Targeting the Big Get: How Hackers Exploit Key Suppliers & Platforms

Cyberattacks are disrupting entire industries. We discuss the implications of supplier attacks and platform exploits, and share what MSPs can do to protect their customers.

Posted on July 11, 2024

Transcript

Kirstin Burke:
Hello, everybody. Welcome to WhiteDog’s Security Bytes for the month of July. I can't believe we're almost halfway into the month of July, but here we are. I'm Kirstin Burke, and I'm joined by WhiteDog’s founder and big brains, Shahin Pirooz. Welcome, Shahin.  

Shahin Pirooz:
Hi, everyone.  

Kirstin Burke:
I'm really excited about our topic this month. Anyone who's paying attention to the headlines is just seeing all of this activity. We're calling it targeting the big get. Take a look at the hackers, and the supply chains they are targeting, and the platforms they're targeting, and it's so monumental, just in the last six months what we've seen. The first, we're going to talk about two big gets. We're going to talk about the supplier chains and we're going to talk about platforms.  

And the way that I'm thinking about the supplier chains, and we were joking about it a little earlier, they're shakedowns, right? You look at Change Healthcare, you look at CDK, you look at these organizations who really supply an entire industry. There's an entire supply chain, and even the CDK breach, they're talking about it possibly affecting the GDP.  

So you take a look at having that supplier hacked and there's not a lot of room to hold out and say, sorry, we're not gonna pay a ransom because you've got everybody in the supply chain saying, we gotta resolve this now. When we think about that kind of shakedown strategy, can you peel that apart for us?  

Shahin Pirooz:
Yeah. Ultimately, what's going on is the same thing that happens to any enterprise. They're getting phished. They hook a phish. They then implement their tools. They implement ransomware. They ransom the environment. And that's where the shakedown starts. Pay or we're not going to release. And the problem is in a single enterprise, you're impacting that single enterprise's revenue. In a supplier supply chain scenario, when you're talking about either Change Health for the healthcare environment or you're talking about CDK for the automotive environment, all the downstream stuff. Think about for the automotive space. You can't sign leases, you can't sell a car, you can't whatever. In the healthcare you can't do your prescriptions, you can't send bills, you can't collect money, so all the downstream stuff that is impacted you're now impacting hundreds of thousands of little enterprises that are relying on these suppliers to do business.

So the implication is you're targeting one company that impacts a much larger breadth, and they have no choice but to pay the ransom. Because it's no longer about just reputation, it's you're impacting the business and livelihood of all these downstream people.  

Kirstin Burke:
Well, and all of those downstream companies all have customers screaming in their ear saying, you go all the way to the end customer who's saying either I can't buy a car or I can't pay my bills or I can't pick up my prescription.

Shahin Pirooz:
Any of the above.

Kirstin Burke:
And so it's so far reaching. It's interesting because this isn't the first we've seen of this, right? Years ago, I think we all think about the Target breach or something like that where it was an HVAC supplier where that bad actor got in. But you look at how, I guess, the creativity of our adversary is saying, huh, so if I could hit a target like that through a third party, what could I do to affect even a larger ecosystem and, in fact, have a very successful shakedown because, you know, quite frankly, these organizations have no choice.

Shahin Pirooz:
They have no choice. And it's when you look at the difference, the maturity of this supplier attack, starting from the Target breach, which was the first really big, oh my god, this is huge. What happened back then was the bad actors recognized that the HVAC manufacturer, who has a backdoor into Target, doesn't have the same stringent controls that Target does. So it's going to be a lot easier to get into Target by compromising that network and by doing ransomware there, not ransomware, in that case, they were basically trying to get passwords and use the passwords to get into the Target environment, and then steal data and exfiltrate data. In that scenario, they weren't trying to shut down Target, they were basically taking data and embarrassing them and saying, we have all your customer data, pay them.

