November 15, 2022

Digital Business Risk Management helps companies track and disrupt the most advanced bad actors and malevolent infrastructures. Team Cymru specializes in Attack Surface Management, giving clients insight into, and help with, cyber threats.
This episode features David Monnier, Chief Evangelist and Team Cymru Fellow, from Team Cymru, who provides answers and explanations to a variety of questions regarding Business Risk Management, ASM (attack surface management), and much more.

Join us as we discuss:
· Attack Surface Management
· Digital Business Risk Management
· Electronic Assets
· Data Breaches/Exposures
· Discovering malevolent infrastructures

To hear this episode, and many more like it, we would encourage you to subscribe to the Virtual CISO Podcast on our YouTube here.

To stay up to date with the newest podcast releases, follow us on LinkedIn here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

See below for the full transcription of this episode!

Intro Speaker (00:05):

Listening to the Virtual CISO Podcast, providing the best insight on information security and security IT advice to business leaders everywhere.

John Verry (00:19):

Uh, hey there, and welcome to yet another episode of the Virtual CISO Podcast with you as always your host, John Verry, and with me today, David Monnier. I think I got that right, which sounds, uh, to me like a French surname.

David Monnier (00:32):

Yeah, it’s Qua Quebec French

John Verry (00:35):

Qua. Um, are you, are you actually from, uh, Quebec?

David Monnier (00:38):

No, from the Great Lakes. Close enough. The other side of the, uh, from the other side of the Great Lakes, so.

John Verry (00:44):

Gotcha, gotcha. We are

David Monnier (00:46):

From, from the United States.

John Verry (00:48):

Cool. So, uh, always like to start easy. Uh, tell us a little bit about who you are and what is it that you do every day?

David Monnier (00:54):

Yeah. So, um, I am Chief Evangelist, uh, and Team Cymru Fellow at Team Cymru. Um, I do a lot, um, I do a lot of, uh, outreach. I do a lot of, uh, product, uh, design. I do a lot of, um, you know, supporting, getting our message out. Uh, for us, outreach, uh, in evangelizing kind of falls into two camps. Uh, we have both, uh, one, uh, side of the house, which is out helping to ensure that people, uh, know of our products and, and know what solutions we have, you know, kind of in the space. But then the other part, uh, of it is that we spend a lot of time, uh, going out, making new friends, uh, and helping network operators solve their problems, uh, so that we can, uh, help track bad guys, uh, and see what it is that they’re doing. Cuz that’s a big piece of, uh, how we get to see what we see, uh, is we help, uh, people who own networks find bad stuff on their networks, uh, and then they give us the chance to see what all was talking to that bad stuff.

John Verry (01:50):

Sounds cool. And in my next life, I want to come back with a title of chief Evangelist. I think that that’s a, that’s a cool damn title. Yeah. Um, so, uh, we always ask, what’s your drink of choice?

David Monnier (02:02):

Uh, let’s see. So, um, these days I’ve been drinking rum, uh, and, uh, probably my fa favorite rum right now is a rain, uh, rum, uh, made by a French company. Uh, they’re called Plantation. Uh, they are, uh, they’re a cognac company originally, so they do a lot of blends. Uh, though I like agricole rums. Uh, lately I’ve been drinking a, I think it’s a seven year age, that might be five year age, but it’s a rum called Haak, uh, with an X. And it’s the Mexican word for Jamaica, or not Mexican as in Spanish, but Meca as in the original people of Central America. So it’s in their language. It’s the word for Jamaica.

John Verry (02:41):

Yeah. One of my neighbors is into, um, smoked, like, smoked aged rums. I think it’s Cuban, Cuba has some, you know. Sure. And I, I had never partaken, uh, and recently was over and, and had and enjoyed, um, yeah, very. So probably one of the first person who actually answered rum to that question.

David Monnier (02:59):

Yeah. I had a really, uh, bad, uh, I had a really bad experience when I was young with some bourbon, and unfortunately, uh, it caught out like an entire category of things that I can drink. So I’m stuck to either drinking vodka, uh, which I prefer ze, broka, uh, vodka from Poland. Uh, but, uh, when I’m not, when I’m not drinking, uh, vodka, I prefer Roman.

John Verry (03:24):

Uh, I like Polish vodkas, you know, the potato vodkas are, are pretty interesting. Um, there’s actually also one from Russia that I really enjoy called Musk of Acaia. Uh,

David Monnier (03:33):

I’m familiar with that.

John Verry (03:34):

Which are you really? Yeah,

David Monnier (03:36):

I got

John Verry (03:36):


David Monnier (03:37):

A bit. My family’s Russian.

John Verry (03:39):

Oh. Uh, that’s a, that’s a great, uh, vodka. Anyway, um, let’s, let’s get down to business. Let’s get down to business. Although I, cuz I could speak alcohol for years. Um, so, so I was interested in chatting with you today because, you know, in, in, in talking with clients today, it feels even more so than than normal that they’re not only worried about the threats. They know about, you know, the, the work from home threat and the changes, you know, the cloud security threat, the pandemic nation state adversaries and people like that, but they seem even more worried about what they don’t know. Right. The, you know, So the question I had for you in, with what you do, which you guys have on your website, used the term digital bis, business risk management. Is that something that helps people address both known and unknown risks? And if so, how?

