Cyber hygiene: what is it and why do you need it?

May 19, 2020

Max Clark talks with Open System’s Sr. Director of Product Management Threat Response, Dave Martin, and Head of Sales Engineering North America, Roman Jeitziner. Dave and Roman provide an in-depth discussion on what cyber hygiene and security are, how they can make life easier, and how to balance priorities when investing in security.

Episode Transcript:

INTRO: [00:00] Welcome to the Tech Deep Dive podcast, where we let our inner nerd come out and have fun getting into the weeds on all things tech. At Clarksys, we believe tech should make your life better, searching Google is a waste of time, and the right vendor is often one you haven’t heard of before. 

Max: [00.18] Hi I’m Max Clark and I’m talking with Dave Martin, who is the Senior Director of Product Management and Threat Response, and Roman Jeitziner, who is the Head of Sales for North America at Open Systems. So, we’re here to dig into Open Systems, and as kind of a foundational question… Open Systems, we know started as a value added reseller and an integrator for Checkpoint firewalls, and then you’ve evolved into something well beyond that in the space and your approach for security. Can you give me just a quick overview of what Open Systems does, and what your general buckets of service and product are?

Roman: [00.56] Sure, yeah. The fact that we started as an integrator is probably the main reason why we are where we are today. When we just sold firewalls and then the need came up for WAN, global WANs, we kind of started to combine different platforms and Open Systems itself started to realize at a very early stage that it adds an enormous complexity, right? So, you have your service chain, firewalls, WAN platforms, routing and so on… And based on that, we thought, “Let’s shift our model, let’s shift from a hardware perspective to a service perspective, let’s start to build our own platform.” That was like twenty years ago, I’d say. So back then, we said that whole service chain doesn’t work, it’s too complex, so let’s build our own platform and that’s where we started. The core of that is obviously SD-WAN; I mean, that evolves from just WAN and automatic failovers to more sophisticated ways to failover applications, now called SD-WAN. And then around that on the same platform – and that’s the critical part – we also offer NG firewalling, secure web gateway, network detection and response and so on, and that’s all on one platform. Luckily Gartner came up with that terminology, SaaSy – secure access service action, 2019, and for Open Systems that was kind of like the first time we thought, “Okay, this is actually where we belong, this is where we should be.” It’s not just an SD-WAN box, it’s not just a firewall, it’s not just a proxy, but it’s actually a service platform which combines all of these different services onto one platform, and that’s Open Systems in a nutshell.

Max: [02.43] You’ve approached this a little bit uniquely, and I think this also comes from km where you started, because when you look at MSSPs in the market today, it’s usually a discussion around integration of other vendors’ platforms, so what we were just talking about. So, we’ve got this brand firewall, we want this brand SIM tool, and this brand this, this brand that, and very quickly you start talking about layering on a lot of different products. Security for an enterprise at this point is a significant amount of different products, in order to have the different maturity models and what you’re trying to actually achieve, right? That gets pretty complicated very quickly, right? You see slides with — I don’t know, I think it’s the favorite slide of people selling integrated services of, “Here’s how insane this would be to do it on your own, we make your life simpler.” You know, we talk about firewall and web gateway and et cetera, but it’s a lot more than that, you guys go a lot deeper into this. 

Roman: [03.40] Yeah, definitely. I mean, this is kind of where we are coming from, and we have Dave Martin the call because he’s where we are heading to. So, it’s not just network and network security, but it’s security as a whole. That goes to the endpoint, that combines a seam as a platform, and to — we want to be able to provide them managed detection and response services, like a SOC – a full blown SOC. We already have, and we have had for years, a huge SOC component with network detection and response; previously that was called IDS, and we added value to that, it was not just an alert, but it was really some output. Our engineers in our operations center and security operations center, we analyze these events and then provide qualified feedback to the customer saying, “Hey look, this is something you should really look at, this is what we suspect, these are the actions you should take, please provide feedback so we can train our system further and be more proactive the next time.” We want to take that to the next level, and this is actually where Dave Martin is jumping in.

Max: [04.51] Dave, let’s talk about that, what is the next level?

Dave: [04.55] Sure, yeah. Happy to share that Max, but also wanted to reaffirm what both you and Roman have pointed out, which is that the complexity in the security stack today is very candidly, just unmanageable. I talk to a lot of CISOs and many of them are moving to try and consolidate that security stack to eliminate that complexity there. A lot of this is, I think, just a manifestation of where we’ve come as an industry, where for a long time we used what are called technology driven security models, where the idea is if I just started with the firewall, but then I say, hey, if we just buy an IDS, we’ll be safe. If we just buy an antivirus, we’ll be safe, and so on and so on and so on. As an industry, we spend over a hundred billion dollars in security related software per year, and yet despite all of that investment and really smart people and good efforts – best efforts – damaging breaches continue to occur. So, this idea that we need to simplify and consolidate and then as Roman was mentioning, monitoring all this is really key to minimizing risk, and you know, we do have the entire platform, and we’ve added to that platform a number of managed monitoring services, essentially. You know, we assume that despite best efforts, security controls will be bypassed, and the only way to really know that is to be watching, to be monitoring all the time.

Max: [06.17] You bring up this concept of, we’ll be safe… And an enterprise will be safe… But that means a lot of different things to different people, and also you mentioned users. You know, most users’ perception of security is that security exists to make their lives harder. You know, this isn’t something that’s actually benefiting them in any way, right? I can’t access this system because of our security profile and I can’t work now, you know? You want to throw your keyboard out of the window. So, how do you balance those two? I guess the first thing is as you’re interacting with the customer and you’re looking at what your service evolution is, how do you define safe, and how do people find that balance in safe for them, and then how do you do this in a way that users aren’t frustrated that you exist?

