Xcitium: Unleashing the Power of Endpoint Security for Complete Business Protection (Guest: Dani Pickens and Tim Bandos)
It's it broker.comtechdeepdive. I'm Max Clark. And I'm here with Danny and Tim from Exidium. And today, we're gonna talk about MDR and all things Exidium and and really what the world means now. So, Danny, Tim, thank you for joining.
Max:And, why don't you introduce yourselves and share your official titles, and let's and let's get into it.
Dani:Yeah. Yeah. Thanks for having us. We're really excited to be here. Danny Pickens, RVP of channel sets for our western, region, and I will turn it over to mister Bandos.
Tim:And I am Tim Bandos. I'm our executive vice president of SOC Services, so I run our managed detection response.
Max:Okay. So you should know a few a little a little about what you guys do then. Let me let me let me tee this up here, and I'll prompt you. Exidium is a acquisition merger roll up rebrand is is what I understand. So there's a lot of history that goes our if you just look up Exidium, you find a very short amount of details.
Max:So then if you actually start clicking down into it, you find a lot more. So can you give me the backstory in how Exidium came to be and and, what you guys do and where you fit in the market?
Dani:Yeah. Great. No. You actually nailed it. It is a rebrand.
Dani:We rebranded as Exidium last year in 2,022, but we have a long history, in the SSL certificates as the brand Komodo. And so as we started to move forward and look at this next gen technology and cybersecurity, services for endpoints, we knew that we needed to have this new brand that we could move forward with with that vision and long term strategy.
Max:I'm old enough that I've actually purchased SSL certificates from Komodo. So that name, I'm
Tim:fairly familiar. Dates back to 1998. So, yeah, we we we definitely won't bet.
Max:I'm definitely old enough. So what is Exidium now? What are you guys focused on? What do you do? What separates you from the pack?
Max:You know, high give me high level, and then we can get into the weeds.
Tim:Yeah. I mean, the way I look at it, Excedium, I mean, we're a complete endpoint protection platform that offers, you know, people and process behind that technology. Right? So we offer managed detection response, XDR, you know, extended detection response. If you want us to consume third party data sources and monitor that activity as well, we do that.
Tim:We've got a 24 by 7 SOC team. We got reverse engineers, malware analysis. You know, we build out a complete stack of capabilities to address all of those different needs. So next generation antivirus, firewall, post intrusion prevention. We got something called auto containment or zero dwell containment, which I'm gonna discuss a little bit later.
Tim:And then on top of that, we wrap all those services around it.
Max:I don't wanna throw you completely off the rails. I'm gonna give you 2 keys here, and talk me through this. Let's go start to finish, and I'm gonna take some notes. And then I'm gonna we're gonna get into it because I've got, I don't know, probably, like, 500 questions already, so I don't wanna get too distracted.
Tim:That sounds that sounds great. Let's go then. Yeah. I I tell
Dani:you what. Just to kinda talk about who Exidium is, what it looks like. I'll start off with just a quick slide to cover the company information, and then we'll get into the real, fun stuff with Bandos showing what exactly our platform looks like. So I will share my screen here. Alright.
Dani:So to recap, founded in 2022, but again, that was from our rebrand. We have a focus around the endpoint security. We have our Exidium's patented 0 dwell technology, which we're excited to show you today. But it uses kernel API virtualization to isolate or move threats like 0 day malware and ransomware before they cause any damage. We have 6,000 plus customers that we're working with and servicing today and 27 patents here that know that's gonna really be a big part of our strategy and how we go to market with that 0 dual technology.
Dani:We're not sharing that with anyone else. Right? It's a little bit of a busy slide, but, again, wanted to condense this to get over to the real fun stuff that Bandos is gonna walk us through. We do have some fantastic awards and accolades. One of our latest that we've not had time to put on here is from Frost and Sullivan.
Dani:We won their, 2022 strategy, for cybersecurity. And down below is our NASCAR slide as I like to reference it. Some of those great customers that are in our customer base of those 6,000 plus, folks. You see Shell, UPS Store, Jimmy John's, some really fantastic, logos there that we work with.
Max:Part of Exidium is you have your own endpoint. And this is software that you wrote that was developed originally under the Komodo name, and then part of it was open sourced and released. I mean, I found, I think, a GitHub repo for this. So is is that still part of this portfolio where you're basing your MDR, XDR, EDR endpoint services on top of your own IP for this for this endpoint?
Tim:Yeah. I mean, back around 2017, 2018 is really when when we started to develop this technology. Right? The whole endpoint protection platform. And one component of that platform is endpoint detection response.
Tim:So EDR technology. The ability to collect telemetry process creates registry activity, you know, things that you typically see from other EDR vendors. Our, you know, founder of this organization wanted to open source this. He believes detection should be free. Right?
Tim:We gotta make some money, though, so we charge for protection. But detection should be free and available. So we open sourced that just recently. So anyone can go out to GitHub, download it for free. They can, stand up their own environment, or they can even leverage Exidium services and our back end for free for for 3 days storage.
Tim:So they can install the EDR agent. All that data can go up into our Exidium SIM. We give you these nice beautiful visualizations, capabilities for alert triage. Once again, 3 days for free. Not a problem.
Max:I feel like a lot of companies right now, when they're looking and they're and they're dipping their toes into cybersecurity, you know, it starts with, like, endpoint is usually the first thing on that list. Let's go find an endpoint. From there, it turns into, okay, how do we manage this? And then it becomes, what do we layer on as well? Right?
Max:So SIMs come into play, and then this fire hose of data starts coming into it. So for companies that are somewhere in that journey already, you know, they've they've purchased an EDR. They're looking at, you know, rolling out E5 Security from Microsoft. How does that story change, with Exidium? I mean, are you are you taking that EDR that already exists and feeding into your platform if they're going MDR with you or or XDR with you or end up being a replacement where you're gonna take and and display set EDR that's already in place and use your own tech on those on those desktops?
Tim:Yeah. It's a great question. I think, you know, we do a little bit of both. We have the ability to ingest additional EDR data sources. But, you know, really, our go to market strategy is to replace.
Tim:It's a rip and replace. Right? Because we think our technology is the best. We have, you know, protection capabilities layered in with all that additional visibility. We wanna leverage our own technology to do that.
Tim:However, if organizations are already signed up with other EDR vendors, that's fine because there's other data sources for us to additionally monitor, you know, for XDR services. So we'll layer in that as well. So if you wanna consume firewall, you know, Office 365, cloud services, all those integrations are built into our technology. And we we take all that data and store it in our centralized SIEM as well up to a year's worth of, you know, queryable data. And we'd also do, you know, advanced correlation rule sets against that dataset.
Max:This is becoming a a bigger and bigger spaghetti mess for people where it's you know, we started with this thing where we had Splunk for centralized logging data, and then we turn it into our SIEM. And so now we've got this thing that we're feeding data into, and what do we do with it? And then we went out and we got this EDR, and then we need to figure out what to do with it. And then we decide that we need incident response capabilities or remediation, capabilities. And I feel like a lot of the conversations I'm in with companies and with our clients is is just trying to take stock of what's already deployed and and what can be replaced, what can't be replaced, what's invested, what's not.
Max:I mean, just in navigating through that. So as you're dealing with I mean, you've got organizations, you know, your NASCAR slide, you've got big names there. This isn't like you're gonna go walk into some some, you know, multi tens of thousands of seat company and say, okay. You know, go and rip out everything that you have. But how much of that journey really comes into that conversation of trying to take stock of what's there and figuring out how to I don't wanna say, like, rip and replace isn't necessarily always available with people.
Max:Right? It's just it's, you know, there's just a a time in people.
Tim:You're right, Max. You know, the rip and replace strategy is probably one of the most difficult. Right? Because they're already familiar with the endpoint technology they have. They're already familiar maybe with the name that they already have.
Tim:Excedium hasn't been around a long time. Komodo has, but our technology, you know, since 2017, 2018. So how do we prove ourselves in the marketplace? One thing that we do do, for from a go to market strategy is we layer in our auto containment technology. So, if a customer already has a CrowdStrike or maybe they're just leveraging Windows Defender, we can take our patented technology, our containment piece, where we block unknown threats, right, and add an additional layer of protection, you know, for the the customers that focus on that unknown activity.
Tim:That's what we're gonna talk about a little bit today in our slides of how we approach cybersecurity and how we prevent unknown threats from even executing in the first place. And then we layer in, you know, MDR services, etcetera, if if if they wanna subscribe to that.
