Inside the World of Cybersecurity with eSentire: Uncovering Threats, Solutions, and the Future of Protection
When you think about that, you take a step back, and I go to there was the it was Boston. I forget which hospital group in Boston, then they had ransomware, and they had to call in the National Guard. The National Guard was helping them reimage the computers. I don't
Brent:I figured I heard of that one. Okay. So this
Max:was I'm trying to date it in years. Everything, like, blurs together. There was you know, it was a ransomware that had been around long enough that, like, people you know, you should, like, know what was going on. And then they go into this thing where they had to reimage all of the computers, all the devices in order to get back on, and they didn't have the staff.
Brent:And so they literally had National Guard I mean, like, fatigue-wearing National Guard in the hospital with boot drives, like, helping them reimage the systems. Well, that's, hope is not a strategy, right, at that point. You're looking at a bad situation. I guess they're not paying the ransomware. Right?
Brent:And so What do you think?
Max:I mean, what percentage of people actually pay? I mean, I mean, this is one of those, like, big no no's that people don't talk about, but it feels like it's gonna be a lot higher than people wanna accept. Well, I
Brent:think if they pay, they don't want to disclose that because what happens is if you pay I mean, if you really think about the bad guys, okay, getting into the network, it's usually something innocent, a phishing email or Oh, yeah. 100% hold on. A vulnerability that they're exploited. They get in, grab hold of it, map out the network. I always kinda, of joke around and say, Hey, if you do pay the ransomware, make sure you get a map of your network because they have a very good one, right?
Max:And they know where everything is hidden.
Brent:And they've also put back doors in. And then if you do pay they recognize you as a paying entity. Uh-huh. And so it's really do they have a backdoor that is going to be there for a long time, forever? Yeah.
Brent:And so then if they need to get in or they sell access to it, will you pay again?
Max:I remember reading, I think this was must have been like the DVR, like, 2 years ago, and it was showing the stat all of a sudden dwell time just going to almost 0 where we we had prior to that dwell time at, like, 200 days, and all of a sudden dwell time is, like, hours. In some I mean, the the the compression was so extreme. Like, oh, this is good. You know? People are detecting this stuff faster, and it's like, it's not just resonating and networking.
Max:And then you have this moment of, oh, no. No. That's actually really bad. We've gotten really good at commercializing these things.
Brent:Yeah. That that, dwell time, it I remember following it. It's got, like, 65 days and people thought, this is great. Yeah. Right.
Brent:Like, no. No. No. This is not good. This is bad.
Brent:And what happens is they actually now I mean, it's a whole business. Right? So they the guys who sell access isolate themselves from the guys who actually do the reconnaissance and take the data out and then they can actually segregate the guys that, hey. K. Now we're ready to do the ransom.
Brent:And so there's this, you know, business set up to isolate everybody from being prosecuted 100%. Right? Hey, I just sold access. I didn't do any of the malware ever damage. So there's this whole phase thing so even if you do get ransom, what happened before?
Brent:One of the
Max:things I don't like about the industry is becoming this, like, when I say industry, I'm talking about, like, this shift between, like, IT and security experts and, like, the rank and file users. You know, we're at a position now where it's like you are going to have this I mean, you know, payloads, email, like, click only malicious stuff. Like, all this I mean, they're they're it's too sophisticated. I mean, even your sophisticated users, you know, people crypto experts, you know, are getting or are, you know, are getting phished. Right?
Max:Like, it's and and when I say it, crypto experts, I mean, people with, like, huge wallets, you know, that, you know, are getting exploits. And these are savvy people. Right? I'm kinda curious because and this will go up in a tangent here a little bit. But I like mentally compartmentalize, like, you know, defensive versus offensive capabilities in your security stack.
Max:And, you know, we could talk about the c you know, CSS framework and, you know, the 5 pillars and and where we fit into one of these 5 pillars. But a lot of this of what gets installed or what gets pushed, you know, is is defensive. It's not necessarily offensive. And, you know, it wouldn't say, like, an EDR is an offensive technology. Right?
Max:Like, it's it's there to help identify stuff that's happening to you and then, you know, of course, feed signals into something else, which then can take and and correlate a lot of signals and give you a better, you know, heuristic of the entire environment. When you talk about, like, email exploits or phishing attacks, you know, and and I start I start it's like, what's the line between maintaining more of, like, a defensive posture versus really investing in things like RBI and doing browser inspection and exploding payloads and trying to see what's actually gonna run and how you know, it's like, should we be investing more in the offensive side at this point? Yeah.
Brent:I mean, it's it's interesting because there's a a market coming out. You know? Like cable go actively pen test your environment and it's still going to find holes. And you look at the funding of the guys who are setting this up, they can go buy all those tools as well. That's the challenge.
Brent:So they know what it picks up, what it doesn't. If you really look at kind of the big threat, it's companies like, for example, CrowdStrike. If I have your source code and your bug list, I know how to get around that. So even if you deploy everything that you think, hey, it's gonna go, you're right, it's a matter of time before something clicks and gets in and they can move around. If you're going on the offensive, you're only as good as what you know at that point.
Brent:Right? So it's like pen testing. The pen testers know what they know, but what they don't see is, hey, this over here is exposed, Right? Because they're not aware of it. So I think it's hard to say, you know, we're not we're not really in the offensive part.
Brent:Mhmm. Right? We're we're looking at things just like you say as they come in in real time correlating that stuff and responding as quickly as we can.
Max:Offensive probably isn't the right terminology. Right? But, you know, I I don't wanna say, like, creating I think the big misnomer I see a lot when we're talking with companies is this idea of, like, oh, we're not a target. Right? You know?
Max:Like, oh, we're not a target. And and the answer to that is it was like, nobody's really a target. Like, the only real targets are maybe banks. You know, government installations. Maybe you're talking about manufacturing real intellectual property that some nation state is trying to exfiltrate from you.
Max:Right? But, like, what's your formula for concrete? You know, that's that's important. But everybody else it's not like, oh, we're at Target. It's like, oh, no.
Max:You're connected to the Internet. Like, you're you're you're you're you don't get
Brent:to choose me. Yeah. Well, that that is true. And when they say that, I I kinda say, well, you have to understand how the business works. So I can go online today, rent my phishing email and the software, put it out to a 1,000 people.
Brent:I'm just gonna gauge you. Yeah. Round numbers. I come back in the morning, and I have 20, 25 computers that I own. And then now I look at where am I?
Brent:Am I in a bank? Am I am I in a, you know, hospital? Am I in a small manufacturing one? Right? And there's different values, I think, to them put on that.
Brent:But now their mission is to get in and figure that out. And once they've got that, they, just like I was talking about earlier, sell access to that and those have value. And it's that simple. Right? So once you're exposed and the chink in the armor is there and they have access to a node on your network, that's when they can start pivoting around and you better be able to find that stuff fast or else.
Brent:Right? And so then the ones who say I'm not a target, they just look the other way until something happens. Right? We've had folks come to us, hospitals, clinics that are really big and surprisingly big and we talked to them about what we do and how we help companies and they said well you know I think all we need is a penetration test. And then they call back 6 months later, hey all of my servers are down.
Brent:My data center is locked up with ransomware. Can you help me? You know, and I jokingly to myself say I think you failed the pen test. You know, and the reality is at that point they'd be have to figure it out and that's where it gets down to, you know, just like this, they had to look at what they had for backups. They had gotten to the backups because there was no detection.
Brent:There was no real EDR. It was just the, you know, old school antivirus signature type model and no EDR in place to see the processes, no no ability to see if anything's moving around. So they got into the backups, infected those, encrypted those. The grace that they had was they had one machine that wasn't turned on in the back of the room that had some of their data, most of the database. So they actually made the choice not to pay the ransom, but rebuild everything from bare metal and then restore and and then type in the rest.
Brent:So the event was somewhere in the neighborhood of $3500,000 in expense. Right? Now that's versus paying the ransom. But that's the risk you run when you say I'm not a target. No one's coming after my stuff.
Brent:Like you said, it doesn't matter where they are. If I can get between you and what makes your company run, will you pay? I've been asking a variation of
Max:this question for maybe 10 years now. And the the source of the question was how do you sell cybersecurity to somebody who's not buying cybersecurity? Right? And and the common answer to that one was, like, oh, you know, it basically folds into, like, an education or, like, a a FUD, you know, if you're in certainty doubt, you know, to kinda track. And neither of all really work.
Max:Right? And that example and I've seen this over and over again with an organization or going out, and somebody inside the organization is advocating. Like, let's go get this. You know, let's get an, you know, EDR. Let's get a this.
Max:Let's get a that, you know, and and improve our posture. And it gets to some point in a budget cycle, you know, or approval cycle, and somebody says, no. We're not gonna spend the money on it. We don't need to. We're not a target.
Max:We don't have risk. We keep another budget for this thing, right, which are, like, basic, you know, business decisions at that point. And I've kind of come to the conclusion that a lot of this is because IT cycles are so ingrained into, you know, return on investment and TCO. And, like, how do you actually quantify what is your return on investment an MDR service? Or, like, what is your ROI on MDR?
Max:And then people tell me it's an insurance policy. Well, it's not really an insurance policy. Insurance pays you when your house burns down. Like, your house burns down, they pay you to build a new house, and that's also not what it like, you know, anything inside the MDR stack really does for you. So then it was, okay.
Max:Well, maybe insurance is gonna push this and force. And and we see insurance agencies and carriers starting to push more and more posture. That Fintech was probably oh, they had an insurance requirement. Somebody said you have to have a Fintech. They said, okay.
Max:Let's go get one. And so what I've kinda come to the like, what I've been wondering about, is it just scar tissue? Like, do we have to have enough houses burned down, figuratively speaking, before people start to understand, like, have to do something a little different here? And now I'm an I'm a relative I mean, I don't do this solely. Right?
Max:I'm kinda curious for somebody who's on the inside of this. Like, the sales cycle around MDR services is either somebody calls you and we've had this incident, somebody calls you and says we wanna buy this. What do you think is gonna happen here? How does this evolve?
Brent:I mean, there's so much to unpack there. Right? Like, my tongue. Really. Like you.
Max:It's an open end question.
Brent:So you have to know I mean, we could be here for an hour. Perfect. Let's do it. The reality of that is that, the cybersecurity stuff, it's like the news, right? Once the latest gets run for a while and then it goes away.
Brent:So people forget, right? So the board now, you know, everybody at some point, if you look, will have somebody on there that cares about cybersecurity. The private equity businesses, hey, I'm the investor. I gave you a $1,000,000. I gave you a $1,000,000.
Brent:I gave you a $1,000,000. Well, what are you doing to protect my investment? So then that level, it's pushing down security to places that it would have never gotten to before, which is good, right? Because those guys are going, hey, I bake bread. Cyber what?
Brent:But then the guy's like, hey, if you're baking the bread and the machines go down, you're no longer baking bread and then where are we as a company? So when you look at that, if they're not buying, right, it has to be something that I know, hey, don't touch that, it's hot. And then they touch it and then they realize, hey, okay, I might need something here. The budget cycle is an interesting thing because folks who haven't spent money on it in the past will tend to say, okay, I maybe need this and then they see something happen to their friends or they hear something and then they start to like look at it. And MDR, it's kind of like insurance because if something happens when it does someone is there to support you, right?
