Shiva Maharaj Kontinuum 0:00
What is SDR? Why do I need it

Kiran Vengavati 0:02
once to call ourselves an SDR company; we call ourselves more of a beyond-SDR. Back in 2017, when they supported the company, we started with the belief, the A, the data points that we’re collecting from different sources on the network are not good enough. That comes from my 20 plus, 33 plus years of experience in the industry, having led SOCs for multiple international companies, or to 10s of hundreds. So I came back and said, no, we need to look at this problem in a unified platform. Essentially, we need to look at what’s happening on the endpoint, what’s happening on the network, what’s happening in the data center, what’s happening at the ingress/egress, whether it is your cloud environments or your data centers, and then correlate all that information, and only then be able to judge whether something is actually an attack or a false positive. Otherwise, the context is completely missing. There was this big hue and cry about EDRs, and EDRs became extremely popular; Carbon Black really rode that wave all the way to the bank. Based on that, they said, okay, you know what, we’ve hit the limit and ceiling on what you can collect with the endpoint, we need more data, because endpoints can lie. Because if I have compromised an endpoint, which is your laptop, desktop, server, virtual machine, whatever computing device it is, I can make the system lie to you. So they said, okay, fine, you need more data points of vulnerability when it’s coming up, other tools and other things on the network that exist. Now they’re saying ad XDR, calling it STR; STR is more like extended detection and response. What used to be endpoint detection and response became an extended test detection. We’ve been doing it all along. And we’re very hyper-focused on site resiliency, improving cyber resilience in organizations, where we look at the capability to predict something likely, and respond and remediate to it very fast. And that’s why we call it aura.
But beyond STR, rather than just an SDR, which is just getting fired now.

Shiva Maharaj Kontinuum 2:13
What is your platform? Is it a SIEM? And then you provide the analysts that are doing the hunting or monitoring, the alerting, and doing the remediation?

Kiran Vengavati 2:24
Essentially, when you look at cybersecurity from a defense perspective, right? You’re talking about your firewalls, your proxies, your email gateways, your antivirus systems; those essentially form the basic security didn’t step by. If we go beyond that, let’s say what, what is the agenda item. And I know all of these, and the attackers today are easily able to get passwords, very clear, we’re seeing these media outlets reporting attacks every day now. But beyond that you go, then you start looking at what we call an advanced defense attack by really looking at behavior anomalies, or failure on the endpoint or on the network, trying to understand the anomalies that happen on the network side, by most from a signal intelligence perspective, understand process behaviors, or the standard user behaviors, and then try to make sense of what is happening. And on top of that, figure out how do you want to respond and remediate one of these activities? So if there is an incident happening, how do you respond to that case? Like, for example, I want to say collect more data on the incident, or I want to perform a trigger, I want to actually go back and say, please suspend the process, don’t do anything, because I think it’s bad, suspend it, I will go back later and collect the many types of response, I want to quarantine them. And, you know, in organizations, quarantining an endpoint is not very easy, because of the large expanse of most of these organizations running into thousands of endpoints. And especially today, with the remote workforce that is actually in play, if I want to quarantine your laptop, and you’re part of my organization, that’s not as easy as steps anymore. Because you run on your own infrastructure, you don’t run on my structure, this creates problems, right, which again are called solve those, and then move on to what we call threat hunting, which is at the top of the stack.

Shiva Maharaj Kontinuum 4:17
how are you? How are you solving those problems?

