Transcript

The Value of R Webinar


Jay Ryerse

Good morning, afternoon, maybe even evening for some of you listening in today. My name is Jay Ryerse. I’m here from SentinelOne to talk about the value of R. I’m with a friend and partner of ours, Zack Hoffman. Before we get into introductions and why you should listen to us, I want to kind of dive right into the content, be a little different than your traditional webinars you guys might be listening in on. But let me just say up front that we are recording this. We’ve got a team on standby that are there answering questions in the chat and the Q&A section. So if you’ve got questions, they can help answer them. And with that, let’s begin. So we’re talking about the value of R. In cybersecurity, we love our acronyms. They’re everywhere. But when we think about EDR, MDR, XDR, I immediately have that oh my feeling from The Wizard of Oz, like there’s just too many acronyms and too many Rs. And the value of R is not always what we think it is. Here at SentinelOne, we actually think about R not as an EDR or MDR, but really as a TDR, right? It’s threat detection and response. And we’ve leaned on our partner community to help deliver that capability, leveraging SentinelOne technology. But threat detection and response by itself is designed to provide organizations with real-time monitoring and automated responses to cyber threats. And really just thinking beyond the endpoint, right? Because at the end of the day, that’s what matters. So who am I? I’m Jay Ryerse. I lead our global MSSP partner team. I’ve been in this community for a very long time. And my team works with our global partners, and really a small number of them, including CyberMax. I’m joined today by Zack Hoffman. Zack, welcome.

Zack Hoffman

Thanks. It’s great to be here, Jay. A little bit about myself before we dive into some more slides and fun throughout the webinar. I’ve been in the cybersecurity space for a little over a decade now. Spent a lot of time at SecureWorks. I’ve pretty much touched every role you could imagine in a SOC: threat hunting, security analysis, customer service, management. And I found my way to CyberMax about two years ago now. And I lead the professional services arm here. So I’m responsible for detection engineering, threat research, security control management, as well as any pen testing engagements or social engineering engagements that we do provide for our customers. So that’s a little bit about me. I’ll hand it back over to Jay to keep going.

Jay Ryerse

You’re hands-on in everything cybersecurity is what I just heard you say, if I simplify it down to the normal user conversations, right?

Zack Hoffman

I am a man of many hats. I’ve touched pretty much everything, and I keep getting my hands dirty. Just yesterday, I was in a SIEM.

Jay Ryerse

There you go. Appreciate that. Well, look, let’s have some fun here today, right? So I’ve got to ask, in the audience, you guys are welcome to jump in and answer on the chat or the Q&A if you want, but what do you call a group of math and science geeks at a party? Anybody? No, what do they call them? All right, social engineers, of course. All right, all right, so enough of the corny stuff. Let’s dive into what we’re seeing in the world of cybersecurity and what’s happening, and of course, we like to call it the threat landscape, but I’m going to kind of modify it just slightly. I’m not going to get too technical yet in the conversation, but let’s talk about the challenges that I think IT departments, businesses all around the world are facing when it comes to cybersecurity. And first off, there’s too many tools. At the end of the day, the number of tools that a business might need to support their environment to keep it secure could push somewhere in the high 20s to low 30s. It’s impossible to manage. It’s just not practical from that perspective. Now, the good news is technology will help solve a lot of challenges we have, but the reality is that there’s not enough people to go around to help take on and face the challenges that we’ve got. There’s a number out there, which I’ve talked about over the years, and that is China alone has half a million people dedicated to, well, threat actors, to focus on and hack into Western civilization businesses. Your business, my business, other businesses. And that’s just one that’s known, right? It’s all the ones that we don’t know about that also create the pain. And so having the right people to defend against that is pretty tough, which is ultimately why it’s true, and literal, that cybersecurity is a team sport, right? It makes sense. And lastly, digital transformation. For a while, that was a go-to-market theme, right? 
But today, it’s AI and the impact of AI and technologies, even quantum computing in the environment, that are really going to drive change in how we think about and drive cybersecurity. Now, if I dive into AI for just a moment, it’s not a straight-line curve, right? But if you think about human performance over time, we get incrementally better as we learn more and we adapt to new environments, new technologies, new capabilities. But computers have reached a point now where they’re moving and thinking faster than humans ever can. And I really believe that we’re right at this gap right now, this transition from human-led to technology-led, but human-supported environments that we’re going to need to think about. Of course, when you apply that into the world of endpoint security, advanced endpoint security, EDR, MDR, TDR, XDR, whatever the conversation is, kind of look at how things have moved and migrated over time, right? We went from signature-based technologies to lots of humans behind keyboards, trying to keep things secure, requiring lots of updates daily, to where we are today with SentinelOne and our ability to help drive an autonomous SOC leveraging technology. So that’s about it as far as my pitch and where we’re going to go there. What I really want to do is kind of think about the value of R. And that’s really why we’re here, right, Zack, is to talk about what that means. And so I’m going to put out this formula, because when I was thinking about this webinar, I actually put into Gemini, Google Gemini, used AI to tell me what the value of R was, and it brought forward the Pearson coefficient calculation. When I looked at this I was like, yeah, I was a math major, and I forget how to do most of those things, other than my order of operations. So I can probably figure out some of it, but it’s a massive formula and it’s not realistic. It’s not really what we’re here to talk about today. Zack, when you think about R, I mean, what is it to you? 
And I’ll cheat with some slides and advance here. We’ll kind of talk through this. So what is R if you’re a business leader?

