Emerging Tech in Cybersecurity

Speaker 1:

Welcome to the Upstack podcast, an ever evolving conversation on all things digital infrastructure, giving tech leaders food for thought as they push to stay ahead of the technology curve. I'm Alex Cole, And with my cohost and colleague, Greg Moss, we invite you to join us as we talk candidly about the latest technology infrastructure topics. Stay with us.

Speaker 2:

Greg, my friend, after a brief hiatus, we are back at last. It's been too long.

Speaker 3:

If my eyes weren't open seeing you, I wouldn't know it's you, Alex.

Speaker 2:

I know. I know. I've lost my I've lost my summer tan, and my my voice is gone. It was I was practicing for for for today's episode and went went a little too hard, but we're back. You're doing well, though, I hope?

Speaker 3:

I'm doing well. I'm back in full force. Excited about today's call. Excited about our guest.

Speaker 2:

We've got a great episode today. I know we haven't disappointed yet. Let's let's keep up the good work. It may be a new season of the Upstack podcast. This falls upon us, but, you know, some some topics are are too important, even too vast, to think that we've covered every angle.

Speaker 2:

So we're back from our hiatus with this episode. Let's also travel back to a topic we touched on in the early days of the Upstack podcast, back when you had hair and I didn't have a beard. So come with me, Greg.

Speaker 3:

Sixth grade?

Speaker 2:

You remember, I think it might have been our second episode where we had our good friend, friend of the podcast, Ariel Pizetsky join us, VP of IT and cyber at Tabula, Upstack customer. And he helped us dip our toe into what seems to be an incredibly deep abyss or, ever deepening waters, if you will, of cybersecurity. And then remember, we also talked with our colleague Frank Frodojian, who's an Upstack partner, when we dove deep into our tech trends report with that special series. And it seems like we did only scratch the surface. You know, the outer layers of the onion.

Speaker 2:

You know, the onion's always... And the can has been opened. That's for sure. Onions, deepening waters. Either way, you're gonna need goggles. So let's grab our goggles, grab some snorkels, and let's dive in because this time, we've got new areas to explore, and we're going below the surface.

Speaker 2:

And I brought a new swim buddy. Please welcome to the podcast, Sean Fortanian, founder and CEO of mTheory Group. mTheory was founded in 2007, headquartered in Los Angeles, California. mTheory is a pioneering leader in managed services, cybersecurity, and cloud infrastructure solutions. From AI enabled cloud infrastructure for the largest private equity firms in the United States to delivering vulnerability management services to a leading firewall manufacturer in the world, mTheory is a technology delivery platform.

Speaker 2:

And, Sean, you are the founder and CEO. Welcome to the Upstack podcast.

Speaker 4:

Thank you, sir. Honored to be here. Really excited to be here.

Speaker 2:

When Greg and I said, let's catch up. You know, when we think cybersecurity and we look into our growing network of colleagues and trusted peers, it's a pretty impressive lineup, and you're certainly near the top of that list, if not at the tippy top. We're glad to spend the next five hours, six hours maybe with you because we could certainly go on for quite a while. But, Sean, I gave the short bio about you and mTheory, but I have to believe there's much more to it. So can we get a little more background on you?

Speaker 2:

We love to do this with our guests, you know, some context perhaps on how you got into the technology industry and also a little history on mTheory.

Speaker 4:

It's a long story. That was way back. I'll try to sum up, but I fell into IT in 1997. I was running my dad's automotive family business. He was retiring or on the way to retiring, and I was in year four almost of running the business, when I was getting long in the tooth.

Speaker 4:

The family business was great. It's just there was no scale, and there was a lot of limitations onto what I could do in the future. By happenstance, a customer showed up. I was very helpful for that to that customer, and I was very generous to that customer. So in turn, he he came back to me and said, I'm gonna change your life.

Speaker 4:

And he brought a box out of his car, and it was CPUs and memory chips. And he said, I think you can sell this commodity and make some money for it. I work for one of the larger distributors, and you'll never need to inventory as long as you and I are friends. So he gave me this box, he goes, Go sell it. And by the next day, I had sold most of the units in that box to the person who made my first PC.

Speaker 4:

Anyway, long story short, I go, I like this thing. So I went to my father and said, Hey, dad, I think I think I need a career path change and I think I want to explore this. So out of the shop, I started building the business and then I realized the only way to kind of grow the business effectively was to copy the model Gateway Computers was doing at that time, which many people don't. Gateway, wow. Gateway.

Speaker 4:

Gateway was essentially financing laptops at $20 a pop and having you recycle them every two years, kind of a subscription model for hardware, which is what sparked what mTheory is today back in 1997. I said, right, we need to partner with some finance companies and we need to be selling payments on infrastructure, not the cost of the infrastructure, much like a copier was. And so the business started in 1997. I left my father's business. By 2007, it was evident that the old model was dying out, and the new model, cloud, SaaS, forming.

Speaker 4:

My thesis was that the catalyst into SaaS was not the ease of product or the better product or the easy acquisition of the product, but rather what was happening in 2007. The global banking system was dying and no one was financing tech projects at mass or scale. And it started with software transactions like SAP and Great Plains because the banks weren't lending software only. And as a result, SaaS formed as a necessity and people started adopting it in 2008, 2009. And my thesis was, well, if Salesforce can do this as software, why can't I do it to hardware? So in 2007, I created a model called CapEx as a service, and I said everything VARs should sell at a true CapEx consumption, I should be able to turn it into managed OpEx, starting with servers.

Speaker 4:

And so we started, we were the first people in the world to build private cloud delivered on prem, migrate on prem, manage on prem in your own data center, then that scaled to networking, firewalls, infrastructure, everything you can consume as a managed OpEx, all delivered by this little managed services provider in LA. So we started slow, but it was interesting because in 2010, people weren't putting their credit cards on browsers because they weren't trusting it. And around 2010, AWS was starting to explode slowly. And we became the private cloud guys you can trust because we're building a stack and we're delivering it into your data center. It's with your own data and no one has access to it on a multi tenant level.

Speaker 4:

That started gaining some adoption pretty quickly. And so that was the genesis of what we do today. Also, a couple of other thought processes I had at the time was if we were a VAR, which is what I was before, we were actually selling every type of product you can buy from CDW. So when I converted into this new managed service type entity that I was contemplating, I said, well, we should be building business units that cater to pretty much everything on the IT umbrella and security umbrella. And so that's what we did.