Kiran Vengavati 4:20
Oh, we’ll come back to that in just a second. So, in that stack, there are different stacks; the top piece is usually threat hunting. Essentially, it is figuring out what could be happening and trying to go solve those problems before they actually become major issues. Oh, you probably receive threat intelligence from certain US or certain, or wherever you are, and probably industry vertical; they are supporting particular regions and keeping you, let’s say there are particular artifacts an attacker is reporting or behavior is doing, and if you go in search for those artifacts and you find them, that means the attacker is what are. It could be a hypothesis; essentially, you say, okay, I want to say, I want to disprove the fact that my company is leaking data. How do you do that? You start out looking for uploads of data: what kind of uploads? Can I find who is doing that, and try to narrow it down. If you don’t find anything, great. If you find something that you have a coin to actually write, that’s the downside of a different stack, because today’s attackers very rarely drop malware; they are attacking you from the inside, which means there is phishing for your production, getting into you’re acting as one of you, stealing credentials while they’re inside. And everything they do is using the system tools that are already present in every one of their updates, bitmac Big limits to Windows, right? So it becomes very hard. Macs don’t get viruses, what do you say? Viruses are what we call, you know, the lowest common denominator among attacks, malware, but it is used, right, this bit, kiddies will put these things up, and most of the time it is the actual sophisticated attacker, after he has taken and stolen data, to cover his tracks, the DB ransomware on your neck. So nothing becomes recoverable and the forensics become based, right. So tactic one, the Cyber Defense Stack, is where attackers are playing.
And as defenders, we claim that that is what the entire stack is, instead of providing on a piecemeal basis, like today, where you could probably use six, seven different tools to do what the software does. But having treated it as a unified stack, we have the integration that can cleanly show you from point A to point B and draw a complete storyline for you in seconds. But usually in today’s security operations center it takes hours or days. All that other points drop, we have an agent, okay. And it’s one of the most mature today; in December, we began our open source of the framework. We call it a framework because, though it solves a lot of problems, there may be problems that we’re not taught, and we want others to actually contribute. And we built it on a flexible framework, so it can be extensible by itself without requiring too many tech. So we open sourced it in December, December 2021. And now we’re seeing a lot of response from organizations, who will risk management, who want to use our framework to go ahead and take remediation actions. So in Windows, we obviously use RMI or WMI to connect Windows, and WMI to connect to remote systems. And Linux, obviously, we use SSH. Mac, we’re not really seeing that much of a requirement on the other side. But we are getting there slowly after we finish up. So that’s an agentless system, which means I don’t have to be present on your system for me to take action; I can still do it remotely, just like an attacker, except that we’re doing it for defense. It’s one of the most mature frameworks today; it has over 272 plus capabilities that it can look for and do, with more and more coming in the open source.

Shiva Maharaj Kontinuum 8:02
Now, you were saying earlier that a lot of it is behavioral based. Is there an audit timeframe that you have to run on the client systems to really understand how they operate before you can really become effective? Yes, and no more in terms of, in terms of understanding their behavior and knowing the difference between them and a bad actor and/or an insider threat?

Kiran Vengavati 8:25
Yes or no. In most organizations, most vendors today use what we call supervised learning algorithms. But everybody talks about AI, right? Unsupervised learning algorithms really need you to baseline the environment before they can actually deliver any amount of value. And the challenge with that is that everybody’s baseline. And if the malware is already on it, then there is an opportunity for you to baseline the malware behavior, and take that as a baseline and completely sideline any anomalies that may be generating insights. So we’ve moved away early on; we decided that we’re not going to, we’re going to move away from those models, and look from a behavior perspective. And when we started in 2017, we didn’t have the next initiative of the MITRE ATT&CK framework, the attack matrix. Luckily today, for most vendors, everybody has that access to the MITRE ATT&CK matrix. So what is this matrix? It is a combination of all the techniques and tactics an attacker can use to compromise the network. How he accomplishes each of these techniques could be in finding ways, but it is broken down into, okay, these are the different techniques you can use to get into your network, and these are the different behaviors he could show. Back when we started, we didn’t have that luxury, and we painfully built our version of it. But now we also map against and monitor. So it’s about 280-plus techniques in all that an attacker has to exhibit in some way, shape or form. And we go after those big Israel claims and look for what it, how we, as they try to achieve each of these, we don’t worry about that, we just go by

Shiva Maharaj Kontinuum 10:04
now, are you guys installing any type of network tap anywhere on the tree? Or?

Kiran Vengavati 10:09
I like that question because we have an option of installing and working off the tap. We call that our sensor; the sensor looks at all incoming and outgoing traffic, and it will also look at all the east and west traffic, and pick up a bomb list. The idea is that we won’t build a modally anomalous behavior, and try to understand. A simple example would be that, you know, when you’re normally browsing, it means your data coming in is more than your data going up on each machine. That’s normal. If you’re pulling too much data than the CD, that means you’re actually uploading data out, which means data is going out. That’s very unusual behavior for a normal workstation. It is probably a normal behavior for an FTP server or an SFTP server. Nobody uses FTP anymore, but an SFTP server or SSH based, over that you’re allowing people and providing a service. But every other system on the network that isn’t anomalous, most of the time people are getting data, they’re not actually uploading data. So that is one of the signals you could look at. But that’s just a very basic example, right? And these kinds of mapping the data with also the threat intelligence that we collect from over today, I think we collect from more in tune sources, deduplicate that data, validate it, and then match it across all of the data that’s going in and out.