David Monnier (04:30):

Yeah. So, um, for starters, I wholly agree with you. Uh, that’s also my assessment. Uh, I think CISOs, um, are kind of inundated with a lot of what they already know. Uh, everybody wants to come and like tell ’em the same story, just using some new words or some new variation or some new whatnot. But at the end of the day, uh, you know, kind of the gist of the story ends up being something they’ve heard before. And I think they spend a lot of time kind of weeding through, uh, products that are largely just wrapping papers, different wrapping papers over the kind of same stuff that they had seen before. Um, and that is, uh, uh, obviously that is, uh, useful to some degree. Uh, but when it is that you start seeing that over and over again, I, I think a lot of CISOs find themselves wondering like, why is everybody wanna show me the same stuff and why is nobody showing me anything new?


Um, and typically by the time in particular, by the time you’re operating at the C level, you’re usually smart enough to know you don’t know everything in the world. Um, so, and you’re usually, uh, uh, adept enough to know that, you know, the real value in life is learning things that you didn’t know previously. So we do, uh, we tried, uh, very hard to try to make that a reality. So we try very hard to, um, uh, make, uh, things, uh, better, um, uh, visually, like in the sense of you can see more. Um, so we tried to provide, uh, like a layer of threat intelligence, uh, that goes into what is a normal ASM. Uh, and, but what we found is, is that kind of normal ASM view was just,

John Verry (06:06):

Wait, wait, real, real, real, real quick, David, I apologize, but just making sure ASM you’re referring to attack surface management, correct? Attack

David Monnier (06:13):

Surface management. Yeah. Yep. And that’s kind of how we go about the digital, digital risk management. So, uh, to us, you know, your digital risk is measured, uh, uh, in a couple of different ways to the business, right? Uh, but it’s interacted with really largely only in one way. And that’s via your service, via, you know, the, uh, either the edge of your service, uh, you know, if you’re providing software as a service or some type of, uh, thing like that, or the end of your enterprise, like for happens if you have, uh, some kind of full, uh, enterprise with, uh, you know, a lot of humans still going to offices, things like that, you still kind of think in those terms. Uh, and so to us, the attack surface, uh, um, space, if you will, was an obvious place to try to apply intelligence and to try to, uh, frankly teach and show people something that they didn’t know before about their, uh, infrastructure.


And that’s really, uh, what I consider at least as a, you know, 27 year, I guess now, 28 year almost practitioner, um, is, uh, you know, the things that show me something that I didn’t know to know are truly the most valuable. Even if it’s something that, you know, what you’ve shown me is some terrible reality, uh, that I’m totally ill-equipped, uh, to be able to deal with. At least now I know about it. So, what we really try to do, uh, is we try to have, uh, a let’s show you something you didn’t know, uh, approach, uh, for CISOs to try to solve that very problem that you, that you’re speaking of. Cuz I think it’s, uh, I think it’s, um, the number one thing that keeps people up at night, if you will, is that is that haunting feeling that there’s something else, uh, that’s gone on that they just don’t know about. And I think it’s a natural, I think it’s a natural response, but that is, to answer your question, Yeah. That, that is exactly how our solution aims to, um, uh, to help CISOs.

John Verry (07:59):

Gotcha. Now you, now you use the term attack surface management, you also use the term assets mm-hmm. <affirmative>, uh, are we talking about, like, when you talk about assets, are we talking about information assets, infrastructure assets, all of the above? People assets, physical, you know, physical building. Talk to me, what, like, what, what, what you mean by asset and what is attack surface management in that, in that, those contexts?

David Monnier (08:21):

Sure. Um, so we’re largely a signals, uh, business. So we are more, uh, when you think of, of assets in my term, it’s ones that you can interact with electronically, you know, either with packets or, you know, so photons or electrons, you know, whatever your connectivity is. Uh, so that’s typically what I think of when I think of an asset. But realistically, uh, it could be absolutely any, uh, any, uh, uh, you know, traditional term for that. You could think of it as that way. Um, in fact, if you are a CISO who has physical security, physec, under your, uh, uh, authority as well, uh, then I absolutely should be thinking of it in terms of, you know, down to staplers, you know, depending on, uh, you know, the degree of inventory control and, and asset management that you can have. And to us, that was, um, that was really one of the big drivers.


So we, um, when we set out, typically in business, right? We’ve been a business to business, uh, largely an intelligence supplier into other people’s products. So, um, you know, think, um, you know, you make a firewall, uh, we were the company that would help, you know, what the block with that firewall. So that when you brought it to the marketplace, that had some intelligence that knew what threats there were. Uh, and we approached, uh, asset management the same way. So we saw, uh, asset management as, uh, in particular, uh, in the attack surface space. When, when you think of, uh, how attack surface management happens today, it starts with some type of asset inventory. So how many devices, uh, do we know of in the infrastructure now of those, uh, devices? Uh, how, uh, how recently have we scanned them for any vulnerabilities? How often do we update their patches?


Do we update the inventory system? You know, like, what are all the tie-ins for logistical controls and things like that, as well as security controls? And you kind of start to see it in those terms, uh, as like a, just an endless supply of tasks that you have to do first, you have to, uh, identify it, then you track it, then you scan it, then you do something, then you do something and so on. But what if that host is already compromised? What if, uh, you know, what if you needed to rebuild it? What if by the time you got around to identifying some vulnerability on one of those assets that it was already compromised? So when we sat down and kind of looked at, uh, how can we get intelligence into the ASM space to make things seem better, What we identified was that there weren’t really any products that were designed to take into account threat intelligence, or even in the sense, uh, what we think of it as is more like reputational data.


Uh, so like to let you know, like, Hey, you have 3000 of assets that we’ve discovered on your network. You only knew of like 1500 of ’em, uh, but, uh, you know, 10 of them that you didn’t know about are already compromised. You should remediate these not, uh, uh, not try to patch these, this is, you know, tear this down and rebuild it. So we, um, so we really, uh, uh, worked very hard to try to fill in, uh, uh, what’s, what’s I, I’d like to think of it as a market gap, but we tried to fill in, uh, what we saw as attack surface being largely, uh, a logistical tool and then like a kind of feeding into security scanning and vulnerability scanning and things like that. We tried to add actually two intelligence layers. One being reputational based or threat intelligence oriented, but then also business intelligence.