Zack Hoffman

Yeah, for us, I think it makes up a lot of the different things that you have on the slide there. So the biggest one that we focus on is response. And then I would say secondarily, we focus on responsibility and risk. We really want to try to prevent needing to get to that recovery step and all those different Rs that you have on there. Definitely still an important part in the equation, so to speak, but we really focus on the response portion of it. And I’ll get into it a little bit later about what that big R or response functionality means to us as a provider.

Jay Ryerse

Yeah, and you know, if your provider and your team is doing the right things, the reward is not monetary, right? It’s the fact that you don’t fall victim. You don’t always look at it that way because it was like, well, it didn’t happen to me. I’ve never seen a cyber attack before. Well, you probably did and just didn’t know it was a cyber attack, right? Whether it was a phishing attack or an attempted phishing attack, an account takeover, you know, all the way into some of the biggest name brands that have been compromised over the years.

Zack Hoffman

It’s kind of like an insurance type thing, right? Like you want somebody continually monitoring it. You’re paying for the service to kind of prevent, hopefully, the need to ever actually experience an incident. Or if you do, you’ve got somebody there to kind of support you in your corner type of thing.

Jay Ryerse

Yeah, I mean, it goes back to that team sport conversation, right? None of us can solve it ourselves. We’re going to have to do this together. But if you’re thinking about R, and you’re a business leader, looking at risk, who’s responsible? Like, who’s going to get blamed if your company gets compromised? If you didn’t at least dig in to understand cybersecurity to a business level, are you at fault? In most cases, business leaders are the ones that suffer the most. And of course, response and recovery are important, and that’s my reward. But there’s a fascinating bit of information out here, there’s a slide out there. Oops, hold on, I just lost my, there you go, there’s the button. There’s this concept out there that originated back in, I think, the 2011 timeframe from a leader at Cisco, who talked about the cybersecurity poverty line. And I bring this up because the concept is where organizations lack the financial resources to implement robust security solutions, leaving them vulnerable to cyber threats. The reality is an Exxon of the world has far more resources to help protect their intellectual property and their business than most small and medium-sized businesses, even small enterprises, right? But the reality is there is a minimum acceptable level of coverage, regardless of where you are in your business journey, that you need to consider. And it’s not one of those things that you should be doing yourself, right? It requires partners to figure these things out, because I’ve never met a business leader that runs a manufacturing plant or a production facility, or an accountant, that also has a degree in cybersecurity. And so leveraging the experts to help you raise your bar of understanding will make your decision process, when you’re thinking about finding partners and assessing the risk, make more sense. And that’s kind of what Zack talked about, what he does day in, day out, right? Sometimes he’s in the trenches fighting fires. 
Other times he’s out there playing the fire marshal, trying to prevent forest fires from happening. And I don’t know, Zack, do you have any thoughts on that?