Shiva Maharaj Kontinuum 11:34
What type of data retention are you guys offering with your platform? I know you have three different levels. Oh, yeah,

Kiran Vengavati 11:41
we have three different levels. But from a data retention perspective, all of them by default report by day. Since we are a SaaS platform, we’re limited by how much storage, but today, actually, end of this month, we are ready to announce an unlimited data storage model where we can search and query an unlimited amount of data. So 45 days of data is online; you can still go back one year in Salzburg with our piping booth. The majority of the people who probably run with us as SaaS today, they only provide 15 or 30 days, that itself, and if you want older data, they have to restore it. So we’re walking away from the inspiration model; you can directly query data at rest in purpose.

Shiva Maharaj Kontinuum 12:25
How does that go against most compliance regimes that ask you to hold data for an ungodly length of time, that really makes no sense? Yes, we just qualify that statement. I am not a fan of most compliance regimes. I think they’re just checkbox exercises and don’t actually do anything to improve security.

Kiran Vengavati 12:47
The Caribbean is not improved by copyrights. Security is improved by intention. So you have to eventually move forward every year. So you’re very right, absolutely correct. What compliance is trying to do is get the information security teams the power they need, to add the budgets they need, to actually get things done, at least the basic level of security. So in that regard, compliance is actually useful in securing budgets. But other than that, budgets are hotel wise by itself; being compliant by itself is nice.

Shiva Maharaj Kontinuum 13:21
It’s a money-making exercise. I have a question for you. And this is something I think you’re probably more apt to answer. When COVID came around, everyone started talking about, let’s protect the identity. And they said, we don’t need to protect the perimeter anymore. We don’t need to protect the device. As long as you use an IdP like 365, Okta, or any of the other guys. What are your thoughts on that? And what type of data or telemetry are you losing by not having a tap on a network? Because, you know, I’m working from home, I call this my global headquarters; you’re probably working from home at least some part of the time, as are millions of other people.

Kiran Vengavati 14:02
So the network tap is just one source of data we look at; we look at a full host of other category information, the employees themselves, the servers, data centers, any other tubes, any other equipment that you use inside. But coming back to your question about identity, I think validating identity is actually a very good exercise. But that by itself does not provide you; there’s just one step of the gig, where you’re actually trying to say, hey, you know what, 90% of my workforce is working remotely, I need to confirm that the person who is logging in as Shiva is actually right and there. That’s where the identity management is coming in and ensuring, on the larger scale, identity also exists. IAM tools also expand their reach into managing access to resources on an organization network. That usually takes a backseat very, very fast, because access control lists by themselves are extremely complicated in enterprises. The majority of the time these are the stop and provide not a value at the identity detection piece itself. But they’re very good. And they talk about the perimeter being that; you’re just moving your perimeter. I know you’ve widened your perimeter, rather than saying your perimeter is the perimeter; it’s not that. Your data is interesting, like this probably exists in the cloud in a VPC; it’s still your VPC, you still need to understand what’s going in, and you’re protecting it just like you’re protecting. The only changes are when you’re using the serverless model; by then you’re probably using an application, not an entire infrastructure. Oh, those are the places where, you know, the very minute all these debt, but you still want some level of information based on what you’re using. And I think the cloud providers are working very hard to provide you specific logs to your instance of activity that is happening. Now, there.
Theoretically, there have been a lot of discussions on how you can actually attack a serverless computing environment, and then ride that to gain access into your infrastructure. We haven’t seen any practical attacks as of date; that still largely remains theory, the majority of the time primarily because of the short duration of time the seamless periods are available. And very specific tasks are designed, rather than standing up an infrastructure instance, like a VM, which could do a lot.

Shiva Maharaj Kontinuum 16:32
How are you guys deploying on all these computers, if you’re, if you have an agentless brandmark?

Kiran Vengavati 16:37
So we have not deployed; that’s the beauty of it. So we’re able to access them based on the configurations that we look for, and then interrogate them, and then find their current state, which is what more observability is, a new term that’s making the rounds today. But essentially, we’re trying to understand what is happening from the signal intelligence perspective, communications sponsored, interrogating the system, getting the data we need. And if possible, we can also put an agent if they want to provide more info. But we can get all the data we need without using it, etc.

Shiva Maharaj Kontinuum 17:14
But how are you getting that data without an agent?