Like for example, uh, in a typical, uh, enterprise, right? You’ll have your real, uh, prime servers, let’s say your Active Directory, something like that. Maybe it’s LDAP, whatever, but you’ll have those prime ones. But you’ll typically have clones of those devices where you test patches on first to make sure it’s not gonna crater, you know, all those types of things. Well, to a vulnerability scanner, those are the same host, you know, only a, you who knows which of these devices, uh, can add that type of layer. So that’s the other piece that we really tried to set aside, uh, is to add business intelligence so that, because only you know, which devices are most critical to your, uh, business, you know, um, so we try to add that layer as well. I’m sorry if I gotcha. If I’m all over the place, but, uh,

John Verry (12:18):

No, you know, you know, it’s, it’s easy to get all over the place when you’re talking about something that’s relatively encompassing mm-hmm. <affirmative> like what you’re talking about. Right. So, let, let me, let me see if I, if I understand this. So it sounds to me like you are looking at communications that are occurring, you know, to and from assets of relevance. To me, it sounds to me like your cyber threat intelligence feeds and your reputational data and your business intelligence data, help me contextualize those communications to determine which of those communications are business as usual, and I don’t need to worry about which, and, and which are something that I need to potentially take action on. And if so, even providing some level of, uh, import to what I might do.

David Monnier (13:13):

Absolutely. Yeah, That’s, uh, that is a very good, uh, way to see it, to think of it. Um, and, you know, to that end, uh, other things that we do that’s kind of different. Uh, so for example, uh, like namespace, uh, you know, we, uh, track, uh, internet namespace regularly passively using things like passive DNS and other types of collection methods. And, um, what if, you know, for example, a certificate with your organization’s domain appeared up in AWS space somewhere, um, it’s outside of your address space altogether. Say you have a, you know, slash 24 network that you know is yours, and, you know, you watch that diligently, but what if your DevOps team has spun up instances outside of your infrastructure that you have no idea of, uh, but have, you know, exported SSL certificates, uh, or TLS, uh, certificates that are pinned to these services.


Wouldn’t you want to know about that? And that, uh, type of, even additional, like, and maybe it’s legitimate, maybe it’s not, but it’s, it massively important for the CISO to know that, uh, and to know which of those things that they want. You know, like, do you want to, uh, do you wanna even allow it maybe a policy that says, Hey, all development has to happen internally, you know, loads and loads of, um, uh, of, uh, I know it’s not a common word, uh, or it’s not popular word, but breaches a lot of companies that have been, uh, supposedly been breached. Oftentimes it’s, that’s not the case at all. They left their data someplace where someone else had access to it without any type of controls on it. And that type of data exposure, I mean, luckily lawyers have started to get in front of this and, and get people to stop saying that word.


Uh, but, you know, there’s a lot of CISOs, uh, I know of some even, uh, who really went through the ringer, uh, as if their company had been breached. But in actuality, it was somebody else in the company had just disregarded policy altogether and, you know, stood up and sent, you know, an export of a com of a live database full of customer data, Right. For example, and stuck in it on an S3 bucket or something. You know what I’m saying? And that’s, And what do you do for that? How do you know to know?

John Verry (15:16):

I mean, right. So it’s, but, but it, Yeah, and breach is an interesting word. It is a data breach, right? But it’s not, it’s not a breach of a company. Yeah. Right? So

David Monnier (15:24):

It’s, it’s like the data exposure, even I would, I would argue

John Verry (15:26):

It’s, Well, the reason I think breach, the reason breach gets used is because of the, the, the data breach requirements that are, you know, in, in most of the privacy laws. So I think it is technically classified as a breach under, under law, or under these regulations, right? So it is referred as a breach, but I agree with you, there’s a, there is a, it’s, there’s no difference to the people whose information might have been compromised, but there is a difference to the risk profile and the, and the current security posture of the organization that we’re talking about. Absolutely

David Monnier (15:53):

Correct. Yeah. And, and typically you’re talking about a CISO, right? Who’s made the decision for the stake of the business to keep running, uh, for the sake of the business. He re they realize, Well, we’re in business to be in business. We’re not in business to be secure. I know that’s contrary to what a lot of people like to hear, but it’s the truth. And a CISO has to draw this very fine line between, uh, appropriate policy that gets the job done, uh, too little policy that gets them owned or too draconian policy that gets, keeps work from happening, right? Mm-hmm. <affirmative>. So they’re always fighting this line. And I feel terrible for the ones who get caught up, uh, in these, like I said, legally technical term, meaning breach, uh, right. But I know some very bright folks who, uh, you know, frankly have gone through the ringer, uh, and, and caught a little bit of a, of a, you know, what’s called a shiner, for lack of a better word, Uh, but where they, you know, got a ding as if they were responsible for a breach that they, I would argue technically were not.


Um, so, uh, but that aside, um, I’m glad to see that, uh, I’m glad to see that, uh, people are starting to, like you said, expand on, use different, uh, language to describe ’em, uh, because it’ll, it’ll help consumers in the long run as well, I think. Anyway, uh, I think this kind of, the way a lot of those reporting, uh, clauses are written today, they’re a little harsh. Uh, uh, in particular the, if you don’t do it, like, if you didn’t know to, didn’t I, then how would you know to do it? Uh, you know what I’m saying? There’s some big traps there, so mm-hmm. <affirmative>.

