1
00:00:00,000 --> 00:00:10,240
So, my family very recently had a DNA test done and found that we are far more Scottish

2
00:00:10,240 --> 00:00:16,080
than we realized, so ever since that I've definitely had that on my list.

3
00:00:16,080 --> 00:00:22,800
But all of the UK and Europe has always been on my list as well.

4
00:00:22,800 --> 00:00:27,120
Just to be very generic about it, basically that whole part of the world.

5
00:00:27,120 --> 00:00:34,240
I mean, if we're talking money's no object, I mean the world is your oyster.

6
00:00:34,240 --> 00:00:37,040
Go be Jeff Bezos, let's go to space.

7
00:00:37,040 --> 00:00:42,800
If money's no object, then you can really go anywhere you want to go.

8
00:00:42,800 --> 00:00:45,200
So, yeah, let's go everywhere.

9
00:00:45,200 --> 00:00:48,400
That would be a dream vacation.

10
00:00:48,400 --> 00:00:49,400
Yeah.

11
00:00:49,400 --> 00:00:51,040
Tour around the world?

12
00:00:51,040 --> 00:00:52,200
Yeah.

13
00:00:52,200 --> 00:00:54,200
I think for me, I'd probably choose.

14
00:00:54,200 --> 00:00:55,920
I think Rome would be really cool.

15
00:00:55,920 --> 00:01:02,800
I think it'd be really cool to see the Colosseum and all the history within that space.

16
00:01:02,800 --> 00:01:08,800
I'd primarily want to hit that and then maybe trek over to Egypt as well and see the pyramids.

17
00:01:08,800 --> 00:01:17,680
I think the mysteriousness of that is just so interesting to me.

18
00:01:17,680 --> 00:01:22,560
And if money's no object, paying off the tour guide to take to undisclosed locations in

19
00:01:22,560 --> 00:01:25,360
the pyramids would be cool.

20
00:01:25,360 --> 00:01:31,360
I'll see you got one.

21
00:01:31,360 --> 00:01:33,600
I think Matthew stole mine.

22
00:01:33,600 --> 00:01:36,920
It was so rude that I was like, come on, man.

23
00:01:36,920 --> 00:01:38,280
But yeah, money was no object.

24
00:01:38,280 --> 00:01:42,680
I was like, so could I just move over to Europe and then just keep on taking these weekend

25
00:01:42,680 --> 00:01:48,240
vacations because that's really what sounds good is being like, let's fun just moving.

26
00:01:48,240 --> 00:01:52,720
And then I can just take these small little vacations instead of doing one big trip.

27
00:01:52,720 --> 00:01:55,840
But maybe that's just me that I'm like, I'd rather just go somewhere and stay.

28
00:01:55,840 --> 00:01:58,640
But what about you, Tara?

29
00:01:58,640 --> 00:02:00,720
I would say this isn't necessarily on my top.

30
00:02:00,720 --> 00:02:05,600
It just comes to mind is one of my favorite vineyards is actually in New Zealand.

31
00:02:05,600 --> 00:02:10,400
So I would love to go there and have some other wine.

32
00:02:10,400 --> 00:02:11,400
Nice.

33
00:02:11,400 --> 00:02:12,400
Very cool.

34
00:02:12,400 --> 00:02:13,400
Yeah.

35
00:02:13,400 --> 00:02:15,200
New Zealand is beautiful.

36
00:02:15,200 --> 00:02:18,640
I really want to support anyone going to New Zealand as well.

37
00:02:18,640 --> 00:02:19,640
Love it.

38
00:02:19,640 --> 00:02:28,560
I was going to say August kind of stole mine going to Egypt or I kind of think the first

39
00:02:28,560 --> 00:02:30,960
thing that came to mind was maybe going to Italy.

40
00:02:30,960 --> 00:02:36,000
I spent so much time in like art history classes.

41
00:02:36,000 --> 00:02:40,840
It would be so fun to like go and be in front of these things that I have only seen in books

42
00:02:40,840 --> 00:02:43,480
or on the internet.

43
00:02:43,480 --> 00:02:45,920
I think that would be pretty awesome.

44
00:02:45,920 --> 00:02:46,920
I would agree.

45
00:02:46,920 --> 00:02:47,920
That would be really neat.

46
00:02:47,920 --> 00:02:48,920
Yeah.

47
00:02:48,920 --> 00:02:56,360
Well, today on our tech for business podcast, Kelsey, Tara and myself are joined by Matthew,

48
00:02:56,360 --> 00:03:02,960
our GRC analyst, August, our sock technician and Andrew, our security engineer and incident

49
00:03:02,960 --> 00:03:04,560
response team lead.

50
00:03:04,560 --> 00:03:06,640
I got it.

51
00:03:06,640 --> 00:03:12,920
We're doing a little deep dive today into our world of EDR and how it can save your

52
00:03:12,920 --> 00:03:13,920
business.

53
00:03:13,920 --> 00:03:20,480
I'm going to kind of pose our first question to Matthew just before we really jump in.

54
00:03:20,480 --> 00:03:21,840
We've talked about EDR before.