Max:I'm very interested in in understanding more about this. And at some point, I'm really curious also for your definition of MDR versus XDR because I'm seeing you know, there's there's this big push always in tech marketing of, like, let's layer on a new term and try to own that term, but that term doesn't really mean anything. And then other people start coagulating around that term. So
Tim:Yeah. No. That totally makes sense. Should we just dive right into it? Go start going through the slides?
Tim:I agree. It can get confusing. Let me see if we can kinda clear that up. Let me share up my screen here. Alright.
Tim:Exidium Services. So let's just go right into it. We'll skip this slide about me. I'm important, but not that important. Let's go into Exidium Services.
Tim:Alright. So we offer this a variety of different ways. Right? So we have something called Exidium Advanced. This is for customers who just wanna leverage our technology stack and manage it themselves.
Tim:We have advanced endpoint protection, which includes, you know, next generation antivirus, hips, firewall. They have that zero dwell containment capability, which I'll go into in a moment. We have endpoint detection response, which is that visibility arm. Right? So giving you root cause analysis of how something, you know, ended up on an endpoint.
Tim:You know, we do a great job of blocking malware as soon as it, you know, drops, and stopping it and preventing it. But customers also wanna know how did it even get there. Was it an end user that clicked on a link or an attachment or went to a drive by download site? This is all important from, you know, a security awareness perspective or, you know, additional security layers that need to be applied or improved upon. And then we also have this endpoint manager feature as well, where we have patch management capabilities.
Tim:We have the ability to remotely, you know, desktop into additional devices and manage mobile devices. Right? So we kind of give you a full, you know, you know, technology stack, right, of of next gen antivirus, EDR, and then RMM, remote monitoring and management capabilities as well. So that's the Exiting advanced package. That's if customers wanna manage themselves up to them.
Max:You said it twice. So you're including, in advanced, patch management and RMM with the service?
Tim:I am.
Max:Okay. That's huge.
Tim:Now for customers who are you know, wanna slightly manage it, maybe they wanna manage the technology, but they want, you know, someone to triage the alerts that are coming in, we offer something called MDR guided. Right? It's it's really just alert triage analysis level one, you know, analysts looking at alerts that are coming in. Right? We'll generate high fidelity threat notifications based on that activity that comes in.
Tim:But that is one component that we can if customers are just dipping their toe into the MDR field. You know, it's it's hard to call it an MDR, but it's slightly managed. Right? We're we're really just kind of offering some SOC capabilities there. Where we really go to market, though, and what we've been focusing on over the last, you know, year is is providing a full end to end managed service, whether that's called Exidium Managed or Exidium Complete.
Tim:Right? So those are 2 different services, the fully managed service offering and one that includes extended, you know, detection response. And I'll show you what that means in a moment. The way that we look at it is, you know, 4 primary pillars in in terms of offering an MDR service. This is how I at least perceive it, you know, along with Excedium.
Tim:Right? Is is, 1, having that complete visibility component. Right? And this is where we provide our technology, the advanced protection, our EDR. And then we have something called, network traffic visibility.
Tim:We have a network sensor that can be deployed to environments that wanna have that, you know, XDR, you know, flavor. So this provides packet inspection. It's got a built in IDS. It has the ability to also ingest third party data sources. So if you want us to consume Windows event logs, active directory logs, firewall logs, Linux logs, any log source, we have the ability to do that and then send it to our Exidium SIM for alert
Max:Is this a physical appliance or a virtual?
Tim:It's a virtual appliance. It comes as an ISO file. It can be downloaded and deployed as, you know, much as they want, right, throughout the the environment. And, really, what we do with that data is we, you know, analyze it for anomalous behaviors and trends and identify, you know, root causes of, you know, particular attack vectors. And this goes across endpoint network and cloud.
Tim:So we have integrations with cloud sources as well. On top of that, we have our SOC team. I know you're gonna think I'm crazy after this one, but, you know, we do offer the 247, 365 digger iron glass, but we also offer for free at no additional charge instant response services. And when I say instant response services, I mean full end to end digital for on, you know, digital forensics and response. So if there is a breach in environment, right, we'll provide that that eyes on glass, that analysis, you know, a full breach report, neutralization, you know, from a to z, you know, walking in a client through an IR.
Tim:Now you might say, Tim, you you guys are an endpoint protection platform. Why aren't you stopping the malware? We do a lot of that, but there are, you know, certain situations where maybe there's a vector that's open. Maybe, you know, a client stands up an RDP server and forgets to install Exidium, or there's some vector that we don't have visibility to and they move in laterally like a supply chain attack. Alright.
Tim:You can still be breached even though have even though you have, you know, an endpoint protection platform in place. And we'll provide that IR, making sure that we neutralize that threat and that, you know, they aren't successful, you know, in the case of, like, in a ransomware being deployed, right, throughout the Wait.
Max:You're probably gonna get into this in response a little bit here. Actually, talk about response, and then and then I'm gonna ask this question.
Tim:Yeah. The real time response, right, we're enabled through our technology. And this is that r m capability that allows us to automate forensic collection, block activity in real time. We can isolate endpoints from the network. We have the ability to executing custom commands or custom scripts or third party tools.
Tim:And when you have that capability, the sky pretty much becomes the limit. You can do whatever you need to do, right, across a fleet of devices, and that's incredibly useful during an IR. Right? Because then you can start pulling back all that digital forensics that you need, right, memory analysis, and then provide those answers near
Max:There's a there's a pretty big line. Right? We talk about a company that wants that's looking for tools and a platform, and they wanna manage themselves, and then a company that wants tools and platform and advice and expertise, and then a company that wants, or a CIO that wants, hey. I don't want, like, to worry about somebody calling somebody and looking at something at 2 o'clock in the morning. I just want it taken care of and dealt with.
Max:Even if taking care of it and dealing with it just means unplug it from my network until we can deal with it on Monday morning. You know, talking through you know, going and going into RMM, if they're on a managed platform or a complete platform, will you quarantine, disconnect, disable, whatever you want? What terminology is appropriate here? You know, if some endpoint does something or or starts behaving strange or something happens to the network, at what point are you gonna be in, let's call it, auto mode for a company? Is that available to them?
Tim:It is available, and that all comes with the initial terms of engagement when we, you know, enroll or onboard the client because we wanna make sure they're comfortable with us doing that sort of, you know, neutralization effort. And we actually had to do this literally on Christmas Day of last year where we couldn't get a hold of a client, but he had authorized us pre authorized us to take any sort of action that we needed to take. We had saw some activity of lateral movement from a device that we didn't have axe we didn't have our Exidian, you know, technology installed on, we had to immediately start isolating, you know, the network. Right? So because we knew this was a ransomware operator, based on threat intelligence, you know, observed.
Tim:We saw their tactics techniques. We knew what what what the end goal was. So we immediately cut that access off to them until we're able to actually get in touch with with the CEO of the company. So because sometimes it, you know, just doesn't happen. It's difficult to get in touch with people.
Tim:We we escalated through the whole chain. But, thankfully, we had those terms of engagement in place prior to that event occurring. Otherwise, they might have been successful. Right? Because there's only so much we can do as long as they authorize us to do so.
Tim:But that is part of
Max:How would you go about dealing with that? Because, you know, some some people talk about, hey. You know, we have a network appliance that's plugged in, and we can issue TCP resets. So that way, we can effectively disconnect something from the network by just not allowing it to talk to anything else to the network. Others will focus on saying, okay.
Max:We're gonna have access to your network equipment, and we're gonna have, permissions to your firewalls or permissions to your switches. If you've got your agent running on a desktop, maybe your endpoint running, right, you have control and you have access and visibility to that endpoint. But if you have something a fish tank. Right? A fish tank is compromised.
Max:You know, what's what's the, like, general approach in order to take action if the without the client, if the client gave you, you know, permissions to take action on their behalf and you can't reach them?
Tim:Yeah. I mean, that's a nightmare scenario, to be honest with you. If there's a fish tank infected and we don't have access to that and we can't get in in touch, it's possible. It's happened. I'm sure that can happen.
Tim:It has happened.
Max:Right? I wish that was an imaginary story, but,
Tim:like It's not imaginary story. Yeah. I've I've been a part of silly crazy cases like that as well. We've had telecom employees come in backdoor the routers. Like, how do you even detect that, right, when it's an employee of another company, but they're working for a nation state?
Tim:It's impossible to detect. But it's a great question. Like, what do you do in that sort of scenario? We would do everything we could to get in touch because we don't have access to network devices. Right?