Dave: [07.03] That’s a great point, and you’re exactly right; even myself as a security person, you know, when I’m prompted to install an update on my machine and I’m right in the middle of something, a presentation or something, it can be frustrating, so I completely understand what you’re highlighting. And I always joke, I always say to people that there is this spectrum that you’re kind of highlighting – the most secure device is the one that’s not powered on, right? But then again, is it useful? No, it’s not. It becomes a paperweight at that point, so exactly to your point, you need to strike a balance. One of the things we do with our service, our monitoring, our threat detection service is we have an onboarding process, where we sit down with the security team or the CISO or the person responsible for security and we have a candid discussion about what is it about the “Am I safe” question that you’re worried about? And it’s different Max, for each customer in that spectrum as you might imagine. Some customers are worried about ransomware and getting locked out of critical data, others are worried about theft of intellectual property, others are worried about spear phishing or business email compromise attacks and these kinds of things, so when we engage with customers, we start with that dimension: what do you consider most valuable? Then, we build and tune our detection around that, and I always say that security is a journey, not a destination, because that’s just a starting point, frankly. This is the value of having a service, is that you need to be tuning it all the time as you’re learning it and as things change in your application and your business and so on. 

Max: [08.32] I mean Dave, isn’t that a little bit of the cart leading the horse? If somebody comes to you and says they want to bring you in because they’re worried about ransomware, I mean… How do you balance like, “I’m worried about ransomware because I just read this article in whatever newspaper and I should be worried about ransomware as a result.” I mean, everybody should be worried about ransomware, there’s a lot of other threat factors that they should be worried about as well. That’s a very human response in terms of what my priority chain is. Like okay, I’m worried about ransomware because I just read something horrible about it, but I’m not worried about phishing? That’s also a balance, right?

Dave: [09.02] Absolutely, and it’s one of these interesting dynamics where, for a variety of reasons as you are probably aware, every organization has different levels of cyber hygiene. Some are very sophisticated, they’ve got things really well mapped out, others not so much, and to your point – sometimes there’s — I want to focus on x, when you realize some of the basics really aren’t done. And so, this is part of our  role as well, and become more of than a monitoring and service provider for our customer but becoming a partner in security, and we explain to them, “I understand that’s the direction you’re going to go, here are some investments that will go a lot further for you.” And we have those discussions, we have opinions about those things, because we see it happening, we see the results of this, you know, every day, and in the end, it’s the customer’s decision, right? There’s always a trade off in security, it would be wonderful in everyone had unlimited budgets and could throw everything at the problem, but  that’s not reality, and so we very much view our job as trying to highlight customer’s areas where we think they can improve, should evolve to, and then essentially try to make the risks known and managed to them.

Max: [10.13] The conversation I have a lot related to security now is really what’s the goal of security and where are you really trying to get to? We talk about, so you’ll be safe… You know, I’ve stopped thinking about security in the context of, you’re going to prevent a breach and an incident, and I think about it more in the lines of, you’re going to limit the damage that incident causes you. So, you’re going to be able to detect that incident faster and be able to carve it out before a lot of damage happens, you’re going to be able to block somebody from exfiltrating data from you, or you’re going to prevent — in the case of ransomware, you’re going to be able to have the ability to rollback and remediate your systems much faster. How do you guys view this? Because you also -in the relationship with a customer – you keep using this language very intentionally, we can advise, we can interact, we can recommend, but a customer still controls their infrastructure. How do you balance those two, of like, there’s this going on and this is what you think you should do, and you’ve decided not to do it. How does that work?

Dave: [11.09] Yeah, and actually I’ll hand it to Roman here for just an input with a little preface which is that, you’re on such an important point with some of the value of what we have as a platform here, which is when we do detect threats, because we control the security stack, we’re able to often contain those threats earlier in the cyber killchain. The many studies Max, have shown that the earlier you can detect and contain a threat in the cyber killchain, the less the impact is to your organization. So this is a real strength of having an integrated platform… We’ve done a fair amount of automation and Roman can describe that in our platform, but before I ask for his help here… Many of these decisions, when it’s not straightforward, there’s a human involved that ultimately is making the decision, and you know, we have recent response plans that we’ve developed with customers when they come on board with the service – some things we can do automatically, others we require authorization and we work together to do that. And now I’ll turn it over to Roman, maybe Roman you could touch on some of the automation we’ve done with our platform.

Max: [12.09] Actually Roman, let’s start a little bit more basic and work our way up your stack, I think this will be helpful for me as we talk about. You talk about this precursor to SD-WAN and this appliance that gets installed at a physical location, right? So you have a box that gets installed and you have intelligence on that box, and that box connects to your service, and as well as that you have software that gets installed on PCs and servers, et cetera, that can also provide intelligence and feed data to and from Open Systems. And so, these are pretty foundational elements to deliver your service, and let’s talk about what those things actually do, and what the layers are going up from that, and I think that’ll drive this a lot.

Roman: [12.51] Sure, yeah. I guess in sales engineering or in sales in general at Open Systems one of the pictures that we often use in the process is the killchain, as Dave mentioned. So, we should not just look at one aspect of the killchain, but at the killchain as a whole, and that starts on the left side, reconnaissance – so firewalls, for example. They can prevent an attacker from finding out what’s going on, right? They can also prevent the spread of a malware within a network, if it goes from one side to another, so that’s a mechanism to prevent them. And then we have mechanisms like the proxy to secure gateway, or our DNS filtering, which — these are all elements on the prevention side, as we established, we still expect breaches to happen and this is why detection and especially this response part is critical. From a detection perspective, we have two main sensors, I would say. One is on the network level, so the network detection and response sensor, and the other one as you mentioned is the endpoint detection. So, this gives us like two sensors at critical points within a company’s environment, to detect incidents. And now the critical coin is that, obviously the sensor data is not — we need more, right? So that’s why we correlate that information in a seam, we take the sensor data, we take firewall logs, proxy logs and so on, and we take some compex logs from Active Directory, for example, and we correlate that in that platform. On top of that, we provide our service which we call the managed detection response. Now, one of the key differentiators at Open Systems is that our service model is unique, I would say. When we built that years ago, we said that we don’t want to build that level one, level two, level three support center, because first of all it’s annoying, and it doesn’t work. I can’t imagine any more to call somewhere and say like, “Oh yeah, I have this one problem,” and then they tell me, “Have you tried to turn it off and on again,” because… Yeah. And we always take this analogy — Let’s imagine your kitchen is on fire, and that’s comparable to a major IT incident, like a security breach for example. And now, the fire bridge is arriving but they send in the most junior firefighter there is, like just because it’s level one, right? And this firefighter is coming in and says like, “Hm… Yeah, that looks like a fire. I think we should do something. I’ll hand you off to level two”, and then the kitchen fire all of a sudden is like, the whole building is on fire and so on – it’s not how it should work, right? It’s the same in IT, it’s not how it should work. When you have an incident, you want to have the most experienced person available to have a look at that, and that’s how it works in Open Systems. We call our operations center Mission Control, it’s kind of based on NASA, and the most experienced person is the captain. The captain is responsible for triaging all of the incoming events and tickets, so that person is the most experienced firefighter on the bridge, and says, “Okay, this is like a small fire, we just need a fire extinguisher, we hand it off to the junior one,” and on the other side we’ll say, “Oh, that’s the whole building on fire, we need the whole brigade, everyone needs to come and everyone needs to fight this fire.” And this is the absolute key differentiator, and this is why our customers are very happy, because they first of all don’t have to go through that level one, level two, level three, because it’s annoying as I mentioned, and on the other side, everyone who picks up the phone in mission control, they can really help out customers. 