And in this case what the tactic has shifted to is I could target one healthcare company, let's pick on Kaiser for a second. I could target Kaiser and probably get ransom out of it. Maybe they've got pretty good security. They probably have better security than Change did. And the reason is these manufacturers of technologies or supply chain infrastructure or platforms that are supposed to be helping the ecosystem of customers they build this for are not security providers. They are a healthcare management platform. So should security be everyone's responsibility? A hundred percent. US government, NIST, everybody's trying to make security a primary thing. There's all these conversations about shift left, but security in the development cycle have less compromises. But the reality is every platform has compromises and we aren't going to catch every single one of them. So it's a lot easier to, rather than try to target the platform, the software itself, to target the company that wrote the software, because they're probably not putting the same level of energy into their own network security that they are into the development of the platform they're putting in customers, because there are controls and guidelines and all that and how you certify a piece of software that is secure for consumption in this space.  

So the shift changed from I'm going to take advantage of this company who has less security to get into a big company to I'm going to take advantage of this company who's writing software for all these companies, because they probably don't have the same security as all these companies I'm targeting.  

Kirstin Burke:
Well, I think the interesting thing we're seeing as we look at maybe the MSP space, right? A lot of folks we talk to, in some cases they target a specific industry, right? They're working with the banking industry, the financial industry, you know, et cetera. And what they're seeing is a lot of these larger organizations recognize the downstream risk, if you will. And so they're now telling their suppliers, hey, in order to be a partner with us, you have to meet these more rigorous security standards.  

And in some cases, either that end supplier or the MSP who works with them is saying, wait a minute, you know, I'm only equipped to take you this far, yet they've now got pressure to very quickly adapt and improve their security posture. And oftentimes these MSPs don't have the wherewithal to do that, to do it quickly and to do it confidently. And so I think that's where MSPs are seeing some of the rub, which is we have to up our game fast to help our customers stay engaged with their partners.  

Shahin Pirooz:
And it's not just the MSPs, it's really everybody in the supply chain, in the ecosystem. The third party risk is what that security assessment of your third party partners, providers, downstream or upstream, however you want to look at that control set is. And the problem with third party risk is up until recently, it was a spreadsheet you would send out to all your suppliers. And they said yes, no, yes, no, yes, no, yes, no. And if it was a no, they had to explain it. What supplier’s going to say no? They're just going to say yes, yes, yes, yes, yes. And then when the HVAC vendor gets compromised, they go back to the spreadsheet that they filled out by hand with no inspection and say, you said yes. Like, well, sort of, you know, that's an example of where the traditional approach to a checkbox security model, which is yes, we did a third party risk survey isn't really doing a third party risk.  

Fast forward to today. One of the things we enable for our MSP partners is, in our platform, we actually have a third party risk assessment that is doing an external posture and looking for compromises and giving at least the sense of this company has their act together or they don't. And, our MSPs can take that third party risk and offer it to their customers across all of their supply chain. So now you have this very easy way to do, instead of a subjective yes/no survey, a scan, an external security posture scan of your third parties that you're using to say, are you actually doing the things you say you do, at least from an outside perspective? Are there any glaring holes? And should I be concerned about doing business with you because there's glaring holes outside of the environment?  

Kirstin Burke:
Well, and I think the other benefit to that scan, right, is a checkbox is a point in time, right? And was that three months ago, one year ago, two years ago, and having this scan that can be done continuously is going to help you find that vulnerability, you know, if it gets even worse, bring down that dwell time much, much faster than would ordinarily happen.  

Shahin Pirooz:
Exactly. And I think it's, you know, we're getting a little bit off topic here, but it's pretty important because a lot of people are going to hear what I just said and say, oh, we already have an external scanning tool. There are a million external scanning tools out there. And the problem with every single one of them is that all they do is they scan for vulnerabilities and show you a list of vulnerabilities. And they usually don't crawl deep. Some of them do. There's a handful that are decent that'll start crawling URLs and get deeper and deeper and find vulnerabilities. Not a single one of them out there is actually looking to see, based on the MITRE tactics and exploits that are out there, this vulnerability has the following exploits, let's try to take advantage of those exploits and see if they can be exploited or not. So, is it actually exploitable?  

Kirstin Burke:
So taking it to that next level.  

