First off, cheers, and thank you everyone for joining us. Looking forward to today’s conversation, especially the wine and cheese part of it. But before we do that, we want to talk a little bit about what we’re doing for cybersecurity. But before I do, I want to introduce Bill Diekmann, who’s the Director of Security and Architecture at one of our customers, Cupertino Electric. Bill’s effectively the CSO there. He’s got role responsibility for security. And Bill, why don’t you introduce yourself real quick?
Sure. Good afternoon, everybody. My name is Bill Diekmann. I am Director of Security and Architecture, Cupertino Electric. I’ve been with the company for 12 years. I’ve been in IT and security for about 25 years. Prior to that, I was physical security. And prior to that, military. So I have lived just about every IT role that there is, and each piece of it comes with its own ups and downs, especially the security one.
So we asked Bill if he could give an intro for today’s conversation to give a little perspective from the customer side of things. We’ve seen a lot of – since March where all of us had to pack up and go home and shelter in place, we’ve seen a lot of changes. We’ve had a massive shift for folks who were dealing with 25% of the workforce, working remotely to all of a sudden 100% of their workforce working remotely, and some of the security challenges that’s created.
So I asked Bill if he could start us off by giving us a little perspective on some of the challenges he’s run into and what he’s dealing with today and what keeps coming.
Sure. I think like everybody else, late February, early March, we were looking at what was occurring. We all kind of saw the writing on the wall, but nobody really wanted to believe it yet. And then we got through the first week of March and the executive team got together Monday morning, and we looked at what the potential risk was going to be. And Cupertino Electric is – I mean, our culture number one, is for safety. We’re a construction company. We do a lot of things, but we’re all about keeping people safe. And so when somebody said that being out there can get you sick and can kill you, we all just took a step back and said, all right, that’s it.
So Monday we were all working in the office. Monday, overnight, we sent out a communication to the entire company that said, “Tuesday, don’t come back in. You’re working from wherever you’re at.” So we went from roughly 2,500 people working in an office space somewhere, whether it’s a construction job site or home, to 2,500 people working from wherever they happen to be. And this included overseas. We had people traveling who couldn’t come back. And so, my networks that I had to protect went from 150, 160 networks to 2,600 plus networks overnight.
And if you all are sitting here thinking about what your networks look like, jumping that percentage to 2,500% increase in network, the threat vectors that go with that, the number of threat signals that are coming across that, what’s on the other side of that network or that purchasing agent is coming in through a VPN connection from their personal network? What else is on their personal network? These are all things that I had to consider instantly in one day. And then how am I going to protect that going forward?
I was really thankful that we had planned for scale in our VPN environment. I didn’t have the worry that we couldn’t maintain enough VPN sessions, but I did have to worry about what did all of these new threats look like, and how in the world am I possibly going to handle the influx of all of these new signals into what I thought was a fairly well-oiled security machine, knowing what can impact us? Now all of a sudden, there’s a whole bunch of new things, and I really wasn’t sure what was going to impact us.
So it’s interesting. We had a similar – our method and our approaches have always been treat the remote user with the exact same level of protection, security, white glove services as somebody sitting in a corporate office. But that’s an easy thing to say, and it’s a very different thing to implement once you go from 25% remote to 100% remote. And we face that challenge over and over with customers. And Bill, you mentioned that one of the big risks was now all of a sudden, “I went from my traditional defense in depth approach of fortifying my castle and all of the extensions of my castle to wait. They’re all sitting in their huts and the huts are having fire grenades launched at them. What do I do now?”
And it’s been an interesting challenge. And one of the things that you mentioned that we’re very – Bill and I have a lot of conversations about security. One of the things we’re very aligned on is this concept of signals and telemetry and the importance of them. And as Bill said, the amount of signals just amplified significantly.
And to that end, Bill, I’m going to ask if you could jump in as I’m going through this presentation, so we make it a little more interactive. And if you’ve got any insights you’d like to give in terms of what you experienced throughout this timeframe, please feel free to jump in and talk about it.
Absolutely.
We had this concept of what we call the trifecta prior to the pandemic. And the trifecta for us was because the endpoint is the entry level, the users are the entry level for where most impact to the company comes, whether it’s an insider threat or it’s their machines are being compromised, or they’re clicking on emails, or whatever the case may be, normally the inbound ingress point for most malicious activity comes from the end user’s perspective or point of entry. And so the trifecta was about protecting the end users from the DNS perspective to stop phishing attempts from a DNS click perspective. Then right behind that, the endpoint protection to secure the endpoint so that the viruses, or malware, or clickbait or whatever, doesn’t spread beyond a single system.