Kiran Vengavati 17:17
So without an agent, we’re interrogating these endpoints and collecting those data points. And if you’re using as they were is cute and others, they need the best you get the data, or any of that data.

Shiva Maharaj Kontinuum 17:31
Okay, so you’re just leveraging API and success? Yes. Okay. Do you find those? Let’s use Microsoft 365 as the example, because we have companies that are lifting and shifting or doing some form of hybrid Azure AD deploy. Now they have an SLA that they can, they have up to 24 hours to generate a log? Has that presented any issues for you guys?

Kiran Vengavati 17:57
Usually, I’m sorry, bye. Bye types of some other backup way of providing the data to us if they’re using instances. But if you’re talking specifically about Office 365, they’ve come a long way. There’s still downtime where you don’t receive logs, especially with the Graph Connect APIs. People have been struggling with that to get the right data. And we do see data coming towards late. But more often than not, we also rely on the VPC flow models to provide us information on what’s happening on the network, and see if there are threat actors who are on the environment actively using it without showing their presence. Now, it provides a challenge when you’re using something more of a service-like proposition, where you’re clearly reliant on the cloud provider to provide data to you; that presents its own set of challenges. Today, as of today, there are really no easy answers. But if you actually are hosting your infrastructure on Azure, then there are much better ways of getting this. What

Shiva Maharaj Kontinuum 19:07
is your ideal client and deployment look like? Meaning, what type of infrastructure would you like to see your clients have? And then how do you plug into that?

Kiran Vengavati 19:17
Um, we are specifically targeting the mid, mid-market segments. And when we say mid, mid-tier markets, we’re talking about anywhere between 100 million to six to 7 billion in revenue. That’s the market segment where we’re really active. Most of these are either cloud-first companies or a hybrid cloud, and we’re seeing a lot of traction from all precision manufacturing. And when I say precision, I’m more talking about manufacturing companies that are under direct compliance requirements from Department of the balance, bad songs. Healthcare is here to help; financial companies are something we’re seeing a lot of traction in today. Pearl, they are moving, lifting and shifting a lot of their, by the structure into the cloud now. And we see tremendous opportunities there

Shiva Maharaj Kontinuum 20:09
in terms of manufacturing, because they do have bigger deal manufacturing clients. And the biggest problem there are these legacy CNC machines that run software and hardware that’s probably older than you and I combined. How does a product like yours, or any good security product, really have overwatch over something like that? Or is it just really a matter of segregating it from the network and controlling access as to what’s going in and out of that VLAN or separation?

Kiran Vengavati 20:39
Still, we go back all the way up to working with Windows XP, in terms of our agentless approach, and this is where our agentless pros actually shine and outweigh everything else, especially in regulated environments, in pharma companies, manufacturing companies, where they cannot control any of the SCADA machines. Typically, the CNC machines you’re talking about are considered SCADA controllers, those machines that were the SCADA controllers, and so on, so both of which are under manufacturer warranty, and they usually don’t have any patterns; they’re very, very old. Our agentless mechanism actually helps with collecting the right data points that we need without having to install anything on the endpoint. At the same time, we look at the cell, we look at the data that we collect from the sensors, also the tap, which we use to gain intelligence, board a correlate that information, and decide what action needs to be taken on that agent. So rather than point out, since we’re agentless, we can actually go with take the action required. Case in point: one of our customers actually had a malware, very old, we’re opening up remote access, so we call it power, but essentially the rest of the world knows it as TeamViewer. So installed on he got off his machines that they were not even aware that it is being controlled by somebody else. They had no clue. Once we saw anomalous activity from places where this benefactor was positive that they did not have any relationships with, we’ll be ready to go in, terminate those processes and remove those computers without having to install or sucks all of this mapping without actually having to install anything on that in. So that’s where we can warm up. The other major decision by the fighters is some very interesting stories. Operating in France, there’s a Chinese company that comes up and opens shop right extra. This company, a French company, manufactures defense contractor parts, where the United States and China comes in.
A Chinese company comes in and manufactures the same exact thing. And obviously, they’re suspecting a breach. So we go in, and we put in our sensors, we put in our data, and then we start monitoring and start to see anomalies showing up. And when we investigate those anomalies, it turns out the fact that we had so much information on this actor; he knew exactly when a specific reset, Foreman, would go into the guest network versus the corporate. That much information they have. So their malware would overreact. But he’s on the guest network and would lay completely dormant, porn even do things; it wouldn’t even do any reconnaissance, is where they will do command and control communication, nothing. But it comes back onto the corporate, only then is on the guest network, it will transmit out and use Mandarin controls to communicate with whoever. But when it’s back on the corporate network, it just would not. It would just lay there. That was amazing when we saw that, and the level of information they already had, the amount of targeting they did to get the right data out was a date. These are the dates that that customer today is one of our largest customers, and they’re expanding in scope on top doesn’t endpoint or how

Shiva Maharaj Kontinuum 24:13
were you? How were you and your team able to figure that out?

