WhiteDog’s Cybersecurity Platform Now Integrates with Major PSA Brands
Integration Provides Comprehensive View of Customer Data for Streamlined Operations and Enhanced Security Posture
Modern cyberattacks are no longer breaking in through obvious cracks. They’re walking in through trusted pathways. And that's a problem.
From browser extensions and software updates to identity systems and cloud platforms, today’s threats exploit the gap between static trust models and constantly evolving risk. Once access is granted or a vendor is considered “verified,” most security controls assume safety.
Brian Moody: Brian Moody, global sales, own global sales and channels for WhiteDog, and with us is our esteemed CEO and founder, Shahin Pirooz. Very dynamic topic today: static trust versus dynamic risk, and, you know, from that standpoint, I mean, how attacks are really bypassing our static security infrastructure.
Shahin Pirooz: There's been a slew of news about threats that have come out recently that trusted applications, trusted plug-ins, trusted platforms that we use are being compromised quietly, and the backdoors are there, and the bad actors are taking advantage of those backdoors.
Brian Moody: Right. So browser extensions. We're talking applications. We're talking software updates and, you know, our static security infrastructure that we've put in place. I mean, hackers are taking advantage of the gaps that exist between these systems.
Shahin Pirooz: Yes.
Brian Moody: And then I think on the bigger front end of that, what we're seeing is... We talk about these trust models is... Once you're trusted and you kind of come into the system these security infrastructure and the security tools almost take a position of safety, that that's okay now.
Shahin Pirooz: I know that guy.
Brian Moody: And what we're seeing is, that guy now is, they're taking advantage of the infrastructure and they're hacking us.
Shahin Pirooz: Exactly.
Brian Moody: And matter of fact, this morning we were talking about this, and Shahin brought up, you know, you think kind of a major event this year was the Louvre theft. They walked in dressed as workers, right? So they came in, and people didn't give them a second look, right? Workers are there. They're trusted folks. They walked right in and assumed they were doing what they were doing, and they walked out with some pretty expensive stuff. So that's kind of our topic today, and it's interesting. I have been saying for a long time now that, you know, hackers aren't breaking in anymore. They're logging in.
Shahin Pirooz: Yeah.
Brian Moody: And, now today's discussion takes us to an extension of that, is much more so not necessarily logging in, but our browser plugins--
Shahin Pirooz: We let them in.
Brian Moody: Our software updates. We're letting them in on the backside of this, and they're taking advantage of these infrastructures and these trust models, frankly, to take advantage of the infrastructure and dwell time. So, we're going to talk about this a little bit today and focus on a couple key things, and I think one of the topics is, is really kind of the recent ShadyPanda attack. Tell us a little bit about that and how that leads into this topic.
Shahin Pirooz: Yeah. ShadyPanda, which, is a big, big flag. They call themselves shady, and we decided to trust them. But ShadyPanda for about seven years was a trusted set of browser plug-ins. They wrote two plug-ins that became, you know, well-used. They were spread across four, four and a half million browsers globally. They wrote these plug-ins for Chrome and Edge, and in mid '24, they decided to slowly start adding malicious updates into the platform.
So these same plug-ins that have been sitting there and trusted for years, now all of a sudden are spying on us, now all of a sudden are creating backdoors, now all of a sudden are allowing them to do things on our systems without us even having the slightest clue that it's happening as an end-user. And, just imagine for a second what plug-ins your users download. We don't really know what they're downloading, and they could be downloading anything. And so now, the job of security becomes much bigger, and do you now go down the path of saying no plug-ins, no nothing, whatever, or everything has to be inspected?
And the short answer is, there's a fine line between enabling people to do what they need to do to their job, and if these plug-ins are actually adding value to their job, making them work faster, that's positive to the company. But at the same time, not just blindly accepting whatever is happening on the network without having the right set of tools and lenses to be able to inspect and identify the threats that are in the environment.
The topic itself, static trust versus dynamic risk, what that is simply really talking about... And WhiteDog did a post on LinkedIn, an advisory on this with that topic, so feel free to go to... The IOCs for the ShadyPanda attack are there. But what that simply means is that our controls are static. We set them and kind of assume, at that point, that those controls do what they're supposed to do.