John Verry (17:17):

Yeah. It not easy. It’s not e Yeah, it’s not easy being a CISO. I think we can agree

David Monnier (17:21):

On that. Yeah. No, it’s not. Yeah, it’s not.

John Verry (17:23):

Um, so, so let me ask you question. So, um, you know, your cyber threat intelligence feeds, right? Which is, I, I think your bedrock of your, of your, of your organization for sure. As far as, right. So, um, I’m assuming that most people consume those through a third party, right? It might be, you know, maybe, maybe you provide those to Palo Alto and, and I’m getting ’em through my firewall. Maybe you provide them to, uh, uh, you know, uh, Dell SecureWorks and I’m getting them through my security operations center. Mm-hmm. <affirmative>. Um, so, so first question would be that, and then the second question would be, you know, is that how I consume your, your, your threat intelligence feeds? And then how do I consume the business intelligence and the reputational? Is that done through, uh, again, through those same vectors? Or do you guys offer other services where, where I would let, where I would consume those capabilities?

David Monnier (18:14):

Yeah, absolutely. So, uh, our, our raw data, our feeds, if you will, uh, um, are available, uh, like you said, in a lot of people’s products already. You’ll typically see our logo on the box, for lack of a better way to describe it. I dunno, we don’t really go to stores anymore. But usually when you pull up, uh, you know, their product, it’ll say like, intelligence powered by Team Cymru Pure Signal, or things like that. Uh, you’ll see that lo lo located on there, or, you know, you can ask an AE like, Hey, does your product have this intelligence in it? We’re also in a bunch of TIPs, like if you happen to have, uh, you know, uh, one of the, uh, aggregators, uh, feed, you know, our intelligence aggregators that push out policy to your tools. So these are the various threat intelligence platforms.


I don’t necessarily want to, uh, promote any specific one cuz they’re, they all kind of do the same. Um, so, but, uh, I’ll say that we’re also in there, uh, but we’re also like, um, for example, we’re a big, uh, piece of the intelligence that’s in, uh, the micro Microsoft’s Protection Center, uh, and those types of tools. So we’re also in there, like, if you’re in Azure, uh, you’ll see us listed as, you know, our intelligence is available, you can just like click on it and add it, uh, to, you know, to your capabilities. So we’re in that as well. Uh, but the specific parts, like the business intelligence and the, uh, uh, reputational, uh, stuff, those are on, uh, product that we’ve made specifically, um, uh, specifically to address the kind of attack surface monitoring space. And that’s our Pure Signal Orbit is the name of the product.


And it’s, it’s new. Um, it’s a, uh, what, like I said, we would describe it as a hybrid approach to what is traditional ASM, uh, to the point where we consider it to be kind of an evolutionary step. So we refer to it as ASM 2.0. Uh, because we think if your tool is really only informed by what you’ve told it, uh, that’s kind of the hallmark of the old way to do attack surface management. And if it’s not, if your tool isn’t showing you things you had no idea of, it’s probably a good indicator that you have a, you’re doing it the old way. Uh, whereas our tool will tell you things, uh, that typically you didn’t know about. Uh, we had a large, uh, well, we had a state CISO, uh, for one of the larger states in the United States, uh, came and, and they, uh, were one of the first folks, uh, to work as a pilot, uh, on Orbit. And we found something like 380% more infrastructure than they knew they had. Um, that’s a lot. That’s, uh, to, to say the least. Uh, they were surprised. So, um, but what’s, it’s good stuff. It’s good that they know. Um, so, but their previous ASM tool, uh, didn’t show them any of that. In fact, it showed them only what they knew to tell ’em, which was the networks they knew of. Um, so what we do mm-hmm. <affirmative>, uh, is typically illuminating, uh, stuff that folks didn’t know.

John Verry (20:56):

Right. How do you, I just know that’s interesting to me. How do you do discovery of that nature? I mean, generally speak, are you actually, I mean, like, you know, and it’s so funny because if you look at, you know, implementation guidance, level one on C, you know, the CIS CSC, right? Mm-hmm. <affirmative> Asset Management is like, you know, foundational to information security and yet poorly, poorly done by most organizations. Yeah. So how is it that you would go into an organization, you know, obviously an ongoing and successful concern, if they had that much infrastructure, How is it that they, they don’t know about this infrastructure? What were they missing and how did you discover that?

David Monnier (21:31):

Well, in their case, because it was a collection of, um, regional locations. So think of, you know, imagine the business of a state, um, uh, is not dissimilar to, like, think of it as a match nama, uh, massively decentralized, uh, brick and mortar business, right? So you have all of your various county offices, you have your, uh, uh, state, uh, offices, you have your city offices, and then you have to have this overarching component, uh, that fits in with that. Uh, and what ends up happening is, is there’s a lot of individual, um, fragmentation, uh, because, you know, one office is doing business one way, another office doing business another way. And most of their interactions are determined by, uh, pre, previously agreed upon specifications, right? Those are typically in the form of, uh, governmental forms, right? As long as the form is filled out in a certain way after that, typically the execution, uh, phase of the business of the state is determined by the local, uh, office.


Like the states gives out the guidance for a result, but they don’t typically give out the guidance for a process to arrive at that result. And so what we see is, you know, figure hundreds, uh, hundred plus years, uh, of, uh, you know, state business that has gone through all of the technological changes a long time. And what happened was, is this state just frankly didn’t keep up with their, uh, uh, tracking of what their devices and what these things were. And now how we discover them is, uh, well, we, I employ, we employ, uh, analysts to do exactly that. Uh, we have, uh, uh, threat intelligence analysts who, uh, uh, typically have had, uh, experience in either law enforcement or in some cases some military backgrounds. Uh, but where these folks are good at, at discovering assets, it’s like what they do. Uh, so just as bad guys, uh, can determine, uh, you know, who’s, who owns what devices on the internet, good guys can use very similar methodologies and come to very similar outcomes.