Brent:So the goal is, hey, I need to stop this as quickly as I can and contain the threat to recover my business, right, to make yourself more resilient to what's happening in the environment. If you don't, the alternative, and we've seen this, companies will go out of business. They just can't recover. They go home. So when you talk about the ROI and the budget and how does that work, I can tell you I sat there and watched this happen in real time.
Brent:We were talking to a company about MDR, and they had an incident. It was a pretty small one. It was a business email compromise. They've gotten to a couple things, sent some emails around. I don't know the exact details.
Brent:Buy me gift cards. Right? So it raised the threat to the IT director level and they brought us in and a couple other vendors and talked to us about what we're doing. And we said, yeah, here's how you can benefit from a service like us. Here's how we would have helped you detect that quickly and stop it and, you know, contain it.
Brent:And we gave them a quote for, I think it was around, I'll just use round numbers, about $75,000 for the whole year for our services. And they decided to do nothing. They actually bought a piece of technology. So then fast forward, just like that, you know, I don't know the exact time frame. It wasn't too long.
Brent:We were back in front of them. This time, the mood was much different. They had gotten, some ransomware in the environment and we're in the room with the IT folks and the CEO. So the CEO is listening into our pitch and he says, you know, weren't you guys here before? Kind of question, like, why are we, you know, why are we doing this?
Brent:And, the the sales guy, very interesting con question, he said, so what do you do for a business? And and they basically manage mineral rights. So something not sexy. That's not sexy unless you're in the business. Right?
Brent:Then it's super sexy. Of course. But to the average person to me and you managing mineral rights means what? I think he's got a database of people and then checks that, right, when people ask. He said, how much does it cost you if your business were to go down for 2 weeks and you couldn't do anything?
Brent:And he sat there for a good couple minutes, and you can see the math happening, right? And he said it's about at least $1,500,000 in revenue, I believe. And he goes, so you help me protect from going down for a long period of time? And it's like, yeah, that's exactly what we do. And he looked at the IT guys and said how much does this cost?
Brent:And he said about $75,000 a year. And he goes why are we still talking about this? Let's go, let's get it done. And the contract was signed the next day. So it's quantifying that for someone who really hasn't thought about it that way is what it sometimes takes, right?
Brent:The guy who's running the business says, if I go down and there's a good possibility because the reason we're at the table for the second time is because he was down. Now, Ren, small bullet wound and I think good. I'm not the whole company. So they were doing some things right. That's really I think what has to happen is if you can quantify if I were to lose my business for a period of time, lose access to my data, lose access to something, or lose my IP completely, what happens to my business?
Max:Well, in that example, you had a dose of reality that it has a hit. Right? Because when we start talking about any sort of evaluation based on risk, you say, okay. If you're down for 2 weeks, it's 1 and a half $1,000,000. And then what is the likelihood of it you're gonna be down for 2 weeks?
Max:And for people that haven't had that experience of being down for 2 weeks, the likelihood of being down for 2 weeks is very low. Right? So you can quantify the risk and say it's 1 and a half $1,000,000,000 of lost revenue for you. But if perception of risk is 0, you know, why spend any money to resolve that? It's like, I don't need insurance for, like, you know, an asteroid hitting me.
Max:Right? Or me, right, coming down and getting my bill. Right? Like tell what it does. In debt.
Max:Well, you know, I mean, but then the likely go to risk is really low. Right? So private equity example that you gave was interesting because when you look at it, you say, okay. Across portfolio of investment for a fund or for a business, how much does it take before this becomes an event? Right?
Max:So if you've got 50 investments, a 100 investments, 200 investments, you know, statistically within that base of investment, you're gonna have a bad experience. And then you take step back and you say, okay. No way to quantify this risk across our entire portfolio. And what does this actually mean for us in terms of our investor dollars that we have at stake, and then it probably becomes reasonable. Right?
Max:Like, very quickly you look at it, you take a step back, and you say, woah. This isn't great.
Brent:Well, it's it's a matter of if you're putting that money in and I talk about this, you know, and I think you do too. It's balancing the risk with the budget. Don't matter what you do. I could do everything under the sun. I still have risk.
Brent:Well, how much dollars do I spend to mitigate and take out risk? Right? So if you look at it in terms of the MDR market is a perfect market for outsource. The problem solved are I can't have the people sitting there. Let's just call it looking at my EDR, looking at my logs all day.
Brent:I can't afford that, most companies, unless I can build my own security operations center, and I'm gonna invest money to have a lot of money. I can tell you it's it's more than most will invest. They're not in cybersecurity as a business. They're in the business of x, mineral rights, baking bread, whatever it is. And then if you invest all of that money into doing your own SOC and your own stuff, you only know about your own environment.
Brent:You don't see the other stuff. So then you have this kind of as a service model that has come where I have visibility across finance, legal, entertainment, all these industries, and I can take that intelligence and apply it to your business. There's a huge advantage. I'm paying a fraction of the cost. I'm getting the threat intel.
Brent:I'm giving the real time response 24/7. I mean, if you look at what it costs to employ a cybersecurity guy because the the way of the world is in the past, IT, right, this is how it works, we need security. So they bought a firewall and who gets to deploy the firewall? Well, it's IT and IT doesn't know a lot about security unless you got a curious guy. So they stand it up and go, lights are blinking, everything's on.
Brent:I've allowed what I think I need to allow and I've blocked what I think I need to block. And then that's it, check. So now the security guys, it's evolved, right, really. I mean, I came from the world where I saw it both ways. I remember the transition for myself going, well, yeah, just because it's up doesn't mean it's doing what it's supposed to.
Brent:And then you look at the security aspect of it and it really takes a skill set. So now some of the guys are transitioning over, they're becoming CISOs, they're becoming interested in cyber. Heck, it's really a growing space and IT is kind of, you know, it's still there. It's not sexy. Yeah, it's not like I'm gonna make a $1,000,000 somehow.
Brent:But the cybersecurity folks are now saying, hey, you need these tools. So back to what I was saying, is if I hire a guy, he still needs the tools. He's not gonna be there 24/7. He's not gonna not take vacation. He's got a family.
Brent:Let's just call it what it is. He's got a life where the services run around the clock. Right? We went and saw a customer and it was interesting because we sat there and talked to him and they listened to the whole thing and said, well, we have a guy who got his dad and he looks at all of our logs and all of our stuff. And we looked at our we looked at each other and there's a room of people and we're like, where's the guy?
Brent:And they said, he goes to Thailand every February for 2 weeks. So do you think he posts on Facebook or Instagram? Do you think that other people may know that he's not watching your stuff for 2 weeks in February and that might be the time things happen? I, Ali, no. Never happened.
Max:The position that we sit in, you know, we see end up talking to and evaluating a lot of service providers for our clients. I mean, this is even before they get in front of a client, right, just for portfolio access with us. And, you know, with the what what you're alluding to, you know, it's 7 bodies for one 24/7 shift. Like, one shift to 7 people. So I have the same thing with service providers.
Max:You see all these MSPs, and it's usually I don't wanna say mom and pop. Like I said, it's derogatory. I worked for a mom and pop MSP when I started, and we had 12 engineers and, you know, half a dozen people in sales and account management, and and we did phenomenal work. But if you think about that in terms of, like, there isn't nobody on call. That m that MSP is not equipped to then go out and say, hey.
Max:We're a 24/7 cyber center. It provides SOC service to you. And I'm seeing lots of businesses push into the MDR space as a way to add additional recurring revenue because now it's like, hey. We can you know, and and it's usually attached to a firewall OEM. Right?
Max:Hey. We're gonna be Palo Cortex. We're gonna do the Fortinet, you know, the FortiEDR and FortiSIEM platform. We're gonna do this. We're gonna do that, and we can offer the service to you.
Max:And I get these conversations with with my client, and you have the same point where it's like, okay. Well, how many people are there in the SOC? Like, oh, there's 3 of them. You're like, okay. Great.
Max:How does this work? You know? And it feels mostly like just an experience gap of like, oh, you know, they've got the SOC and they're cheaper than the next people. So, like, why wouldn't we use them? It's like, well, you know, I mean, it's not just having a SOC.
Max:You have to have a pipeline of talent. You have to have a training program. You have to have advancement. You have to have a career path. You have to have scale.
Max:You know? Like, you have to have all these different things in order to do this very well.
Brent:Yeah. None of it. There's we talk about it sometimes, mostly internally, but sometimes we talk to the customers. There's a first generation buyer. We we talked about the budget.
Brent:I don't have a budget for this, so I I need it. It doesn't matter if it's a dollar or if it's a $100. It's too much. Yep. Okay.
Brent:So that being said, if I go cheap or maybe a lesser service then but it sounds the same. I did something. It's better than what I was before. And then when that gets kind of rolling and they experience the experience and then they go, wait a minute. This is really not what I thought I was getting.
Brent:Or they have an incident and then don't recover very well and then they start to go, okay, now phase 2 kicks in. I have a budget, maybe not enough, but at least I have a budget where I can say this is what I really want and expect. And a lot of folks end up with a, you know, bigger player at that point, a bigger company that has done this very well at that point. Right? And we see it all the time.
Brent:It's very interesting to be in that position and say, like, hey. We were we were talking a while ago and then kinda went away and and then find out they, you know, went that route and then they're back talking to us like, hey, my contract is up and I need to get serious. Yeah. It is an interesting thing because if you get to that situation, really what you're getting is awards. And now you've just got 2 emails instead of 1.
Brent:Okay? I got one from the tech and I got one from my provider who's telling me the tech said something. Yep. So what you really need is someone who can take that stuff in, make sense of it, and then actually do something about it on your behalf before it gets to you. Because if you look at that, if they're relying on just strictly log events, jeez, I mean, you're driving in the rearview mirror.
Brent:Right, and if it never hits the log, you never saw it, all those bad things can happen. If you say, hey, I'm gonna see it and I'm gonna send you an email at 3 in the morning, that doesn't solve the problem because then it's too late. Right? So anyway, you get down to that. You have to have someone with the ability to take that action and that's that you pay for that.
Brent:Right? And I think, you know, there's a little thing I saw the other day. I don't know if it was at the airport or not. Right? I was at the airport a long time yesterday, and it said, cheap things aren't good and good things aren't cheap.
Max:I mean, it's it's gonna be frustrating. Like, you know, having that where you're at the table the first time and then, you know, they go so in a different direction and they come back to the table the second time because the first rate you know, it's but there's, like, you have to have, like, a certain sophistication. The buyer has to have experience. They have to have gone through this this process. People install, you know, security tool and then get alert fatigue.
Max:Right? They don't understand what that really means. And you say, okay. You know, if you're gonna get a 1,000 alerts per day, you know, how do you actually find the 3 that you actually care about? Because those are the ones that you care about.
Max:Like, that's the first one. I have a question that I ask, you know, and and the phrasing changes based on whether I'm talking to an IT person or if I'm talking to a, you know, an IT executive. Right? But it's basically, hey. You've got this tool running.
Max:Right? Yeah. And you like the tool? Yeah. It's working great, and and we use it.
Max:Okay. Great. Show me the folder in Outlook where you're auto filtering all of the alerts that come out of this thing. And, you know, so the version for the executive is is ask your IT person to show you the folder where they're auto filtering all the alerts. Works.