And then, the third part of our trifecta was what we called our – what is our SOC offering. And what happened in March was we went between March and April from traditional phishing attempts happening, and being a big problem and being the number one source of entry into a customer’s environment to those phishing attempts increasing by over 600%. So what happened was that 600% created a real challenge in terms of that has to stop and security awareness isn’t enough.
And the rest of this presentation, I’m going to talk about the FourFecta. The fourth level of that defense is now what we call the FourFecta, so I’ll dive through that. But for those of you that don’t know us, a quick backgrounder on DataEndure, we’re a 37-year-old company that has been doing solution providing in terms of system integration, technologies and professional services, and helping some of the largest companies in the industry.
But we’re also an MSSP. And our MSSP business is currently delivering services across 23 countries on four continents, protecting people’s security. And everything we do has always been about an outcome focus. So like everybody says, we have that trifecta. I’m using that word again – of people, process, and technology, but that triangle is core to every organization. So if you have an organization that’s doing things right, you’re thinking about those three sides of that triangle in order to make it all come together.
What we really think is a differentiator for us is that we’re entirely focused on this concept of digital resilience. And digital resilience for us is about not just having your security in play, not just having your backups in play, but all of that comes together. And it’s basically resilience plus business continuity that creates this notion of being able to survive and thrive no matter what the attack is, whether it’s the driver or the systems, or it be a user makes a mistake and exposes data to the internet, for example. Any number of those vectors for attacks, you should still be able to operate your business and thrive during that attack.
So ultimately, what we’re all about is this notion of time. Right now, time is on the malicious actor side and we try to take it away from them, or successfully take it away from them, and put that back on your side so that you can defend your enterprise. And that notion of digital resilience for us is simply that ability to survive and thrive. But how do you do that? You need to create an understanding of your governance, risk, and compliance. So who’s regulating you? What are the compliance bodies? What are the controls that you need to implement?
And then on top of that, understanding your risk and being able to manage against that risk. But the systems that store, secure, protect, mobilize and garner insights from your data are the key things that are ever changing. That’s the ever changing life cycle of the environment, and whatever you’re doing has to keep those in mind, not just the security tools, not just the business continuity plan, not just the backup technology, not just the DR technology, but they all have to work in concert.
So without too much more ado, let’s talk a little bit about what the problem is. So we have basically the market – and by market, I’m talking about IBM, Ponemon, and Gartner and other analysts are saying things like 25% of all security teams are constrained. And Bill, one of the conversations you and I regularly have is I wish I had more people. Funding is one challenge. While it has a great network of security resources, the other challenge is finding people for others.
People are definitely a challenge.
Yeah. And then what’s happening is that we see that within any typical organization, there are, on average, according to these three companies, 47 different security technologies deployed, which means we’re all implementing a ton of different tools to try to protect our environment. We’ve all clearly learned that one is not enough. But which ones and how are they managed?
And then on top of that, we got this 100% distributed edge that got created by the pandemic. So now all of a sudden, everything we had done, all the controls we’d bought and placed and introduced into our networks were really working great while people worked from the office and working okay while there was 25% of them remote. Now everybody’s remote. And now we need to rethink our strategy with our control sets.
And when you take a look at what’s actually happening, the results of this is that the spend that’s happening in the industry is not justifying the results that we’re experiencing. Even with the $18.4 million in annual spend, you can see from this report right here from Ponemon that 53% of IT leaders feel like they don’t know if their security controls are actually working. They believe they are, but they don’t have a good way to test and validate that.
So the industry on average is overspending. The mid market on the other hand is not spending enough, and so it’s creating this dichotomy. And then we have what we just described at the beginning of this thing, which is a 667% increase in phishing attacks just since February. And add onto that, that it takes about 200 days to identify an adversary inside your network, and then another 80 days before we identify and contain the actual attack that they were about to do. So 280 days, half a year before damage has started to impact your environment. But 280 days when an adversary is sitting inside your network or sitting on your systems trying to understand what to do and how to do it.
So it all comes back to that notion of it’s all about time. It’s all about taking time away, those 200 days away and bringing it down to minutes instead of hours, days, weeks, or months. And then on average, the cost of a breach right now is 3.62 million. And there’s about 26,000 records that are lost on an average breach. So that’s pretty significant. It’s getting bigger and bigger. And compound all of that with there are over 3,000 security vendors out there.
