Brian Moody:
We're taking on a topic here today. I read something this week that just set me back, again. And it was executive protection at home is 'the', not 'a', but the major gap in cybersecurity. And it kind of set me back because I think this is why you founded this company, Shahin.
Shahin Pirooz:
Maybe we picked the wrong topic. We should have focused on executive security at home.
Brian Moody:
But I think this is one of the key reasons why you founded this company. And it drives from frustration in this security business from a standpoint of the claims that so many of these tool manufacturers make with respect to their tool, and they're targeting very specific things, and security is a much broader topic. Now, executive security without question is important and it is a focus. Executives are targeted but I think on a broader scale security is much broader, and executives are not the only ones that are targeted in the organization.
So let's take a couple of examples. Target, 2013, this was actually not even an employee. So this was a contractor that was targeted, an entry level contractor that was accessing the target infrastructure. Twitter in 2020. Again, low level employee, not a Twitter executive, low level employee. The Colonial Pipeline attack. Now, again, we're talking not even an employee of the organization, a contractor that was focused gaining entry into the organization. And then finally I'll call out Uber in 2022. An IT administrator, social engineering attack against that individual. None of these major attacks involved an executive at all.
Shahin Pirooz:
Now I don't want to have folks walk away from this and think that these WhiteDog guys are fools. They don't realize how important executive security is. And Brian said it, it is. It's critical, it's important. You have to put energy into security awareness training because there's a lot of attacks that are going to come that are business email compromise attacks, they are targeted phishing and whaling attacks. They're intended to fool a low-level employee to do something, in the context of they're helping an executive. So it is critical that we protect executives. And as the companies get bigger then brand becomes a problem, social media becomes a problem. There's a lot of factors associated with this. So while this article has a noble topic to talk about, it surely is not the only thing, and it is, to your point, fundamentally the issue that WhiteDog had with cybersecurity today.
When we started WhiteDog, there were 3,500 cybersecurity firms that when you sat down with a VAR or reseller, they would open up their catalog of products they can sell you, and it was categories like endpoint security, email security, DNS security, all these things where each category had 20, 30 manufacturers in it. And you had to, as an organization, figure out which manufacturers are doing this better than anybody else.
And fast forward to today, there's over 5,000 technology security companies and they keep popping up with very specialized use cases like this one here, which is they focus on executive security. There's another that focuses on social media security for executives or brands. So these challenges that these things create is now you have instead of a security stack of about 20 technologies to do proper security, now you have hundreds of little tools that you're having to manage and figure out how to integrate, how to support, how do you get visibility across all of these things, and if something happens in this tool, is the SOC notified so they can start taking actions and doing things on the backend. So, brilliant effort to try to solve a problem that's out there. Miserable failure in the fact that there is no integration amongst all these technologies. And that's the fundamental problem with our security ecosystem in the market today.
Brian Moody:
Well this is where I think we get back to, and you've heard us oftentimes talk about technology debt is, as these environments get more complicated, as new capabilities come out and become advertised the marketing executives at these companies are really, really good, right? And so I think they steal the attention of really what's required. And what I think we've done at WhiteDog is take a broader approach. So can you talk a little bit about why today's cyber threat landscape requires kind of a broader perspective than what seems to be this tool-specific marketing approach in our industry?
Shahin Pirooz:
WhiteDog is effectively 25 odd years in development in my head. It's basically the experiences of building a global managed service provider and understanding the types of things we had to do from security and securing thousands of customers and tens of thousands of sites across the globe. And, did that in 14 different languages and learned a lot about what are the challenges that we face as a security organization trying to protect this world.
And the fundamental thing that everything came down to and the design of everything I did in that company and in this company today is there is no edge. The edge is gone. And I'm not talking about the conversations that have come up in the last five years. I'm talking about this was in 2001 when I made that statement. There is no edge. We have to treat people exactly the same. No matter whether they're sitting in a Starbucks, they're sitting in the home office, they're sitting in the corporate office or they're sitting at a customer site. It makes no difference where the individual is sitting. They should get the same level of service wherever they are. Do what you need to do, from where you need to do it from. Not have to go to a specific place in order to be secured to do X, Y and Z.
So the concept of filtered rooms and glass houses and all that, in our minds, goes away to let's figure out how to extend a blanket or the cone of silence if you will, to wherever the individual is to do what they need to do. With that mindset, we took and built the technologies, the capabilities, the integrations and the services that we brought to market to be able to stand behind that mission of there is no edge and everybody needs to be secure.