Speaker 4:

We started building a parent company structure and then every major infrastructure deliverable that we deliver today is delivered as a separate business unit with its own leaders and operations and standalone processes. And our customers just flow between divisions all the time because we're a totally vertically integrated model today. And that was like the thesis before. We should be a vertically integrated OpEx company that manages everything you do and delivers everything you need from one shop. So that's what we did.

Speaker 2:

And this all started with a conversation at the point of sale. A guy hands you a box of CPUs and fast forward a couple, you know, multiple decades, and here you are.

Speaker 4:

Yeah. It's been a ride. Listen. It's been unsuccessful for a fair many, many years. It's a very challenging business as we know.

Speaker 4:

And when I say unsuccessful, it needs to gain its own critical mass and operate on its own. It's not there yet, but the organization is today catering to Fortune 100, Fortune 500, Fortune 1,000. We've done this without any sales force. We've done it without any marketing budgets. And we're a pretty formidable service provider in the industry today, I would say.

Speaker 3:

It seems like all these business units to me generate, you know, a fair amount of data. And it must be interesting to have that kind of holistic view of the markets, you know, and what's trending, what's not trending, how things, you know, intertwine and stuff like that.

Speaker 4:

It's interesting that you brought that up because one of the things we're launching next year is our official platform. And it does just that. It takes data sets from all sorts of customers with all sorts of various business units and then that starts deciphering or does business analysis as to what bottlenecks the customer is experiencing, what improvements are required, what is the business suffering from, and how do we automate the processes to deliver scale for them at low cost, essentially.

Speaker 2:

Sean, so you talked about vertical integration and the expansion of the services and capabilities that mTheory provides to your clients, and cybersecurity very much being one of them. I mean, as we know at Upstack, you touch the technology stack. Cybersecurity plays a role in every single piece of that. So I'm going to imagine that the team at mTheory, you are working with a variety of clients in terms of size, area of focus, you name it. When it comes to cybersecurity, what are the biggest blind spots you're seeing?

Speaker 2:

And how do they or do they differ depending on the type of company you're supporting?

Speaker 4:

It's a good question. Most blind spots are not necessarily blind and not hidden. Most of the attack surface can be resolved very quickly, very efficiently, and very cost effectively. And it would thwart the vast majority of risk an organization has today. And that holds true across every industry, every vertical.

Speaker 4:

There's table stakes that are required as an organization if you're taking cybersecurity seriously these days. And if you follow the basic principles or the basic fundamentals that are across all industries, you truly resolve about 80% of the attack surface. The other 20% is nuance. And the nuance has to be addressed based on the industry, based on the workflows, based on the model. And obviously more challenging to execute the last 20, but the first 80, 80 plus is relatively easy, low hanging fruit fixes that you can execute or IT departments can execute pretty effectively if they find it right.

Speaker 3:

But I know this is a weird question, but is there a cost differential between the 80% and the 20%? Does it get that... Will you find an organization managing eight different products in that 20% just to cover their bases?

Speaker 4:

Well, a lot of it is lockdowns, right? And maybe we'll focus a little bit of the conversation on identity or identity management, which is, again, the vast majority of the attack surface happens through the identity. And time and time again, what we see at least, identity is the last thing to be managed in an organization. So much so that the vast majority of organizations, there's still a lot of organizations that are in the mid market and enterprise space that do not have MFA deployed across the org. They might have it at a HINSO executive level, multifactor authentication deployed across the organization.

Speaker 4:

We have organizations that have essentially field techs or field reps that are in the thousands of users, but management deems them not necessarily office users, so they protect the office workers that are coming in with certain licenses and protections against the user identity. But the field service people that are just using emails are never protected or even contemplated when they're using iPads and their own cell phones, etcetera. And again, the baseline structures, the fundamental structures are similar across all organizations, the table stake discussions. And again, most of it is identity. We could start there.

Speaker 4:

As an example, if we're taking identity seriously, there's only two platforms people typically use. It's Microsoft 365, Google Workspace. On the Google Workspace side, we find that most people use the free versions of Google Workspace, so they don't take advantage of any enhanced security features or configurations that are available. But the vast majority are on Office 365 or Microsoft 365, which the ecosystem of securities, I would say, if executed properly, the likelihood of someone getting breached is very minimal. Very, very minimal.

Speaker 4:

This is without any disaster recovery or any business continuity solutions that need to be contemplated as part of any true cybersecurity roadmap. But from the identity side, if you just take on Entra ID and do baseline hardening and lock down the IDs and the conditions that they access environments with, and then couple that with locking down the device itself, Microsoft has built a very interesting zero trust framework, and the first two pillars of that framework are identity and device. Identity and device really cover 80% of the attack surface today. The rest of the pillars tackle things like data, network, applications, but the two that give you accessibility to all, if locked down properly, will protect most organizations. Those two things single handedly, let's say in the Microsoft world, would leverage a product called Entra ID P1, a $4 line item or $6 line item, I think.

Speaker 4:

And an Intune license would essentially enroll each and every device into the network. And as a user, if I'm logged in and my MFA is utilized, but my and maybe breached, but my device is not enrolled, we're still not allowing the user to come in. So there's multi points above and beyond just the MFA access that we could control. And in any size organizations, building the fundamentals of those table stakes are about four weeks long. And a Microsoft engineer can take the existing license and configure it in a manner that the user is essentially locked down to where they need to work or how they need to work.

Speaker 4:

Then you couple those with some more modern technologies like SASE, which we can dive into a little bit later. And then you would imagine most organizations will not be breached if they employ these simple little measures, which are again low cost. They're not like cost prohibitive or impactful or even user impactful.

Speaker 2:

Sean, you said four weeks. So in a month, an organization, is that for a smaller organization or most organizations can put this identity management in place that will address eight out of 10?

Speaker 4:

Let's see. If it's a hundred users or a hundred thousand users, we would get it done in four weeks. And most organizations get it done in four weeks.

Speaker 2:

And based on those rough quotes you provided, it seems like it's pretty economical to do so.

