Behind the Scenes Episode 386: Managed Cloud Security with SolCyber

Welcome to the Episode 386, part of the continuing series called “Behind the Scenes of the NetApp Tech ONTAP Podcast.”

Security is one of the most important – and most complex – concepts to address when dealing with any aspect of IT. This becomes much more apparent in the cloud, which is why using a managed service makes a lot of sense, particularly for small to medium businesses that do not have the money or expertise to manage their own security.

Scott McCrady (scott@solcyber.com) of SolCyber joins us to discuss how SolCyber provides managed security for the cloud.

For more information:

Finding the Podcast

You can find this week’s episode here:

I’ve also resurrected the YouTube playlist. Now, YouTube has a new podcast feature that uses RSS. Trying it out…

You can find this week’s episode here in the RSS feed:

You can also find the Tech ONTAP Podcast on:

I also recently got asked how to leverage RSS for the podcast. You can do that here:

http://feeds.soundcloud.com/users/soundcloud:users:164421460/sounds.rss

Transcription

The following transcript was generated using Descript’s speech to text service and then further edited. As it is AI generated, YMMV.

Tech ONTAP Podcast Episode 386 – Managed Cloud Security with SolCyber
===

Justin Parisi: This week on the Tech ONTAP Podcast, we talk to Scott McCrady of SolCyber all about cloud security and how to manage it, without managing it.

Podcast Intro/Outro: [Intro]

Justin Parisi: Hello and welcome to the Tech ONTAP Podcast.

My name is Justin Parisi. I’m here in the basement of my house and with me today I have a special guest to talk to us all about cyber security in the cloud. Scott McCrady is here. So Scott, what do you do and how do we reach you?

Scott McCrady: Hey, Justin, thanks for having me on. Scott McCrady, it’s easy, SolCyber.com, S-O-L-C-Y-B-E-R.com, scott@SolCyber.com, and what do I do? I think my team asks that every day, but I try to keep us building stuff for customers to keep them secure. If hackers are trying to get in, we try to bop them on the head and kick them back out.

Justin Parisi: How often does that work when you bop them on the head?

Scott McCrady: We’re pretty good about getting them out. Yeah. We’re pretty good.

Justin Parisi: That’s good. Is it like a shark when you hit them on the nose?

Scott McCrady: Don’t swim away. We like to say everybody has incidents, but try to keep any incident from becoming a breach. Stuff happens, but you try to keep it minimal.

Justin Parisi: So let’s talk about an incident versus a breach. Give me the differentiation of those two things.

Scott McCrady: You know, it’s a great question because in the security space, what we as an industry like to do is just take all the terms that were clear at one point in time and munge them all together so that nobody actually understands what they are.

I don’t know why we do that, but it’s something that’s been that way for 20 years.

Justin Parisi: That’s how you create value.

Scott McCrady: Or obscure value but it keeps everyone guessing, that’s for sure. The really fundamental problem here is when, let’s say a nation state breaks into an organization and does really bad things, right? You tend to call somebody called an incident responder. Or you have an incident response retainer. And so there’s definitely a cultural use of the term incident around something really bad and horrible that’s happened. But, under ITIL or just sort of information technology terms, incident is just, you got to take care of something or do something. Let’s just say that I click on something I’m not supposed to and my machine gets infected. And I’m an employee inside of a 10,000 seat company. I get infected and maybe somebody else does too. So now there’s two of us. But with the tools and the services and the ability to detect that, maybe we’re doing the service for them.

We can see it pretty quickly. We contain it. We understand which process was corrupted. We roll back that process and away you go. So that is definitely not like rolling in the FBI in an incident response. You’re not calling your insurance company. You’re not getting lawyers involved.

And so there’s this gap between a breach and an incident that has become sort of confusing in the market. And so for better or for worse, we try to simplify to say, well, a breach is when you have to reach out to your insurance agency and get lawyers involved, probably have to do a notification. An incident could just be anything short of that. So no official terms, if you will, but that’s how we describe it. In our view, incidents happen literally all day, every day to companies all around the world. It’s okay. There’s a difference between catching a cold and going to the hospital, right?