Shahin Pirooz:
Not just the vulnerability. I found the vulnerability. I found the CVE. But can I take advantage of the exploit? And that's what we do. So we take it to that next level. We scan the dark web. We use credentials from the dark web. And talking about what the bad actors are doing, the largest password leak on the planet just happened.  

Kirstin Burke:
Just happened, yeah.  

Shahin Pirooz:
And what was it, 200 million passwords? Those passwords are now things they're gonna use to try to get into customers' environments, use for phishing, use for, and continue to target these supply chain attacks.  

Kirstin Burke:
So the scanning is even more valuable this week than it was last week.  

Shahin Pirooz:
Yes. We have, we have much better passwords now.  

Kirstin Burke:
Yeah, yeah. So, so we talked about the shakedown, right? So, if we switch over to, I guess let's call it downstream, right? We have these other large scenarios that we're seeing where, the hackers or the adversaries are saying, hey, I'm gonna attack you, but I'm not in there to attack you, I'm there to get access to your downstream customers. So again, it's scale, right? I'm not just getting access to you, but I now have access to a universe of 1,000, 5,000, 10,000, where I can now go in and try to hack all these different places. We're seeing in MSP space, it is kind of a bigger deal because a lot, not a lot, but some of the platforms they rely on, a lot of them rely on, have been vulnerable in this way.  

Shahin Pirooz:
Specifically, the RMM platforms that MSPs use are being targeted. We saw Kaseya get hit. We saw ConnectWise get hit. Part of the challenge is these are platform attacks. They're targeting the platform exploit or vulnerability because they recognize that that platform has access to, again, hundreds or thousands of companies’ endpoints. And once you get access to the endpoint and can use elevated privileges because of the platform, you can deploy ransomware events. So now, they're using these tools as a conduit to get to a much broader set of environments, and instead of getting the one $60 million ransom they're getting sixty $3 million ransoms. And so the impact, the implication, is that it is kind of a crossover between the supplier because it's still one supplier that's supplying this platform to the ecosystem, but they're not targeting the supplier in this case, they're targeting the platform in order to get access to the end customers, to the downstream customers.

Kirstin Burke:
So if you are an MSP who relies on one of these platforms, what is it, what are your options? What do you do? Because a lot of these people are going to say, well, ConnectWise is key to what I do. It's not like I'm going to walk away, understanding ConnectWise isn't necessarily a security company. You know, how does an MSP plan understanding the platforms they use may introduce some vulnerabilities either to them or their customer base? What do they do?  

Shahin Pirooz:
Well, the part of the challenge comes in that these players are now positioning themselves as security platforms. And they're really not. They're aggregators of security tools. And that misnomer of being a security platform implies a lot of security knowledge, implies a lot of security experience, implies the proper monitoring and closure of exploits and vulnerabilities and so on and so forth. But they're an aggregator of tools. And many of those are security tools. And an aggregator of tools is really no different than a distributor. And a distributor isn't really a security player. They're just a single place to go and consume the things that you need to run your business.  

The implication is that, as an MSP, you have no control over those vulnerabilities or exploits. You rely on the manufacturer to close them. And if their security tools aren't even catching, the security tools they're selling you, aren't even catching these exploits and can't prevent it and can't help you with it. You now have this like domino system of problems that keep building in your ecosystem because of this reliance on a single vendor. And that sounds very hypocritical because here we are, WhiteDog, a single vendor of a security platform we've developed. And I think, you know, the easy question is why WhiteDog and not these other places?

Kirstin Burke:
You stole my question!  

Shahin Pirooz:
I know. I'm sorry. It's my head started going there. I do that. And, but yes, this is what 25 years does.

The difference between what we've tried to bring to market from single manufacturers that do aggregation of technologies and try to embed them and integrate them into their platform and these, let's call them RMM, PSA manufacturers that are buying security companies to make it a single point marketplace of technologies, is that we're not bringing you a bunch of different consoles. In some ways we are, we give you access to all the consoles.  