Speaker 4:

Yeah. And there's professional services. And that's, I mean, you know, the larger organizations have Microsoft skill sets in house that can perform these functions without going to a third party vendor like us. Although, a third party vendor will come in, knock it out and execute and put a bow on it and hand documentation over, which is an effective methodology. But if organizations are budget conscious or they have in house talent that has the capacity to start building these things or configuring these things with the native tools that they're already utilizing, that's the challenge.

Speaker 4:

Everybody buys Business Premium, which is a $22 license. And it includes a $15 bundle that people don't even know exists called EMS E3 in that license. For that $22 license, people actually do get that bundle. And you can do all sorts of things. You can do things like Autopilot in Microsoft, such that when you do order your laptop to onboard employees, CDW or Dell will ship it directly to the user's house, launch it, Office 365 login, and voila, everything's onboarded.

Speaker 4:

Policies, applications, accessibility. This is literally a four week project to get it orchestrated and executed. And it also includes things like we actually today, for most organizations, we don't allow them to change passwords. Actually, it's a passwordless environment for most of our customers. Their face logs them in, their multifactor logs them in.

Speaker 4:

They don't even know their password.

Speaker 2:

Passkeys, biometrics. Yep.

Speaker 3:

I'm seeing it so much from there though. I'm seeing tons of that, you know, where it's just saying, hey, we just emailed you a code to get into here.

Speaker 4:

You have to. I mean, and by the way, it's those things sometimes when someone says, hey, I'm gonna email you a code. Yes. It slows down the process, but most breaches happen through the user itself, the identity itself. Someone breaches the credentials, then navigates to the network and tries to find a way to elevate credentials such that they can get some administrative rights and then do some real damage.

Speaker 4:

And most threat actors are in environments for at least six months, at the very least, because it takes them some time to navigate and actually assess and essentially do due diligence on the asset they're about to attack. Keep in mind, a threat actor is running a business much like we're running a business. So when they're coming in doing due diligence, they're essentially pricing their service out. What can we get for our service here? What can we damage and what is the capacity or capability of this organization to repay?

Speaker 4:

At what value would be enough for them to not continue to try to restore? So there's a pricing exercise these threat actors do as well. And a lot of that happens as a result of them sitting in your email, watching emails go through, trying to see if they get access to anything that provides some guidance as to how much capital or liquidity is in the bank or how large the organization is. And based on those metrics, along with some other tools they're now using, tools that we use ourselves like ZoomInfo, they are able to take a very strategic approach into how they approach breaches or exploits.

Speaker 2:

You're talking about threat actor as a service? That's a little...

Speaker 4:

There's actually ransomware as a service. I don't know if you've heard of that.

Speaker 2:

We need to get into that, but I just want to stick with blind spots for a moment because it's heartening to know that 80% of the attack surface can be addressed through pretty simple steps and using tools and features most likely already available to you through the products and services you already license. But, Sean, just like the larger technology ecosystem is constantly changing, we have to imagine the cybersecurity landscape is shifting with it. How are blind spots or these associated threats changing?

Speaker 4:

Well, it's interesting because, you know, historically, we go through an industrial revolution every one hundred and fifty years or so. Now we go through a technological industrial revolution every three months or so. Every three months to six months, dynamically everything changes. And from an engineering perspective or a cybersecurity perspective, our engineers have to be up to date as to the newer threats and how the attack vectors are changing. The attack surface is changing all the time.

Speaker 4:

And rightfully so. I guess the very first other fundamental thing that every organization should employ or deploy is an XDR platform of any kind. Hopefully it's a viable brand they're selecting and a viable service provider who delivers the security operations center monitoring these things, but one of the other table stake items that we would always recommend to 100% of the customer base is basically an XDR platform that essentially takes and integrates with all log activity, all traffic activity that the organization utilizes, whether it's in an office, external to the office, Office 365 traffic, networking traffic, everywhere you would be able to sift data on the user or user behavior environment analysis, all gets centralized into a brain where AI and ML run through it every single minute, every second and look for anomalous activity. Because the attack surface does change. What these modern AI XDR systems also do, because they are AI driven, is look for anomalous activity.

Speaker 4:

And anomalous activity is just a change in user behavior. It's simple enough. If today Greg operates in his day to day workflow function and part of his workflow function is to upload and download 50 megs of data a day on average, and that's what he does typically as part of his day to day operational tasks. But month four, for some reason, all of a sudden two gigs of data get exported out of his account somehow, whether it's a legitimate project he's working on or not. But the security operations center at that point reaches out to Greg's boss or the IT team or whoever is in charge and asks a fundamental question, is Greg doing something he's supposed to today?

Speaker 4:

And someone from the customer side will come back to us and say, yeah, actually, Greg is working on a special project, but CEO, that's why it's unusual. And so we allowed that transaction to continue. But if not, a red flag would have been presented, a spotlight on Greg's account, and management would have instructed us what to do next, if there was something malicious going on.

Speaker 2:

Now I know why I get a ping from our security team every time I go to download the holiday party photo.

Speaker 3:

Alex is pushing PII. We can't have you doing that.

Speaker 2:

I was going to say, you're the wildcard. You're the perfect test subject. Sean, XDR, sorry, define that acronym first.

Speaker 4:

Extended detection and response. So imagine CrowdStrike endpoint detection and response or a SentinelOne antivirus type product handles the endpoint. Well, take that log ingestion from that endpoint and endpoint detection as an example, but then you also need to get all the log activity from the firewalls. All the firewalls around the organization, they might have a hundred running in various locations. You get the east-west traffic logs, north-south traffic logs, third party application cloud native logs, and all that data does compress, get centralized into a cloud engine, processing engine, and that's where all the anomalous activity is now being sifted through and parsed through.

Speaker 4:

And then things like that we didn't put conditions around Office 365, because when we do zero trust on Office 365, as I was alluding to earlier, we're locking down Office 365 and the vast majority of the movement of data. But there are other components to data movement. There are other components to organizations that we still don't have true visibility to. And what XDR does, it allows a data ingestion of everything. So we're very adequate, very important.

Speaker 4:

All sorts of providers do it. There's obviously a top five that we would recommend, the Palo Altos of the world, etcetera. But there are also lower cost solutions that can be entertained, but I would caution people to look under the hood pretty definitely, and a bake off is always a necessity.

Speaker 3:

I was gonna ask, what role does mTheory play in vendor recommendations? Right?

