Welcome. Good morning. Good afternoon. In today's webinar, we're going to be talking about effective endpoint security with automatic detection and response solutions. I'm John Tolbert, lead analyst here at KuppingerCole covering these kinds of cybersecurity topics. And today I'm joined by Thom Langford, the global security advocate for SentinelOne. Hi Thom.
Hey John, how are you?
Good, good. Thanks for joining us.
Oh my pleasure. It's always a pleasure to be at KuppingerCole events. I missed them last year.
We all did. So, a little bit about our events. We do have virtual events coming up; we call these KC Live. On February 3rd we've got Unlocking Decentralized Identity: A Playbook for Your Enterprise. Next we'll have Making Zero Trust a Reality on February 17th, and Identity Fabrics: Future-Proofing IAM on March 3rd. These are just the start; we've got many more planned.
So check back often and we'll keep you up to date on our KC Live events. For today's webinar, we're controlling the audio centrally, so there's no need to mute or unmute yourself. We're recording this, and the slides and the recording will be available probably within a day or so after this is finished. We'll take Q&A at the end; in the GoToWebinar control panel there should be a blank for questions, and you can type questions in at any time. We will deal with those after the presentation.
Once again, I'm John Tolbert, lead analyst at KuppingerCole.
I'm going to give an overview of the cyber threat landscape, talk about a Market Compass that I did last year on endpoint protection, detection and response, tell you a little bit about the methodology there and show some selected results from that. Then I will turn it over to Thom and he can go into more detail, specifically around the automated response side, and then the Q&A is at the end.
So, looking at the cyber threat landscape, just a quick review of the major malware types. Ransomware is still a huge concern; many local, city and state offices around the US have been plagued by this for a year or more, and lots of hospitals. Now, unfortunately, in the time of COVID, I think the bad actors are preying upon those that are incentivized to keep operations running as quickly as possible.
So that's a major problem that continues to cut across many organizations and government agencies around the world. Fileless malware:
most of the vendors say that somewhere between one half and two thirds of the malicious traffic they're seeing is fileless malware. So there's no signature, no file to develop a signature for, so it can be harder to detect. We still have cryptojacking; its popularity depends on, let's say, cryptocurrency prices, which have been fluctuating and rising rapidly. Worms and viruses are long-time things that have been out there.
Other types of malware: spyware, botnets, rootkits and keyloggers. You know, gaining access, thinking about the recent SolarWinds event, that's placing backdoors in victim systems to be able to look for information, do lateral movement around their assets and exfiltrate information. So all these different kinds of techniques are still in use by threat actors around the world.
Periodically, I like to go out and look at these kinds of statistics from Hackmageddon. They fluctuate a bit month to month, but here we see cybercrime is about 80% of the bad activity that's out there; cyber espionage, things like SolarWinds, is about 12%; cyber warfare 2%; and hacktivism is about half a percent. So like I said, these change a little bit every few months, but cybercrime is definitely one of the leading causes of different kinds of data breaches.
I also like to look at their stats on the attack techniques. We see malware is a large percentage, somewhere between 38 and sometimes closer to 50%, then unknown types of attacks, account hijacking and targeted attacks, which often use malware. Any of these could be broadly construed as parts of APT, or advanced persistent threats. Again, like SolarWinds, many of these target vulnerabilities. DDoS is still a huge problem.
It doesn't get as much attention as it used to, but it's a constant problem, especially in certain industries.
So yeah, there's a wide array of different kinds of attack techniques in use in the market today. Here's where EPP and EDR tools enter. EPP is what we call next-gen antivirus plus, and EDR is endpoint detection and response.
I thought it might be good to break down where you can look for malware and prevent it. On the prevention side, before it executes, you can use signature files that were developed to look for malicious content that would be stored on disk.
In some circles that's 40% less effective, but it is effective, and it's actually more efficient than some of the other methods, as you'll see here. So vendors that do signatures may have some advantage for some specific use cases.
Then there's heuristics, doing static analysis of files. Moving into runtime, there's sandboxing: taking code and running it someplace where it hopefully won't harm anything else, to see
if it is in fact nefarious before letting the user have access to it. Micro virtual machine implementations are like the next step beyond that. Not very common anymore, but taking the code and putting it in a totally safe space, running it and seeing what happens. But some malware, like SolarWinds, is onto that, so they test to see if they're in a sandbox or VM environment and don't run.