Dave: [16.44] We should probably also share with you Max, that in addition to what Roman just described with NVR, we have a model where we have security analyst teams that we’re essentially assigning to some numbers of customers. Those teams only deal with those customers, and the principle reason for that is that we believe the better you know an environment, the better the threat detection will be, the more accurate it will be, because the humans — you know, we do use a fair amount of AI and automation, you know, supervised machine learning and so on, to reduce noise and amplify signal, but  at the end the human is still the best at spotting the gray areas, they things that don’t quite look right. So, we look at our platform as trying to make the human better, versus replacing the human, and that model Roman described is what we use, and then we’ve doubled down on that by adding this extra dimension where we have a security analyst get to know the customer and get to know that environment very well.

Max: [17.36] So with the network appliance in a physical location, or with endpoint software running on devices, and then overlaying that with a web proxy, and overlaying that with NS, and we start talking about rolling all this log data into your SIM tool – we’ll use industry terminology for it – and then you pack in, you know, threat intelligence, some other signals coming from other places as well, and you roll all that up into like, this giant slush pool of data, right? Well, now you have to process that and evaluate what’s actually normal and abnormal on a customer by customer basis as well as — like, this is something we know is bad on the internet in general, right? But then you have lots of options, when you talk about killchain, of where do you actually attack and kill that thing, right? Do you kill it in your proxy, are you killing it in your DNS, are you killing it in the appliance, on the endpoint – so that’s awesome. And then you also have lots of different customers, so how much is this collaborative data that comes into Open Systems as a whole because you’re getting all these — I mean, my traffic is going to be very different from somebody else’s traffic. How much correlation — correlation isn’t the right word — but how much information can you glean from your customer base as a whole to then apply and make those decisions across everybody? I mean is this something literally like… If one of your banking customers get attacked and you build a rule for it, you go, “Okay, boom, apply this ruleset now to everyone else,” and that particular threat vector is now gone from the network?

Dave: [18.56] Certainly, we do share rulesets generally that are applicable, so that our customers get the benefit of learning about these different threats in different types of environments. But Max, you’re on a really interesting point. Roman mentioned earlier that when we deliver our service we use sensors… One of the main reasons we do that is because those sensors become our source of truth for what’s happening in the environment. When you’re trying to do threat detection with multi-vendor security stack that you don’t know, you don’t know how it’s set up and so on, the effectiveness of that approach is really poor. I can share with you that we’ve gone back and sold MDR to managed service to companies that are just disappointed with the current model, where they are just trying to use their own kit. You don’t need to have our entire platform, I should make that very clear, we sell MDR separate from the platform; you don’t get the benefits of the killchain integration that Roman and I talked about, but essentially we would drop our sensors in and then collect that other long data and do correlation. The idea is that through that SIM, as you correctly described, it has threat intelligence, it’s got a default set of rules – and by the way, we use the Mitre ATT&CK Matrix, if you’re familiar with that framework – to measure our detection and improve it over time. We focus on the techniques that threat actors use, rather than the actual attacks or IOCs, if you will, because if you can identify the technique, you get a lot of return for that investment. You know, you can spot hundreds or thousands of threats that utilize the same technique, just by being able to recognise that technique or that tool. We learn from customers and we apply that, generally speaking, when it’s appropriate. 

Max: [20.37] I mean, there’s a mention of like, ticket creation and triage and maintenance and you know, remediation. I mean, if I’m an MDR customer, let me actually restate that — if my company was an MDR customer with Open Systems, and I’ve opened up my Outlook one day and I’ve clicked on a link, am I going to get a phone call from Open Systems one day that says, “Hey Max, you’ve opened this link or you went to this website, I mean what are you up to? We’ve got to do something now.” I mean, that’s going to feel a little… Big Brother creepy-ish. Are you going to the IT department? What is the interaction for MDR, who is responsible for what, like how do you find those — and I’m ask this question because you read a lot of horror stories about RFOs with security incidents, where there was a system in place that detected and notified and said there was a problem, and then it was ignored. So, detecting an event that goes to a person to make a decision and then either it’s just autofiltered into a folder and an email inbox, or it’s just like, “Oh we don’t care about that, that’s a false whatever and we’re not going to do anything,” or “You’ve got this device that’s doing something weird on your network,” and, “Oh, I’ll get to it on Tuesday,” you know, like how do you balance that? It is, again you’re talking about this is your customer’s platform, not yours. How do you interact with them? 

Roman: [22.00] That’s an important point, and as you say, we have different customers, and every customer is different. So, one of the major things we have to do in the early stage of a partnership is we have to establish these processes, they can marry — but let me make a general example, or pick up your example where someone clicks on a link in an email. So, first of all we want to have protection in place which would protect you from getting infected by clicking on a link. So, we have different – on that killchain – we have different services in place, like the DNS filter which would check the link you click, we have the proxy, so we would also be checked for malware epsilon, but now it can still happen that something kind of goes through that mesh of protection, and this is when then the sensors would pick it up, right? And I myself had an interesting example when I was working in mission control, that one of our sensors picked up a keylogger activity. So, I was able to analyze the traffic and then I was able to generate the text file, which had usernames and passwords to specific domains, which were sent to the command and control server. The immediate action was to block that destination, and my next action was to pick up the phone and actually call the customer. I did not contact – in this contact – I did not contact the end user itself, but we contacted the IT department based on our established processes. And again, it really depends on the customer but in a major incident like that, the phone is usually the way to go. You say, “Hey, this is what we saw, this is what we recommend to do, and get back to us as soon as you did it,” and then we have some additional capabilities, so we could lock down the host, for example, if we have endpoint… An endpoint client installed, we could lock the host on the network, so the host could not go to any other site or through the proxy or anywhere any more. So, we have different capabilities to isolate that host, but that really depends on the feature set the customer has enabled and the processes we have established with the customer.