Brian Moody:
So, really it's about a solution, overall platform than it is--the individual pieces make that up, but the challenges associated with end customers and for us here at WhiteDog, it's our partners who are working to implement these infrastructures to take to their customers because, if this is your first time with us here at WhiteDog, we don't sell direct to end customers. We are a channel only organization and we drive our business through our very valued channel partners. So addressing the challenge that they have about building out these solutions, building out these platforms, they are just bombarded with this tool-centric mindset. And every time a new attack vector comes out, every time a new capability comes out, they're adding, you know, another club in the bag so to speak that they have to manage.
Shahin Pirooz:
Exactly. We talked about it in our previous Sound Byte when we were talking about announcing our open XDR offering that's coming out, it's kind of funny talking about launching an open XDR offering. When you look at the definition of open XDR, it's WhiteDog except we are managing all the components behind the scenes. But when you think about why open XDR is important is the market has finally started to realize that these monolithic single vendor security stacks aren't the be all end all. They are potentially great at one thing, but they can't be great at the 30 other things they need to be great at.
And, we've talked repeatedly about technical debt. If you are good at one thing, you may not stay good at that one thing over the long haul. So maybe another one of your tools in your stack becomes really good because the market shifts and that becomes a focus from a security perspective. So open XDR is intended to say we're going to be agnostic. It's not a single vendor approach. It's we're going to take best in class tools and then we're going to have an overlay interface for monitoring and managing it. And all of those things are brilliant, but what traditional open XDR solutions, or I guess modern is probably a better way to put it, don't really talk about is the same problem. If you build it yourself, you still have to manage all the tools, all the consoles, configure them, upgrade them, maintain them, make sure you're doing correlation rules, and fine tuning, and filtering.
What WhiteDog brings to the table that addresses both sides of that world now is, if you have a penchant for building it or you've made an investment in your technology stack and love it, you can leverage our open XDR to be an overlay on top of it, which is all the knowledge, threat hunting and everything else we did build on top of our own XDR offering, we take that and apply it to your stack. On the other hand, if you don't want to manage the contracts, install the tools, upgrade the tools, train your staff, deploy the tools, configure the tools, then do tech evaluations next year to see if that tool is still a good tool and replace it. We have a full XDR stack which is integrated components and we take care of all that pain on the backend for you. So if you think about where the challenge is with this individual, absolutely executive security is critical, and we embedded in four of our services. But to have a company come out and say 'this is the thing', when Brian shared that article with me, I lost my mind as well.
Brian Moody:
It's 'the' thing. Now let's be clear.
Shahin Pirooz:
It's the only thing.
Brian Moody:
It's the critical, you know, aspect of what's missing in cybersecurity.
Shahin Pirooz:
And that is fundamentally the frustration, to your point earlier, that led us to put together WhiteDog and come to market. It was every security player out there is saying that theirs is 'the' thing, and they solve it, and there's nothing else you need. That's the implication. It's not true. Don't fall for the trap.
Brian Moody:
Well, I think the other dynamic that we've seen, and we've been watching this for a decade now in cybersecurity, you talk about how we put this together, but best in class technologies. And I think it's the unique architecture that WhiteDog really brings to market is the fact that we aren't beholden to anyone. Now, we test and have very, very strong OEM relationships with our partners, but in the same token, we have an expectation around those partners continuing to do what they do at the level they do it at today.
But what we do is constantly test that technology to make sure that it's most effective. And if we need to add something, which we've got some exciting, and we talked last Sound Bytes, about some new capabilities and technologies that we have coming out in our XDR platform. But we continue to innovate with respect to that platform. And I think what we've been watching for decades now are the larger OEMs trying to build out their infrastructure. And again, I've heard you say this time and time again, is that they acquire technologies in order to become broader security companies, but they're not necessarily the best at what they do.
Shahin Pirooz:
Not just that, but they don't have the expertise to continue to maintain it. And oftentimes the founders of those technologies, they take their two years of golden handcuffs, and as soon as those two years are up, all of that vision and innovation and everything that built that company is gone. You do have sometimes the engineering tool team staying behind, but the top minds—including the founders and all of the top engineers that they brought to build the core stack—they end up going and doing a next startup. So acquisition ends up destroying technologies more than it does creating a better technology. There are some companies that have the wherewithal and the fortitude to take their own teams and integrate them and make them part of their technology stack, but that's rare.