So they don't draw the attention of antivirus or endpoint security programs. For fileless malware, memory analysis is the way to go: looking at memory, trying to figure out if the code that's there could possibly be malicious. And then exploit prevention:
all the CVE information can be turned into sort of a program, so to speak, that would allow the endpoint protection system to look for strings of commands that would add up to an exploit, and if they find that in the queue, stop it. On the post-exec side,
that's where EDR and managed detection and response come in, and forensics tools. Hopefully all this is being dumped into a SIEM along with all your other application logs. XDR is the word of the day, combining EDR and network detection and response. I think that's a really good way to go; I think we'll see a lot of movement in this direction in the industry over the next, I'd say, 18 to 24 months, combining these kinds of capabilities.
So indicators of compromise are how EDR programs tend to work. This is what they're looking for. They look at MD5 file hashes of known-bad files.
They look for bad URLs, bad IP addresses, and file and process name mismatches; in that case you might have a file that was intentionally named something that it's not, to try to throw off the antivirus or endpoint protection solution. Changes to the registry: that's a common way that malware gets in and persists, getting into the registry and making sure that it runs every time that machine launches. Unusual application and network port usage: applications generally have specific network ports they run on.
If you catch one using different ports and going to different IP addresses, it could be a compromised application. Unusual process injections: process injections can happen legitimately, but it's also another technique that malware uses to get their code into a, perhaps, trusted module, so it looks less suspicious. Then changing the module load points, using different DLLs or calling different parts.
Those are some of the bigger techniques there. Other things that EDR can offer is taking in threat intelligence and evaluating it.
There are many different threat intelligence service providers, and many of them pick up very different kinds of threat intelligence. They sort it, they assess it, they package it, and they provide these as subscriptions. Many of the EDR, XDR and SOAR vendors will bring that in natively or allow you to add your own set of sources. But having that done in an automated way is definitely advantageous, so that you can constantly be using the latest threat intel in your searches and hunts.
Event correlation is looking across your whole enterprise for similar things. If you suspect that you may have had an event on one machine, it's good to be able to kick off a search and find any evidence of anything similar to that, and then have your EDR or XDR platform manage that as a single event. Interactive query: a console for your analysts and admins to be able to conduct their searches and run their threat hunts.
And the quality of the query experience can make them far more efficient. Live memory analysis:
one of those slightly more advanced features. Let's say you've got a situation where you've cut off the suspicious node so that only the console can talk to it, but you want to do live memory analysis on the node in question if it's got malware running. That's a pretty good, useful feature for mature organizations. And then activity recording and playback:
that's not something you can leave running all the time, but if you can set triggers for events to say, let's record these five bits of information, that kind of helps track an attack; it might help you discover lateral movement. So EDR, these kinds of tools work across the board, and there are different levels: EDR for endpoint, NDR, network detection and response, for network.
Again, these are kind of moving into XDR, where endpoints, in some cases the nodes, run in promiscuous mode, capturing information about what's going on all around, rather than the NDR approach, where you place a box either inline or off of a SPAN port and collect all the information that's going by that way, and then roll it up and perform machine-learning-based detection on it. SOAR tools: that's security orchestration, automation and response.
That is sort of becoming the hub for threat hunting and security investigations. It takes in the threat intelligence and provides a console for users, admins and analysts, to be able to do their threat hunts and look through all the information that's stored in the SIEM, or from the public cloud, or that comes from the EDR and NDR systems. SIEM's been around for a long time.
It really still is an essential part of every security architecture.
It's important to not only have information flowing into the SIEM from all your applications and endpoints, but also whatever you're using in the cloud. I think SolarWinds, again, illustrates that many organizations are using cloud-based services and they're not paying for additional log storage at the cloud, which is in many cases limited to, like, 90 days of storage. So you've got to get that information from the cloud into your SIEM and store it for, I'd say, at least a year in order to be able to conduct these investigations of things that happened six to nine months ago. Okay.