If you catch the cold, we want to kick it as quickly as possible and never have to be in a place where you have to go to the hospital.

Justin Parisi: Yeah. Or another analogy is, maybe an incident is a knock at the door. Yes. Are you home? And breach is you kick the door down. You’re in. Yes. Okay. So SolCyber. Tell me about that, what it is and what you all do.

Scott McCrady: Yeah, so the industry has really been in a very consistent model for about 20 years. And the very short version of that model is, you get a CIO or CISO, they’re responsible for understanding everything that’s involved in the threat landscape and risk and organizational structures and all the tooling.

There’s 4,500 security products now. They have to understand all of that and how it all fits together. Then they have to go procure the tools that are needed to stop the bad actors. You’ve got to go hire the people. You have to deploy the tools, manage the tools. And once you have everything in place, you have to daily upgrade all that stuff.

And then traditionally, you’d send all that information over to an MSSP, Managed Security Service Provider. So 24 7, they take that data from all those different tools, look at it, and they’d ship alerts back to the customer. Customer would consume those alerts and try to figure out whether or not they needed to act on them. And when this all started, it was very logical because only the really big companies cared about this 24×7 high end analytics. And because of that, they had the people that could catch those alerts and do something with them. But as the security space has gotten more aggressive and more afield, if you’re a 2,000 seat company or 500 seat company, you’re getting targeted as well.

And this model just really fundamentally starts breaking really quickly because it’s hard to, essentially, run a security program with all the tools, processes, and people for these companies that are smaller than Fortune 100. It’s very difficult for them to do that. And there was no model to fill that gap.

And so what we do is a drop in security program as a service. And so if you think about it, you’ve got 2,000 employees or 8,000 or 500. And what you’re trying to do is secure your overall infrastructure and also upgrade your capabilities on a consistent basis. That model that I described is really challenging, so they can come to someone like us; you get all the tooling, it’s all hung together, it’s all the deployment, it’s all the management.

It’s all the correlation analytics, all the threat data, and then we do the response too. So when we see something bad, we’ll actually go in and fix it. And what it does is it alleviates the burden on the underlying company from saying, okay, I need an architect, I need an engineer, I need a security analyst, I need a response person.

I’ve got to have all these different, really expensive capabilities, and it’s hard to find one person that has maybe all of them. So you end up getting two or three people. And then they’re not being used all the time. Like how often are you doing incident response? Hopefully not that often, but it can happen multiple times a year.

And so that’s really what the main difference is at SolCyber: we’re not really a traditional MSSP. We offer that capability, but most of our customers use us for much broader sort of security programmatics and being able to offload that so that their people can do more of the customizable security. Every company has built unique products or services. And those products and services need security built into them. And so what most of our customers do is they up level all their security people and say, okay, how do we make our product that we’re selling to our customers more secure while SolCyber takes care of our internalized security?

Justin Parisi: So when you’re doing cybersecurity, why would you want to do something like a managed service versus rolling your own? What are some of the drawbacks and benefits of doing each?

Scott McCrady: At a super high level, without going into super granular detail, it’s really two or three fundamentally hard things to do.

The first one is in order to run a good security program, you actually need quite a few different skills. So you need the ability to choose the right tools. You need the ability to understand what’s happening in the threat, so that if the threat changes you now know to either update your tools or get new tools or enhance your tools.

So you have to have some level of strategy and tool selection. That’s one type of skill. We have another type of skill, which is operational process. Believe it or not, most of the breaches happen because operational process breaks down. A really simple one is phishing simulations and security awareness training or Active Directory or identity reviews, meaning is everybody that has access to your identity infrastructure actually still employees, right?

And these are just hygiene things that everybody has to do and they just don’t get done oftentimes because everybody gets too busy, they get pulled away to projects. So you have to have some ability to understand a concept of operations and implement that and do it consistently. Then you have to have somebody that’s an analyst that can look at all the data coming off all these tools.

