Remember those halcyon days when you could just stick an antivirus on your desktop and not worry — before all these confusing initialisms like EDR and NDR….
Well, turns out, they aren’t as complicated as you may think.
And I can’t think of anyone more qualified to explain why than Chris Nyhuis, President and CEO at Vigilant, who joins the show to shine some light on why the old-fashioned AV is seen as a relic of the past — and whether the new tools that have replaced it are buzzwords or brilliance.
- How EDR differs from AV
- What NDR and ENDR are
- The pros and cons of automating security
- Why compliance isn’t enough
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
This transcript was generated primarily by an automated voice recognition tool. Although the tool is about 99% accurate, you may find some small discrepancies between the written content and the native audio file.
Narrator (intro/outro) (00:00:06):
You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice, and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:00:26):
Hey there, and welcome to another episode of The Virtual CISO Podcast. With you, as always, is your host, John Verry, and with me again, is Andrea VanSeveren. Good morning, Andrea.
Andrea VanSeveren (00:00:35):
John Verry (00:00:35):
Or should I say, “Good afternoon.”
Andrea VanSeveren (00:00:37):
Yeah, well, nobody knows, but thank you. Hey everyone.
John Verry (00:00:39):
There you go. And now they do. They didn’t know until I made the mistake of telling them that I screwed it up. So, what did you think of my conversation with Chris?
Andrea VanSeveren (00:00:47):
Good. So I always like a good Teddy Roosevelt reference. We don’t have enough of those in life. But, aside from that, I thought it was a great episode. As a former CISO, Chris has worked on some really innovative methods for defending companies against cyber attacks, and he’s seen a lot of different types of situations.
John Verry (00:01:08):
Yeah. So why I asked Chris to be on, and I really like this about Chris, is he’s of the same mindset as me that there’s way too many buzzwords being thrown around. And you’ve got EDR, and MDR, next gen, and XDA. And what I love about him, is he kind of brings it down to a very simple level, and this idea of translating these new buzzwords back to the fundamental basics of what these tools do, and why we need them, and how to optimally implement them. I think he does a really good job of that.
Andrea VanSeveren (00:01:38):
Yep, yep, absolutely. So I think you’ll really want to hear some more, so if you’re a CISO, or an IT leader, you want to hear about how you can ask some more detailed questions to your end users, kind of getting through the buzzwords, and the current endpoint detection, and antivirus tools they’re using to really understand what the pain points are, and see if maybe there are some additional services, or responses you can provide to deliver more value, and IT security operations. Because really, it’s about the value add, and the value prop, and what those pains are.
John Verry (00:02:14):
Yeah, I mean, at the end of the day, it’s the idea of ensuring that we’re getting the trusted information that we need to be secure, and we’ve got the overlying services or approach to use that information in a meaningful way. So, let’s get to the episode. Chris, nice to finally meet you. You and I have had a hard time making this happen.
Chris Nyhuis (00:02:38):
John Verry (00:02:38):
So I hope you’re going to bring it big time, to kind of [inaudible 00:02:43].
Chris Nyhuis (00:02:44):
I don’t mess around. It’s been boiling up, ready to go.
John Verry (00:02:47):
All right. So, tell us a little bit about who you are, and what is it that you do?
Chris Nyhuis (00:02:53):
Sure. So my name is Chris Nyhuis. I’m a CEO of a cybersecurity company called Vigilant. We’re 12 years old this year. Started back right in the middle of the downturn, the economic downturn, so it’s always fun to start a business back then. But the driver for us was, I was a CISO back then, worked for an organization that warehoused financial data for the automotive industry, and we had significant security budgets, significant IT budgets, and we just saw that really when advanced threats were attacking us, which back then, advanced threats, there was a big barrier of entry to get there.
Chris Nyhuis (00:03:31):
When they attacked us, they got through a lot of things we paid for to get in. And that concerned me, it concerned us, and I really started digging into that. And as a person, I’m an adventurer. I’m a pilot, I love to climb mountains, I love to solve problems. The way my brain works is very chessboard like. I just kind of see what’s before me, and I play all the different options out in 30 different warfare aspects.
Chris Nyhuis (00:03:59):
And so, I looked at that and said, “Hey, let’s go solve that problem.” And so, I’m a father, I’m an adventurer, I’m a problem solver. I love to serve, as a leader standpoint, I really think you need to be a servant leader, and I love to have fun. I love to enjoy life.
John Verry (00:04:18):
Before we get down to business, and why you’re here, we have a tradition. We like to ask what’s your drink of choice?
Chris Nyhuis (00:04:24):
I brought it actually, check this out.
John Verry (00:04:27):
Chris Nyhuis (00:04:28):
Clase Azul, it’s tequila.
John Verry (00:04:31):
Oh, I have a buddy that has the most crazy collection of-
Chris Nyhuis (00:04:37):
John Verry (00:04:37):
He’s mostly a bourbon guy, so he’s got like 130 Bourbons.
Chris Nyhuis (00:04:40):
John Verry (00:04:40):
But tequila is a close second. He’s probably got 90 tequilas. I think I may have actually had that. That’s very… It’s super rare. I know that.
Chris Nyhuis (00:04:50):
John Verry (00:04:51):
But he brought it back from… He goes down to Mexico every year, and he always brings stuff back. Is that from Mexico?
Chris Nyhuis (00:04:56):
It is from Mexico, but it’s not actually from Mexico. But check this out. So, something people don’t know about Clase Azul, is it’s actually got a hidden thing on it. So this top part is a bell. Yeah, so it’s pretty fun. One of our-
John Verry (00:05:18):
That way you can bang the bell after a couple, and somebody will come and help you stagger [crosstalk 00:05:22] to bed.
Chris Nyhuis (00:05:23):
Exactly. Yeah, that’s exactly it. It’s funny. Yes, over the years I used to be bourbon… I was a beer guy for a while, I stopped drinking beer, just turned into a bourbon guy. And then tequila just became-
John Verry (00:05:35):
Did you go Mezcal as well?
Chris Nyhuis (00:05:37):
John Verry (00:05:38):
Chris Nyhuis (00:05:38):
One of the guys in our finance team, senior finance team is from… He’s a guy I’ve known for a long time, but Miguel, he’s from San Luis Potosí, down in Mexico. So, him and I drink a lot of tequila together.
John Verry (00:05:51):
Yeah, there’s a cool little restaurant in Grand Cayman that we’ll frequent when we go there, and they have an in-house Mezcal guy that they brought in from Mexico, and he’s got just an incredible collection. And I drank a fair amount of tequila in my day, but never Mezcals. So, it was always fun going there, and trying different versions. They’re definitely related to tequila, but definitely relatively unique, relative to it.
Chris Nyhuis (00:06:19):
Yeah, my first time I had Mezcal was in LA. There’s this secret club up in the top of this office building, and we were doing some interview there. It’s a membership only type thing. And so, it’s just a way for people in the building to kind of just go, grab a drink in the middle of the day, and no one knows about it. It’s all the C level people, and the bartender there, I told him I love tequila, and so popped out Mezcal. It’s actually pretty intense.
John Verry (00:06:47):
Yeah. Pretty earthy, sometimes.
Chris Nyhuis (00:06:50):
John Verry (00:06:51):
I mean, is that is that an off flavor? Is that supposed to be there? There was a few of them I was like, “Has this gone bad? Or is this the way it’s supposed to be?”
Chris Nyhuis (00:06:59):
Right. It’s like drinking scotch. You’re like, “I don’t know. Is this supposed to taste like that?”
John Verry (00:07:04):
Scotch is just whiskey ruined by peat. But that’s another story.
Chris Nyhuis (00:07:07):
Right. What’s yours? What’s your favorite?
John Verry (00:07:11):
I do like tequila a pretty fair amount. I used to drink these drinks when I skied out west. I think it was called either a cactus bite, or a snake bite, which was like Rose’s lime juice, and like a little triple sec, and tequila. And after a good hard day of skiing, a couple of those, and off to bed, and ready for the next day.
Chris Nyhuis (00:07:31):
John Verry (00:07:32):
But if you look, I don’t know if you can see the shelf behind me, but there’s a fair number of… I drink a lot of bourbon, a lot of stouts, a lot of red wine, just because that’s supposedly healthier.
Chris Nyhuis (00:07:42):
Yeah, right. Get that [crosstalk 00:07:43].