Zack Hoffman

Yeah, a lot of it comes down to risk reduction, right? Like you said, a lot of these business leaders don’t necessarily have the background. They don’t know what they’re looking for in terms of their cybersecurity hygiene or posture and stuff like that. So it’s really helpful to be able to turn to a partner to kind of give you some consultation as well as give you some suggestions on steps you could take to kind of tighten your gaps and stuff like that. The one thing I do want to call out that you mentioned there is kind of, you know, everybody needs cybersecurity. And one of the things that we do really well is kind of meet customers where they need. We always start with the first thing we want deployed is EDR, SentinelOne. We want that deployed first. We want to be the closest to the end users. That allows us to get the best visibility in their network. Obviously, we need additional visibility through network devices and stuff like that, but starting at the endpoint, meeting the organization where they’re at in their security journey, I think is extremely beneficial, not just to the organization, but also to us to be along with them on that journey.

Jay Ryerse

Yeah, it makes so much sense. I mean, the insurance companies, the IR firms, I know you guys do IR as well, but the insurance companies now, many of which are starting to even offer discounts if you’ve got SentinelOne deployed, right? So you’re talking to your insurance companies, talking to your partners like CyberMax, makes all the sense in the world. So enough about me on this conversation. So I got to ask you, Zack, why CyberMax? And why now? Why does this matter?

Zack Hoffman

Yeah. So I mean, it matters a lot for a bunch of different reasons. I mean, let’s look at the supply chain attack that happened, for example, earlier this week, I think it was the npm one, I may be butchering that. There’s a lot of information. It was the issues with the code libraries, right? Like a non-security researcher got phished successfully. So that type of stuff is getting better. If it’s fooling people that do security day in and day out, how susceptible is somebody that doesn’t do security day in and day out? So a little bit about why CyberMax. I’ve kind of mentioned the big R earlier in the presentation. Here it is, kind of one of the main things that we focus on. Now, what that R means to us means very much similar things to what SentinelOne did, or what you mentioned earlier, Jay. Risk, response, responsibility, and recovery. We focus on the response portion of that the most, obviously. We kind of start with that within our SOC. We’ll focus on right to left rather than left to right. So we’ll get the case or the alert, in this case, from whatever telemetry we’re ingesting from a customer, SIEM, EDR. We’ll take the necessary response actions right away as soon as we’ve done some additional triage on the alert. But then we’ll go back and figure out why or how that alert came to generate. Was there a breach? Did somebody click a phishing link? Did they get MFA fatigue? Kind of what led to that case being generated, or we’ll do the full end-to-end analysis. Kind of with that, too, we always like to say we have a threat response team built into our SOCs. So those are skilled individuals that have incident response experience, initial triage, threat hunting. We see that all within our SOC, which is kind of a little different than some of the traditional MSSP or MDR providers. That helps us reduce the time from detection to containment or eradication of the threat. So it allows us to get this stuff quicker, with less passing between different teams. 
As you mentioned, Jay, we have our own IR as well. One thing I will call out there that’s important to note, since you mentioned insurance providers. One of the first questions we get into with customers is, who’s your insurance provider? Do you have approved IR vendors? The last thing we want to do is start doing incident response work for a customer and potentially void their cyber insurance warranties. So it is a question that we often ask our customers, and it’s one that we want to make sure that we’re getting to. So all of our SOC analysts are well aware of that. So they’ll do some of the initial triage, and sometimes we can’t go further. And the different IR firm needs to pick that up, and we’re willing to pass that over to them. And our SOC will work directly with that IR provider to assist them in their investigations. Do you want to say anything, Jay? Or you want me to just keep going?