You have to have a fourth skill, which is managing all that stuff, and each of the tools is very different. And then you have to have the fifth skill, which is when something goes bump in the night and something’s really bad, can they dig in, do the forensics, and understand what’s actually happening in real time, and then act in a way that gets the bad actors out.

So, there’s more than that, but if you just think those are five really in demand skills that are not easy to find. And rarely do you get one person that has all five of them, and if you do, they’re very expensive, as you can imagine. And then secondly, you have to do that 24×7. So the reason why organizations outsource to someone like us is they don’t want to take the time and energy anymore to try to get those five skills consistently.

They also don’t want to spend the money to get those five skills in a 24×7, 365 manner. And so what they’re doing is they’re saying, well, I have two or three people. And so I’m going to use my two or three people more strategically, and I’m not going to have them spending time like managing infrastructure or running phishing simulations, security awareness campaigns, or when an incident happens, using somebody like SolCyber who does it literally every day versus they may have a person that has never really handled an incident, and never really engaged with an adversary in order to stop them from doing the things they’re doing.

Justin Parisi: So basically cost effectiveness, time savings, and expertise. That’s really what SolCyber offers here, because if you do this all the time, and this is something that anyone can relate to, if you’re doing something all the time and you’re the expert at it, then that’s who you should talk to.

Like if you want to install a 240 volt outlet into your house, call an electrician.

Scott McCrady: You know, it’s such a good analogy because as soon as you start saying that, I was like, man, I have tried to tackle some household upgrades that I managed to get done, but upon finishing it, I know that the second time I did it, it would probably take one fourth the time. And the third time I did it, it’d probably take even less time. Like putting in a hardwood floor or installing, as you said, a 240 volt, but there’s actual danger on the second one. If you’re not doing it all day, every day, it’s just difficult to do and be an expert at it.

Justin Parisi: Yeah. I use that example because I tried that and then it wasn’t working. I was like, why isn’t it working? And I called an electrician in and he basically was like, who did this? What idiot did this? It was me. This is why I called you. I didn’t want to burn my house down. So my rule of thumb is basically, if it’s something that won’t burn the house down, I’ll try it.

But most of the time…

Scott McCrady: It’s just, I know I can do it, but it’s going to take so long and be so disruptive that it’s just not worth it.

Justin Parisi: For me, that’s painting. I hate painting. Yeah, like painting a room. It’s like, man, this thing takes so long. It’s just so much easier to have somebody come in and paint my room for me.

Scott McCrady: Mine is hardwood floors. The first time I did them myself and then I did not realize just how much edging had to be done and how all cuts need to be really accurate. So, yeah. The second time I outsourced that.

Justin Parisi: One time I installed a new microwave and I had to saw a different size into the slot and I could do that.

Oh, yeah, I could saw that. That’s fine. It doesn’t even occur to me that sawing creates all this sawdust in your kitchen. And I’m like, Oh man, there’s a lot of sawdust here. I mean, it got done. It’s fine. But it’s like, man, I got to clean up all the sawdust. And somebody who has expertise, it’s like, Oh, well, let’s put down some stuff to catch the sawdust.

’Cause I’ve done this before. Oh, let me make sure I wear a protective covering on my face because sawdust. So yeah.

Scott McCrady: It’s funny because the first time of hardwood floors, it takes weeks and months. If you’re just doing it on the weekend and what have you. Or after hours.

The next time I had it done, they came in on a Monday and they were done by Thursday. The entire house was completely cleaned and put back together. Inside of four days. And I was like, that’s just way better.

Justin Parisi: Yeah. They cover things in plastic and they’ve got a system and a process and they’ve done this. They’ve got experts. So rely on that.

And it’s not just the time, right? You could do real damage to your materials, to your house. So yeah, there’s a lot of reasons why you go with a managed service over doing it yourself because cybersecurity is one of those things, like a 240 volt outlet that you don’t want to screw up.

Scott McCrady: Just this past year we probably had close to a dozen customers that we talked to and we were like, listen, your security is just not good enough. And then we said it nicer than that. And they were breached after we had the conversations, so there’s a lot of companies out there and we get it.