MITRE ATT&CK, I think, is more realistic, or at least an updated form of Lockheed's kill chain. Lockheed's kill chain was kind of focused on the upfront pieces of prevent, or prevent and detect. MITRE looks at it like, yeah, those things are still important, but we really got to focus on detect and respond. So here we see prevention essentially limited to the beginning phases of an attack, the initial access and the execution part, but all the rest is detect and respond:
the persistence, escalate privileges, evade defenses, steal credentials, get data, move around, collect and exfiltrate. So security products today are increasingly built with the MITRE ATT&CK framework in mind.
So, moving on to my Market Compass on EPDR, endpoint protection, detection and response, let's talk about the methodology. We start with a market definition. I wanted to look at products that can detect and prevent malware execution upfront, and then also look for signs of malicious activities in cases where malware might've slipped by that,
and if so, contain and remediate, when it's failing, to limit the impact, and then provide the means to investigate and fix problems, and then interoperate with other security solutions and parts of your security infrastructure. So, excuse me, the features that are common to both sides, EPP and EDR: security. I think it's imperative that all such programs offer multifactor authentication for admins and analysts to use their consoles,
and then also ABAC and RBAC for access control, attribute-based access control or role-based access control.
Then there are discrepancies, particularly on the EPP side, between the effectiveness of agents that have full-time internet connectivity, which allows the agents to get information from the vendor's cloud or to send samples to the vendor's cloud and back. So autonomous agent operation means those agents that do nearly as well, or just as well,
if they're not able to talk to the vendor's cloud: perform these sandboxing functions locally, be able to figure out if it's malware and what to do with it. Other features are multi-engine scanning, having more than one tool in your toolbox for how you go about looking for malware before it executes, and crypto API monitoring. Again, with ransomware, agents need to be able to monitor the crypto APIs on a machine, both the native ones and any third-party libraries. Ransomware will do things like try to enumerate all files of particular data types.
They pass wildcards.
There might be too many of them. They start by trying to encrypt the volume shadow copy, and there's not many reasons a user-level program would ever have any need to do that. So if you see an attempt like that, it's a pretty good sign that it's ransomware, so it should be stopped. Those are ways in which ransomware can be caught, hopefully before it does much damage. Exploit prevention is agents proactively reading ahead and looking for those patterns that essentially make up known exploits, and shutting them down before they get to that point.
Secondary EPP functions are things like device hardening, that's turning off unnecessary services on the endpoint; device-level firewall; URL filtering for internet-facing programs like email and browser; application control, that's a really important one,
being able to stop users or require an administrative authority to use new applications; system integrity monitoring, looking to make sure that there aren't any changes to critical operating system files; vulnerability scanning and reporting back to the console; and then patch management, and patch management includes more than just the OS, but the applications that are commonly used in organizations as well. EDR features: real-time behavioral analysis using ML detection models to, first of all, establish a baseline, then detect anomalies and then classify.
So this usually takes both unsupervised and supervised ML detection models. Multiple sources for IOCs: it's best to have not only what the vendor provides, but maybe some additional sources that can be very specialized.
Some specialize, say, in DNS and domain generation algorithm detection.
So pick sources that are important for your organization. Threat hunting and forensics: being able to do the threat hunt, having a good interface for that. Event tracking: whatever can be automated, you know, placing confidence levels in the workflow.
And then even attribution, in some cases. Automated remediation is an area where the capability is present, but many end-user organizations have not chosen to fully implement it yet. But there are a lot of high-value things that can be done already around automation: collecting forensic evidence, creating tickets, working with your ITSM to create tickets and do alerting, and then things like process termination on the affected node, quarantining the node, making it so that it can only talk to the console.
And some vendor products allow, like, rollback to a known good state, but not too many people implement that yet.
Interactive remote query, I kind of talked about that already as part of a threat hunt: being able to set up a console and look at remote machines, do live memory analysis
if you think there's something suspicious there. And then analysis, looking at this from a higher level once you think you have an event in progress, then providing playbooks with some really detailed step-by-step recommendations. And then that activity recording and playback, that can be expensive in terms of performance hit, and it's not something you can leave running all the time, but if you can set the right triggers it can be very helpful for forensic examinations. OS support:
of course, current versions of Windows are important. Some products go all the way back to XP or Server 2008 R2. With Mac, it's not so much backwards compatibility that's the problem as keeping up with the latest version, Catalina. Linux: having support for whichever variant your organization uses. And then coverage for VDI is important also.
So in the Market Compass we have four major categories: security, deployment, interoperability and usability. For security, it's about, does it require MFA for admins?