Jay Ryerse

Well, I was going to say, first off, it’s fascinating. Two, I know that you guys get heavily involved in helping other IR firms, right? So you guys become an extension of teams when you need that. But the fact that you guys will not only send an alert, right? One of the R values I hear from businesses all the time as well is, yeah, they send us a report of the problem. And then it’s up to the IT team at that company or the MSP at that company to do the work and figure it out. But what I heard that’s different about CyberMax, and what I’ve always liked about you guys, is that you take responsibility for determining what the problem was, and where you have the ability to control or to take control, you guys do that on behalf of your clients. And that’s different than most.

Zack Hoffman

Yeah. I mean, there’s scenarios where we’ll get a case for an endpoint-based alert from SentinelOne. We’ll take the action to isolate the host, but sometimes we’ll take it a step further. We’ll go investigate, and sometimes it resolves with us locking out that user via their M365, for example. If that account’s compromised, we want to make sure we don’t prevent it from logging into other hosts, from sending spam emails or phishing emails. So we’ll take it a step further and take the full response action for the full response lifecycle that we need to mitigate that threat for that customer.

Jay Ryerse

Yeah, and I think that that’s very important. So we’ve been talking about the value of Rs, and you’ve been talking to me about the little R and big R. Can you explain that to us?

Zack Hoffman

Yeah, so we’ll go on to the next slide here. Little R is exactly what you were just mentioning, Jay. It’s the MSSP in the equation, right? The alert and notify. So they’ll do some initial triage on the alert or the case, in this case, and then they’ll send it over to the organization that they’re supporting, right? That helps the organization, but it’s not the end all be all. They’re not actually mitigating the threat. They’re not resolving it on behalf of the customer. We’re taking responsibility, or response actions. To us, that’s the big differentiator. We’ll take those additional actions for the customer on their behalf, and we can spin up IR quickly if needed. We can support an additional IR firm if that’s needed. So that’s kind of like the big differentiator for us. And then we’ll also do proactive actions on top of that. I’ll kind of get into some of the other examples, or another example, in the slide, but one that I did want to touch on here. We’ll often take suspicions or additional information that’s provided to us by one of our customers or clients or an ISAC, for example, and we’ll take that and we’ll run with it for our entire client base. A recent example, we had Chime and a healthcare ISAC reach out to us about an actual physical threat against hospitals here in the US. We took that and turned that into, okay, what’s your security posture like? Are there IOCs from the organization making the threat? Do they have TTPs or tradecraft that they follow? Do we have detections for that? And we took it even a step further and sent out an advisory, took that healthcare advisory and sent it out to all of our healthcare customers. Didn’t matter if they’re a large hospital or a small practice, but taking those proactive steps is kind of what the big R means to us. We’re not just playing the defense. We’re also playing, you know, how much information can we send out there? What can we make you aware of? Can we be proactive about it?

Jay Ryerse

Yeah, you know, and it’s interesting because you tie that into, you know, cybersecurity is 24 by 7, right?

Zack Hoffman

Yep.

Jay Ryerse

And you guys are running a 24 by 7 team. You’ve got a follow-the-sun model. I know you’ve said that in the past. But the reality is that most businesses don’t have 24 by 7 IT teams. And I think that’s the connector of why your willingness to take action to contain matters a lot, because an alert that goes to an IT department at two o’clock in the morning, they don’t look at their emails or their tickets until 6, 7, 8 o’clock the next day, or that same day, later that morning. It’s too late.

Zack Hoffman

Yeah, and in my experience, and I’m sure in yours as well, a lot of the threat actors know that too. So if they’re an overseas or a local threat actor, they’re going to take advantage of that time difference and try to abuse that, right? What can I get away with while I know the IT team’s sleeping? So that’s what MDR providers are there for, or the tools as well. SentinelOne does a great job of kind of blocking and preemptively taking some of these actions on our behalf as well.

Jay Ryerse

Makes sense. So you’ve got an example success story, right?