Kiran Vengavati 24:17
From the network traces we were able to collect, and looking at the activity that was actually happening from a process perspective on that endpoint, we were able to put two and two together. So essentially, when we saw in the previous tools, because it was getting work, they were letting all data out. But what we found out was, while it was letting data out, there were some periodic communication happening only when that laptop was on the cusp, not when that device was actually on the corporate. And we said this is where we got this kind of biotic activity; it usually looks like malware, because it’s an extremely small amount of communication, because it’s command and control. And we picked up command and control; a video, it was command and control. But we’re trying to enlist, and why are we seeing it only in one place? Then we inquire, we realize that that is actually the guest network or diaper that is reserved for visitors. This woman was using it for his course.

Shiva Maharaj Kontinuum 25:12
The fact that they’re using guest versus corporate network, that is a lot of human reconnaissance that they did, before they even injected anything.

Kiran Vengavati 25:22
It is amazing. It is amazing. We were blacker that they knew so much about the company before they even launched the attack.

Shiva Maharaj Kontinuum 25:30
Do you guys see a lot of APT activity? Within your, I guess, if you’re dealing with independent clients,

Kiran Vengavati 25:37
every, put it this way, we do see a lot of APT. But if you’re asking, do you see a lot of sophisticated A? Well, I would say, you know what, the majority of what goes for sophisticated APTs really are not that sophisticated. They’re using one of the most basic attacks that we have moved forward from, again, by at least a decade. But these are so simple that it has escaped the majority of their focus. People have not thought about it. I look at more commonly noted sophistication

Shiva Maharaj Kontinuum 26:10
as success. I look at sophistication as success on their part, because they’re just really good at drilling the basics. And that’s what allows them to live off the land and be successful in what they’re doing. So

Kiran Vengavati 26:26
that’s where we actually spring and dry girl, Stan, who is actually trying to live off the land, and why a guy had been distant doing something of that sort. He’s also suspicious if he’s trying to build things in very different ways. For example, somebody who has a security operations center, and you start noticing that they’re using some of those live-off-the-land binaries, or the call log binaries, right. And we notice them using this time and again, without a specific purpose that actually relates to this; we will become extremely suspicious, like

Shiva Maharaj Kontinuum 27:01
this at the factories. How do you feel about RMMs, like the Datto? So, well, now it’s N-able, they got spun out from SolarWinds. Are you familiar with those platforms?

Kiran Vengavati 27:15
I find I’m familiar with them more on the data recovery side; I’m not sure if they’re doing anything else more actively in that space.

Shiva Maharaj Kontinuum 27:24
The reason I ask is because it’s essentially command and control infrastructure that a managed service provider uses to make mass changes and administration of multiple clients across various geographic locations. And these are all platforms that, I’m going to catch a lot of flack for this, but are lacking in the security area, because they’re old; they were built in a time where today’s threats could not have been imagined, or weren’t imagined. And they’re essentially trying to hide them behind a WAF to keep them protected. But once you get in, you have near unfettered access to thousands upon thousands of workstations and servers.