Max: [24.21] I mean, so mobile device management, a lot of people are going from fleet management with software installed, but also because it gives you the ability to say this device is lost, secure wipe it if it ever connects to the network again, right? But you mentioned that if a customer subscribes to it, I mean… You know, if somebody hasn’t opted into the Rolls Royce and all fifty-seven packages of options, you know, with Open Systems, and you have an event and it comes down to, “We’ve got this thing running and we know this is in the wild and it’s on,” and I’ll pick on HR, “It’s on the HR director’s computer who has gone on vacation,” can you customers say to you, “Let’s enable this feature, lock that box down, we’ll deal with this on Monday.” How does — I’m curious, is that a predefined support boundary that gets established because they haven’t integrated the service or is that a service where you could just say, “Hey, we’re going to turn this thing on, and we’ll get back to it, we’ll settle up in the future but right now we’re going to take care of this.”

Roman: [25.27] Yeah, and that’s actually something that happened in the past unfortunately, I have to say. We had, for example, we started with the rollout, and the rollout was delayed, so only a few of the clients were actually protected by an agent, for example, and we detected that – Dave help me, what kind of malware was it, like a cryptolocker or something?  

Dave: [25.50] Yeah, exactly.

Roman: [25.52] Yeah, we found a cryptolocker, but obviously it did not originate, but we were able to see that it kind of spread around the network, and originated from a host that was not protected, and then we were able to kind of push that further, so that we kind of were able to roll out the rest of the agent and kind of get the whole network protected. So that’s kind of one scenario. Another scenario is that customers have incidents and they got it from somewhere else, and then they ask us, “Hey, can we spin up these additional sensors,” for example? This is kind of like… That’s the nice thing, because it’s on the same platform you just spin it up. It’s not… No additional hardware needs to be deployed, no rollout project, nothing. It’s the same box, and it’s fully integrated. That’s the nice thing. For example, on the proxy, we decrypt encrypted traffic, right? So all the SSL, TLS traffic, it’s all decrypted but then it’s automatically sent to the sensors. Now imagine you have a proxy solution and you have an IDS solution, or a network sensor – and these are two different products. You would now have to make sure that you send traffic when it’s encrypted from one box to the other, and this is like integration efforts on your side. You have to make sure, or your MSSP has to make sure that it works. It’s probably like some API connection, or commonly known as service chaining. This is just complex – you have to do it, you have to make sure it still works once you update one box or the other box, and because we have all of these capabilities on one in the same box, they’re awfully integrated. So, when I receive an email, for example, that email link is already checked by the proxy engine, so it already runs through the proxy, kind of virtually, to check if it’s bad. If it’s bad, the email is already blocked. So, we talked about the killchain – kill it as early as possible in that chain. We use different mechanisms, from services which would usually come later, but we already use it in the earlier stage to block that malicious activity, and yeah… This is where the big benefit comes into play. You don’t have to care about that integration or anything, it’s just there, out of the box, you can spin it up if you need it, and yeah – that’s how it goes.

MID-ROLL: [28.21] Hi I’m Max Clark and you’re listening to the Tech Deep Dive podcast. At Clarksys, we believe tech should make your life better, searching Google is a waste of time, and the right vendor is often one you haven’t heard of before. With thousands of negotiated contracts, Clarksys has helped hundreds of businesses source and implement the right tech for the right price. If you’re looking for a new vendor and want to have peace of mind knowing you’ve made the right decision, visit us at Clarksys.com to schedule an intro call. 

Max: [28.50] You know, I remember the first time I installed Snort, and enabled it, and we had it running – actually at that time it was on the corporate network, single location, as well as in the datacenter environment, powering a web application… And, I think Snort ran maybe for three or four hours before we had created Outlook filter rules to filter all of its logging data into different folders, and I think we made it another few days before we disabled the email notifications for Snort completely, and just would refer back to it when we were looking for things. This was – I’m going to date myself – this was a long time ago. You know, when I look at this now, and I’ll — I mean, at the risk of making an absolute statement, I’ll make one: IT teams are completely overwhelmed. I mean, just your number job… Industry averages right now are pushing one hundred and fifty employees of IT staff, maybe more. I mean, that’s a lot of day jobs, forget any sort of massive event correlation, security overlay and service chain and everything else… I mean, trying to get a firewall talking to a SIM with threat intelligence overlaid on top of that, with endpoint detection and response integrated on top of that, and being able to correlate and investigate every single event that hits one of those platforms, saying this is valid, this is not, this valid, this is not, this is valid, this is not… I mean, it seems to me at this point — I mean, I would probably not make it very long in an environment if that was my job. I just think I would just ignore it, and that’s because of the volume of data that would come towards you and the percentage of false positives, as well. That was the one that was really exhausting for me, it was just the percentage of just absolute… You know, we think this traffic is bad – look at it. And you’re like, “Okay, great – now what do I do?” Four hours later goes by and you’re like “Yeah, yeah, it was totally fine.” We talk about your machine learning – I won’t use the AI term because it’s really machine learning – and automation with an Open Systems platform. I mean, how much of your R&D energy goes into automation and how much of that is informed by manual investigations that occur, and what does that cycle, you know, that rinse and repeat cycle really mean for Open Systems and how you evolve yourselves to get faster as, you know, the market in general speeds up?

