Secure Your Business From Cyber Threats with 360 SOC (Guest Chris Ichelson)
Think about a storm. If there was a storm and every Microsoft customer came in today and said, I wanna use Microsoft Dynamics, and I want it to be used the way you show it to me in the demo, the world would collapse. We don't have skill sets. Very few know how to build on it. The way you see it is not how it works out of the box.
Chris: And you run yourself into these situations where there's no direction but to figure out another path. Right? For security, I think this automation, I think it solves a lot of what you're talking about and, you know, what we're talking about here around how do you make this stuff more effective? How do you drive costs down? How do you make it more efficient for the customer?
Chris: Because at the end of the day, they're scrambling.
Max: Let's start with some softball questions, Chris. What do you do?
Chris: Well, a lot, I guess. So I'm trying to do less, but I'm the CEO and founder of a company called 360 SOC. We're an award-winning managed security company focused primarily around the security operations center. But I like to say that I'm more probably the chief everything officer because I do a lot of different tasks. I support a lot of my teammates, whether it's in the SOC, whether it's day-to-day sales, operations, being the bad guy, being the good guy.
Chris: You know, all of the above kinda coincides with, you know, this, you know, island-based role that all of us CEOs sit on, especially in these fast-growing companies. So
Max: Yeah. So when you say a security vendor centered around SOC, let's expand on that. Get into that a little bit. What does that mean? What services are you offering, and what problems are you solving?
Chris: Yeah. Definitely. So we offer primarily security operations center as a service, which in the old days we used to call managed detection and response. So what we encompass is, you know, kind of a point-everything-to-us type of security approach, and we will take on the all-eyes-on-glass monitoring using a stack of tools to meet what we call the Gartner SOC Triad methodology, which we see being kind of the gold standard for the security operations center. And then everything that coincides with that involves products, services, you know, audit, compliance.
Chris: You know, it kinda just sits down below those day-to-day activities. We see that operations center probably being the most critical element next to designing the right technologies for each, you know, independent entity or customer, more or less. So
Max: One of the biggest bifurcations to see in the space right now: does the client have to run and integrate with your SIEM? Are you managing their SIEM? How does, you know, as a company is looking at it and saying, okay, we wanna go to a SOC as a service, and we'll get back to that in a moment. But what is the, like, the prep work and the deployment work in order to turn you on?
Chris: Us, we're unique in this space because we really do have 2 go-to-market strategies within the security operations center. 1 is being a plat... we call it security platform as a service provider, effectively. That's where you bring all your own technology. We don't care what SIEM you bring. We don't care what EDRs and DLPs and, you know, scanners and everything else within your security stack.
Chris: You point all of the APIs at our platform, and then our platform will ingest all the alerting. We'll pivot into your platforms when need be, but we'll manage that 24/7. So that's one option. So you don't have to use any of our technology besides our medium, our GUI. Our GUI is effectively a full-service security orchestration, automation and response platform, often referred to as a SOAR.
Chris: The coolest thing about that is that we do enable live chat within that SOAR GUI for our customers. So within 5 minutes, our team, our analysts, will be inside any alert working live with a customer 24/7. So that's one way. And then you also have the other side of the coin where customers don't have a lot of their own technology. Maybe they only have their EDR solution and a firewall, and they don't have a SIEM, and they don't have network detection and response.
Chris: They don't have a data lake. In those situations, then we have our 2nd offering, which is our SOC as a service offering, which then encompasses or brings to the table the SIEM. It brings UEBA and a data lake. It has a forensic agent on the endpoint. And then, on top of that, network detection and response fully managed by our team.
Chris: What I'm often seeing with that element or that product set is that customers say, cool, man. I need you for SIEM. I already have Darktrace, so I'm gonna plug that in. And then, you know, I'll use your forensic agent for collection, and then your team manages it, etcetera. You know?
Chris: So those are the typical use cases I'm seeing now, but, yeah, it makes us a little more unique. Our customers don't have to use our tech, and they also can augment our tech into what they're currently doing if that makes it better too. So lots of flexibility, lots of integrations.
Max: I wanna touch on really the problem that you're solving, and I see this in a couple of ways. The first way is a company that decides that they wanna take security operations and do it in house. So, you know, we've designated, you know, Johnny is our security person now, and they're maintaining our tools and also the investigations. Or, in my opinion, I think the ones that are actually even worse are we've engaged a small MSP who now has a security function within that MSP, and they're security practitioners now. But, you know, when you find out and you start talking to them, you know, that MSP is maybe, you know, half a dozen people predominantly doing field support, you know, your desktop and server and network infrastructure support, that then say, hey.
Max: We can do your security as well. So I'm sure you've seen a lot more than this, and, you know, of course, coming from the other side, running this professionally. What happens? I mean, so what, a, what drives companies into a professional SOC, SOC as a service? And what would you say to somebody that's currently doing this in house, you know, at a small scale or engaged with a small MSP to do this?
Chris: So, I mean, there are a lot of people offering various security services. There are a lot of people offering 24/7 services. There's a lot of people that offer 24/7. It's not really 24/7. There's a lot of, you know, outsourcing and insourcing going on that people aren't really probably as transparent about in order to meet, you know, what they're needing to meet from a customer requirement.
Chris: I see that in the smaller MSPs. People are just dabbling, as security is another service that we're gonna offer, another product function. For the biggest customers out there that already have built their SOCs, I think there's an opportunity to augment the security operations center. I'm seeing, you know, more than ever those, you know, large Splunk customers, large, you know, QRadar deployments that are coming back to the service provider space, i.e., SOC as a service, somebody like us, and are saying, look. We don't necessarily need you to manage it.
Chris: We've built the team. We've got 30, 40 analysts and managers and everything, but we're running into these situations where our team is extremely fatigued at tier 1, tier 2, tier 3 levels. And for those type of customers, they can come to us and actually augment our platform, and they'll actually use the same functionality that we offer as an MDR or SOC as a service. But effectively, instead of our team being the handoff to the management all the way down to eradication, they handle that piece. We manage the underlying platform, the integrations, and build the automation for them, effectively making their tier 1, tier 2, tier 3 approach 99.9% effective out of the box, just like our SOC as a service offering is, by using that SOC bot 123 effectively to give your analysts a fully enriched, you know, fully enriched alert, fully enriched conversational point so that they can actually take that and then, you know, obviously respond to it.
Chris: So, yeah, 2 approaches, 2 different address points, 2 totally different sizes of customers. Both have a common use case. It's just one has it built already. The other doesn't. Or they might be thinking they're getting it from somebody that has it built, more or less, I guess, is a good way to say it.
Chris: So
Max: I see this right now with Microsoft. Microsoft's pushing E5 with security functions. And so you could say, okay. We've got now email security, and we've got Defender for our desktops, and we're gonna have Sentinel SIEM. And now we're secure because we've got this E5 Security piece.
Max: And we kinda get into that conversation a little bit and, well, who's configuring it and who's managing it and who's alerting on it and who's triaging it? And the answer is usually nobody. But I mean, I kinda wonder what this is gonna mean for the landscape of, you know, enterprises that deploy this stuff and then, you know, turn it on. And then, well, I mean, I gotta imagine you get a lot of phone calls. Like, we've turned this on, and now we don't know what to do with it.
Chris: It's more of the turned it on, it's got a lot of noise, we need to figure out if we need to turn that off. Like, you know, who's gonna look at that? You know, that's the most common thing I hear probably out there is, you know, the technologies are really noisy.
Chris: They all work well, but somebody's gotta be there to sift through the noise. I think that when you look at cybersecurity as a whole and you look at kinda where the direction of the space is going, I think the space recognizes that this problem exists. Right? You know, and the problem does exist with a solution in mind that really does focus around automation. I mean, most of what we're doing in the security operations center on a human basis can be solved with higher accuracy leveraging automation.
Chris: So if you start looking at the future of what that security operations center looks like and what people need to do from a program standpoint, they're going to have to use more automation because it drives cost down. Right? And if you drive cost down, you can have more. If cost is higher and the service providers you're buying from, the software providers you're buying from, aren't leveraging these types of technologies, they're also working behind the 8 ball too, always playing catch-up. So I think, you know, security of the future and kind of where these companies all go, large, small, is really they have to adopt automation.
Chris: Now that creates another problem. We just went from 3,500,000, you know, skill-gapped individuals with open jobs in the space, they claim. You add in automation to that conversation. We don't have enough professionals that understand security automation in order to hit the objectives that the corporate ecosystem's gonna require. And if you look at it from that way, think about a storm.
Chris: If there was a storm and every Microsoft customer came in today and said, I wanna use Microsoft Dynamics, and I want it to be used the way you show it to me in the demo, the world would collapse. We don't have skill sets. Very few know how to build on it. The way you see it and it's sold to you is not how it works out of the box. And you run yourself into these situations where there's no direction but to figure out another path.
Chris: Right? For security, I think this automation, I think it solves a lot of what you're talking about and, you know, what we're talking about here around how do you make this stuff more effective, how do you drive cost down, how do you make it more efficient for the customer? Because at the end of the day, they're scrambling. The large customer with the SOC is scrambling because his employees are closing alerts that they just don't feel like triaging, and they know nobody's gonna come look at it. And, you know, the alert's been the same way forever.