John Verry (00:07:44):
At least that’s my story. That’s my excuse.
Chris Nyhuis (00:07:46):
John Verry (00:07:46):
Chris Nyhuis (00:07:47):
[crosstalk 00:07:47] normal fashion, pop tequila in it, in your old fashion.
John Verry (00:07:51):
Oh, that’s pretty cool. Yeah, you know what? I mess around with a lot of those things. One of my favorite things to do is add some of the bitters, like an Amaro, or Campari. So like a, what do you call it, a Boulevardier, which is like a Negroni, which I also like, but you replace the gin with bourbon. They call it a Boulevardier, which is kind of a fun drink.
Chris Nyhuis (00:08:13):
I’ll try it. [inaudible 00:08:14].
John Verry (00:08:14):
Yeah, yeah. Well, you’ve got to like the bitters, and I do.
Chris Nyhuis (00:08:17):
I do like bitters.
John Verry (00:08:19):
All right, cool. Well, listen, you and I could probably chat about alcohol for the next hour, but I don’t think people want to listen to that.
Chris Nyhuis (00:08:24):
That’s not what they want us to talk about.
John Verry (00:08:25):
Yeah, well, maybe they do. But, we’re going to disappoint them then.
Chris Nyhuis (00:08:27):
A lot of people drink tequila right now, I guess.
John Verry (00:08:30):
So, the reason why… I saw what you guys were doing, and I thought you’d be somebody cool to chat with is, that even for someone like me who lives in the information security business every day, and I live more at that governance CISO level, it’s gotten confusing. There’s a ton of buzzwords, right? I mean, so let me ask it in a very basic way. So, if we go back to 2005, and the world was a lot simpler, we had AV that you put on your desktops.
Chris Nyhuis (00:08:58):
John Verry (00:08:58):
Now you no longer hear that term, you hear just every other term, EDR being one of the more common ones. So, what is EDR? And how is it, or is it not different from good old fashioned antivirus from a dozen years ago?
Chris Nyhuis (00:09:16):
Right. So, this is the thing I think, for those of us that have been in the industry for a long time, we’ve seen it evolve, we’ve seen things like renting other people’s servers, and processors turned into… Which wasn’t a sexy name for it, turned into the cloud. And then everyone’s like, “Oh, I want some more of that cloud.” And you could never sell servers, and processors in a data center, but you can sell the cloud, because it sounds cool.
Chris Nyhuis (00:09:38):
And that’s what happens a lot in this industry, is that I think the consumer gets tired of hearing the same thing over and over again. So, it’s just kind of like, they will just want something new and exciting. And a precursor, because we’ll probably talk about later, but they want to be new and exciting because they inherently feel that it’s not working. Right? So they want something new and exciting, so the industry comes out with this brand new term, to name it something else.
Chris Nyhuis (00:10:04):
Like XDR came out last year. Well, XDR is really just getting data from all the things, and doing something with it, right? Trying to compress it in the same data sets, you can look at it. EDR, endpoint detection and response, I mean, it’s really taking the same type of… Taking a client on an endpoint, desktop, laptop, whatever it is, getting data out of it, and then reacting to it proactively, right? So, the methods, the ability, the things like that, that we used to do with AV, it’s really more wrapping a service around it, right?
John Verry (00:10:38):
Chris Nyhuis (00:10:39):
The terms, and the types, and the approaches have just come [inaudible 00:10:46] in both the consumer, people buying things, and what they want, because that’s changed, but also what is provided as a service in today’s world, which 10 years ago, there weren’t a whole lot of services out there.
John Verry (00:10:57):
Gotcha. Gotcha. So, if you go back to like, again, I think most people are comfortable with the concept of antivirus, and they think of signatures, right? How much of EDR is still living in that signature, where we have concerns about zero day? How much of it now has kind of moved into artificial intelligence, machine learning? How much of it is interpretation by people? Tell me a little bit what happens. Like you said, you’ve got this client sitting there, and it sees something.
Chris Nyhuis (00:11:26):
John Verry (00:11:27):
Right? How did it know what to see… What happens at that point?
Chris Nyhuis (00:11:30):
Right. So, there’s… And especially as services come around, whenever you… It’s a little bit of a loaded question. But when you go after, and go down the path of a service, for instance, there’s a give and take for most service providers, because for a service, you as the consumer want as much of that service as possible, for as little as you can pay for it. And the service provider wants to give you enough service to where they still make a really good margin, and can take that money back to them.
Chris Nyhuis (00:11:58):
So, it really comes down to whose value are you after? Right? In a lot of cases, I would say the industry today is not necessarily looked at as a care industry, like you would with healthcare, for instance, right? So when you look at the endpoint, the system itself, when something triggers, what it’s evolved to, is very specific detection automators. Because what automation does, is it minimizes the workload for the analyst on the back end.
Chris Nyhuis (00:12:29):
So, if you think about it from AV days, right? Why did everyone really hate Norton Antivirus so much about 15 years ago? Well, they hated Norton Antivirus, because it bogged down systems, and it became very noisy, right? And so, for about six months, the entire industry went, “Well, let’s go to something else.” Six months later, Norton came out, and said, “Hey, we’re a lot faster. We’re much faster, much better, we’re better.”
Chris Nyhuis (00:12:54):
But what happened in that scenario is they tuned it, they took out some algorithms they were looking for, some detection, they took out some of the processing things that they were looking for, and they tried to make it a little bit more efficient.
Chris Nyhuis (00:13:06):
So, to follow that path, when you have antivirus, or endpoint, or anything running on an endpoint, and a piece of malware pops on there, it’s primarily, in today’s world, looking for something that it already knows about, to be able to detect it. And when you enter in things like machine learning, and AI, what they’re trying to do there is minimize the time period that it takes for that technology to know about what’s there.
Chris Nyhuis (00:13:38):
So in a lot of cases, it’s still the same thing. It’s still about trying to detect what you know about, and whether you knew about it, because you went out and did an investigation and found out the way a hacker was doing something, and you created an algorithm, or whether you learned behavior from that system, how the user does things, and you’re looking for, is this new behavior different? Or you’re looking for something like machine learning, where machine learning basically did those two things, but without an analyst present, and did it in an automated fashion. Right?
John Verry (00:14:16):
Chris Nyhuis (00:14:16):
Yeah. And then that sends an alert to somebody, that then does something, whether it’s done automatically by the technology, or is done by some analyst somewhere.
John Verry (00:14:25):
Gotcha. So that was exactly the next question I was going to ask you. So, current gen EDR, your particular product, right? Does it take more direct action, like old school, what I would call IDS, IPS, intrusion detection, which would just make noise, versus intrusion prevention, which would actually block an action? So does the EDR take action directly? And if so, what type of action? Or does it alert, and work in concert with a SOC, or a SIEM, or somebody who sees the information that the EDR forwarded?
Chris Nyhuis (00:14:58):
Yeah, and I would say it all depends.
John Verry (00:14:59):
Chris Nyhuis (00:15:00):
Because when you take the person out of the scenario, with the personnel, security for you is really just guesswork. It’s guessing, and you’re hoping that this technology guesses well enough. And if you think about it, in terms of your own life, would you put a mechanism, and attach it to your heart, that would guess whether or not you’re healthy or not, or whatever, and then make a totally uninvestigated decision, and then take action? Probably not, if it was life or death for you.
Chris Nyhuis (00:15:32):
And the thing you have to really realize as an organization is that this is life or death for your organization. Security is… You can make a lot of really bad financial decisions and recover from that over years, you can make a lot of product decisions, things like that, but security you can’t. And so, when you take the person right out of it, you create a scenario where you’re relying on a piece of guess.
Chris Nyhuis (00:15:54):
So, the reason I say it depends, is because it depends on the threat that you’re dealing with. If it’s a threat that’s kind of like an on off switch, if it does this, it’s exactly that, right? Do this, right? And you can do those things. And that becomes this automatic detection standpoint of things, and automatic, what we would consider prevention, where you detect something, and you automatically shut it down.
Chris Nyhuis (00:16:17):
If you’re in a scenario where your risk of shutting down that communication is low, then intrusion prevention automatic is not necessarily high risk for you, and the risk of not shutting that potential threat down is higher. But if you say, put a heart monitor on a person in a hospital, and it’s the difference… Or a medication device, and it’s that automatic preventative decision, can cause that device to fail. Or you’re in a banking scenario, where if communication was shut down, you might lose a billion dollars in transactions, that causes an issue.
