We often say internally and to our customers that security is everybody’s job. It’s not just the job of IT. It’s not just the job of the security team. But we also take a position that seems to conflict with that: don’t make your users your first line of defense. It sounds contradictory.
But in reality, there are first lines of defense before the user. If you make them the third or fourth line of defense, then you’re in better shape at being able to catch those things that tools don’t.
The fact is, tools keep getting better, hackers keep getting better, and it’s a leapfrog game, each side constantly trying to outdo or catch up with the other, and there are going to be things that get through.
You’re one of two kinds of companies. You’ve either been hacked or you’re going to be hacked, and we keep saying that. In the industry, we keep repeating those same things. It’s not a matter of if, it’s a matter of when.
And the fact is you need to, number one, be prepared. But number two, make sure your staff and employees and individuals are trained and aware of what to do and how to spot bad stuff.
93% of attacks come through email, and let’s just say that it takes one click to create a ransomware situation. So all it takes out of that 93% of attacks is one to work. And the idea is you want to continuously train, not just test. And testing is making an assumption that the training has already happened.
So I think those [testing] tools have the capability to do security awareness training. But in 90% of the cases, when I speak to customers, they’re just using the testing, and the testing is followed up by a punishment, a punitive “you have to go to class now because you failed the test.”
So, in our opinion, a better approach to making your end users aware is to give recurring training. Make sure that every month they’re getting something new; make them understand security a little bit better. This is not a black art, but it feels like it from the outside. What we do is a lot of common sense. We look for the needle in the haystack. That’s the job we do day in and day out as security experts. Because of that, we have to be very myopic about the things we look at and the things we see.
Users aren’t expected to be like that, so we can’t expect users to have the same mindset that we do. We have to make them aware. Do security awareness training about the types of attacks, how the bad actors behave, and what the guys who wear masks like this actually do, so that users can protect themselves and, by extension, protect the company.
We’ve got this five layered approach to security that we think encompasses the holistic view: increasing your security posture and making sure you have the proper layers to protect your environment and your users from attacks. Not from internal attacks, not from others, just the basics: we are going to make sure that the environment is safe from an outsider coming in and doing stuff.
But the five layers are simply this. Number one, first layer of defense is email, because 93% of all attacks come in through email. Problem is, gateway solutions alone are not enough. If they were enough, we wouldn’t have seen a 600% increase in ransomware attacks starting at the beginning of COVID.
Those tools do a decent job of triaging things and finding malware that is an attachment or a file or whatever, and doing antivirus scans against the file based attack. They do not do a phenomenal job of looking for links that are going to a bad site, looking for things like that. Some do better than others, but none of them are phenomenal.
So what do you do? Our approach is we do the equivalent of NTA, which is network threat analysis. We call it ITA, which is inbox threat analysis. We crawl every inbox and we look for bad stuff. We look for things that are malicious in nature or anomalous, and we identify those anomalies and we block them. We prevent them from getting to the user to begin with.
So let’s say we take that 93% down to 20, 30, 40… We’ve taken a significant chunk out of the risk posture. The traditional email gateway solutions knock that number down to probably 50, at best. And so having a little bit more, whether it’s 10-20% more, is a significant impact that will get you some additional layer of comfort. But there’s obviously stuff that’s going to get through. So what’s the next layer of defense?
Layer two for us is DNS. Eighty percent of the malware out there, or bad products, whether file based or fileless, needs to talk to its command and control. It needs DNS to function.
So if you have DNS defense, DNS protection, then you’re protecting against another 83% of the attacks that end up getting through the email. So we’ve knocked it down to about 20-30% that get through. And then of those 20 or 30, we’re going to knock it down significantly because we’re preventing 80% of those from getting to DNS.
And not just any DNS solution is good enough, because a lot of hackers now go direct to IP, bypassing DNS. So you also have to have a solid IP database that says this is a known bad IP address that’s tied to this bad URL. So it’s not just URL defense, but actually known bad IPs.
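The point that a name-only blocklist misses direct-to-IP beaconing is easy to show in code. The following is an added example, not the vendor’s product code: it evaluates a constructed stream of outbound events (DNS lookups and raw connections) under two policies, one that only checks queried names and one that also checks destination IPs against a known-bad IP list. The blocklist entries and event records are constructed for illustration and use documentation-range addresses.

```python
"""
Compare a DNS-name-only blocking policy with a policy that also
checks destination IPs. Both the blocklists and the event stream
below are constructed sample data, not real threat intelligence.
"""
import ipaddress

# Constructed blocklist: bad domain names plus the IP space that is
# "tied to" those names, so a client skipping DNS is still caught.
BAD_DOMAINS = {"c2.bad-example.invalid", "payload.bad-example.invalid"}
BAD_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed outbound events: either a DNS query ("qname")
# or a direct connection attempt ("dst_ip").
EVENTS = [
    {"id": 1, "host": "laptop-17", "qname": "c2.bad-example.invalid"},
    {"id": 2, "host": "laptop-17", "dst_ip": "203.0.113.42"},  # direct to IP, no lookup
    {"id": 3, "host": "laptop-23", "qname": "updates.example.com"},
    {"id": 4, "host": "laptop-23", "dst_ip": "192.0.2.10"},
    {"id": 5, "host": "laptop-09", "dst_ip": "198.51.100.7"},  # direct to IP, no lookup
]


def domain_is_bad(qname):
    """True if the queried name is a blocked name or a subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in BAD_DOMAINS)


def ip_is_bad(dst_ip):
    """True if the destination address falls inside any blocked network."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in BAD_NETWORKS)


def dns_only_policy(event):
    """Name-based filtering alone: only DNS lookups can be blocked."""
    if "qname" in event and domain_is_bad(event["qname"]):
        return ("block", "dns-blocklist")
    return ("allow", "")


def dns_plus_ip_policy(event):
    """Name filtering plus a known-bad IP check on direct connections."""
    verdict = dns_only_policy(event)
    if verdict[0] == "block":
        return verdict
    if "dst_ip" in event and ip_is_bad(event["dst_ip"]):
        return ("block", "ip-blocklist")
    return ("allow", "")


def blocked_ids(policy, events=EVENTS):
    """IDs of the events a policy would have stopped."""
    return sorted(e["id"] for e in events if policy(e)[0] == "block")


if __name__ == "__main__":
    print("DNS-only policy blocks:   ", blocked_ids(dns_only_policy))
    print("DNS-plus-IP policy blocks:", blocked_ids(dns_plus_ip_policy))
```

Running it shows the name-only policy stopping one event while the combined policy also catches the two direct-to-IP connections; in a real deployment the IP check has to run where the connection is made (the endpoint agent or resolver on the device), since, as the talk notes later, the device is no longer behind a firewall.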
So those two layers come together in terms of the first two layers. Those, by the way, the so called “XDRs” in the world are missing those two layers 100%. They do endpoint and they do some logs. Which brings me to our next layer, which is endpoint.
You have to have a solid endpoint solution. And are all endpoint solutions created equal? No, absolutely not. And if you pick one this year, is it going to be good three years from now? No, absolutely not. We have constantly changed our endpoint solution, and we do it on behalf of our customers because we’re not a typical MSP or MSSP. We don’t resell the technology and then manage it. So when we replace it, we replace it across all of our customers, and they get the benefit of our research and development in changing those things out.
That endpoint solution is so critical. We do shootouts more often on the endpoint than we do on any of the other solutions. We do regular shootouts on every single product in our categories. But endpoint probably gets more attention than anything else.
There’s a huge reluctance to change from something people are comfortable with. And I see a lot of customers that are using well known, I’m not going to name any of the brands, but well-known products that are traditionally antivirus solutions that have added behavioral based modeling to their stack.
And when we go do an incident response for a new prospect, those are often the solutions that are in their environment, the things they are using to protect it. They’re like the puppy dog, or the big dog you have that is a lover: every time the bad guy comes in your house, it wants to go play and lick their hands.
That’s what those antivirus solutions are like. They don’t do a darn thing, they don’t protect you at all, but they look good. And then you have checkboxes that say “I’ve got endpoint security.” So that is probably one of the most critical things. You have to stop the attack on the first endpoint it lands on and not let it encrypt, not let it cause damage, not let it delete.
The next layer of defense is missing in 99.9% of customers I speak to, and it’s hard. It’s probably one of the most difficult things, it’s network. And by the network I mean micro segmentation and network threat detection. So a lot of people will say, “I’ve got whatever that does NTA-like functionality.” That’s great. But those solutions are not creating segmentation, they’re identifying the problem.
So you have to have a combination of segmentation and the threat analysis and honey potting and deception technology. All of those things have to play together. So our NDR offering is designed to reduce the attack surface by saying this application group is ten servers, and if it gets attacked, it’s only ten servers that are going to be attacked. It’s not going outside of that.
And the first reaction most people have when I say segmentation is, “Oh my God, that’s really hard. I did one.” The joke we’ve made before is that segmentation, or micro segmentation, is where CISOs go to die. I have no intention of dying on this hill.
The technology we’ve deployed, what we do with segmentation, gets you up and running with at least one application, but up to ten, within 90 days. Literally having segmented network, understanding your environment, understanding the traffic, the flows, and then having honey potting functionality. So even if you don’t create the segment, if we see malicious activity, we redirect it to a honeypot.
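The “this application group is ten servers, and if it gets attacked, it’s only ten servers” idea can be checked against flow data. Below is an added example, not the vendor’s NDR product: it defines application groups as segments, allows cross-segment traffic only where an explicit rule exists, classifies constructed flow records, and computes how many hosts a compromised machine can reach under the policy versus on a flat network. Group names, addresses, ports, and the flow records are all constructed for illustration.

```python
"""
Segmentation policy check over constructed flow records.
Segments are application groups; any cross-group flow not covered by
an explicit rule is a violation (the kind of traffic the talk says
gets redirected to a honeypot). All data below is constructed.
"""

# Constructed application groups (segments), one set of hosts each.
APP_GROUPS = {
    "erp-app": {"10.0.1.10", "10.0.1.11", "10.0.1.12"},
    "erp-db": {"10.0.2.10", "10.0.2.11"},
    "hr-app": {"10.0.3.10", "10.0.3.11"},
}

# Explicit cross-segment allowances: (source group, destination group, dst port).
ALLOWED_CROSS = {("erp-app", "erp-db", 5432)}

# Constructed flow records: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.0.1.10", "10.0.1.11", 8080),  # intra-segment traffic
    ("10.0.1.10", "10.0.2.10", 5432),  # permitted app -> db
    ("10.0.1.11", "10.0.3.10", 445),   # ERP host reaching into HR segment
    ("10.0.1.11", "10.0.2.10", 22),    # app -> db on a port the policy never allowed
    ("10.0.9.9", "10.0.1.10", 443),    # source not in any known group
]


def group_of(ip):
    """Name of the segment containing ip, or None if it is unassigned."""
    for name, members in APP_GROUPS.items():
        if ip in members:
            return name
    return None


def classify_flow(flow):
    """intra | allowed-cross | violation | unknown."""
    src, dst, port = flow
    sg, dg = group_of(src), group_of(dst)
    if sg is None or dg is None:
        return "unknown"          # unassigned hosts need their own handling
    if sg == dg:
        return "intra"
    if (sg, dg, port) in ALLOWED_CROSS:
        return "allowed-cross"
    return "violation"


def violations(flows=FLOWS):
    """Flows that cross a segment boundary without a matching rule."""
    return [f for f in flows if classify_flow(f) == "violation"]


def reachable_from(ip):
    """Hosts a compromised ip can reach under the policy: the rest of its
    own segment plus every destination segment explicitly allowed from it."""
    sg = group_of(ip)
    if sg is None:
        return set()
    reach = set(APP_GROUPS[sg]) - {ip}
    for s, d, _ in ALLOWED_CROSS:
        if s == sg:
            reach |= APP_GROUPS[d]
    return reach


def blast_radius(ip):
    """Number of hosts reachable from ip with segmentation in place."""
    return len(reachable_from(ip))


def flat_blast_radius(ip):
    """Number of hosts reachable from ip on an unsegmented network."""
    all_hosts = set().union(*APP_GROUPS.values())
    return len(all_hosts - {ip})


if __name__ == "__main__":
    for f in FLOWS:
        print(f, "->", classify_flow(f))
    print("segmented reach from 10.0.1.10:", blast_radius("10.0.1.10"))
    print("flat reach from 10.0.1.10:     ", flat_blast_radius("10.0.1.10"))
```

The violation list is what the detection side of an NDR would alert on; the blast-radius numbers are the attack-surface reduction the segmentation itself buys, and the `unknown` class is the practical catch: hosts nobody has assigned to a group, which is where most real segmentation projects stall.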
So when you take those four layers in conjunction, that is really holistically what should be in an XDR solution. And you might guess that’s what our XDR solution does.
And the last thing, the fifth layer is the people. So, I’ve probably worn this record out, but I say having a SIEM without a SOC is like having a tower, a guard tower, without a guard in it. And it’s pointless because you can’t see the hordes coming at you from the other side of the wall until they’re up at the top of the wall.
Or if you randomly decide to send someone up there at some point and they see, “Oh my God, they’re at the edge,” it’s too late at that point. You can’t do anything. You can’t put oil and fire in the moat and stop them there. You’re stuck, literally. Your castle is under siege.
But the key attribute that works most importantly across this ecosystem, is that you have to be able to do this all distributed. The edge is gone. We don’t have an edge anymore. The edge is the device that you’re sitting in front of that could be in Starbucks, that could be in your home office, that could be at a customer’s site, that could be in a trailer at a field location or that could be in the corporate office.
It doesn’t matter where the device is, you need to be able to extend these layers of security to the endpoint and not rely on them being behind your firewall.
So traditional DNS defense is firewall based, so the 50% of your people who are still working from home are not protected. Traditional endpoint security mostly works when they’re off campus, but it relies on some sort of on-prem solution to do better, to get more telemetry and constant updates.
So if you have somebody who’s never coming in the office, you hope that they VPN in to get their updates, or you hope that you have a SaaS solution that lets them get their updates from wherever they are. So distributed is the key attribute of all of these layers working well in today’s distributed world.