Chris: So what makes you think it's any different today? You know? Or leaving early or whatever it might be. You start looking at this, and there's one keyword that solves all of this, and it's automation. And I think that's gonna be huge.
Chris: Sorry. I ran on on that one a little bit. I'm a passionate automation guy because I think your number one asset in the security operations center is your automation. And, you know, you can't automate if you don't orchestrate, and you can't, you know, extend response where it's manageable for 1,000 or tens of 1,000 without it and leveraging APIs and that kind of stuff. So it's kinda where I think that space goes, more or less, or how you can try to solve it at least at our forefront, any customer size.
Max: I have a client, and they make desalination plants. And one of their projects is in Nigeria. So when you look at that, and all of a sudden you say, okay. Your phone system vendor starts seeing phone calls and traffic that's going to Nigeria and blocks it because all phone calls to Nigeria are just automatically, there's something wrong with it.
Chris: Scam. Right.
Max: But this client actually has desalination plant projects where they're installing desalination plants in Nigeria, and they're trying to convince the phone system company now that they actually need to be able to call Nigeria legitimately because, like, they're actually doing business in Nigeria. Right. And it was a really kinda funny thing because, you know, that phone provider wasn't equipped to actually even compute and understand that, like, people actually do business in Nigeria. And I think about this a lot in the security world too because, you know, a, you've got a lot of data coming into systems. But, really, what, like, I'm most interested in is what is normal and what is abnormal.
Max: Like, if you're doing business in Nigeria, it's normal for you to be sending data back and forth to Nigeria. Right? But, like, if you're not doing business in Nigeria... and, like, these sorts of decisions become very personalized but require a certain amount of behavioral analytics upfront in order to say, you know, it's normal that we have data that goes to China. It's normal that we have data that goes to Nigeria. And, you know, I'm wondering, like, how do you guys deal with this with your clients, of actually coming out and saying, you know?
Max: I mean, it's really kinda twofold. Right? The first half of it is how do you, you know, aggregate at scale to say, you know, we've seen this thing now happen that's happening across a lot of it, and there's something going on here. And at the same time, pull that noise out to say, no. It's totally normal for this company to be doing this sort of traffic because that's just what they do.
Max: So
Chris: One, onboarding. It all comes down to the onboarding process of understanding what your current, you know, your current customer that you're working on's ecosystem looks like. Right? Or tech, you know, network footprint looks like. You know?
Chris: And also understanding what is normal inside of those, you know, regions that might be more susceptible to scam and, you know, malicious activities, such as, you know, the top whatever ten it is that most of us know off the top of our heads. Right? You know? And it happens that, you know, there are these countries like Nigeria or even Cuba or there's a few other ones, you know, the north side of India. There's some significant areas where scam is relevant, right, or prevalent.
Chris: And, you know, what happens with the telco and the telco defenses, he definitely leans towards, I don't wanna get burned for, you know, x amount of dollars by allowing this to go through, knowing that customer. If this isn't legit, the customer's not gonna wanna pay for that. I think, though, it just goes back to the start of that: you solve this in onboarding, understanding where the customer has locations, understanding what's normal, you know, educating them that, you know, they can probably use Wi-Fi calling in a lot of those locations too if they need to keep it on their US network versus, you know, possibly, you know, having to use a local telco, and keep it all SIP over, I guess, public internet at that point using an app on a phone or something. But when you're looking at it from a telco perspective, if they're delivering any type of last-mile service to that customer, I would assume they would wanna know what kind of business they're in or what they're doing or, you know, what normal business hours look like, especially if they plan on blocking communication between the States and Nigeria or something that could impact the safety of an individual.
Chris: Right? You know? And I think that's the presentation. I think customers look at it as, this makes my business hard. Well, you know, the telco is like, well, this makes my business hard too, to manage your Nigeria traffic if I'm not aware of it.
Chris: Right? You gotta look at it from both sides of the coin. But, you know, how it can be solved is just, you know, having the right, you know, procedures, having the right processes when you go through these conversations to understand what the normal is for that customer and then setting parameters around what's abnormal. Because, you know, at the end of the day, if you make it around safety, you get what you want. If you push it as a business process, you probably don't get what you want.
Chris: But safety, everybody says, woah. We can't have malicious people grab an IV. You know? And, you know, things in hospitals, that safety problem, we gotta solve that. You know?
Chris: But if you go, hey, man. You know, I think you need this because of, you know, x, y, z. They're like, you know what? That sounds like an item we need to budget for next year. And you're like, wait a minute here.
Chris: That's the wrong approach. Go back to it. There's a safety problem here, and we need to solve that. And then with a telco and voice services, it's a major thing. Right?
Chris: They have to be able to communicate. You know, if somebody falls, hurts themselves, gets attacked, you know, and if the carrier is blocking those calls, they're putting those employees at risk. So, you know, in those scenarios, I just think that, you know, if people do their due diligence in that first, you know, 30 days of the new customer or in the scoping, you avoid that. If it's not that case, then you have to fight blocks and everything. And it's no different.
Chris: Telecom versus security tool. All of our security tools that we wanna load get blocked by the next tool. So you still gotta go through all these processes. And if you know it in advance, possibly you might be able to get a whitelist or an exclusion made. Right?
Chris: Helping solve the problem before it's a problem. So, yeah, that's kinda how I really look at every process breakdown, every customer failure when it comes to that piece of it, being around, you know, something was missed in onboarding. Right? You know, it's just the same way it goes if you flip the coin to the service provider and you say, look. We're like, how in the world did this customer spend this much money on us when we're on a flat rate and all that?
Chris: And you're like, well, somebody obviously dropped the ball in the onboarding phase. They didn't ask enough questions or didn't do enough discovery. That's how we got here. We didn't get here because the customer, day 1 of signing the contract, says, oh, by the way, we just got this new vendor. Let's just slam them with traffic right now and, you know, we'll test them.
Chris: It's not... that's not a normal behavior.
Max: You even... tools have come up a few times. Mhmm. And it's, I mean, it's like every day there's a new tool that gets announced. Like, oh, solve all your security problems by implementing this tool. Right?
Max: So now we have some tools that I feel like are pretty much, like, ubiquitous in the stack. Right? We talk about EDR as a tool that'll probably stay here forever, and we talk of, you know, SIEM. Right? You know, these are, like, foundational tools.
Max: For companies that are either selling tools... but, actually, let's say, from a company that's looking to solve security problems. And it's just like tool, tool, tool, tool, tool, or as a service, as a service, as... oh, you know, you can get this MDR. You can get this XDR. You can get this SOC. You can get this EDR.
Max: You can get this SWG. Like, you know, how do you unpack this noise and figure out what actually makes sense to do? Like, what, you know, people are trying to figure this out. Like, how do you help them?
Chris: Gotta understand what you're securing. I mean, and I think most salespeople just forget that right out of the bat. Or right out the gate. They forget. They go to that bat and they forgot the whole pop process of, gotta understand, 1, about the customer, and you gotta understand what you're gonna solve for the customer bay effectively, what their risk is.
Chris: Right? Some customers don't have that much overall risk out of the gate. You know? They don't have HIPAA compliance. They're not PCI.
Chris: They, you know, do an EDI transfer of funds and, you know, work through an ERP and ship a, you know, a metal weight or something like that. You know, along those lines are, you know, they package hay and ship it across seas. You know? You start looking at, you know, certain arenas where maybe compliance isn't as rich or maybe compliance is only rich in certain things like a custom, but not in the system. You know?
Chris: And in those arenas, I think that the security vendors out there and also the salespeople, they miss the boat on just trying to figure out what are we solving. Not... you know? Everyone has the common problems. Right? Phishing, you know, data theft or, you know, misuse of data, things like that.
Chris: Everyone has those hygiene problems and the phishing side being more malicious. But not everyone has the opposite problems on their, you know, main screen, let's put it. A lot of them are on the back seat, which is... right? Obviously, as a security professional, I'm like, no. I mean, we need to spend all the money on security, but that's not realistic.
Chris: Right? And I always like to have these conversations with customers around this. And it's, if I make $1,000,000 a year on a solution and, of that $1,000,000, it costs me $900,000 to secure it, what do I do? Buy insurance. Right?
Chris: Buy insurance. You know? I do what I have to do, but I buy insurance because I'm not going to take $1,000,000 in profit as a manufacturer and shrink that to a 100,000 when the organization's tolerance for risk is not the same as what I would think it would be as a security professional. Right? So they have to take their accepted risk and say, look.
Chris: We'll accept, you know, to put a $100,000 of the, you know, 1,000,000 every quarter in a ransomware fund until we've accumulated enough, hoping we don't get hit there, and then we've got a fund because we'd rather capture the revenue. This is what the process must be going in all these boardrooms because it's not the opposite of, alright, guys. We've got all this money. Let's go buy all this technology. No.
Chris: They're looking at it as, look. If I make $1,000,000 on this feature or function, this app in the cloud, and it costs me $900,000 to secure it, I got 2 choices. Accept the risk or kill the app. Right? Making a 100,000 on the app when I was making, you know, 90% more than that doesn't make business sense.
Chris: And that's why companies are in these situations, because somebody somewhere has gotta make the decision. If it costs us 500,000 or 400,000 to secure that million, maybe that does make sense. So let's ramp up and let's get the products and services that mitigate the risk. So I think that these need to be the conversations that, you know, customers need to have when they're going in and trying to figure out what do I buy? Right now.