Dave: [31.02] First of all I can completely identify Max, with the environment that you described; many of our customers are in that state where they’re just inundated with alerts. I mean, we have one early customer for MDR service, the CISO enabled Sentinel in their Azure environment, and immediately Sentinel started producing a ton of alerts, and frankly it was a question — the CISO didn’t even really know what to do at that point, even am I under attack, right? That sort of very basic question was difficult to answer because of the noise that was generated, and your Snort example’s another one of that. And so, we have a philosophy here where we only say ‘outcomes not our words’, that our customers want outcomes, you know? These systems are going to generate a lot of noise, and our job is to reduce the noise, amplify the signal, and only deliver the outcome. People don’t buy a SIM for the SIM’s sake, or the security technology for the technology’s sake, they want the outcome of these products, and that’s really where our focus lies, is in delivering that outcome and simplifying that. It is a process. I mean, we automate where we can, to reduce the noise, but ultimately our platform surfaces things that it thinks are suspicious that our team needs to run to ground. And we do that, we correlate it with other sources and then we say, is this a true positive and a security incident, or is that a false positive? And in a strange irony, if we’re doing our job well, Max, our customers wonder… Well, what are they actually doing, right? They should only be hearing from us when there’s a true security incident. One of the interesting side effects of delivering this service is, fortunately for us we have a model where we have a monthly meeting with the IT team of our customer, where we receive the performance in the SOC, so we can show them the value, and then also we use that opportunity to work on some of the cyber hygiene and guidance things you and I talked about earlier. But yeah, you’re exactly right – this is the big difference between a provider that is just monitoring the infrastructure and tossing alerts over the wall, and one that actually has a structure and a model in place where they’re producing the outcomes that the customer is looking for. These IT teams are burdened… One final point I’ll make here is that it’s not uncommon for me to talk with security teams, and nobody has touched their firewall policy in a long time. You can probably identify with it —

Max: [33.18] Come on Dave, every security firewall policy ever… Here’s my NAT real inbound, allow everything outbound, you know? I mean, come on!

Dave: [33.29] It really is – and by the way, I don’t blame people, because the way this technology works, you can inadvertently open up a hole and expose a vulnerability, right? And so, it’s very… People tend to only view things when there’s a breach or when something’s obvious. And security, we should be doing better as practitioners than that; that’s when monitoring can provide that feedback to that security stack, so that you can always be optimizing it and tuning it. Security is like a complex system, it needs a feedback loop for it to be working correctly. 

Max: [33.56] I mean Dave, I hate firewalls… I mean, going back twenty plus years and selling firewalls, you know this belief that gets sold of if you install a firewall your system is secure, and the percentage of really bad things that I’ve seen happen because it was the application that vulnerable that surfaced through the firewall, and the firewall did exactly what it was configured to do. It allowed traffic to a known service, based on a known rule, and that service is vulnerable. You know, and credential stuffing attacks, or SQL injection attacks, all these things — I mean, the firewall does what the firewall is supposed to do. 

Dave: [34.31] That’s right. No, you’re spot on. These attacks are much more sophisticated, our security model needs to be — and nuanced – these attacks are sophisticated and nuanced. I mean, a determined threat actor, they used obfuscation, they’ll weaponize the steganography to hide things, I mean it’s… You know, this idea, this notion – Max, to your point – that we have a firewall, and some additional security technology should be fine – the problem is just much more nuanced than that these days. That’s why I think services like ours are becoming very, very popular; this is really becoming a best practice I think, to minimize risk. Most CISOs are either working to outsource a SOC or build one themselves, so it’s sort of on that trajectory these days.

Max: [35.09] There was an article in Crypto Security not too long ago, and it was a confessional, I am an engineer at a cloud company in silicon valley, and I was — for lack of a better word, he was or she was victimized by a social engineering attack that ended up exploiting and gaining access to her bank account and wiring a significant amount of money… This is a person, and again the confessional that I’m a relatively sophisticated person, and I fell for this. You know, there’s this idea and this started a long time ago and it looks at risk or organizations and threat vectors for organizations, right? It was UNINTELLIGIBLE 35.52 by internal employees, and then — I mean, it’s not to say that you blame a target or focus on, my users are the problem, I don’t think that users have a shot, there’s no chance you know, for people, the average person nowadays to be able to defend themselves and make these decisions because the sohpitistaction of it has gotten so incredibly good and it’s so… I mean, you’re doomed, almost. If you’re talking about now you’ve got the rank and file employees trying to do their jobs, they’re clicking on opening a file, and that’s how it’s started in training. Are you helping customers go through training models, are you helping people educate, are you providing materials, like… What’s — because you know, this goes a little deeper than just installing systems and sensors, this goes also down into the stack of what users can and cannot do, and are they educated and how do they know, and what do they respond to, and if it’s customer service or contact center, what information are they releasing? How deep do you guys go? 

Dave: [36.54] We don’t offer any security awareness training services ourselves, Max, we’ll recommend vendors to our customers, and that’s a good thing to do, those kind of things that you’re describing, for sure companies can do. One of the things we’re going to be doing in the future – we’ve not yet implemented this yet – is that in our MDR service I mentioned that we have monthly meetings. One of the things we want to start doing is taking a cybersecurity framework, there’s lots of them but the one we’re most partial at the moment and looking at more closely is NIST cybersecurity framework, and take a piece of that like identity or detect or protect, and just go through that with the customer to offer advice or areas they can improve, so there’s a little more structure around these discussions, so that we can help from a training perspective. Not necessarily go over the training ourselves, but basically increase the awareness around that, and then make some general recommendations. If there’s further, there’s lots of security professionals as you’re well aware that can go in and do very rigorous assessments and auditing of security controls, and we don’t offer those today. But again, we like to think of ourselves as a partner with our customers on their cybersecurity journey here, and because we’re in this unique position where we have complete visibility into all the potential a track surfaces, we have  a lot of information we can provide to the customer to help them improve over time. You know, we set up a model or service where we can deliver those improvements continually. 

Max: [38.21] I mean to some degree also, security is reactionary, right? It was a best practice, we know we should have these things in place, and these things should detect and track and block things that we already know about that have occurred in the past, right? Like, this is something that has happened in the past, it shouldn’t happen, right? That’s still reactionary, it just builds on twenty five years of experience to some degree, right?

Dave: [38.24] Yeah.

Max: [38.42] So, I mean what’s the actual — the aim? What’s the end result when you start getting back into this concept of, we’re safe? What is the goal of security, because if everything to some degree is reactionary, there’s a preventative measure with security, and then it’s, you know, and then the hairy kind of things of new ransomware attacks of these things are very much reactionary. So in that case it’s not prevention, and it’s not an insurance policy, you’re not getting paid out if you can’t get access to your computers or if you have to go through and re-image a fleet of a thousand machines or whatever it actually is, so in your mind what is the actual end state, the goal in what you’re actually trying to achieve for your customers?