Tim:It's a like, we can only do so much with our network sensor in terms of IDS and, you know, doing resets. But, yeah, if we don't have access to that aquarium, that's a problem because they're gonna attempt to, you know, continue to move laterally, especially if they have credentials at that point. You know, it might even come down to us executing commands to, you know, block out accounts. Right? Because we have complete domain administrative access with our technology.
Tim:I mean, you can log in to the AD as a system user and then start running commands. So those are doomsday scenarios. We haven't had to do that yet, but it is available at you know, to us.
Max:But it's there. So, I mean, the the point of this is if it got to that level and people are at a Christmas party and have had too much punch, you're gonna take care of it and do whatever you know, if you if they've been if they've if they've said and signed up and said, we want you to to take care of this, and if you can't get a hold of us, go crazy. Do what you need to do. Like, you're gonna do it. Okay?
Tim:I'd have to leave my Christmas party to do it, but I would do it because that's what I've signed up for. That's my job. Right? So, yes, that that sort of scenario does happen. That's a great question.
Tim:So kind of back to where we left off on the RMM piece. So in addition, right, to all those different capabilities in terms of response, you know, we also have that patch management visibility and the ability to, you know, patch operating systems, patch third party applications. Right? So we can run reports to see if there are any vulnerable devices and what those vulnerabilities, you know, look like from a criticality perspective. And then with a click of button, we can patch those, you know, those devices.
Max:So mobile device management. I mean, are you talking cell phones here, iPhones, Androids, tablets? Okay. Interesting. So, how deep are you getting into the MDM or UEM space with this software?
Max:I mean, is this something that you would displace an Intune with? Or, you know, I mean, how
Tim:I'm sure my company would love for me to say we can displace that. But the way I look at it from a range of capabilities, you know, we have the ability to wipe. We have the ability to apply policies, you know, to prevent applications from running and white listing. We're not, like, a full suite. That isn't our core, I think, capability, but we offer it, and it's available to customers.
Tim:And we do have a good number of customers that do leverage it, you know, as a service. But I don't it kinda depends, right, on, you know, the size of the customer and what they wanna do because if it satisfies those use cases, then
Max:I have some organizations that are trying to hit adhere to NIST. Cope. So they wanna have a corporate owned personally enabled device, you know, a cell phone. So right now you have to have containers on that cell phone to actually say, okay. We can remote wipe the corporate data on this device so we can inspect traffic interacting with corporate data, but, like, we're not gonna delete your photos off the phone.
Max:It's a very specialized kind of MDM UEM, you know, platform for that. Data can only be accessed by corporate owned devices. And so then how do you deal with that? And and it's and you kinda, like, touch into these things where it's, like, it's not really a CASB. It's not really a DLP rule, but you have this kind of thing in between where it's, like, we wanna make sure that we have a certificate on a device and that certificate is inspected.
Max:And it's a relatively lightweight thing to say, okay. You know, push out this config, but it still has to be there and be in place. And and, you know, then you you get into this dialogue around how many different agents are running and how fat you know, how much resources do you have on a machine and, like, you you know, that becomes an interesting conversation.
Tim:It does. And, you know, to get to that level of granularity, it's, you know, we're just not there. Right? From our perspective, we off, I mean, we even offer a DLP functionality where we do light DLP for data loss prevention, but it's not a primary, you know, go to market strategy either. Right?
Tim:It's just if you want us to stop or prevent PCI or, you know, HIPAA data from leaving your organization, we can have a rule that that does that. But we're not like, you know, I was gonna say Digital Guardian because I was the last company I was with that just got acquired. But we're not like a Digital Guardian with a full range of capabilities and data loss. You know? So I I think it comes down to use cases.
Tim:Right? Yeah. Like, what are you looking to solve? And if it's light, then we could definitely solve it.
Max:I'm still surprised to see these bullet points on the slide. So I'm I'm I'm just digging into it a little bit.
Tim:You know, on in terms of, you know, how we you know, where we also get augmented is is our threat intelligence piece. We got something called the Exidium Verdict Cloud, which is kind of similar to, like, a VirusTotal, but not in the sense where we have a 1000000 different AV engines running. It's really just our own. But, really, what Exidium Verdict Cloud does is it verdicts every single, you know, sample that, you know, is collected, either it be, you know, trusted. Or if it's unknown, we do a static analysis, a dynamic analysis of it, and we provide a verdict to it.
Tim:You know, is it safe or is it malware? And this ties into, you know, our unknown protection, right, our containment capabilities, which I'll show you in a moment. But it's nice because you can search any hash, you know, on the site, and it's for free to sign up too. And you get all the metadata details associated with that binary, what it does dynamically, you know, what what you know, where we would put that in terms
Max:of the threat. Like, is it a piece of ransomware?
Tim:Is it a backdoor, a rootkit? So it's got a ton of different features in terms of, you know, the the amount of data that we report on each and, you know, every individual binary that gets uploaded. We got a team of around 40 plus, you know, threat researchers and reverse engineers too that, you know, is in this organization. So they're working day in and day out, you know, looking at binaries all the time. Then on top of that, we also do, you know, behavioral based rules and, you know, MITRE mapping, you know, to the MITRE ATT and CK, you know, framework.
Tim:And that gets layered in with our our our EDR telemetry as well.
Dani:And, Max, that Exidium Verdict Cloud, that's actually public facing. So you can go to our website on that and see that anytime. It's really cool. We'll have to take, take a look at it later on.
Max:You know, having having threat intel or or having something where you're taking and you're taking, you know, cert feeds and and you can and you can correlate this. The nightmare scenario for most organizations isn't necessarily like there's something that matches a signature that's already known. It's, you know, it's these modified binaries, you know, true zero day attacks, you know, things that that look okay but aren't okay. And it feels like the percentage of that is actually increasing. You know, now, of course, with all these different AI tools and stuff coming out and when we look at, like, phishing attacks and whatnot, you know, the sophistication is increasing because they have just access to they can increase the volume of what they're you know, what an attacker is actually doing, and it's easy for them to increase that volume.
Max:How does, like, the 0 day factor into all these things? Like
Tim:Again yeah. I mean, it's a it's a great another good question. You know, I was used to work for a large manufacturing company, 200 plus year old company, had, you know, millions of trade secrets. Every single, you know, incident that we ever worked, you know, in this particular organization, every single indicator was not something known to the world. So there's no threat and tell, you know, list or feed that matched up with that hash or matched up with those capabilities.
Tim:Like, yeah, maybe the techniques that the adversary used, like, maybe they used 2 letter binaries, like tv.exe out of, you know, a particular directory. Like, the behavior was maybe something you could line up, but there's no threat intelligence that could have mapped to that. We dealt with that every single day. You know, we subscribe to a 1000000 different threat intelligence sources as well. Nothing helped us in that particular field, which is why we really always focused on the behavior.
Tim:Right? Like, you know, lateral movement activity. So if you know, just because the name of the binary was tb.exe, if you look at some of the other metadata, it might have been, you know, sysinternals ps exec. So if you see those 2 as a correlation rule, that that's a mismatch. Right?
Tim:Like, we know internally no one would ever use, you know, a renamed, you know, binary such as PS exec. So it always kinda comes down to, you know, when you're doing threat hunting or pivoting and looking through that data, those are the types of things you gotta look at. Like, what is normal behavior versus what kind of stands outside those lines? And that's where you start to identify, you know, potential 0 days. You know, one thing that we used to do with looking for, you know, beaconing activity, command and control activity.
Tim:Right? We would, you know, aggregate all that data. We would look at all the sites that it went outbound to, and we would look for, you know, pings, you know, once a day to us, you know, specific site over a week period. You know, if we only saw 7 over the course of 7 days, that might be indicative of, you know, a command and control, like something phoning home. No.
Tim:That type of stuff was and we were hugely successful back in 2008, 2009 with that approach because malware, you know, was, you know, pretty straightforward from that perspective. That'd be it becomes harder today. Right? The beginning activity, you know, going out to Twitter and pulling down something from an image file and then doing something. Like, how do you detect that?
Tim:You know what I mean? It becomes more of a nightmare scenario for us.
Max:20 years ago, I was working for a company, and I was asked to block Yahoo, Instant Messenger. And we started going through it, and it turned out that, like, it would start failing back into more and more commonly used services. And, like, one of the last fail over you know, failbacks was, like, actually going to yahoo.comport443. And you're like, okay. Great.