Speaker 4:

So a couple of things in that. So we have our favorites and, you know, I would say we represent seven different XDR platforms if we're just looking at XDR as a product set. Although we like the customer to bring their own platform if they have something they've been using and they would just like us to now operate the security operations center because they don't have the 24/7 team of security analysts that they can employ. But in no order of importance, but top of the world is Palo Alto. With Palo Alto, there's some up and comer young ones.

Speaker 4:

Cato Networks is up and coming right now. Cato does a lot of things outside of just XDR. XDR is actually a new platform for them. We're a big Stellar Cyber shop, Rapid7 shop, Arctic Wolf shop. So we cater the platform based on a couple of things.

Speaker 4:

Do we like the platform? Do we trust the platform? Number one, from our perspective. Two, customer has a specific use case that one platform may work better than the others, or we're leveraging something from the ecosystem of Palo Alto. So we're now moving everything to Palo Alto as a result because we want a fully integrated model.

Speaker 4:

So we're, I would say, agnostic to the actual brand. We would like to push them specific based on what the customer's use case is, or if the customer has something they'd like to utilize. But Microsoft Sentinel, a great game in town. If you're a Microsoft shop, we'd recommend it highly. But a lot of these are pricey.

Speaker 4:

Like the Palo Altos and the Microsoft Sentinels of the world, they're very, very pricey. The Arctic Wolves and Stellar Cybers, most organizations can buy and they're rock solid. They're not gonna be rock solid. And you should not operate a business without this specific platform.

Speaker 2:

Yeah. There's mention of security operations centers, so SOC. We love acronyms. XDR. Are there any other acronyms?

Speaker 2:

It seems like there's an equation here somewhere, kind of the building blocks of what.

Speaker 4:

Throw an acronym. SASE is another one. It's an enhanced VPN, let's say, VPN on steroids, Secure Access Service Edge. This essentially, which is now probably, I would say, from a technology perspective, and Cato's huge on this. I know you guys partner with Cato.

Speaker 4:

We're a Cato partner as well. But SASE is now, I would say, from a product perspective, maybe the next game in town in terms of scale and growth. But essentially, you're putting some heavy steroids in the VPN platform itself, such that you can start now granularly modifying the user access to a specific environment. As an example, when we use Prisma Access from Palo Alto, we allow the VPN access to hit this application, this application, and this application, let's say, and very specific applications utilized with that VPN, including Office 365. But if we detect something odd in movements, maybe not too risky in the endpoint itself, we could turn off access to only the critical application that might have financial data, because we still don't know if what we're seeing is a real thing and might be a false positive, something happening on the endpoint.

Speaker 4:

So in an automated fashion, access to accounting department files is turned off, let's say as an example, but it can still use a CRM until we determine that this was in fact a threat, because we don't want to interrupt this business flow. So we can get really granular as to what kind of threats we thwart when we experience them on the endpoint level. But essentially, the user itself, now we control exactly what he has access to, and on the asset end, what he's connecting to, only allow this user with this device, with this IP address set, connect to this location. Super easy setups, super easy configurations. Again, SASE can be deployed, and we set them up as well, even in a 5,000 user environment.

Speaker 4:

So although SASE does tend to cost some dollars for most organizations. So that's something they have to contemplate in terms of budget for sure. But then you really control access, and that approaches them to the zero trust on the network pillar of zero trust.

Speaker 2:

Because as we discussed, cybersecurity touches every aspect of the technology stack. Sean, we're talking cybersecurity. We're digging into your background, your capabilities. I imagine when it comes to managed services or, frankly, managed security more specifically, you're on the ground when companies are breached. You're out front.

Speaker 2:

What are some of the emerging technologies on the other side of that equation when a breach happens? We've talked about the defenses, the multi layer defenses we want to put up, the monitoring that needs to happen, the ability to segment off, cordon off when there is a breach in one area that still allows the business to run in other areas or individuals to operate within the business in other areas. But what's the old adage, Greg? It's not a matter of if you've been breached, it's when you're gonna get breached. So what's happening on the other side of that, Sean?

Speaker 4:

And no one thinks they're gonna get breached, especially if they haven't been breached after twenty years. Social engineering is becoming more and more difficult to tackle. Again, earlier we mentioned that you've got to think of the threat actors here as a true business. And you see that in some of the ransom notes you get. They actually literally say, instead of hiring a vulnerability server consulting firm to identify your vulnerabilities, we just did that for you at this price tag.

Speaker 4:

And we also gave you the blueprint on how we got there. So we're actually doing you a favor for any future threats that you may want to overcome. We just gave you the blueprint how to protect yourself. So they are treating this as a true business. And treating it as a true business, there's the team that actually goes and sources who to attack, essentially recruiting the leads.

Speaker 4:

They actually pay for ZoomInfo. I mean, we pay for ZoomInfo. You guys probably pay for ZoomInfo. The goal of the threat actor is to get to any user account where possible and stay and remain in an environment until such time as they can really do the damage. And damage comes typically twofold.

Speaker 4:

One, eliminate any possibilities of recovery, whether you delete backups or cut off backups or turn off antivirus, and they do those things. And that's why it's very important to select the right endpoint detection solution because a lot of the branded endpoint detection solutions can be turned off by a threat actor such that they could then go run their malicious software. But before we digress, these organizations are now, once they're in, they're looking to see who you work for. They're seeing who your boss's cell phone number is, which is listed on ZoomInfo, and they're navigating the relationships within the organization and essentially trying to adopt the identity of the user they breached so they can jump in between communications at a particular point in time, if they can, or get into a part of the environment where somehow they can elevate privileges by accessing a link sent by someone in a room to a SharePoint site or somewhere. And so within that environment, the social engineering component now becomes very difficult to tackle because they know the personality traits of your boss, because they're seeing communications on your Teams, on your Zoom, on your chats, and in your email.

Speaker 4:

And the next big thing which is already happening is the deepfakes. So the AI video bot looks like Greg, talks like Greg, adopts Greg's mannerisms and voice, but happens to be the CEO or CFO and instructs his junior clerk to initiate a wire on his approval urgently on video. That's actually happening today in real time. It's obviously difficult to protect against initially. Obviously we use AI services to do that.

Speaker 4:

But again, the deepfake is actually adopting the personality trait of the actual user that it's portraying. So it is becoming very difficult for the internal employee or the low level employee not to trust the video message you just received.