So now as an IT team that is already stretched, as a security team that doesn’t have enough people, we have to figure out how to find the right tools to close all these gaps. What technology fits the best – is the best for the hole that we have, for the gap and the controls that we have, to solve the problems that are in front of us. And every day, there’s another security vendor coming out. Every day, the security providers are changing what they say something is. It used to be called one thing two weeks ago. It’s something totally new. And Gartner grabs onto that and it’s a new technology. Exact same thing painted in a new way.
So we have a challenge in trying to get our hands around this ecosystem of tools and technologies. And this is where the shift in our conversation is going to be where we think we add a lot of value. We’re really talking about that traditional conversation of core versus context. Managed security, and security tools, and technologies are core to what we do and we effectively are doing research and development on each of the categories that you see up here to figure out which tools are the best for us to be able to deliver our managed services underneath these categories. So rather than you and your team having to go out and do all the investigation, we spend tons of cycles on this stuff and a significant amount of time.
Bill, we were just recently looking at micro segmentation for your environment. And it was a conversation that started around the February timeframe, I think, actually, right at the beginning of this thing.
Yeah, that’s correct. It was the next evolution of what else do I need in my security environment to protect the organization. To me, working with DataEndure, this is one of the advantages that I get out of it is I’m still going to go do my due diligence. I’m still going to go look at solutions. But just looking at this slide here, the sheer number of possibilities of solutions out there, there’s no way I can evaluate these readily. And to be honest, that’s not my job or anybody sitting in my position, that’s not our job in any organization. That’s time away from what we need to do.
So having somebody who knows how to look at these and evaluate them, and bring what makes the most sense to my organization, that’s where I get the best benefit out of this. I love having talks with you because I can just ask you a straight question and you go, “Well, here’s three ways I would do it that make sense for you.” Getting that answer, as opposed to me spending three months in vendor demos, I’ll choose having the conversation with a partner that I trust versus sitting in 100 hours of evaluations.
Yeah. One of the things that makes us unique is we’re both a reseller and a managed security provider. So on the one hand, we’re doing the due diligence from technologies that we want to resell, and we believe solve these categories from a technology and solutions perspective. On the other hand, we deliver a lot of managed services behind all of these categories and close many [inaudible 16:43] controls for customers, as well as offer compliance services.
And so we have to understand these things for ourselves to be able to go to market with these services. So we’re both a customer as well as a partner with these technology companies, as well as in some ways, competitors on some of these categories. So it’s an interesting dichotomy and that’s why when we have dialogues, we’re able to quickly talk about “Here are some options. Here’s how we do it.”
So with that, I want to jump directly into the topic for today and this notion of modern layer defense in depth. When we started our managed security business, it’s not as old as the company. Our security practice is about 15, 16 years old, but our managed security services started out with our SOC offering and that was a little over three years ago. And so we started out thinking that what we have to do in order to find and stop the adversaries in their tracks is we need to be able to quickly identify and take away those attackers’ advantage of time and give that time, take that dwell time away and give that time back to the IT team and the security team so that they can clean up the systems and get rid of whatever first foot in the door, the adversaries had inside the network.
So what we did to develop a solution for that – and this came from – the reason we built this platform was this came from several of our customers in a very short period of time getting hit with ransomware, and we helped them with incident response. And while that’s great, and that we were able to be there for them and help them get through it and resolve the problems, the reality is it’s expensive, it’s painful, its impact to production, its impact to productivity, and it takes you off of what differentiates you from your competitors.
So we said, we need to get ahead of this and we need to build out a service that prevents this from happening rather than responding to it when it does happen. So effectively, we built our SOC offering, and our security operations center as a service is really designed specifically, like I said, with about 15 technologies embedded in what we do. And it’s both reactive in terms of log analysis and traffic analysis, and EBA, and UEBA, and MTA functionality to be able to identify adversaries very quickly, but it’s also got proactive capabilities in it to help close gaps inside your security controls. That question, at the top of this, which Ponemon said 53% of security experts aren’t sure if their security controls are doing what they need.
One of the key features of our SOC offering is we do pen testing every month and we call it our security controls validation. It’s specifically designed to attack from the inside and determine if your DLP solutions are working, your firewalls are working, your endpoint security is working, and we give you a report with remediation activity on how to prevent, how to close those gaps.
And Bill, you’re on our SOC service. Could you take a minute and talk a little bit about how much, if any, that’s helped you?