And in our case, that’s what we do. So when we onboard someone, typically what happens is, is, uh, we will say, Okay, tell us what you do know, and we’ll get, you know, their IP space, we’ll get their name space. Maybe they have a slash 24, maybe they’re a huge network and they have a slash 16 network, and, and they, maybe they have you, you know, 200, uh, dot com domains and, you know, domains. And you know, I mean, just the whole mix of what they do know. And then usually that’s all that we take from them to start, and then we go, uh, and do a discovery, and then we come back and say, you know, a week or two later, uh, where we’ve had a human being curate the starting point and say, Gotcha. Here’s all these things. How much of this did you not know of?


Uh, and in this, And like I said, in this case, it’s, I, I would like to believe it’s gonna be a one crazy outlier story, uh, you know, that we’re just getting started with this. But I, I mean, personally, I was a little surprised. I mean, people say, you know, uh, government work, you know, people make fun of that. Uh, you know, people say, Oh, people who can do, and people who can’t, you know, whatever teach and people can’t teach, go for the gov, work with the government or whatever that, I know people like to make those jokes, but 300%, 380 something percent, uh, increase in assets. That’s a whole bunch of citizens, uh, of that state who were maybe lucky to not have something bad happen to him. And this CISO was thrilled to find out that, Oh man, I’m really glad to discover this, that we had all these other things cuz I had no idea and I would’ve never known to know. Uh, gotcha. So we about to be really good, and like I said, I hope that doesn’t turn out to be like every time we go and sit down with somebody, you know, that they’re hundreds of percent of discovery. Uh, but this one so far, like I said, we’ve just been getting started, so we’re still in the first year, uh, of the product, uh, of it being launched. Um, so we’re still, uh, discovering these stories. But so far that’s been the big one.

John Verry (25:16):

Gotcha. And then in terms of these assets that you’re discovering, are they, uh, are they always in the realm of what I’m gonna refer as corporate owned, corporate controlled assets? Or, uh, does it include like, you know, like, so as an example, if like someone like us were in Microsoft Dynamics, you know, like Microsoft’s environment, will you be identifying that as well? Will you be depending our Salesforce instances? And so yes, gimme, gimme that idea of how much you’re actually discovering there.

David Monnier (25:41):

Yeah. So for those kind of, uh, so those, let’s call those embedded capabilities. Like you have a capability, your capability’s embedded in Salesforce, right? Mm-hmm. <affirmative>, um, uh, and their software is, is operating there. But how you find that embedded service in there is you typically, like, you know, most Salesforce accounts, when you sign up there, they give you a unique URI mm-hmm. <affirmative>, uh, that points you to there. Well, much of that URI is exposed, uh, uh, via typical DNS namespace. Uh, so in that is, uh, typically, uh, passively observable. Uh, and, uh, you can also, uh, there’s, well, there’s a bunch of different ways to enumerate, uh, at, uh, assets. You can, you know, look up IP addresses and get PTR addresses. You can, uh, uh, look for passive instances of where people have looked up domains related to it, or host names related to your domain, things like that. And that’s how we do a lot of that discovery, uh, is we have, um, uh, we have access to, to being able to see, um, you know, name space and, and things like that, both from crawling it as well as just passive collection.

John Verry (26:47):

Gotcha. And do you have any, um, if I’ve got IoT devices on my network that are talking outbound, do you have any visibility into those? Cuz you know, identifying IoT devices and environments can be a challenge for a lot of works.

David Monnier (26:59):

Yeah, it is very tricky. Um, so out of the box, uh, we may see some, it depends on specifically what protocols are being used and, and things like that. Typically, we have fairly decent, uh, IPv, uh, IP, uh, traffic visibility. Um, but if you, um, uh, for like a partner who has, uh, like say they have significant IoT assets and, and say they’re, uh, that they’re aware of that, often what we are, what we do is we try to work with them, uh, in tandem to actually get some visibility from the, uh, from the partner. So that’s the, uh, our long term goal, uh, is, uh, and by long I’m talking, you know, within the next year or so, is, is, is our objective, but is where Orbit becomes a tool, uh, that your devices are informing and it’s informing your devices. So, uh, like for example, uh, you know, you may have a, a WAF or you may have a VPN, or you may have, you know, various things that produce signal elements that show like, Hey, this is talking to this.


Uh, or you may have routers that produce NetFlow. You may have, uh, switches that, that, uh, produce, uh, session data. I mean, there’s a lot of other footholds, right? Where you can, uh, start to understand what’s happening on your network. And the idea is, is that Orbit will become a, an orchestration point, uh, for that, so that you can, uh, get the policy, uh, visit, uh, visualized in Orbit can show you this is what’s bad’s happening off your network. This is what you have on your network that might be impacted next by this, uh, right click to, you know, maybe, uh, start dropping those packets at your gateway or something like that.

John Verry (28:37):

I was just gonna ask you, so is, uh, so Orbit in its default configuration, does, is it, is it leveraging the threat intelligence? So let’s say it’s, it sits on my firewall. So in theory, if, uh, you know, in theory you’d have, and it might be just a capability that you haven’t built yet, but in theory, you should be able to characterize, you know, periodic communication out to a specific IP from a particular host and, and, and, and begin to signature that out to understand that might be a video camera, that might be a, uh, an an aw, you know, uh, Alexa device, things of that nature. Correct?