Dave: [39.25] I think most organizations have come to the understanding, Max, that they’re in a position where they’re trying to minimize risk. These things can happen, you know as you say, and so having a strategy around what’s truly important, you know, if there was a certain incident that would be very damaging for your business as an organization, and then focusing your security around minimizing your exposure there, I think is probably the best thing you can do, right? I get asked all the time, can you guarantee or detect every threat, or you know, and the short answer is no – nobody can do that, to your point. What we can do is with the — from a combination of the existing preventative controls and then assuming that they’re going to fail and always going to be monitoring, you can really minimize your risk, and we have a model where we’re willing to deliver this service, there’s generally speaking, two classifications of threats. There’s known threats, and usually the security prevention layer will be updated with known threats, right? You said earlier about Snort, there’s a signature base, most companies – we here at Open, we update our signature base every twenty four hours with the latest intel on known threats, but then there’s unknown threats, these so called zero days. These are new techniques and things that have been developed, and the only way you’re going to catch these things is with monitoring. So like, if you have those two controls in place, you’ve got a strategy for detecting known threats, and then you have a strategy for detecting zero day, really that represents kind of the state of the art for today. And really, it is a bit unfortunate, as you say you know, this may sound a bit corny, but I feel good about the fact that we’re helping to protect people that otherwise wouldn’t have the means, for whatever reason: cost, it’s not their focus, whatever. That’s sort of what drives me and many others at the company every day, but there’s no guarantees, to your point. You just have to continually improve, and that’s why I say – I mentioned earlier, security is a journey and not just a destination. It’s just the nature, I think, of the problem.

Max: [41.22] So for a company that’s already — I mean, that just deployed firewalls or an SD-WAN service or you know, endpoint detection system, or a SIM or all these different things, part of your sales team engagement would come back and say, “That’s okay, you can use us for everything else and we’ll get back on that at some point in the future.” If we eradicate certain parts of that service chaining, it does degrade your ability to see information and respond to information and interact with information, so how – from a practical standpoint – if I’m not replacing my firewalls when I’m onboarding with Open Systems or if I’m not replacing my endpoint, you know, with your sensors or using your web proxy or, you know… How much does that really impact the effectiveness of your service, of your platform, and how quickly are your customers changing that decision of, you know, we’re going to keep our big box firewall that we had when we came onboard, and three months down the road are they saying, oh, we’re getting rid of this thing? Obviously from a sales perspective, being able to say, “That’s okay, we’ll work with you,” is the right response, but I’m interested in what’s the practical reality of actually providing the service delivery?

Dave: [42.33] Yeah, you’re on an important point, because we tend to have customer engagements in two dimensions – one is from the networking side, and then the other is from the security side. The short answer to your direct question on the firewalls, if we don’t own them and so on, the greatest impact really is just on the containment side of it. When we deliver our MDR service, we collect those firewall logs, we use them in investigations, even if it’s not our firewall, same with endpoint, Max. So, the detection side is not really impact in that sense, it’s really more in the containment, when it’s not our stack, we’re not able to update the security policy, but we would provide the customer with a response to an incident and suggest that someone on their team do that, but we’re not able to take those actions on their behalf. I think what happens, I know from personal experience with a lot of customers, we start wit them on the monitoring, MDR, and then there’s this idea that there’s a strategic alignment with the whole stack, because over time they do want to consolidate, they want to get rid of their existing firewall and move to something that’s more integrated, so it’s a way for us to get engaged and have a longer term roadmap for how to improve and save money for the customer, you know, and end up with better security and cost savings over time. Roman, I don’t know if you have anything to add there on those lines?

Roman: [43.50] No, the only thing I would add is that it’s not an all or nothing solution that we provide. As Dave mentioned we often — the first engagement, often is SD-WAN, because customers are looking for SD-WAN, or even just transport layer, so ISP lines at each and every location, that’s one of the gates we often step in. Then it’s our job as a sales team to educate the customer that it is not just SD-WAN, that they should not just look at one silo, right? They should look at the environment as a whole, and that doesn’t mean that it has to be a day one switch from old world to new world, from point products to SaaSy solutions, but it’s kind of like… That mindset change needs to happen, and then they realize, “Okay, let’s start here with SD-WAN, then let’s move on and once our firewalls and proxies are end of life, we already have the platform in place, we don’t need to change anything, we just spin it up,” right? And then on the other side, towards the security, we start with these logs that are available with the products they have in place, we integrate them, we take them as telemetry and act on it, and then over time, we lift and shift if the customer wants that. That’s how it often works – we start small, we can expand if the customer wants that, or they’re just in our MDR service without the stack, and that’s also possible.

Max: [45.23] So I know Open Systems in general was very happy when Gartner announced and launched SaaSy, and defined it and started tracking SaaSy, and my response is both, right? Happy and sad. In one sense it’s, great, we have a definition around these things and we have validation around further maturity and evolution of security and security delivery, and of course I’m sad because I know the reality of it is lots of marketing departments are going to be figuring out how to classify themselves now as SaaSy, just… You know, we talk about SD-WAN, like every box has been trying to figure out how do you shoehorn this into saying, it’s an SD-WAN box, even if it really isn’t. It’s a box, it’s on the internet, and it manages your internet connection – it’s SD-WAN. So, you know, so yeah, I’d say it’s probably great for you guys, because now you have a lot of addition lawarness that’s come out because Gartner is saying, “Okay, SaaSy is important.” You know, the other thing though, for me, when I look at this in terms of like maturing operation structures for companies, and now we talk about distributed and remote being a primary mechanism, this concept of people being in offices has already been decreasing as time has been passing, and we have larger and larger organizations that have been completely remote, and we expect that to increase now post-COVID, that the amount of remote and distributed workforces are only going to scale up, you know… And I’ve been a big fan of zero trust since Google released a research paper, however many years ago. I mean, this concept of, how do you establish and determine, does this person or device match a policy that allows you to gain access to a resource, and then do things, and you know, I’m kind of curious when Open Systems starts announcing and branding yourself to some degree as zero trust, because you have a lot of components that come into it, of how you’re deploying your software today.