Chris Nyhuis (00:16:58):
So, organizations have to really look at the security that they put in place, look at the risk over the thing they’re protecting, and it has to be granular. All right? Because security can’t be one size fits all. It has to be built for you. And they have to look at that risk and say, “What do I want to do automatically? And then what do I need to involve people in?” Right?
John Verry (00:17:20):
Chris Nyhuis (00:17:20):
To make those decisions, based on the risk of it. Because the other aspect of that too, and we’ve had major incidents, we’ve gone in where there’s a nation state, coming through a company that picks up trash, right? You would never think they’d be involved in a nation state, to nation state war, but they bounce through that organization, and back out to another company. If their detection automatically just stopped things, well now you just destroyed evidence, you just destroyed maybe a potential ability to understand how someone got in all these things. So, does that answer your question?
John Verry (00:17:55):
Yeah, it does. And the sad part about it, I’m sitting there listening to you, and I’m thinking to myself, I can remember the first time I ever saw a Cisco security agent, it was actually before that it used to be called Okena StormWatch.
Chris Nyhuis (00:18:06):
John Verry (00:18:06):
The McConnells were the founders of that company. And I remember seeing it, and thinking to myself, “This is amazing technology.” And it’s how many years later, it’s got to be 15 years later, and we’re still having the same conversations about IPS, that IPS in principle is a phenomenal idea. But, everybody is scared to death to turn it on.
Chris Nyhuis (00:18:26):
John Verry (00:18:28):
Which is such a shame, because fundamentally, I would have hoped that we would have advanced more in the last 15 years.
Chris Nyhuis (00:18:34):
Yeah. And that’s a difference. So like what we do here, data is the key, right? But when you have data, what that means for the security provider, and this is the key, right? It means that you have less margin, you have to do more work, you have to do more investigations, right?
John Verry (00:18:50):
You’re explaining why we got out of the active SIEM business. We used to run SIEMs, and I’ve run SOCs too, and the problem is that clients think they want information, but they want the problem solved. But solving those problems, and having people on call, and having people do these investigations costs time and money. So, it’s a terrible challenge, between achieving what somebody wants to achieve, and being willing to pay the price that’s necessary to achieve that. It definitely is a challenge.
John Verry (00:19:19):
Okay, so question for you. So, I don’t know if we’ve blurred the conversation a little bit, right? And I know that you guys, the common phrases, and phrases you use on your website, EDR, and MDR. So, MDR, what is MDR, and is MDR part of the conversation we just had about EDR?
Chris Nyhuis (00:19:36):
It is somewhat. So, the reason, by the way, that we use EDR and MDR is just because that’s what the industry has evolved to.
John Verry (00:19:43):
But you haven’t used next gen twice in front of your products, which is what you’re supposed to be doing, isn’t it?
Chris Nyhuis (00:19:49):
I know, I know, I know.
John Verry (00:19:51):
I was literally on a call with somebody, and they were like, “No, this is a next gen, next gen firewall.” And I stopped for a second, I was like, “Oh, we’re sorry, we can’t buy this.” He’s like, “Why?” I said, “Oh, we want the next next next gen firewall. You guys are clearly a year behind.”
Chris Nyhuis (00:20:10):
Yeah, right, right. Someone clearly wasn’t thinking when they came up with next gen, because where do you go from that [inaudible 00:20:19]?
John Verry (00:20:18):
Chris Nyhuis (00:20:18):
John Verry (00:20:19):
Chris Nyhuis (00:20:21):
[inaudible 00:20:21] Bestest? Next gen times three?
John Verry (00:20:24):
Chris Nyhuis (00:20:25):
MDR is more managed detection response. It’s really… And this is the confusing part for people sometimes, just because of all these acronyms. It’s really what XDR has become.
John Verry (00:20:36):
Okay, so I don’t know what XDR is. Can you tell me what XDR is?
Chris Nyhuis (00:20:40):
Yeah, it’s extended detection response. Isn’t that cool?
John Verry (00:20:42):
That sounds an [inaudible 00:20:43], honestly, Chris.
Chris Nyhuis (00:20:46):
Yeah, it’s amazing. Yeah, we’re going.
John Verry (00:20:50):
Who wouldn’t want to extend it? I mean, do you want regular detection response, or would you like it extended? Of course, I want extended.
Chris Nyhuis (00:20:59):
I want extended. Exactly. It all comes down to this concept of like, data, you’ve got to get data out of things, and you have to get it in such a way that you can trust it, and then you can make decisions on it. Right? EDR is endpoint detection and response. So, it’s taking data out of endpoints. It’s more than just threat information. You have to have what’s happening in the processor, what’s the service tag? What’s the user doing? Who’s logged in? All of the things you would think from an operational standpoint, that don’t necessarily constitute security detection, and combine that together. Right? That’s when it gets really hard to do automatic detection. You have to really tune that in.
Chris Nyhuis (00:21:42):
MDR is this concept of EDR, endpoint detection response, and network detection and response, NDR, put together, right? So, it’s just those two things. It’s looking at those two things. I’ve got another acronym that’ll really blow your mind here.
John Verry (00:21:57):
Okay, so NDR is network detection response?
Chris Nyhuis (00:21:59):
Network detection response, yeah.
John Verry (00:22:02):
And how are we doing that? Do we have a sniffer on the network? Or how does NDR work?
Chris Nyhuis (00:22:05):
It’s all over the place. I’ll tell you what, if you have a-
John Verry (00:22:08):
Are we tapping on a core switch?
Chris Nyhuis (00:22:11):
Right. Yeah. So I mean, NDR is done in a couple different ways. The cheapest and easiest way that security providers do it with, is asking you for a mirror link, right? Not a tap, they want a mirror. The reason they want a mirror-
John Verry (00:22:27):
Tap is old school. What did they used to call them? [Schmidty 00:22:30] taps, or something?
Chris Nyhuis (00:22:30):
Yes, Schmidty taps. They don’t want to buy a tap. That’s why, that’s the whole point. They don’t want to buy a tap.
John Verry (00:22:41):
So they just use… That’s a SPAN port that you guys use at that point?
Chris Nyhuis (00:22:42):
Yeah, so they say, “Oh, we’re going to use your existing equipment, nothing else to buy, it’s so great. It’s so good for you. We’re going to put a mirror port in.” What people don’t know, and even in the community, a lot of times, they don’t know that mirror ports cause a significant amount of packet loss. Right?
John Verry (00:22:58):
I didn’t know that.
Chris Nyhuis (00:22:59):
If you take a switch, right? The switch’s primary job is what? To be a…
John Verry (00:23:04):
Transfer mechanism. It’s a switch, right.
Chris Nyhuis (00:23:06):
It’s a switch.
John Verry (00:23:06):
Switch traffic, direct traffic to the right MAC address, basically.
Chris Nyhuis (00:23:11):
Right, right. And if you’re trying to pass traffic fast, you design processors to pass traffic fast. You’re not designing processors to do deep level investigations. It’s the same thing in firewalls. Most of them are ASIC chipsets, because ASIC chipsets can store and forward fast. They’re not meant to do deep level, real time, line speed investigations.
Chris Nyhuis (00:23:33):
And so when you take an algorithm, like a SPAN port algorithm, and you put it on a switch, the primary job is a switch. So, if switching doesn’t happen, because you turned mirror ports on, a whole lot of people are going to be really pissed off. So, the mirror spanning port algorithm has a lower priority than the primary priority of the switch itself. And so, as the switch starts to do more, and gets congested throughout your day, what happens? Less and less priority is given to the SPAN port, so you’re only getting part of the conversation.
John Verry (00:24:05):
Chris Nyhuis (00:24:06):
And so network detection responses, its goal is to get all the information passing across your network, and the points that it’s running, collect that, and investigate it. Right? And do investigations off that. So, you have disparity between what different security providers do. A lot of them use mirror ports, because it’s cheap, it’s easy, you just pop in. But what can then enter in? One, packet loss, right?
Chris Nyhuis (00:24:32):
Think about this conversation, if people only turned on, and say we had a lot of lag, right? And it was choppy, and they only heard 60% of our conversation, they’re not going to really know exactly what we’re talking about. In the case of security, if you’re only getting some of the conversation, and you tap on top of that machine learning, algorithms, behavior analytics, you’re creating analytics, and behavior, and decisions off of some of the conversation.