Speaker 2:

AI, deepfakes, at the top of the episode, Sean, you mentioned ransomware as a service. Yep. That is as it sounds, I'd imagine. You can hire people to execute ransomware attacks.

Speaker 4:

Well, it's different. It's different. It's a software platform. It's a SaaS essentially, SaaS platforms out there. I'm imagining a world where I build a SaaS platform that can essentially go exploit organizations for ransom.

Speaker 4:

And I built it bulletproof. I built a process of currency exchange. I built a process of remediation, a real true go to market strategy. And then I go to the parts of the world where threat actors thrive, let's say, and I go to the marketplace and I say, hey, guys, everybody can use these tools that I've built for free. And when you collect, it's an eighty-twenty rev share.

Speaker 4:

We keep 20, you keep 80. And you can use my ransomware as a service tool. You can go breach using these various technologies we built to breach and encrypt and decrypt, and here's how you do your exchanges. And a young 15-year-old kid who doesn't know how to run the business, but knows how to breach or hack or whatever he knows how to do properly, signs up for these ransomware as a service organizations. And then all of a sudden, you start seeing that there's an army of individual threat actors everywhere at all age groups, at all age levels that are now conducting these attempts to breach and exploit organizations around the world.

Speaker 4:

The challenge is the government state kind of close their eyes to this because it brings so much money into the economies of the countries that are orchestrating these threats. All of a sudden, you're a little Kazakhstani, I don't want to call it Kazakhstan for any reason other than a simple example, a village and $5,000,000 shows up in crypto into one individual who then goes out and spends that money around the economy. So it's hard to stop because it's kind of quasi supported by government or not stopped by government, not necessarily supported, but not stopped by government and allowed to happen. Anyone can get into the business, let's say. And it is a true business.

Speaker 4:

I mean, one of the things that's interesting that I thought and I found comical when we did our first attack was after we did our first attack, which led us to starting a security division, by the way, 2019, we helped support a major incident response for an organization. And that kind of woke me up into, hey, we need to build a cybersecurity division. And within the next six months, we had a 24/7 SOC running and a test team running, and we were a security shop. Six months later, Fortinet became a customer of ours for pentest. So it was something that we aggressively built, but it happened as a result of this particular breach for a very well known large recognizable customer.

Speaker 4:

After we paid $1,900,000 in ransom, or the customer paid $1,900,000 in ransom, the threat actor in his chat said, would you like me to transfer you to tech support and help you remediate this? This is in 2019. And I was just floored. I go, wow, this is going to be tough to tackle because now the mindset of the individual is no longer, I'm a criminal. I'm just running my business and this is my product.

Speaker 4:

You know, if you want to use my product, don't protect yourself. Protect yourself if you don't use my product. And that's kind of the mindset we're dealing with or tackling here. And we've heard, based on our experience, that some of these farms are like 4,000 hackers deep in a warehouse sitting there in shifts around the clock with management at all levels of escalation. So the first initial guys are the ones that send the bots.

Speaker 4:

Then something happens, someone else is alerted and escalated for the next level of invasion. Then the exploit team comes in and starts doing some exploits. And then ultimately, it goes to the payment department, accounting department to process everything. So you're dealing with now almost a free market kind of approach to crime, which is unheard of.

Speaker 2:

And to think I was feeling better about things at the top of this this conversation. So you've just added IoT, sounds like bots, to the list of threats. Is there anything else, any rapidly developing threats that we should be aware of as we think about that, what is it, the 20% of the attack surface that still remains vulnerable?

Speaker 4:

You know what's an interesting one that's easy to resolve as well? There's a technology out there called Spin dot that's tackling this or combating this. A few other companies that do it as well, but Spin is something we partnered with. But everybody uses Chrome. Everybody uses Chrome extensions.

Speaker 4:

All users on their own independently typically add an extension or a tool they need in their browsers, as you probably have yourself at some point in time. Most organizations don't control the browser at all. It's kind of a willy nilly utilization of browsers in organizations where actually, you know, if you want to follow best practices, you stick to one browser, whatever browser you've selected as an organization, and you lock down that browser and the users are not allowed to use any company related access, logins at all outside of the approved browser itself. But, you know, these browser extensions are in marketplaces all the time. You as a user say, hey, I need a quick calculation tool or a money conversion because that's what I use every day, and I want to be able to convert money in real time just right on my browser.

Speaker 4:

And you find this little thing, and you click on it, and it's now an extension. Well, that browser extension, although a functioning tool that actually is useful, was created by a threat actor. And that threat actor has now access to everyone that uses that. And that's actually what's happening in the world of browser extensions more and more these days than you would anticipate. So that's something that I would say is an easy fix, an easy concern to resolve or vulnerability to resolve, but it is a major vulnerability that people don't even contemplate.

Speaker 2:

Is the fix just stop using browser extensions, or is there something that people can look out for to know if a browser extension is legitimate?

Speaker 4:

True. Well, that's true. And by the way, even legitimate browser extensions don't get updated. So Chrome might be updated for security patches, but the browser extension might not be. So it's not just necessarily threat actors you're solving for here.

Speaker 4:

But a couple of things. Either you block the ability to, and that's how you should start by the way, block all the ability for a user to independently download an extension without IT approval first. That's fundamental. Then if it's part of the workflow and it's required, either it's on an approved manufacturer's list, or you use a tool like Spin that on a real time basis looks at the vulnerability and the health and validates the extension itself. It's out of patch, it doesn't match the patch level of Chrome or Edge or whatever, and it is vulnerable, and it'll showcase to management a hierarchy of vulnerabilities on extensions. You have 10 in your environment, you have 10 extensions that are pretty solid, no questions, you don't have to worry about it, but there's about five running in the organization that are questionable and should be eliminated or turned off or investigated.

Speaker 4:

So that's kind of very simple visibility you can do because people are going to use extensions. So you wanna put some controls around it. And much like everything in business, try to put controls and processes around things before you let people, you know, go in the wild.

Speaker 2:

Social engineering is always coming up as one of the more effective tactics out there. It's leveraging people access. When it comes to organizations, who are the prime targets for those types of attacks? Is it the entry level folks? Is it people who've just joined the company because they can see that on LinkedIn?