Brian Moody:
I've got a personal example of that right now. My son worked for an organization that sold a cybersecurity tool. They were acquired by Equifax, and over the last two years, my son has communicated with me, but we've watched 90% of the people in that organization were let go. So to your point, that tool set was great, but all the folks that developed it, knew about it, sold it, marketed it, it got absorbed up into the larger organization, and 90% of the organization literally was decimated with respect to what brought that tool to its capability, to where Equifax wanted to step in and buy it. So it's exactly what happens I think. Talk a little bit more, which I think is interesting, so, tools, tools, tools. We have tools. I mean we utilize probably 45+ tools across our organization.
But one of the things that you have mentioned all the time, which I think is so important, and I think it truly is part of our open XDR, but the key IP behind WhiteDog is talk about the man we put in the guard tower. Talk about our guard. Because you say you can stand all these tools up, which I think our partners do this, and customers do this. They stand all these tools up and then the technology debt associated with manning them, but without that guard in the guard tower. So talk to us about that guard.
Shahin Pirooz:
Yeah, it's fundamentally, these tools, and let's say that you implement an open XDR solution or a SIEM solution, but you don't staff a SOC, you don't staff it 24 by 7. You now have this deficit. The analogy that Brian's talking about, I always say having a SIEM without a SOC is like having a guard tower without a guard.
You won't see the bad actors breaching your walls until after they're in your courtyard. And that's too late. The attack has started. Now you're 100% reactionary, and now you're figuring out how to stop it, and how to prevent it, and how to lock down, and how to recover from backup versus if you have, our entire mission, and those of you who have seen these before have repeatedly heard me say, on average a bad actor is inside a network for 200 days. That's six months. Six months that people, and some of these breaches that Brian talked about, it was even longer than that. The Target breach was almost 18 months before they pulled the trigger. So six months that they're sitting inside the network rooting around, trying to figure out where the crown jewels are, and where to pull the trigger to cause the biggest impact and therefore get the biggest ransom.
We take six months down to six minutes. We take dwell time from six months down to six minutes. We have done it consistently for over eight years now. The longest detection cycle we had was three days. The shortest was seconds. But, on average, we're seeing that six minute time frame. And that was the mission we set out when we built WhiteDog, was we will take dwell time from six months to six minutes. And at the time, it was an arbitrary number. Today, it's a fact. It's what we do. And that threat hunting piece is what Brian's referring to.
No matter what you do, if you're not threat hunting for bad actors inside your network and looking for anomalies, and I don't mean AI based, because AI is great, but AI is prone to hallucinations. AI can easily be fooled if something looks normal. So AI is beneficial to help reduce the load on the analyst. But you still need analysts. And the fundamental thing that we decided to do differently and now all of our competitors are doing is we have 24 by 7 security operations. And many of our competitors have added 24 by 7 security operations. Now they don't go to the extent we do. They become more of an alert triage group, but--
Brian Moody:
Monitor, identify, notify.
Shahin Pirooz:
Those are Brian's favorite three words.
Brian Moody:
That's my favorite three words.
Shahin Pirooz:
But what we do is we actually have no goals or metrics for our analysts other than find the threats. The analyst job is threat hunting. They're not allowed to do anything else. Whenever one of our supervisors gives them something to do that isn't threat hunting, you'll hear somebody else say, wait, that's not threat hunting. And the reason we get so dogmatic about this, no pun intended, or maybe intended, is that we really are trying to create this culture of let's get that dwell time down to six minutes. And the minute we start straying away from our mission of threat hunting, we will lose focus on that, and we will not deliver what we commit to deliver to our partners. The tool stack is phenomenal. We think, obviously we're biased, we think we do a really good job of picking best in class tools. I've certainly had partners who said, you don't know what the heck you're doing. Everybody's got their opinions and everybody has religions, part of which is why we launched open XDR. We're not here to battle what tool is the best tool or not with anybody. We're here to provide threat hunting at a level that's not been done in the industry yet.