It’s just not something that you want to deal with. It’s like dealing with insurance. Do you really want to buy health insurance, probably not, but you know you need to. And I think cyber is a lot like that in today’s world, as, as people know they need it, but they’re not sure if they have enough or not enough.

They may think they have enough. And they’re dealing with lots of other demands on their time and on their budgets. And to your point, we would really prefer for companies to get ahead of the problem than trying to come in and help them afterwards when there’s a big mess.

Justin Parisi: Yeah, and there’s no guarantee you’re going to be able to fix the big mess after it’s made because, you know, maybe there’s ransomware involved and that data is no longer available because it’s locked and you can’t get it back.

Scott McCrady: That’s right.

Justin Parisi: So when you’re dealing with these customers, I would imagine that the biggest hurdle is trying to help them understand the ROI on these things.

There’s a cost associated with a managed service. And we see this with cloud offerings, like our volumes as a service that we do. Upfront, that seems like a lot of money, but then when you start to think about the savings of time, the savings of data center management, the savings of staff, you start to realize those costs. As the experts, like the hardwood floor guys have their system, do you have your system that, hey, this is how we save you money in the long run?

Scott McCrady: You know, we do. The biggest problem with security is we call it a back end cost versus a front end cost. A front end cost is like Salesforce.com. You’ve got to have something to manage your sales team and a spreadsheet’s not usually good enough. And so what are you going to use? If you’ve used a system that increases the productivity of your sales team and you can track it, then it’s much easier to make the case for the sale. With security we have all the data and we have all the numbers, right? So we know that if you’re fewer than 10,000 employees, you’ve got a one in two and a half chance of being breached every year. Those breaches, on average, are in the millions of dollars worth of costs. And so, every year that you don’t have sufficient security is rolling the dice.

The challenge is that it’s a back end cost. So of course, organizations just generally don’t want to spend the money. And then two, how much security do you need is a really big debate. And so if you think about any of the major breaches last year, not any, but a significant number of them, they were all identity based breaches and process based breaches. So we’ve got a lot of companies that are like, well, I’ve got an EDR, an endpoint detection capability. And it’s one of the better ones. It’s one of the ones that we would use actually. And we’re like, great.

That solves about 30 to 40 percent of your surface target area right now, down from like 60 to 70% a couple of years ago, because the bad actors are recognizing, well, those tools work really well. We’ll just figure out a different way. And we’re going to try to get a hold of Scott McCrady’s username and password.

And it’s relatively easy to steal an MFA session these days. And we’re just going to log in as Scott. And then once we’re in, then we can do pretty much whatever we want to do. It takes about 78 minutes, plus or minus, to get breakout on average. So to get from my identity and machine over to a different location, it’s about 78 minutes. The biggest challenge we do have is trying to articulate to customers the risks that they have, because obviously everybody has something. But there’s a really big difference between some sort of mid tier tooling and a top tier security program, if that makes any sense.

Justin Parisi: Yeah, that makes sense. So when you’re dealing with security on-prem versus in the cloud, what are some of the key differences that you’re finding when you’re trying to manage that side of things?

Scott McCrady: There’s really sort of a fundamentally different way that people view the two, if you were to take super high level viewpoints. Again, let’s go with our mythical 2000 seat company, and they’ve got a big cloud infrastructure that their SaaS based products, which they serve out to their customers, sit upon. When you think about internal IT, you really think about it in two ways, which is external threat actors, and insider threat. So, can a bad actor get into my organization? And two, is there a malicious insider that’s going to do something nefarious? There’s a lot of different things that need to be in place to be able to detect and try to mitigate the damage from those two things.

When you get into cloud, for the most part, organizations aren’t really thinking about breaches in the same way as far as like a threat actor is going to get in there. They’re thinking more like posture management. Now, what you are starting to see is, like the intrusion detection systems that used to sit on networks, you’re seeing a lot more of that being developed and built for cloud based services. So you’re seeing that from the API connectivity. You’re seeing that from different types of instantiations in the cloud, talking to other locations. So you’re starting to see more can we detect threats inside of cloud networking, essentially?