Chris: 2023 is a lot different than 2014, '15 when I first started doing this and first started the company. You know, we're coming up on our 10 year anniversary here soon. And it's totally approached in the same manner, but differently. You know? Now you can go out and buy at a per-employee cost or a per-endpoint cost.
Chris: You can literally buy layers of security. Back in '15, '14 when we first went at this, you couldn't do that. You could, but you couldn't. Right? There wasn't, you know, menus of items and programs that every service provider was like... there was 1 or 2.
Chris: You know? And those were your choices besides the OEM, and you go through that process. But I think now customers have to look at it as if they're looking at this as a cost factor, a rate center, and they look at this down from mitigating risk down to a rate center. If they're already paying an employee cost of a $150, and that $150 is, you know, 80 p, and it's... you know what I mean? It's probably more than that.
Chris: You start looking at insurance. You start looking at all these costs. Cyber at 10 to $15 per employee or endpoint, all of a sudden, looks like a huge win. We're talking 1 to 5% of the overall employee cost is what you need really to secure up. But that's not the case for most entities.
Chris: Right? They don't look at it that way.
Max: Insurance historically pays you after an event happens. Right? You know, somebody breaks into your house and steals all your stuff, you get insurance. Your house burns down, you get insurance to replace it. And I thought about, you know, cyber in that lens for a long time, but the problem is that cybersecurity isn't an insurance policy.
Max: Right? You're deploying layers of cybersecurity to lower your risk of something bad happening to you, but not necessarily like a guarantee. I mean, what is the ROI on spending $1,000,000 a year in cybersecurity? Like, you know, can you quantify a decrease in effective risk for a company? And, therefore, you know, what their budget overhang or what their revenue risk overhang or, you know... You know?
Max: How do you have that conversation with an enterprise that says, you know, at $1,000,000 a year, you know, it's reasonable for you to spend a $100,000 because it's giving you this return, you know, on your investment.
Chris: So, well, there's definitely tools out there that can help customers in these conversations. I believe RiskLens or something, along those lines, that product suite actually can take, like, your current frameworks, the products you have in your environment, your accepted risk, revenue, and everything, and kind of spit you out a score. Based on that score, you could actually plug in a new technology and say, okay. If I add in a new firewall and it has these functions, what is it? How does it change my risk profile?
Chris: You know? Or if I add a, you know, data classification solution, how does it change my profile? There's technology out there that will do that. Now are you gonna see that in the everyday company? Absolutely not.
Chris: It's expensive. And there's still 3 or 4 elements that go into that conversation that the IT gentleman or woman that's running that department, they don't have the skill set a lot of times to even be able to plug the data into the solution to be able to give them the output. So there is a way to solve it with software. But at the end of the day, I think you have to start looking at, you know, the historical or the footprint of the customer and say, look. You know, if you're not using MFA, you... I guess another way to look at this is there's always low-hanging fruit that you can give for improvements, whether it's, you know, just go back and check to make sure you do have MFA enabled.
Max: I mean, the easiest, simplest thing to turn on that gives you the most value is, like, if you're not...
Chris: Most people don't use it.
Max: It's crazy. It's crazy. It solves so many problems and costs you almost nothing to deploy. I mean, it's...
Chris: Definitely.
Max: I was talking with a business owner here recently, and he was explaining how he got phished. So this is a... they're an MSP. I mean, their primary business is installing, like, wireless and AV systems. I mean, not like an unsavvy, you know, person. Right?
Max: Very savvy person. He was personally phished for over a $100,000. And in the process of going through that, he found out that their cyber insurance policy did not include a, you know, crime rider. Like, so there were 2 specific riders that the insurance company came back and was like, oh, whoops. Sorry.
Max: Nope. You're not covered because you didn't have crime, and I forget the other rider specifically that he didn't have. They helped with the investigation. They figured out what had happened. They did the whole thing.
Max: The bank didn't help at all either with the wire transfer that went out. And, you know, his reaction to it is like, well, in the grand scheme of things, like, I learned a lesson for this much money, and it wasn't that much money. And I'll recoup this money in this many, you know, this many quarters. So he wasn't, like, distraught over it, but insurance is also an evolving, you know, moving target. And this reliance on saying just go out and get insurance is changing.
Max: Insurance companies are getting out of certain policy coverages. I think it was Lloyd's of London who announced that they weren't going to pay ransomware for state-sponsored hacking anymore. You know, the liability to them was just too high. So, you know, I mean, are you seeing this as well? I mean, insurance companies starting to push back harder and harder against companies of, like, oh, nope.
Max: Sorry. You weren't running an EDR or you weren't running a fill-in-the-blank or you didn't pay attention to an alert. Why, on the second of March? And therefore, your insurance doesn't, you know, we're not gonna pay you.
Chris:The day of insurance in cybersecurity has a finish line. I mean, that's just probably the best way to put it. I mean, I sure. Companies will always be able to get insurance, but you can already see 100% that they're not covering state sponsored attacks. That was Lloyd's who did release that.
Chris:I saw that as well. You also see it on your Lloyd's policy if you're a customer, there's they also remember real clearly state this on there. I was actually just looking at a renewal, and, it's really clearly. So my caveat to that always is, at what point did it all come from the state sponsored peep folks then? Right?
Chris:And and that's where I think the insurance loophole possibly down the road comes into play again. They're just gonna be like, well, it's not yeah. This gang didn't do it. This group didn't do it, but they're funded and owned by x y z. So Yeah.
Chris:Does that mean that they're state sponsored? I mean, I think there's too many loopholes in the insurance game. Insurance is going to continually to recoup their money and not pay out. They all pretty much across the board now bring in their own people, breach coaches to come in and walk people through their effectiveness at, you know, actually exfiltrating or root cause is not not what it used to be. This isn't like, you know, the the old days of bringing in Mandiant and, you know, and and Mandiant coming in and, you know, cleaning the cleaning cleaning the park up.
Chris:Right? You know, when they're done, they even rake the sand and, you know, it's great. You know, now it's well, we're gonna come in. We're gonna figure out there's exposure. And then at that point, we're gonna figure out if we're gonna pay for that exposure.
Chris:We're gonna tell you to accept the risk. That's what I think I'm seeing more of than the opposite, which means that the end of insurance is coming. Meaning, when it comes to cyber insurance of, you know, you can just call them up and say, I got locked out. I have bad hygiene, and, you know, come cover me for my own mistake. I think those are over.
Chris:Getting insurance for the everyday business, I think, is extremely hard for cyber now. I mean, the questions, you know, the questionnaires, the process, the reasking of questions a 100 times over. It's rigorous. You know? And I think companies are just gonna pass on it and say, look.
Chris:I mean, you know, if this happens, I'm gonna have a backup of it or whatever it is, and, you know, I gotta start looking at other options because the cost of having insurance is probably more than just having somebody monitor it. The monitoring is probably more effective than the insurance. So there's a lot of different ways to look at this. But, yeah, I think insurance comes to an end eventually when it comes to the coverage.
Max:You had talked about really risk for companies and cyber policies. And the two buckets that you really kind of established were, you know, do you have a compliance risk? So are you PCI or HIPAA or, you know? I mean, there's a lot of other acronyms. Right?
Max:You know? I deal with ITAR companies a lot. Right? Do you have a compliance mandate that you have to adhere to? And then you had, like, everybody else.
Max:But, you know, there's still risk in this everybody else category. You have cash in a bank account. You've got employees working for you. You have productivity. I mean, if you're, you know, growing hay and you have to bale it and then put it on a boat and ship it somewhere, if you can't do that, like, that's still relatively impactful to your business or catastrophic for your business.
Max:So, you know, how does a company, you know, I don't wanna say, like, figure out their risk profile, but figure out, like, you know, what's an acceptable, like, scale? You know? If you're a $1,000,000 a year business, you know, what should you be spending on cyber? I mean, if you're a $100,000,000 a year business, what should you be spending on cyber? You know?
Max:Those scales probably go up or down percentage wise, but, like, how do you, I mean, it's like, you know, you read these things of, like, HBR of, like, oh, you should be spending 20% of your revenue on marketing. Right? Have we gotten to that point with cyber yet where there's just, like, a this is the industry benchmark that you should be looking at?
Chris:Sure. It would be nice if there was a lot more standardized, you know, besides, like, every other framework. It's just like you need to do this. It's all interpretation based. Mhmm.
Chris:But I don't know if it'll necessarily be like that, I guess. I think it's more that companies are gonna have to determine again from a percentage of what's the impact. Now let's break this down further because the question is very broad. Right? In my opinion, let's say, 15 to 20 percent sounds good.
Chris:Your total IT spend's probably 30, 35 percent, all perfect world. I don't think that's the exact realistic, right? I think what it is is, you know, in the marketing piece, right? And I don't know, you know, also marketing is telling us that marketing should be doing too. So, you know, so there's that component as well.
Chris:I would say that, you know, somewhere 10 to 15% of your overall spend should be focused around making sure that, you know, your assets are protected, and that's protecting your assets, your physical assets, your employees, you know, everything that's going inside your customers. Right? And having a best practice around that.