Brian Moody:
So that's one of the big differentiators. I think the other piece that you didn't touch on was, and what we're seeing other folks, so you said other companies now are starting to bring in this 7 by 24 operations, and we are seeing that. So they're beginning to combine their tool sets through acquisition, and they're now beginning to offer seven by 24 security operations. What we're also seeing companies start, and we just saw a major announcement from Palo Alto last year with respect to continuous incident response. You implemented continuous incident response in this company eight years ago. Talk about that a bit.
Shahin Pirooz:
It's actually one of my favorite stories. When we first started going to conferences, I was in a boardroom and one of the board members said, how could you give away continuous incident response at no charge? Is your service that bad? And I said, I nodded my head a little and I said, I think it's actually the opposite. And then before I could finish, another person in the room said, have you never seen the Maytag commercials?
So, the fundamental thing is, if we're doing our job well enough, giving away incident response is basically an insurance policy that hopefully you'll never have to tap into. The comfort and the relief we give our partners is, look, if something happens, our experts are here to help you. We're going to jump in, we'll do the incident command if you want, or we'll ride herd behind your incident commander. We'll give you directions, we'll give you guidance, we'll tell you the things you need to do. We'll help you recover.
And we've done hundreds of incident responses, all of which have become customers of ours after the incident response, which is pretty typical in this industry. Usually you find out you need cybersecurity after you've been breached. Unfortunately it's kind of like backups. You don't realize you need backups until after you can't get your data back.
And so continuous incident response was one of those things for me that had to be table stakes. If we're going to say we're doing this thing and finding, reducing dwell time by that factor of going from six months to six minutes, we should be able to, within six minutes, identify a bad actor and therefore prevent them from causing problems. Therefore, we should be able to put our skin in the game and say, we will provide incident response if something bad happens. It's not a guarantee. It's a commitment. We are here, we're always here to back up our partners. And we recognize that many of our partners don't have cyber security expertise. Some do. Some are phenomenal experts in the field, but many don't. And they could use the help if something goes wrong. And we want them to feel comfortable that they have it. And I can tell you that we've jumped in and helped several partners when they've had challenges. And the first question we get is, what do we owe you? And it's like, nothing. It's included.
Brian Moody:
Well, I think the other aspect of that is it's all about timing, because it's how quickly do you respond. I think the other shift that you implemented that's a little bit different than we've seen industry wide is, if you think about it, you mentioned we can be the responders, we could be incident commander. So start to break down those components of response. What you see also in some of our competition is the actual response team isn't the same as the SOC team that actually identified this.
So many times what we see, that in the response, you've got a SOC team handing off to a response team. They're not the same team, they're not the same organization. The response team actually now has to come up to speed with respect to the telemetry and the data. And you change that within a WhiteDog SOC, because our response team and our analyst team are the same team.
Shahin Pirooz:
We do have incident responders that step in and support the incident response, but the SOC stays engaged and they're the people who are doing the lookups, the investigations, the further research based on what the commanders are asking for. What's interesting is we've seen, we made a conscious decision not to implement a forensics functionality. We do have forensics capability, but we consciously decided not to because when we first started doing this business, it started with incident response, and we had companies who would bring in their cyber insurance and their cyber insurance wanted their own forensics team to come in. And so we realized very quickly that is going to be the pattern. And what's interesting is in every single incident response we've done with the many forensics firms we've done them with, they walk away from it saying, “Can we partner with you guys? Because we've not worked with anybody that works as collaboratively. You gave us access to everything. You did the testing we needed, you did the research, you put out the scripts.”
When we say incident response, I would read the fine print for everybody else. Because there's a lot of qualifications around continuous incident response that's being published in the market today. We have called it continuous incident response from day one. And we literally mean continuous. There is no fine print. It just is. We're going to do it if it's a problem. And there's a lot of these players that say, yes, it's continuous, but it's going to be this hourly rate if we need to bring in this resource or that resource. So read the fine print when you're getting that from other players.
Brian Moody:
So, we've talked about no edge. So the edge really is gone, if you think about the modern enterprise environment.
Shahin Pirooz:
We've also discovered the edge isn't important anymore because all you got to focus on is executives.
Brian Moody:
[Chuckling] That's the one problem. Fix that problem and you're good. So we've talked about different pieces. So talk a little bit about the path forward for kind of democratizing cybersecurity. And then how is your vision within WhiteDog? How is WhiteDog addressing that?