Max:How do we block this? Right? You know, like, it's like, okay. I can block this now, but we have to literally block all of Yahoo traffic in order to block this thing. It was it was really impressive.
Tim:It becomes impossible. Yeah. I mean, we had a threat actor one time leverage our internal Microsoft link or what is Teams today, link server as a command and control. They were able to find a route out and, like, literally going I mean, going under the radar is another like, an understatement. We were only able to detect it because there was a a web shell that was, you know, beaconing that activity through our link server.
Tim:I'm like, what is this? So that's what once again comes down to, you know, kind of threat hunting and looking for these anomalies right across
Max:MDR services, you know, fit into kind of a defensive and reactive, you know, approach. Right? You're you're trying to, identify, contain, and then and then react and clean and remediate, you know, an event that's happened and taken place. And part of the security word soup that we deal with, you go into, like, more of these, like, I don't wanna say, like, offensive measures. But, you know, if you if you look at, you know, segmentation, 0 trust, secure web gateways, remote browser inspection, you know, these these other this other kinda, like, shell that's coming on.
Max:When people are looking at trying to decide, like, okay. Should I go out and deploy and go full sassy and have, you know, an agent with, you know, protected network Internet access with everything flowing through our gateways and and traffic everywhere and, you know, effectively segmentation on our network is should we do that, or should we go after the endpoint MDR, you know, IR, you know, side of it? Or what's the contrast there, and and how do people make sense of this?
Tim:I like how you said sassy. Yeah. Like, do you go down the sassy route? For sure. I mean, I think it I think it depends on, you know, the size of the organization, where they are at, you know, from a strategy perspective.
Tim:I think the end goal would be to kinda get to that 0 trust, right, functionality. But what's mind blowing to me, Max, is it's it's, oh, it's this low hanging fruit stuff that just still gets exploited. It's like 80% of these attacks a lot of times just happen because of a link that someone clicked on or attachment. Right? It's not something that's yeah.
Tim:Email. It's email. Like, that that is the primary vector a lot of times. Or once again, an RDP server that stood up and they have weak domain admin credentials on that server that they're able to brute force their way in. So no two factor authentication.
Tim:It's these basic controls that organizations just don't put in place. So even before you get to, like, the whole sassy and zero trust thing, like, just get the basics down first.
Max:I mean, at this point, you know, having some sort of 2 factor or MFA enabled on look. That's table stakes at this point. And there's a and there's a lot that don't run it, which is amazing. And, you know, organizations that are not on Microsoft 365 or are not on Google Workspace, It's just like, what are you guys doing? Move to one of those platforms and enable, you know, MFA and use that platform's MFA capability.
Max:And it gives you so much just doing that, which you're already paying for, which is, like, the core of, you know, of of collaboration and productivity at this point, it's like, just just do that. Start there. Security maturation model. Right? It's it's like, oh, you know, here's this ladder of of steps that come up to, like, you know, like, oh, you're down here with no security and you're the NSA over here.
Max:Right? And then they're like, now, like, pick, you know, pick which one you want. And it's like, there's it's not like, oh, I want, like, I want, like, a 2 out of a 5 on a scale. You know? It I think the security industry in whole is isn't really doing a lot of service for itself or, you know, or for its customers of what is the the steps that you take and say, okay.
Max:You know, we've got the basics. We've got 2 factor enabled, and we've got SSO if enabled. And we can we have an IDP and, you know, you know, identity. We have our identity covered. Now what do we do?
Tim:You know, they they call that the journey. Right? The security met, you know, maturity going through that entire journey. But I agree with you. It's, like, all rated on a one to level 5.
Tim:Like, how mature am I? I think it's taken those baby steps first, and that's why, you know, we we try to solve a lot of those problems with an MDR type service. Like, if you're not gonna do a lot of those table stake type things, at least monitor for it so that you at least know you have a problem or a threat, you know, within your organization. A lot of the organizations that we work with are smaller businesses. It could be like a dental office, right, that has 30 or 40 endpoints, but it still needs protection.
Tim:Right? Because, you know, they get held up for ransomware as well. And if they get hit by ransomware, they they might not be able to afford a $1,000,000 ransomware note. Right? So, you know, they don't look at security like we do.
Tim:They're not hiring a CSO. They're not hiring even probably someone ahead of, you know, security. It's just like an IT guy who wears a hat of security who might just dabble in it. And I don't think they're ever gonna get to that point, and that's really where we try to kind of wedge ourselves in. Right?
Tim:And is is a lot of times those organizations who need assistance who are that's why we consider ourselves MDR for the masses. Right? It's not just, you know, the large enterprises or organizations that have 20, 30000 endpoints. We've got customers like that, but we really try to also fit in those spaces where it's, you know, 500 endpoints, a 1,000 endpoints because they have no I don't wanna say I mean, I'm not trying to belittle them, but they have no clue from a cybersecurity perspective what they're really This
Max:the scary conversation I get to have is, oh, we've we've, enabled Defender and Sentinel from Microsoft. We've got it covered. And you're and you're just like, okay. I don't think you actually know what that means. You know, for most of these situations, it's an eventuality.
Max:Like, you will have a cyber incident. It's just it's an eventuality. And, are you prepared for it, and can you react to it? You know, become very critical for companies and and make a huge difference in the impact of the organization, the financial impact of the organization, the brand impact of the organization, you know, whether or not they're gonna recover from that event in the 1st place or not.
Tim:Yeah. And I think a lot of times, it also comes down to price point. You know? These, you know, smaller organizations don't have, you know, allocated budget for a lot of these advanced cybersecurity solutions. So, you know, Exidium saw that as an opening where let's make ours a little bit more affordable.
Tim:Right? We'll still make some gross margin there, but let's make it affordable that these smaller shops can have an MDR service and get protected at the same time. And we've been relatively successful. I mean, we've, you know, we've done pretty well over the last year and a half just focusing on that segment of the market because they can't afford, you know, some of the big names, which I won't drop, but, you know, some of the big names. So that's how we structure our MDR service.
Tim:You know, in terms of deliverables, they always wanna know, like, what do I get out of this service? This is what what we provide. Right? So the 247, 365 days a year eyes on glass and learning. That means level 1 through level 3 triage and analysis.
Tim:You know, we do weekly and monthly reporting. Do our customers look at all those reports? Probably not. But there's a nice lot of trends and stuff in there that will give them insight, you know, executive summaries. Here's the value that service is providing.
Tim:We do all the profound policy management so they don't have to worry about it. Right? They buy the technologies that from us, and we we do all the services and everything else on top of that for them. Just making sure that it's hardened for them. Because we've had customers who have purchased that one solution where they wanna manage it themselves.
Tim:I've seen them white list, like, their entire c drive and just allow everything to basically execute. I'm like, nah. That's gonna be a problem for you. And it was actually because they were like, we got infected. It's your fault.
Tim:But, unfortunately, it's not really our fault when you start white listing stuff like that. So we try to avoid that scenario.
Max:Show me a 100 firewalls. I'll show you a 100 allow everything outbound policies.
Tim:Right. Allow exactly. Allow everything. Right? At yeah.
Tim:That's at the bottom of the list. Right? And then we also provide that proactive threat hunting, active breach containment. You talked about threat, you know, live remediation support. That that's one of those deliverables.
Tim:Right? Like, take action on my behalf because, you know, I could be at a Christmas party, and I need your assistance doing that. And we also have monthly meetings with every single one of our customer accounts with the primary stakeholder. You know, just to make sure that they're receiving the value out of the service that, you know, they're expecting. You know, there are any sort of enhancements they're looking.
Tim:There are any custom requests that they'd like to see from us. We make sure we have that touch point with them so it feels like a white glove service, and they're not just a number, you know, as a part of our, you know, our overall MDR service. Just the final part point is, you know, if if if customers want that full end to end complete XDR flavor, and, you know, I use XDR. I really mean, you know, monitoring additional data sources beyond endpoint. You know, they could subscribe to that.
Tim:Right? Have the network sensor deployed, get network log traffic visibility. We can adjust all those additional, you know, event logs, firewall logs, and also cloud monitoring. And that seems to be, like, the winner. Like, everyone pretty much goes with that because they want everything monitored.
Tim:They just wanna sit back and, you know, have someone else deal with it. The differentiator. Look at that. Perfect timing. Let's bring it up.
Tim:So I call it the differentiator. We call it 0 dwell containment. You know, I mean, that's our marketing term. It's let's say an auto containment capability where what we're doing is we're virtualizing the hard drive, the registry, and the comm interface. Right?