Max:And then it it turns into, well, why are we doing that? Well, they have a job, and they have to do their job every day. And their job is, let's say, they're looking and just reading every single thing that comes into the email trying to figure out what happens to it and then to the bigger point, and then they go home at night. Right? And and they're not on the weekend.
Max:And there's play stories about like, oh, things were triggering like crazy and nobody took action with it. That's the
Brent:like Target did that. No. She's because they
Max:had yeah.
Brent:They had the tools. They had the fire. I stopped. Yeah. And, they every alert or message came as malware blah blah blah, and then so they just ignored them.
Brent:Like you're saying, what's how do you know? Mhmm.
Max:I don't wanna say the MDR is passive, but I feel like a lot of in a lot of, like, the default is a passive state where it's like we're gonna monitor your environment. We're gonna pay attention to your EDR. We're gonna do threat intelligence. We're gonna do event correlation. We're gonna have a set, and we're gonna take all your signals in.
Max:But we're gonna tell you, like, there's something happening. Right? And it's not necessarily we're gonna take action on something happening. And I and it feels like companies are finally starting to make this shift in bigger ways of saying, hey. We're looking for an MDR partner that can not only tell us when something bad is happening but can automatically do things for us when something bad is happening.
Max:How much of a shift are you seeing with that? Well, I mean, it's interesting. Right? Max, I'm
Brent:when we started out, we've been doing this as a company for since 2000 and what. Mhmm. Right? Let's just look at it in holistic. So cybersecurity wasn't a thing.
Brent:Really? No. We were doing a lot of work for guys on Wall Street Financial Services, the company, big company customer number 1 said, hey, you know what? We have all these small networks connected into our environment. They're small companies that can't spell security even if you spot them a couple of letters.
Brent:Right? So they said if you can solve this for them, we think there might be something there and it helps us. So we started out like everybody else with the traditional logging service that we had built ourselves. And the frustrating part was we could see the things happening and they just kept walking by. Then the founder said, hey.
Brent:You know what? I we need to be able to respond. So he built the network piece out and that did full packet capture. At this point, everything's on the LAN. The concept of where I got my laptop and in front of me, that didn't exist.
Brent:So we could see everything and it gave them the ability to actually say, Hey, we see this guy here brute forcing in or this guy clicked on here, we need to stop it immediately. So we were responding way back when. The next piece was integrating EDR. So for us, we looked at a bunch of them. We thought, do we build our own?
Brent:Yeah. We kissed a couple totes along the way. We decided that it really needed to be with Sonnt that is like the incident response tools. And then the the business plan became, let's have all the incident response tools rolled out and monitored 24/7 and take action on those. So we started out with Carbon Black, they were the cat's meow, now, well, not so much.
Brent:But it gave us the ability again to respond very strategically, very surgically and not just start blocking stuff on the firewall. And it gave us real time feeds into the environment. So when you say reactive, I'll give you that it's not before it happens. Right? And I I talked to a company at RSA and they're like, well, we can tell things when they're gonna happen before it hits the firewall.
Brent:And I'm like, so you're selling me this concept of the boogeyman. Right? They're out there and they're gonna get you, but if it never gets past the firewall, do I care? Right? I don't.
Brent:If the firewall does its job. So, you know, given that, you know, the guys at Gartner came to us and said, hey. You should be in our MSSP quadrant with guys that do similar stuff. I'm not gonna throw a company in anything there, which I would normally do. And we politely said, we do things differently.
Brent:And they looked at us and said, what do you mean? I said, well, we we actually take action on stuff. So they followed us around for a year and a half and came back and said, you know what? You're right. You do things differently.
Brent:And based on how you do this, we're gonna create a brand new category called managed detection and response, which was awesome for us. Hooray. We got to figure out what we did. And the reason I say
Max:that because we call that
Brent:active threat protection, collaborative threat hunting. We really didn't know how to sell this, like you were saying, to people who didn't think they needed this. But we knew, right, a long time ago. So then the difference there is Gartner didn't define what the word response means. So a response could be I sent you an email, Max.
Brent:It's not a very good response, but it's a response. So now you have a bunch of these organizations saying we do managed detection and response, MDR, too. Just like you said, they're not responding, or you have to still click the button to respond, or they're just saying in wonderful marketing words, we do this. Well, we've been doing this from the get go. Okay, so is it evolving?
Brent:Yes, more companies are realizing they have to do some response. So you see now they're tying in to specific vendors or they have their own. There's a flaw there where, hey, I'm running an EDR. I'm running this. I'm feeding in logs, and the only way I can respond is if you have my agent on there.
Brent:Okay. Well, let's just call it what it is. The odds are the one that's gonna get compromised doesn't have your agent, and you're starting from 0. So if there's more of that happening, there's more people trying to go SOAR, right, and do automation. I don't know that that gets it every time. It's simple responses, but, you know, where we look at this thing is that we do have that human led investigation on the back end and we can make decisions and determinations, because at the end of the day, you're not fighting a computer.
Brent:There's a human at the other end of that who is controlling this environment. Yep.
Max:Who does this for a living.
Brent:Yeah. And if you can't figure out what they're doing or what's going on, you know, you're gonna miss. You
Max:know? I guess you walk into some situations as a greenfield. Right? You know, if you're talking about, like, a vendor of, like, we have the agent, and you can run our agent, and that's cheaper because we own the agent. We're not licensing it.
Brent:They're third party. Right?
Max:But, you know, as an organization matures to a certain point or certain size, like, there's a lot of stuff that's already there. You know, you get into this thing where you're no longer, like, looking at a greenfield. You're looking at, like, a game of Tetris, like, figuring out what can slot into where and what happens. And, you know, you said something earlier about, like, oh, we turn it on. The lights are blinking.
Max:It's working. I feel like you also described, like, the majority of companies that went out and purchased E5 security from Microsoft at this point. Oh, we went and we licensed E5, and we're in the cloud, so now we're protected. And there's just this whole idea of, like, oh, you know, everything's in the cloud. It's with Azure.
Max:It's with Microsoft 365. It's with Google Workspace. We're fine. We don't have to worry about this anymore. And then you're like, no.
Max:No. No. That's not exactly accurate anymore. You know? And that was, you know, relatively also a big shift for you guys of moving into, you know, I mean, Microsoft is the dominant desktop platform, and so when they release a security tool, right, like, there's just a certain bundle that happens.
Max:We don't have to talk about antitrust and bundling. I mean, I'll be into this world, but probably not. You know, there is a certain gravity that happens with that where people pull in, and that changed, you know, changed for you as well. Like, okay. Now, you know, we need to have a practice area around this and, you know, okay.
Max:You wanna run Defender's EDR and you wanna run some SIEM and you wanna run this thing, we don't care anymore. You know, it's like this. How has that changed things?
Brent:Well, I think you look at the budget again. Mhmm. Right? So there became this whole word of consolidation. How do we do more with less, or how do we move the spend to different spots?
Brent:So Microsoft, you know, obviously very smart company, and they're looking for more of that market share. They're spending literally millions of dollars on their cyber tools. Right? So while we would talk to people in the past, we'd talk about Microsoft and they go, well, Defender, you know. And you know what?
Brent:I'll give it to them, because we used to say that too, where Defender, you get for free, you know, you get to pay for sometimes. It's better than nothing. Yep. And then that's where we would put that EDR tool behind. And say, yeah.
Brent:Go go ahead and run that as your piece. We're there to catch the stuff that's getting by. Right? Now we would much rather have a more robust AV because it makes less work for the guys in the SOC. Right?
Brent:Okay. So now fast forward to they've really got a product that's up there. We evaluated it. That's how we ended up, you know, kinda getting closer to Microsoft. They invited us to be part of the program, so we're in the marketplace.
Brent:We're part of their certification program, and Defender for Endpoint is actually really good. Defender for identity, very good. I mean, you're right, it's their product. Mhmm. Right?
Brent:Defender for 365, very good. The thing that's happened in the past is, and I kind of harp on this, you'll hear this, the logs don't solve everything. There's a big spot for them. Yeah. But Microsoft changed what went in the logs at a point. They went and said, okay, Max clicked on a suspicious phishing email, and in the log they used to give you the link and the URL and you could see it and you could take action. And then they said, we're not gonna do that anymore, so it says Max clicked on a suspicious link, click here to go to Defender for 365 for more information.
Brent:Okay, so what did that do to all of your folks who were trying to do security through logs? It just stopped. Yeah. Correct? Yeah.
Brent:And the reason is, what did I say? They're investing millions of dollars into these tools. They want people to use the tool. Yeah. You know, they got a lot of pushback and they put it back in the logs for now.
Brent:But if you read ahead and see where it's going, that's where it's going. And so we decided, right, that their tools are really good. It gives us another response level. With Defender for Identity we can actually take action on identity. Again, it goes back to, I got, you know, 5 guys in IT, they go home on the weekend. If we see something happen over the weekend, we can actually stop it. Now we can disable the account, or, you know, we actually have dark web monitoring now. Say we find that someone's selling credentials on the web, we can proactively go in and disable those accounts or send them up for a password reset because it's out there.
Max:As an old Microsoft guy, like, started my career with NT 4.0. Right? You know? And so, I mean, you think about this as we were still, like, we were migrating people off Token Ring onto Ethernet. And it was NetWare, NetWare 3 to 4 migrations, GroupWise, you know what I mean?
Max:There's just the value of the bundle on the price point of the bundle is so compelling that, of course, it's gonna push enterprises into buying it. But, like, there's just something about paying the company to protect its own tools that, you know, it's like, oh, we have this operating system that's running, you know, that is so complex it's gonna have stuff happen to it. Right? So then you should buy your other tool to protect the operating system. You get into this, like, weird kind of circular conversation around it. Now from an MDR standpoint, from an MDR provider standpoint, it takes out a huge problem in your sales cycle, which is the SIEM.
Max:And, you know, you get to displace a certain amount of, like, oh, how many logs are you going to ingest, and how much does it cost, and what does that go to, and how do we scale this, and how do we size it? And we don't really know how much data you're gonna get, to be like, oh, hey. You're running Sentinel as your SIEM, and we'll just take care of it for you now. Right? Like, that's made some things easier.
Max:I had
Brent:to say. Actually, where we meet the folks, you talked about playing Tetris, and it's a journey. Mhmm. I talk about that too. And usually where we meet those folks is not, I've got Sentinel up and running and I know what I'm doing.
Brent:You know? Usually, it's, we're thinking about going to E5. They tell me with the E5 bundle I get some free ingestion in Sentinel, which you do. So you get 5, I think it's 5 meg per day per license you have, but it's only for certain pieces. Alright.
Brent:So if you're a bigger organization and you're looking at that and you're pulling in your firewall logs, which are Palo Alto or, you know, Fortinet, you're pulling in other pieces that are not Microsoft. You're paying for those, and they make money. Right? I mean, I'm from Texas. It's like turning on the air conditioner in the summer in Texas.
Brent:The meter's running. Right? So whatever comes in, they're charging. They'll send you a bill. Yeah.
Brent:I mean, I think what we end up doing is talking to them a little bit about some of the alternatives, because if they have a diverse environment where they're playing Tetris and they have some of this stuff, maybe Sentinel is not the answer. Mhmm. Yeah. Because we can provide another option where it gives them a year's worth of retention out of the box versus that 90 days they get with Sentinel. That's at a much lower cost.
Brent:If you have compliance issues, you can't do 90 days. So guess what? There's more spend there that you don't necessarily see. Yeah.