Chris:So if you're a $1,000,000 company that makes $1,000,000 a year, I don't think that $100,000 to secure your business is asking for too much. I think that's probably about a good safe bet, and I bet that same company spends another 100,000 on IT services. And if they're in data centers and that, that's probably another 100,000. You know, most companies don't make 100% margin. So I think we all know that, you know, out of every top end dollar we bring in, there is, like, a fiduciary responsibility if you're in financial services or, you know, an owner's responsibility or an executive's responsibility, to make sure that the best practices are in place.
Chris:Right? I think historically, though, a lot of executives have said we got insurance, and we'll let them worry about it if it happens. I think that day's ended now significantly because the insurance companies just can't play that path. But I think 10 to 15 percent is a good safe number. I would love to see 20%.
Chris:And if you actually broke that out and you said 20% is, you know, cyber, 20 percent is IT, and say cyber and compliance. You know? It's tough to throw cyber in its own bucket because there's several parts of cyber. Right? There's the security element of it, then there's a compliance element of it.
Chris:And then there's the regulatory bodies that, you know, on top of the compliance. And then on the other side, you have the product. So it's a pretty big space. That's even like with jobs. Right?
Chris:You see people, like, I wanna break into cybersecurity. Well, no one ever says, like, hey. But, you know, break in as go sell it. They're all I'll be an engineer, man. Well, yeah.
Chris:Well, I'm sure. Right? No one wants to do the hard stuff. Like, go out there and talk to the people about it. Use the skill set.
Chris:So, yeah, I think, to answer your question accurately, somewhere 10 to 20%, I think, is a fair bet. I think the average company right now only spends, like, 3 to 5, though.
Max:I had a conversation with a director of security operations, the SecOps, for a large company. And the conversation was fascinating because there was a bunch of backstory with this one. But, basically, the net net was, a certain percentage of his job, his salary, he knew was to be a fall person. Like, at some point, something bad would happen that he wasn't able to defend for because he didn't have the budget to defend against it. And that part of his job was to be the one to be fired.
Max:Right? Like, oh, we had this thing and, like, you're the person that gets put on this, you know, your head's on the stake outside. And that kinda pushed farther into, you know, I was asking him, if you're working for a company that doesn't really support what you're trying to do because you can't get the budget to actually implement meaningful, you know, practices? Like, why not go back to, you know, and secure, you know, an MSP, a company doing this at scale, somebody in the security ecosystem that actually is paid to do this? And his response was something along the lines of, like, if you're in operations of the security company, your job is worse than if you're the figurehead that's gonna get staked on the fence, you know, working for a company that doesn't care because the security companies, the sales and marketing organization just have to be selling security.
Max:And if you're in operations, you're just the widget that's getting, like, churned out. And it was like the whole conversation got very depressing. Like, there's no, like, flowers or beds of roses out there somewhere in this thing. You just have to go find greener pastures somewhere.
Chris:I talk to a lot of people that are in positions where they say we have no money, whatever. I don't know. Do they really have no money, or do they just not wanna ask?
Max:So okay. That's a good segue. You know? No. No.
Max:I like a segue. Let me ask you a segue. What are they supposed to ask for? Right? So let me pack this up.
Max:We'll talk about tools for a second. Right? And we'll talk about tools, and we'll talk about processes. So security is the land of endless acronyms. I mean, it's like, you know, I mean, only the military, I think, has more acronyms than security at this point in terms of, like, your data type stuff.
Max:Right? Right. Okay. So but, like, what's common? Right?
Max:So we talk about the easy stuff. The easy stuff is you can go and implement, you know, basic SSO and SCIM and two-factor authentication or MFA. You know, just with whatever, if you're in Office 365, you can go turn it on. If you're on Google Workspace, you can go just turn it on. Just go turn it on.
Max:Okay? I'm gonna rant about that for a second, get off the soapbox. But from there, you know, commonly, you have an EDR. You have SIEM. You have MVS and vulnerability scanning.
Max:You maybe have pen testing. You've got network taps. Now you've got this idea of secure web gateways, you know, which could be like an anti malware and IPS system. Gartner was so good and merged all this stuff together into the SASE soup. So now it's the SASE soup.
Max:We talk about SD WAN with, yeah, the SASE soup. I mean, Gartner, my favorite article I read, I need to frame this thing. It's so fantastic. You know, Gartner defined SSE, Secure Service Edge, and then defined SASE and then has a post, like, a year later trying to explain the difference between SSE and SASE that they define. And they can like, if you read the two of them, you're like, I don't even know if you guys know what the difference is between these two things.
Max:Anyways, so we got the SASE soup now, which then also, you know, we start bringing in, you know, a CASB function, DLP function, Zero Trust networking, so ZTNA function. And you've got like you look at this and you're like, okay. Great. And then you still have to go out and figure out threat intelligence. You've gotta go get your threat feeds.
Max:You've gotta feed this into a SIEM. You need to correlate this into something. You have to do incident response. You need to have a SOC. Where do you start?
Max:And, like, if I came to you and I said, hey, Chris. You know, we've got enough budget here to do something, but we can't do all of it. Like, we could do an EDR, or we could do a secure web gateway. Should we do the EDR, or should we do the secure web gateway? And, oh, by the way, you know, 60% of our workforce is remote.
Max:So is it better to be, you know, I perceive EDR as more, like, defensive and reactionary. Do we wanna be defensive, or do we wanna be offensive a little bit in having filtering? Like, how, like, this, I think, becomes the question because, like, obviously, we want everything, but you can't get everything. So, like, what actually brings value to this, and then what, like, order?
Chris:Ordering is, like, I mean, everybody's their own. Right? And what do they have already when you get there? But, I mean, to answer the first question, gateway or EDR, I think you gotta go EDR because the functionality is gonna, you know, it'll have a lot more functionality. You know, the use cases around the gateways, you know, the old DNS, OpenDNS, Umbrellas, all that kind of stuff, you know, is a very unit based security approach.
Chris:Right? In, out. We do this. We either block it or it's allowed through. Right?
Chris:The next gen EDRs, they have, you know, a combination of, like, signature based, plus machine learning, plus behavioral, you know, plus capabilities to automate response and all that. So you're gonna get a lot more value. Cost, I think they're about parallel in cost nowadays, though. I mean, you know, I think it's 3 to $4 on one side and 3 to $12 on the other side, you know, depending on features and function. There are some vendors that do combine the two together.
Chris:And if you're tight on a budget, you really need to find things that'll orchestrate. Right? Having a lot of technology that's singular unit based technology that doesn't integrate, it's bringing you much value. You know, having technology that orchestrates brings you value, plus it augments your time. So, you know, I think these entities have to look at it from that aspect and go find it.
Chris:So, you know, the best decision would be to have them both. If I only had to pick, I'd just take the EDR knowing that I get a lot of functionality and a lot of device control with one product.
Max:So then you get into the next question, which becomes integration, which you brought up, orchestration, and, you know, like, single vendor versus best of breed. And I'll lay some foundation. I'll use my, you know, I'm not gonna put you in a corner here so that way you can just react to this. Palo Alto, probably the biggest name in firewalls, you know, now has acquired, you know, an SD WAN with CloudGenix. We have ION.
Max:And then they've got the remote access Prisma, and then they've started integrating a bunch of things into the Prisma sphere. But they don't sell switches, and they don't sell access points. So now do you go out and you have Palo firewalls plus some other manufacturer for switches and access points for your on premise stuff that you still needed to have insight and telemetry for? What do you do about East West traffic?
Max:Oh, you pan to your firewall. Or you go to Fortinet. You say, well, Fortinet's got the firewall, and they've got FortiGuard, and they've got their SASE product, and they have basic SD WAN functionality. And they've got switches and access points. You know, verdict's out whether those switches and access points are good or not.
Max:But they've also got now an EDR, and they've got a SIEM. So, like, as an enterprise, you just go and get with a single vendor. Or you look at Cisco. Cisco buys Meraki. Meraki has terrible SD WAN functionality.
Max:It isn't like it doesn't have any. It'll just say, oh, the link finally, you know, went down. It was offered however long. We're gonna fail over. That's not a SASE product.
Max:Right? You still need a v c s t on the outside of that. They bought OpenDNS. You know, they bought Umbrella, you know, DNS based filtering. Now they're introducing CASB and DLP, but those don't integrate with each other.
Max:You're in two different consoles. You can enable Umbrella within your Meraki console, but you still need to man I mean, it's like those aren't integrated. What else do we see? So it's like no matter what you do, you know, EDRs, right, who are the big ones today, CrowdStrike, SentinelOne. You know, Carbon Black is still out there.
Max:Of course, Microsoft Defender is gonna be a huge EDR. You know, that entire list doesn't integrate with that other security apparatus. You've got two consoles there. You know, then what SIEM are you running? Right?
Max:Like, so this is part of that, like, how do you, you know, like, let's just say you've got a best case scenario. You've got funding. You know? You're bootstrapping a 200 person organization, 500 person organization, and you've got, like, the ability to start from scratch. Like, does it make sense to go out and get Palo plus Cortex or Fortinet plus FortiEDR or, you know, Meraki plus Umbrella plus, you know, SentinelOne?
Max:Like, help me navigate this world. You know? Like, you're like
Chris:So good question. So I guess let's just take it down and kinda dumb it down first. Do you, you know, and look at it in like a real world scenario. Right? If you were going to go buy a specialized bicycle, right, and that specialized bicycle you want to use for road racing, you don't go to Walmart to buy your road racing bike.