Kiran Vengavati 28:03
What you say could be said for most of the new generation tools out there, by the majority of the SaaS providers out there today that are being, you know, what you’re saying probably wants to bring up the pace of innovation: the pace of technology advancement is so fast. It is really very hard for somebody to do a ground-up approach, trying to build something with embedded security. Everybody loves to talk about this. We have lived it ourselves. And we’ve seen it in the market. It is an extremely hard challenge to manage the pace of innovation versus the pace of release of features, not necessarily innovation. Most of the time, many times, it’s just trying to meet the demands and also be secure at the same time; you’d have to lean on external tuning factors like wraps are the app is that are you going back and fixing things? I think that is more right. A baffling ligatures. What happened in the Kaseya ransomware was a classic decadal technique of taking a box traversal vulnerability that existed in Microsoft Defender long ago, using that to conduct risk. It just happened to be worth about Kaseya in that drill back into updates, who do updates into almost everybody’s systems, and it is amazing to see something that was patched probably a decade ago. And then the same binary pack, replace the binary and execute, and almost every single EDR, SDR out there as the Detect astronaut EDR, and it was signed by Microsoft. There was never a problem with that. And the majority of the deals today, if it is signed by Microsoft, that day, all trust by, and these are the challenges that Petrovic working on focus on. We have a tool called blue armor. It is an invoicing tool that is specifically focused on preventing bad. The reason I say bad, rather than say, hey, protect sectors malware, protect second strand somersaults, is because all of that is bad behavior. And we’re very, very behavior-focused. And the proof is in the pudding: we have not updated it in the last 24 months.
And just six months ago, or five months ago, it prevented a brand new ransomware from executing at one of our clients, never updated, never had to be patched. The only update we do is from a usability perspective, not from a detection perspective, and it’s completely behavior-based, and it’s only one megabyte in memory. Tell me what you use on your laptop to do that?

Shiva Maharaj Kontinuum 30:52
I can’t think of any. That’s definitely not Chrome.

Kiran Vengavati 30:55
Basically, we built this for the SCADA environment. And then we realized there’s tremendous potential for it on the other side of the fence. So we’re working closely on that; we’re working with a close group of clients on that and trying to see how it performs. Basically, well, because the majority of the organizations, if you’re not a bleeding-edge company, you’re always struggling to patch. I talked about one of the largest providers, IT providers in the world, opposite; they were breached, not because they did not have security; it’s everybody lags behind the patch, patch. So if you’re going to run after the patch program to try to make it efficient, you’re going to fail. Because the wonderful thing is that we’re stuck.

Shiva Maharaj Kontinuum 31:36
You know, we patch workstations on a daily cycle. We hold them for X number of days; I wouldn’t say publicly, because I don’t want anyone listening to know, but they’re held for a certain number of days and tested to make sure that they’re stable. And be our patch window runs every day. So if it’s approved today, it’s going to run tomorrow morning. And servers are every week. I’d rather brick a computer than have a ransomware attack take it. You know, one of the things that I’d really like to check out

Kiran Vengavati 32:07
throw this at you. When was the last time you bird a wonderful up being used to compromise a network and encrypt it?

Shiva Maharaj Kontinuum 32:17
Apparently struggles last week, I’m sorry,

Kiran Vengavati 32:20
I’m going to the last time you heard of a major security incident happening because of a wonderful city that was publicness tele Apache strips was the last one, clear vulnerability. That was so good right now. Yeah, the posts that the majority of the attacks have been insider. It was through credential phishing, and then going and is to compromise other services, things like?

Shiva Maharaj Kontinuum 32:44
Well, that’s my next question for you. With your platform and everything you’ve told me up until now, the two things that really keep me up at night, which are completely out of my control as an IT services provider, are shadow IT and insider threats. And I look at shadow IT as a user not knowing better and giving persistence by accident, whereas an insider threat is a deliberate act that an employee or contractor is taking to bring bad in. How do you guys work with that? We’ll work with those two. Essentially, when