Brent:We love it, but I think some people need to be aware, unless they said, hey, I've turned this on and I know what my spend is and I am comfortable. Right? It's like when you go to the cloud and you don't know what you don't know, and how many machines, and how much my bill is per month.
Max:You gotta understand that. Oh, the fun of compliance where it's like, hey. We need 13 months worth of logs. We need 25 months worth of logs. You know?
Brent:I need 7 years. And we'll do what he got in here. Well, I don't know.
Max:Ah, because somebody read some something and decided that it was a 7 year mandate.
Brent:You know, I had a customer in there, been a longtime customer, and they came to us and said, hey. We're just switching cyber insurance and the guy says I need 4 pen tests a year. And I said you know, he called us because he's like, I I think you guys are doing a lot of this stuff already. So got on the phone with him, and I went through kind of the, you know, how we do what we do and and what services they have. And he's like, never mind.
Brent:You're good. Because in his world, he doesn't know what now he knows what we do for the company, and he feels pretty good about it. So, yeah, one pen test a year, I think, is weak. I doubt you.
Max:I have a client. I'm gonna be very careful with this one, but they have that supply chain mandatory pen test thing that runs. And, you know, their customer is using one of these, like, automated web services. It's not really sophisticated. But it's hilarious because the first time it runs, it fails.
Max:You know? It always finds something. You know? Like, oh, you're running a web server. Yep.
Max:You're right. We're running a web server.
Brent:You know? That's right. You're right.
Max:You're right. You got me. But what they literally do is they let the first test run, which gives them the whole list of remediations that they have to do. And then they find in their log what the IP address for the pen test service was, and they just block the IP address. They say, okay.
Max:We've remediated everything. And then the pen test runs again, and they say, hey. Look. It passed.
Brent:We can't get in.
Max:And then we we resolved all the things. We remediated everything. I gotta imagine that. I don't
Brent:know how people do that.
Max:I wanna talk about this case study you sent me. Sure. And this one actually stood out because, first off, it's an architectural design firm. Right? So high-tech user, but not necessarily, you know, I've had plenty of experiences with global design firms.
Max:It's a weird business in terms of, like, everything's moved into a period of design. The biggest ones are running cycles and shifts in different, you know, continents. So people work in one time zone, and then it'll go to another time zone, and you gotta have this, like, follow-the-sun model when they get large enough.
Max:But it's also, you know, maybe like this traditional IT-isn't-making-us-money industry, you know, mentality across a lot of architecture and design and engineering. You know, we're not a target. Nobody wants us. You know, there's nothing here of value. So it was fascinating anyway.
Max:That was the title of this case study that you sent. And, like, immediately, it was like, oh, this isn't what I talk about. And I don't wanna steal too much thunder here. Yeah. I wanna give you some, you know, share the background.
Max:Yeah.
Brent:Well, I think it's one of those industries, like I was telling you, we started in finance and supporting that. Right? And that makes sense. Right? The bad guys go where the money is.
Brent:Right? And then the kind of market evolved and realized we need this. So these guys had an existing, quote unquote provider that was doing some of the stuff for them. They got a lot of alerts. It's in the name.
Brent:Right? And so they were really kind of wondering, is this the right thing that we should be doing? And so they kind of started evaluating a bunch of folks. And I think if you look at the case study, they even talk about this. We kinda stood out to them, right, in terms of the ability to do different components.
Brent:They were managing their own EDR in house. They were kind of dabbling in the cloud, and the thing that they told us, like, we asked them, like, what's motivating you to do this? And they said, well, we actually see our designs show up in other countries. So the design for a building they did for somewhere in Los Angeles shows up in China. Okay.
Brent:Okay. That's interesting. Yeah. So when you talk about what is the loss, that's their IP. Right?
Brent:Right? So they weren't feeling like, hey. We're not secure. We're losing. We're leaking data.
Brent:And I think it reached the point where they used to create these big CAD drawings. Isn't it? And it's an executable. And they were getting ready to do a presentation to a company, and the endpoint software wouldn't allow it to run: malware. Right. So you're talking a, you know, multimillion dollar presentation and they can't kick it off.
Brent:Right? Because IT is managing the cyber security. Right? Okay. So we kind of talked to them about how we do things, what the structure was.
Brent:You know, their IT team, probably of about 5 folks located in the US, managing this stuff. And they really recognize that they're global, right? They have offices all over. They need the 24/7, 365 monitoring. But the uniqueness to what we were bringing was the ability to respond with the tools they have.
Brent:Now we had to replace the existing vendors that were in the SIEM portion of that. We replaced that very successfully, very quickly, got up and running within a couple of weeks. And what they realized as we were pulling stuff out and kind of redoing things was that they were double routing the log stuff into the current system. So the volume that they gave us was much higher than what it should have been. Close.
Brent:That makes sense? Yeah. I gotcha. So we were like, oh, okay. Yeah.
Brent:I solved that problem for you. That's a big financial thing. Right. You're not double routing. Actually, there's another piece to that where we talked about Microsoft, which I'll tell you because I know these guys pretty well.
Brent:So we got that down, and then we put the network service in. Right? Because they have locations where they have a large amount of folks and data centers and things like that. And we were seeing a lot of the telemetry and a lot of stuff that was coming through that we were able to react to and block and help them really harden that environment. I think that's part of my thing about the firewall.
Brent:It's on, it's working, but no one's really looking past that. So we were not getting the logs. We were getting real telemetry from that full packet capture and able to actually say, hey, we need to shut this off. Are you guys using RDP over here? Why is this port open?
Brent:Those type of questions started coming up immediately. Right? And so we helped, like I said, help them harden and tune that stuff. So we, you know, closed the doors. Right?
Brent:Right? Because ultimately, I say this every time, you know, it's like, I also provide vulnerability scanning to folks, because we offer a service that's 24/7, 365 with unlimited, you know, you can have as many incidents as you can. Now, of course, you know, we don't like that, so we want you to harden the environment and patch these things. So we do vulnerability scanning too, right, to give them a great patching proof.
Max:You don't own the customer's environment. They hire you to help them protect it, but you don't own it. Right? You can't dictate decisions on it. Right?
Max:So when you, you know, there's when you get into situations where it's like, hey. This is running. It shouldn't be running. This is bad. Change it.
Max:Do you still get a lot of pushback from people? Like, oh, no. It's not important. We don't care about it. Or have you gotten into a case now where, you know, your customer base is sophisticated and has had previous experiences to say, oh, thank you for finding this thing for me.
Max:Let's go and take care of it. Right? Because there is still that, like, disconnection between, you know, these two apps.
Brent:It's interesting for me. Right? Because you've got some folks where the CFO is in charge of IT and, typically, security. Right? Because it would well, no.
Brent:I mean, he's, like, doing Oh, that's
Max:okay. So so we're talking like
Brent:a pretty small organization. Yeah. Yeah. Like, but they're managing, you know, $1 billion in a fund. Oh, jeez.
Brent:Okay. So they're very grateful. Right? They're like, I would have had no idea. Please help me.
Brent:Right? And then they'll take as much as they can. And then when you've got a bigger team that's more red tape, right, there's things that take a little bit longer. Eventually they figure it out. But I remember we did a company that was a big law firm up in Dallas, and we put in our network sensor and we're monitoring the stuff and we're kind of alerting on this. It's a QNAS system, and we said to them, hey, it's beaconing out to all these different countries.
Brent:Is this expected? And they ignored it. And finally we had a meeting with them, and the SOC was telling me, right, because I was involved in this deal, that, you know, this machine, we're not really sure what it is, but it's trying to reach to Singapore, Taiwan, all these places, for whatever, we don't know for what. Yeah, we're blocking it because we view it as a problem, but they're not really saying anything. So while we're fighting that, you know, fire, if you really look into the news and you read, that became a problem because it's in the firmware to do that.
Brent:Yeah. And if I have my storage device trying to send data out of the country, is that a good thing? And with just a firewall, well, it's all good. I mean, look.
Max:I rant about this plenty of times, but, you know, 99.9 infinity 9 percent of firewalls are deployed to allow everything from the inside out. You know, if the request originates from the inside, it's allowed by that device. I mean, okay, we can get really nerdy. It's the PAT device, but it's designed to get you on the Internet, first and foremost, which is a lot of traffic from the inside out. And not a lot of companies will go through and harden or restrict that ACL as traffic goes outbound, just because it's a nightmare deal.
Max:Like, this isn't like out. I wouldn't even call it, like, neglect. There's a lot of things I'll say where, I mean, it's just, it's too hard. And that's one of the things I really like with, you know, a modern SASE or, you know, SWG, that once it gets deployed, now you have something that's in line. You can start doing policy and enforcement and detection on it as well, and it gives you that, I don't know.
Max:Maybe that starts pushing, like, my offensive question. People like, okay. Something is now in line that can help you out a little bit more. You know, you talk about, like, companies with, you say, like, a 5-person IT team. You know, a 5-person IT team is probably supporting a 400, 500, 600 person company.
Max:Well, these guys have, you
Brent:know, I think just over
Max:1,000 employees with 5 in IT. Yeah.
Brent:Yeah. 5 in IT. Right?
Max:There you go. 200 to 1. Right? Yeah. I mean, that's challenging because at 200 to 1, you know, your hair is on fire just keeping devices running.
Max:Like, forget anything on top of that. Like, it's just, that's, like, the super, you know, you're gonna get to. Like, show me your folder in Outlook where you're filtering all of your log detection, you know, events. You just don't have the resources.
Brent:Yeah. Well, I think they they quickly realized when we started seeing stuff on the network and then the log and then reducing the stuff and really kinda bringing that together for them. They were managing their own EDR, as I said. So they said, hey. Can you manage what we have?
Brent:And turns out we could. Right? So we were able to absorb that as part of the service. So when you now look at where we got to, we were getting telemetry from the network, from the logs, as well as from the endpoint, all into our back end, which is kind of the best way to do this. If you look at it, if I just have a part of the story and no way to respond, and this is where I get back to, if I just get logs and I don't have control of that endpoint, the endpoint may become compromised and not give any signals.
Brent:But the logs will tell us when they try to move around. Mhmm. So we actually have seen cases where the log triggers an event and we're able to jump in, correlate, go out to that endpoint and isolate that endpoint and stop the threat there. Now of course the question is, why is the endpoint, if you look at who we work with, we work with the best of the best, why isn't that picking it up?
Brent:And that goes into, now when you look at what we do in the SOC, we are actually backed by our threat response unit, which is made up of guys that do threat intel. We generate our own threat intel. Last year it was 35%, 12% seen by nobody else. Right? So it's pretty good because of the amount of stuff we see. And keep in mind, we subscribe to, like, some pretty expensive threat feeds.
Brent:Right? And then it's also got reverse malware engineering guys. So with the new stuff that comes in like that, we're gonna break it down and figure out how did they get by this. I remember seeing one come out and the process tree was like a mile long. EDR is gonna break at some point.
Brent:And if it goes that deep and then runs some little command, they got, I don't know. Even if I'm doing it, looking at it myself, if you're not a seasoned veteran.
Max:You said something, though, that I wanna highlight for a second, which was, I mean, the first part of it is, if you're running into this and you're trying to do this internally, or you're trying to outsource this to your, you know, your neighborhood MSP, right, it's not just a people resource issue. Right? It's also, like, what's behind the people and what else, you know, like, how much are you seeing? You know? You sit at a position where you see lots of stuff.