Problem is, the bad actors aren't static. They figure out ways around it. They are dynamic, and so the risks are dynamic, but our protections, our controls are not. And a lot of the technologies, all the evolution of security and why we have 5,000 security vendors right now, is because that dynamic movement creates new gaps, and new technologies and new solutions come out to try to close those gaps. Which is fundamentally why we've always been saying you need an evolving evergreen platform that continuously refreshes and doesn't have the technical debt of a single vendor solution.
Brian Moody: Right. Well, I think one of the other kind of critical aspects of this is we see all these tools, you know, we've talked about some very large dynamic environments can have up to 60 tools in them, because they continue to try to deploy and close these gaps. The other aspect of it is most of these security tools are static in respect to what they do, and they get installed individually as a toolset with little to no integration or cross-platform capability.
Shahin Pirooz: Completely siloed.
Brian Moody: They're completely siloed. So it's this gap that exists between the siloed tools. So this is where layered defense, and this is where I think that's...
Shahin Pirooz: Integrated layer defense.
Brian Moody: Integrated, thank you. You know, that guy. We talk about that guy, right?
But you know, the integrated layer defense I think is critical, but not only that, but what's most critical today is to really see the anomalies that exist across these tools is, we're looking for behaviors. We're looking for process changes, and I think that's one of the unique things around WhiteDog and what we've done, especially with our ASM platform, is yes, we have the static tools. I think the other dynamic piece is but we've integrated them.
So we've done cross-tool integration, you know, within our platform as well as the way our security operations center look at our tools and the telemetry from them. But I think it's this unique aspect, because once, once a player is in the game, and they're taking advantage of the gaps, you know, talk a little bit about how, you know, these threats are bypassing the tools and, you know, taking advantage of, kind of those components of the infrastructure.
Shahin Pirooz: Yeah, it's not so much that they're bypassing the tools. What they're doing is, once we let them in and we say, "This is trusted"... And it could be a number of things. It isn't just these browser plug-ins.
Like, one of the posts that we also recently did on LinkedIn as an advisory was about the WhatsApp attack, the ghost attack. The other one was about the Notepad++. Notepad++ sits on every developer's desktop that I know. It kind of became the de facto developer's toolset if you weren't using an IDE for quick code changes, for quick code analysis, and if you take that into context, we have let these tools in our environment, and we just assume that they're fine. And once we assume that they are fine and they're trusted, we're no longer inspecting the traffic coming from that tool.
So the ShadyPanda solution, the communication to the ShadyPanda servers was accepted. It was, yeah, that's a tool there, we know it, it's standard. Even if you're doing behavioral analysis, it's standard communication to show that it's going to the same place over and over again. It's not changing behavior. On the other hand, as part of their updates to the tool, it was starting to bring in modules that were allowing it to monitor your behavior on that machine and send it back...
Brian Moody: Exfiltrate it.
Shahin Pirooz: It was really just spying on you and sharing your behavior to a bunch of Chinese servers.
And similarly, with the Notepad++ scenario, the auto-update feature of Notepad++, a bad actor hijacked the auto-update process and redirected to a different site, but it was just doing auto-update from Notepad, so it wasn't, it wasn't anything crazy, so the firewalls didn't block it. What needs to happen is it needs to go beyond, this app is here and we trust it.
This is where I know the term zero trust has become kind of trite. People look at it and say, "I'm so tired of talking about zero trust." And I keep saying, it's not a new topic. Zero trust has been around for 30 years. It's fundamentally the way our government agencies work. The notion of zero trust is a tough one to wrap your head around, and all it means is stop implicitly trusting things. And that's what we're talking about here.
Assume there's bad behavior and look for it, and that's really what WhiteDog does that's different from everybody else. We make the assumption that there's a bad actor in the network, and that's fundamentally how we're able to reduce dwell time from six months to six minutes, because if you're assuming that and you're looking for bad behavior, you're going to find it.
If, on the other hand, you’re assuming this is a trusted solution and not looking for bad behavior, it will continue to run quietly under the surface of the water, and you won't see the bad behavior happening. So the key thing to understand about how these guys are bypassing, they're not really bypassing, they're in. They're already in the network. You let them in the house. The doors are not locked from the inside. So they're now opening the door and letting their buddies in, and you're not noticing that they're opening the doors and letting their buddies in.