Chris:Right? You probably don't go to Amazon to buy your road racing bike. Cisco and Fortinet and companies that have fabric ecosystem development, meaning they bought a bunch of different companies, they plug them all in, effectively are the Walmarts and the Amazons. That doesn't mean necessarily though that Walmart doesn't deliver you the, you know, highest grade truffle, you know, in their food section that you can still get at, you know, the Ritz Carlton, the same dang thing. That doesn't mean that they don't do that.
Chris:It just means that they offer a wide menu of everything. You can come shop here, and when you're done, you can leave with a security program. You know? For example, I'll use an example using Fortinet. FortiSOAR was through acquisition from CyberSponse.
Chris:We're a FortiSOAR customer, and we have been for 6 years. And, you know, we consider ourselves a leader in SOC Automation. And FortiSOAR is one of the top three or four SOAR platforms out there in the market. They're a leader in that space. But in switching, they might not be considered a leader next to like a Cisco or a Juniper.
Chris:Right? They have a solution that meets the needs. It integrates into firewall, and it does all those things. When you're looking at it from the Palo model, this is like going now and going to buy your specialized bicycle from, you know, REI. Right?
Chris:And when you go into REI, they've got, you know, a $10,000 road bike, and they've got a $1,000 road bike. Right? And depending on what you want on your road bike, it gets to $10,000. That's the Palo model. You come to us, you know, because, historically, we've been the best of breed for firewalls.
Chris:Right? And that's really where it starts, and then they branch into the other products. And now they're trying to buy through acquisition. They're trying to get other companies. They purchased Demisto, which is now their SOAR, XD or whatever they call it, XSOAR.
Chris:You know, and, you know, companies like Splunk bought Phantom, you know, another product. And, you know, you look at a company like Splunk, it's like a Palo Alto, very specialized. Right? You go there because you want the road bike, because you're gonna be in the Tour de France. You don't go to buy the road bike for the Tour de France at Walmart.
Chris:Right? So those are the things that you have to justify, and that's the best way to kind of describe the difference between somebody who has, you know, a product for everything you need versus a specialized product. Right? I'm sure CrowdStrike or somebody like that who's got billions upon billions of dollars, if they wanted to be in the switching game, could get into switching and routing and all of that. But, you know, they don't wanna be that, from my opinion.
Chris:They wanna be the best at what they can be in their individualized product. The Fortinets and the Ciscos of the world necessarily don't have that model. They want best of breed products that are sold to the masses, because they want you to look at a menu and buy an EA contract from them. When you buy an EA, it comes with all these different things, and then it's just your responsibility to buy the hardware. Right?
Chris:Because it's all licensing based at that point, right? And they're giving you, you know, those products and services, and they always throw in everything because, again, they're like Walmart, right? Come over here and when you come buy your, you know, your frozen pizza, you know, we'll throw in a bag of chips too. And if you need, you know, a package of socks for next week, you can grab that too. Right?
Chris:Just like why Cisco sells adapters and cables and like Affordant and all of that. It's a very similar model. So that's how I look at it. You know, if I need the most granular solution in my scenario, I'm gonna invest a lot of time in going to figure out what that is, and that might be Palo, or that could be a Check Point or something else we didn't mention. But if I'm looking to go solve a problem and I already have a relationship, I probably go to Fortinet and Cisco first because I know that they have a menu.
Chris:And the menu probably includes what I'm looking for, at least to give me the knowledge and understanding. Can they check the box, or do I need to go to the specialist? Because, you know, I'm Tiger Woods, and I need knee surgery.
Max:Check Point's an interesting example on that. You know, great lineage of firewalls. I mean, if you're in Europe, you look at Check Point a lot different than if you're in the US. You know, they just don't have the penetration in the US. Check Point has Harmony, which they sell.
Max:And my supposition is that Harmony is licensed very friendly for MSPs that have existing SD WAN plays because now we see Harmony as the, you know, security solution, you know, that's bundled with all these other MSPs selling SD WAN services. That was just like, we need to go out and have a SaaS solution. What do we do? Oh, great. You know, Check it's just like, all of a sudden, Harmony, Harmony, Harmony, Harmony, Harmony.
Max:And you're like, well, why are you using Harmony? Oh, it's probably licensed really well for you, right, and not competitive. And these sorts of things are very interesting when you kinda, like, try to look at, you know, assembling all these LEGOs together. So, security, the other question, you know, that I've talked about for many years with security is, you know, it's like this. How do you sell security to somebody who's not buying security?
Max:Right? It's like it's an important thing for you to have, but not necessarily something that people invest money in. And my perception of this really is security for the most part is a defensive purchase or reactionary purchase. It's either reactionary to a compliance mandate or a supply chain mandate or a client mandate. You know, you can't do business with us.
Max:We're not gonna give you money until you have x y z implemented. Right? Or it's reactionary and they're like, we've had something bad happen to us. I thought insurance was gonna be the driver to push security forward in companies, and I really haven't seen that yet. And we talked about this a little bit on a golf cart on the golf course a while back of, like, what do you think becomes the, like, everybody just has a base level of security?
Max:Like, when do we get to the point? Like, what drives it so that every company just has MFA? Like, everybody just knows that you just turn on MFA and you just have MFA running.
Chris:We don't because there's always gonna be the accounts you can't have those type of features and functions on. Right? The service accounts and stuff. So, you know, obviously, you're as good as your password protection policy and your password rotation policies at that point because not everybody's going to be able to mitigate it all the way around. Sure.
Chris:And I think, do I agree with out of the box by default, every product organically should enable MFA as a default and force an administrator to go in and disable and then write an exclusion? Absolutely. We're not there yet. Right? Most companies can't even, you know, manage change management.
Chris:Yeah. Let alone ask them to go in and do it another way. So I think you're spot on on the, you know, the question. I just think that the companies, you know, they need more help than they want to admit. You know?
Chris:And because of that, the first thing to do is we'll help you in all the products that everyone sells. And, organically, all the products are designed to be able to turn off these functions so that they're not an annoyance for the use case that, you know, ultimately is controlling the environment. Something like, you know, service accounts. Right? So that's an interesting one.
Max:The part of this that makes me just really, you know, like, how far behind we are, Amazon last year finally supported redundant hardware keys for root accounts on AWS. Like, and you think about this as, like, this is AWS. Like, AWS just last year finally supports having hardware keys for security with, you know, the ability to have a second key registered for redundancy. Like, why do you wanna have keys? Well, that way, in case you lose your keys, you have a second key and you can authenticate against the root account.
Max:Right? And, like, you think about that of, like, if AWS doesn't support this, like, what chance does the rest of the, like, really, what chance do we have? Like, we have no chance. It feels like it's depressing. Anyways, I won't harp on this one too much.
Max:Did you read, actually, that's a good question. Did you read the CircleCI blog post from their CTO after their exploit? Have you gotten into this at all?
Chris:I've gotten that one now.
Max:We should wrap about this later. They they
Chris:Send me the article.
Max:Oh, it's, I've still been, like, digesting this because I have a lot of clients that were impacted by it and have spent weeks now trying to rotate all their keys and update their security accounts and do what they need to do in response to this. Basically, the summary is that CircleCI is a continuous integration, continuous delivery, a CI/CD tool, and companies use them to do, you know, unit testing automation and then deployment into production systems. Right? So, like, it's relatively important if you're building software and publishing software. Right?
Max:In December of last year, they got a notification from one of their clients that they were seeing unusual activity on their accounts and that they had correlated that unusual activity in the service accounts back to stuff that was published, and they knew, like, they were pretty sure it came from CircleCI. So CircleCI found out about this not because they detected it, but because one of their clients told them that they had to get their house in order. And they didn't disclose this to the broader community or broader client base for several weeks, and then they published this blog post recently, which was like, what happened? What are, like, root cause analysis? And it was really funny.
Max:They used some very interesting terminology. Like, the ultimate hack was we were able to forge session tokens in order to authenticate into platforms. Right? But then you go backwards until, like, what led into that. It was like, well, they didn't say what the threat or the initial exploit was, but it was probably an email phishing attack.
Max:Right? Because it was a developer got malicious software on their device, which then did x, y, and z. And then the other one that really stood out was our antivirus didn't detect it. And I'm like, that phrasing was very interesting to me because nobody refers to an EDR as antivirus. So I'm like, you weren't running an EDR.
Max:What antivirus were you running? Were you, like, running, like, Norton or Symantec, like, on your computers? Like, what's actually going on here? You've got no security policies because then they say, you know, the threat factor in terms of what was going on were all these VPN hosts from international, like, mobile VPN and, like, all these different things. They're like, okay.
Max:So you've also got no, like, correlation whatsoever of where your developers are actually authenticating, connecting to your systems. Like, and, you know, of course, there's, like, all these things that you can go unpack and say, well, like, this tech solves this problem, and this tech solves this problem, and this solves that problem. But it was wild in the sense that, anyways, I'll send it to you after Rita. We'll talk about it later because I'm really kinda curious about this.
Chris:So let me add one thing, though, real quick on your AWS thing about the keys and rotation and all that. So what I've seen, and this is something I've seen historically, let's just talk about API keys. Right? And I think that Salt, as the company now, has a solution to pretty much solve all of this. You know, it's something that I've actually been hearing from a lot of my financial service vendors that they are leveraging Salt to secure and manage API now, which is fine.