Has it helped me? Yeah. It’s a heck of a lot easier to have an output from a bunch of skilled people that says “Here’s what is, and what isn’t working.” I do not want to be in that 53%. No. So any head of security who’s unsure if their controls are working, better figure out how to test it real quick, right? And I take advantage of our monthly engagements there, knowing what we put in place, looking month over month what’s improved, what are the critical points that we should be looking at, where do I make an investment?
Going back and looking at our change logs, I go, what changed and did it have an impact between tests? Yeah, there’s no way I could do that today without having a service like this. I think anybody who’s running an IT organization, specifically on the security side, we all want to have our own SOC. We all want to build it. I mean, you’re probably not doing IT and security if you weren’t already curious about how all of these things work. So it’s interesting and engaging to want to go and build it. But once you sit down and you start thinking about what you really have to put into it.
If you don’t have the staff today, like I didn’t have the staff, what am I going to do? I’m going to have to go out and build a facility for it, find the software solutions for it, hire the people and train the people, and whether your business is a nine to five business like ours is, security never stops. Who’s watching the screens overnight and on the weekends? I would have to run a 24 by seven operation, which is not core to our business. It doesn’t make sense.
So having DataEndure’s SOC involved in this – when I was looking at the number of signals – I mean, year to date is 2.7 billion signals that we’ve had. How am I supposed to train my own SOC to be able to sort through 2.7 billion signals to get down to the 93 items that I have to take action on? That is not what my business is about. That’s what the SOC business is about. So having DataEndure’s SOC delivered to me the 93 incidents that my team has to go and investigate, that’s where I get my value, absolutely.
Thanks, Bill. So as we think about this now, now that SOC has become that fourth layer, the final layer of defense. So after if the adversary gets through every single one of your security controls, there has to be that catch all that is identifying them and letting you know that something’s wrong, there’s anomalies on your network, that is really what we designed the SOC for, that final layer defense.
But as I mentioned, this conversation is about a FourFecta. So let’s start at the front of this with the first layer. We all have tools like KnowBe4, or PhishMe or other technologies to help do security awareness training for our users. And effectively, we’ve created this comfort level that our users are being our first level of defense. The reality is that they make mistakes.
One of my top engineers got suckered into clicking on a link. He realized it and quickly changed his password, but he went through and logged into his Google account and gave up his password. So he had to go change passwords on a bunch of different systems in order to protect himself. And this is one of my network engineers who is supposed to be a super smart guy and not make mistakes like this.
So it’s very easy for any one of us to get fooled and click on a link and then realize, oops, we did something wrong. So what we decided is we need to take a different approach to phishing protection, and we need to take AI and apply it to the mailboxes. And we do that for Office 365. Our advanced phishing protection scans all of your emails and finds threats. Just like the anomaly detection on your network, we do anomaly detection inside of your mailboxes on Office 365, let you know what threats have existed there, present those threats to you, and then prevent them from getting [inaudible 24:21] users going forward. So we’re blocking them before they ever get to the user.
The next layer of defense is if it gets through this, there is no fallible defenses, which is why we all have jobs in security – infallible, excuse me. Every defense is fallible. There is no infallible defense. So if it gets past this layer, the advanced phishing protection, the second layer defenses don’t let those users click on clickbait and go to a command and control connection. Don’t let them be able to go to a bad site, prevent that from happening.
So what comes to bear is our DNS protection. Our distributed DNS defense replaces the traditional defense in depth concept of content proxies and web proxies that are usually implemented in data centers or office locations. This solution effectively gives you distributed DNS at the endpoint. So even if they’re sitting at Starbucks, even if they’re sitting at their home office, even if they’re sitting in the field at a customer site, they’re still going to get the same level of protection, the same level of content protection, as well as blocks from known bad URLs and IP addresses.
So what happens if we get through both of these layers of defense, the next layer of defense is really intended to stop the attack before it leaves that endpoint. So at this point, the user has clicked on clickbait. It’s not a known bad address, so it’s gotten through, and they’ve got some malware that has either executed remotely against their machine or installed some sort of RAT or something else that will start to do some damage. So our endpoint detection and response is the next layer.
The biggest challenge in this space is there’s a lot of AV and nextgen AV solutions that are trying to close the gap here. We evaluated in each of these categories. In this one in particular, we evaluated the top 10 solutions in the market and ended up with the solution that was most effective. The attacks I mentioned, we used the MITRE ATT&CK matrix to develop the pen testing synthetic attacks that we do in the SOC. We ran about 150 TTPs against the endpoint solutions to see which one was the most effective. And we ended up selecting the technology of the platform. We built out a solution around it in a managed offering that prevents the attacks from spreading, regardless of where your user is again.