55
00:03:21,840 --> 00:03:28,280
I have a podcast linked in our description, but what are some quick basics and overview

56
00:03:28,280 --> 00:03:32,560
that someone should know to really understand what we're talking about today?

57
00:03:32,560 --> 00:03:34,920
Yeah, definitely.

58
00:03:34,920 --> 00:03:40,600
So I don't think I was in that other podcast, though I believe the rest of the group was.

59
00:03:40,600 --> 00:03:43,520
But in short, it's endpoint detection and response.

60
00:03:43,520 --> 00:03:50,480
So it's a tool that runs on an endpoint, which is the language you use for workstations,

61
00:03:50,480 --> 00:03:57,680
desktop PCs, laptop PCs, and mobile devices as well, whether that's phones, tablets.

62
00:03:57,680 --> 00:04:06,560
And the goal is that it detects issues as they're occurring.

63
00:04:06,560 --> 00:04:10,320
We've also done a lot of podcasts on AI and deep learning.

64
00:04:10,320 --> 00:04:13,480
And this is basically a form of that where it's tracking what's going on in the work

65
00:04:13,480 --> 00:04:21,920
station and finding actions that are unexpected or non-habitual that it's trying to detect

66
00:04:21,920 --> 00:04:27,120
those rather than just finding things like an original antivirus did.

67
00:04:27,120 --> 00:04:32,120
Original antivirus would just look for specific file types, would look for specific things

68
00:04:32,120 --> 00:04:34,560
that were done.

69
00:04:34,560 --> 00:04:37,320
And if they happen to match with something that was done previously, they'd still block

70
00:04:37,320 --> 00:04:38,320
it.

71
00:04:38,320 --> 00:04:41,000
If they happen to be something that you did every day and they decided that that day,

72
00:04:41,000 --> 00:04:42,520
that was a bad thing.

73
00:04:42,520 --> 00:04:46,200
All of a sudden, your antivirus could stop you from doing anything, which we may have

74
00:04:46,200 --> 00:04:49,920
all had experience with before.

75
00:04:49,920 --> 00:04:54,280
So EDR is really the next step of that.

76
00:04:54,280 --> 00:04:58,160
If you've listened to myself and Todd on any of the other podcasts, you'll have heard

77
00:04:58,160 --> 00:05:03,160
him mention specifically how important EDR is now.

78
00:05:03,160 --> 00:05:09,120
In fact, I think the MFA podcast that came out a week ago when this one's coming out

79
00:05:09,120 --> 00:05:11,240
directly talks about that in depth.

80
00:05:11,240 --> 00:05:16,200
So EDR and MFA are kind of what we're talking about in there.

81
00:05:16,200 --> 00:05:21,440
And in this part, EDR is the endpoint side of things, how it can be stopped and saved

82
00:05:21,440 --> 00:05:23,960
for a workstation.

83
00:05:23,960 --> 00:05:30,960
Have I missed anything there?

84
00:05:30,960 --> 00:05:31,960
I don't think so.

85
00:05:31,960 --> 00:05:37,360
I think you covered a lot of the ground of what it is.

86
00:05:37,360 --> 00:05:43,280
So I guess how I can take on the portion of how it can save your business of some real

87
00:05:43,280 --> 00:05:52,840
case scenarios of what we've seen of it taking anonymous action, anonymous, I can't say that

88
00:05:52,840 --> 00:05:59,240
word, autonomous action on different types of threats that are coming through.

89
00:05:59,240 --> 00:06:05,400
Just looking for hash based signatures and just types of any type of malicious activity

90
00:06:05,400 --> 00:06:14,160
going on, seeing something such as Mimikatz, which is a credential stealer basically for

91
00:06:14,160 --> 00:06:22,040
that can be run on systems, and seeing something like SentinelOne or any EDR tool blocking that,

92
00:06:22,040 --> 00:06:29,160
and then seeing an attacker try a different form of Mimikatz to try and steal credentials,

93
00:06:29,160 --> 00:06:34,400
and that being blocked and seeing the real time action log of a 10 minute span of an

94
00:06:34,400 --> 00:06:40,560
attacker trying multiple different forms of attack vectors and being stopped from that

95
00:06:40,560 --> 00:06:46,680
one tool that saved pretty much your multiple days of being down.

96
00:06:46,680 --> 00:06:53,120
So I think it's a super important part of a business.

97
00:06:53,120 --> 00:06:54,120
Definitely.

98
00:06:54,120 --> 00:06:58,240
Just to kind of tie in with that a little bit, August, we've mentioned a couple of times

99
00:06:58,240 --> 00:07:05,440
now the autonomous actions as well as how it's reacting to the actions being taken.

100
00:07:05,440 --> 00:07:07,080
So autonomously it's stopping.

101
00:07:07,080 --> 00:07:13,560
It's not asking for requests to make these changes, and it will block an action.

102
00:07:13,560 --> 00:07:17,000
You mentioned a couple tools in there which are hacking tools, which it's going to look

103
00:07:17,000 --> 00:07:23,360
for and stop, but it's also looking for things that are maybe unexpected behavior in some

104
00:07:23,360 --> 00:07:24,360
way.