Chris:Well, most techno HashiCorp Vault?
Max:Anyway. Yeah. HashiCorp Vault? Yeah.
Chris:Yeah. There's a bunch of different ones. But one thing that I have noticed about AWS when it comes to these types of incidents is, one is they don't get involved. But the second thing is you will know about the incident because they will just shut your service off. And then until you've remediated it, they just don't turn your service back on.
Chris:It could be like SMS. You know, someone gets ahold of the API, can't start sending emails out from your platform or something. Right? It's probably one of the most common ones. And they just don't have the, in my opinion, it's not necessarily the right approach if you were looking at it from we're also gonna sell security products to our customers.
Chris:You know? The approach they take is like, hey. You come here to host our infrastructure. Beyond hosting the infrastructure, the underlying, like, that's your problem. You know?
Chris:And yet, at the same time, they'll come back and sell you products to solve that problem. So it's like, don't you have a little bit of responsibility in the delivery point of all of this infrastructure just to secure the other customers to make sure that somebody couldn't really cross one of these so called barriers that we all have? You know? And you look at it from that aspect, and you're like, if you're selling security products, you should have responsibility to have to then go back in and say to customers, like, or have some type of tool that says, hey. You know?
Chris:Press these buttons like Microsoft does, and your score goes up. Right? AWS, up to my knowledge, I don't believe they have a tool or something like that. You would probably know better, Max, because you're the expert in cloud. But, you know, from my standpoint, I look at it more as alarming.
Chris:Like, so you mean to tell me you're just gonna suspend me for 5 days after I just blasted 4,000,000 emails out to everybody in the world and phished the world? But I only gotta be suspended for 4 days. And if I wait 4 days to get my account back, you know?
Max:There's a better example that I'm gonna pivot to here.
Chris:Alright. Cool. Go for it.
Max:Microsoft sells an email security package on top of their email that they sell you with Office 365. You know, I understand going out and getting a Proofpoint, a Mimecast, a Darktrace, like, any of these email security overlays. And by the way, you know, like, when you see, like, what they do on top of, like, Google Workspace in terms of, like, detection, like, it's unbelievable. But I don't understand how Microsoft sells an email security package on top of their email that they've already sold to you. Like, that feels criminal to me.
Max:Like, there's just a certain point where you're like, you know? Like, I don't, you know? I mean, so it's just, I mean, in the, like, the whole, like, oh, you're gonna sell the EDR, the Defender tool, and the Sentin' on. It's like, okay. I get that.
Max:Like, that makes sense. That's a completely different functionality package. But, like, if I'm already paying you to host my email, like, shouldn't you be doing this for me? I don't know. Maybe I'm crazy.
Chris:The email piece is interesting, you know, to Microsoft's defense. They probably look at it as well. We give you some filtering, and we tell you sometimes when it's malware. So we gave you something, you know, but you need to pay for a little bit more. I don't know.
Chris:I've I'm still trying to figure out the whole new Microsoft model of where we're trying to go. You know? And I'm also trying to figure out how they're, like, number 1 in every single security product. Anyone else ever anyone ever use Sentinel yet from Microsoft?
Max:That's pretty much.
Chris:We're not there yet. Right? Well You know? But cool that they can integrate with ChatGPT now, though. So, you know, might as well just have our analysts use ChatGPT as their standard response.
Chris:That's classic. So
Max:I think what's scary about that for me is the conversation of, oh, we enabled E5 security, so we are now secure. And I, you know, it's a really, I mean, I don't even know where to take that conversation really of, like, oh, we've enabled it so we're secure now. And you're like, no. No. No.
Max:No. No. No. No. No.
Max:No. No. You're not. Like, no. This is not how this works.
Max:Like, and I worry about the amount of pain that's, like, coming down the pipe with a lot of these organizations that just have this assumption of, like, we turned on E5 security and now we're secure. And I'm like, no. No. No. You licensed a tool that now you need to do something with, you know, in order to see stuff.
Max:And, you you know, it's just it's just a tool. Like like, you're not, you know, you're I mean, I I don't I don't know. I mean, you you take a stab at this one, Chris. Like, what do you what do you what do
Chris:you think? So, well, I think there's some advantages to, like, e 5. I think some one thing I think most people don't know about on the e 5, I think you only need, like, one e 5 license to get the dashboards to for the rest of the environment. So if you have one, you get the features and functionality across the rest. I just don't know how it works across them.
Chris:Not Microsoft guy like in that way. But my thing is there's no way they're the best of breed in every one of those products or there would be no other competition. They own the operating system. And in addition to that, I would never throw all my eggs in my basket in with the company that solely is providing that stack from start to finish. Right?
Chris:Just for the same reason why I think that Apple has really tried to stay out of, you know, some of these products. Right? They deliver you a Mac computer or Apple, you know, iOS on it. And iOS from there is a pretty secure environment. I mean, organically, always has been better than Microsoft.
Chris:Right? Less susceptible. Doesn't mean it's not you're not impacted. Right? We're all using Chrome browsers, and we're all susceptible to all this other stuff that's in the wild.
Chris:You know? And we all use Microsoft products across the board too, which, you know, brings us all of our chaos. You know? Amazing how malware is always in a Word file or an Excel or, you know? And it's always coming through your email.
Chris:You hit it right on there. You know? So, you know, I think the value of an E5 of giving people features and functionality is a good thing. I think Microsoft took the approach of Walmart, though, and is now offering them everything in one thing. And customers do think that this is a one all get all, and I'm gonna do this, and I'm gonna do that, guys.
Chris:It took us 6 years to build what they're telling you. You can build in a week. It's not possible. That's probably the easiest way to say it. It's not possible.
Chris:You can't take something that took 6 years and make it in a 1 week. And and if you did, then I mean, everyone be out of business. Right? But it's not the case. They're they look at it as I'm just gonna get throw more products so I can charge you more money.
Chris:And, you know, what's E5 now? $50 a user almost?
Max:I think the list is 57 is what it's at.
Chris:How much 57?
Max:57, I think, is what
Chris:57, but we can't get 12 for security, guys.
Max:Well, I mean, in that, well, what you're gonna argue there is you're gonna license it for 57, which includes your EDR and your SIEM. So maybe you did get your 12. I mean, just Microsoft got the 12. You know, the power of the bundle is unbelievable. Like, I mean, if you're just talking about, like, budget allocation of what you're actually gonna do and, you know, you mentioned EAs, like, going out and getting an EA, you know, and just having all this stuff licensed.
Max:It's like, well, you know, why don't we run Teams and put voice in Teams and then run Defender and then run Sentinel and, like, you know, and there's a whole eco, I mean, right? Like, you can, I've been, jeez, man. I've been dealing with Microsoft. I'm a Windows NT 4.0, Exchange 5.0, I mean, that's how far back, like, certified. Like, you know, I was deploying Exchange servers before they had an SMTP connector built into it.
Max:Like, I mean, you have an email server that can't send and receive email. Like, like, think about that one for a second. Right? You had to license and install the SMTP connector separate. Right?
Max:I mean, that's, like, how old I am at doing this stuff. But, you know, in in 25 years of exchange, you know, that I've been dealing with it. Right? Like, never in that span of 25 years would you not have an external backup or or an external spam and antivirus system. And I I I mean, I kinda wonder about that with Defender and Sentinel of, like, okay.
Max:Cool. We've got this thing, but we still need to go out and buy all this other stuff that runs on top of it in order for the make you know, the thing to actually work. You know, what does this do to, like, a Splunk? Or what does this do to, you know, these other companies that are providing the actual tool. Right?
Max:Like, you know, you know, CrowdStrike and Sentinel definitely are branded. Right? And they're they're market leaders. But, you know, you look at these smaller EDR platforms, do do these things, like, go bye bye? Like, what happens what happens there?
Max:And does everything just become defender? Like, I don't know. You know, it's that's hard to say and protect.
Chris:I think that if you're drinking the Microsoft Kool-Aid and you're an E5 shop or E3 plus ATP, quasi E5, however you wanna look at it, I think that there are tools out there. I know there are. For example, I have this conversation all the time around our EDR that we include inside of our SOC platform, which is a forensic agent. It's NetWitness EDR. And NetWitness EDR doesn't do any AV.
Chris:It doesn't have an antivirus component like a traditional CrowdStrike currently would. It looks at it more from, like, a forensic standpoint. Access to MFT file tree, system dumps, response capability, whitelist, blacklist, snapshots, all the things that a responder would need on top of that tool, like an E5 license using Microsoft Defender. Therefore giving it as much power, horsepower, theoretically, as, like, a CrowdStrike enterprise with OverWatch or something like that, then effectively managed by our team. So you can get there, but you gotta be creative.
Chris:Whereas, you know, if you're looking at Microsoft Plus, I just think that the best way to look at these is Microsoft Plus something. You know? If I'm gonna invest more in an E5, that's probably gonna save me maybe some email security spend. Maybe I might save something. I might get, you know, encryption as part of that, and I was paying for encryption somewhere else.
Chris:You know, obviously, there's, you know, BitLocker and all these other things that come, you know, with disk encryption and stuff that are part of these licenses that are good, you know, wins. They're wins. Right? But, you know, for every time you go to Walmart, you still gotta go to REI sometimes to go get the specialized, you know, pair of shoes or the bike or whatever it is. Or, you know, Walmart doesn't, you know, repair your bicycle tires, but REI does.