But we're bringing you a single, unified, integrated platform that's composed of all of the best-in-class tools in the market, and we continuously innovate and improve those tools. If the tools aren't effective, we change them. If there is an exploit in a tool and it can't be fixed, we replace it. So we're constantly improving the back-end ecosystem whereas when you're dealing with a manufacturer they can't replace the tool that they sold you, they have to figure out how to fix it. So that's tremendous development cycles, that's tremendous effort. And then, I've said this before, those technologies end up developing technical debt. The life of a security tool is five to ten years max, and I'm being super generous at ten. It's really three to five years.  

So the life of a security tool because of technical debt, what does technical debt mean? It means that I continue to add features, functionalities to be able to ward off or battle or detect bad actors as they change their tactics. But there's so much I've added, now to make a change for the new tactics that are coming out, or if the tactics stop coming from left field, they start coming from right field. I'm pointing the wrong direction, but you get the idea. Those tactics are now too difficult because of the technical debt to adapt to and adjust for. So what's left? I have to rewrite the whole platform.  

You know what WhiteDog does? We take that tool and move it aside, and put in a tool that has addressed these problems, and is modern, and is current, and put it in place. And overnight, with no impact to our customers, with no impact to the MSPs and their downstream customers. You now have the best-in-class tool again dealing with the problem with no hiccups in the ecosystem. So that's really the key difference. It's really hard for a manufacturer to get around or bypass technical debt because they own the tool. They have no incentive to sell you another tool that does it better. Their only option is to go buy something that does it better and figure out how to integrate and migrate from one to the other. That's what we do. We do it without the burden of technical debt.  

Kirstin Burke:
Well, and you kind of just alluded to what I was thinking listening to you talk. You think about the difference, really, you know, you said there's a lot of acquisition happening to create a singular marketplace, right? So I can go and I can pick if I need something for, you know, phishing or finding something for email or whatever, I can select from that marketplace of vendors or tools that you have purchased.  

Shahin Pirooz:
Right. I may have one or two vendors instead of 30.  

Kirstin Burke:
Right.  

Shahin Pirooz:
But I'm buying 30 products.  

Kirstin Burke:
So there, so it's almost a replication of what an end customer or MSP might be, which is tool centric. I will go buy a tool. I will sell you a tool. You will use a tool. Whereas, when I think about WhiteDog and kind of the fundamental differences, we're not trying to buy and push tools.

Shahin Pirooz:
We're not a tool.

Kirstin Burke:
We are not a tool, and we have a t-shirt to prove it. But what we're doing is saying we understand going in that these tools are dynamic. So we are solving a service problem, a feature functionality problem, we're not really trying to solve a tool problem. We're not trying to solve email security, we are saying as a cybersecurity platform, what are those vectors where you need to secure and what are the best ways to do that? So the tool question, it doesn't really become a tool question because those are replaceable and the platform has been built, really, to replace them because we know that they will not stay, the leader will not stay the leader.

Shahin Pirooz:
Right.

Kirstin Burke:
The other thing that came to mind is integration, right? So if you're offering a marketplace of tools, how well did they play together? And how well do they integrate together, and how well do they stay integrated together? Because we talked about configuration drift. We talked about all these different ways that just over a very short course of time, you create gaps, not even intentionally. And the cybersecurity platform that WhiteDog has invested in has constant attention paid to any drift that is going on on the back end that, again, an MSP doesn't need to worry about.  

Shahin Pirooz:
Exactly. So the other aspect of this, I think that probably one of the most critical factors here is that that ecosystem drift happens sometimes faster than three to five years because there is this technology that gets created, and the speed that bad actors are moving, now that we've got, you know, there's a lot of talk and conversation about how AI is accelerating the ability for bad actors who don't have extensive talent, they're new, they're script kiddies, but now they're not even having to write the scripts. They're literally going to, there are equivalent ChatGPTs in the dark web for them to be able to generate bad scripts, or malicious scripts more accurately.

Because of that acceleration, technical debt is becoming a bigger and bigger and bigger problem. And it's going to start the same issue or challenge that technology has had that, I think I just put out an article that talked about how Bill Gates years ago at the launch of XP said, it's not the operating system, it's not the platform, it's the network that's the problem because it can't keep up with all, the broadband can't keep up with what we're trying to do. And he said the network will catch up, and he was relying on Moore's law to let the network catch up.  