Chris Nyhuis (00:25:01):
So, using taps is more expensive, but you’re going to get line speed information, you’re going to get line speed analysis, you’re going to get most, if not all of the conversation, and you can make better decisions off of that. Now, just as when… So those two types of things.
Chris Nyhuis (00:25:19):
The other aspect of NDR is there’s a lot of disparity in how they do what they do. Some are just running the information through algorithms. Some like us do full packet capture, we’re storing that for a long time. We’ve got some patents around how we distributively analyze that. You create log, event, network metadata from that. There’s all kinds of different ways to use that information, the more data you get.
John Verry (00:25:44):
So let me ask you a question there. So, EDR, I have visibility into what’s happening on each of my desktops. Right?
Chris Nyhuis (00:25:51):
John Verry (00:25:52):
EDR, typically, do you guys typically run EDR on servers as well?
Chris Nyhuis (00:25:55):
We do, yeah. Yeah.
John Verry (00:25:56):
Okay, good. Okay, so now, basically at that point, I have all of the systems in my environment, I have some visibility into. So what does NDR give me that EDR doesn’t give me?
Chris Nyhuis (00:26:06):
So, can they… And you’re on video [inaudible 00:26:09].
John Verry (00:26:08):
I want to see Bono on there right now.
Chris Nyhuis (00:26:10):
Bono is awesome, isn’t he?
John Verry (00:26:13):
Yeah. You’re not going to draw on Bono, are you?
Chris Nyhuis (00:26:14):
Oh, I’m going to draw to the side of Bono.
John Verry (00:26:16):
Chris Nyhuis (00:26:16):
John Verry (00:26:17):
Chris Nyhuis (00:26:18):
Think about this as your endpoint, right? You run EDR, you’re running that inside the device. So kind of think about this logically, right? I got a system that I’m worried about it getting taken over by a threat, right? And when the threat takes it over, they’re most likely going to get root level, or admin level access.
John Verry (00:26:39):
So they turn it off, so the NDR gives us the ability to see it. All right, I got you.
Chris Nyhuis (00:26:44):
But, it can actually miss it, too, right? Because if I have admin access, I can control things coming in and out, I can determine what EDR sees, what it doesn’t alert on, all of those things. So when you look at network detection, network detection operates, if this is another PC, right? So PC one, PC two, or endpoint one, and endpoint two.
Chris Nyhuis (00:27:08):
Network detection is going to operate in all the air around things, right? And so, network detection is, if you think about it, is what you see. Like if you were going to go, if you saw someone commit a crime, right? You run down the street, see a crime committed, you saw it with your own eyes, you can say, “Look, you absolutely did the crime, I saw you with my eyes.” You created this evidence.
Chris Nyhuis (00:27:33):
That’s what NDR is going to give you. It’s going to give you unadulterated information that no one can change. It’s going to be exactly what happened between this point, and this point, right? When you combine that in an MDR way, with what you’re seeing inside the device, well, now you’re getting what the device is telling you about itself. “Hey, I didn’t steal that car.” “Well, I just saw you steal it. Of course you did.” Or, “I’m not sick.” “Dude, you’re coughing, and hacking up. Yes, you are.”
Chris Nyhuis (00:28:04):
This is going to tell you what you saw. This is going to tell you what the thing is telling you about itself. And when you combine those two, now you can start to get a better picture. And I can tell you really quickly, if I see a communication here, and this inside here is telling me it didn’t happen, there’s something wrong.
John Verry (00:28:25):
Chris Nyhuis (00:28:26):
John Verry (00:28:26):
Right. And I guess the other big thing here is that most malware, especially ransomware, likes to propagate. If, for some reason, the original device isn’t able to tell us that, we’re going to see the propagation through the NDR. Okay, that was a good description. Thank you.
Chris Nyhuis (00:28:40):
Now you put them together, that’s in MDR, which now has turned into XDR.
John Verry (00:28:44):
Right, of course, and everybody wants the XDR.
Chris Nyhuis (00:28:47):
Right, [crosstalk 00:28:47].
John Verry (00:28:47):
And you guys are going to be first to market with the Next Gen XDR, based on our conversation, I think, right?
Chris Nyhuis (00:28:51):
Yeah, well we’ve been doing XDR for about 12 years now. And so have a lot of people, right? XDR, it just means it’s extending to things outside of those two. So cloud, whatever, right? And then you have SASE now, which is your-
John Verry (00:29:08):
What do we have? Oh, SASE.
Chris Nyhuis (00:29:09):
John Verry (00:29:10):
Yeah, I’ve heard people call it says, sassy, yeah.
Chris Nyhuis (00:29:15):
Yeah. It’s really just XDR. It’s XDR with more prevention built into it. Right?
John Verry (00:29:21):
Chris Nyhuis (00:29:21):
[crosstalk 00:29:21] Yeah.
John Verry (00:29:22):
So what kind of threats is EDR, and or in combination with NDR, good at detecting, and are there any threats that it really can’t detect?
Chris Nyhuis (00:29:34):
You know, that’s a loaded question.
John Verry (00:29:36):
Chris Nyhuis (00:29:36):
I like loaded questions.
John Verry (00:29:38):
That’s my job. I mean, otherwise, why am I here, Chris?
Chris Nyhuis (00:29:41):
Right. Yeah, exactly. It’s all about placement. Right? NDR is… It depends where you’re doing it. Some people will do… Well, let me say it this way, NDR out of your firewall is going to miss a ton of stuff, because it’s only going to be detecting what’s going through your firewall.
John Verry (00:30:03):
Right, North, South, not East, West.
Chris Nyhuis (00:30:05):
Right. But even external, like your firewall’s a vulnerable piece of machinery. It’s literally just a server running on hardware. It’s not this impenetrable device. And so, that’s another benefit of doing NDR with taps, right? Because it’s on the line, no one can take away your ability to see, they’re not going to change… Hack into your firewall and change something, or hack into your switch and change your config. They’re not going to take away your visibility.
Chris Nyhuis (00:30:32):
So, NDR is going to give you more of a holistic attack, and you’re going to see things at lower levels of communication. So, if you remember the OSI model, for instance, a lot of security has pushed itself up into the upper levels of that. And for those of you that don’t know what that is, for some of the younger ones of us out there, the TCP/IP model, we went from seven layers, to less.
Chris Nyhuis (00:30:58):
But it’s really just, if you look at, it’s the way that two things communicate, it’s standards. So as communication, like my voice is going into my microphone, going across the internet, as it goes into my microphone, it gets an envelope put onto it, and then it goes to another level of communication, another envelope gets put on, seven times, until it gets to an ethernet cable, it goes across that, gets to your site, and then unpacks, right? I know, you already knew that, I just wanted to let everyone else know.
Chris Nyhuis (00:31:25):
And so you have these seven layers of communication, and the endpoint detection and response operates more at higher levels of that, whereas NDR done well can operate at almost all seven, in most cases. And so if there’s attacks, like there’s a layer called the session layer, right? NDR is going to see more session layer attacks, and more physical layer attacks, or more layer two broadcast attacks [crosstalk 00:31:53].
John Verry (00:31:52):
Certainly. Certainly the layer two is really, I think, a huge advantage.
Chris Nyhuis (00:31:56):
Huge, right, where you’re not going to see that with endpoint. And so endpoint, if you think about it, it’s more of a less trusted data set, than an NDR data set would be.
John Verry (00:32:07):
Gotcha. But you still didn’t answer my question. I don’t know if that was intentional.
Chris Nyhuis (00:32:10):
John Verry (00:32:11):
I mean, so let’s talk about the important… I think the biggest thing most people are concerned about, is that any form of access into an environment these days, it seems the way that they want to monetize it is ransomware. How effective is EDR, and or NDR against ransomware? And most of them are… Often the ransomware isn’t the first, often there’s a RAT, or something like that, or a remote access tool, put onto a machine, then the other stuff comes.
Chris Nyhuis (00:32:39):
John Verry (00:32:40):
What percentage of the stuff, the bad stuff that can happen, could a good product, with good managed detection and response supporting it? I mean, are we still vulnerable? Because life is about being vulnerable, or are we almost, like we got 99% or 98%?
Chris Nyhuis (00:32:59):
Yeah, you can get to 100% ability to be able to reverse engineer attacks, right?