Speaker 2:

Heck, is it the IT department, or maybe they're not high on the list?

Speaker 4:

It depends. IT is actually very high on the list. You know, surprisingly, by the way. Low level IT is high on the list because, as an example, we have low level IT engineers that are NOC staff that are there to monitor things, but they do not really have access to most, if anything at all, in terms of credentialing, right? Because their job is to monitor and alert and let someone know that something is happening on a 24/7 basis.

Speaker 4:

But they also do have access to documentation systems that we have, let's say, and other systems that they may have low level access to. And the threat actor wants to get to the low level guys, because through the low level guys, inevitably they'll always elevate privileges. Always. I mean, it's tried and true. Every single time they'll find one help desk engineer somehow had a link to something that gave them access to an elevated firewall, and they elevate their privileges to the firewall from that point, take control of VPN access and jump onto VPN access of the user.

Speaker 4:

And that's how it happens. But to answer your question more thoughtfully, outside of IT, if it's the payday you're going after, it's the money guy, it's the CFO, it's anybody that works with the CFO. Typically we're seeing, because we've actually had this happen like four times now, social engineering. One of them is a very large gym company, a health gym company, that opens up new locations on a regular basis. And each and every time they open a new location, it's a $3,000,000 to $4,000,000 construction event that they execute.

Speaker 4:

And the threat actor in this case got wind of these projects coming up and intercepted an email for wire transfer from one of the vendors. So essentially, they're in the system of their organization and they see communication with the contractor. The contractor is talking about money and what it's going to take and what the deposit requirement is. And in this case, it was a $750,000 deposit requirement to initiate a construction project. At the request of the wire information, and that's when the threat actor steps in from the vendor's side, they mimic the domain of that vendor, ABC construction is not ABCI construction, as an example.

Speaker 4:

They send the email in between, intercept the original email template for the wire instruction from the vendor, send a new email to that same accounting clerk that has to report to the CFO for the wire instruction. All the while, there's a construction discussion happening with the actual vendor, so there's an expectation to initiate the wire tomorrow at 8 AM, and all of a sudden at 8 AM, the wire instruction comes in with the threat actor's bank account, which happens, and money does go out. And until someone says, hey, I haven't received it yet. No one's checking to see if it's received. That's tomorrow morning.

Speaker 4:

And then tomorrow morning comes, money's gone. That's what's happening. And that happens a lot. By the way, it's not always happening in seven-fifties, but oftentimes, and this one is more the smaller business, the smaller business is more of a target here because this happens quickly on the small hundred user, 50 user business that are not very well organized, let's say. That's what's being attacked for these low level 10,000 interceptions, 20,000 ROI interceptions.

Speaker 4:

There's another interesting story recently we got brought into, I think it's worthwhile even talking about as an example, but we recently got brought into a small dental practice, a very small dental practice that's very successful, like a high volume dental practice. And they were breached, backups were deleted, couldn't restore, problematic, took us a month to finally restore and cobble data and get them back up and running. And so everybody's happy. And this dental practice uses a very specialized dental practice software that's widely used by most dentists across the world, right? So it's more utilized software.

Speaker 4:

The data that's built into the practice management software can only be visible if you have a practice management application to view it. So these threat actors go around and they take data, but they can't necessarily see a lot of this data unless they have the application to launch it in. This particular transaction was interesting. The threat actor actually found the doctor's medical license or dental license, called the software provider, and you can only order the software with a license. So they ordered the license, got the download license, paid for it with a stolen credit card.

Speaker 4:

The vendor figured out it was a stolen credit card, and they reached out to the doctor and said, hey, someone just ordered this on your behalf, and we've shut it off, but too late, they now have possession of the actual application itself. Now they have the patient records that they can utilize. And not just with this doctor, everything else they've stolen for the last umpteen years that they weren't able to do anything with that data. Now they figured out a mechanism to get that data. Now that's social engineering at the, in my opinion, highest.

Speaker 4:

Wow. Because later they're still getting credit card charges with their, there's doctor dental practices being opened up under his name in every other city you can imagine, right? Wow. Yeah. So it's pretty bad. So this goes back to the original comment.

Speaker 4:

Eighty percent of the challenges or the risks can be avoided in a month, another five to 10% with some real careful thought, and budgets, etcetera, and the remaining, you're never going to get to 100%, but as close to the zero trust line as you can get, you're constantly trying to chase zero trust and that goal line is going to change. It's going to keep being pushed forward. And your goal or our goal or any organization's goal is how close can we get to that line at all times? Because the thing you have to think about of a typical business, it's an organization that amongst deploying product or developing product and running a business, it fundamentally has like 10,000 doors in the organization. There's doors everywhere.

Speaker 4:

And most of the time, most doors are locked and there's access control to get in there, I mean, most of the time. But when there's 10,000 doors, you would imagine most doors are often left unlocked. And in this case, no one has the master key to lock doors, no one. And this is the analog to that. So our job, or the IT director's job at these organizations, is let's go find the important doors, lock those first.

Speaker 4:

Hopefully, they're not impactful, but let's keep the big doors locked and then slowly but surely, the perimeter doors one by one, we can lock and make master keys for and and figure out what we're gonna

Speaker 2:

You just gave the example of a smaller company. It sounds, well, vigilance applies to any business. Social engineering can impact any business. But I am curious, as we look in the mid market, maybe even enterprise size organizations, do you see certain types of attacks more prevalent than others?

Speaker 4:

Well, I would say they're across the board similar. The easy attack is the user because it's all email, it's all phishing. I think something like the last result I saw, 90 plus percent of actual attacks come through email. And again, 80% of your attack surface in an organization is covered by identity management and device management, you know, that's it. So stick to those things.

Speaker 4:

But the proven methods are the same across the board. The more sophisticated stuff is where they're trying to get into people like us because the payday is a lot greater, because now if we get breached and if we're not protected, they have access to actual administrative credentials to our customer base, which is now obviously the biggest risk. So we're locked down everywhere we can possibly be locked down. A similar story happened to a competing MSP about three years ago. $21,000,000 was the ransom.

Speaker 4:

The end result was even after paying the ransom, every customer left. Because once that happens, that's a mark you can't come back from very effectively. So those are more sophisticated, and obviously the big government state sponsored stuff is more complex than we're talking about. But the things we're talking about, whether it's a five user, a hundred user, a thousand user, a hundred thousand user environment, same methodologies across the board. What's the open door?