But for most of our customers, and again, we’re not dealing with the Fortune 100 for the most part, they’re more worried about the classic: did we leave an S3 bucket open? Did we engender permissions that shouldn’t be available to certain types of resources?

Do we have visibility into our admins? So if you think insider threat, but in the cloud, our admins, are they too empowered across all of our cloud instantiations, or do we have that segmented down? So, there’s a lot more concern amongst our customers around the permissions and who has access to the underlying components of the cloud infrastructure.

And I don’t know if you see something similar, but that’s definitely where most of our customers heads are at.

Justin Parisi: Yeah, one of the key differences also, well, I wouldn’t even say it’s a difference, but it’s actually a similarity if you think about it. So, you’re responsible for your security on-prem, and that’s a given.

When you go to the cloud, you’re sold these managed services. Hey, we will fully manage it for you, you can use this as a service model. It’ll be great. But it doesn’t always come across clear that as a service only pertains to the application and it doesn’t always pertain to the security.

That’s still the responsibility of you. So now you’re dealing with an on-prem mentality in the cloud and sometimes people aren’t even aware of it. They don’t realize it. Oh man, I have to manage this. Right. We saw, I guess it was a breach a couple of years ago in Amazon and somebody got a hold of a key and deleted a code base.

Right. Oops. But that kind of goes along with that idea that it’s buyer beware almost in those situations.

Scott McCrady: Mm hmm. That makes sense.

Justin Parisi: So what does SolCyber offer? Do you offer an on prem edition and a cloud edition, or do you just deal with cloud only?

Scott McCrady: We do both. So, the way to think about it for SolCyber is we have a concept called the Security Program as a Service. That is for the securing of the organization. So think of it as internal security, essentially, because it doesn’t really matter if you’re a 300 person SaaS company or a 5,000 person manufacturing company.

When it comes to securing the organization itself, everybody needs essentially the same stuff. So there’s a consistency around those pieces. We then allow for the customization, we call it extended services, of cloud security, because the reason for that is, as you can imagine, the manufacturing company may have zero or very limited need for cloud security, relative to the SaaS based company that may need lots of cloud security.

And so for extended offerings, we use the same model, is we use best in class tooling, and then we take that best in class tooling, we deploy it, manage it on behalf of the customer, and then we integrate it into the security stack essentially that we’ve rolled out for them for internal security. We don’t really sell cloud security by itself but it’s something that can be added on to the overall security posture of a company when and where they need it.

Justin Parisi: One aspect of cybersecurity that you deal with is the intrusion and the breaches and handling those situations. But there’s another side of security that I guess maybe, I wouldn’t say it gets overlooked, but people don’t think of it as security and that’d be the data protection aspect. Your backups, your replication.

Does SolCyber deal with that side of things where you need to deal with recovery or is it strictly securing the environment, making sure there aren’t impactful breaches?

Scott McCrady: Yeah, it’s a great question. It’s a classic CYA. So the availability aspect of, is the data still there and is it backed up? We don’t do a lot of that and there’s a simple reason. We partner with a lot of MSPs, Managed Service Providers. So MSPs, traditionally, that’s very in their wheelhouse. That’s something as a service or a capability they’ve had for a very long time. And so it’s a very natural partnership for us to do the heavy, high end security operations components, because for most of the MSPs, it’s a little bit dangerous for them to be offering high end security, if they’re not good at it, because if they offer it and then their customer gets breached, then there’s a problem. Whereas they’ve traditionally been in the backup and recovery space for a long time. In fact, a lot of the MSPs got started at 30 person mom and pop shops that are like, Hey, first thing we need to do is get backup set up.

I remember helping a buddy of mine – this is 20 years ago. He just started his own MSP and I helped him with a couple of customers to get all their backups set up. Traditionally that availability piece, we do rely on our partners to do and we’ll bring them in. So we have partners that we bring in, we give deals to, and obviously they’ll bring us in on security components. We do have the capability, but we’ll just say, yeah, we can help you with that, but we’ll bring in this partner who’s an expert at that and they’ll help you get that all done.