David Monnier (29:11):

Exactly. What you’re describing is exactly our, That’s, that’s the plan. That’s

John Verry (29:15):

The plan. Okay. Good. Yeah, it may, it may, it makes complete sense. Um, the one thing which is very intriguing to me, right? So there’s a lot of talk right now about, you know, supply chain risk management. There’s a focus in the government, you know, we’re talking about, uh, you know, that, that type of flow down. And one of the things that I noted that you guys, uh, talked about doing was, uh, was to actually help monitor the supply chain. Is that just a matter, you know, so, so the question I would have is that, uh, how much involvement do I need from my downstream supply chain vendors to, to do that? Do I need them to give me the blocks of IPs and things I own? Or can I do that just through like a, a domain name and still end up with, uh, a pretty fair amount of information about what’s going on in, in there? And then not only does that tie into your business intelligence stuff, but can I also leverage that from a reputational perspective as well?

David Monnier (30:05):

Yes. So, uh, the long answer, or sorry, the short answer to your question is, is yes in that preferred order that you’ve just listed, actually, um, ideally, uh, you knowing as much about them as possible, uh, is great. Um, but it’s not necessary. Um, like I said, we, uh, that’s what we do, is we sit down and help the people identify those things. Uh, we actually have two different supply chain, uh, components. One is Orbit, uh, where, uh, you could have, um, kind of a, uh, daily, if you will, um, you know, uh, approach to helping people manage their network. So if you, they’re down chain downstream from you, they tell you, Hey, these are our IPs, these are our networks, and you just can continuously be part of their posture. Or we also have our Pure Signal Recon product, which is slightly different, but allows you to do like ad hoc, uh, views so you don’t have to continue.

So you don’t have to, uh, license, uh, continuous monitoring of your supply chain, right? You can just, uh, uh, license Recon and use it, uh, to look at your supply chain as needed, as opposed to getting continuous reports cuz uh, you know, some people’s supply chains, I mean, imagine the supply chain of say, you know, I don’t know, Kmart mentioned Kmart supply chain. Mm-hmm. <affirmative>, you know, there’s gotta be a million suppliers to them, You know, something like that mm-hmm. <affirmative>. Uh, so it’s, it wouldn’t be realistic, uh, to do some type of ASM monitoring for a supply chain that big, but we certainly could use Recon, our other tool to do ad hoc checks of something like that. Um, but yeah, ideally, um, they, a partner can tell us something about their supply chain, uh, but if they can’t, we sit down and, and work through it with them.

Uh, that’s, that’s, uh, like I said, it’s probably one of our bigger differentiators that we identified was how people get started with, uh, understanding how an attack surface management works. A lot of people just get handed the keys and get told, type in your information and go, Well, I mean, you could have done that with just Nessus. I mean, you don’t, why, why would you have all these other tools? Uh, you know, when you could have just done that yourself with something open source and, and, and very inexpensive, but it’s not the way it, it’s not the most, uh, thorough way to do it. So what we do, like I said, as we sit down with a human being, a human analyst, uh, who tries to make, draw someone’s conclusions, we have a bunch of automations that feed that process, but the end process is determined by a human being says, Yeah, this is us, or no, this isn’t us.

John Verry (32:30):

Gotcha. So that is going to, you know, see that that’s going to see what’s visible from a non-privileged perspective. But we’re not going to get the benefit of your threat intelligence feeds in that type of monitoring. Correct? Unless, unless some, unless we were actually sitting on some inbound outbound gateway, you know, communication information. Correct?

David Monnier (32:53):

No, you would, you would still get it. If something in your network, uh, is talking to a command and control server that we’re aware of, you absolutely will

John Verry (33:00):

Still get that, you know? No, no, I know in our network, but I’m saying in the, in the, in the supply chain,

David Monnier (33:04):

If someone in their network, if you know their prefixes, if you know that like, uh, your supply, your vendor has such and such

John Verry (33:10):

A, if I know, if I know Okay. That, Okay, so if, if they’re, if I, if they’re willing to help me identify their class, you know, they’ve got a class C or they’ve got a block of 16 IPs Yeah. Then I’ve got some, some ability to be aware of that.

David Monnier (33:22):

Absolutely. That’s correct.

John Verry (33:24):

Yeah. But that’s interesting,

David Monnier (33:27):

More as like an alerting tool, It would be like a, here’s a daily review of the IPs that you’ve asked us to look at. Or in the case of Recon, it’s, you know, you run through and, and we’ll show you if in the last 90 days or so, if any of these hosts have been, uh, identified as being likely compromised.

John Verry (33:42):

That’s interesting. So that, that, that kind of implies that you’ve got, um, and that’s what you said, you, you, you were working with network operators, so you have visibility into traffic flows that would allow you to

David Monnier (33:54):

Command control servers. Yeah. Yep. Okay. So once we, so we, to, to give you an idea of the process, right? So we detonate 500, 700,000 pieces of malware every day. Uh, we detonate that stuff and, uh, observe it. It’s at the time of detonation mm-hmm. <affirmative>, we, we identify its signal behaviors, signaling behaviors, uh, both lookups as well as reach outs, things like that. Uh, we monitor all that and then we identify once we find them in the world, if we can we’ll, uh, uh, endeavor to participate. Uh, so meaning like make a bot client and see what they’re being told to do. Is it, you know, are you told to exfiltrate data? Are you told to DDoS someone, you know, what are you told to do as a bot? Mm-hmm. <affirmative>. So we try to better understand that, but then almost immediately what we do is we take that signal and we convert it into applicable network policy for owners and operators around the world so that they can, uh, you know, a reduce the unwanted traffic, you know, uh, and and whatnot that their network, uh, is being part of, especially for like DDoS, it’s a very, very powerful tool.