John Verry (00:33:06):
Chris Nyhuis (00:33:06):
You’re not going to ever, at least right now, if anyone tells you that they’re going to detect all attacks, the moment it happens, they’re lying to you.
John Verry (00:33:13):
Okay, so zero day is still zero day.
Chris Nyhuis (00:33:16):
Yeah, but zero day, here’s the interesting thing, and I’ll actually draw a quick example, it will help people understand this a little bit. But, zero day, if you read the most recent IBM report, the most recent IBM report said that it’s, I believe, 315 days, on average, to detect, and contain a threat, when it’s done in someone’s environment for the first time, on average.
Chris Nyhuis (00:33:39):
That means threat actors are in your environment, using brand new attacks for 315 days, on average, before they’re actually detected. Last year it was 212 days, something like that, so after a significant year of new advancements in cybersecurity, it’s 100 days later. 100 days [inaudible 00:33:56], right? And it’s because of this idea that all these things are becoming more automatic, in a lot of cases, right?
Chris Nyhuis (00:34:05):
And threat actors are, if you really look at what threats are doing. They’re not fully automating their attacks. In most cases, what we’re seeing, we go into organizations that had incidents, we’re seeing initial entrances to these organizations are manual. And they’re moving manually.
John Verry (00:34:22):
Because they know… These guys are smart, right? They know how you detect what they’re doing. Right? So, what they’ll do is just intentionally… I mean, it started as early as when people were running vuln scans, just slowing down the scan, knowing that back in the old days, WatchGuard firewalls always had… You had a trigger port you could turn on. If you looked at a bad guy’s system, that one port was left out of the scan.
Chris Nyhuis (00:34:47):
Right, you’re like, “What in the world?” Well, I mean, think about it. And we call it credit card security, we actually trademarked that. Credit card security. So, if you can buy it with a credit card, so can a threat actor.
John Verry (00:34:58):
Chris Nyhuis (00:34:58):
And so, security’s become so commoditized in today’s world, right? Because we don’t understand warfare in the United States, we just don’t. Outside of here, if you travel, and you talk to people, pretty much every other country out there understands warfare. We just don’t get it any more, because we aren’t face to face with it every day here in the US. And so, we don’t think with warfare in mind.
Chris Nyhuis (00:35:21):
And so, when you think about it, every firewall you buy, every antivirus that you buy, unless somebody has change [inaudible 00:35:33] and change and things, change it on the inside, every piece of intel you can buy, all the best practice documents that come out at the end of the year, that everyone goes, “Oh, my gosh, let’s go do that best practice list now.” Right? All of those things are easily accessible to your threat.
Chris Nyhuis (00:35:52):
And what they do is they buy these things, they put them in their labs, they write malware against it, they can literally log into it, and see exactly what it can detect, and what it can’t, and they tweak it just enough to where it no longer detects that attack, and then they go attack you, and they keep testing their attack in their labs, all day long, until eventually it’s detectable.
Chris Nyhuis (00:36:15):
Because what happened? It went out, it was used for 315 days on average, and then some security researcher out there found it, tore it apart, reverse engineered it, created algorithms for it, uploaded it to the manufacturer, the manufacturer dumped it down to all the endpoints, and all the firewalls, and guess what? Including the ones that the threat actor has in their lab, and now they know what they’re doing. So, that’s where, when you say, “What can it detect, and what can’t it?” In most cases, because these systems are not managed, and curated for organizations, people are installing firewalls, even managed service providers, right? They’re installing firewalls, or endpoints, and they’re just checking the boxes, hitting next, next, next, and enter, and it’s a default installation.
John Verry (00:36:57):
Chris Nyhuis (00:36:58):
And so, it can’t detect much at that point.
John Verry (00:37:02):
Even more amazing to what you said is that not only these guys doing it themselves, but like when you looked at the old Zeus malware, Zeus malware had options that if you licensed it as a bad guy, you could say, “Run it through.” And they actually had up to like 50 different antivirus endpoint detection applications. You could check them off, and it would say, “We’re going to charge you an extra $500 to do this.”
Chris Nyhuis (00:37:23):
John Verry (00:37:24):
So, people are actually selling that as a service. Test your malware against all 50 of these antivirus package… It’s nuts what they’re doing.
Chris Nyhuis (00:37:32):
Yeah, right. Yeah. So, to answer [inaudible 00:37:34], in most cases, if it’s a trending attack, or a trending alert, trending virus, or trending ransomware, or trending whatever, it’s going to find it.
John Verry (00:37:43):
Chris Nyhuis (00:37:43):
As we all know, like with Bitcoin, it’s trending now. Is this the best time to buy Bitcoin? Still, you probably should, because it might go up. But the best time was like 10 years ago, when it wasn’t trending. And the same thing with threats, by the time they’re trending, or by the time you’re following best practices, you’re too late.
John Verry (00:37:59):
Chris Nyhuis (00:37:59):
And most things that are going to attack you, you’re not going to find, unless you’re doing deeper detection.
John Verry (00:38:05):
Gotcha. So, completing the… At least some large percentage of the buzzwords in your industry, is MDR different from SOAR? If someone’s listening, and we already have a SIEM, is MDR different than a SIEM? Or is MDR closer to managed SIEM? How does somebody figure that out?
Chris Nyhuis (00:38:25):
I’ll draw it for you. It’s pretty simple.
John Verry (00:38:27):
Chris Nyhuis (00:38:27):
Yeah, so if you think about a SIEM, so in NDR, think about it like this. NDR creates, right? SIEM collects. Created data is always better than collected data, right? And so, a SIEM has the same problem that EDR has, is that it only is as good, even if it has the most amazing machine learning, and the most amazing detection algorithms, the most amazing people behind it. It’s only as good as the data that it’s received. That’s it.
Chris Nyhuis (00:39:00):
And SIEM came out of… And it’s a great idea. But if you think about it this way, when we were all network people back before they called us a security industry, and we were sleeping on data center floors, and we’re trying to find out problems and things like that. The way we maximized our life was we said, “Let’s create a logging server, and it will tell us if the hard drive is going to fail. And then we can look at thousands of servers in one console, at one time, instead of having to log in to each one of those.”
Chris Nyhuis (00:39:28):
And so, the same people that were doing network analysis, and things like that said, “Hey, let’s do that with security, too. Let’s collect all these logs.” And that’s a good thing because you’re collecting all the logs. But, I can’t tell you how many incidents that you run into, that the logs don’t have much of a complete story about what happened. And the reason for that is because it’s collected.
Chris Nyhuis (00:39:54):
If a threat actor jumps onto a system, the first thing they have to do is look where the logs are pointing, right? Or they have to modify it somehow, or change it somehow. And your time, basically, from when that threat actor gets onto a system, you have a timer running, right? And basically, you have to find that threat before your storage rolls off. Right? Because most people don’t have a ton of storage on their SIEMs.
John Verry (00:40:25):
30 to 90 days is not uncommon.
Chris Nyhuis (00:40:27):
Not uncommon, but man, if it hasn’t happened enough, or they’ve run low and slow, and by the way, threat actors can buy the same SIEM you have, so they know exactly what it can detect. So, you have 30 to 90 days to detect that, and every moment, from the moment they get in, you’re down, all they have to do, is that means they have 30 to 90 days to manipulate this system, so it no longer sends information about what they’re doing on that box. Which is a crazy benefit for them, because you’re not sitting there looking at just that.
Chris Nyhuis (00:40:59):
And where logging works in the… I mean, it works, because logging is always… Having logs is great, because you can do comparative analysis, you can do all these things. But you can’t look at a SIEM, and go, “Man, I got a SIEM, we’re all secure, we’re going to find all the things.” Because you actually don’t have anything to verify its trustedness. Right?
John Verry (00:41:18):
Chris Nyhuis (00:41:18):
You don’t know that it’s there. Whereas if I have a SIEM, and I’m collecting information, and I’m doing NDR around the box, well now I can compare what’s happening around the box, with what it’s saying about itself, and it tells me what’s there. And so, if you just have that SIEM, without the NDR, you’re going to be flying blind in a lot of cases, and that threat actor is going to really manipulate you. The other thing is, they can manipulate you with the information, because they can generate traffic from you.
John Verry (00:41:47):
Yeah, they can intentionally get noisy, so that your signal to noise goes down at your SIEM.