Justin Parisi: So it’s basically a tag team effort, right? You’re there to help secure the backups, but they’re there to actually help set them up and get the right strategy going.

Scott McCrady: Bingo. Also, most of the time, the MSPs have arms and legs physically on-prem. And so, immutable backups and all that jazz, there’s a lot of different ways you can do that, but a lot of times customers like to actually have a person show up at their office, and so that way we actually have arms and legs that we can work with, with the MSPs for if the customer needs somebody on prem.

Justin Parisi: So one topic that gets brought up a lot these days is the advent of AI within multiple areas, whether it’s art and music or, data analysis, and in some cases, cyber security. And some of that’s being used by your nefarious actors that are trying to get into your systems. AI is going to be a useful tool for that, but conversely, it’ll also be a useful tool for the other side, protection.

So, how involved is SolCyber in the AI aspect of this?

Scott McCrady: Yeah, I mean, we’re pretty involved because if you think of layers of AI, right? Machine learning, LLMs, and all this stuff. The whole premise of the original MSSPs, the ones that were supporting the big companies, was essentially machine learning algorithms that were built to basically take data across a lot of different security tooling and across the different data sets that those would generate and send to us and correlate those to be able to have confidence that you could tell that a bad actor was breaking into an organization.

So that concept around machine learning and what have you has been core to the large data set analytics that have been going on for 20 years. I think what you’re going to see when it comes to AI, in relation to security specifically going forward is I think you’re going to have two aspects, which is the bad guys are going to use AI to generate the ability to break into organizations much more quickly.

And to be able to, once they’re in, to get breakout much faster. And so if you think of this 78 minute breakout time frame, why isn’t that seven to eight minutes in a year? I struggle to believe it’s not going to be much, much, much faster. So once somebody’s in, can they get to where they want to go more quickly? Two, it’s going to impact patch management processes. As we all know, that’s a painful process for most organizations. It’s very consistent and sort of set. And I think you’re going to see AI being used to build toehold tools and capabilities in a way that aligns to the gaps in the patch management process. If you think about it, a three day or a two day threat is in some ways more dangerous than a one day, because everyone’s got their patch management process based on the information they had a day ago. So you can fit into this gap. So I think you’re gonna see some of that.

On the defensive side, what you’re going to see is obviously AI against the data that we’re all seeing. So you’re gonna have the ability to do better user behavioral analysis. Better correlation. And I think another really big piece is AI is going to be very effective at pulling the data and the analytics from lots of different analysts and be able to apply that data and put it at the fingertips of another analyst relatively quickly. So, if you’ve got your best in class analyst, that’s like, this is exactly how this zero day firewall threat happened, and these are all the different locations I went to. And this is all the data and language I pulled together to walk through this incident and how it happened. That is a perfect use of AI to be able to synthesize all that and put it at the tooling of another analyst so that when an analyst sees something they can almost click a button that says, run pattern match against the last seven super malicious attacks.

And have it pop up and say, yeah, it looks like this is really similar to what we saw a month ago.

Justin Parisi: And do those give confidence rates, like, 90 percent confidence or 75 percent confidence, that sort of thing?

Scott McCrady: Most of the tooling we use now does have something like that. When it comes to the AI components over the top of them, I would assume those are going to get significantly more accurate and specific going forward.

Justin Parisi: Yeah, you see this in healthcare with radiology images, right? They’re going to use AI machine learning to identify cancerous growths or other things.

And they’re going to give you a confidence level. And basically it’s a way to get you started in the right direction rather than giving you the answer right away.

Scott McCrady: Yeah. And we have that right now. So let’s just take impossible travel, right? Impossible travel, for your listeners, is: Scott logged in in Dallas and then 30 minutes later, he logged in from Orlando, Florida. Or Canada or something or anywhere. Now most of the time that’s a VPN or something, but if you see impossible travel, that may be a 50/50, right? Half the time it’s bad, half the time it’s actually less than that. It’s probably 15 percent is actually something. But as soon as you get another hit and another hit, right?