Tim:So anything that is unknown, if it's an unknown hash to the world, if it's an unknown piece of script or code, we allow it to execute, but only in this container, basically, that exists on the endpoint. And there's almost negligible to 0, overhead as well. Right? We're not I don't wanna bring up the name, but Meromium from back in the day where they did a hypervisor across the whole device and brought everything down. We're a very small segment of of the operating system where we're intercepting those APIs, and I'll show you what that looks like kinda visually.
Tim:But we do it in a nice elegant way, and we have patents for this capability. So no other vendor can
Max:So registry and common interface is very much Windows specific terminology. Endpoints run a Mac and you have people in Linux and etcetera, or is this a Windows focused
Tim:tool? So so our our initial go to market was with Windows. We're active development for Linux and Mac containment capabilities. Right? You can understand some of the restrictions on Mac.
Tim:It's been difficult with all the changes, especially with that OS over the last couple of years. But that containment capability is absolutely coming. We do have a lot of the antivirus type capabilities, you know, within Linux and Mac, today. And we we support a ton of different Linux flavors as well. But that containment piece, isn't there yet.
Max:You know, Linux shipped, SELinux, I mean, I don't know, 10 years ago. And and, most of the distros enabled SELinux by default, and it became, like, this default policy for anybody running Linux just to disable SC Linux as part of their, like, install scripts. What's the user interaction or the admin interaction as this thing is going? So when you say, like, you know, 0 to 12 containment and it's it's it's virtualized
Tim:Yeah. The experience, so the end user experience, this is all configurable as well. But let's say, for example, a phishing attachment comes in, right, to an end user. They open up that attachment, and there's, you know, suspect code that's entrenched inside the PDF. There's gonna be a green container around the PDF notifying the user that something is going on in the background, right, that we've contained a piece of code, but we're still allowing the end user to interact with that document.
Tim:Right? They can view the contents. They can, you know, even edit the document and save it to the container, but it's not touching the actual hard drive. Right? It's not being stored or saved anywhere on the disk, itself.
Tim:It's all virtualized, right, inside the container. So it doesn't you know, basically, it prevents any sort of damage, right, from the code even running in the first place. And then once our Exidium Verdict Cloud does a determination on either that piece of code or that that, you know, that binary to say, yes. It's safe. It then releases it from the container.
Tim:And it's it's it's really seamless to the end user.
Max:Are you providing this data reporting, back to admin, you know, admin users to say, hey. Like, this is this software that's running on all your devices, and you've got, like, the stuff running out there that you don't know about?
Tim:Yeah. So we we offer complete software inventory visibility. You can see every single version that's running, you know, every application that's executing, everything too that we've contained versus not contained. We also capture the script content, of whatever has been executed as well, and we can port that up to the console. So if you wanna even wanna see the the contents of a particular script that ran, you could do some reverse engineering or, you know, analyze that data as well because you're gonna need that visibility sometimes if you need to do that human element.
Tim:Right? Just to make sure that, you know, it isn't something a little more nefarious. But anything that suspect. Right? Once again, we're containerizing that, and that's at execution time.
Tim:And then, you know, we have our full stack, of course, on the pre execution and then the post execution as a service.
Max:So is everything always running in a container or at some point, you know, VertiCloud comes back and says, yep. We know this. It's good. It doesn't it doesn't run-in virtualized?
Tim:Yeah. Not everything. Right? Everything that so let's say, you know, SBC host executes or, you know, task list or any of those binaries execute on a program. We all know those are legitimate programs.
Tim:They're all trusted. Right? There's trusted hatches. They've been out there, you know, in the world for years or maybe even just a year. Right?
Tim:And it's trusted, no good. There's no, you know, behavioral, anomalies associated with it. We allow it to run automatically. Right? There's no no, you know, no impact for anything that's once again unknown.
Tim:Like, if you search the hash on Google or virus total. Right? And it's completely unknown to the world. No matter what it is, we're containerizing it. Right?
Tim:We wanna make sure and validate that it's safe before allowing it, right, the air and the water and everything else that it needs to breathe on and operating.
Max:So something gets through a, you know, email filter. User clicks a link, downloads a payload, application does something, goes crazy. At what point the flag start getting raised of saying, you know, this thing is trying to talk laterally. It's trying to do something that it shouldn't be doing. It's trying to it's talking to something we think is a command and control.
Max:Like like, how does that escalate through that? Like, we haven't seen this before. You know? Like, now it's doing something strange to get rid of this thing.
Tim:So it's immediately immediately flagged and contained. Like, once again, at execution, almost so so pre execution, we have something called FLS, which is a file lookup. So every single file that even exists on the disk right before it even executes, we're doing lookups and we're verdicting, you know, all those different binaries. And the second that it runs, right, if it's unknown, we then submit that to the Verdict cloud. If it starts doing things, like, really nefarious, we just it gets killed.
Tim:Right? Once again, these are all controls or knobs you can turn. If you want it to automatically killed, automatically get wiped from the container, you can do that. Or if you just wanna allow it to still exist within the container and have the container wiped a day later, you could do that. Right?
Tim:We recommend having that thing killed immediately because, you know, we don't want any risk, you know, occurring to the end user. Because let's say they open up a document, it tries to run some code, but maybe there's also a link in there that takes them to a website that they're trying to phish credentials. Like, credential phishing is tough to stop. Right? Because you could you don't there's no malware necessarily associated with it.
Tim:They're just asking for your password. And once they have that, boom, they're in. Right? They're in your environment. There's not too factor.
Tim:Like, maybe they're looking for your Office 365 login. We see that quite a bit as well. I can show you kind of how that works. Right? So, you know, how we go about doing that.
Tim:Right? The feeding 0 day attacks, we call it kernel API virtualization. And there's really 5 objects. I only have 3 in the other slide, but it's file system registry, kernel object services, and that common interface. And that's where we layer in.
Tim:We we we provide this virtualization layer. And this is what it kind of looks like from more of a graphic How
Max:much overhead does this add to a computer? You know, if if you're dealing with an aging fleet and now, you know, this you know, their their their desktops or laptops have to you know, are running this in addition to, you know, running what their applications are. Is this is this something where you have to factor in at a certain size? I mean, is this like, hey. We've gotta make sure we have this much RAM or this much CPU capacity.
Max:Or
Tim:Incredibly lightweight. You can run this thing on an XP with, you know, 512 megabytes of RAM. We've we've seen it run. No problem.
Max:I feel bad for those people.
Tim:We're doing is I do feel bad. They still exist, by the way, you know, and Windows 2 1,000 servers. I mean, what's going on, guys? But once again, it's just API interception. Right?
Tim:We're intercepting those APIs and just redirecting them. So we're not we're not, you know, building a whole hypervisor or consuming all these resources to, you know, containerize it. It's just interception with, you know, a thin restriction layer. But, yeah, that question comes up quite a bit. Right?
Tim:Because, you know, any sort of endpoint that you're adding agent to what you're adding to the endpoint is that's the question. What's the impact on memory? What's the impact on resources?
Max:I've had some, secure Internet access, you know, SWG clients, and you install it and you put it on a cell phone, and then you just watch the battery just kinda go and just and if you're like, what what what did this thing just do? Yeah. I can't use this. That's great. Like like, wonderful.
Max:You know? I mean, kind of kind of small problem there.
Tim:I'm, Yeah. You know? So so we were doing a POC one time at my last company. Listen. There was no fault of my last company, but we were running our solution on a Mac, and the battery caught fire.
Tim:And somehow, they literally blamed it on the agent. They're like, your agent has so much overhead that it caught a I mean, look. That one's still TBD is what I call it. It's to be determined if that was really the case. But, yeah, if you've got something that's heavy, I mean, it does drain and have a, you know, an operational impact to the battery.
Max:Segway a little bit here. SIMON XDR. This becomes a really confusing, you know, sales motion. Right? You know, you start talking about SIMs and you start for you know, questions become like, okay.
Max:Let's try to size this environment. Right? You know? You get to a concrete point where it's how much does this cost? And and that becomes, well, how much data are you sending?
Max:And and and, I think a 100 out of a 100 companies are probably also gonna say, I have absolutely no idea how much data and telemetry data I'm gonna send to your son. So from a sizing exercise or somebody that's actually looking at this and and and, of course, it wants, how do you go through that sizing exercise with that with that company? And how much variability do you see, you know, company to company based on utilization?