What about the access control model, is it RBAC, ABAC? How well built is it? Deployment: is it easy to deploy? Where can it be deployed? Is it possible to run the console from the cloud? Which OSes are covered? Interoperability: does it support the right standards? And then usability is how easy is it for both an admin and an analyst to use. Here are the five categories that I lumped the major functionality into: malware protection and prevention,
how does it work on the EPP side? How good is it for threat hunting? What's possible in terms of automated responses, and how easy is that to deploy and configure? The secondary EPP functions,
which functions are there? And then how about the common functions, and does that make it easier to deploy in an organization?
Well, I won't read the list, but here are all the vendors that participated in the Market Compass this last time around; you'll see SentinelOne was one of them. We rate these on spider charts. The farther out the spider chart is, the more complete the product is, so you can see that they excel in most every possible area. And so as not to go on too long, I'm going to turn it over to Thom.
Thank you. Thank you very much, John. I'm going to take the conversation slightly further on.
Now I'm going to talk about effective endpoint security with automatic detection and response solutions, which, to be honest with you, sounds a little bit dry if you ask me. So I reframed this presentation to talk about CSOs, complexity, containment, and other C words. Let's see if you can spot those other C words. There are no prizes, because I can't see you put your hands up on the phone, but yeah.
So I'm going to try and break this down into those two sections, really: the complexity of the environment in which we operate, and also containment, which is a very, very critical and important factor when dealing with any kind of endpoint protection or EDR, endpoint detection and response, solution. So the last year, and I hate to bring up the word COVID, that's one point if you spotted the first C word, is the fact that we all know what it means to protect.
And we also all know that sticking a mask on our faces, or just downloading a simple endpoint protection onto our endpoints, is no longer enough. It used to be fine. Many years ago, when I first started in IT, it was a bit special to have antivirus on your machine. It then became table stakes; you had to have it. And then the environments evolved and the products evolved to the point of where we are today. We also need to add in detection; we need to try and spot these things before they actually deploy, before they attack.
And we also subsequently need a response. We need to do something when we detect something. When something is seen as entering into our system, entering onto our endpoint, we need to be able to do something about it rather than just simply protect the environment that it's attacking, in this case perhaps an endpoint; we actually need to proactively do something about it.
I will award an extra point for anybody who can tell me which flag this is. I couldn't work it out myself, but I'm sure it's a flag of somewhere in the world.
So why do we need to evolve from protect to protect, detect and respond? Let's go back a few years, back to when malware and APTs, et cetera, were proper malware, because it was proper because it had a logo, let's face it.
It wasn't proper unless there was a logo associated with it. Those of you who remember Heartbleed and WannaCry and all that sort of stuff. So let's go back to, yes, when malware and APTs were real because they had a logo. NotPetya, for instance. This was a very critical piece of malware that actually took down organizations for days and weeks on end. This was almost the, I wouldn't say the beginning, but it was certainly a real example of the kind of complex environments that CSOs were operating in.
It came out of a company in Ukraine, an accounting software company. Various companies globally that did business in Ukraine used this particular piece of software in order to do business, and it was installed by, effectively, the update package to their environment being broken. The backdoor was put into the update and therefore spread around many, many companies. Even though they may have had protect, they didn't have protection against this kind of zero-day environment.
And so they became vulnerable and were literally taken offline for, as I say, days and weeks. In subsequent follow-up it turns out that the environment in which this Ukrainian software company operated had not run any updates since 2013, so it was wildly out of date and therefore very much open to attack. Now let's move on to more recently. Again, I like the old days when there was a logo for a particular attack; I could not find one for Sunburst.
So this one will have to do. And we've all heard about Sunburst.
Most recently it was discovered by FireEye, who were then able to trace it back to the SolarWinds Orion software that they ran. It was subsequently found that multiple organizations who used the Orion package and had installed a fairly recent update had actually opened up a backdoor to alleged nation-state actors. Many people are pointing the finger at Russia.
Nothing formal has been said yet, so I will reserve judgment on that, although there are multiple indicators out there. But the important thing here was that it was inserted through an update.
Again, an update that we, you and I, run on a day-to-day basis was what made their environments vulnerable. Now analysis has shown that the initial attack on SolarWinds was roughly, they think, around about spring of 2020, if not earlier, potentially November 2019 in some cases.
