#99 Precog Cyber Attack Path with XM Cyber


on Mon Aug 08 2022 17:00:00 GMT-0700 (Pacific Daylight Time)

with Darren W Pulsipher, Paul Giorgi

Intel’s Darren Pulsipher, Chief Solutions Architect, and Paul Giorgi, Director of Sales Engineering, XM Cyber, discuss how XM Cyber technology can help organizations uncover attack paths and reduce risk.


Keywords

#aiml #cybersecurity #xmcyber #technology #process



Paul has worked in security since the late nineties, getting his start on projects for the Department of Homeland Security and the Department of Defense. In 2005, he joined Fishnet Security as a sales engineer and has stayed in sales engineering since. He joined XM Cyber to concentrate on breach and attack simulation.

Rather than traditional cybersecurity, which is detection, remediation, and prevention, XM Cyber is predictive. A good description is that it is a precog simulation. XM Cyber creates imaginative incidents to give you insight into how your tools might be able to address them and how you could work to remediate specific chokepoints. The idea is to do all of this before pen testing. You can fix things today, see the impact tomorrow, and then continually increase and improve your security.

Google Maps is a good analogy for how XM Cyber works. When you want to get from one place to the next, Google Maps shows you all the ways to get there: which avoids tolls, which is the most direct, and so on. XM Cyber does the same thing, but with an attack simulation. For example, suppose an attacker has compromised an Active Directory user account. XM Cyber will show the six steps needed to get from that account to an on-prem domain controller and compromise that critical asset, along with all the different routes between those two points.

One use case is enabling a red team to be super-efficient with this information, because they don't have to poke around and try to make discoveries. It also helps the blue team prioritize remediations on chokepoints. For example, if there are 400 attack paths going to different areas in your DMZ, but all 400 have to leverage one entity to make that path happen, fixing that one problem destroys all 400 paths. Blue teams can lock down the chokepoints that would otherwise enable an attacker.

One area that XM Cyber analyzes is identity management, not just in the data center but also in the cloud. Sometimes an attack path is ten steps long, but nine of those steps are navigating the identity world. For example, you might have permissions to an admin account, and that admin account might have additional permissions of its own. Six or seven steps of adjusting group memberships and permissions, resetting passwords, or deploying GPOs can chain together, so that in nine steps a standard user account reaches domain admin purely by leveraging Active Directory.
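The chokepoint idea and the identity-hop chains described above can be made concrete with a small graph search. This is an added illustration, not XM Cyber's code: the environment, entity names and relationship labels are all constructed, and the point is only to show that enumerating paths from a breach point to a critical asset and counting which entity most paths share is what lets a blue team pick the one fix that removes many paths at once.

```python
"""Attack-path enumeration and chokepoint ranking over a toy entity graph.

Added example for illustration only: this is not XM Cyber's code, and the
environment below is constructed. Nodes are entities (users, groups, GPOs,
hosts, a storage bucket); each directed edge is a relationship that lets an
attacker who controls the source entity reach the target entity.
"""
from collections import Counter

# Constructed environment: source entity -> {target entity: relationship}.
# The relationship labels are descriptive only (no real permission model).
EDGES = {
    "user:alice":        {"user:helpdesk1": "ResetPassword"},
    "user:helpdesk1":    {"group:GPO-Editors": "AddMember",
                          "user:svc-backup": "ResetPassword"},
    "group:GPO-Editors": {"gpo:Workstations": "WriteGPO"},
    "gpo:Workstations":  {"host:ws-admin01": "AppliesTo"},
    "user:svc-backup":   {"host:ws-admin01": "LocalAdmin",
                          "bucket:backups": "ReadObject"},
    "host:ws-admin01":   {"user:da-bob": "CachedCredentials"},
    "user:da-bob":       {"host:dc01": "DomainAdmin"},
    "bucket:backups":    {"host:dc01": "ContainsDCBackup"},
    "host:dc01":         {},
}


def attack_paths(edges, start, target, max_steps=12):
    """Return every simple path (no repeated entity) from start to target."""
    found = []

    def walk(node, path):
        if node == target:
            found.append(list(path))
            return
        if len(path) > max_steps:          # bound the search on large graphs
            return
        for nxt in edges.get(node, {}):
            if nxt not in path:            # simple paths only
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(start, [start])
    return found


def chokepoints(paths):
    """Rank intermediate entities by how many of the given paths use them.

    Returns [(entity, path_count), ...] sorted by count, highest first; the
    breach point and the critical asset themselves are excluded.
    """
    counts = Counter(node for p in paths for node in p[1:-1])
    return counts.most_common()


def remediate(edges, entity):
    """Model fixing an entity by cutting every edge into and out of it."""
    return {src: {dst: rel for dst, rel in nbrs.items() if dst != entity}
            for src, nbrs in edges.items() if src != entity}


def render(path, edges):
    """Format one path as 'a --rel--> b --rel--> c'."""
    parts = [path[0]]
    for a, b in zip(path, path[1:]):
        parts.append(f"--{edges[a][b]}--> {b}")
    return " ".join(parts)


def paths_killed_by(edges, start, target, entity):
    """How many start->target paths disappear if `entity` is remediated."""
    before = len(attack_paths(edges, start, target))
    after = len(attack_paths(remediate(edges, entity), start, target))
    return before - after


if __name__ == "__main__":
    start, target = "user:alice", "host:dc01"
    paths = attack_paths(EDGES, start, target)
    print(f"{len(paths)} attack paths from {start} to {target}:")
    for p in paths:
        print("  " + render(p, EDGES))
    print("chokepoints (entity, paths through it):", chokepoints(paths))
    top, _ = chokepoints(paths)[0]
    print(f"remediating {top} removes "
          f"{paths_killed_by(EDGES, start, target, top)} paths")
```

In the constructed graph three paths lead from the standard user to the domain controller, and all three pass through one helpdesk account, so fixing that single entity removes every path, whereas fixing the admin workstation removes only two.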

In addition to identity, XM Cyber looks at over a hundred entity types, such as machines, S3 buckets, and SSH keys. These different entities can be combined to create an attack path, and sometimes the result is very complex. For example, an attack could start on-prem, go out to Azure, take advantage of Intune, and then come back to compromise another machine that allows a pivot over to GCP. Once attackers are in the GCP environment, they can take advantage of a trust or permission between AWS and GCP to compromise AWS. XM Cyber looks at all the different types of entities across disparate environments and connects them to assess how each entity contributes to the risk of every other.

There are two ways XM Cyber engages with customers. The first is high-level discovery: assess the environment, expose its vulnerabilities, and measure how an attacker could operationalize newly disclosed vulnerabilities to put critical assets at risk. The second is a targeted assessment of a specific scenario the customer is worried about. These engagements are not just static analysis of entities; they are dynamic, because they also look at traffic and other patterns.

A typical targeted use case is determining whether OT is the critical asset or the breach point. XM Cyber plays out scenarios such as: if a machine in HR is the breach point, is there any risk to a PLC sitting in the SCADA environment controlling pressure switches that could turn off the electricity for a city municipality? That is an actual use case XM Cyber can simulate, and this information is critical in a world where OT is no longer isolated but connected to networks.

XM Cyber is a SaaS solution rather than on-prem, so it can stay dynamic and deliver the best service. It can be scary to think that something in the cloud holds all your attack techniques. Still, XM Cyber does a lot of work to ensure that data is completely isolated and SOC 2 compliant, among other certifications, and there is no multi-tenancy. They also do not collect anything sensitive: sensitive information is hashed, and only a portion of the hash is sent to the cloud, so they never need the actual data.

Once XM Cyber has found the problematic pathways, it can also help you remediate them through customer success managers, who hold weekly or biweekly meetings whose goal is to take the data coming out of the platform and help you act on it. XM Cyber also has partners, such as managed service providers, who bolt the attack simulations onto their own platforms to gain insight that improves the services they offer.

XM Cyber recently acquired Cyber Observer, which focuses on security controls and protection, so that factors such as encryption can be handled more directly. Cyber Observer has API integrations into different cloud environments and into other security controls, both cloud and on-prem. It can assess whether a file exfiltrated in an XM Cyber simulation was encrypted, which lowers the concern, and it can point out, for example, three security controls that would have made that exfiltration harder. With the insight of Cyber Observer, something that looked like an easy attack can be shown to be more complex because of encryption; an attack might still be technically possible, but there is an EDR solution to bypass.

For more information about XM Cyber, go to http://xmcyber.com.

Podcast Transcript


Hello, this is Darren Pulsipher, chief solution architect of public sector at Intel.

And welcome to Embracing Digital Transformation, where we investigate effective change, leveraging people, process and technology.

On today's episode, Precog Cyber Attack Paths with Paul Giorgi from XM Cyber.

Hey, Paul, welcome to the show.

Thanks, Darren.

Hey, Paul Giorgi is our director of sales at XM Cyber.

When I first heard about XM Cyber, I was like, I don't quite understand. And then you guys coached me and taught me and I was like, this is cool stuff.

Yeah.

So before we get into what you guys do, tell me a little bit about yourself, your background, and how you ended up at XM Cyber.

Yeah, so I've been in security since the late nineties, started doing a lot of DHS and DoD projects.

That was where I got my start.

That's a great place to learn and have kind of an unlimited budget to just do whatever.

I wanted to kind of secure the perimeter.

And I started there.

Ended up coming over and joining a company called Fishnet Security, doing sales engineering.

And that was back in 2005.

And then I fell in love with sales engineering.

If you would have asked the one who was managing the firewalls, that Paul who was managing the firewalls back then, if I'd ever get into anything sales related, I'd be like disgusted by the idea.

But I love sales engineering.

And so I really fell in love with it at Fishnet.

And then my career has been kind of tied within sales engineering.

I've worked at a few different places.

I participated as a co-founder of a cybersecurity company called Device Security.

I worked at exhibitions.

I love logs.

One thing I've always played around with is breach and attack simulation.

I think that that's an emerging space.

The last few years that I fell in love with, and XM Cyber falls within that category.

And so when I was looking for the next kind of adventure, I was like, I want to do breach and attack simulation.

And then I surveyed and I really fell in love with what XM Cyber was doing and their unique take.

And so that's how I ended up here.

Okay.

First of all, as you know what breach...

You know, simulation and attack simulation, you're dealing with black hat, white hat type of things going on here, right?

Yeah. Is that what it is?

Yeah.

There's categories of breach and attack simulation, like you can automate pen test.

So if you want every single day to run a test in your environment, that is a category of breach and attack simulation.

And then there's what we call security control validations, where if you're using CrowdStrike or SentinelOne or Microsoft Defender or Silence or whatever the EDR tool is, and you want to make sure that your solution's blocking specific type of variants, you can launch things that look and simulate those type of behaviors to see, is my policy protecting me?

Or if it is protecting me, are my playbooks working the way I anticipate them?

So there is definite value in those type of use cases.

We don't really address either one of those kind of to the extent that our competitors do.

We do what's called attack path management.

And attack path management is just holistically assessing your environment and giving you insight into how an attacker might leverage entities in your environment to laterally move and compromise critical assets.

Okay.

So this is different than what we hear traditionally about cyber, right?

Yeah, traditionally, it's detection, remediation, prevention.

You know, those are the typical things. You guys are doing, like, predictive.

How can they get in?

If they do get in, where can they go type of thing.

So you're like, oh, what's the right word?

It's like, it's not like going to the doctor, it's going to the gym.

Kind of, yeah.

I see it like a precog sim, or it's...

A great precog, now.

Now we got Minority Report going on.

I feel like that's been a good description where it's like we're not correlating a whole bunch of things that are happening.

We're correlating a lot of stuff that could have, could have, stringing them together, an imaginative incident, giving you insight into how your tools might be able to address it, how you could work to address remediations on specific chokepoints, and then if you think about an organization who learns a lot from a test, like back when I was doing the DoD projects, I was working at an Air Force base.

Every quarter we would have a pen test and they would always get us and it would just be so frustrating that we'd spent so much time fixing stuff.

But my favorite time was we would get around a conference table and they would all share around, hey, we did this, we did this, and then immediately I would respond and address all of the things that they were doing to fix it.

And there was so much we learned during those incidences.

So that's what we're trying to do.

But on a regular basis and something where you can fix things today, see the impact of them tomorrow and then continually increase and improve your security.

So this can happen well before pen testing then, right?

Yeah, that's the idea really.

There was one customer.

So, so he says, well, so here's a question then.

Yeah, right.

Could, could you have your red team use your stuff to find their way around the blue team and then go to town?

Right. Yeah.

So we actually have that use case deployed.

And so your tool can be very dangerous.

Yeah.

I mean, if you think about what we're doing, I use it in the wrong hands, right, Paul?

Yeah, exactly.

Like Google Maps, for example, is a good analogy where it's like, hey, I want to get from one place to the next place.

Here's my starting point, here's my ending point.

Google Maps will tell you these are all the ways to get there.

We do that same thing.

But from an attack simulation, we're saying, hey, if you've compromised this Azure Active Directory user account, these are the six steps that you can take in this order to be able to get to like an on premise domain controller and compromise that critical asset.

So just like Google Maps will say this is the route that we recommend you take.

This is the one that avoids tolls.

This one's the most scenic route.

We do that same thing. We'll tell you.

These are the six ways to get from this point to this point.

And you think about how that would help a red teamer.

It makes them super efficient.

They don't have to waste time poking around and trying to do discovery.

They say, this is where I'm at.

I want to get over here, except tell me how to get there.

And so, yeah, you're right, it is kind of scary being able to show all of that data in one specific view.

Well, yeah, you're going to enable the red team by... you can also give it to the blue team too.

So that's, I guess that's the next question, right?

You guys run all these predictive attack path analyses, and so what do I do?

You give me all that information.

What do I do with it?

Yeah.

So there's this fascinating perspective. From a blue team perspective.

You can now prioritize your remediations.

If we are showing you the entities that are allowing an attacker to most commonly compromise your critical assets, you want to focus your remediations on those.

So we call them choke points, and think about a choke point as, if I have 400 attack paths, all going to different areas in my DMZ, but all 400 seem to have to leverage this one entity to make that attack path happen.

I just fix that one problem on that one entity.

I've really destroyed 400 attack paths.

So from a blue teamer, it allows you to prioritize your efforts at making sure that you've locked down these choke points that could enable an attacker.

We know that if an attacker is able to get something like a domain admin account or get onto a machine like a domain controller, there's a lot of stuff that they can wreak havoc on.

They basically own the environment at that point, but in most environments there are accounts or entities that are riskier than your domain admin accounts, and without having any insight, you don't know what those are.

But I'll tell you, there's a lot of, like, a developer account who has rights from a federated identity in Google and Azure.

And from that one account, you're able to get access to all these things.

And that's more powerful than a domain admin account.

Or think about an Intune admin or just a regular domain user who has rights to use the Intune admin service.

They could push software to any Azure Active Directory admin machines or Azure Active Directory domain machines and push software.

So that one account is even more dangerous than to make them an admin, because it sits above another layer but then has the ability to replicate down.

So it's an interesting perspective to now start seeing what other accounts even today introduce more risk than a domain admin account.

All right.

So I got to back you up a little bit because my listeners' heads are spinning now.

Right.

So I want to kind of break this down a little bit.

You're talking about attack paths, and then you were talking about user accounts.

So yeah, obviously in your past stuff, there's more than just user accounts.

There's more than just what's connected to what and what firewalls are.

So how would you break down?

I mean, let's break it down a little bit.

Yeah, I've got identity management as one of the things.

So that's one of the things that you guys leverage is, hey, who is who in the zoo?

Yeah, not just in my data center, but it also sounds like in the cloud.

Yeah.

So you guys can handle multi-cloud access management, and/or you're analyzing the access.

You're not doing the access management.

You're analyzing it, correct? Yeah. Is that okay?

So that's the identity side.

So if I, this is going to be, if I have multiple identities, is there any way for you to track that?

I am using multiple identities or not.

Is that just outside of the realm?

So we wouldn't, I mean, we don't care who owns what, but if you've ever used a tool called BloodHound, they are doing the same thing that we're doing.

We actually have the same exact features, but kind of at a much larger level, where if you have access to a specific Active Directory user, we understand that this Active Directory user can reset the password for another one.

And now this user account has the ability to now add a GPO, and then from that GPO, we can then do this.

So sometimes attack paths will be ten steps long, but nine steps...

So I'll just be navigating the identity world, and it's all just due to, you might have permissions to your admin account and then that admin account might have additional permissions.

So if you do six or seven steps adjusting groups and adjusting just different permissions or resetting passwords and deploying GPOs, you could kind of take nine steps to go from standard Darren, or Darren's user account, to then get to the point where you're at domain admin just by leveraging Active Directory. Wow.

Most people don't even know that that's an attack stuff.

And it gets even more, right.

I mean, I've got identities. Yeah.

Yeah.

I can imagine because, you know, cloud identities, even though they try and sync them up between.

Yeah, they're unique identities, right.

They're not, you know, they're unique.

Okay.

So identity is one path that you guys follow on attacks.

What's another path that you guys follow?

Because it just can't just be identities, right?

You're doing but not. Yeah.

And so I like to use the term entities because it's a generic term encompassing a lot.

So sometimes an entity in an attack path is the user like we were talking about; another example of a common entity, it would be a machine; another entity would be like an S3 bucket.

It's not a machine, it's not a user.

It's just kind of a cloud storage area.

Another entity is a file or an associates key.

I mean, the list is long in our supported entities.

I think there's about a hundred, maybe even more than that, where all of these different entities can all be combined together to create an attack path.

And sometimes, like I was saying, it's an attack path of ten, but nine of them are just user, like within the user space.

And then sometimes it gets really complex, where an attack starts on premise, goes out to Azure, takes advantage of maybe Azure Intune like that example we were talking about before, goes back over to compromise another machine that then allows you to pivot over to GCP.

Then, once you're over in the GCP environment, taking advantage of maybe some sort of like trust or permission between AWS and GCP to then compromise AWS.

So it gets really complicated, and you look at all these different types of entities in the different disparate environments, and then you connect them together to assess these paths around how every entity holistically plays together in the risk of every other.

Oh, so, so wow.

I mean, most, I know because I do this myself, sometimes I set up those paths myself because obscurity is a form of security.

At least we thought.

Yeah, but it sounds like to me that with tools like yours, I'm sure the bad guys have tools like this too.

Yeah.

Now, once you get in, they start looking around for paths.

Yeah.

So you can't use obscurity anymore, right?

So even if you're hopping between domains or hopping between cloud service providers.

Yeah, it sounds like you really need something to help you identify these.

So let's say, all right, how does it work as a customer?

I bring you guys in and it's professional services, or I just let your software just go hog wild, crazy.

How does it work?

Explain an engagement with a customer.

Yeah. So there's two main ways that we get engaged.

Sometimes it's just at a high level and on a discover all my attack paths, and that's a great, great use case.

Sometimes it's, hey, we do pen tests every quarter, we get so much insight from them, I would like to kind of have these done on a daily basis if I could afford it.

But I don't have a budget of $100 million to do a pen test every single day.

So sometimes it's just at a high level.

I just want to be able to assess my environment.

And in that case, when things like filling out or log for a day or spring for a show, like those vulnerabilities of the month that kind of pop up under the radar, it is a really strong value for an organization to measure the impact of these vulnerabilities, like, hey, yesterday there was only ten attack paths going to this critical asset.

Lena dropped on the scene and now I have 100.

And so being able to measure how an attacker can operationalize new vulnerabilities in your environment to put your critical assets at risk, that's kind of in line with that first customer.

The next customer, when we kind of get engaged, is they'll have a specific scenario.

There was a really large bank that we did a posse with last year; they're a customer now.

But when we did the posse, they said, we know that our offshore developers have access to one small IWC environment.

That's all they should have access to.

But we're really concerned that there is some way that they have the ability to abuse maybe different entities in the environment to be able to access production data.

So that was a different scenario where they said, I want to start here and see if there's any risk to that.

And in that case, it was two days later we were saying, yeah, look at how they can abuse this lambda function.

From this lambda function.

They get this role, from this role they can do is crawl across to me and assume role capability to then get access to your production data.

So for however long that they had this configuration, they had this false sense of security thinking that because all their offshore developers were relegated to one.

Yeah, they had them in a more secure, like there's no way.

So they came to us saying like, hey, we want to verify this.

And so we ran through the simulations and were able to say, hey, you're not secure.

And by the way, it only takes three steps to get from here over there, it's very easy.

So they stopped the posse, fixed all of those things and then resumed the PSC and is now a customer.

And so those are kind of the two main areas where we...

Are targeted, right?

Yeah, I have a specific problem.

And then also tell me where I'm at.

This one, to me, this is kind of screaming for, this would have to be continuously run, because as soon as I add another entity, an S3 bucket, a new person, I could have opened up Pandora's box.

Yeah.

Not only just the dynamic nature of cloud, but we also track user behavior in our simulations.

So in most environments I've found that the security score goes up during the weekend, and that's because we've removed the users from the environment.

You're removing the users, rather, the score goes up.

I mean, every network is more secure without our users.

So that was one thing that you find.

So there's a lot of patterns, not only just, hey, we deployed a new application, or hey, we have some elasticity in our cloud environment.

We've got like this expansion that normally doesn't happen.

So there's a bigger attack surface, or like the example I gave, the users are doing something different today.

What's happening today that is putting us more at a security risk than yesterday?

So it's just not, you're not just doing static analysis of entities.

You're also doing dynamic because you're looking at traffic patterns.

You're looking at... holy cow.

Yeah. Yeah.

I mean, that's why. Impressive.

Yeah, that is a lot.

And you said something interesting and it's kind of in jest, but a serious question.

You basically said get rid of users off your network.

Well, I mean, for the most secure, conscious, for the most, and limit the number of users, I think that that's a really good, it's kind of, if we talk about least privilege principles, I mean, the best way to get rid of privilege principle or implement that is getting rid of users. Yeah.

All right.

The reason I brought those up is because the OT environment.

Yeah.

Which is very different than IT, and I'm doing a lot of research right now in OT managed security, and the OT guys are scared out of their minds.

Right, because I think rightfully so.

Right.

Because if someone hacks into your critical infrastructure, people die.

Yeah, right.

This is a big deal.

So can you guys help with that pathfinding across the entity barriers, or do I just say there are no identities in the OT network?

But yeah, I don't know if that's an answer.

So go to that specific use case where it's a targeted use case; that's a really common targeted use case.

We have customers like in the energy sector or anybody really with an OT environment that probably is having that problem, but it's converging.

Everything's kind of the same networks, and so there's risk to that.

And the old school SCADA guys managing their PLCs, who thought they were isolated because, hey, this doesn't connect to our network, can no longer say that anymore.

So now you've got this problem where, hey, is OT the critical asset or the breach point?

If you think about kind of like attack paths, are we getting attacked from these devices or to them?

Right. And so we get to calculate that.

But to your description, we definitely have that use case commonly played out like, hey, is there any way from my IT environment, let's play the scenario of somebody in HR. If somebody in HR has a machine as the breach point, is there any risk to this PLC sitting in my SCADA environment controlling pressure switches that could turn on and off the electricity for some city municipality?

So that is a real use case that we can simulate.

And if we do find these are the attack paths, it gives you insight to remediate them before an attacker finds them and then takes advantage of them.

So this would be really important to run these simulations.

So that's another question I have for you.

I mean, is this a SaaS offering or is it on prem?

I think SaaS would be a little scary for me personally, right?

Yeah, because I'm like, you're going to store in the cloud somewhere how people can attack me.

I mean, that's scary, right? Yeah.

So we're a SaaS solution.

Early on, we did have kind of, we did have an on premise solution, but it was really hard to keep it updated.

Think about how often we're constantly adding new attack techniques and new attack vectors.

And so it became such a problem for us to constantly be trying to update all of these on prem systems that we eventually said, for us to deliver the best service that we can and constantly stay dynamic with every new vulnerability and tactic that comes out, we have to be SaaS only.

And to your point, it is a little scary to think about, hey, there's something in the cloud that has all of our attack techniques.

We do a very, very, we put a lot of work to make sure all of our data is completely isolated, SOC 2 compliant and all these different certifications showing that we don't do any multi-tenant.

See, everything is in its isolated tenants using a WAC, and so we make sure everything is isolated and secure, and we try not to collect anything sensitive.

Now you think about stitching their attack paths and what appears like that's sensitive, but if you think about what we're showing you, a lot of it isn't as sensitive as some things like data setting credit card doubles, credit card numbers, PII, so, so the password.

So when we are doing these attacks, it's really common for us to say, hey, we compromised this user account, we have this password sitting here, but we never send anything sensitive to the cloud.

What we do is we hash it a bunch of times and we actually send half or a portion of that hash up to the cloud.

So that way we can say, hey, this password is the same as this password over here.

So we can leverage it in a way where we can kind of continue to use that password in living off the land from an attack perspective.

But we don't have to know what it is, and we try to do that same sort of mentality on everything, or it's, if we don't need the actual data, we'll kind of hash it, obfuscate it, and then just compare it in the cloud.

But we have really large references for customers, like Nasdaq, for example, is a really big customer of ours.

We've got Fortune 50 banks.

So you have to like the scrutiny that we've gone over to get those times.

You've already gone through that.

So yeah, yeah, I bet, I was a big, it takes a while for them, right.

Yeah. And there's some still. Yeah.

So thinking, or cloud is scary and it's somebody else's computer and I don't like that. So yeah, I get it.

I feel that way, the same way, a lot of times too.

So I guess here's another quick question.

Have you guys moved it all into the government space, in state and local governments or federal governments or, you know, national governments?

Have you moved into that space yet, or are you still getting a little pushback from them?

You mean just with the cloud adoption?

Yeah. With, yeah, with the cloud adoption.

Yeah, I think so.

Most of our customers are in that space.

Put us through a little bit more of an effort test.

Of the ringer. Yeah, yeah.

And I mean, so, like, we are owned by a German company, the Schwarz Group that owns XM Cyber. Germany is known for like a lot of really strict privacy laws and things like GDPR and all these different compliance.

So there is a kind of an extra layer of scrutiny just because we have to adhere to these type of things like the GDPR in a way that maybe we don't have to as much in different areas in the States.

So right, it is definitely something that we have to keep staying in touch with, and different compliance like FedRAMP, for example, if you're playing in federal space and you want a SaaS service that adheres to FedRAMP and state FedRAMP compliant, like there's a lot of those type of things as well that we continually have to work.

So you're already in FedRAMP.

You're in the gov cloud already. Not yet.

I think what we are, what do you call it when it's pending authorization, so we don't have the certification. Right.

We're just going through that process.

You're going to.

Oh, that's good.

That's good. That's good to know. Yeah.

Okay, let's say that

I, I get all this information from youguys.

You guys have shown mewhere all my, my parts are.

Maybe I'mnot that sophisticated in my cyber.

Maybe I'm a mid-sized company. Yeah.

Do you guys have, like,consulting services to help me figure out?

All right, you you found all these powers,and I'm sitting there going,

I don't know what to do.

I mean, how do you educate me?

Or can you help me figure out what to door point me to a partner?

Maybe you guys have a partnerthat does manage security.

I don't I don't know.

Yeah. What do I do?

So we have both every customer of oursgets assigned what we callcustomer success manager.

And they either have weeklyor biweekly meetingswhere the whole goal of their sessionstogether is just to take the datathat's coming out of our platformand help them like actually use it.

If we're just running,running thesetheoretical is every single week,but no one's fixing anything, thenwe aren't really making anything better.

So what, you're not.

Making any progress? Exactly.

So what's really a fun takeaway or a funoutcome of those sessions is commonlythose sessions will identifya few things like, hey,this chokepoint is impacted by this attacktechnique.

It will.

These are the steps to remediate it.

Do you think we can have this doneby two weeks from now?

And then on the team, they'll assignstuff, open tickets, put it infor that change control window.

And then two weeks later, we get to nowsee the impact and say, wow, look,we had this fix.

Look at how it replicaterippled across all the environmentand your security score goes up.

So that's kind of the main waythat we addresskind of using the solutionand not just turning in the shelf where.

But to your other point, we do have a lot of partners.

There's a lot of, like, managed service partners that we work with who bolt on kind of these attack simulation offerings into their platform and then allow them to have that value.

But the perspective it gives them from a managed service, like an MDR, really gives them a ton of insight into the organization to help them be better at offering those services.

Now that makes a lot of sense.

Yeah. Now I have another question.

You talked about the entities and all that stuff.

What about if I have all of my stuff encrypted?

Are you checking for encryption?

Because at Intel, we've got some cool technology around encryption, like memory and in-use encryption, right, in SGX.

Are you guys looking down at that level too?

So even if someone infiltrated, so what, they can't see it.

Yeah.

So that's a really interesting point.

We just acquired a company called Cyber Observer, and Cyber Observer kind of is more on the controls and protection aspect of it.

So what we did before is we kind of ignored encryption, or we ignored kind of security controls, saying, hey, this risk is still here.

So what, they ended up being able to download or access an encrypted blob.

They shouldn't have been able to do that in the first place.

And there's risk to that because, I mean, we're talking about encryption.

I mean, we know that the post-quantum world and being able to start breaking encryption is not that far away.

So we don't want to have any data loss, even if it is encrypted.

But now, through this acquisition of Cyber Observer, Cyber Observer has API integrations into different cloud environments, the different security controls, both cloud and on-prem.

And now they can assess whether or not, hey, that file that we simulated a compromise on was... we had a simulation that there was the exfiltration that happened, but Cyber Observer was able to say it was encrypted, so you don't have to worry about it.

And then also things like, there were these three security controls that probably would have made it harder for that to happen.

So then we address it and rate our complexity factor.

So now, with the insight of Cyber Observer, we could say, hey, without Cyber Observer, it looked like this was a really easy attack.

But now there's this encryption to break.

There's this EDR solution you have to bypass.

And so now, because Cyber Observer told us that, we're going to say that this is still technically possible, but it is something that's going to be more complex than something that doesn't have that.

Okay.

That makes a lot of sense to me.

So without this new acquisition you guys made,

Can I get access?

Yeah.

Basically now it's like, oh, I got access, but it's guarded.

Yes, exactly.

I mean, I've always... I can't understand it or, you know, what.

I've always referred to security controls as safety nets, being like, hey, if something bad happens, this will protect you.

And so we've never really evaluatedthe safety net in the aspect of security.

So we've always said, like, hey, this is possible.

You probably shouldn't care if there's a safety net or not.

Like, this is something that's bad that could happen, and I don't want to rely on that safety net.

You should rely on the actual posture of it in general without kind of falling.

So we would address those things first to make sure you never have to leverage the safety net.

But now we're at least kind of considering whether or not the safety nets exist and how strong they are and can they help you?

Because now we actually have that insight through our Cyber Observer acquisition.

That's pretty cool.

That's a nice addition for you guys.

Another thing that comes to mind,

I don't know if you guys handled this.

It's micro-segmentation, motion or controlled.

I'm talking to a company now called Felicity.

Really cool stuff, where they're controlling at layer two and layer three, where they're saying, I'm getting rid of VLANs completely and I'm controlling traffic between devices directly.

Do you guys bring that into play too?

Like, on the networking side, in micro-segmentation, or you say, now I got access, and if these two machines can talk, you're... yeah.

Yeah.

So we do play in that space, kind of when you're talking about, like, the targeted use case. That would be one where it's saying, like, hey, I want to see how well my micro or macro segmentation is actually helping.

So yeah, we do take that into account.

The way that we do it is, most of the time, if we are saying that there is some sort of attack that's happening between two machines, or there's a vulnerability being exploited between two machines, we'll look at the relevant port number that that service runs on and the exploit that it's running on.

And we will attempt, through a handshake, to see, like, hey, can I talk on that appropriate port number?

We don't pass any data, there's no exploit happening, but we are confirming connectivity.

So whether you're using Illumio or Guardicore or whatever the micro or macro segmentation solution is, we will be aware of those controls and that limitation.

So that way, if there is a vulnerable service running, we will have insight into, hey, these are the only three machines in the environment that can actually exploit that vulnerability because of those controls.

All that is to say, yeah, cool, you guys have some really amazing technology.

Yeah, it's relevant and...

It's fun because... yeah, it's very real.

I'd be afraid to release it on my own network.

I did that when I first started, at five or so.

I've got four kids.

I know you got a lot of kids.

And so it's one of those things where I was able to see which one of my kids' machines puts the most amount of risk to my network.

Is that storage device.

I've got a little Synology device; all of my critical stuff is sitting there.

So I built all the attack paths and figured out that my daughter Rylan's computer is a chokepoint because of the way it was configured, so I fixed those and then made it so that way...

At least all of the kids' computers' risk is the same.

Oh, yeah.

Well, there you go.

You want to be an equal opportunity parent, right?

All the kids' computers are...

Definitely, especially the games they play.

The same amount of risk.

Hey, Paul, it has been a pleasure.

This has been wonderful.

I learned a lot.

We may probably have to have you... Kind of love that. Yeah.

Cause I especially... I really want to go deeper into OT, because that's a scary part for a lot of people today.

And like I said before, I'm doing a lot of research in this area right now.

I have a lot of customers bugging me. Darren, what do I do?

What do I do?

So we most definitely need to talk again.

Okay. Yeah.

Next time, maybe I'll even pull up a use case and show you the interface.

And with those two scenarios, that'd be fun.

Oh, that would be awesome.

Hey, thanks again, Paul.

Thank you for listening to Embracing Digital Transformation today.

If you enjoyed our podcast, give it five stars on your favorite podcasting site or YouTube channel.

You can find out more information about Embracing Digital Transformation at embracingdigital.org. Until next time, go out and do something wonderful.
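Paul's description of how segmentation is taken into account (look up the port the vulnerable service runs on, complete a handshake to that port from the attacking host, send no data and no exploit, keep only the path hops where connectivity is confirmed) can be reduced to a small connectivity pruner. The following is an added example written for this page; it is not XM Cyber's code and does not show how their platform does it. The hostnames, the "technique" labels and the two sample hops are constructed, and the three-way split of the result into open, closed and filtered is my own refinement: a refused connection (RST) means the segmentation policy let the SYN through but nothing is listening, while a timeout is the usual signature of a policy silently dropping the SYN. To run offline it starts a throwaway listener on 127.0.0.1 for the "open" hop and uses an unbound loopback port for the "closed" hop.

```python
import socket
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class Edge:
    """One hop of a simulated attack path: src reaches dst over a service port."""
    src: str
    dst: str        # IP or hostname the probe connects to
    port: int       # port the vulnerable service listens on
    technique: str  # constructed label for the exploit this hop would use


def probe_port(host, port, timeout=1.0):
    """Complete the TCP handshake to host:port and close immediately.

    No application data is sent, so nothing is exploited; only reachability
    from this host's vantage point is confirmed. Returns:
      "open"     - SYN/ACK received: the segmentation policy allows the flow
      "closed"   - RST received: host reachable, nothing listening on the port
      "filtered" - no answer (timeout) or no route: the typical signature of a
                   micro/macro segmentation control dropping the SYN
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError, OSError):
        return "filtered"


def prune_paths(edges, probe=probe_port):
    """Split hops into those whose service port answered and those that did not.

    Each entry is (edge, state). Only "open" hops survive into the attack graph;
    the rest are kept with their state so the reason a path died is visible.
    Run this from the source host of each hop, otherwise the result reflects the
    prober's network position, not the attacker's.
    """
    kept, dropped = [], []
    for edge in edges:
        state = probe(edge.dst, edge.port)
        (kept if state == "open" else dropped).append((edge, state))
    return kept, dropped


def start_listener():
    """Throwaway loopback TCP listener standing in for a reachable vulnerable service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()  # accept the handshake, then drop it: no data exchanged

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """A loopback port with nothing bound to it, standing in for a closed service."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Probe two constructed hops and return {technique: state}."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        edges = [  # constructed sample hops; both point at loopback so the demo runs offline
            Edge("ws-rylan", "127.0.0.1", open_port, "exploit exposed file service"),
            Edge("ws-rylan", "127.0.0.1", closed_port, "exploit management service"),
        ]
        kept, dropped = prune_paths(edges)
        return {edge.technique: state for edge, state in kept + dropped}
    finally:
        srv.close()


if __name__ == "__main__":
    for technique, state in demo().items():
        print(f"{state:9s} {technique}")
```

The single thing this confirms is that the transport path exists; an "open" result is not proof the exploit would work, and a "filtered" result from the wrong vantage point proves nothing, which is why the probe has to originate from the hop's source host. In a real run the hosts would be the source and target of each simulated hop rather than loopback.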