So all three of these services are designed to protect the completely distributed world. No matter where your users are, they’re going to get protected, and we’re going to try to prevent those attacks from ever landing and spreading within your network. If it should, that’s what our SOC offering is for is the last line of defense. Not only is it the last line of defense from all of these frontend endpoint solutions, but it is the last line of defense for all of your security controls. So no matter what you’ve put in place already, we’re able to identify and remediate depending on which of our services you have in place, and the endpoint solutions will help with remediation. But we’re able to identify and quickly escalate.
Something Bill said was important. We’re dealing with billions of events across those 23 countries that I talked about, and those events are being pared down on average in our customers. Bill, I think we send no more than one or two events a month for your team to investigate or something to that effect?
Yeah. That’s about our average.
So we’re not like the traditional. There’s a lot of players out there that calls themselves a SOC as a service. And what we end up doing is we really try to go a lot further and do a lot more on the investigation, and only escalate those things which are meaningful and actionable events.
I’m going to jump – fast forward a little bit. I have some detail which we can share with you, but we’re a little bit behind schedule and we want to get to the wine and cheese tasting. So I’m going to fast forward and not go into detail on each of these services. What I’ll do is I’ll jump ahead to our SOC offering and give you a perspective. There’s a lot of players out there that are doing a lot of different things. They call themselves SOC. And our approach has really been around this – completely around this notion that telemetry is king. And there’s a lot of players out there that will talk about features, but they don’t really take features, telemetry and integration all together in mind.
We have customers that came from implementing a SIEM, to need a control, to some that had managed SIEM, which was a third party was managing their SIEM, to some that had outsourced their SOC that brought their – the SOC brought their own SIEM and their own tools and they managed it. What we’ve built goes far and above that, as you can see by the check boxes here. We’ve built capabilities that are not only on the reactive side, which is everything from intrusion detection, behavioral monitoring, asset discovery, being able to fingerprint and do traffic analysis. Log management is obviously core and SIEM.
We also give our customers access and visibility into all of this. So this is shared accountability as a key component but what really differentiates what we do is the proactive side of things. We not only do vulnerability assessments, continuous vulnerability assessments, but we do a daily update of the CVE definitions. And so, we’re able to take those CVE updates if there’s a new vulnerability and look back in whatever is in history in the scans and see if that CVE was ever inside your network. And so we’re able to identify that.
We also correlate that along with all the log data and everything else, behavioral analysis, network traffic analysis, and are able to see if an attack is targeted towards a machine that has a vulnerability. We classify that as a higher risk and escalate that immediately. So vulnerability integration is a key component. But then, like I said, our simulated attacks are probably there. I have never seen another SOC offering do this. We run about 50 TTPs inside your network every month and give you the results of all 50 of those TTPs, which ones succeeded, which ones failed, and the ones that succeeded, we give you remediation actions for.
So we believe that you have to be both proactive and reactive. Most SOCs today are very reactive. They collect log data, they analyze the log data, and they escalate those events to you. We believe that you have to get far deeper than that, and we’ve basically created a model where we think we’re standing aside from everybody else, and we don’t believe that all SOCs are created equal, and we don’t believe that a SIEM alone is enough. The 47 tools are too much, but a SIEM alone is not enough. And so being able to do much more than triage and help desk is what’s important in being able to help our customers to identify problems in their network, anomalies in the network, and read them out.
So with that, we have a complimentary health check that we’re offering out to all of the attendees today. If anybody’s interested in getting a complimentary security health check, please reach out to your sales rep who invited you today. And we’ll happily provide one of these that takes about two hours of your time to get it set up and about two weeks for us to run it and give you results back, not just on vulnerabilities and your security controls checks, but also gives you a demo of the SIEM that you will get access to on our SOC offering.
So with that, Bill, did you want to add anything in closing on the security services?
I mean, one thing in particular, Shahin, because for me I’m always nervous about services and it doesn’t matter what it is. If it’s something I’m bringing inside, if it’s a piece of hardware, it’s a piece of software, a third-party service, if it’s proprietary, I always view it as a black box, and as black boxes you rarely get to see what’s going on inside, which makes you question, is it really doing what it’s doing? I just wanted to say that DataEndure’s SOC to me is one of those few things that is not a black box. I get to know what’s going on in there, and seeing it in action and being able to interact with it just like it was my own NOC is probably one of the biggest comfort pieces in having a service like this.