Speaker 4:

Check the firewall. Bots are doing all that. A year ago or so, the biggest threat we were facing is anybody that had an Exchange server on premise. That went away when Microsoft finally ended support, and now everybody's on Office 365, almost effectively almost everyone. But that's, like, a simple threat of a vulnerability of patching some software that doesn't have, you know, patchability.

Speaker 4:

That's where people come in from. They look for these open doors, and that's what the bots are looking for.

Speaker 2:

The doors. Lock the doors. Get your software updated. Educate your people. It sounds like there's a strong, it's keeping people informed, enforcing vigilance.

Speaker 2:

Everyone plays a role, but breaches do happen. We've talked about some financial implications, you know, paying ransom, your team dealing with the bad actors directly, some of whom are state sponsored and keeping their local economies afloat with their illegal actions. But what does the aftermath look like for a company? And I'm also curious for the people at that company.

Speaker 4:

Such a good question. Let's tackle the people first. This is an untold thing because what happens to IT teams, you know, I'm close to this because we experience it, I mean, day in and day out. A breach happens. Usually, an IT leader takes it to heart.

Speaker 4:

He does everything he can to be responsible and bring the company back up. And, you know, he's got his internal team that he reaches out to, and then they start working around the clock for the next two to three weeks, typically. It's not like something they just try to resolve pretty quickly because they can't. This is a two to three week, no one's sleeping, everybody's out of the office, we're sleeping two hours a day type load of pressure. There's a responsibility level the IT team feels, even if it wasn't their fault necessarily.

Speaker 4:

They might not add budgets, but it was under their watch. The lower level employees don't last the two to three weeks typically, so you start seeing people quit on the job mid breach. That happens all the time. Mid breach, a team of three or four after burning the midnight oil for the third or fourth day and having pressure from management come in every twenty minutes saying, What's going on? What's going on?

Speaker 4:

People do break. It is PTSD-like if it is not completely PTSD. Really? The IT leads typically are now paranoid with everything they do, and it actually impacts what they were planning on doing in the future because they start changing the way they approach things. It's now everything's at risk versus let's be risky in the appropriate places because we have to for the business itself, or let's experiment on something because we'd like to experiment.

Speaker 4:

This is when you start seeing where management comes in and says, we're not doing anything that interrupts. We're not trying any new technologies. We're going to try to minimize anything that can change in the environment. And then the organization becomes stagnant. The IT leader is ineffective afterwards, typically, at least for an extended period of time mentally.

Speaker 4:

It is, I mean, you got to think about the toll. I mean, a very simple, permit me to give a quick story of one we did last year, a 300 user, thirty year family business SaaS company. They own the market, their particular market they're in, 10% of the market's theirs. I mean, it's a big volume SaaS provider. And the IT lead has been there since he was 22, 23.

Speaker 4:

He's been there thirty years. Just so put it in perspective, he has moved up the ranks. The owners pretty much retired and it's a family type run business, sold an Ironman's family more than 300. They get breached pretty bad, and they get breached bad with a very amateur threat actor. By the way, you want your threat actor to be more sophisticated sometimes, unfortunately, because the amateur threat actor actually breaks things as they encrypt things.

Speaker 4:

The sophisticated threat actor encrypts things but allows you to recover, because they want to come back again and have you pay them again over and over. So the reputation of the ability to recover is important for the threat actor. So that's another tangent. The threat actor has a product to deliver. The product is the decryptor.

Speaker 4:

And the decryptor better work for everyone else to pay for that decryptor in the future. So it's very important for this process to go smoothly for the threat actor. In this particular case, the threat actor was an amateur. They had just started like six months before that, going in the, you know, in the news. They double encrypted the environment by accident.

Speaker 4:

When we did pay the $3,000,000 ransom, the decryption came back and every single VM with the exception of one was corrupted, which meant everything had to be rebuilt from scratch, which had to happen. And so then it took another three to four weeks to rebuild everything, even paying that $3,000,000. Now the challenge was the owner of the company had a choice to make. Do I just call it quits? Let's not pay the threat actor.

Speaker 4:

Let me pull the money from the bank account and just, let's just shut down the business. We've had a good run. Or do we pay, and what if we don't recover? The other issue was they're a SaaS company. If they're not up and running for three weeks, what do you do if your SaaS provider is not up and running for three weeks?

Speaker 4:

You go to the next SaaS provider. You just don't use it anymore. And then what they start seeing after the first week, second week, everybody was already gone. So then they're like, Do we pay? Do we not pay?

Speaker 4:

You pay, and you still have to rebuild. Luckily, we were able to rebuild. But the toll, a psychological toll on the IT team, the family that they supported for thirty years that they grew up in, that they devoted their life to, felt like they stabbed them in the back for not doing the right things. It wasn't their fault, obviously. But they still take it to heart.

Speaker 4:

A bunch of the IT internal teams quit on the individual, obviously, because it's a $60,000 to $80,000 employee, doesn't need to deal with the pressure day in and day out working 24/7 and a breach. So this toll is a huge issue and, you know, it's not like anyone's getting therapy for it. Not that I'm suggesting therapy for it, but no one's actually taking a break afterwards either because once you're live, you're now on high alert on everything. So there's no For aspect,

Speaker 2:

it's definitely not discussed enough. I mean, sure, financial ramifications, impact on brand perception and customer advocacy, but the massive psychological impact on the people who are just trying to do their best, and these things happen. Sean, we're gonna enter the lightning round phase of the episode because we are curious, you know, in the pre call, we talked about emerging technologies. You're out there. You mentioned some of the solutions providers that you work with, and you bring to the table for your customers.

Speaker 2:

We do the same at Upstack. It'd be interesting to hear what are you seeing coming on the scene with emerging technologies that people might not know about or aren't taking advantage of yet?

Speaker 4:

Well, listen, easy answer is everything's AI. Both sides of the coin, offense, defense, both sides of the coin, AI. The technologies, all the existing technologies are now just enhanced with AI solutions sifting out anomalous activity or sifting out things that they should run in the wild and look for threats. So as long as your systems of choice or platforms of choice have a competent AI, it has to have competent AI, not all AI is the same. All things being equal, it's not the same.