Zack Hoffman

I do. So there was the healthcare one, and then the next one we have is actually about a single IP address that we kind of used to help secure a couple different clients. In this case, analysts got presented with a case that was normally benign activity. Everybody deals with false positives. We’re no exception. There’s no way you work in a SOC and you don’t get false positives. It’s just a matter of time. So this one looked like we thought it was a false positive, but something irked the analyst. They actually went and queried that IP across multiple clients, and we saw a couple different hits there. The one that was the most concerning was a successful authentication to an Outlook mobile, or Outlook on a mobile phone. And then they were like, well, that’s anomalous. We don’t usually see that from that user at that time in that geolocation. What were they doing? Turns out they had deleted some emails that came in while they had an out-of-office message set up. So what did the analyst do? They locked down that account, kind of took it to the customer, let them know. And then we took that IP and we searched across all the clients to see if we had seen any other suspicious activity across that. So really having the cross-client data, I like to call it the net effect, right? The more clients we have, the larger the data set, the more we can query out against and kind of make additional pattern matches and stuff like that. It improves our detection capability as well as the posture of our customers as a whole.

Jay Ryerse

Yeah, that makes sense. So again, I kind of go back to, you know, why CyberMax?

Zack Hoffman

Yeah. So the big differentiators that we have are both the proactive security steps that we take, as well as the threat response team within the SOC. One of the other proactive steps that we take is called CTEM, Continuous Threat Exposure Management. Very big buzzword in the industry right now. I’m sure most of you have heard it. Acronyms. Exactly, yeah. We’re in no shortage of acronyms in our industry at all. I think all the places I’ve worked, we actually maintain a dictionary of all the different acronyms because nobody can keep up with them. But I mean, along with the visibility, we also do CTEM, or this continuous threat exposure management, which equates to daily external vulnerability scanning of your assets or your external attack surface. We’re looking for well-known vulnerabilities as well as the newest CVEs that come up. So the analogy we always like to kind of give with CTEM is your network’s your house. We want to make sure all your doors and windows are locked, right? Those external assets are usually the entry points outside of traditional phishing and stuff like that. But those are the most likely to be exploited successfully. So if you’ve got a vulnerability, we want to make sure you’re aware of it. It also feeds back into our SOC, right? We’ll take a look at what vulnerability scan results are coming in. So if we get an alert for SQL injection, for example, all right, well, does that server run SQL? Is it worth waking somebody up potentially in the middle of the night if the server doesn’t run SQL? Probably not, right? But we’ll also take that a step further and do stuff like dark web monitoring of your external attack surface, domain squatting, botnet activity, a bunch of different stuff like that. So we’re really trying to provide a proactive security net or measure for your organization as a whole. We’re tech-enabled. Obviously, we’re a partner with SentinelOne. We’re partnered with some other vendors as well. 
But we really serve as an extension of your team. Each customer gets a dedicated CSM that works with them and meets with them regularly. The SOC’s 24/7, 365. We’ve got incident response, threat response straight in the SOC. So really, we kind of differentiate ourselves by focusing on those different Rs that you mentioned earlier in the conversation, Jay. Risk, responsibility, response, and recovery.

Jay Ryerse

Yeah, it really doesn’t matter. If you get those right, then the reward is you get to do your job and not focus on what a bad day looks like from cybersecurity. Because I’ve been there. You’ve seen them, and you still see them day in, day out. The impact on businesses, on business leaders after a cyber attack, you can’t describe the emotions that they go through, like the five stages of grief. There’s way more than five during a cyber attack, and it’s tough. And it’s one of those things that we don’t talk about enough, and I’m not trying to scare people, but the reality is you need partners that have the expertise, the knowledge, the experience of both defending and responding, to take care of a business. And so, with that, Zack, I know you’ve got some content here too, if anybody has any questions, wants to reach out to you guys to learn more about what you’re doing.