Max:You're getting lots of data. You're seeing lots of networks. You see a much bigger, like, position of the Internet of what's happening at any given time. And a lot of that, you have internal proprietary, and then you also subscribe, you know, keyword. You buy data from other organizations to give you augmented information on top of that.
Max:And, you know, like, a little MSP that says I've got 3 people on my security team, they're not spending the money to do this kind of correlation. Because, again, they don't have the resources to even think about doing it, or they can't aggregate it because they're not equipped to aggregate either. So I
Brent:think that's that's also, I don't know how
Max:to, like, educate or talk about these things in terms of, like, what those scales actually are, you know, and sizes. You gave a number earlier, and this was an example of, like, hey. Our cost for the year was $75,000 to this organization. That number stood out to me for a couple of reasons. And the first one is when you talk about, like, average salary for an IT practitioner, and then you can do it, like, weighted based on, you know, taxes and everything else.
Max:Right? Location. Right? But, you know, it's pretty common to say you have a 60 to $80,000 range for an IT professional inside the company. And it's not like a super senior person.
Max:This is just, you know, in your IT team. So from an efficiency standpoint, I think the dirty thing that happens that people assume, like, outsourcing or bringing in service providers, like, you're coming after the jobs. And it's like, well, no. You're not coming after them, you're trying to augment and let you, like, live a better life, you know? But at $75,000, that's roughly 1 IT person worth of expense.
Max:Let's just, you know, approximate. And if you say, okay, that's 200 devices at the high end of the scale for a lot of people in terms of protection. 200 users to 1. You know, your coverage ratio, and I'm inferring a lot here in my head. Right?
Max:So correct me that the coverage ratio in terms of devices to cost to, like, what it would actually take you to run this internally is probably way more efficient than people even understand. Well, like, I
Brent:I give you that number, right, as a baseline, because that's the actual number in the game. And that included the hardware, software, 24/7, 365 support. Mhmm. So if I get one guy, and a security guy is more
Max:expensive, then just call it what
Brent:it is. Yep. That's more mine. And how do you retain them? No.
Max:They don't they don't stay. That's the thing people don't understand. It's not even about hiring them. It's about retaining because your job sucks. Like, I'm looking at your logs.
Max:Yep. And that gets cannibal. Yeah.
Brent:So, yeah, I mean, it's way more efficient in terms of that. And you're right. We're not coming after their jobs, unless they said, hey, I built a SOC and they kind of are no good, then, yeah, then we are. But the reality is that we need guys on their side in IT, or with some security hat that they can put on, that says, hey, we saw this, we've responded in this way, we've isolated this host. There's also problems over here, or business email compromise, right?
Brent:That's the big threat that's kind of real scary, actually. I got into your email and now I'm emailing other people as you, and they know you, they like you, and they trust you. Yep. And I'm posing as you, and then I have these rules set up to delete those sent messages so that you can't kind of figure out what's going on. You know, we can detect that stuff and help with that.
Brent:It's very tricky, right, because it's about finding those rules and those auto forwarders and those things that are in place, and then looking at logins and where things are coming from. You know, the customer at that point has to have the savvy to say this is happening. Let us know so we can look at it. So, yeah, I mean, it gets down to, I can't even hire a guy for what it costs for the service. Granted, you know, you can buy the whole menu and make an argument, but I'm gonna bring the hardware and the software in most cases. If you say, hey, I already got my own software, Microsoft.
Brent:Okay, great. Then the argument comes there, but you still, you know, need the management and the people with expertise to understand that. Right? Because if you give it to an IT guy and he said, well, this trigger went off, I don't know what that means. And you better have the ability to find someone who can help you.
Brent:Right?
Max:I do this a lot in terms of, like, what's the maturity of the buyer? What's the maturity of the organization? I mean, I've been at this for 25 years. I mean, I was like this personality. It's like you have a, you know, maturity curve where when you're at the beginning stages of that, you want to do everything yourself.
Max:Yeah. And there's a certain of, like, well, I wanna figure this out. I wanna learn how to do this. This sounds, like, fun. I wanna buy this box.
Max:Like, you know, and it's not necessarily, I wouldn't say, like, malicious is the right word, but it's not necessarily, like, bad. Like, there's no bad intent behind it. It's just like, I wanna do this thing. Right? And then as the maturity in this time and industry extends, the shift becomes, my value to the organization isn't buying the box and typing on the keyboard anymore.
Max:It's executing the program to keep the business functioning and growing. Right? Like, that becomes a big maturity shift, okay, for a lot of people in the IT space around, if I can bring resources on that are more efficient than what we could do ourselves, that's a win. Right? It's a win for me because I can take vacations
Brent:Yeah.
Max:Without my cell phone and my computer. And it's a win for the organization because the organization gets what it needs. Right? And then, of course, more efficient resources and things like that play out. So that goes back to the earlier question, right, which is, you know, how do you sell this to somebody who's not buying it?
Max:Or how do you sell this to somebody who's not already had a bad experience, either with another MSSP or MSP, or trying to do it themselves? Or, oops, we did have the incident that people told us we were gonna have that we didn't think we were gonna have, because, you know, we're an HVAC contractor for Target and we're not a target. It's a fun pun, non intentional output.
Brent:It's a circular, what you call it, benevolent. Right. Right? You know? What pushes that conversation?
Brent:So, well, I think what's happening, you mentioned it earlier, right, is that cyber insurance is getting more and more stringent on what you have to do to have it. Mhmm. So some of these companies who, just like you said, hey, I'm gonna buy an insurance policy and do what I want, can't do it anymore. They can't pencil whip that stuff in. Now if you look at what we see with cyber insurance, they're saying you have to monitor your logs 24/7, 365.
Brent:You have to monitor your EDR endpoint. You have to have EDR in it. Okay? So you have to have network protection in place. All the things we've been doing for years, they're now saying you can't get a policy with us unless you're doing those things.
Brent:We sat down and talked to a guy and he was like, well, my cyber policy is gonna go up either 75% or 300%, but I need to do the things you do. How do I get on your softening?
Max:I I need to do the things you do as a baseline
Brent:just to only get the 300%. To hit the 75%. Yeah. So, you know, the guy was with it. So you're saying 75 percent is a good thing?
Brent:He's like, it's an unbelievable thing. Yeah. And so they're getting tired of pain. Okay. Let's just figure it out here.
Brent:That's so they're pushing it down. Compliance and privacy are pushing down more and more. You have to be able to show and prove these things. So in the smaller organizations, an HVAC company, unless they're getting really bigger an organization and bought up by someone, we see this a
Max:lot, mergers and acquisitions. Lot of PE activity ad kind of industry right now. Yeah.
Brent:So I bought Joe's AC, and now I'm bringing him under my umbrella. And now he's part of my risk. And then we'll, we actually will evaluate it for them and say, holy cow, you need to really and some of them have it it really ironed out. Right? When they're going, you're gonna do this and here's how it's gonna go and everything's coming into our back end and they've got like a, you know, network in a box.
Brent:Okay. So so we got a couple of different ways of solving it, but that's really what is happening is the insurance, the guys who say, I can just buy insurance and I'm covered. I mean, you remember the guys they've had on the whiteboard, you know, don't turn on your computer today. You remember that whole thing? Right?
Brent:I mean, it's a while ago. It's these these are, you know, today, you know, that that's a reputational thing. You can't pull back. Right? And and so that's part of it too.
Brent:I mean, I think if you look, right, Max, at what we did, we bought a company that that was an IR company. Mhmm. They had some cool software that allowed us to do some things in in an incident response that, you know, faster, better, whatever, all that stuff. The real reason I think that we were interested in acquiring that is because it's a great source of leads for us. The guys who don't believe and they get beat and then they end up in this IR world where they're paying literally $400 or $500 per hour for someone to come in and try to figure out what's going on.
Brent:Yeah. To figure out
Max:how bad it is. And then
Brent:they go, well, tell us about this MDR thing that you talked to us about earlier. Yeah. It we weren't designed to kinda after the fact come in and do something. Yeah. So if the MDR was rolled out, the odds are we saw it, we put out that fire.
Brent:Yeah. We saw it here, we correlated it here, yeah, we we put out the fire before it became an event. Right? Now I'm not gonna tell you that we don't see things like you can go to my website and look under I tell everybody this because I I think it's a actually really interesting story. The threat response unit has a page called resources that has videos of things that bad things that happen to good people.
Brent:Right? And there's there's one on there that we actually wrote a detection because we saw how the the bad guys were getting around stuff using living off the land binaries, right, and using stuff that looks like on the processes. And we're doing our thing and that trigger went off. And so it created the investigation in the SOC. The guy started looking at it and then said, wait a minute, this is actually the worst thing that could be happening.
Brent:And so as it got escalated to the incident handlers, right, they peeled back the view and said this is on 200 plus computers. It's 3 in the morning. Okay? No alert's gonna do anything. Mhmm.
Brent:So the guys in the SOC made the decision to isolate all of the machines. They dug into the registry because they had actually put a logic bomb in there to encrypt. And it was a scene for mission impossible. I gotta un you know, unwind this stuff before the timer hits 0. And they were able to do that successfully for the majority of the machines.
Brent:And when so when the customer came in in the morning, they had no idea. I mean, that's if you can't understand what could have happened, that company would have gone away at night. And it it's not fear, uncertainty, and doubt. It's, yeah, it's fact.
Max:And I had a client hospital, county funded, and, you know, I was out of the engineering operational side of it. At that point, I was talking with them, and they had renewal firewalls that had never been patched. And, I mean, you know, like, your traditional your typical traditional typical low like, just not a lot of budget. Right? You make the best.
Max:You you you do what you can with the budget you have kind of so and part of that was just not having that technical expertise and resources necessary, you know, to take care of certain things. And I got into a conversation that was basically like, I will come in and do this for you for free. Like, let us help you solve some of these basic problems. Like, you need to do some you need to update your firmware. I mean and then there was like a known exploit on this particular firewall manufacturer.
Max:My firmware was like, let it like I personally will come tonight to your hospital and sit in the computer room with you and show you how to oh. And I think the networking chair was on vacation was the other part of it. I was telling the CIO, like I will do this with you. Like you will you can stand there with me and watch me do it. You should do not have to pay me.
Max:Just let me do it. You know, it was kind of the thing. And they ended up they ended up with Petra. And they ended up because they were a trauma center, and their entire system went offline, you know, half you take and put people on the ambulances and transfer them to other hot you know, other other facilities. And fast forward, you know, some so I mean, that that I'm giving this story like linear.
Max:I mean, there's there's gaps in time here. You know? From from the, like, please let me help you to, like, something bad happened. It wasn't, like, the next day. I mean, there was Yeah.
Max:There was a significant gap of time. But then after something bad happened and they were going through recovery on it, it was we can help you recover this. Basically, it was like like, I'll just let's just show up and just, like, set fire to everything, basically. Just rebuild your environment from scratch. Like, right now, like, let's just get started.
Max:And the CIO was, oh, we need to hire, you know, we need to hire a team to come in and go through and figure out what happened and how we prevent it from happening. No. You don't. You don't. You you're what happened is you had nothing running and you weren't doing anything about it and you were patching.