Speaker 4:

Let me double click on that a little bit. As an example, the industry best AI today, we could all pretty much hone in on Microsoft. Right? We got ChatGPT. We got Copilot.

Speaker 4:

And in terms of adoption, industry adoption, well, there's a number of tools that we like as well. But Copilot is everywhere. Copilot is in security now. Copilot is in enhanced security. And one of the things we like about Microsoft is the wholesale coverage of everything you do comes out of this one ecosystem of services that Microsoft provides.

Speaker 4:

And within those ecosystems, if you leverage the right technologies, the right XDR platform, the right VPN or CASB or SASE platform, within Microsoft, and you're doing all the conditional access, and now you're just having Copilot look at everything across the board for these anomalous activities in one house only, where it knows all the doors, it knows the blueprints of everything and how everything works in a fully vertically integrated manner. That's what we feel people have to start thinking. You want all systems to be centralized somehow and one AI system looking through everything and analyzing all data for oddities where possible. Right?

Speaker 2:

And now, Greg, our AI streak continues. It just keeps popping up. There's something there. So, there are some solutions, Sean, that perhaps require significant investment, and that investment might not be a problem for your larger organizations, but what about smaller businesses? Are there easy and or cost effective precautions they can take?

Speaker 4:

Yeah. Okay. Really quick on that. I'll give you some, you know, rapid fire answers. A small business, sub-100, typically, hopefully uses mostly Google Workspace, Office 365, and like a QuickBooks type low level application.

Speaker 4:

They're not using intense applications other than on the desktop level, typically. They're not using ERP systems and they're not using CRM systems. And even if they were, they're not on premise. They're all cloud based today. What you want the users to do is adopt a central process of where they keep data and control the data.

Speaker 4:

You don't want it on discrete systems. That's the first and main advice we give, other than the things we talked about earlier, table stakes, is you want everybody to save everything on OneDrive. Save everything on Google Workspace. Not on the desktop, not in both sides, not on a personal OneDrive. You want it controlled into a corporate environment that's controlled.

Speaker 4:

Very easily you can encrypt everything in OneDrive with a flip of a switch. Literally everything if you wanted to, such that you could do it without any real impact to the organization and any real cost to the organization, as far as encryption goes. Then you want to control encryption in a manner where it's not disruptive to the business, let's say. And that's a different deep dive discussion. But the small business should do a couple of things. One, endpoint detection and response; they're not going to get XDR necessarily.

Speaker 4:

No matter what anybody says about what happened with CrowdStrike, it's still the best game in town. You want CrowdStrike. It's not expensive. It's not cost prohibitive. It's something everybody should do.

Speaker 4:

And if you have to spend a dollar, you spend it there first. Next step for all businesses, centralize where data is and put some security controls around where the data lives. That's the two things. And the last thing, what we spoke about earlier, at a very minimal level, just control the identity and the access. If you do those things at a 100 employee level, 200 employee level, these are tasks that can be done in days and not costly, and it has to happen.

Speaker 4:

It's almost like saying, well, we're going to have a door on the front, but we're not going to give anybody keys. No, we want to give everybody keys. A small business, just close the door, lock it, give everybody a key. It's a simple door. It's only one door in this case.

Speaker 4:

On the larger, complex environments, segregating the network is important. Not easy to do. In some environments, it's pretty complex. The other thing we didn't touch upon, but we should probably just, from a high level, touch upon is people don't know what they have in OT and IoT devices. No one knows or has visibility in their organizations because there's no monitoring for things like that, unless you really went out and invested in a solution specifically for that, i.e., Forescout or Juniper. They have specific technologies for IoT and OT devices. A simple example is we rolled out a Forescout solution, which is a very large enterprise solution, for a very large oil producer not too long ago. We discovered something like 8,000 devices they didn't know existed.

Speaker 4:

Did not have visibility that they existed. And some of these devices, by the way, are connected by a serial port. So you can't really run monitoring agents on these things, but they exist and they should be checked for vulnerability or accessibility. And so what we discover in the larger organization is no one actually has true control or visibility of what's connected to the network, other than the normal typical user device level stuff.

Speaker 2:

So that's all of those examples.

Speaker 4:

That's a very big, big problem.

Speaker 3:

Alex, I feel educated.

Speaker 2:

I I I feel educated

Speaker 4:

too, and

Speaker 2:

I think I'm trying to think of my main takeaway based on all we've covered. It's clear. Ideally, you'd already have a lot of these things in place if you're part of or running a business, and if you don't, while not ideal, that's okay. Now is the time. Sean, I think you'd said the best time to start all this is what, last year? The next best time is right now.

Speaker 2:

So it's heartening to know that there's things probably already available to you that you may be paying for. Your licenses you already invest in that you should be implementing in terms of identity protection, data management. You know, now I'm also thinking back to earlier cybersecurity conversations where any lock, a lock, in as many places as possible is better than a few amazing locks in a few places. It also makes you wanna go check my windows and doors and, maybe

Speaker 3:

I might already shut my computer down. I'm, like, nervous at this point.

Speaker 2:

Yeah. We're going analog from here on out. It's gonna make this podcast really, really interesting moving forward. Sean, you've survived the gauntlet, my friend. I did.

Speaker 4:

You did. I like that. Nice. You've risk, but it was good.

Speaker 2:

You've expanded our minds and made our palms sweaty all at the same time. But we do appreciate your time. We look forward to having you back. We wish you good luck, you and the M Theory team as well.

Speaker 4:

We love you guys.

Speaker 2:

Best of luck, and thank you for all you do for businesses the world over.

Speaker 4:

Thank you for all you.

Speaker 2:

And with that, we're back. Feels good to be back, doesn't it, Greg?

Speaker 3:

Feels good. The AC is getting there, right?

Speaker 2:

Warming it up. AC is getting there. Maybe the voice will be back next time we regroup. Give me a couple weeks, and I'll be there. But until then for you.

Speaker 2:

This has been the Upstack podcast. Thanks for joining, everybody.

Speaker 1:

Thank you for listening to the Upstack podcast. Don't forget to like or subscribe to the show wherever you get your podcasts. We'll see you next time.

Creators and Guests

Alex Cole (Host): Alex Cole is the SVP of Marketing at UPSTACK
Greg Moss (Host): Greg Moss is a Partner and Managing Director at UPSTACK