Behavioral analysis tools that are not siloed, that are integrated, that say, Hey, this auto-update happened, but on the machine we saw this process running that has never run before, and on the network we saw it open a connection to something else, if that integration is not there to say, This thread of things that happened that are connected from a very similar process initiation, you won't know.
Those three different things I just described can just be isolated, no big deal, and the tools won't alarm on them. That integration is what is key for taking something that looks benign and identify it as potentially very risky.
Brian Moody: So I think one of the other interesting aspects too is when you talk about zero trust, and you and I both have commented many times about how we don't care for that term. There is no zero trust product.
Shahin Pirooz: Right.
Brian Moody: So, and I think in our industry, in so many areas, we see, you know, this is a zero trust tool, right? There's not a zero trust tool, right? As you said, this is more of an architecture or a strategy that you implement across the environment.
Shahin Pirooz: Yep.
Brian Moody: So a zero trust strategy that is inclusive of a lot of different components that actually then begin to take it, you know, or watch this behavior which is key. Another thing we say all the time, implement the tools, implement the security infrastructure, don't have the security operations center watching it, stand up a guard tower, but don't put the guard in it.
So, talk a little bit more about the importance behind tools [only] do so much. Like, you just talked about three components and the integration of them, the importance of having a security operations center watching, [why] that's critical.
Shahin Pirooz: So, I'll break that down into two things. There's a lot of security operations as a service solutions out there in the marketplace. I think the market has gotten worn out and frustrated with what they're seeing, because many of these solutions are simply a triage function.
The systems they use to monitor your network logs, systems, apps, endpoint security, all the tools that they're collecting data from, are simply designed to trigger when something bad happens, but they're relying on that triggering. They're relying, and some do a better job of creating correlation rules, and others don't, so they're relying on native functionality, and the ones to mostly be aware of is the ones that say, "We'll monitor your SIEM," because they don't have expertise across that SIEM. They're supporting any SIEM on the platform. So why is that solution not a great solution versus one that is doing actual threat hunting?
When we created our SOC services behind all of our products, the intention was not to just create another triage function that sees an alert and forwards it. The intention was we have this notion of identify the threat, inspect it, investigate it, and escalate only if necessary. So that construct has been borne into all of our analysts. They're trained for two months before they're able to hit the floor. So having a SIEM, security set of tools, a security operations center that is automated gives you limited capability because it's really focused on just getting alerts from everything.
And every tool has their own silo. So now you're taking tools, and each tool has their own AI embedded, but they're not doing anything across the other tools. So if you're taking an alert from a tool and just notifying, and you get the alert from email, you notify, you get the alert from the endpoint, you notify, you get the alert from identity, you notify. Now somebody has to say, Hey, I just saw three alerts for the same user on the same machine from three different systems. Is there something wrong?
And that's what WhiteDog has designed. We do that integration to say, This user got a phishing email. They clicked on it. They went to a website that's a known bad website that our DNS security platform captured. They exposed their identity by entering information into that website, and we see that because we see the identity management platform monitoring and triggering an alert that it looks like an impossible login is happening, and then their endpoint did something that it hasn't done for the last year.
So if you don't have that connection of those threads, you have to rely on somebody being smart enough to say, "I just saw four alerts, and they might be the same thing."
We don't have that problem.
Brian Moody: So other companies, other tools, you think about it. CrowdStrike, they've got security operations, SentinelOne, security operations, right? We talk about different SIEM platforms when we've got security operations. So I would also say that as the challenges, especially I would say with our MSP partners and customers in general, is if I'm buying the tool and the tool's saying, I've got operations behind it, it’s siloed security operations, too. There's no integration across those telemetry security operation components.
Shahin Pirooz: No, they're looking at their tools.
Brian Moody: They're looking at their tools. So there's no integration across there.
So, layered is what comes to my head when I think about WhiteDog, and I think about what you and the product team have done in creating this platform, is we've created layers and the integration of those layers.
Now, layers can be multiple layers within the same vector, and I think that's another piece that you've talked about, the criticality of not just having one. You know, you don't just have a gateway solution. We have a post-gateway solution, right? We have phishing components on the backend. We have a layered approach to protecting email and multiple components within that. So we talk about DMARC, and BIMI, and all of the SPF. Again, I can continue to go on with what we've created.
It's just this layered approach to capture. So if someone does take advantage of one thing, are they going to get around the other two or three layers that we've created in the security platform? So talk a little bit about that and how we extended that and what that means to our platform.