Tim:Yeah. Max, this is where you're gonna think we're a little insane with how we price, that. We actually don't take that into consideration. We just price it per endpoint. So we don't we don't actually look at how much data we're ingesting.
Max:I I actually don't think you're insane. I actually really like that answer because it makes it really easy to explain.
Tim:Super easy.
Max:Yeah. Yeah. Because the other way is insane. It makes it it's hard. It's it's impossible.
Max:I mean, if you have
Tim:any What's the gigabytes for yeah. Exactly.
Max:Yeah. Okay. Great.
Tim:We've we've made it a lot easier on the salespeople and for a reason. Right? And then the reason why we do that too is because, you know, we've got some accounts who ingest very little. Maybe it's a foul a couple thousand events per day, and then we got ones that are, you know, over the top. Right?
Tim:So it it levels out from a pricing perspective. You know, we still, you know, hit our margins fine, you know, with doing that, but it also removes that complexity from the conversation because no one wants to, you know, figure that out.
Max:You can't. You can't. It's impossible. You can't
Tim:just say a 100% agree with you.
Max:They're like, okay. Great. We have, you know, 2,000 endpoints and x amount of virtual instances running in these places plus, you know, Office 365 plus this plus that. And you're like, okay. Great.
Max:What does that mean for us? You know? And then you get a spreadsheet, and it's like, oh, we think you're gonna be this much data. And you're like, but it could be more. It could be less.
Max:We'll find out.
Tim:Yeah. The way that we approach that and that's why, like, the salespeople love that model, and we're just gonna keep you going on that. Onboarding deployment almost feels like a breeze too. You know, typically, we have an implementation, you know, kickoff call where we go through, you know, what what does XENM installation configuration look like. We do testing and deployment.
Tim:You know, this is where we, you know, discuss all the the the technical details right of the deployment. It's very easy because what we do is we spin up an environment. This takes a matter of not even minutes. It takes maybe a minute to spin up an environment. And then there's packages that you can be downloaded that only communicate with that specific environment.
Tim:Right? So we keep it multi tenanted. It's very easy, for for deployment. They can leverage any tool that they want to, you know, do deployment, you know, through. And then, you know, stage 1 is enabling all these different things you see there on the left.
Tim:Right? That's our full stack. You know, file rating, bioscope, HIPPS firewall. We call it stage 1. It's kinda like the learning phases even with our host intrusion prevention.
Tim:We do a heuristic like a learning mode. Let's baseline your gold image. And then, you know, after stage 1, maybe a week or 2 weeks, we we convert it over to stage 2, and then you're off to the races. Right? If someone wants something super locked down, you can go to stage 3, and then you can start getting more granular in terms of what you wanna block on.
Tim:But, typically, stage 2 covers all the bases, you know, protecting your environment from 0 days and and everything else. But the implementation is just comes in term in in the in the form of PS, professional service hours. And there's not a lot of hours really that takes to do these sort of deployments. It's it's very straightforward and easy, especially if you do, you know, MDR because we're managing it at all for you. So, really, it's just, you know, meeting with the client, making sure they're comfortable with everything, showing them, you know, how to log in and see tickets and, you know, how to file help desk requests if they have any sort of issues.
Tim:But everything is managed for them. Right? So they don't have to do a lot. And then deployment just kinda takes it from there. So we just kinda guide you through this process, review the status, and they're off to the races.
Tim:So we can move as fast as, you know, they're able to move, basically.
Max:So this is kickoff. You're gonna have a a weekly check-in, make sure everything's moving forward. After after deployment, you know, what kind of interaction I mean, besides, like, hey. You can log in to our our console and you can see, you know, data. Are you doing monthly updates?
Max:Is this quarterly updates? Is this weekly updates? I mean, what's the what's the back and forth?
Tim:Yep. Yep. It's, it's it's monthly. Right? So it's we we set up monthly calls with them.
Tim:We have a whole customer success team as well that'll engage. We have multiple touch points. The SOC team will engage with them. Also, our customer success team will engage. Professional services will only come back if they need additional hours for other setups.
Tim:Maybe they wanna expand into XDR and deploy network sensors. You know, they could pay 2 hours. Right? And then, boom, they're off to the races. But we think it's absolutely critical, right, to connect with our customers on that regular cadence because you wait quarterly or any longer than that.
Tim:They forget about you. Then comes, you know, renew time. They're gonna say, what have you done for me? You know? And especially with smaller shops, it becomes a problem.
Tim:Like, like, you have 20 endpoints, and I'm giving you MDR. And I haven't given you any malware alerts. It's because maybe you you have a boring environment, basically. Right? There's not a lot that goes on.
Max:MDR has become a very crowded space. There's a a relatively small amount of EDR vendors. You know, people are actually producing EDR agents, and some are trying to push, you know, or have pushed into the MDR space and saying, okay. We're gonna provide MDR services on top of our EDR platform. There's a lot of companies in the market now that are saying that they run SOX, saying that they have an MDR that as companies I mean, as this as this gets more crowded and more noisy and more confusing, how does somebody actually go through the process of figuring out?
Max:We try to do it ourselves. We couldn't because we realized it's just trying to trying to bite off too much. We just don't have the expertise, and we're not trying to do this ourselves. So we know we want, you know, endpoint protection, and we know that we want an MDR. We know we wanna have, you know, these other things layered into it.
Max:How do they decide at that point? Like Yeah.
Tim:I mean, a lot of the prospects that we talk to, you know, that that come under these calls, I mean, they might have what they think in mind is everything that they need, you know, to kinda be put in place. But once they see the range of even you said it during the the conversation, oh, you guys offer patch management capabilities or visit they might not even realize where they could also replace other technologies that they have deployed. So I think it comes like, I kinda need an MDR service or I need maybe EDR or something like that. And then it kinda we broaden that horizon. We say, by the way, you could do you know, you could replace all these other things over the course of, you know, this relationship.
Tim:Right? You could purchase a part of it now. And then as you expand, we can replace. And I think it kinda comes down to what we provide as a part of the service is also security guidance. I think having that reliance, right, like a breach free warranty and free instant response services, We need to differentiate ourselves a little bit, right, compared to the other MDR players.
Tim:And that's where we like to focus, not always on price. I don't I hate differentiating on price. You know, you never want you wanna be the cheapest thing in the market. Right? Because then what is your value?
Tim:We like to differentiate on the service, right, that we offer and then obviously the capabilities as well.
Dani:Just to touch on that warranty too, as cybersecurity insurance is a huge focus for companies. And can we get it? What's it gonna cost? That warranty and some of the check boxes, that we help with, we hope helps drive that cybersecurity insurance down for companies.
Max:I'm really curious what happens with cybersecurity insurance here as as, you know, this year continues in the following years because there's been a lot of large carriers starting to exclude and step back from providing cyber ins you know, cybersecurity insurance and and remediation insurance. And, I mean, so, you know, like, Lloyd's of London was a pretty big warning shot. Right? We're not going to ensure and, pay out for, you know, state sponsored hacking. I think for a while, there was this idea of, like, oh, we can go get cyber insurance.
Max:And then it became a strategy of how do we make our cyber insurance cheaper. Oh, if you get these tools, your policy costs you less, and and then that would take care of it. You know, I I don't know how much that that persists and that lasts Yeah. You know, going forward.
Dani:We hear that all the time that there's that fear that it it may just go away because at the end of the day, insurance companies are a business. They're there to make a profit, and they keep shelling money out for these incidents. Well, it's gonna go away.
Max:You mentioned dentists. So my dentist, I can remember when they went digital. Right? So integrated, you know, computers at every at every every bed. Right?
Max:And but, I mean, 20 computers. 25 computers in their office probably. Not really sophisticated in the sense of at 2520, you know, 2025 computers, you're gonna have a sophisticated IT operation, but sophisticated that everything's digital. X rays went digital. Everything's on that computer.
Max:It's you know, you can't if that turns off, I don't know what they would or would not be able to do. People now at this point looking at it and say, okay. You know, we're a dentist, and we're at a dental association meeting, and we heard a horror story from this other dental office that had ransomware that that that crippled their business. And so now we're gonna go out and investigate this and and go find this.
Tim:Yeah. I mean, Max, I think sometimes you even answer your own question sometimes when you ask the question because that's exact I mean, that's exactly what we've seen and especially the I mean, I get anxiety going to the dentist when I see, like, their their Post it notes literally on, like, the screen, like, their admin password. I'm like, what are you guys doing? Like, anyone could walk into this chair, know your your credentials to get in, and your Wi Fi is open so I could just hop on your network. I don't have access to your network.