Max:I can tell you what happened already. You don't don't go spend $1,000,000 to be told that you had nothing in place to then try to figure out how to start recovering from it because all you're doing is you're just delaying your recovery 5, 6, 7, 6. It was a really interesting frustrating experience for me to sit through of, like, the that, like just that, like, mentality on the other side of the table. And, I'll never forget it. I mean, it's just it's it's I mean, of course, I'm just like, for all the ships, just let's just go in, you know, and and get you up.
Max:Alright. This isn't difficult. They weren't that big. It wouldn't have been that big of a thing. Like, you know, we're we're talking about, like, a thousand devices.
Max:You know? It would suck, but
Brent:it wouldn't have been that bad. Well, if they had, you know, backups with the ability to restore,
Max:if they had any sending
Brent:that would've though. I I their backups are corrected. You know? Yeah. That's the the thing that they don't get.
Brent:Right? If they're not watching that, then they know, like, if I can get to your backups and I can kill those or they've never tested them. The initial yeah. The odds are you you go up that you're gonna pay. I mean, they have better tech support than, you know, we're giving them.
Brent:Right? Let's just call it what it is because they want you to pay. They want you to have a good experience and come back again. Right? Repeat.
Brent:Customer service is at its optimal there. But I think that, you know, sometimes we've had that where folks, you know, we're telling, you know, the service and the guy is like the decision maker. The guy, okay, says, this is good, but I need you to do a pen test first. And I say, well, you know, you can take that money and invest that into the solution and we're like looking at this stuff in real time all day every day. Much better than a pen test.
Brent:And he's like, I understand what you're saying, but I can't get it approved until you show me there's a problem. Blood in the water. Oh, genius. And so we do the pen test, come back with the results. He's super happy.
Brent:Right? Like, okay. And you found the vulnerabilities that's gonna get me the money to do. Now that is a reality of where they're saying, you know, we don't have an unlimited budget and no projects and nothing's going on in the world. They do have budgets and some of them don't have a budget.
Brent:So to show them here's the problem, and that's an extreme case where the problem is you have a problem. Yeah. But we run into that too.
Max:I mean, how often is that? Right? Because from an evaluation and onboardings, you know, you can go through and put a a network sensor on and forget, like, deploying an EDR or re or repositioning the EDR to point to you. Right? Like, just putting a network sensor in and running it for a while and seeing what comes back.
Max:I mean, how often is that in a sales cycle, like, the linchpin in the sales cycle? Saying, okay. We put a sensor out. And by the way, did you know that your NAS is sending all your data to some other country?
Brent:Yeah. Well, I can tell you a real life story. Mhmm. We had a a big, grocery wholesaler that signed up for the network service. They already had something for logging and they already had an endpoint.
Brent:We put it in. The first thing that happens is we stand it up and we go into a tuning mode. Now the tuning mode means that everything is guilty until proven innocent. Right? So first weekend, we turn it on.
Brent:We call them up and say, hey. You have 18 machines infected with TrickBot malware. And their response was interesting, kind of like a dog, you know, like, tilted his head. Like, that's impossible. And we said, here's the forensics.
Brent:Right? Like, here's Chase. There's 18 machines. They're checking in. Right?
Brent:And they said we said, why is that impossible? I said, well, we have Cylance, and and Cylance solves everything. And so we said, okay. Here's here's the forensics. Here's the you know, we'll figure that out.
Brent:And then then we reconvene on Monday, and they said, okay. Cylance. And that we have it configured wrong. And then, we said, oh, by the way, do you know you have 4 active tunnels to South America? And they were like, no.
Brent:Shut those off immediately. So that led to a much bigger conversation about why is the endpoint not picking this and and why is it misconfigured? And we thought it, you know, according to marketing, solves 99.9% of our problem. So, yeah, it ended up being that they switched over, brought us in to do the endpoint immediately, and then, you know, the log was already on the schedule. You know?
Brent:Sometimes, like you said, hey. We have this technology, this tech net. We have to manage it for a certain point. The beauty of it is at that point we were already doing the network service, proving our value in the first two days. And then that moved to an EDR piece where we're bringing that in more telemetry and then the logs when they switched off.
Max:I mean, there's a phrase. Right? Just defense in depth. Right? Like, this this blind, like, mark I mean, I hate tech marketing.
Max:Like, it's it's it's one way. And then going back to, like, 98, 99 where it was trying to be like, hey. We need a cluster for a database, and what is cluster? You know, I'm like, oh, everything's a cluster. Yeah.
Max:I was like,
Brent:there's another word for that.
Max:Yeah. Everything. You check the box. Right? Do we do clustering?
Max:Yes. We do. Check. Yeah. You're like, okay, now evaluate this technology.
Max:But, you know, like, you can't really assume that any one thing is gonna be infallible or or be perfect. Right? And and that's why it's like, you need to have a security email gateway, and you need to have, you know, a network sensor, and you need to have an EDR, and you need to have this, and you need to have that. And and then, of course, it becomes, well, budget and then priorities and how do you layer this stuff up in in in what order. Right?
Max:And, I mean, email vulnerabilities are key. And the SaaS was like, it's hard because SMB and the smaller side of the SMB market, you know, like the sub-two-hundred-user, it's hard to get them tools that they need because they don't have the budget. They know the experience. They don't have the, you know, resources for it. And you're like, okay.
Max:Well, I know you're on the small business version of 365
Brent:or
Max:on Google Workspace because you're 200 people. But you really need to be on the enterprise version of it because you need to get access to this feature in order to bring this other tool on top of it in order to protect you what you actually need. Like, you know, a conversation a couple weeks ago. Real estate GP, small team, sponsoring multimillion dollar deals, and they wired money out to an LP that they thought was the right place, and it wasn't. And, like, they knew what like, it was not a game.
Max:And, like, you know, I mean, after the fact, he's like, they knew not to do that kind of stuff and it still happened because it just it just finally, that one moment took place in the right like, timing just conspired against them just perfectly and they got the money back, thankfully. But, you know, that's pretty weird. But they're a small team. You know? You're like, okay.
Max:15 people, you know, 20 people.
Brent:Like, they don't have the the capacity for tools for that. Well, I think it's a false sense you mentioned earlier about I put it all in the cloud. Right? I switched I switched to that, and I'm all good. Right?
Brent:Well, you know, I mean, you read the agreement. They're protecting their stuff, not English stuff. It says a point blank. It's a shared responsibility model. Mhmm.
Brent:And so if you do things badly, it's on you. Right? So, yeah, I mean, email gateways and and work to a certain extent. And I always tell people, like, I joked about the firewall earlier. I never gonna walk in and say throw out your firewall.
Brent:Oh, I do.
Max:Let us do it. Hey. That's doing something. Right? Keep it there.
Max:Let us help you. For the record, I do tell people to throw
Brent:the firewall.
Max:Oh, okay. Alright.
Brent:So I know. But I but
Max:I want them to replace it with something else. Yeah. Right?
Brent:Yeah. Okay. I get it. I can I can get behind that? You know, for us, yeah, we would love to to have that too because if they're running something they'd have, you know, or, you know, I don't have it configured properly.
Brent:Mhmm. It's more work, right, for us. Like, it's we're already looking for a needle in a stack of needles. We might as well cut out as many needles as we can. Right?
Brent:So, but yeah, when you switch to the cloud and they go, we're all secure, we're all safe, and or I got an email gateway. If we have an email gateway that solves everything, why are we still dealing with business email compromise? Yep. Right. So it gets down to, I remember hearing a guy give a talk, and this was the most interesting story because he was talking about an attorney who had gotten his email and things bad things were happening.
Brent:And you know that the law firm, they know a lot of things about Lado, Roligan, and CF. So he was talking about how, you know, I don't understand how they got in. I'm you know, it's all in the cloud. It's all hosted. And then they as they dug into the forensics, he was, like, told, like, it was because your Yahoo email was compromised.
Brent:When was the last time you changed your email address on your Yahoo personal email? And he goes, I have never changed that since college or whatever. Framework. End story. He's yeah.
Brent:He goes, tell me it's not me and the guy, I mean, it's you, you know? Like, so even though you're in the cloud and your users aren't doing good hygiene and they're sharing passwords I mean, we've seen that. We walked into actually, we walked into a customer in Southern California, that's just down the road here, And, the guy, yeah, we're meeting with, right, just, you know, we're talking to him about new stuff because we always bring out new stuff. And the guy in the back goes, he sent tires here. You know, when I come in and say he goes, oh, I love those guys.
Brent:And he he goes, what what happened? He goes, just this morning, they gave me a notification that my employee in the UK had been phished. And I called the guy in in the UK and I said, hey. Did you just change your password on, on your Apple ID? And he goes, how did you know that?
Brent:And he goes, did you click on a link to do it? And he goes, yeah, I did because they said I had a problem. And then he said, Well, hopefully you're not using the same password for my corporate ID as your Apple ID because I'm kicking you off the network right now. And we were able to detect that and give him the notification in a timely fashion that, I mean, we've all had that.
Max:I so this is where I was saying earlier, which is really smart people make bad decisions. And when you have really smart people that are just on the on the unfortunate receiving end of a professional who has experience at scale, Right? Like, you just you you don't stand a chance. Like, you just you you know? And especially if, like, you know, the wrong timing of circumstances conspire against you because that person is, like, late to go to his, you know, child's dance recital and is, like, struggling to get out the door.
Max:And then something else is going on, and the dog's in the hospital, and, like, the car's in the shop, and then something else is going on. And then they get this thing, and they're like, okay. I just can't deal with this right now. I'm just gonna click it. Right?
Max:And you just got that moment. And it's like so they're, you know, the cause of it. But, you know, you just you you your your threat envelope increases. You know, each each person you hire, each device you put on your network, you just, you know, you have this, you know like, it just gets worse and worse for you. You know?
Max:And you can't you can't protect now. I mean, my argument against that specific example is, you know, hardware-based 2-factor authentication, you know, which is so many companies don't wanna roll these things out because they're perceptually a pain in the butt, right, to manage, but it's really hard to take advantage of somebody's hardware-based 2-factor authentication mechanism into your network because you can't use Cyrillic lettering and fake it URL bar that people think is the same because the hardware piece and going, no. That's not the same website. Am I giving you my credentials?
Brent:Yeah. Well, I think what happens is in companies that, traditionally don't use security Yeah. The guys who wanna adopt it are the ones that have the most risk. Oh, jeez. Yep.
Brent:Right? And you think the law firm. Yep. Right? Everybody's doing some sort of 2-factor authentication except the the guys.
Brent:Yeah. The main people that are at risk. They're like, it's too hard. I'm not gonna
Max:do it. Yep. Take it off. Well, the quote I got was, that sounds like a drag.
Brent:Yeah. Well, you know, it's it's never really you know, that's the challenge. Right? Is that how much is enough, how much is too much, and when does it become an inconvenience? And a lot of it has to be someone has to get Mark to really get to that point.
Max:Well, I mean, I don't know what the exact math is. Right? But if you're talking about an architecture firm who's finding their buildings being built in other countries Yeah. You know, I mean, the value for a building is half a half a billion dollars, let's say, in construction costs. Right?
Max:So it's, like, your $50,000,000 architecture fee. Like, these are high rises. Yeah. Right? Not small things.