We have the opposite problem where the bad actors are moving so much faster and technology is allowing them, Moore's law is allowing them to move that much faster. And we're literally just keeping on their coattails. And if we were stuck chasing coattails and we were stuck with the same tool and we weren't able to change our tool easily, that tool-centric approach becomes a serious problem because now we are 100% dependent on the manufacturer to stay on top of it. And not every manufacturer does, which is why they fold and go away. Think about the endpoint security tool you used 10 years ago. Think about the one you use five years ago. They change because they can't keep up.  

So what is it the paradigm shift we're trying to make is, in order to properly secure an environment, you have got to stop thinking about the underlying technology, but you have to be thinking about the outcomes and the features, as you said, that you need to address security problems. And do the technologies under the surface meet those requirements is the key question. And the, that paradigm shift is what WhiteDog is trying to bring to the table is stop focusing on, I'm going to go back to a cell phone model, this is a consumption based service approach. Stop thinking about does this cell phone only support TDMA or CDMA? You don't care anymore. Like nobody talks about what's the underlying network anymore. I mean, only if you're in an area where you've got to pick the telco that covers that area the best. But outside of that, you don't care how the voice is getting from that device to the tower to the other device on the other end or how they interact because that has become ubiquitous.  

Security tools are the only thing in IT technology that is not ubiquitous. There is a huge religion around what tool I use. And it shouldn't be. It should just be meeting a set of requirements to secure the platform and outcome we're trying to achieve, which is detect, like our whole mission, the entire mission that all security people should have is reduce dwell time. Because they're going to dwell. You just got to get dwell time down to a point where they can't cause impact. And that's our entire mission is taking that average of 200 days or six months of dwell time down to six minutes.  

Kirstin Burke:
So if we go back to the big gets, and I know we kind of went on a couple tangents, but I think they're relevant, right? Because none of this happens in a vacuum. We talked about the shakedown. We talked about the downstream attack. But what's encouraging to me is we are not helpless. You know, it's not I mean, these attacks are going to happen and the adversary is going to continue to innovate and to say, OK, how do I get the biggest bang for my effort? And so right now we see these two scenarios that are, you know, big reward for the effort. But what I'm hearing is, you know, as WhiteDog or find another provider that can do this, that there are things that you can do.

Shahin Pirooz:
Good luck.  

Kirstin Burke:
Good luck, he says. There are things you can do to further protect, to further evaluate. You know the continuous scanning, you know, if you are using these PSA or RMM so that there are safeguards that you can put in place if you've got a cybersecurity platform like a WhiteDog that is really not focusing so much on the tool orientation, but, you know, from the shakedown, right, it's okay. We need to know where our vulnerabilities from our suppliers are all the time. That is your requirement. So go find someone who can fulfill that requirement, right, on the other side, on the downstream, right? We need to make sure that whatever platforms we're using, that those feeds can somehow come into a place where we can build them into our monitoring and management. And I'm sure there are other things, because you're the guru. But I think that the end result here is there are answers to some of these very overwhelming problems.  

And we're not, to your point, we are not going to stop every attack. We are not going to be able to be in front of these adversaries. The best we can do is be able to identify things fast, reduce dwell time dramatically. That's what we have to do. And to your point, that's what WhiteDog is in the market to offer. I hope this has been interesting. I hope this has been helpful to all of you. I always learn something new when we sit down and talk. But we encourage you to reach out to us if these are some of the things you're thinking about or even if something we mentioned got a different thought going. Have a conversation.  

Also, we're going to be at several events this summer. We will be at XChange Security next week. We will be in San Antonio in August. So if you're an MSP who's going to be there, come find us. Come find the WhiteDog booth. Shahin will be there along with Brian Moody, who's our channel chief. And we'd love to have a conversation with you. We'll leave it at that. Thank you for joining us. We'll see you next time.  

Shahin Pirooz:
Thanks, everyone.