Tim:I can log in to your domain controller or whatever. Right? Like, it's just readily available. So I've at least hardened my dental office, you know, through advice. I tried to get a lower bill.
Tim:That didn't happen, because those those dentists, they know how to charge.
Max:How altruistic. It was altruistic cybersecurity.
Tim:Yeah. Right. So so we're seeing more and more just businesses out of nowhere. Even car dealerships are asking for protection because they're concerned about that $500,000 ransomware note. We have a I have a good friend who actually runs not a dealership.
Tim:It's, what's just a law firm? Small, little law firm. Right? But they got ransomware ed, and they had to pay out $300,000 because they didn't have all the other controls like backups and everything else. And she's like, my like, how do I I don't I can't even, like, pay for that.
Tim:So I think they're now just scared of that nightmare scenario, and they're just they're paying for these services and
Max:Predictions for you know, it's what is it? It's now it's March. It's March of 23. I had to look at the calendar because my brain doesn't work that way anymore. You know, predictions for the rest of the year next year.
Max:I mean, so one of the biggest things that I used to track and follow really closely was this idea of dwell time. You know, how how long did somebody get on a network and sit on the network before they launched an attack? And, you know, a few years ago, it was, you know, 200 plus days of dwell time. And now these stats have gotten really short, you know, like, a couple of days of dwell time. And and and lots of sophistication around, like, you know, the hierarchy of, attackers.
Max:Right? Where, you know, maybe somebody gets gets into a network and immediately flips that credential to somebody else. And then that other person, you know, that other team, another group, that other person, whatever it is, is gonna go out and actually investigate and figure out what they can extract out of that. You know, are we gonna see more companies investing in this? Is that gonna tip the scales?
Max:Are we gonna see more horror stories like hollowing a pipeline of, like, people pumping gas into the back of their cars and, you know, tarps? Like, what's
Tim:Yeah, Max. It's I think it's only gonna get worse, and I hate to use, you know, even examples like chat g p t, you know, writing its own malware and, you know, be here. I mean, I could ask chat g p t to write, you know, a signature from the MITRE framework, and it writes it perfectly for me. Right? And I say, put it in Splunk format or something.
Tim:It's like, when you get to that level of capability and then adversaries start leveraging it, they're only gonna become harder and harder. The defender's job is I don't wanna say it's impossible, but it's almost impossible. Right? I mean, because you kinda get to this point. And the dwell time is extremely scary, especially when you get the state sponsored cases where it's not even days.
Tim:It's a matter of hours. Right? It's a it's an 8 hour work shift where they know exactly what they're going after. We've worked cases where we've seen that in the timeline. It was, you from 8 AM their time to, you know, around 4 PM, you know, China time.
Max:Break break for lunch.
Tim:Break break for lunch. I see you see you see the act yeah. No. It literally dips during lunchtime. And, you know, it's it's sad, right, that we've got to that point.
Tim:I mean, we I I remember when I had my first child that was in the delivery room, we had a nation state threat actor get into get into our organization. They broke in. And I was working the case while working the delivery room and I said, that's it. I'm not working on Chinese New Year. Like, let's have let's have the child during Chinese New Year because then I know we won't be breached.
Max:So some organizations have a higher risk profile. Right? You know, obviously, banks, casinos, and financial organizations, you know, there's a risk profile. If you're industrial and you're manufacturing, you have intellectual property. Right?
Max:There's you know, you're at a different risk profile. You know, the majority of companies or, you know, nonprofits, NGOs, you know, whatever it is, health care organizations are gonna say, you know, we're not a target because we don't, you know, we don't you know, like, we don't have anything that people want. Right? Which is not true. How much of this is just, like, low hanging fruit?
Max:You know, where if you've taken, like, very menial steps. Right? You know, like like, just the simple stuff of just do you have 2 factor authentication deployed? Do you have a decent endpoint deployed? I mean, how how much does that really eradicate that risk from, you know, these non targeted attacks just just moving on?
Max:It's not worth the energy to spend any more time here.
Tim:Yeah. I mean, there's groups dedicated to just that initial infiltration, and then they sell that access. And that's the low hanging fruit. I mean, those people are making out. Like, they're they're selling that access to ransomware operators, and then ransomware operators will come in, move laterally, deploy their own ransomware.
Tim:You know, that is low hanging fruit. But even these large organizations, casinos, and banks, and stuff, like, they have these IoT devices now, and they neglect. They might because that one fish tank one was wasn't that a casino? That was a casino, I think, out in Vegas. But anything that's Internet connected is a tax service.
Tim:Right? It's readily available for anyone that that, you know, that that can access that. So, you know, I I think to to that point, it's I don't think it matters what organization you are. Big, small, or the level of security controls you have in place. There's always a vector for an adversary to get in, and they're gonna take advantage of that.
Tim:It doesn't matter. So we're seeing a but a massive increase in these lower hanging fruits, though, and that's what we see because we're now in this market. Maybe maybe that maybe that's the reason why I'm seeing it more because now we're we're finally selling for that. My last company, we focused on enterprise, and all we saw was, you know, larger, you know, targeted. But we see this consistently now even in the headlines.
Tim:And a lot of times, it's not even reported. Like, my friend, it's not like that got reported in the news, but we didn't hear about it. Right? So I think it's hard to also capture those metrics on.
Max:A a piece of news hit last night, this morning, and it's, a proposal from the White House to shift cybersecurity requirements from organizations into technology providers. And, you know, it's it's vague, and then it says, you know, legislation will be proposed, you know, sometime in 24 for this. But it's it you know, I read that, of course, as it's saying, okay. Microsoft is now your fault. You know, your responsibility to make sure that all your customers are secure if they're using Office 365.
Max:Is that doing a disservice, you know, to the average organization in terms of what their roles and risks and responsibilities are versus, you know, what other people are gonna take care. I mean, I'm not saying this, like, as an anti Microsoft or anti Google thing, but they're gonna have a carve out in this legislation that says, oh, you know, if you didn't secure your password, you know, we were not liable for it. Right? Like, there's reasonable, like, levels of care that have to be conducted you know, taken. Otherwise, it's just it's not reasonable for us to be responsible for it.
Tim:At the same time like, I would love Microsoft to be responsible, actually. Like, because if they didn't detect a piece of malware, then they might come and say, well, you didn't buy our advanced protection, you know, or APT, you know, threat level service. I'm like, what is that about? You know what I mean? Like, you're you're supposed to stop malware on my endpoint, your Windows Defender.
Tim:And it's not just them. I don't think it should be placed on the vendors. I think I do think these businesses have a level of responsibility in security. I do wish the government would stay out of that, but maybe you need to push not just the vendors, but also organizations to have that, you know, minimum level of security, like, to factor off it. Like, make it a standard.
Tim:Like, that that needs to be in place. If you're protecting customer data or you're protecting anything, your own business, I mean, we need to have a certain level of control, but that's a tough one, man. You know, that that becomes a huge political debate, to be honest with you. You know, like, who's responsible? Because we could be held responsible.
Tim:If we didn't check the piece of them out, that's why we offer money back. Here's a breach free warranty. You know? We think about that. We try to be nice.
Max:I I don't think that government regulation or insurance is gonna be the saving grace for us. You know, I'd I'd for a long time, I actually thought that it was either gonna be government regulation or insurance was gonna be the saving grace to actually force, like, reasonable cybersecurity postures for most companies. And I'm I'm not holding my breath for that anymore. And, and it's the the risk of this is terrifying. I mean, you know, I've had hospitals, you know, call us after they've been breached.
Max:And it's, you know, it's it's then you then you get into, like, really scary stuff where you're like, oh, we've gotta start, you know, transferring patients from one hospital to another hospital because we can't, you know, provide care because we don't we can't. And that that stuff is really scary. It's, I do
Tim:think the government also is a little choosy with who they help protect.
Max:So I don't know if
Tim:I can get in trouble for saying this, but, you know, even at that large organization that I worked for, I would have a 3 letter agency come and knock on my door and say, hey. Search your SIM for this IP address. You're owned, and we know this. So they have insight into everything, right, that's transpiring across these networks and stuff, but he they were right. Like, we had a nation state adversary that that got past our defenses.
Tim:They had a command and control, you know, foothold. They just told us. I mean, did they tell everybody that stuff? I doubt it. Right?
Tim:I mean, I I I think it could be a bandwidth issue, but, you know, that sort of stuff too kind of also piques my interest. Like, how did you know that?