Max:I mean, that's a pretty big deal, you know, with a lawyer if you're involved in any sort of M and A activity. Right? You have not you have you have nonpublic information that's going on about a company that can then be used to manipulate a stock price. Right? So that's actually spawns a question, which is board has a has a a fiduciary duty, right, to the the stockholders of a company to make decisions in the best interest of a company.
Max:Right? And a billion years ago when we were dealing with, you know, BCDR, so Southern California, it's always the 10.0 earthquake is the thing. Oh, we have to be prepared for the 10.0 earthquake. And it became this exercise around, what do we have to do to be ready for the 10.0 earthquake? Okay.
Max:We have to have a second data center. We have to have this. We have to do that. We have to do this whole thing. And I've written more business company disaster recovery plans in my lifetime than I I ever wanted.
Max:I mean, like, if I never write another one on a big one, you'll be okay. Very happy. It was really frustrating as an IT guy because I didn't really understand that the exercise wasn't implementing the plan. The exercise was writing the plan and then letting the board say, oh, it's too expensive. We're not gonna do it.
Max:But we stamped our fiduciary duty to say we evaluated the plan. Right? It's not. How do
Brent:you think
Max:that's gonna shift now? Because there becomes this this thing of, like, oh, you know, again, risk risk tolerance. Well, the risk of the 10.0 happening is so low that it probably isn't gonna be a thing, and we shouldn't spend this money because we won't see a return on it. But cybersecurity isn't like I'm gonna say like it's a good guarantee you're gonna have an event,
Brent:but it really feels like we're we're getting to the point where it's a guarantee that you're going to have an event. And the question is just how severe is it? So when do we cross over and start talking about now are we at personal liability within the board and the c suite if certain things don't happen? Well, that that comes from regulations, right, and the teeth that they can do. Like, if you look at the SEC, right, they would they had guidelines and then kind of things, and now they've switched over to now where you have regulations and things you have to do and then you have to report.
Max:Well, they have the reporting requirements kicked out. Yes. Yeah.
Brent:And then now there's fines associated with things because we we run into companies. Right? That was our bread and butter when we started. Mhmm. And they said, well, I'll just pay the fine.
Brent:That's my answer because it's cheaper than your service. You know what I mean? And so No. It's not. Yeah.
Brent:Well, anyway, if that's what their thought was, they're they're not switching. Right? Yeah. Because there's more, of that. I don't know the answer to that.
Brent:Right? Like, that is an interesting topic. But, if you look at the guys like SolarWinds, when that whole thing went down, you know, the c suite pretty much was that was all cleaned out Yeah. At some point. Right?
Brent:So you you had your it it was a resume generating event. Right? I know he's a
Max:he leads a security team for a large company, And, you know, he had an experience with his boss where it was, okay. Give me the laundry list of what you need. You know, put the plan together. And not to say they have no security, but, like, he came back with a very comprehensive plan around what was necessary. And, of course, it was rejected.
Max:It was like, you can't we're we're not gonna give you the money to do this. You know? Figure figure you know? I'm like, if you want this much, we're gonna give you this much and, like, figure it out. It was a conversation that was happening with him, you know, really came into this, like, sense of, like, he, you know, was collecting a good paycheck, but he was well paid to be fired Mhmm.
Max:Is how he kind of expressed it to me. Yeah.
Brent:You know? Well, there's there's the acronyms. Have you heard those for the CSO. Right? It's a chief scapegoat officer or whatever.
Brent:I forget the exact thing right now. But in the past, they they didn't really have a program to become a CSO. You were just promoted into that. I had to care about it because you were the one they were going to, you know, put out there for everybody that you've missed the mark when if something, you know, happened. So now it's changed a little bit.
Brent:Right? Because if you really look, though, those guys are the average tenure is about a year and a half, and and they'll move. Yep. And then the guys who've been through an event where they've lost their rats and more and all, they they don't wanna do it again. No.
Brent:Of course not. Right? And so they'll come in. I mean, we see a lot, right, where guys will move companies and bring us along. Yeah.
Brent:Right? And that's how we've moved upstream a lot. Right?
Max:Well, this frankly. This is the beginning. Right? Like, this whole, like, scar tissue. So you have to have enough experiences with this, like, directly can we have locks on our doors.
Max:Why? You know, how many people have been you know, their house has been robbed, or is this just like institutional memory that's passed down over, like, multiple generations of, like, yes. Lock your front door. You know? A little more complicated that in cyber.
Max:Like, you can't just lock your front door, so
Brent:to speak, anymore, but the windows are open then.
Max:I will have free credit monitoring for the rest of my life. I got a letter I opened up last night. And this, of course, is, you know, the the our third-party cloud processor, you know, had a breach or whatever, and I won't name who it is. But, you know, at this point, everybody's probably knows, you know. And, you know, blah blah blah blah blah blah.
Max:You're reading through the paragraphs and, you know, it's like and they didn't actually disclose what was lost. But, I mean, I know everything. It was everything you have on. It was like, oh, but you're click click this link with this code to get your free credit. It's just like, great.
Max:Wonderful. I mean, I mean, literally, fuck. You know? But that has, like, a scaled risk mechanism. And I wonder if it's like, okay.
Max:Is insurance not the default for insurance? Like, is an insurance company is gonna buy Experian at some point because it's cheaper for them to offer the free credit monitoring package if they actually own the credit bureau? And and you
Brent:didn't ask for them to do anything with your data.
Max:I didn't want them to have my data in the first place, but but but then you get to this whole thing where you're like, you know, what's it actually cost them at scale to negotiate credit monitoring? You know, they're spending $5 on me for the year for credit monitoring.
Brent:Well, it's way less than doing nothing and then having, say, some lawsuit form and all of that fun stuff. So, yeah, it's a de facto thing. I'd have quite a bit of credit monitoring as well. I think my phone company just sent me one for another year. Yeah.
Brent:Right?
Max:And they're free credit monitoring for life.
Brent:You know? And so the good news is I already kinda have it through, I think, one of my credit cards that I have, and they just anytime they send me an email, I'm afraid it's a phish. So I go to the other source and go and I log into that app and I look and see what the difference is. And I'm actually it's interesting, right, because you can make $1,000,000 a month and your credit score could be, you know, 500. But if you're in debt, you
Max:know, your credit score is pretty good.
Brent:Right? So that's a
Max:it's a little bit of a of a interesting paradigm there. But, yeah, I'm always kinda wondering who drives this. This. We see some of it being the insurance companies driving it. They're like, you know, insurance companies don't wanna pay out.
Max:Right? Of course, in the business, in order for them to make money, they have to not pay claims. So this becomes more and more restrictive. And right now, you you know, it's like, okay. You have to run a security mail gateway.
Max:You have to run an EDR. You have to do security awareness training. It's like check, check, check. Right? And people go out and check those boxes.
Max:And it feels like the next step of that's gonna be like, okay. You were running an EDR, but you didn't configure the EDR, or you didn't look you know, like like or, you know, like, that's how you get more and more stringent, right, is my perception on these things. What I'm curious about becomes the like, when does the D&O insurance get pierced? You know, pick pick any major exploit that's happened or compromised. You know, people lose their jobs.
Max:That's that's usually the result. Right? You know? Like, maybe there's some, you know, some plug in the organization that maybe stops it for a while, but eventually, Sony Pictures, you know Yeah. The president lost her job over that hack.
Max:Right? It's some point somebody goes. But when does it actually shift from or do you think does it shift from, okay. You lose your job, that becomes personal liability to, like, oh, you didn't invest in basic things. Like, now you're personally liable.
Max:Not like your insurance is gonna defend you, but, like, you've now breached, you know, like a like a basic responsibility of, like, you are personally liable because you said, no. Let's not go out
Brent:and buy the EDR. Well, I mean, I I think people would reconsider those jobs if that became a personal thing. But, I mean, to some extent, your reputation is there. You know, I know I would look differently if I was hiring someone from
Max:one of
Brent:these companies that really got owned bad and it came out that they weren't doing the right things or not patching their Apache servers. I would suggest that that's a problem that the interesting thing is, yeah, I I don't know the answer to that. I haven't really thought about that, Max. Right? Like, when does it cross over into you're saying I'm signing up for that and if if you try and do the right things.
Brent:And I'll tell you what, we've seen it in, like, where we had a company that we talked to for quite a bit. This is I don't know how much time I got.
Max:This is a very good way of flying time. Let's hard it scale. Alright. So Jesse won't he can start flashing a light at me, but we're we're gonna keep going. Alright.
Brent:So here here's the situation. A trading company.
Max:Okay. Right? We said trading like like brokerage stocks or trading like okay. Can I go ahead?
Brent:They're a trading company. Can I and they're they're doing that that as their business? So they have a cyber security folks. Right, they have networking folks, and they said, hey, we need to get the posture. We wanna bring you guys in and we wanna do these things.
Brent:And then the network sensor was the first thing to be put in. Well, you say equipment? Yeah. So Cybersecurity guy said we're doing this. The networking guys in Chicago said to himself, I used to work at a MSP and how terrible it was because they didn't have the support.
Brent:So his personal feelings of how we would do this affected his judgment. So he put us in on a switch 3 layers deep monitoring, like, 4 or 5 users so that when they evaluated, you know, at the one month mark what we were seeing, we were seeing nothing. It was like we're sitting there, kind of in the conversation before the meeting saying, why are we not seeing any traffic? Why are we not blocking anything? We should be seeing something, a lot of things.
Brent:We didn't know he put us there at the time. So then we had to go back to the security guy and say, you know, we're really not seeing anything here. You know, this is, like, odd. We're not sure. Yeah.
Brent:And so the security guy was like, okay, let me find out what's going on. And he came back a week later after he figured out what had happened. And he basically said, hey. I'm leaving this organization because they are not gonna do the right things. They're not gonna protect themselves.
Brent:So he actually put in his resignation with no job and went and found another job. That company got breached a while ago because they we basically decided we weren't a mutual fit right at that point. Right? Because if if we weren't adding value Mhmm. And they were not willing to do the things, right, let's just call it what it is.
Brent:Yeah. But he was right, and he made his personal brand decision based on what he saw the reaction when that he figured out why we weren't seeing anything. He went to his higher ups and said, this guy did it this way. There's no chance. And they just said, we're we don't care, kind of was the attitude.
Brent:And I don't know if they just still wanna spend the money. Right? I don't still don't know the answer, but we did see him make that personal decision to get out before the breach. Because if you've lived through the breach, you know it's it's
Max:no fun. It's kinda like it's not like when you're gonna have data loss. It's just how bad is it gonna be. Right? It's not when you find out that your tape backup isn't working.
Max:You know, stats are so scary, which I think has gotten to a point where people, like, just don't don't believe the stats anymore. You know, like, x percentage of companies are gonna get breached, and x percentage of those companies are gonna go under with an x percent of, you know, with x months of time. I mean, and and you're like, okay. You know, maybe if the stat was like, oh, it's 15%, you know, people would believe it more. But you're like, oh, no.
Max:No. No. The majority of companies are gonna get breached. The majority of those companies are gonna go under, you know, and and that's just the end of it. And then, of course, you get some of these that become these really just, like, unbelievable visuals, colonial pipeline, you know, where people are, like, have tarps in the back of their pickup trucks putting gasoline in the tarps.
Max:Like, you know, like, what is going on here? You know? And then I'll never forget the quote. I was really impressed, actually, that it was, you know, the me, the news, the Wall Street Journal, I had to interview the CEO, and and it was we paid the ransom. And the decision to pay the ransom was because we didn't know how bad it was.