If you can get all the bots off your network, you know, uh, that’s, that’s a big win. Um, so we typically go through that process with them. But, uh, in the course of that, uh, and, and we have, uh, very good connective visibility. Uh, when we get back to that uh, stage, we can start to see what’s the victimology and things like that. Once we identify a C2, we say, Okay, what else is talking to this in the world? And, uh, is it tra uh, uh, traversing any networks where, where, uh, people have been kind enough to let us see, uh, what’s talking to these known bad things. Uh, so granted obviously it’s a race condition, right? Because as once, cuz we’re aware of the maliciousness at the time of, at the beginning of the process, right? And our products are updating globally, telling everybody’s policy, Don’t talk to this IP anymore.

It’s a known botnet controller, right? So we have a little bit of a race against time if we’re to see very many of the victims. Cuz this very, people who are often tell us about the victimology are the same people for who benefit from us telling them about the command and control server. Do you know what I’m saying? So mm-hmm. <affirmative>, it ends up being this kind of, uh, uh, we kind of steal our own ability over time to see, uh, uh, things, but it’s still, uh, you know, it’s for the benefit of the good. So it’s, it’s, you know, not the end of the world to not know. But that’s kind of how that process goes. And then all that victimology data, uh, as at least related to command and control servers, turns directly into reputational data, which says, Hey, we identified this host was talking to a command and control server at this, on this port at this time. You know, and so on. And that type of, uh, reporting.

John Verry (36:27):

Gotcha. So that reputational data would be, So what you’re saying is, um, you, you determined that my supply, someone in my supply chain had communication with a known bad device. We know that you’re, you’re, you’re sending out this message to let’s say all of the device and, um, services vendors, you know, so they know that’s a known bad actor. Mm-hmm. <affirmative>, if they, if they have a configured properly, you know, their firewall, their SOCs, whatever it might be, determines that yes, we’re going to respect that, that, that, uh, information we’re going to block any communication. Um, and you’re going to then, from a reputational perspective, let me know, uh, and maybe let the world know that this, this company over here had, that had that communication within the last end period of time.

David Monnier (37:13):

Exactly. And, and we do that, um, we do that for, uh, every IP every minute of every day. You know, like our, our, um, we have reputational information on, on, you know, every host. We’ve seen this behave, we run a massive network of honeypots and sinkholes and all this other stuff as well that collapse all of this bad behavior. So we have a key that we use, it’s actually like a, a 15-field key, uh, that will show you like categorically how many ways something has been misbehaving, uh, how long it’s been misbehaving, uh, how many, how long it’s been misbehaving for each of the ways, uh, if it’s a shared hosting environment. Like if it’s talking to, maybe your bot is talking to something that hosts 10,000 domains, cuz it’s some domain monetization service. Well, you need to know that before you make a reputational, you know, policy

John Verry (38:05):

Decision that Yeah. That’s been the problem. Like back in the day, you know, going back a long time ago, we tried to use a lot of those feeds mm-hmm. <affirmative> and the problem was those feeds were so damn noisy. And you know, that’s back in the day, back in the day, you know, you’d have an IP address that hosted 50 websites and one of those websites was, was compromised and 49 of them are okay. And you’re blocking traffic to all, all 50 websites. So Exactly that’s, I’m, I’m assuming that things have, I’m, I’m assuming that that’s one of the pieces of magic that you guys have developed over the years is to minimize the likelihood that happens, happens. I’m sure you can’t, you completely stop it.

David Monnier (38:37):

Okay. Right. And we are, uh, we are kind of unique in that fashion as well. Uh, we published our spec for it. We tried to, we hope other folks in the industry will pick it up the format, cuz then everybody in the industry can just start to use, you know, that algorithmic model. Uh, cuz we include things like time and, you know, and a lot of what we’re doing, uh, at our business isn’t just for our business. Like, um, our founder, Rob Thomas started the business to make the world a better place. And I mean it mm-hmm. <affirmative>, I know it sounds like lofty, uh, but he literally did. Um, so much of what we do, uh, like is it, would it be ethical to charge somebody money to let them know their house is on fire? No, of course not. You would go let them know their house is on fire.

Um, so for a lot of the things like that where, where we ask ourselves is it ethical? Should we give this away or should we, uh, gate guard this? Uh, and oftentimes we discover that the right thing to do is to give it away, to make it available. Uh, and so we take a lot of our methods, a lot of our technologies, uh, we’ve published, uh, you know, dark net guides like how to build a dark net sensor. Uh, a dark net sensor, a dark net sensor, uh, probably 20 something years ago. Uh, how to safely configure your routers. Uh, we’ve maintained those templates for years. Uh, we gave, like when Covid, everybody started working from home, we immediately gave everybody access. And I wanna say it was something like 50 queries an hour you could make to make sure that you are this new work from home staff that you had no policy, no visibility, no anything on.

If nothing else, we can tell you if we’ve seen ’em, you know, hit dark net. And we launched that, uh, capability. And I think we ran something like sustained gigabit traffic coming from this thing for like the first week and a half of it being available, cuz there was nobody else really had the ability for these people to come look stuff up. Um, so, uh, it was hugely popular and, and, but that’s just like how we’ve always conducted business. Rob Thomas is like, Hey, do the right thing and the business part will fall in line. What you can never do is get your soul back. You can’t go back and, and do the right thing after you didn’t do the right thing to begin with. I mean, you can always say you’re sorry and, you know, promise to do the right thing going forward, but you can never go back and undo that.