Max:I think I wouldn't wanna be in charge of making those decisions. You know? Because because on the one side, it's like, you wanna alert people and you wanna protect people and you wanna share people, but then you always kinda counter that with the, you don't want the adversary to know that you know what the adversary is doing. Right? Like and, like, trying to make that call and and, like, I'm okay not not having that responsibility right now in my life.
Max:I've got
Tim:I can't imagine it, to be honest with you. Because it's not just one organization. It's probably a plethora, right, that they have command and control access to. So they probably want a larger sting takedown operation. I get that.
Tim:But it's like, how do you get that relationship too going where you're getting some of those tips so you can protect your your trade secrets? Because if they see something, they're not always saying something, and that gives the adversary dwell time, which then gives them the chance to exfiltrate data.
Max:Exidium straddles an interesting fence here where your manufacture where you're creating intellectual property and you have an endpoint, and then you're providing MDR services as well. How adversarial or friendly is this industry with each other? You know? I mean, is there, like, a secret convention of EDR vendors that get together and share notes or MDR services, you know, at some level of of, like, this is what we're seeing and, you know, we're all in this together. I mean, because it's I mean, adoption of these things as a percentage basis, I mean, you know, the TAM for for endpoint is every device ever made.
Max:Right? And the TAM for MDR is every organization running a device ever made. So, you know, the TAMs are infinite on both sides. So then it's it's it's now people actually adopting this technology hasn't really caught you know, I mean, there's there's we we we've got years of work ahead of us in in adoption of technology, but but it's not like a total you know, it's not a TAM issue. It's
Tim:We don't have a secret society. If anything, it's a it's a and I've seen this, unfortunately. We I, at all cost, avoid this is is the whole is the bad mouthing or even trying to say that they don't have all of these cape like, have you ever seen those side by side? Like, show me a a battle card of this technology versus all your others? What you do is you say, oh, they only have 2 of the 37 things, and we have 37 of 37 things.
Tim:It's so dishonest, and it's not even true. I can't stand battle cards.
Max:My version of that is show me an RFP, and I'll tell you who wrote it.
Tim:Right. Exactly. So you'll know exactly who did it. Or they'll they'll say, you know, we they basically write your your services that you provide, but it's maybe that's not even true. So, look, I think EDR vendors, they pay attention to the capabilities and the services and stuff that they offer.
Tim:I think there's some that, you know, try to outdo one another with marketing or whatnot. I we're trying to avoid that noise. I know sometimes we we might generate some noise. We probably shouldn't, but we try to focus on the customers and just focus on our go to market strategy. Right?
Tim:Focus on MDR for the masses, people who can't afford the the larger names, and let's see how successful we can be. Offer them a white glove service. I mean, that's we've been successful so far. Know? So let's continue to do that.
Tim:But I think when you start worrying about other vendors, it can become a problem.
Max:So, Danny, somebody that is Exedy, I'm curious. We've talked a little bit about deployment onboarding. But, you know, what is that, you know, process and timeline? I mean, how fast? How slow?
Max:What does it take? What's average engagements, how do people get started? You know, what does this kinda look like for a company that's out in the market and evaluating, bringing cybersecurity into the organization? And
Dani:Yeah. We have some fantastic cyber, cybersecurity sales specialists and they have we have inbounds, we have people, you know, calling, emailing, reaching out with our BDR team. We've seen in instances especially when there has been an issue, they realize that there's an issue or a breach, we've seen these close very quickly in less than a couple of days. For a normal sales cycle, obviously, the engagement, we get involved, we understand their environment, kind of the process Bando's kind of spoke to with deployment. Right?
Dani:That's mirrored with our discovery, with our sales teams. They go through, they understand the environment, we make sure that we fit the right product and service, to what they really need. But we can see the sales cycle still be very quickly because you hate to sell on fear, but there is fear out there in the marketplace. No no doubt about it. So these are actually a little bit faster sales cycles, than what I'm accustomed to from other parts of the tech stack, you know, UC and CCaaS.
Dani:So you can see anything from 30, 45 days up depending on enterprise. But, again, it's that white glove approach, not just at deployment and onboarding with Bando's team, but from the very beginning. We're gonna have, you know, the opportunity to deep dive, give a demo, have proposals, have conversations and discussions about what it looks like, and then rope in those teams, Bando's deployment, our customer success team. So white glove approach from the beginning.
Max:You know, I don't wanna call you, like, a professional services or consultant. Right? But, you know, when you think about that level of service, I mean, if you go out and you need an Internet circuit for your office, you can go out and say, okay, it's relatively commoditized, you know, vendor a, b, c, d can provide service to this location. You know, which one do you like? Which one do you not like?
Max:Which one has a better pricing promo? And and it's a relatively easy decision. You look at this, it's not as clear cut, especially if a company hasn't purchased this before, hasn't been down this road, isn't, you know, comparing with an existing service. How do you help them through that of, like, okay. You know you know, we're looking at Exidium and because we have a corporate policy, we're looking at, you know, x, y, and z as well.
Max:How do you help them increase certainty? And and what's that, you know, process like to, you know, bring people across the bridge of, like, you know, this is, you know, lowering risk, increasing certainty, and understanding the outcome they're gonna actually get?
Dani:Yeah. I, I believe that we do have the opportunity that throughout that sales cycle and making them more comfortable with our people, with our processes, with the platform itself, we also do offer a POC. Right? Let's let's take it for a test drive. Let us show you what it looks like in your environment.
Dani:Our POCs, are are pretty brief. You know, we go in. We throw some attacks at it. Let it test it out. They have that time to really get comfortable with the controls and the admin and what the dashboard looks like.
Dani:And once the POC is over, again, that deployment, the teams, everyone's wrapped around this customer. It is a big decision. This is what's going to protect your company. Right? And we take that very seriously.
Max:Okay. So with a carboline analogy, they can kick the tires. They can take a POC. They can sell the agent on a few devices. They can get a feel for it.
Max:They can see it running. You can simulate some stuff against it. They can understand what they're getting themselves into and and use that as part of a purchase decision.
Dani:Absolutely.
Max:Tim, Danny, any last words? Not really that ominous, but is there anything we have not covered here? Are there any hidden slides? I think we actually got to the end of the slide deck.
Tim:I think for any listeners or people who wanna learn a little bit more, you know, engaging with us, I mean, you can go to open edr.com com and spin up a free instance yourself. You know, typically, we like to kind of hand hold you through that process, make sure you're comfortable with it. But for customers who wanna just dive right in, they can actually go out and and spin up a free instance. But we we we recommend, you know, checking us out. Right?
Tim:I mean, I know we're, once again, a relatively newer name to the long list of MDR, Xidian players, but we offer a really great service. You know, the individuals on my team all have, you know, 15 to 20 plus years of experience in incident response. All of our SOC level 1 analysts have at least 5 to 6 plus years of experience. So we we really have put together, you know, a solid team. Right?
Tim:We don't have entry level analysts who just started out. We really have people who understand the cybersecurity industry.
Dani:So So I'm actually gonna counter him a little bit. Any listeners that are interested in Exidium, please reach out to Max Clark. On top of all of the wonderful resources we've spoken to, and explained, Max actually has, in our channel program, has additional resources on top of that. We have our team there to support Max's, client base. We have, additional escalation points, executive support, from the highest level, our CEO, Ken Levine.
Dani:He's wonderful. So we have a full team backing Max and dedicated to him for our jail partners.
Tim:You're
Max:gonna make me blush now.
Tim:Yeah. You can just edit my comment. That was much better.
Dani:Also, I just have to say, Max, knowing Tim Bandos, I think he knows the first rule of fight club, but you don't talk about fight club. So I'm gonna have to pin him down about those secret societies. Sometimes I'm not believing that.
Max:Yeah. Guys, thank you very much. This is great. I appreciate it. There's a lot of noise.
Max:And I do this for a living, and there's a lot of noise. And it's confusing to understand and figure out. And, I mean, sometimes these things become easy of, like, you know, there's only one path or two paths that makes sense. And then sometimes it gets really hard. And cybersecurity is one of those things that's not really cut and dry anymore.
Max:There's so many factors, and there's so many potential outcomes. And there's so much noise, and, making sure that people have a good experience and a positive outcome is really important. I making sure that people have a good experience and a positive outcome is really important.
Tim:I agree, Max. Yeah. Well said.
Max:Thank you, guys.
Dani:Thank you.
Tim:Alright. Thank you so much. Have a great day.