Zack Hoffman

Yeah. I’ll just, I’ll jump in too with a couple of other things. One of the ways that I typically tell customers to help mitigate some of those cyber scaries is tabletop exercises, right? Actually testing your existing policies and process and what your team would do in one of those situations becomes invaluable. The more you practice it, the better prepared you are for one of those things that happen. It’s inevitable. Your company is going to have some kind of cyber event, whether or not it is bad or it’s all handled or contained, it’s going to happen. I don’t think anybody is inescapable for cyber events these days. And the last one is, we kind of talked about not trying to scare anybody or anything like that, but we’re getting closer to Halloween. So one of the things that CyberMax does is we do Tales of the SOC. So you just go to talesofthesock.com. We’ve got a bunch of different success stories from the SOC where cyber attacks were stopped, stuff like that. It just kind of leans into that Tales of the Crypt vibe, if you will.

Jay Ryerse

Yeah, I love that. And tabletop exercises are fantastic. I’ve got one that I do in a one-to-many environment, where I make it a really safe space because we don’t dive into what your company is going to do. We talk about what’s happened in the past. It’s unbelievable the things that actually happen to businesses that no one ever hears about. You hear about it if a Target falls victim because their HVAC vendor got popped. But the reality is, these things just don’t happen the way that we think they’re going to happen. So let me just ask a couple of other kind of random questions. Where do you say, where do you see AI coming into your team’s work? And what do you guys offer to your clients?

Zack Hoffman

Yeah, so I see AI potentially impacting a couple different areas. We were just talking about tabletop, so I’ll stick to that. There’s a lot of different interesting solutions, I think, coming out there in the tabletop space. So I would love to see us, and I’m taking responsibility for trying to get it utilized more, but using AI to play a reporter or to role-play different scenarios within a tabletop, I think can be incredibly helpful. So that’s one. The next one, which is what creates all the buzz and stuff like that, is using AI within the SOC. I think that there’s a lot of different ways to use AI in the SOC. I don’t think it’s ever going to replace SOC analysts only. I just, I don’t think that it’s going to get to that level. But what it does do is provide a pretty good initial correlation and investigation into stuff, allows the SOC analyst to skill up and get additional skills and spend time doing threat hunting and stuff like that. And then it’ll help provide the additional correlation data. For example, threat hunting, a lot of times we’ve had to write pretty lengthy queries to hunt for specific TTPs or known malicious activity, we can kind of reduce the time it takes to build that query using AI. We can say, hey, write it in SentinelOne’s Deep Visibility language or their XDR language. And it’ll help condense that. Now, it’s not going to be perfect every time, you’ll make edits and stuff like that. But I’m sure you can attest as well, Jay, one of the pain points has always been the different languages that all the different products use. So Deep Visibility, and then Microsoft’s got KQL. Well, how do I take one query and kind of convert it to all these different languages needed to query multiple different tools and stuff like that? So that’s really where I see AI coming in, is to kind of reduce the time it takes to investigate an incident, helping do queries, and then, you know, additionally like tabletop or different role-playing type scenarios.