Max:K.
Chris:Right? You know, things like that. So I think that's the model. You have to augment what you're doing. Take that spend, and throw a little bit extra.
Chris:Maybe it's 10 to 15% on top of your Microsoft spend to bridge the gap and also have layers. Right? I always looked at email security as nobody ever has enough layers. Right? Everybody got an email.
Chris:Security solution got email. But nobody thinks about, like, adding on extra to that. You know, maybe you need two email security solutions. Maybe you need Microsoft E5 plus, like, Avade Secure, who for an extra dollar or 2 will do some classification, do some AI in your box. Well, all of a sudden, it makes sense.
Chris:Right? And they're just not it's not Microsoft's trying to be all. And at the same time, they're missing their opportunity where they just integrate it with all these companies, leverage them into your stack, and show people how to do it. You know? And that that's kinda my passion on that side of it, but it'll we'll get there, man.
Chris:There's enough people that want this stuff to happen that I think will get there as a space. But, you know, it's that it's disruptive when the vendors come in and they market the hell out of it and change a customer perspective on what norm is, therefore, effectively making this customer not as secure in the end. You know? Not to say Microsoft doesn't secure you. It absolutely does.
Chris:But, you know, if you have a perception that every time you walk in your house, there's never an intruder, someday you might get caught for a surprise. You know? Then and and that's, you know, kinda where it leaves that. Right?
Max:70, 80% of all cyber incidents start from email. You know, whether that's, I mean, whatever the actual, you know, phishing, payload delivery, whatever. And I would imagine that 99% of those companies are running Office 365 or Google Workspace. So, you know, like, it's like one of those, like, just connect the third dot, which is, you know, you should absolutely be running something on top of your email because your number one threat vector is, I mean, is just email. Like, it just really, and people, employees aren't randomly on some website that delivers some payload and installs some RMM agent in TeamViewer.
Max:Like, that doesn't that that it's not like some they had to get to that website somehow. Right? And how do they get to that website? Well, usually, they click a link that they weren't, you know, like. Anyways.
Max:Okay. Let's let's let's circle the wagons, come all the way back to the beginning here. So let's give it a hypothetical. Right? So a hypothetical would be a company that has, you know, let's say they've they've they've gone out and they've they've, you know, invested in the basics.
Max:Right? They've got an EDR tool. Maybe they have a SIEM or they don't. They've got some internal people doing, you know, SOC function and and, and, you know, event and, you know, event correlation investigation work. You know, they've they've they've got maybe they've got an SWG, maybe they don't.
Max:But they've they've kinda gotten to that point where they understand, like, we cannot do this. Like, we cannot scale this. We can't do this efficiently 247. We're, you know, our our our employees are expensive. You know?
Max:Like, this is not an efficient use of our salary dollars. Let's go out and let's find an MDR. Let's go out and find a SOC service overlay on top of this. So this company now is going to market and they're talking to different, you know? What do you do differently and better than the market that makes 360 SOC a natural fit and, like, a place where, like, this is the only company we should be doing business with?
Chris:Number 1, companies come to 360 SOC because they want a 100% white glove experience. Most of our most successful customers came from our competitors. They adopted that, you know, a security path was the only path. But the ones that come from our competitors always say one thing, and it's number 1, onboarding is exceptional. It's very hands on.
Chris:It's white glove. But in addition, our competitors are upcharging for that ongoing continued life cycle of white gloving the experience. Whereas, we include that from start to finish. The coolest thing we do by far, and we're the only entity out there in the world offering SOC and MDR with it, is the live chat function within our security operations center. Our customers, 24/7/365, have a 5 minute SLA, SLO to get to our analysts via chat within our platform.
Chris:And from there, it can initiate a live conversation. We're the only company out there in the world that does offer that live chat function. That, from what we were told from our customers, has been a game changer. It takes the effectiveness up. It creates a runbook at the customer level.
Chris:It it it mitigates escalations, which then at the end of the day makes us more effective at securing the environment and also monitoring, you know, what we're delivering for those customers. So yeah.
Max:Let's talk about the incident. Yeah. Let's talk about the incident chain. Right? Because, you know, a company, you know, overlays 360 SOC on top of this.
Max:And, you know, again, we're I don't think this is technology specific, whether they're still running the SIEM or they're run on your platform. Right? Let's just they've they've implemented your SOC services. So at that point, either something happens that they become aware of or your SOC picks up something and says, this is not okay. Right?
Max:How how far into incident response and remediation? Like, what becomes the checkpoints? Are these are these, like, interactions, the lines between you and and the customer? I mean, are you unplugging devices off their network for them? Are you, you know, calling the CEO on a cell phone and being like, oh, rip the cables out of your networking closet?
Max:Like like, what does this look like?
Chris:So for us, we have response built in the platform. So, you know, understanding response built in the platform, it gives us a lot of features and functionality to be able to reach out to firewalls, block IPs, URLs, indicators, hashes, isolate devices, you know, kill devices, power them down, etcetera. So definitely have, you know, full functionality to respond. You know, as far as, like, ripping cables and all that, when something happens, you know, you gotta understand that it's never a fire drill like that. For 1, if if service providers are running in a fire drill like that, then they got a big problem on their hands.
Chris:1, they're not getting anything done, and they're not being effective. There there's a lot that goes into a conversation before you would get to incident response. And I really think that our whole space kind of splits incident response out versus response. We we as a company provide response all the way down to the eradication level. So what that means is that, you know, if we can if we have access to an endpoint security solution and you have console you know, remote console, if the directory is plain Jane, we know it's not supposed to be there, the file, whatnot, we can blow that away and eradicate for you.
Chris:In the in the opposite scenario, if we go through all this process, we we're trying to figure out what it is. We're asking questions. You can't figure out what it is. We can't figure out what it is, and we have to move to forensics. Then that's where incident response comes in, and they need to notify their insurance company that and figure out can we do the incident response?
Chris:Or do you want, you know, is that are they is that third party bringing in, like, a breach coach, for example Yeah. Or whatever they call their responders. Okay. So so that's kind of the approach from an escalation standpoint. Knowing that we have live chat on the platform, everything goes through the platform.
Chris:Customers, a lot of times, these escalations, they know the answer right away. They wanna go in the platform, they wanna respond, and they wanna hit the close button. Once they hit the close button, their response goes into the runbook. The next time we see that same incident, we know how to respond. We don't have to impact the customer.
Chris:So our customers do like us because of our effectiveness when it does come to escalations. We run a 0.1 percent escalation ratio annually year over year. Basically, what that means is our team is 99.9% effective from start to finish in every investigation year over year.
Max:So you say 0.1. So 0.1 of events that you're seeing is what actually ends up being escalated to your customer's team.
Chris:Or a question has to be asked.
Max:I I mean, the amount of noise that that counts sound like, I mean, that should probably be your, like, your lead in of, like, you know because the amount of noise that I mean, this is, like, my favorite thing. You, like, you implement an IDS, IPS, some sort of, you know, thing, and you say, okay. In fact, an IT team did this, and I say, let me see your, email filter where you've created auto auto filtering rules in Outlook to, like, just shove all your IDS alerts into this folder and never look at it again?
Chris:It's everybody. I mean, you know what's bad about it is that's everyone. Right? They're like, wait a minute here. You need to tell me every time I get something assigned to me, it gets it sends me an email?
Chris:Well, that's getting filed. But you're like, oh god. Yeah. 24/7/365,
Max:just the email coming through. So you're connected to the Internet. What's the first thing that happens? It's like, as soon as you plug your your your network into the Internet, it's like you're getting scammed by everything. Right?
Max:You're just like, oh, good grief. Okay. So that reminds me of a of a very famous and depressing hack. So Target had an incident many years ago. This is very public.
Max:And they ultimately found software installed in their point of sale terminals that was skimming credit card numbers straight out of the POS terminal. So you go swipe your credit card. Boom. It was getting packaged up and shipped out. So, and kudos actually to, like, releasing, like, the root cause analysis, and the root cause comes down to an HVAC contractor who had access to their store networks in order to monitor and maintain their HVAC systems.
Max:You know, small, you know, perceptually much smaller than Target. Right? Wasn't spending millions of dollars on their cyber. Who knows if they were spending anything on it. Right?
Max:I mean, they're an HVAC company. Why do we need to have cyber cybersecurity? Right? So, that's not the depressing part for me. The depressing part for me is that Target had a third party monitoring their network and paying attention to what was going on that was alerting Target, that was escalating to Target this stuff is actually going on and you need to do something about it.
Max:And those escalations were being ignored. So let let me ask you the uncomfortable question, which is, you know, you have a customer and you know something is seriously wrong going on with that customer. And, you know, whoever that that escalation path is is like, hey. You know, it's a company party. I'm not dealing with this stuff.
Max:I'm off getting drunk right now or whatever is going on or just I just don't feel like responding to this stuff because I'm disgruntled or I'm I'm I'm just I'm I'm overworked or whatever things are. Like, how do you deal with that as a service provider? And, like, what have you had to deal with this? And, like, what did you do?
Chris:So you always have everyone has the customers that don't respond. So what you organically have to do is you just have to do more for them. You have to note that, 1, if you were going to escalate to them, it's ultra critical. The other thing is that you have to be the 1st and willing to respond for them knowing that, potentially, they might not respond. So if something is ultra critical like that, it's malware has been executed.