So now you see them go into locations they’ve never been to before. Now they’re sending out traceroutes and pings that they’ve never done. That confidence level goes up. The confidence scoring in alerting on malicious activity is already inside of what we do, but to your overall point, I think what you’re going to see is more complex attacks with AI being able to look at those complex attacks and the tendencies across the network and endpoint data and come back with this is a 98.7% probability, and I would assume they’re even going to be able to do groups, right? Attribution and things like that. The TTPs are exactly what we saw from APT28 three weeks ago. Consequently, we think this is 98.5 percent accurate and it’s most likely the same group.

Justin Parisi: Yeah. And that’s crucial because you’re getting faster time to resolution. And that’s the most important part when you’re dealing with a breach because the faster you get them out of your system, the less impact.

Scott McCrady: That’s right.

Justin Parisi: The bopping on the head or the nose, so to speak. So how do you bop someone on the head or nose?

Like what’s, what does the bopping entail?

Scott McCrady: So obviously we don’t do offensive capabilities. We hand that stuff off when applicable to the government. When we say bop them on the head, we basically mean get them out of the network. There’s a variety of ways, depending on how they’re quote unquote in the network. Sometimes it’s really traditional malicious code on a machine and that’s tied back to a process or something in memory. So you take the appropriate steps. You can either roll back the process, you can quarantine the machine and wipe it. I mean, there’s a variety of things you can do to get that out of there.

When it comes to identity, we catch a lot of stuff, believe it or not, in advanced email capabilities. So you can actually tell that the email that was written from Scott McCrady’s email address is just structured in a way that Scott’s never structured an email before.

And so we can reset username, password, MFA. Kick them out through those means. Obviously you’ll do hunting to see if there’s any other infections. So it really depends on the type of incident and penetration that’s happened and the current thing that they’re doing in order to support it. Sometimes you get droppers and they’ll talk back to command and control, but they haven’t actually deployed anything yet. They haven’t deployed any malicious code. And so it depends on where they are in the stages, where they are in the MITRE ATT&CK framework, if you will. And part of the reason why people use us is, because of that, our analysts will actually do what needs to be done to get them out of there, or they’ll talk to the customer and say, Hey, by the way, we don’t have access to your Azure Active Directory. Can you reset the username, password, et cetera, et cetera.

So we work with the customers to either fix it for them on their behalf or have them do the things needed if we don’t have access to the underlying systems.

Justin Parisi: A lot of companies are actually building this type of technology into their products. And for example, NetApp, allow me to pitch. So we have the storage operating system ONTAP and we have something called automated ransomware detection.

So essentially it does what you’re talking about where we detect anomalies and data patterns, right? So a bunch of atime or mtimes get modified, you’re like, Oh, that might be something weird. And then we take a snapshot automatically and send a notification so that the end user can say, Oh man, I gotta take a look at this because there might be something going on here.

And the snapshot’s there, of course, to try to restore in case there is actually a problem. So have you dealt with a lot of vendors that have that kind of capability built into their native architecture, or are you finding that vendors aren’t necessarily doing this enough yet.

Scott McCrady: Man, that’s a good question, Justin.

So NetApp, when you think of where you all sit, you think of big data and all the needs around big data. That’s such a great feature, right? You send a notification, there’s some sort of logging, alerting that’s going on there.

And it’s a capability. Now, what’s the percentage of customers that actually turn that on and enable it, right? I don’t know, maybe it comes turned on by default. If so, that’s really useful, and then is somebody looking at all that? So when it happens, does somebody actually see that this is an alert, that they’re supposed to go do something and double check it, right? And the reason why I say it that way is, we see more and more tools that have capabilities like that. But remember what I was talking about earlier, do you have the people and do you have the processes to actually consume or run the program in a consistent manner? And so, what you just described there is a perfect capability that gets limited by the programmatic and the people if they’re not following the process of saying, where does the alert go?