Dave: [47.11] Yeah, it’s interesting you’ve touched on a lot of points. Obviously as you highlighted, it’s helpful that Gartner has coined what we’re doing. It is an evolution of the networking space, but more broadly, it’s interesting – I often tell customers I wouldn’t necessarily want to be in their shoes, because of all the claims that these vendors make in general about things. And you know, even managed detection and response there’s no formal definition, so you get a wide range of companies that say they’re MDR companies, when really they’re not, they’re just doing managed firewall, for example. It’s one of those things where I think you need to look beyond the label and understand what the action is, what you’re looking at. You mentioned AI over here and sort of the optimism and I have to tell you I kind of share your sentiment, as you might imagine I have vendors that have different AI software solutions, saying, “Hey, you guys should use our artificial intelligence, our threat detection,” and then you dig a little deeper and you start asking, “Well, what’s the rule sets, what’s the data that it’s operating on?” And when I don’t get those answers, my spidey sense starts to tingle, right? Something’s not quite right here. And So I think as consumers, security professionals, we need to dig a bit deeper on these things and not just take those things at face value.

Roman: [48.24] Yeah, and let me add to that. I think over the years – I’m with Open Systems for six years now – in the beginning I think it was our challenge to explain to customers why hybrid WAN, with their existing MPLS and all of a sudden a new internet line would be a great thing, and then Gartner came up with SD-WAN, and that made my job easier because I now had a term, and everyone was interested in SD-WAN, but it was nothing else as the day before, like, I just had a name for it. Last year, the same happened with SD-WAN, I had a hard time to explain why it is an interesting concept to have SD-WAN box and a firewall and all of that stuff, on the same platform, right? And now it’s just easier, so my job changed every two years from explaining why something is interesting, to why you should now pick Open Systems before someone else, right? So that everyone — I fully agree that everyone tries to get in that space. I guess for people looking into SaaSy or whatever, the important thing is don’t look at the word or at the label, always look at what are your requirements? I answer a lot of RFPs obviously, and the worst RFPs are RFPs which ask for specific features. They say, do you do deduplication or do you provide this specific feature, and the question should not be do you provide this specific feature, it should be these are my requirements, what solution do you have to this requirement? You kind of shift the conversation, because it forces us to often into saying, “Yes, we do it, but we kind of do it differently,” or, “Hey, have you looked at this?” They’re looking for a feature or a data sheet, right, and they’re not looking for what’s their actual requirement. At the end of the day, you have users and you have applications and you want to make sure that the users, wherever they are, get to your applications and that all of that is secure. So that’s what you should care about, and the providers, they should make sure that with the solution they provide, facilitates and fits that requirement. This is key, and if it’s called zero trust or it’s called SD-WAN or SaaSy, that at the end of the day shouldn’t matter. It makes it sometimes easier for us to start the conversation, because we now have kind of a word around what we do. 

Max: [50.52] I feel for you that you have to work on lots of RFPs, I constantly find the study of trying to figure out how many hours a year are lost collectively between both sides of the RFP process, and let’s actually — I mean, I get it, a corporate procurement department has to go through it and this is the most efficient way for them to try to standardize, and cut it up, but you can’t standardize and cut up and you know, do apples to apples comparisons on these, when you get into sophisticated services. It’s just the RFP process is so, so deficient and such a time suck, that — anyways, that peeve of mine. So, I’m expecting an opinionated response to this question, and I’m hoping I get one actually… When we look at other security vendors and MSSPs that are in market and are coming about this and approaching the market as, you know, we’ve partnered with firewall vendor A, and we’ve partnered with SIM vendor B, and we’ve partnered with endpoint systems C and we’ve got threat intelligence D and they’ve gone through and are attaching to the labels of, this is the, you know, leading vendor in each one of these spaces and now we’re going to integrate the service chain for you and we’re going to manage the service chain for you and our value as your MSP is we’re going to be your SOC, and we’re going to do your managed security, and we’ve got best in breed across each one of these service chains, starting from, you know, I mean maybe it’s as basic as identity and access management, all the way up the stack, right? That is different from what you’re doing and how you’ve approached it, and why shouldn’t a customer go into an MSSP delivery in that matter? 

Roman: [52.33] That’s a good question and something we have to highlight often, because it is a key differentiator. So, if you as an MSSP provide someone else’s product to a customer and the customer has a problem, like… We know everyone has bugs, that just happens, but now you as a customer, you notice something is wrong with your technology stack. Now you go to your MSSP. Now the MSSP needs to be big enough to talk to their vendor, liek to the point product that they operate on, they need to be big enough to say, “Hey, can we please talk to product management, because there is something wrong here and it needs to be changed,” right? Compare that to Open Systems – we developed our own stack, and we operate our own stack so the developers — because we have a DevOps model, each and every engineer at Open Systems, including myself, we work fifteen to twenty percent of our time in operations. So, that also includes our CTO for example, it includes our developers, it includes all the customer success engineers and so on. If we see that something is not working, it is a direct feedback loop – we have the capability to change it instantly. It’s not — we don’t have to go somewhere else, wait for a patch, and then the MSSP has to deploy that path to all… I don’t know how many thousands of devices, and it takes too long. Open Systems, we have I think currently like eight thousand plus devices deployed worldwide… It takes me one line in my shell to patch all of them at the same time, right? And our people in development, they can – if there is a problem – they can fix it and we can roll it out instantly, right? There is no going back and forth between vendor MSSP and customer, but it is… It’s customer and we see yourself not as a vendor but as a strategic partner to the customer, because we have these capabilities.

Max: [54.34] You know, we haven’t touched on this at all – Open Systems is a Swiss based company, i started in Europe, you’ve expanded, you’ve been in the US for some time now, but you’re not really a known name here, the world’s not out yet, and you’ve some interesting customers. We don’t have to name them specifically if we’re not allowed to, but banks – you have banks as customers, you have big enterprises as customers, you’ve got the type of people as customers who are actually trying to protect something of significant monetary value, and you know, so banks right, they need to protect their assets, and that’s usually what people think about with security first, right? What am I protecting, is it valuable, somebody wants to get me because I have something of value instead of like, I have no risk vector because I have nothing of value. So, who — as companies are looking at a security vendor or trying to integrate these sorts of things and are looking down this path, what is it about you that has developed the relationships and the lineage with your customers that you have? What makes a good customer profile for Open Systems? I mean, what do you guys need to also be successful with your service delivery with a company?