Chris Nyhuis (00:41:52):
They’re smart. They’re smart. And when you think about it, they’re after… I mean, now we’re in the world of ransomware. I mean, they’ve come into organizations in the mid market and get $6 million from them easily. So, if I’m a threat actor, and I can get $6 million, if I even invested $3 million into my attack on you, and I can replicate that to other companies, man, that’s a great return on my investment. So, I’m going to be very good, and if you’re a company that is in the mid market, and you’re just throwing automated detection at things, or you don’t have a security provider, you don’t have a security team, then your chances of stopping these threats early on are pretty slim.
John Verry (00:42:33):
Gotcha. Do you consider MDR… Because I mean, so when you’re talking about like a full fledged MDR, right, you’re talking about the fact that we’ve got the EDR and NDR communicating to us, communicating back to you, and you’re part of that analysis, right? You’re part of that, letting us know if something’s going on, right? Just to make sure that that’s the managed part of it.
Chris Nyhuis (00:42:54):
John Verry (00:42:54):
Chris Nyhuis (00:42:54):
Yeah, right. Yeah.
John Verry (00:42:55):
So, do you consider, like when you think about SOAR, the security… What is it? Security orchestration, and response, do you consider MDR SOAR? Or is SOAR something that’s got to be more automated, right? Because I mean, I get asked these questions all the time, Chris, that’s why I’m asking you. And I struggle to answer, because there’s a subtlety to a lot of this stuff.
Chris Nyhuis (00:43:20):
John Verry (00:43:20):
And I don’t know if it really matters at some point.
Chris Nyhuis (00:43:22):
I know. Right? So, what it is, is because there’s such a, like I said earlier, there’s a disparity between what companies are doing internally, what security providers are doing, and what they’re not. For us, we’re about putting everything we got, everything, to make sure that you’re protected, right? And so, it’s not about how little can we do to gain as much margin? It’s about what can we put… Everything, because your company’s on the line. Your team members’ retirements are on the line.
Chris Nyhuis (00:43:55):
For the business owner, everything they put into that, for the board, every… Personal liability is out there now for their decision. So, the reason I think all these things are coming out, SOAR, it’s automation, but you should have been doing that with MDR.
John Verry (00:44:11):
Chris Nyhuis (00:44:11):
You should have been doing that with NDR, you should have been doing that with EDR. And so, it’s a way for, I think, companies to have new products, and new levels of service that they can charge different for.
John Verry (00:44:24):
And listen, I mean one of the things which is terrible about our industry, and I think you started the conversation with this, is buzzword marketing.
Chris Nyhuis (00:44:30):
John Verry (00:44:30):
Yeah, servers in somebody else’s data center isn’t sexy, cloud is, okay great.
Chris Nyhuis (00:44:37):
John Verry (00:44:37):
I mean, so SOAR, responding to security incidents, well, we need a fancier name for that, so that way that… Closing the loop on what we saw.
Chris Nyhuis (00:44:45):
John Verry (00:44:46):
Yeah, we need a new buzzword that we can sell, next gen.
Chris Nyhuis (00:44:49):
Right, right. Yeah, right. So yeah, next gen, next gen, next gen SOAR. Maybe you can [inaudible 00:44:53] that.
John Verry (00:44:54):
You should trademark that now. Right now.
Chris Nyhuis (00:44:58):
I know someone’s going to use it.
John Verry (00:44:59):
Can you trademark based on just conversation? I mean, this is like one of the… Isn’t that first use? I mean, this is first use.
Chris Nyhuis (00:45:05):
How about we trademark it together, you and I?
John Verry (00:45:08):
I think I said it first, Chris. So I’m going to license next gen SOAR to you, for a small fee.
Chris Nyhuis (00:45:14):
I’ll trump you on that. Next gen next gen SOAR. So, really what you’ve got to know as an organization, is that in today’s world… 10 years ago, threat actors, they had to be really skilled, big barrier of entry, like we talked about, right? It was hard to become a threat actor that was really, really good. In today’s world, like you were saying, there’s all kinds of tools that you can just go click, click, click, click, you can pay someone $50,000, you can pay someone $1,000, and you get malware, and you can go use it.
Chris Nyhuis (00:45:40):
So the barrier of entry is so much easier. In fact, there’s mentoring on how to hack people, right? And the whole industry works together to do it. So, you as a company, as an organization, you have to do what it takes to defend against that now-everywhere advanced threat.
Chris Nyhuis (00:46:01):
And if you’re a small company, or a medium company, the threat actor is not going to be nicer to you, because you’re a small or medium company. If you’re an enterprise organization, they’re coming after you the same way. So you have to have this standard across. And SOAR is, it’s security, from all the things with automation, and response, right? I mean, that’s really what you’re doing.
Chris Nyhuis (00:46:23):
But now what you’re seeing is SOAR is being deployed as a way of automating and removing people. And you cannot remove the team, or the person aspect, from detection and response. And so, what you’ll probably see is managed SOAR come out. And then again, then there’ll be extended SOAR, right? Because, it just will. But it’s interesting, but what it is, it creates a moving target, and frankly, I think it’s something where our industry does a disservice to organizations because it confuses them, and then they spend a lot of money on things that don’t really help them.
John Verry (00:47:05):
So, one quick question for you. So, I find that SMEs have a tendency to underappreciate their actual risk, right? “I’m not a target, I mean, they’re going to go after somebody bigger.” And I don’t think they… I constantly am having the conversation about what percentage of attacks are opportunistic, right? “I didn’t intend to find you, but I was running just to scan for open WordPress servers, or a new vulnerability, and I happened upon your infrastructure, it was an easy way in. Okay. I’m in, I’m going to monetize this, I’m going to use it to attack somebody else.” So the question I have for you is that, because I think most SMEs underappreciate the threat, who are the clients that you find are willing to invest into MDR?
Chris Nyhuis (00:47:49):
I think what we found, and this is really interesting, you find companies, and it’s really interesting, it’s revenue based, right? Companies that have 10 to 12 million or more in revenue tend to realize they’re at that inflection point of, “We probably should look at something a little bit differently.”
Chris Nyhuis (00:48:09):
Companies underneath that, they’re so tied to their finances in some ways, that they don’t see security as an investment. When you get to the enterprise level of around 1.2 billion, there’s another inflection point. You have this all set mindset, you have in house only mindset. You have this approach that creates a microcosm within that company. And so, it’s really this 10 million to like 1.2 billion in revenue.
John Verry (00:48:39):
That’s your sweet spot.
Chris Nyhuis (00:48:40):
I mean, we protect companies into the upper billions as well, and small, but what I’m saying is like the companies that go, “Okay, we need help.”
John Verry (00:48:51):
I get it, yeah, they’re going to fall in that class. Quick question for you on that 10 million, 11 million, 12 million level. Do you think that’s because in many companies, that’s the first time that they’re really getting dedicated security people? I think, up until, the smaller companies you tend to see IT/IS as being sort of one function. The IT director, CIO guy kind of is responsible for security. Maybe they give him an under guy to help support security. Do you think that’s part of it, is that they’re just getting to that point where they get dedicated security staff that is able to recognize the issue, and communicate it better to management?
Chris Nyhuis (00:49:29):
I think it is, but I think it has to do with the ownership in a lot of cases. It’s the point where I think at that 10 million mark, I think that’s where the founders, the owners of the organization, are letting loose a little bit more of control. And so, I don’t necessarily think it’s the… Because there’s companies that are 20 million, and they don’t have dedicated security staff, or IT staff people.
Chris Nyhuis (00:49:50):
It’s just that it’s that less tied to that pocket book, right? And they’re thinking more about… It’s also the inflection for a lot of organizations, 10 million is a big jump point for growth. They’re starting to go, “Hey, we’re going to go big time now.” Right? So, it’s that, and I think the thing that boards, C level people, decision makers, the owners of organizations have to realize is that everything you protect can be taken away overnight by a threat.
John Verry (00:50:21):
I was just going to say that. So there’s a… COBIT always had this idea that always resonated with me, and still does, value creation, and value preservation. And I think that that gets interesting, because if you only have a million dollar company, you’re not losing that much, you can rebuild it. If you took a hit, you can take a step back, but you start getting to $10 million, I mean, you’ve created something that suddenly you look at and go, “I can’t afford to lose this.” So, maybe, like you said, maybe that is what it is, it’s more that their mindset shifts to some greater recognition of that value preservation side of the equation.