And this really supports the findings from many analysts. The Ponemon Institute, for instance, in 2018 said that on average it takes 197 days for a company to find out that they have actually been breached, that an outside actor has gained access to their environments.
And SolarWinds is no exception to this. The key thing here for me, though, is that by targeting a company like SolarWinds, by targeting the update environment and the update process, they're really undermining our core tenets of what security is for us. As security professionals, we regularly talk about how we should be updating, updating, updating, making sure we run patches so that we're not vulnerable to the latest security attacks. And yet that is exactly what was the route into these companies in the first place. It was one of those updates.
It does go to show quite how important supply chain risk assessment is, the understanding of the security models in place in the supply chain, et cetera. But really it's created an environment that is incredibly complex, incredibly frustrating, and very, very difficult for any CSO or any security team to really navigate their way out of with any singular or clear agenda on how to do it. Now, these are the most words that you'll see on a slide in my presentation.
And KuppingerCole said, actually, in a report in 2020 that with the move to digital transformation, et cetera, just protection from known threats is no longer a feasible security strategy by itself; it's just not going to do it. The shift to this new class of endpoint detection and response is absolutely critical, as what it does is detect and investigate suspicious activities, even if they are zero-day exploits.
For instance, if there is activity going on within the environments that they're monitoring that doesn't seem right, you'll get alerted, rather than only when a known threat is actually exploited. A fun fact: I always put a KuppingerCole analyst quote into all of my talks, because the one talk where I quoted another analyst firm, they told me off.
So yeah, always quote KuppingerCole, I say. So, in the times, therefore, even when I started back in 2008 or nine, the real core tenets that we had to face, the core challenges that a CSO had to address on a regular basis, were originally just confidentiality, integrity and availability. We can throw safety in there as well; I think if we're talking about industrial control systems, et cetera, safety is a valid one to throw in there.
I think if a CSO was able to get their arms around these four core tenets, then actually we would be well ahead of the game.
The unfortunate thing, however, is that whilst the four core tenets are the same, and whilst they are all influenced by the surrounding areas, the fact is the environments in which most organizations are operating are that much more complex, that much more challenging, and constantly changing on a regular basis, which has made it that much more difficult.
So for instance, we've got in here cybercrime, hacktivism, hacking, resource abuse, cyber terrorism, ransomware, cyber warfare, phishing. I mean, phishing alone would warrant a vast number of different attack vectors here. And so it's no surprise, therefore, that the average CSO now not only has lost all their hair but is rather upset about the way things are working, and actually the environment in which they are working is that much more challenging as a result.
So let's pause there and move on from this rather good-looking gentleman, and take a little flashback to what happens when something actually does go wrong.
What happens if we do have protect, detect and respond and something goes wrong? This, incidentally, is a picture of the UK on January 1st, the first day of Brexit, or you could think of it as what happens if an actual cyber attack has happened in your environment.
But let's put ourselves into the place where an incident has happened that needs to be addressed. We can break down our response into three major chunks, really: pre-incident, peri-incident and post-incident. We're going to discount, for the purpose of this talk, pre-incident, because frankly pre-incident we're in blissful ignorance. Something may be happening, but we've not been alerted to it, et cetera.
Post-incident, well, we fixed it, but we now need to, you know, we've got plenty of time to address what the challenge actually was.
I want to focus on that central part, peri-incident, the "it's going wrong and we're trying to fix it" part. So if we focus on this one view, and this is one view of many, one view is that you have to go through a series of steps in order to address an incident as it goes through. So obviously, from the point that we go, we have to detect that something is actually happening.
We detect it because it's a known indicator, a known issue, or a known attack, or the fact that we're detecting that there are outbound communications, an app is phoning home to an unauthorized location, et cetera. But we've detected that something has happened. Ideally we would have something that would automatically respond to that; it would pick up on the fact that something has happened and it would then alert us.
We would then identify what it is that has happened and categorize it, establish what's happening, et cetera, and investigate: find out what it's doing, why it's there, is it a false positive, is it real, et cetera. We then manually respond: we will actually go out and, for instance, unplug a computer and purge it, we might deploy certain tools, et cetera, we might close down an environment and capture it before it spreads, and go through and sanitize that environment. We then verify that it's worked.
