those five layers to life for our customers, there’s about 60 tools that get incorporated into the services we bring to market.
And those 60 tools have to have subject matter expertise. They have to have deep knowledge of how they work, how they function, how they interact together. And deep knowledge of how to correlate the information from all of those different backend tools in a meaningful way to be able to find threats and weed them out in six minutes, not six months.
Right. Well, if I am listening or viewing this right now, I might be overwhelmed, but we started this out talking about the network and how we’ve got to think different about the network. Resiliency. Yes, check. Important. But security is as important. And if I’m someone who’s curious about my business, about the investments that I’ve made and what might be the best foot forward, what next step, if they were to call you and say, okay, hey Shahin, here I am. What would you advise them to do next?
One of the things we’ve been saying in all of these sessions is we have a complimentary security health check. Our security health check keeps evolving and getting better. Today our security health check does an email security scan if you’re on Office 365. It does penetration testing inside your network, penetration testing externally, and vulnerability scan inside and outside your network. And it gives you a quick view of what the state of security is in your world.
So it’s become much more rich over time and it will continue to get richer and richer because we are a Kaizen culture. We’re continuously improving the tools and technologies and services that we bring to market. So I always would say start with that, but something we’ve been doing recently is when I talk about the tools, many people have made investments in technologies and solutions that they want to see their TCO complete before they make a change.
So the approach we’ve taken is putting a roadmap together with a customer, which is the change roadmap. So let’s do change planning with you. Let’s identify, here, you’ve got an EDR solution today and it will meet your needs for the next N years, whatever that is, whatever you have left in your contract life. Let’s figure out what services we can complement that with and then plan for when that transition time comes. And we can show you a roadmap that says, by the time you finish the transition, you’re going to be at a security maturity level of four or five, and have these capabilities that we’ve put in place.
So if you take those five layers of security as bread and butter components, just having the tools gets you probably at a maturity level of three. Next level is do you have segmentation? So the first three tools, email, DNS, and endpoint security plus firewall, that’s maturity level three. You’ve got the core functions and technologies. Maturity level four is do you have real segmentation in play? Do you understand every application on your network? Have you done an application dependency mapping? That takes you to maturity level four with segmentation.
Maturity level five is have you correlated all the information from all these different tools and applied a security mindset to it, to find threats and anomalies. And that takes you to that security maturity level of five. We can give you on an individual silo a maturity level five. But the more pieces you put together, one plus one equals three for every addition. So the more we do, the more telemetry we have, the faster we can find the bad guys.
So that’s a compelling offer. First of all, if you go the security health check route, you can see what’s my current security state. So I can understand, do I have any hot buttons? Do I have anything that I got to take care of right away? And then depending on where I’m at, if there’s a way that I really want to move fast, I can go path A. If there’s a way that I need, to your point, to work over time and transition things, that there’s that roadmap that can help me get there.
So I would just like to put it out there as we do every conversation. If this is something that’s interesting to you, if you, like many folks we talk to, have that worry bead in the back of your head that maybe you don’t know what you don’t know or that you’d like to turn your confidence meter up a little bit, we would be happy to talk to you. We would be happy to help you.
We really want to make sure that more and more organizations out there are in a position to thrive and are in a position to repel the attacks that are coming against them. And so we welcome these conversations. You can go to DataEndure.com. You can go to contact us and let us know.
With that Shahin, thank you as always for joining us. I love these conversations. We thank all of you listeners for joining us and we will see you again next month.