Chris Nyhuis (00:50:59):
Right, right. And another point, too, I mean, we had this major retail organization, we went to show what we do, we do an audit for free, like people [inaudible 00:51:10] to go do pen tests and vulnerability assessments to get the type of information we give them, we give to them for free, because we’re like, “Hey, it’s so important that you understand what has to happen in your environment, that we want to show you the information you can have, the decision making that can happen.”
Chris Nyhuis (00:51:26):
We went through this major national brand and went in, talked to their team, their team’s like, “Yes, we need this, this is going to save us tons of time, it’s going to reduce risk in massive ways.” And they went to their purchasing department. This was a February, and the purchasing department said, “Sorry, we only take new vendors in the month of January every year.” And they said, “Are you kidding me?” And guess what? Six months later they were in the news.
John Verry (00:51:51):
Oh my god.
Chris Nyhuis (00:51:52):
So, it’s one of those things that when you get to be above that 1.2, that’s another inflection point. You’ve got so many layers between what has to happen, and where you’re at, and so many decision makers that things take forever. I mean, the enterprises, sometimes takes 12 to 18 months. And when you have threat actors in your environment, 315 days, you’re fighting a losing battle. Right?
John Verry (00:52:20):
Gotcha. So, quick question. I mean, obviously, especially in bigger organizations, budgets, budget, budget cycle, budgeting is important. What’s a ballpark cost? And you guys, are you believer in ROSI, return on security investment? Is that part of what you communicate to people? Is it possible to even do that with your tools?
Chris Nyhuis (00:52:41):
Yeah, absolutely. Because security done well, if you do security well, it gives you visibility into everything else we’re doing. Right? It gives you visibility into your IT staff’s time, right? I mean, why do they keep low staffed IT teams? Because they’re expensive. So, if we can maximize your team’s time, with better information, and more strategic surgical dials for them to turn, and not thousands of emails they have to go through, or alerts all the time, you just gain back a significant amount of time.
Chris Nyhuis (00:53:12):
We had a customer last year, a defense contractor, that the defense organizations that they were contracted with, came out and said, “We need you to run this report.” And they went out and tried to find all different ways to try to run these reports. And so, the only way they could figure out how to do it was to have someone do it for two weeks, and this person made $180,000 a year. So, two weeks of every month, they’re running all of this information from multiple different places to run a report.
Chris Nyhuis (00:53:37):
And we have general security business reviews with our customers, and we say, “Hey, outside of security, I want you to dream big, because we are doing security while in your environment, which means we have data.” Like for instance, we collect, we have, on a daily basis, in our infrastructure day to day, if you look at all the mp3 storage that Apple has, six times that amount of storage, of data around customers’ environments, just to be able to analyze threats.
Chris Nyhuis (00:54:10):
And when you’re looking at that type of information, you can determine the security threat, but you can also determine operational things, right? What’s going on in your environment, how can we make your life better? So we asked, “What are other things, if you were to dream big, outside of security, what are problems you’re having?” And they told us about this report, and we said, “Oh my gosh, we have that information? What if we could automate that for you with a click of a button on a monthly basis, or even email it to you?” And they’re like, “That’s great.”
Chris Nyhuis (00:54:38):
So we literally, through security, gave them back half of the salary of a $180,000 team member, because we’re doing security well, so we can solve other problems. So, security really can drive efficiency in your organization. It can drive better business processes to help you understand team member efficiency, and growth, and even tell you if certain things are working or not. Right?
Chris Nyhuis (00:55:07):
So many companies have technologies that aren’t deployed correctly, and they don’t even know it. An ATM vendor came out and updated ATMs in one of our banking customers, and checked the box for compression, and didn’t check the box for encryption. Their DLP systems missed that all their transaction data was passing through their infrastructure in clear text, just compressed. Right? We saw it because we do security well, and we were able to see immediately that, “Oh, this transaction data is passing through, even though it looks encrypted, it’s really not. And by the way, here’s this user’s bank account information, you should probably fix that.”
Chris Nyhuis (00:55:44):
And so, if you can stop the bang of the security event from happening. Most companies operate in the world of bang, it happened, now let’s react, right? If you can make security boring by doing it well, and you stay on the left side of bang, by doing things the right way, or having information, it actually becomes a very boring thing for you as the consumer.
Chris Nyhuis (00:56:08):
Now for us on the back end, doing all the analysis, we’re hunting stuff all the time, right? We’re trying to keep that at bay. But it should become boring for you. And if your security is not boring, you either have security that’s not telling you anything, or you might not have something that’s working.
John Verry (00:56:28):
Chris, you mentioned before, you gave an example that had a defense contractor in it. CMMC, obviously, is a huge deal. We’ve talked a lot about it on the podcast, and there are some requirements within CMMC to be able to do good security monitoring. Are you guys doing much with your product with CMMC?
Chris Nyhuis (00:56:48):
We do, significantly. So, just with the services we provide on the Vigilant side of the business, we meet around 82% of the CMMC requirements just by putting this in. If you put in three of our services, just those three, 82%. We now own a managed service provider that does firewall management, SD-WAN, we do spam filtering, things like that, outside of that.
Chris Nyhuis (00:57:12):
But we separate those, because one of the requirements of CMMC is separation of duties, right? So we have separated out those across those two organizations so that they can work together, but separate at the same time. And, really, I mean, for spinning up CMMC compliance for us, it’s fairly fast in our client environments. Their cloud infrastructures can be turned up in 20 minutes, because it’s just putting API keys in. We can send out our physical sensors to your locations, probably faster than you can deploy them.
Chris Nyhuis (00:57:43):
Really, I mean, just 24-hour turnarounds, and installations that take less than an hour to really spin up a very mature infrastructure. You just plug things in, and turn it on. Endpoint detection and response, our teams help you to deploy that through software deployment tools. So, it’s not hard to get there.
Chris Nyhuis (00:57:59):
We had an organization, a defense contractor, that had a two-and-a-half-year rollout plan for CMMC. It was going to be impossible for them to meet any deadlines, and $1.5 million to deploy. We probably should have charged more, because we were able to deploy, and we got them to $27,000 a year. And they just had a few… From other things they had plus us, they ended up with about 8% of things they still had to do.
Chris Nyhuis (00:58:29):
And even inside of that, we have what’s called the CMMC calculator, that’s what we call it. But we’ve basically just mapped out the entire CMMC platform, and put in language for each one of them, and you just go through and check boxes for what you have. From us, you get an automatic report of what you cover, and then we have recommendations on quick things to do that hit it.
Chris Nyhuis (00:58:49):
What I would say is with CMMC, what a lot of companies are doing out there is they’re just checking the box, and you can’t do that. You have to deploy CMMC in such a way that not only meets the fulfillment of it, but it also gives you good security, because no one’s going to care if you’re CMMC compliant if you get hacked. You’re still going to lose your contract.
John Verry (00:59:11):
Chris Nyhuis (00:59:12):
So, the second big mistake that we see people making is they don’t understand compensating controls. So there are a lot of different things you can do that add up to fulfilling a control, and organizations may already be doing a lot of these controls, if you combine them. And so they go out and they spend a significant amount of money getting new controls that they already have covered by their compensating controls.
John Verry (00:59:36):
Right. Yeah. So, and just to be clear, you’re covering the 82% of the controls that need to be implemented, not 82% of the work that needs to be done to become CMMC certified, because you’ve got to start with scoping, you’ve got to conduct a risk assessment. Because of the process requirement, you’ve got to document all of your policies, standards, procedures. You’ve got to make sure that you’re generating the observable artifacts across the different use cases, two data points for each control. But I agree with you completely, that you guys are probably… You could probably take that whole audit and accountability block, and just go, “Well, that’s done.”
Chris Nyhuis (01:00:12):
John Verry (01:00:13):
Chris Nyhuis (01:00:13):
Yeah. Again, when you’re doing pretty well… And a lot of these organizations too, when they’re doing these audits, they’re going through, they don’t know themselves very well. And so, we’ll come in, and we help the auditors that are coming in, understand what’s going on better, so that that way, those organizations start at a very good spot, and then move forward.