We look elsewhere for that particular piece of activity, make sure it's not happening elsewhere, look for indicators of compromise elsewhere. And then we would consider it contained. Now this is your time to containment: the period of time you will spend fixing the problem, from the moment you first hear about it to the moment it's closed.
There are various ways of doing this. The normal, traditional way of doing this is with humans, the human side of things. You will have a room of SOC analysts looking at lots and lots of screens.
You don't have a SOC unless you've got multiple screens in your environment. Those SOC analysts will be looking at alerts that are coming up through their SIEM, and they will have to sift through potentially millions of records, millions of alerts, to work out which ones are true positives, which ones are false positives, et cetera, and take action on it.
If we were to apply automation to that, if we were to apply some kind of machine learning, I'm not going to say AI because AI is written in PowerPoint, not real code, at the moment as far as I'm concerned, but if we were to apply some kind of machine learning, some kind of automation, that's going to speed up the environments in which we're operating really quite dramatically.
If any of you run your own SOC, if you think about the challenges of running that SOC, most of those challenges are human-based.
So anything from analyzing and observing, et cetera, includes a certain amount of user fatigue. There's an endless stream of false positives that have to be verified and true positives that have to be verified, et cetera. That is very fatiguing on the human brain, something that automation can do quite significantly better. Anybody who's tried to staff and resource a SOC knows that it's very often a junior-level position. The majority of your people come in and they will move out after a year or two; there's a constant cycle of hiring.
It's a very grinding and fatiguing position to be in, and hence why automation is one thing that is absolutely vital and needs to be adopted across the board, such that the whole detection and response can happen in a way that doesn't wholly rely on the human.
Now, that's not to say that this is getting rid of the human aspect of this from the SOC, from the SOC analysts, et cetera; not at all, these go hand in hand. But what the automation can actually do is allow certain actions to happen and to be triggered very quickly, very accurately, and with very good outcomes, very strong outcomes as a result, upon which humans can subsequently act. Now, why is this important?
I'm going to go back to Ponemon again. In 2018 they said, according to the best studies available, that it took 69 days on average to contain an incident. 69 days: that's over two months from the moment that they saw something to the moment that something was contained. Slightly better, Mandiant in 2020 said that it took 56 days.
Now it may be that over the last two years we've managed to knock two weeks off of the time, or it may be that they're still roughly of the same order of magnitude.
That is a huge amount of time though, still two months to contain an incident, when frankly we should be able to do this much more quickly and much more effectively through the use of pure automation. So let's look at the sort of six key factors that roll into how we can actually reduce that time to containment, to be as effective as possible. So if we look at automation, the word I've used the most here: machine speed over human speed. It just makes absolute sense.
Machines can work far quicker; they can do an automated response.
They're going to reduce that workload overall and therefore reduce that time to contain for the majority of incidents.
Yes, there are going to be outliers. Yes, there are going to be significant and massive outbreaks that are going to challenge everyone, be they human powered or machine powered. Autonomy, which again is a natural progression from automation: if your endpoints, for instance, and the systems that are supported can detect without dependencies elsewhere and without prior knowledge of a threat, you're going to reduce the time that it sits in your environment before it's detected. This again reduces that huge amount of time to containment.
And correlation: any kind of automatic correlation is going to reduce the analyst workload. It's going to go and look elsewhere to see what else is going on. Are there other activities going on on various other endpoints that indicate this is part of a greater issue, or is it an isolated issue?
And what it does is it improves your ability to make decisions and to act on any of the detections that you find as a result. End to end integrated processes:
So for instance, if something is detected at the endpoint, the ability to carry out a series of actions across the lifecycle, across the timeline of how that incident is handled. And that could include everything from firewall rules to updating endpoints to closing down certain ports in a local environment, et cetera. If those end to end processes are fully integrated,
again, that time to contain is significantly reduced. You don't have to wait until next Tuesday, when Jeff from the firewall team comes back from holiday and is the only person authorized to make a firewall change. Those changes are made as part of the overall process, and made with the evidence required to back that decision. One platform:
So for instance, here, the one platform is important because it actually allows you to minimize those delays.