Shahin Pirooz: Yeah, if we bring it back to the topic we're talking about, how are you going to know if a trusted tool, technology, solution that you embedded in your environment is behaving badly? And the answer is what you just described.
It’s not just pulling four different threads, but having the ability to understand from a technology perspective, so that the analyst can move faster, that these four things are a thread, not that you have to go look for a thread. That is the key distinction about where a proper security operations... and we're not doing anything magic.
If you were a Fortune 50 company building a security operation center, they would probably build exactly what we did. It's not magic. What we've done is we've taken that super large enterprise security operations capability and made it affordable and attainable to the masses. Our largest customers are 30,000 seats and our smallest customers are one seat. It scales all the way up, and it scales all the way down.
So there is no chance a one-seat customer is going to have, will be able to afford, 24 by 7 security operations and 20 technologies to monitor their security. That's what they get with us, and at a ridiculously achievable price.
That notion of being able to tie even trusted apps and seeing the behaviors, we don't think about apps are trusted or untrusted. We take, again, that approach that everything is assumed to have bad behavior associated with it. The bad actor is going to take advantage of everything.
So if we see behavior that is anomalous, it's different than what it was, this application is now running processes it never did before, we trigger on that, and then we also trigger on what else changed in the flow. How did that happen? Did they click on something in email? Did they do something in DNS?
So being able to take that layered approach across technologies, and pull that data together, and correlate the information at the core, that's really the key distinction of what we're doing in contrast to correlating alerts. That's what most of the security operation solutions in the market are doing today. They get alerts from five or six things, and if it happens to be from the same machine and the same user, they then trigger an alarm that says there's some bad behavior, and it's across multiple vectors. That's great. That's a great step. That's better than nothing. But not integrating the silos together.
We don't rely on the silo. We rely on the context from all of the silos together to be able to determine there is some bad behavior, and here is the string, the timeline of that behavior.
Brian Moody: So I think that's a great point to kind of bring it full circle, like we always try to do is, okay, what does this mean to our partner community, right? And our partner community spans our MSPs, our MSSPs, our solution integrators, our vCISO community, as how they engage.
And we've interacted with so many different MSPs in the last many years, and see what they're doing, and they're doing just this, right? They're implementing these sets of tools, and then they're hiring staff. They don't necessarily have full security operation centers. In some cases, some of the more advanced MSSPs do. But they're relying on vendor security operations.
Shahin Pirooz: Or third parties.
Brian Moody: Exactly. But, you know, they're trying to figure out all of these different telemetry components that are coming in. So, to bring it full circle, what behavior-based detection, and kind of layered visibility, change operationally for MSSPs now?
Shahin Pirooz: The key thing is, it's not that something changed. It's been changed for a long time, and it's the same notion as we used to look at file-based attacks in traditional antivirus. We had definitions, signatures, all that. And so if something triggered based on those signatures...
And today, a lot of those same platforms are using file hashes instead of signatures and trying to say, Hey, if I see this file, somebody told me that this was a bad file, I should alert on it. The issue is that there can be a file that is completely fine because it's not available. Because when we talk about metamorphic malware, it changes the way it looks. It changes its signature. What it does though, behaviorally, is still consistent. So it still is acting in a consistent way to spread the attack. It might change the order of the attack.
So, another problem in the industry is that we have solutions in the marketplace, very well-known solutions, that rely on the behavior being in a specific pattern in order to identify a threat. So, if they see a malware do something, they, they built a, let's call it a definition or a signature of the behavior. And if that behavior happens again, then they know it's that same product. But in the context of metamorphic malware, which almost all malware is today, it changed its behavior. Instead of doing the function, the things it did, the behavior in the order of one, two, three, four, five, it does five, two, four, three. And now all of a sudden, it is not a threat.
Brian Moody: So almost exactly like the file changes because we gave the file a signature.
Shahin Pirooz: Exactly.
Brian Moody: The processes, we gave the processes a signature, so...
Shahin Pirooz: So just like we're saying, don't trust your trusted tools, we do the same thing from the technologies we use, the engines we use to do monitoring of security. So, we're constantly evaluating our solutions and we're doing shootouts on a regular basis to make sure that they are continuing to do what they do, and when we do our attacks against them for evaluation, we modify the patterns, we modify the order. We see if they can still catch the behavior. And the tools that can't drop out of our systems, and we bring in new technologies in that composable stack architecture.