Roman: [55.46] Yeah, I can agree. So, we are in a lot of different verticals, so we work for banks, a lot of NGOs, manufacturing is, I would say our biggest vertical, so it’s not really specific to an industry because everyone has an eed to connect users and applications in an efficient and secure manner, right? That’s not specific to one industry. Now, Open Systems’ ideal customer, and the sales people will probably say something different… I would say that it starts at a thousand users, it can also be smaller, we have smaller customers and it also makes sense, but I would say what I’m looking for is a thousand users plus, and the ideal customer is global, because that’s where we can really shine. It can be a US based customer only – you mentioned we’re from Switzerland and Switzerland is a very teeny, tiny country, so the United States as a country itself like big enough to profit from these services we can provide, but it’s a thousand users, ten locations for example, that’s where it kinds of stars. But, we have customers that have twenty thousand users and four hundred locations, that’s also the case. Or, we have customers that have just a few locations, but thirty thousand people sitting behind our infrastructure. So, we cannot pinpoint it to one industry or one type of… I would say it’s definitely not the mom and pop shop, it’s not the ten, twenty users, that’s not our area, we would be too expensive because it doesn’t scale, but the more users, the lower the price per user.

Max: [57.23] So really also probably within that, you’re talking about organizations that have had enough time and experience trying to integrate and manage these systems on their own, and have really come to the conclusion that they shouldn’t be in this business anymore, and need a partner to integrate and maintain these systems for them. I’ve noticed with a lot of – especially security at scale – it is, this is a complicated animal, there’s a lot of different platforms, it requires a lot of people. I mean, shift work is difficult, seven people for one desk in a 24/7 cycle, all of a sudden that’s a very heavy staffing schedule to follow, you said earlier people talking about building out and maintaining their own SOC or NOC infrastructure, you start looking at it and you start saying, “Okay, how many people do we need to have on shift,” well that’s a measure of how many devices or how many end users they’re supporting. Well, okay, if you need to have five people on shift and you need to have seven bodies for every one desk, you’ve got forty five people in your SOC that you have to go hire and train and staff and maintain, and… You know, deal with attrition, everything else. I mean, that’s a pretty complicated process to support. We’re not even talking about now actually integrating and responding or anything, we’re just talking about staffing.

Dave: [58.38] That’s right. No, you’re right Max, it does very much tend to be a build versus buy decision at the initial stage, and for all the reasons you’ve highlighted, more and more are landing on the, we need to buy it, not build it. Staffing is a huge issue, there’s a negative unemployment rate in cyber right now for security professionals, and I talk to CISOs that say that not only finding them but then keeping them interested, because as a security professional you’re looking at the same environment every day, that gets stale after a while, right, so you want to move on, and so staffing is a relay problem, and I think that most people are now recognizing this and more what I find myself spending my time doing is explaining how would the customer’s existing team work with the service? That’s where a lot of the interest lies. They sort of get that there’s too many alerts – to your point about 24/7 – we don’t have enough people to staff it, but there’s a lot of questions around how do we integrate with your service? Which is good, in the sense that they’re kind of along that path of recognizing that this isn’t my core job or responsibility, but how can I contribute, how would I interface with all this, and so that’s where the conversation tends to go these days.

Roman: [59.50] I guess we have one customer, the CIO, he said, “I have no business being in security,” and I think it’s the favorite quote of David Nudi, our Head of Channels here in the US, but “I have no business being in security,” was a statement, and it’s kind of like a perfect example of why we can provide value to our customers. Open Systems was exactly what he was looking for, because he does not have the resources, he doesn’t have — he doesn’t even want his people to do that daily operations stuff we do. Like, he doesn’t want his people to make sure that the policy sets are up to date, the patches and the signatures and all that stuff, it’s just cumbersome. We can do them for thousands of end devices for hundreds of our customers at the same time, but if you do have to do it — if you want to spend your resources, your valuable resources on patching and stuff… I did it myself back in the days when I was a systems engineer. It definitely wasn’t the best part of my job, when I had to check and install Microsoft updates, or patch the firewalls we had in place… That was not the funny part, I cannot add any value to the company. I can add value and I can talk about how should I structure my policies, what kind of processes do we have to define to, to act to specific incidents? So this is where an IT professional’s job gets interesting, and it’s not about patching and all that, right, the boring stuff I would say.

Max: [61.21] Absolutely. I mean that’s an interesting topic in itself, I mean the shift in IT and how IT adds value into organizations, I think is definitely maturing and it’s evolving, this thing that we’ve talked about for a long time. It started with — we started seeing it with a lot of these shifts into cloud and SaaS applications, SaaS delivered applications, and then how you support users and then of course companies and IT departments got compressed in terms of ratios, but I think that dialogue is finally getting to a point most organizations are looking at their IT staffs, of how do we have a strategic asset here which makes the business run more better, more efficient and gives us competitive advantage over other organizations, and not so much who is doing our patch management and who is doing our fleet deployment and who is doing this, and for me that’s really encouraging. I’m happy to see that and have that conversation more with people, because you know to your point, come on Microsoft SUS was wonderful, it made your life so much easier, you could just push a button and do everything — Come on, who wants to do patch management? Nobody wants to do patch management. You know, that’s the last thing you want to deal with. I agree with you completely on that. Dave, Roman – thank you very much for your time, it’s been a pleasure, I feel like we’ve just scratched the surface here and could probably do this another five or six times before we really get everything, but this was excellent, thank you.

Dave: [62.41] Thanks a lot, Max. 

Roman: [62:42] Thanks Max.

OUTRO: [62.45] Thanks for joining the Tech Deep Dive podcast. At Clarksys we believe tech should make your life better, searching Google is a waste of time, and the right vendor is often one you haven’t heard of before. We can help you buy the right tech for your business, visit us at Clarksys.com to schedule an intro call. 

Transform your business without wasting money.

We help you identify, audit and implement technology changes within your business to create leverage points to scale your company faster.