It relates again to those end to end integrated processes, that ability to action a whole sequence of events: here, for instance, app EDR, firewall, device control, kill, quarantine, isolation, et cetera, et cetera. Having that all in one place is going to significantly reduce the time it takes to make decisions based upon each of those individual actions. That's not to say that it can't be done with multiple platforms, but of course the integration and the handoff from one platform to another is significantly more complex.
And we've already established that your average CISO is looking for a lot less complexity in their life. And finally, and perhaps the most important thing, it brings empowerment to the SOC. The SOC can actually deal with issues far more easily, in a far more controlled manner.
They don't have to cross over different organizational boundaries.
So for instance, waiting for Jeff to come back from holiday with the firewall, waiting for approval from somebody else to segment off a piece of network, et cetera. Your processes, which are embedded within this single platform with these end to end integrated processes that are able to correlate every single action that's happened as a result of the automation and autonomy of the systems that are monitoring this environment, mean that you can contain much, much faster and actually allow the SOC to do the job that they were employed to do. That's the end of the talk.
I hope these six points and our complexity discussions spoke to you. If you do have questions, please do put them into the chat function. I know John and I are just about to start looking at those. So thank you very much.
Let's go and take a look at the questions that we have. So, first one: why should we be paying attention to the Sunburst vulnerability and SolarWinds breach?
Well, let's work backwards. Something interesting that I read this week was about the latest development, the latest discovery, of the Sunspot loader.
I think that says not only is it possible to pull off an attack like this, where you can get some malware into a critical piece of IT infrastructure that everybody uses and everybody trusts, but the Sunspot piece says that this was able to maintain control over the development environment in which these developers were operating, so that it could make sure that the right copy, the right infected copy, got put into every build, at build time. So people always say with every breach, this is a very sophisticated breach.
And sometimes they're trying to cover up for the fact that maybe they didn't do everything they were supposed to do in the first place, so they said it was sophisticated. But this is sophisticated. And I think the Sunspot piece really shows hackers, or threat actors, taking this to the next level by doing something that enables persistence at compile time. That was something that I thought was very interesting. What were your overall thoughts on Sunburst?
Yeah, absolutely. I agree.
I think one thing our industry has no time for is non-transparency, when people are sort of making things out to be worse than they are in order to protect themselves. I think what was very interesting with this particular vulnerability and this particular incident, especially when it came to FireEye initially, was quite how much the industry rallied around in support of FireEye and subsequently
SolarWinds, because they saw it for what it was, and it was declared for what it was, which was a very complex and very advanced attack, a targeted attack on a company and the clients of said company. It reminded me somewhat (obviously in a different environment, et cetera) of Stuxnet, in the sense that it was written and targeted at a very specific environment for one sole purpose.
And, as you say, to sort of finagle its way into the production systems, into the production line, the virtual production line, of creating software updates, and the fact that it was able to hide itself so well in a company that is... this is not just two people sitting in their front rooms doing a bit of coding on a server under the stairs.
This is a company with established security chops, established processes, professional employees, et cetera. And this was a significant piece of malware and a vulnerability taken advantage of.
If they couldn't find it at some point during the previous 200 or so days, then that's... I'm almost lost for words. That just shows quite how complex and challenging it was.
Well, talking about mean time to discover, mean time to contain, this falls right in those mean times: about six months before anybody caught it, and we're a month into it. So what about another month to go before it's contained in all the places that have already discovered that they have it?
So yeah,
and those that still haven't discovered it but may have it. And that's the thing. If you go down that sort of pyramid, as it were, a lot of organizations that are using the Orion platform may not have quite such a scaled or resourced security department to look into this, to actually understand quite how vulnerable they are.
And even if they have applied the most recent patch that makes it secure, where else has that malware gone? Are they still vulnerable through other means as a result?
I mean, the backdoor was quite literally a backdoor that allowed people in, to then disseminate whatever else they wanted to and scrape out whatever they designed.
Yeah.
Besides the Sunspot piece, I thought many of the techniques that they used are things that we've known about for years, but it was the way it was apparently assembled, and they had so many tools at their disposal.
Especially talking about the backdoor and being able to... they went in and loaded credentials in everybody's Active Directory. They stuck certificates in so they could get access to mail. They even created federated trusts so that they could log in remotely, and they had spoofed SAML tokens.
That does really make it sophisticated. It makes it much easier for them as the attacker to gain access and keep control. Yeah.
It's quite the story.