Brian Moody: So I keep pressing on this with respect to kind of WhiteDog's attack surface management. This is something I think you and the product team have created. We have seven or eight of them now across the platform, and how we integrate through all of our detection and response, so our MDR, XDR, and our DeltaDR platforms, and kind of the escalation of our implementation of those.
Talk about that platform a little bit more in depth, about the layers that it creates, because, yes, we have the static tools. I mean, I think almost to the degree of, the high degree of quality security tools, that's table stakes.
The interesting piece I think is really what is unique about WhiteDog is this platform and the proactive approach it takes, but the layered approach to it, and then how our ASM [suite] does just what you've been talking about, right? We're looking for the anomalies. We're looking for process change. We're looking for changes with our ISPM, our Identity Security Posture Management tool. Are there changes in identity? Are there changes at network? Are there changes going on in the dataset? Just expound upon that a little bit, because I think that's really the unique component.
Shahin Pirooz: You did, did a pretty good job.
Brian Moody: You've trained me well, that guy.
Shahin Pirooz: So, I would say it's more important to think about attack surface management in context to detection and response. When we're talking about solutions in the market that monitor and alert, they're really doing detection and notify.
What we've built in our MDR, XDR, and DeltaDR offering is detection and response across all five of the attack vectors. And for us, those attack vectors, as we define them, and this is in order of the threat: email, DNS, identity, endpoint, and network. And so we built attack surface management modules across those.
So for DNS, we have DNSPM. We are monitoring the configuration of DNS to make sure that you have your records set up properly so that people can't spoof your domain, so they can't take advantage of sending your customers messages that look like they're coming from you.
In email, we have MSPM, which is mailbox security posture management. Are we seeing configuration issues in that environment? Are we seeing threats in that environment? Is there malware that has been sitting in inboxes in your network for decades that somebody clicked on a long time ago and it's just been sitting there, and it's sitting there because the gateway solution didn't catch it at the time and the gateway solution doesn't scan the mailboxes.
For the endpoint world, we do data posture, so DSPM. We're looking at all the data on your endpoints and your network and your cloud to look to see is there any issues in terms of data that has PII or PCI or HIPAA or whatever, and what's the risk associated with the data across your network? And if there is risk, let's identify what the ransom would be associated with that.
For the identity, we have ISPM, or Identity Security Posture Management. What's the config of your Entra ID or your Active Directory look like? Do you have users that are stale that haven't logged in, in whatever period of time? Do you have privileges that are set too high for individuals? Do you have users who have access to things they shouldn't ought to have? So it's giving you visibility into the controls that a bad actor would take advantage of.
And on the network, we have both...
Brian Moody: Before you go to network, but also from a standpoint of the ISPM's standpoint is, being able from our perspective to almost honeypot identities if someone's...
Shahin Pirooz: That's not included in our ISPM. That's part of our IDR [Identity Detection and Response] solution. But yeah, we do have honeypotting in multiple areas of our security offering.
And on the network, we have network security posture, which is what you would consider traditional vulnerability management, scanning the network for what is vulnerable, what fingerprinting of OS's, applications you have on the network.
And then externally scanning from what the outside face of your organization is to the world, and that's the first thing the bad actors look at. How many gaps do you have there? How many exploits are exploitable outside? And doing continuous pen testing against those. We also scan the dark web to see if you have any leaked credentials in the dark web for your domain.
So put all of that together and what we're doing is we're saying, Here's the risks. Here's the things a bad actor can take advantage of, and give you recommendations to close those gaps.
And then on the other end, we also have the detection and response capabilities across all five vectors as well. So what are your actual risks and how do we address if somebody does get through to identify them quickly and try to stop them.
So, the majority of our space is only focused on single tools to do one of the attack vectors, not all, and usually it's in the detection and response space, not on the attack surface management.
So to build what we've built, it requires something in the neighborhood of 20 to 30 tools to achieve it for our DeltaDR offering. It's complicated, and then now you have to teach your staff how to manage all the tools, how to monitor all the different consoles, how to come up with those correlation rules to get data across multiple vectors to say, Oh, I see where this thread came from, and then be able to correlate that to say this is a real attack or this is false, and give them the ability, the training to investigate. So when they see something that looks phishy or malicious or anomalous, they can jump in and look across multiple technologies to validate whether it is or not, and identify if it's spread to more machines than just the one.