Max:Right. It wasn't like we paid the ransom to get recovered. It was like we just don't even know how like like, what what recovery looks like. And so we're at, you know, $11,000,000 based on what we knew at that point, but or whatever the it was $11,000,000 was cheap because we just didn't even know how bad it was. And then, of course, they they start trickling down, like, what was the cause and what was the original exploit?
Max:Like, all these different things. You're like, man, like, really basic stuff anywhere along the chain here would have prevented this from happening. And I think that's the worst thing is actually is looking at that after the fact and knowing, like, really basic things, not expensive, really basic things along the way, you know, and solve these problems for people.
Brent:Yeah. And the the checkbook comes out right at that point. Right? We're we're either going away or we're not. And I think the one the stat, you know, you mentioned that's really weird is when they issue, like, the Verizon report and stuff, and they go, how many 1,000,000 of dollars a ransomware event would cost you?
Brent:Right? And the smaller organizations, you know, that really are they don't believe it. They're the target because they're the gateway into other bigger organizations. Right? They don't believe that.
Brent:Mhmm. They look at that and go, what do you mean? It's, an average event is $2,000,000. And and I don't know the number of the latest report, they'll honestly. But I know it's something like that.
Brent:Right? Yeah. And they're just like, there's no way. Like, I don't even have $2,000,000 in the bank. Right?
Brent:And so they don't think we're going away at that point.
Max:Yeah. Well, it's, your your incident response team that you have to hire is really expensive. Your loss of revenue is really expensive. Your loss of customer goodwill is really expensive. You know, I mean, like, it's Credit monitoring is expensive.
Max:It's expensive. Yeah. You know, I mean, that's why I've kind of come to this idea of, like, is it just scar tissue? Right? You know, it's like if you see your neighbor lose their job because their company didn't have something in place, doesn't that, like, you're, like, hit home a little bit and say, oh, wait a minute.
Max:Maybe we should be doing this because, you know, that's important to me, and I don't wanna lose my job. Or the pressures on, you know, supply chain being a real thing, I see a lot of this now where and actually, I don't some of the compliance specs and things you have to adhere to are a little, you know, interested. I have a friend I helped us with, and he's in the motion picture, you know, business. And so he has to adhere to TPN. And he's a single practitioner.
Max:He's a he's a soul. Like, it's just him, like, doing what he does. Right? But, you know, in order to get him what he needed in order to meet the requirements for TPN, like, you know, some of these things you have to license at quantities that, like
Brent:Yeah. Right? We we run into that. Like, it's a minimum of x.
Max:Yeah. So he you know, so the best package the best thing we found was, you know, we could license this suite for him at 25 users, you know. And it's like, well, he's like, I've got you know, it's like it's a janab. And it's like, well, your parents are gonna have the best cybersecurity program that he could buy. Just like, literally, it's like your parents, you know, your your your wife's parents, you know, the guy your neighbors you really like, just, like, you know, look them all up.
Max:You know? Yeah. That was just it, you know? But he had to have it
Brent:in order to conduct business.
Max:So, like, it was also this interesting thing you see with the actual impact of noncompliance. I think people try to, like, you know, fudge compliance a lot. But in this case of, like, you have to have this in order for us to pay you. And it was like, okay. Great.
Max:Let me go get it right now. How quickly can I have this? Because I wanna I wanna get paid. And, you know, I've seen that a lot in manufacturing. You know, it's like, oh, you know, you're a subcontractor or subcontractor to subcontractor making an assembly for this big company.
Max:And guess what? It chains all the
Brent:way down that line of you have to now do x, y, and z in order to get. Yeah. Well, I think, you know, when you really look at what MDR offers, it becomes table stakes for a lot of those small companies. They have to be doing it and need to do business because we we walked into a law firm, we had a great meeting, talked about stuff, and, they said, well, what's motivating you to do this now kind of question. Mhmm.
Brent:Right? Like, they they were buying. Right. Yeah. So it's not answering your question.
Brent:They were buying. But the reason they were buying was because he points out the window and he goes, see that big building right there with the big shell on top? If I don't get this, they're not gonna give me my contract. Yeah. So that motivated them to take it seriously is that it pushed down from their, you know, big vendor that they're doing business with.
Brent:Look. Obviously, there's outliers within this and people that actually get it. You know? Small trade, you
Max:know, hedge funds. Right? They understand it. You know? Small investment banks, they understand it.
Max:Right? You know? And then you get to this weird thing where it's like, you know, maybe there are only 20 people or there are 30 people or 50 people. Right? And and they have a very different program.
Max:But the average 50 person company is investing in this stuff. What you know, what's your feel in terms of sizing? What point are people, you know, large enough they start looking at this thing a little differently? You know, is 200 seats, 500 seats, 1,000 seats? Like, what becomes like that entry point where people have matured to the point where they're looking at the Sirius and M?
Brent:I think it boils down to a couple things. Is it like what industry are they? If they're washing windows or doing plumbing, they don't care so much because they've got a a platform that does the scheduling and does the billing online, and everything should be taken care of. Right? And they get in, someone gets in their email.
Brent:Now the risk there is that they send the payment to the wrong place. Right? Like, my wife works for a company, and she does the accounting. And she came home and said, oh, I gotta send this wire to this guy. And he gave me this email, and I said, well, boy.
Brent:I mean, like, hold on a minute. Like, have you valid have you spoken to him on the phone? It either she'd never considered the fact that this can be a, you know, scam. Yeah. So so what does it take, right, at that point?
Brent:Now she's uber aware now. Yeah. Right? Like, uber aware because, like, you know, the space I'm manning, the stories I told her Yeah. Really, that's kind of what it takes, I think, is that one person who can stand up and say, you know, this is what we need to be doing.
Brent:These are the risks. Because if we send the money to the wrong place and it's gone, that's how much of our remedy that's our payroll for the week or whatever. Right? That would you're impacting families. Mhmm.
Brent:So I've seen where guys funny stories, you know, that you get during this stuff. I mean, I touch a lot of customers as you
Max:can imagine.
Brent:Yeah. Yeah. And I and I got a pretty good memory. And, you know, I remember talking to this company, and, they were like, yeah. This all sounds great.
Brent:Let me see what we can do. And they just kinda went away, faded away. And then they called up out of the blue and said, okay. We're ready to go. And I and I we talked to him and said, what changes?
Brent:He says, well, our CEO went on a, trip to Hawaii and went to a meeting. They talked about this, and they said you have to do it. So he came back and it was his idea, so we're doing. And what does it take? It takes the the right people to stand up and go, you know, it's worth it to have the protection.
Brent:And I go back to simplistic story. Okay? So I'll kinda help you answer the question in a nontechnical way. Please. Okay.
Brent:So one of the sales guys I work with had a plane ride with the, you know, guys, the CIO, CISO level of a company, and he what do you do? Oh, I sell cybersecurity. And what do you do? And then tell, oh, well. And he goes, well, like, so explain to me what you do.
Brent:And his his thought process was not to go into the pitch. Right? Probably, this is easy to do. Right? But he said, so if I could bring to you a guy who handled your cybersecurity and looked at the network and the endpoints and the logging events, and this guy had a bunch of friends that all came with him so he could do it around the clock.
Brent:He had all the software and hardware as part of his deal, and he never went on vacation. He never got sick. He never wanted to get a certification and leave. Would you hire that guy? And the guy goes, yeah.
Brent:I'd hire him right now. And he goes, that's what we do. I love that as an in me point to this.
Max:I can keep going. I'm sure we can spend another hour here. I think that's an excellent point just to end on where it's I hope that when we talk in the future, things have matured to the point where people understand they're going after and they're investing in this in a much more serious way. Right? And that just becomes what level of investment is reasonable for the type of business we're running.
Max:Right? Not do we need an EDR or not, or do we need this or not, or do we even need this in the first place or not? It's at what extreme event do we go to. Right? We get into conversations around is micro segmentation appropriate for you or not.
Max:You know, like, I hope to see that soon. I mean, not all of us say I hope to see that soon. But Yeah.
Brent:Well, I think everything evolves and there's usually events that happen and that create action. I think that's the the matter of that. Right? It's like when when you don't know you need it, that event will take place. And like you said, hopefully, it's not you.
Brent:It's your neighbor. And then you you're able to say, hey. I did the right things because I see the guys who are customers, and they go send me an email. Hey. You know what?
Brent:You guys just saved the bacon again. And that's nil. A, fulfilling for him because he's done the right thing. Yeah. It's fulfilling for me because I know our organization's doing the right things.
Brent:And the IT guys, right, they're happy because they're not dealing with this big huge deal. It's like, hey. I gotta go reimage Max's machine. Right? I I you know, a lot
Max:of people, I don't think, actually really take it to that level or really understand it. You know, a lot of these events besides, like, losing access to your data, losing access to your systems, or not being able to function as a business, your remediation requires you to go out and touch every single thing in your network at a specific level, you know, in sequence, and then you start figuring out how much data that you lose in the process. And, you know, coming back and recovering and saying, you know, let's just go on the small side. Right? Give a 1,000 users.
Max:If 2,000 or 3,000 devices plus, you know, easy. Right? Like, that's a pretty easy ratio. Like, okay. Let's go spend 30 minutes a device times 2,000 to 3,000 devices.
Max:And that's what it takes to bring that business back online before you can figure out what your data loss is and where your data, you know, recovery point is. And you don't even know what you have as you're going through that process of, like, be that I mean, it's easy to talk about it because we have war you know?
Brent:Yeah. We we definitely War source war stories? War source? One of these things that,
Max:you know, get back into self soothing and they start rocking here. It's scary to talk to companies that haven't been through this, that don't have any experience with it and try to quantify and say, hey. You know, this is what you're brilliant. Like like, what you're trying to protect against is, you know, it's like, oh, it's a hyperbole of, like, you're gonna go out of business. It's it's more of like you know, let's say you don't have a business.
Max:You know, what does the action take you to bring your business back online? What does that look like? Yeah.
Brent:Well, I mean, I'll I'll we'll wrap it up, Brian, because, I appreciate the time. Yeah. I'll say one one thing about Meaty and how I ended up here. I wasn't looking for a job. They reached out and said, we feel you'd be a perfect fit for this organization.
Brent:And I was, like, sitting there at my desk looking at an email, from LinkedIn that says you should never turn down an interview. The phone's ringing. Probably what? Heck. And I listened to them, and I listened to the pitch.
Brent:Mhmm. And the first guy was kind of interesting. The technical guy, when he broke it down for me, I said to myself, nobody else is gonna do this for the small, midsize organizations at this level. Yeah. So I joined the organization 8 and a half years ago, and I'll tell you what.
Brent:It's a long run. I've watched it change already. I've seen the adoption, which is awesome. The branding of MDR, which is great, and it's the market is just, you know, really just getting started. So I think I made the right choice.
Max:Well, we know MDR is is hitting a certain saturation point because now, of course, a lot of other companies are trying to claim that they do it. And now, you know, we've hit a different cycle of, like, are you investing with a company that can actually deliver what you think you're buying? Yeah.
Brent:Heal the big guys that are traditional product guys are coming in space. That's what's happening.
Max:Yeah. I appreciate it. Thank you very much.
Brent:You got it. It.