Shahin Pirooz:
So there's a handful of what we've just talked about that addresses that. Cybersecurity should not be a unilateral decision. We built our platform and our capabilities in effectively a Chinese menu that allowed folks to pick the pieces and parts that fit best in their environment. So we were never the Model T Ford any color you like, as long as it's black. It was always a design what you like, what fits in your environment, and we made tools that help partners to select when and how and what time frame. And reach out to us and Brian can share the economic roadmap story with you, which helps you determine how and when to roll out if you want to get a bigger and broader touch.
But what democratization really means to me is the ability to make choices about cybersecurity and not compromise cybersecurity because of the extensive cost of getting into technologies. We've taken those burdens out of the way, and we allow you to make decisions and choices about what you need in a very cost-effective way for your customers. And the most recent, continuing to tag on this word democratization, is the concept of Open XDR.
Not only are we giving you choice and timing about what pieces of our platform you can deploy into your environment, but we now have the facility to say you can have our threat hunting functionality on top of the investments you've made. And we have partners who are chomping at the bit to consume those services. But then a lot of them are saying maybe we start this way and, as my contracts expire, we switch and go to your tool. When you're looking at any player, there's always a benefit to using the tool that that team has expertise in. For example, you're using tool A for your EDR and our default tool is Tool B, we're obviously going to have more experience in tool B but we will monitor, alert, do response functionality that we can from an API perspective in your tooling, no matter what it is. When you wrap your head around that there is some value in looking at the democratization means you now have choices. You get a vote in how security is done in your world. You have a voice in how it's done as opposed to being told this is how you do it. It is not a dictatorship of security.
Brian Moody:
And I think you've created that flexibility within the overall WhiteDog platform. And I call it, it is truly a platform. We have mentioned many times on Sound Bytes that we're not a tool. We've created a solution, we've created a platform, we've productized the security services so that those economics associated with you managing it, well we're co-managing that now where you have full access.
So we've had partners tell us 30-40% cost savings in optimizing their business around utilizing the WhiteDog platform. So those challenges are, now you have a choice, you have flexibility, and then I think from a standpoint of WhiteDog, we tie economics to that to make the financials even more attractive, so that your hand isn't being forced with respect to the security requirements that your customers might have. So bottom line, kind of getting close here to our half hour is true security means really protecting everyone not just the executives from a standpoint of solving 'the' cybersecurity gap.
Shahin Pirooz:
And it's everyone and everything, to be more accurate. Because there are things that aren't attached to people, especially more and more these days the cloud workloads, the IoT devices. So, when we start looking at specialization in security, we start looking at a tool that can do one thing. And, it's what I like to call little-minded focus on problem solving.
There's this little problem, which is a big problem, but in the context of cybersecurity it's a little problem of ‘we need to figure out how to do container security’, so now there's 40 manufacturers out there that have container security. There's this little problem of IoT, now there's 400 players out there who are trying to do IoT security. And it continues to propagate because some brilliant individual has an idea, and I don't mean to be rude to my fellow founders out there, but the idea is a little idea. It's not a big idea. It's not trying to solve cyber security as a service, it's trying to solve one component, one facet of cybersecurity, and it's a valuable thing because we wouldn't be who we are if it wasn't for those founders.
But what we bring to the table that is distinctly different is we take the burden of evaluating which one of those 400 technologies is the right one for IoT security.
Brian Moody:
And I think if we look at just the overall complexity of the modern enterprise today, it requires a number of tools to protect, but versus focusing on a specific, an executive, or even the overall employees. There are so many different vectors now that create the modern enterprise that I think we see more and more. I hear from you, I hear from our partners that the barrier to entry to get in to address this is huge. It's expensive.
The human aspect, the human investment, the tool investment, the time investment. These are huge costs where companies are wanting to go this direction. They have at times a risk to their current customer base. They want to grow their business. And I think for us that's the other aspect we've really been focusing on here is that if there is no edge and we need to cover everyone, the requirement to do that is becoming very expensive. And it's becoming quite a challenge for many of our partners to deliver. And I think it's a truly unique place. You've heard me say, right product, right time, right space from a standpoint of WhiteDog. And I think that we bring a very unique perspective to solving that problem for our partners and enhancing their business.
Shahin Pirooz:
I was having a conversation with a prospective OEM partner today, and the comment this individual made, which probably captures what we do better, is that we are not an idea waiting to happen. We are a practitioner of security that implemented solutions around that.
Brian Moody:
I think that's a good way to sum it up.