Kiran Vengavati 33:21
we look at each of these, we look at the from a behavior, whether it is deliberate, or it is unintentional. Or it is the madness is happening without your knowledge from yours. This could be in your probably your credentials got fished, or you clicked somebody need not use somebody else using your system for a short period of time like something whatever the case, we’re looking for changes in behavior that look like irrespective of what an attacker does, he has to exhibit some behaviors. And those behaviors are what will purely razor sharp, focused, but not really focused on whether it is originating from inside or of that and we don’t care one way or the other. Our job is to stop. A lot of the industry seems to be very hung up on trying to understand hey, is this a Russian attacker or a Chinese attacker, right, that comes next. And that will come next. That’s okay. The first thing you need to do is read stop prevent bad things from happening. And that’s the first thing we look at. Rather than trying to understand and mold our machine learning algorithms to understand the behaviors of multiple malware CMMC swarms, or if you put a razor sharp focus on trying to just understand the behavior of an attack. An attacker has only a finite number of basic effects. And he has to exhibit his feathers at some point in a day when his theory beer logs are rare. They’re always trying to look for any present potentials in the memory he has to look before he can get that or he’s trying to because whenever dr. Lyons on the network our assistant does like it Downloading in a dark blue, without any perspective, he needs to figure it out and try to understand vaguely. And that’s what most of the times case study. And the further steps each of these tactics can be looked at in more detail. But I think that is a dead giveaway. 
Now, when you have a platform like ours, which looks at multiple data sources, I think that is what makes us provide a much stronger signal, rather than just true or false positive, and say, hey, you know what, we saw a recon activity, or we saw a mass installation activity, or we saw communication to a known bad from intelligence, or something of that sort. We are able to correlate all that information: I saw a hit from a system that is known to be bad from the deep legislating. Or I say I saw a hit on the system, and then I saw it reach out, make a script-based decision to reach out to something outside your network, not web browser, not originating via browser. And then we saw something come back, and then that system did something else, like it tried to actually look around itself and see who else was operating here, are the keeper specific ports, looking for failed logins. It doesn't have to be five failed logins, like the classic pieces; even if it's a single failed login, attackers today are very patient. Right? So we look for those kinds of patterns, trying to map them together, which gives you a much stronger signal. We call those Beitrag state, but anybody could bring up any name they want. But essentially, we're mapping across the belt and say, okay, this now actually looks like an attack to me. It's not an isolated incident. And this looks like an admin activity to me, but it is still unusual, because he's using the concept of really unusual or using that activity, and somebody needs to take a look. Recently, there was a pen test at a customer, and they did that without informing us. And we immediately bubbled things up to them and said, hey, you know what, this doesn't look right to us, primarily because we've never seen these woffinden. You know, these are okay for System A, B, and C; these are expected because you're using some custom software which to pay. But we're seeing it on multiple systems now, and that's not okay.
And oh, no, no, because they were actually.

Shiva Maharaj Kontinuum 37:13
But how many companies are actually aware of their assets and able to identify them and inventory them?

Kiran Vengavati 37:20
And that's where the network probe actually starts to bring value. Majority, it's not fair to expect people to know their assets, majority of the time, not because they don't want to; even with all the right intentions, things like eviction, shadow IT and other things come into play. Every organization has, you know, businesses, your credit cards, and nothing is stopping them. And Middletown types, people do it with a good intention that they want to actually take the business forward, or the primary purpose of business is to build business, not necessarily to collect them. So it just happens to be something they have to do as they move along. And it just happens. I mean, I've worked with Fortune 10 companies, 1400, and much smaller organizations, 700, 800 employee organizations also. It just is sprawl that keeps happening over and over again; we are constantly playing catch up. So your network probes that really deliver a lot, and tools like Cisco ISE, that bring intelligence into what kind of devices are connected, which devices are connected, which user is coming from which kind of device, and we love them. Those are actually, we integrated Cisco ISE. And one of the interesting things we do is when we see activity from non-standard user devices, then we treat that as a suspect. For example, Shiva always comes in from his laptop; if I see him coming from a Linux system or trying to connect from one of the sensors, IoT devices or something else, then I will raise an alarm.

Shiva Maharaj Kontinuum 38:53
So why would a company go with you versus trying to build their own internally by connecting 1000 different products that don't actually work well with each other?

Kiran Vengavati 39:03
So why does any company buy products, not building them themselves? The majority of the IT organization,

Shiva Maharaj Kontinuum 39:09
So they don't lose budget for next year.

Kiran Vengavati 39:11
Support becomes a major, right? I mean, and constantly keeping it up to date. And you know, there's been no bonded labor for the last 50 years, so people are free to move around. And the person who had this, they move around, they take all the intelligence. And this has happened over and over again. And we get to see the majority of this in most enterprise customers today, where over a period of time they have so much legacy top pair that nobody knows what a given function does. Nobody knows where it even sits, what it talks to, and what access credentials; it just works at DOD. And these are major challenges, right? I mean, if you ask me, I've been on the other side of the table for 25 plus years, and we this board about reliability, constant updates and support. So you wanted to close out with. Now, I think that your questions are spot on. I love being on your show. Thank you.

Shiva Maharaj Kontinuum 40:08
Thank you, and how can people get in touch with you if you even want to hear from us?

Kiran Vengavati 40:13
We have a chat bot on our website, Blue Sapphire dot out. You can also email me directly. I'm the CEO, and I do look at all my emails myself. Didn't lose that paradox. If you want to reach out for more information, info is a very good spot to get there: info at Blue south. We're active on Twitter. You can tweet us and we'll respond back. A team will be constantly monitoring the assets.

Transcribed by https://otter.ai