Brian Moody: So you just brought up another, I think, critical point that we talk about advantages, you know, of WhiteDog and really what some great benefits that we bring to our partner community, is really that technical debt.
So you just ran through about seven or eight key components of what responsibility lies on the technical team, you know, in really any partner or even customer trying to implement these technologies. The technical debt associated with trying to manage 20 or 30 tools, selecting the tool, implementing the tool, integrating the tool, upgrading the tool, and then having the staff, one, that knows how to do that.
Shahin Pirooz: And then the tool's no longer good and you start over.
Brian Moody: And then you start over. It's like you've always talked about, it's the Golden Gate Bridge, right? You paint it once and then when you get to the other end you start over again.
Shahin Pirooz: Exactly.
Brian Moody: So you brought up detection and response and, like this guy does all the time, it's that you already, you already almost pretty much answered my last kind of question for you, but it is really about detection and response. What do our partners do to build cyber readiness that has this detection and response capability? 'Cause that's the critical aspect is really the response piece, and we talk about that often. But, I mean, what we have now today really is our trusted platform has become an attack surface. So, I mean, I know the simple answer, you partner with WhiteDog.
Shahin Pirooz: There's a link on our website that says "partner". Click on that.
Brian Moody: But, I mean, so what steps can they do right now? So we've talked about browser vulnerabilities, application vulnerabilities, these key components. So kind of to wrap this up and put a bow on it for us, like a big Christmas present. What can our partners do to really kind of create this cyber readiness that's got this detection and response capability?
Shahin Pirooz: Go and invest in 20 to 30 technologies, train your staff, build a SOC, and monitor across multiple vectors, build a data lake that collects data from all of those tools, and correlates it and normalizes it, so that now you can see the threads we're talking about. All joking aside, security is not rocket science, but it is a significant amount of heavy lift to get to where it is a functional platform.
We've been doing this now since 2018, and every month, every quarter, every year, we continue to evolve and get better. And not only do we get better in terms of how we train our folks, we get better in the technologies we use because we're constantly evaluating. We get better in our processes, because we're now seeing, okay, when we see something like this, we may have missed a step six years ago, now that step is part of process, and we do it today. So, there is no silver bullet to do this. Except, this WhiteDog thing we keep talking about.
We've been having conversations, Forrester's Wave has been talking about security platforms as opposed to security technologies. It's no longer about a tool, and a lot of the market, a lot of our customers, partners that we talk to in the field, prospective ones I should say, consider that it's "I just need to find the right tool." That's the dialogue that keeps happening. We keep digging and looking for the right tool.
It isn't about a tool. It's about an integrated platform that covers the attack surface, both from a being able to identify what risks there are, but also from being able to detect and respond across those attack surfaces. And, I don't know a single company in the market that covers as many parts of the attack surface as WhiteDog does. And that's probably the key differentiator. That's why I say, I'm tongue-in-cheek joking that WhiteDog is the answer. It is because regardless of what you're trying to solve, we have a product that addresses that gap.
There's areas we don't go into yet, but I think I mentioned in our last Sound Byte that we're about to cross over into, one of the places our customers have been asking us to go, is in the application security space. Hasn't been historically something we've put energy into except for our own internal stuff, and that's almost always how things come to market, is we use and consume something ourselves to protect how we do things, how we make sure we're protected, so we don't become a risk in your ecosystem. And we're productizing our application security posture management, application pen testing, and SAST and DAST functionality, to bring to market for customers.
So we will continue to expand. We're doing things like, for example, configuration management has been one of those things we've been talking about forever. We identify the vulnerabilities in the environment but, you know, our partners have to figure out how to patch those things. And some of our partners are challenged in addressing and solving that, so we're coming out with a patch management capability and configuration management capability that will help them, because we will operationally on the backend manage the security patches for critical security issues. So, reducing the risk by removing the holes that a bad actor will take advantage of.
Our approach has always been, we don't simply want to tell you there's something wrong. We want to help stop it. We don't want to make money on the backend after you've been compromised.
Brian Moody: On the recovery.