Jay Ryerse

What about yourself? So we’ve got some extra time here. I know people are probably listening in, you know, interested in this. I’ve got a text document on my phone that came to me from a partner several years ago. But this keeps happening. It happened to be an extortion attack. So there’s no ransom. There’s nothing else other than two text files opened up on one user’s machine on a desktop. One was a file tree of all the files that they said they had exfiltrated or stolen. And the other one was this note. I’m going to read it to you, and I’m curious how you’d respond or what advice you’d provide, because business owners don’t believe this thing’s happened, but this is real life, really from the threat actor. I’m going to polish the English a little bit, because it’s hard to read sometimes. Hold on. It reads like a Nigerian prince, but it says: Your network has been breached. Welcome, this is the Karakurt team. Internal documents and files were stolen. Please read this so you can contact us. OK, you’re reading this, so it means that we have your attention. Here’s the deal. We breached your internal network and took control over all your systems. We analyzed and located each piece of more or less important files while spending weeks inside your network. We exfiltrated, stole, anything we wanted. The total size of taken data exceeds 350 gigabytes. By the way, this happened to be an accounting firm, and they took accounting client records, tax records. You can see the full tree in the other file that popped up. You can choose any two files from the file tree, and we will provide them to you in confirmation that we have them. Also, if necessary, we can return your files back after payment. Now, their files weren’t gone. Their team was working as if nothing happened, but this is the message. Frequently asked questions. I love this. First one, who the hell are you? And the response was, pretty skilled hackers, I guess. Why are you doing this? 
Our motivation is purely financial. And they were only asking for 50 grand, by the way. We’re going to report this to law enforcement. Well, you surely can, but be ready that they will confiscate most of your IT infrastructure. And even if you will later change your mind and decide to pay, they will not let you. By the way, that’s not true, guys. So don’t believe that’s the case. They will not confiscate your stuff, but they will look at everything with you to understand what occurred. Who else knows about this breach? Me, you, and nobody else for now. What if I tell you that I do not care, I’m going to ignore this incident? That’s a very bad choice. If you will not contact us in a timely manner, we will start notifying your employees, clients, partners, subcontractors, and any other persons that should know how you treat your own corporate secrets and theirs. And what if I don’t contact you even after that? Then we shall move forward and start contacting your business competitors, a list of anonymous inside traders we deal with, to find out if they’re going to pay us for your data. Once the list of the people who are interested in such data is formed, the closed online auction starts. No one will buy what you took. Well, I do not believe you. Well, if the auction fails, we will just leak everything online, making sure that this leak goes straight to the press. We will make sure that your business will bleed by using any power we have in our possession, both social and technical, because they’re purely financially motivated. So what happens if I do pay? Nothing bad will happen. We will remove everything we took from your network and leave you be. We will provide the confirmation that the data is deleted. And are you ready for this, Zack? We will help you to close the technical vulnerabilities you have and provide some insight on how to avoid such incidents if some other perpetrator is interested in you. We will never tell anybody about it. 
It goes on there to show how to contact them. I won’t obviously repeat that. But I mean, this is real life stuff that businesses don’t ever talk about.

Zack Hoffman

Yeah, so what’s interesting is that was probably from a couple of years ago, right? We see the ransomware gangs of today, the ransomware-as-a-service gangs, follow almost that exact same playbook. So they will offer pen test reports. They’ll try to help you close the vulnerabilities. All that type of stuff for an additional fee. So I mean, my first recommendation in that scenario is always going to be to reach out to your cyber insurance provider, right? The last thing you want to do is screw that up. They’ll help cover any liability, any expenses. And oftentimes, those insurance providers also have negotiators. There’s a whole job out there where your job is to negotiate with these threat actor groups.

Jay Ryerse

Yeah.

Zack Hoffman

So once you’ve done that, then it’s, how do they get in? Do they actually take the data? All of that is not overly quiet. You can, if you’re looking at firewall throughput, the endpoints that the files are hosted on, you’ll see some kind of activity with that. It’s very, unless you’re dealing with the NSA or a nation state specifically, they’re going to leave fingerprints all over the place. So you’ll be able to figure out and kind of build that timeline to figure out whether or not they actually have what they have. And then it becomes a business discussion, right? Are you willing to pay that? Do you want to pay that? Do you have to? Do you need those files? There’s a lot that goes in that, you know, CyberMax can’t necessarily make that decision. We can provide advice on stuff. But that really comes down to a business decision at that point in working with your insurance provider.

Jay Ryerse

Yeah, my advice has always been call your attorney first. Then contact the insurance provider, and they’ll provide all the rest of the resources you might need, including IR. But in this case, just for people that are listening that want to know the outcome, the business owner refused to be held hostage, refused to pay, even though both his attorney and the insurance company suggested that he do pay, and they were prepared to negotiate and make the payment on their behalf. He refused. Six weeks later, all their data and the entire information got released publicly.

Zack Hoffman

Interesting.

Jay Ryerse

And they probably filed bankruptcy 90 days later.

Zack Hoffman

So what’s interesting, you start seeing rules or regulations now around that too. I think in the EU, they’ve banned paying of ransoms as well for ransomware engagements.