Chris Nyhuis (01:00:33):
But, CMMC, again, it’s like XDR, MDR, right? It was really 800-171 three years ago, and then people didn’t do 800-171, because they didn’t understand what it needed to really maintain. Like, they could go check the boxes, but they didn’t know how to maintain it. So, the US government came out a few years later and said, “Hey, now we’re going to do CMMC, and we’re going to force it on you in different ways.” And it’s really just an evolution of the 800-171 approach that they took years ago. Right?
John Verry (01:01:06):
Chris Nyhuis (01:01:07):
To push it.
John Verry (01:01:07):
But the big difference, not only the additional 20 controls, but the big difference is, the audit is comprehensive. I mean, you’re talking about literally a 25-man-day audit on your organization.
Chris Nyhuis (01:01:24):
[crosstalk 01:01:24] Yeah. Absolutely. Yeah.
John Verry (01:01:25):
Yeah, yeah. We do a ton of CMMC work.
Chris Nyhuis (01:01:28):
Yeah. Right. And it’s so labor-intensive, you can’t do that on your own. Right?
John Verry (01:01:35):
No. Well, not only that, but you can’t get certified without a tool like your tool. Because you can’t meet… I mean, like you said, so much of CMMC is generating the auditable artifacts, and the evidence, right? So, I mean, your tools can be used to evidence a large chunk of those controls.
Chris Nyhuis (01:01:59):
John Verry (01:02:02):
Chris Nyhuis (01:02:02):
Yeah, I’d love to talk to you more about it, because we have… A lot of organizations could probably use our services.
John Verry (01:02:05):
Yeah, we should, we should, and vice versa. I should probably get you in touch with George on our team, so he knows. He kind of leads that effort, and he’ll know where your tool might be appropriate to some of our clients. So I think we beat this up pretty good, any… With regards to EDR, MDR, XDR, next gen XDR, next gen SOAR, was there anything we missed?
Chris Nyhuis (01:02:28):
I don’t think so. Maybe some… I mean, give the industry about 15 minutes, and we’ll probably have a new one.
John Verry (01:02:34):
All right, so the next buzzword that comes out, I’ll call you back up, you can come back on and talk about it.
Chris Nyhuis (01:02:38):
All right, thanks.
John Verry (01:02:38):
So now we’re going to find out if you remembered to… You’ve done a great job to this point, so I hope you’re not going to let us down here. I don’t know if you remember that there’s a… What fictional character or real person do you think would make an amazing or horrible… Oh, he didn’t prepare, folks. Oh this is embarrassing. And you were killing it? I gotta be honest with you, Chris.
Chris Nyhuis (01:02:55):
I did think about this. It’s a hard one for me, because it will…
John Verry (01:02:59):
You could probably name real world people, that’s the problem.
Chris Nyhuis (01:03:02):
I know. I know. I know. I know. I am… It is crazy. Yeah, it’s because it’ll actually… I don’t want to piss anybody else off out there.
John Verry (01:03:13):
When I said real person, that was like, John Wayne, or…
Chris Nyhuis (01:03:16):
John Verry (01:03:18):
It’s funny. Some of the questions that you get, I mean, some of the… Elon Musk. One of my favorites was Eeyore, which I thought was funny. All right, well I’ll tell you what. We’ll have to have you back on another time when you prepare for that one.
Chris Nyhuis (01:03:34):
I think I would say… You want me to still answer?
John Verry (01:03:38):
Chris Nyhuis (01:03:39):
All right, I would say, so one of my favorite presidents, Teddy Roosevelt. And I think… This is the horrible one. I think he would… As a CISO, you have to be a bit diplomatic. And one of the things I love about him as a president is, when he wanted to showcase our Navy, he just sent it around the world, halfway around the world, because he was able to do that, within his powers. But Congress didn’t want him to send them around the world. And so, he said, “Okay, I’ll send them halfway, and if you want them back, you can pay for the rest of the way back.” And so he forced them into it.
Chris Nyhuis (01:04:19):
And so, as a CISO, you have to [inaudible 01:04:23] come from that world. One of the things that really frustrated me the most is that I was one sixth of the vote, right? And I got outvoted all the time. And so, it causes you to get into this place where you start to just go rogue sometimes, you just want to just say it, because you understand what’s at stake, and you’re like, “I’ve got to go do this no matter what.”
Chris Nyhuis (01:04:40):
You want to do something like he did, like, “I’m going to send the ships halfway around the world, if you want them back, great. Oh, by the way, I’m going to paint them white, so that way everybody sees them. They’re not going to blend into the ocean.”
Chris Nyhuis (01:04:50):
You have to, as a CISO, realize that the rest of your team may not speak your same language. And what I had to do as a CISO is I had to realize that I came from the world of seeing the danger, and I understood it because I have years of getting there. And I also realized that my language was a bit different. I spoke in the world of forensics, and XDR and MDR, and SOAR, and everything else, and it caused me, when I went into these rooms, to lose my audience.
Chris Nyhuis (01:05:18):
And what I had to do, is I had to learn how to take this forensic information, and all these algorithms, and learn their language. I had to learn about return on invested capital, and velocity, and cash, and I had to start speaking about how those things would be affected. Our place in the marketplace, and competition, and I had to associate that back to that information, and then they got it.
Chris Nyhuis (01:05:44):
And so, Teddy Roosevelt, great president, but he was a decision maker, right? He had his own controls, and he was able to do that. But when you’re [inaudible 01:05:52] maker, you’ve got to make sure that if you go rogue, and you just go and do it anyway, people are going to… One, you’re going to probably save your company, for one, for a lot of things, but you’ll damage your relationship with moving things forward. And that’s why in a lot of cases, I think the lifecycle of a CISO is pretty short.
John Verry (01:06:09):
18, 19 months, yeah. The data is absolutely frightening. Is he the guy that said, famous for, “Walk softly and carry a big stick?”
Chris Nyhuis (01:06:22):
Yeah, yeah, yeah, right. Right, right, he is. Yeah.
John Verry (01:06:23):
And I couldn’t agree with you more about the CISO’s conversation with the CXO suite, or with the board, is that… And I’ve always said the same thing, that the problem is that we talk in different impact criteria, and we talk in different buzzwords and acronyms. And I think that your thought process is to normalize that, right? So that we’re talking about impacts to our business in the same… Not what we use as CISOs, confidentiality, integrity, and availability, and this is a high risk; that means nothing to them.
Chris Nyhuis (01:06:54):
It means nothing.
John Verry (01:06:55):
But if we can translate that into customer loss, loss of customer retention, cost reduction, whatever they might be, yeah, I think you’re going to be a lot more successful.
Chris Nyhuis (01:07:03):
Yeah, you’ll be a lot more successful.
John Verry (01:07:06):
Cool stuff, man. Well, thank you very much. If somebody wanted to get in touch with you, and find out more about some of the great stuff that you talked about that Vigilant is doing?
Chris Nyhuis (01:07:18):
Yeah, you can email us. You can email our sales team, [email protected]. I’m on Instagram, Chris.Nyhuis. It’s N-Y-H-U-I-S. I do a lot of speaking engagements around the country, I’m really passionate about helping entrepreneurs grow their businesses, and giving insight there. We built Vigilant, and we felt that doing it with no outside investment would be a smart thing. It ended up being a smart thing, but it was a really hard path to go on, and we learned a lot on how to do that.
Chris Nyhuis (01:07:52):
But what’s great about it, when you’re in a care based organization, you can really focus the value on your customer. So, reach out there as well. Any young entrepreneurs out there, security business or not, reach out, and I would love to talk you through that. There’s a lot of things that can make you quit, and if you don’t, you’ll come out on the other end of that.
Chris Nyhuis (01:08:14):
The other thing for Vigilant is we, from day one, have been mission minded. And so, our focus is keeping companies in business, and along with that is, we take 25% of our profit, and we donate that to orphan care around the world, taking care of kids, getting them out of the cycle of orphan care here in the United States, as well as around the world. We also do… And this just started this year, doing a lot of what we do around the anti-human trafficking world. So, yeah.
John Verry (01:08:45):
Cool stuff, man. Cool stuff. Well, listen, that was a lot of fun, and very informative, and I wanted to say thanks.
Chris Nyhuis (01:08:52):
Yeah. My pleasure. I really enjoyed it. Thanks.
John Verry (01:08:54):
Narrator (intro/outro) (01:08:55):
You’ve been listening to The Virtual CISO Podcast. As you probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected], and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.