Shahin Pirooz: On the recovery. Which is why we include continuous incident response at no additional cost in MDR, XDR, and DeltaDR. Nobody else does that. They claim it, and there's so many partners that have said we called them to say, "Okay, we had an issue. Come help us." And the answer is no, that doesn't qualify for the free.
So I would say, there isn't anything we've done to our partners and to prospective partners that you can't do. You can, absolutely, if you've got five years of time and millions of dollars, you can absolutely build what we've built. No question. We're no smarter than anybody else. What we have is a fully integrated ready-to-go solution that has a 30-day onboarding guarantee. You can be up and running in 30 days instead of taking five years to do this.
Brian Moody: So, close. Couple key thoughts...
Shahin Pirooz: I thought it was a good close.
Brian Moody: That was pretty good. It wasn't bad. Just food for thought for our MSP partners, what gaps do you have? So, in your tool set that you've deployed today, do you have silos? Do you have gaps? Are you looking at the behaviors in those environments in order to be able to respond to them? Check those browser plug-ins. Check the applications, again, especially the ones that have been published, right? I mean, zero days are tough, but they occur. Again, that's where we're watching the behaviors.
And then, where are your MSP's trust gaps? You know, as you kind of analyzed your own infrastructure, where are those? And ask questions, inquire.
Shahin Pirooz: Yeah. I think one of the biggest things on the zero days that's super important to make sure the community's aware of is, if you're relying on a tool, you're also relying on their backend threat intelligence teams to make sure they're adding those zero day correlation rules and behaviors to the platform. They're not always super fast at that. They don't consistently do it.
One of the things we do is we don't rely on the threat feeds from each of the vendors alone. We have our own threat intelligence where when we find zero days, so every advisory you're seeing, every newsletter we send out to our partners and prospects about, you know, we do a weekly advisory communication. That weekly advisory has the threats that we've seen in the industry, what the implication is of those threats, and we take the IOCs from those and we put them into our threat feed. So we now, all of our tools, have the same threat intelligence that we've identified as threats that are zero-day potentials in addition to the threat feed that comes from the manufacturer.
So, when you asked the question earlier, what can MSPs do? The answer is do what we're doing. Build your own threat intelligence, build your own SOC, build your own people to be able to enhance and enrich the data that's coming from the tools and then be able to cross-channel it across all the platforms.
In terms of the gaps that you have, we've had three conversations in the last month and a half to two months where partners have so many overlapping prospects, have so many overlapping tools doing the same kinds of things because, you know, they have a percentage of their customers on tool one, and then they started going towards another tool and the percentage of their customers was on another tool. And imagine the pain and challenge in managing three platforms doing the same thing but they're not doing the same thing equally.
We solve that problem for partners. If we replace a tool, we're also going and replacing it across all your endpoints so that transition is managed. The only thing we need help on is deploying the agents if there is an agent. And beyond that, we're doing all the things for you on your behalf or with you if you want to do them.
In evaluating where your gaps are, think about how often are you having to bring in a new technology? How often do you have to now negotiate contracts? Do those contracts have minimums? How long are you being locked into to get the price that makes sense for your customer base?
We have no minimums, consumption-based pricing, can be monthly or annual, you choose, and you have zero minimum requirement in terms of moving on to the platform. And we will help you transition from where you are to where you need to be at no cost. There's no implementation cost. There is no onboarding cost. Everything is really designed to make your life easier.
Brian Moody: And then if something happens, there's continuous incident response from...
Shahin Pirooz: We're there.
Brian Moody: ...the security operations center at no additional cost.
Shahin Pirooz: Exactly. This has really been a passion project of developing something that I would have loved when I was running an MSP, and this didn't exist. There was no such thing. We had to develop it ourselves, and a lot of what you see in WhiteDog today comes from those lessons learned and pains from the last 25, 30 years.
Brian Moody: We'll extend that too from your experience of being a CTO, CISO for a customer, so to speak, you know, in your previous career where you were not necessarily always at an MSP.
Shahin Pirooz: Yep. 100%.
Brian Moody: That platform you would've loved to have had. So, with that, if there's anything we can help with, answer your questions, please feel free to reach out to us. Just go to whitedogcyber.com and go to our partner page. We've got a partner inquiry component there. You could put your question in. We'll be happy to reach out to you and talk to you about any of this.
Shahin Pirooz: Indeed. And looking forward to partnering with each and every one of you.