Chris:We're gonna go ahead and put that device right in isolation until we can review that with the customer, try to figure out what that is. Therefore, if it's 3 AM, they don't have to get woken out of bed. If they're at a company party, they can party it up. We can address it when they get in the office, we will mitigate the exposure. We do that for our customers.
Chris:And we've also built in, some unique use cases, leveraging combinations of threat intelligence, data deduping, and historical runbooks from the customer itself, and and actually combine that together looking for, you know, commonalities or miscommonality so that we know how to respond as well.
Max:So So I I think
Chris:tons of tons of different things built in the solution for that.
Max:Probably second part that you should have on your website. You know, first thing, we escalate nothing to you, and the second thing is is we'll take care of it when your employees don't. Right? Like, it's you know? And and it's
Chris:like that. We'll take care of it when your employees don't.
Max:I'm I'm telling you. You know? We'll work for, bottles of booze being sent to my house.
Chris:Only the finest bourbon, though.
Max:It's so hard to ship bourbon, though, in the US. Right?
Chris:It's getting it's even harder and harder. I mean, it's, yeah, harder and harder. There's a couple a reserve bar, I think. There's, I'll get you a can out. My our chief compliance officer is a huge bourbon guy, and he found a couple distilleries that got that they'll ship anywhere in the states.
Max:So I don't know how they'd pull it off. I I was I was in Nashville. I went to Jack Daniels because I was like, yeah. I'm in Nashville. Like, I'll go to Jack Daniels.
Max:And I I pulled the ultimate rookie mistake of, like, I'm gonna buy bottles of Jack Daniels. It's, like, engraved from Jack Daniels for, like, friends and family and stuff. And then, of course, it's like, no. No. No.
Max:You have to put this in your luggage and check the bag. And, you know, like, your bag's, like, clinking.
Chris:300 pounds full of jack on it.
Max:And I just have this moment. I have this, like, visualization of, like, this bag coming down the conveyor belt where it's just, like, seeping out out of the way.
Chris:I know. So nightmare coming back from Hawaii for sure. Right?
Max:You can ship wine. You cannot ship liquor. And I'm like, why did I I mean, of course, like, I've never you know, these are the the things that, like, until you try to do the first time, like, why would you ever think about it? And I I I kind of I'll I'll connect that back to security where it's like until you've had an incident. Right?
Max:The stuff you're like, why should we have this? You know? You know? I think the hard the hard part is is, there's tech and there's tools that solve almost every problem. You know?
Max:Like, maybe you just don't know the Rosetta Stone. You don't know how to translate the problem you're trying to solve into technology you're trying to solve it with. But, like, almost all this stuff is solved. It's now just, did we implement it in time? You know?
Max:Like, backups are a solved problem. Do we have backups? Do we test our backups? You know? Do we have an EDR?
Max:Could we do forensics? Could we unwind changes? Could we do we you know, Ubiquiti. Right? Ubiquiti wired $40,000,000 to some bank, you know, because they convinced the controller that they were buying a company that was being that they couldn't release because whatever.
Max:And, like, they're like, oh, yeah. Sure. $40,000,000. Email. Email based threat.
Max:And $40,000,000 goes out. You know? And and you you're like, okay. Great. You know?
Max:What do you what do you do here? And you're like, well, you know, there's actually turns out there's tech that'll help you prevent this from happening to you, and then processes processes and people. Okay. Chris, we've been at this for a while. What have we not talked about?
Max:What, what what what, I don't wanna say, like, final words here, but, like, you know, how do, you know, what what are next steps? What have we talked about? You know, like, where do we go from here?
Chris:You know, I think the one thing that I'll add is that everything that you think that you should probably just be doing on annual basis, you know, or on a schedule probably needs to be done more regularly, more often. And also, you know, you need to have people in your back pocket that can help you crunch data, numbers, scenarios.
Max:Mhmm.
Chris:And without those teams pre enabled, you're always going to be chasing. Cybersecurity is not something you want to chase. Cybersecurity is something you want to stay ahead of. And you can significantly stay ahead of it with the right service providers, the right products, the right service, and also, most importantly, educating your front line, which is your employees, and then also making sure that the low hanging fruit stuff like configurations and all that stuff is not where you're susceptible to attack. Right?
Chris:You know, to answer your question around, you know, every you know, there's probably a solution out there for everyone. Yeah. Definitely. There's there's tons of solutions out there, but there's still 0 days. Right?
Chris:And the combination of 0 days and how you, you know, can discover them and also, you know, start mitigating when you discover them does come down to visibility. You know, you mentioned the Target attack and, you know, I think if I recall in the Target attack, how they actually found the activity from those terminals is by using a network detection and response solution, i.e., packets. Won't name the vendor, but it happens to be in our stack. And they were actually able to detect the connection events, therefore start the remediation path. You know, if you're out there doing and looking at things like NDR, these are the use cases, you know, that is why these technologies were developed.
Chris:It's really hard to see in real time what's going on. But if you have the right tools in place and the right visibility, those persistent ticks, data movement, and all that, you can start seeing this and you can analyze it and break it down and visualize it. So, you know, the one thing I'll add is, you know, you gotta stay ahead of it. You gotta you gotta invest in learning about it. I'm not saying you gotta buy it, but you gotta educate yourself to understand what what the whole space is about as a company, to understand then what your risk is at an organization.
Chris:And then if you're in a role where you're responsible for these things, you need to always be educating because this is moving fast. And it's moving faster than people, and which means that the space is moving to, you know, kinda move people out of it. Right? And and, you know, and those are the things I think and I think customers the scariest thing to add and what's good probably on your side of the house is, you know, customers need more assets. They need trusted advisers that understand this stuff.
Chris:And when I say understand it, they understand the baseline of being able to ask questions and deliver it to an expert so the expert can analyze it, give you information that you can deliver back. The companies, the people like yourself, Max, that have the ability to do that, now is the time and the opportunity is riper than ever because customers are underserved. And you guys in in the partner community and in your seat, Max, you guys have the opportunity to shape their future by educating them.
Max:The average tenure of a CISO is, like, 18 to 20 months right now. And when you when you think about, the longevity of program, you know, like, 18 to 20 months. And and by the way, CIOs are also in the 2 year cycle. You know? Like like, senior executives in the IT world, you know, really seem to be on a 2 you know, it's like this 2 year cycle mark is pretty common.
Max:And and it's actually not even senior executives. That's senior engineers. Like, the 2 year cycle is is is you know, comes all the way down. It it's almost it feels like to me at a certain degree that, like, the most valuable contribution that a person can give to you as a company if they're gonna be on this 2 year like a CISO. Like, the most valuable thing a CISO can do for a company in 18 months is establish program and vendor relationships that are gonna last 3, 5, 7 years.
Max:Because then at least there's a longevity of engagement where, you know, this was implemented. This is why and I mean, just being it's crazy to think about it. Like like, you know, from, like, a knowledge standpoint and being able to say, like, this is what happened 4 years ago and what we did as a result of it. Like, if you don't you you know, like, you you can't assume that you're gonna have that sort of knowledge base inside the company anymore with people that were available, but yet who does? The the people that do are your 3rd party, your MSPs that you've actually engaged that can that can run with you for, you know, a long span of time and actually provide that, you know, continuity along the way.
Max:So so I think, you know, I'm a I'm a I I I'm a when you think, like, build versus buy, you know, historically, my brain always goes to build. Like, I I'm an engineer. I love building. But the value in building is so greatly diminished now that being able to actually buy and implement and manage, it's just you know, it just feels like it's a no brainer for me to go that direction. Anyways
Chris:Yep.
Max:I will get off my soapbox. Chris, thank you very much. It's a pleasure. Yeah.
Chris:Thanks, Max. Look forward to playing some more golf with you this year, man.
Max:Oh, yeah.
Chris:Getting some other stuff going. So thank you for the opportunity. We on behalf of my whole company, appreciate it. Thank you for thinking of us. And, you know, definitely thanks for being, you know, a true trusted adviser out there in the space because, I mean, again, couldn't reiterate enough.
Chris:This is what customers need. This is what customers need in their back pocket, and trusted advisers outlive employees at these companies. So, you know, if you wanna be resilient and not worried about, you know, that 2 year life cycle, this is this is a solution for that. And conversations like this definitely enable them. So thanks for, you know, including us on this, Max.
Chris:We appreciate it.
Max:Yeah. I mean, Chris, I'll I'll end on this. Like, it's easy. If you're a if you're a big company, a Fortune 100, and you say, okay. We wanna go out and solve a solution.
Max:Let's go get another Fortune 100 to solve this problem for us. You can find those programs, and we have them, and we deal with them, and and we like them. Right? But that's not a good fit for everybody. And and and you you talk about, like, white glove and an onboarding.
Max:The bigger you get when you say, you know I won't I won't abuse anybody's names here. But the bigger you get, the more regimented your process has to be and the more a customer has to conform to your process in order to be actually go through end to end in your process. And I really like I don't wanna say, like, the smaller companies, but I really like the companies that are still being able to provide, like, one off individualized that you know, because as much as everything is the same, it's that little, like, 5% of difference that makes a huge you know, that's that's everything in the world. So yeah. So yeah.
Max:Big fan. Alright. Thanks, Chris.