Yeah, absolutely. And I think the thing that points towards it being nation states rather than cybercriminals: there's been no apparent financial gain as yet. Nothing has been sold and subsequently put on the market. Nothing has been encrypted and subsequently ransomed to decrypt.
It seems very much like a long game that's being played, which just screams statecraft.
And they may be surprised at how successful it was.
The SolarWinds 8-K filing said 18,000 customers may have downloaded the app previously. So they've got 300,000 customers. So naturally the question that comes to my mind: does that mean they must know which customers have which versions? And 18,000 of them may be stuck on that version that was only available from, like, March to June of last year. So what does that say about patch management? I was at a meeting yesterday with a CISO saying, well, we were quite a few months out of date before that.
So I don't think we got it.
Yeah. I know. Talk about a dichotomy of feelings about this.
Thank God we were incompetent enough not to have loaded the latest patch.
I think that's really the wrong message to send them, because most of the time patches have security fixes. It wasn't supposed to work this way. So please don't take a lax attitude because of SolarWinds.
Exactly. And that's the point; that's where I say this is a complex environment.
It's like, you do the right thing, you still get hit, and now the right thing is the wrong thing, except when it's the right thing to do, except when it might be the wrong thing... It's hugely difficult to come out of this with a clear message of what you should have done.
I think, going forward (and I can say this because you're on the vendor side), we've got to, as an industry, as customers, use customer leverage to hold vendors a little bit more responsible over some of the internal coding practices that they have. I mean, it's not appropriate to get too much into blaming.
I think there's enough evidence that there were other steps that could have and should have been taken during the development process here. So I think we need to find ways to hold vendors accountable, and even make it so that they can demonstrate that they are using not just good coding practices but recognizably secure coding practices, which doesn't eliminate every possibility of malware showing up somewhere.
But I think, as has often been said in our business, our job is to make it as hard as possible for people to do their own thing.
Absolutely. But I think you're completely right. Vendors must be held accountable, certainly in the security space. We have to be the cleanest of all, since we are the vendors that are actually trying to protect against this environment. But it still needs to be a balanced view.
Many times I've heard CISOs say that the risk of a nation state attack is quite limited on you as an individual or us as an organization. Our defenses are at the cybercriminal level, not nation state, because frankly, if a nation state wants to get in, they've got the resources and the time and the money, et cetera, to do it, and the massive computer sitting under a rock in some mountain somewhere, then they're going to get in.
So at what point is accountability too high, to the point where actually it's economically viable or not viable to produce software that's going to reach those kinds of levels? So all of this is a balance of risk. It's going to be fascinating to hear the real story, the real dissection of what's happened internally at SolarWinds. I really hope they continue their start so far; they've been open and transparent about it, because if we can all learn from this, we all improve.
And the bar rises for everybody across the board.
Well, so let's take one more quick question: automation isn't the panacea for a CISO who runs a SOC, no? A quick answer on my part is it's very helpful, but it doesn't fix everything.
Absolutely, absolutely. You're not going to technology your way out of this, without a shadow of a doubt.
Nobody has ever technologied their way out of anything. Even if we look at NASA and the moon shots and all that sort of thing, the famous scenes in Apollo 13 where they had to fix stuff with tape and dental floss and all that sort of stuff just go to show that the human influence is always there. And they had the processes to follow that allowed them to address the challenges. In the same way, automation is going to massively help.
But if you don't have processes and procedures, et cetera, in place in the first instance, all it's going to do is muddy the waters at best. You'll have a piece of shelfware that you're spending a lot of money on doing nothing; at worst, you're going to automate a really bad process that's going to screw you over.
Okay, well, with that we'll do a quick reminder of upcoming KC Live events. We've got February 3rd, 17th, and March 3rd: decentralized identity, zero trust, and identity fabrics. We are also offering masterclasses, interactive webinars covering our up-to-date research with offerings of certifications and all-day virtual classrooms. And then lastly, KC Plus, our content research platform: you pay for a subscription, you get access to all of our documentation, and it's easily searchable and available online. So with that I think we will close, and thanks everyone for attending.
Thanks, Thom, for your excellent insights. Always great to work with you. Thank you. And we have been recording, so this webinar and slides should be available in the next day or so. Thanks everyone. Have a good rest of your day. Thank you. Bye-bye.