Jay Ryerse

Yeah, and here in the States, there’s actually only a small number of companies that are actually authorized to make those payments. And they have to determine attribution of who the attacker is, their history of paying, and then are approved to actually make payments. Even though others say they can do it, there’s only a very small number that follow the OFAC guidelines. And so make sure that you’re working with those kinds of teams. And again, partners, SentinelOne does not do that, but we have partners that do. All they do is negotiate counter-extortion or ransom payments.

Zack Hoffman

And you can’t, those aren’t easy to do either, because you’ve got to convert it to Bitcoin or some other crypto. In some cases, that takes time to clear. So you’ve got to negotiate that timeline with the threat actor in a lot of cases. My biggest concern with all those, too, is, even if they give you a report and try to help you close the vulnerabilities, what are the odds that they’re going to live up to their word and only exploit you once or extort you once? We’re starting to see, you know, re-extortions. Was it United? I think it was UnitedHealthcare that got breached, they paid the ransom, and then they got ransomed again. Same organization was still in there, was able to re-ransom and get a secondary extortion out.

Jay Ryerse

Yeah, when we don’t have quality IR partners involved, what happens is the IT teams that are very smart have a tendency to restore from backups. All they did is restore the threat actor back into the environment, because they didn’t find that national problem. So anyway, all right, so enough that we’ve done a rabbit hole. It wasn’t planned, I’m sorry guys, but I thought that was a good conversation. It was very appropriate for where we were. So let me ask you one last question as we kind of wrap up. So one of the things that I think is important is about operationalizing 24×7. 24×7 is not easy. It takes a lot of people and takes tools and technology and training, and just tell me how CyberMax approaches that topic.

Zack Hoffman

So we kind of mentioned the follow-the-sun model earlier, but we have a team of analysts. We have a large team of analysts in the US, and then we have smaller teams over in Ireland as well as the APAC regions. And we kind of follow the sun. So we have handoffs in between each team, or not team, shift. And then we also have a 24/7, 365 on-call model where there’s additional components and resources available in an ONCOM model. But all of those teams, whether they’re in Ireland, APAC, the US, get the same level of training on each of the platforms that we support, the incident response capabilities, what capabilities we have, what questions to ask customers, how to do that investigation. So we have a pretty big training and budget planning and stuff like that we do. Each year, we make sure people get to go out to some security conferences. We also have our own internal security research arm that will do the research into new exploits, vulnerabilities, replicate them, build POCs, and then we’ll host our own internal training sessions as well, regardless of region, and kind of record those and make sure that everybody is starting from the same place, whether they’re in one geographical location or the next. So we really try hard and put a lot of effort into operationalizing that 24/7 follow-the-sun model.

Jay Ryerse

I mean, this is why businesses don’t run their own security teams. They would have a CISO or somebody on staff that becomes the liaison to help communicate and keep things internal. But you need teams like that who are invested in their own growth as well as what it takes to protect their customers. So I really appreciate that.

Zack Hoffman

And it takes a lot of time, too, to find the right individuals. We go through hundreds of applicants, almost for every analyst role we have open. We’ve got a recruiter. We spend a lot of time screening them. It takes a lot of time and effort to find the right candidates who are also passionate about cybersecurity and have kind of a base level of knowledge that we can expand upon.

Jay Ryerse

That’s awesome. So Zack, thank you so much for your time. I’m going to put back up on the screen how to get a hold of Zack and his team. Do you guys have questions with that? Any last words of wisdom?

Zack Hoffman

No. We’re here to protect you guys on your worst day, and hopefully we’re there for your best days just as much. And I want to thank SentinelOne for being such a great partner. You guys have always been there for us, and we work very closely with SentinelOne.

Jay Ryerse

Yeah, we appreciate that. So Zack, thank you to the CyberMax team for helping us and joining us today. And to everybody else, look, stay safe, stay healthy, and of course, stay secure. Signing off from SentinelOne.

Zack Hoffman

Thanks, everybody.