And when the alert happens, what’s the timeframe for someone in the company to pick that alert up and go double check and see if something bad actually happened, right? Let’s just say it was sent to me and then I left the company. So, so now it just gets dropped on the floor.

Justin Parisi: Or I was the one who did it.

Scott McCrady: Yeah. That’s the whole point is we see a lot of amazing capabilities in the tools. What we see the gaps consistently are in the hanging the program together in a way that allows for companies to be secure. And so to your point, why do people use us?

Well, we don’t manage NetApps, right? By using us, instead of somebody looking at their endpoint data or their endpoint logs and not being able to make hide nor hair of them, you could make sure that the NetApp notifications were actually consumed by somebody, or there’s a very high chance we could probably actually take them and consume them ourselves.

And then that way we would let them know and we would harangue them until somebody picked up the phone. And so that’s really why companies work with somebody like SolCyber is there’s so many things like what you just described there that are so helpful, like really, truly helpful and can literally save a company’s rear and oftentimes the information coming from these tools and the capabilities isn’t getting handled in the correct manner and it just gets dropped on the floor.

Justin Parisi: Back in my days of doing sysadmin work, I remember we had alerting set up and I think we were a little too aggressive with alerting.

Yes. So, you get pinged at 3 a.m. with a bunch of texts and they’re almost always false positives. Yep. You ignore them because it’s 3 a.m. I just want to sleep.

Scott McCrady: Well, and there’s a reason why these stories like The Boy Who Cried Wolf. How long ago was that written? It goes to the psychology of humans. I mean, that’s why it’s such a great, never ending, long lasting story is I was a sysadmin at one point in time. And we did the same thing. And after a while, what do you do? You just stop looking at all the alerts. Because you can’t consume them all.

And that, again, is sort of why companies struggle sometimes with their security posture.

Justin Parisi: It’s really mundane work. I mean, let’s just be honest. It is stuff that no one wants to do. And this is why we’re seeing so much automation around the space, because it’s important, but mundane.

Scott McCrady: I have a phrase that I say, you want to see my customers eyes glaze over and roll back to their head?

Let me start talking about a concept of operations, and you will see people be very uninterested very quickly. Mm hmm. But, unfortunately, it’s one of those things that you have to do, and you have to actually do it well. And, we keep telling them, we can tell. You know your security posture and your program’s bad.

We know your security program’s bad. Bad actors know your security program’s bad. Let’s just fix your security program. It’s mundane stuff. So spend a few extra bucks, offload that mundane stuff to a group that does it well and does it consistently.

And get on to doing more interesting things.

Justin Parisi: It’s the painting. It’s the hardwood floors. That’s right. Right. It is work that may not necessarily be fun to you, but it’s fun to somebody.

Scott McCrady: That’s right. The challenges that we see across our customers because it doesn’t really matter the infrastructure or the underlying thing you’re trying to do. Customers are still struggling with the same problems, which is how to operationalize this all in a consistent manner.

Justin Parisi: Yeah. And that’s the story, regardless of whether it’s security or anything else in this world. If you’re not an expert at something, don’t be too proud. That’s right. Alright, cool. Well, Scott, if you wanted to find more information about SolCyber, where would we do that?

Scott McCrady: S-O-L-C-Y-B-E-R, SolCyber.com and come say hi, drop us a note Scott@SolCyber. I respond to, I think, every email I get, so feel free to say hi.

Justin Parisi: All right. Excellent. Well, Scott, thanks so much for joining us today and talking to us about SolCyber and cloud security and weirdly enough, home improvement.

Scott McCrady: Thanks, Justin. Appreciate it.

Justin Parisi: All right. That music tells me it’s time to go. If you’d like to get in touch with us, send us an email to podcast at NetApp.com or send us a tweet @NetApp. As always, if you’d like to subscribe, find us on iTunes, Spotify, Google Play, iHeartRadio, SoundCloud, Stitcher, or via techontappodcast.com. If you liked the show today, leave us a review. On behalf of the entire Tech ONTAP Podcast team, I’d like to thank Scott McCrady for joining us today. As always, thanks for listening.

Podcast Intro/Outro: [outro]