You did the wrong thing. Uh, so we operate with a do the right thing the first time, uh, since day one. So we’ve, funny enough, we’ve actually had people come work for us for, uh, you know, six, seven months and then they finally are like, Are you guys just trying not to make money? Like, I’m gonna go work somewhere else cuz I can’t get my head around it. <laugh>. Uh, but it’s, it’s, uh, it’s true. And I’m, I’m, you know, maybe just, uh, uh, some dumb Hoosier, uh, you know, but, uh, it works for me too. So it’s, uh, Yeah.

John Verry (41:17):

Well, you know, I I I I’d like to think that the vast majority of us that are in this space are doing it for altruistic reasons Yeah. As well. I mean, like, I feel good about what we do every day. I feel good about the fact that, you know, we’re helping hundreds of companies, those hundreds of companies have thousands of employees and, and those thousands of employees, you know, feed millions of people. Yeah. And if we, if we can prevent something bad from happening Right. You know, the company succeeds, the people succeed, you know, it make, it does, it does make the world a better place. And I, you know, and I especially feel that it’s equally more important in these time and dates when this has gone from being something which was just nuisance stuff to nation state adversary. And now you’re talking about, you know, our, our economy and our, our our sovereignty. Right. You know, is, is, Yeah. I know it sounds like you said, uh, uh, flowery, but it’s damn true. So I, I appreciate everything you guys are doing. Thank

David Monnier (42:06):

You. Yeah, thank you.

John Verry (42:08):

Um, we beat this up pretty good. Uh, I had one last question actually before mm-hmm. <affirmative> before we, uh, before we close, um, cool stuff. Uh, is it, is it targeted to Global 2000s? You know, is it targeted to, you know, SMBs? I mean, who, who is a target for your, uh, your, your products

David Monnier (42:26):

Right now? Medium and up is our overall target space, depending on the product itself, Uh, our Orbit is definitely a mid-market tool, uh, is definitely appropriate for medium sized businesses. Uh, we hope to get it, um, uh, worked out, uh, to where, you know, small businesses can just plug right in and go. Um, but we still do have this, uh, like I described, it’s a fairly extensive, uh, learning project. Uh, you know, that happens at the beginning of it. Uh, so for right now we’re, uh, kind of scaling it to, you know, meet medium and up. Um, but our Recon product, uh, is fully mature. Um, but it tends to need a more mature, mature team. Uh, if you, uh, I’ve given quite a few talks on our, the evolution of our hunting model, uh, based around, uh, methodology we refer to as threat reconnaissance.

Uh, you’ll see if you google those words, you, you, you could see it. Uh, some of my talks I, I believe are, are still available online. Um, but that method, um, that kind of, uh, deeper analytical effort does tend to require like a more mature team. So, you know, think a team that has a threat hunter, like actually on the team, um, uh, those types of folks tend to be in the Global 1000, you know, Global 1500, something like that. So we’re, we’re, uh, partly also, uh, focused on that space, but it’s really just about who can use the tool. Uh, cuz it’s not, it’s not super easy. Uh, if you don’t have, you know, a good technical background, Recon that is. Our Orbit tool is very easy to use, uh, relative

John Verry (43:59):

To it. Okay. So the hope, the hope is that at some point that the Orbit tool will be something suitable for the SME space.

David Monnier (44:05):

Yeah, so, well, yeah. We, I I would argue we’re ready for the medium now. Uh, we’re just not quite to the small, uh, stage. Okay. And, but, but what we are, uh, what we’re focusing on is kind of lowering that curve at the beginning of the process, that analytical discovery effort, uh, in trying to make better use of some other machine learning methodologies. Uh, because it turns out there is a kind of a, uh, uh, there is a, a rhythm to the madness that is, is the internet. Uh, and, and you can, you know, people do tend to name their stuff in kind of similar ways and discoverability as we are, as we’re learning. Uh, now, uh, there are some methodologies that you can use to automate discoverability and, and I’m not just talking about crawling IP space, you know, but like other, uh, signal discovery methods, you know, looking for variations of domain names and passive DNS data, for example.

John Verry (44:53):

Mm-hmm. <affirmative>. Yeah, exactly. Yeah. Um, alright, um, I think we beat this up pretty good. Any, any last thoughts?

David Monnier (45:00):

No, nothing for me. Thanks much for having us on.

John Verry (45:02):

Yeah. This is fun. So, so I, I didn’t give you the warning. Should I ask you the question?

David Monnier (45:08):

Uh, I, I probably won’t have any good, uh,

John Verry (45:11):

Example then, then I won’t answer the question. And, and this one’s on me, so I apologize.

David Monnier (45:15):

No sweat.

John Verry (45:16):

Yeah, no sweat. So, so, so if someone, so now it’s interesting, you know, it’s Cymru mm-hmm. <affirmative>. But yet just for the people that are listening, it’s spelled very different. If you’re looking for it, it’s C Y M R U. Uh, if somebody wants to get in touch with you guys, what’s the best way to do that?

David Monnier (45:30):

Uh, that’s We’ll redirect you to our website. Uh, we have a, a couple different Twitter feeds. Uh, our research team has a Twitter feed of its own, uh, it’s probably worth, uh, checking out our other, uh, if you wanna see our events and whatnot, uh, goes through that Twitter feed. Uh, we also have, uh, a no cost curated news offering called Dragon News Bites. Uh, if people are interested in that, um, they can find that under our community section and also a number of, uh, community projects that we run, uh, again, uh, geared towards making the internet a better place. And they can find those on our website as well. But that’s, uh, C Y M R is probably the best place to get started.

John Verry (46:09):

Awesome, man. Thank you. I appreciate, appreciate your time today. Thanks John.