105
00:07:24,360 --> 00:07:31,200
So it's trying to get access to file systems that maybe you hadn't accessed before.

106
00:07:31,200 --> 00:07:37,040
Maybe it's a file that's instantly trying to duplicate itself across multiple areas

107
00:07:37,040 --> 00:07:42,000
or changing too many files at once, the type of thing that ransomware does.

108
00:07:42,000 --> 00:07:48,760
EDR tools very quick, and obviously there's a lot of variables, but when it does what

109
00:07:48,760 --> 00:07:50,960
it's meant to do, it's doing it very quickly.

110
00:07:50,960 --> 00:07:54,400
It can stop these things in its tracks.

111
00:07:54,400 --> 00:07:57,440
I'm not on the incident response team.

112
00:07:57,440 --> 00:08:00,840
That's more Sherf's area here.

113
00:08:00,840 --> 00:08:05,920
How often do you see it that the alerts were getting on not, hey, this machine needs to

114
00:08:05,920 --> 00:08:08,000
be recovered.

115
00:08:08,000 --> 00:08:11,120
This machine has already stopped this issue.

116
00:08:11,120 --> 00:08:17,600
What do you want us to do to clean it up and resolve it?

117
00:08:17,600 --> 00:08:24,440
I mean, when it comes to an incident, be it a single device, single endpoint is some

118
00:08:24,440 --> 00:08:28,800
user downloaded their free cursors and now that there's some malicious software on that,

119
00:08:28,800 --> 00:08:33,680
it asks for forgiveness then permission.

120
00:08:33,680 --> 00:08:41,720
It's going to rip it out and block it even at the extreme level, disconnect your networking,

121
00:08:41,720 --> 00:08:43,640
and then ask for forgiveness later.

122
00:08:43,640 --> 00:08:49,520
It wants to protect you versus say, hey, can I block this?

123
00:08:49,520 --> 00:08:53,760
I think from a business point of view, I think it'd be more important that, hey, we allow

124
00:08:53,760 --> 00:08:59,960
this application on the device if it is something business related versus the off chance that

125
00:08:59,960 --> 00:09:02,960
it's something that's not.

126
00:09:02,960 --> 00:09:06,480
That's one huge benefit with EDR.

127
00:09:06,480 --> 00:09:08,680
Definitely.

128
00:09:08,680 --> 00:09:12,280
Just something that I want to mention quickly here then because it does come up in the way

129
00:09:12,280 --> 00:09:15,800
we're talking about this.

130
00:09:15,800 --> 00:09:19,760
Based on what you mentioned there about asking for forgiveness, Andrew, I want to mention

131
00:09:19,760 --> 00:09:27,200
the CIA triad, which is the confidentiality, integrity, and availability triad that defines

132
00:09:27,200 --> 00:09:29,400
how we talk about cybersecurity.

133
00:09:29,400 --> 00:09:32,840
In short, this is how do we keep things safe?

134
00:09:32,840 --> 00:09:36,200
How do we make sure all the data has integrity and is not changed?

135
00:09:36,200 --> 00:09:39,760
How do we make sure it's available when it's meant to be available?

136
00:09:39,760 --> 00:09:44,840
Now, generally when we're making things safer and immutable, that means we're increasing

137
00:09:44,840 --> 00:09:49,320
things on the confidentiality and integrity side of things, which tends to make the availability

138
00:09:49,320 --> 00:09:52,120
side of things lower.

139
00:09:52,120 --> 00:09:56,600
You'll tend to hear this when people make MFA available, when people make different

140
00:09:56,600 --> 00:10:02,480
tools available to you, you think it's harder to get into your system and harder to do things.

141
00:10:02,480 --> 00:10:08,720
I may have mentioned this previously, but I once had a CIO tell me that in my perfect

142
00:10:08,720 --> 00:10:15,880
world, no one would have access to their workstations because then the data is safe, which is true.

143
00:10:15,880 --> 00:10:19,880
If we completely remove availability, keeping something safe is far easier.

144
00:10:19,880 --> 00:10:23,920
When we talk about asking for permission, what we're saying is that some of these tools

145
00:10:23,920 --> 00:10:30,200
do maybe make parts of your job sometimes more difficult if they accidentally trigger

146
00:10:30,200 --> 00:10:33,080
on something that isn't a problem.

147
00:10:33,080 --> 00:10:36,880
But it's better that they trigger on something that isn't a problem than that they don't

148
00:10:36,880 --> 00:10:42,480
trigger on something that is and all of a sudden ransomware has taken over your network.

149
00:10:42,480 --> 00:10:46,120
I'm not sure about everyone else here, but personally, I think losing a little bit of

150
00:10:46,120 --> 00:10:51,000
availability to increase the security so that me clicking on a link or accidentally going

151
00:10:51,000 --> 00:10:59,760
to a website doesn't cause me to take down the business is a worthwhile trade-off.

152
00:10:59,760 --> 00:11:06,200
On speaking about that, I think we've said this in past podcasts, but the average downtime

153
00:11:06,200 --> 00:11:09,760
for a ransomware incident is two weeks.

154
00:11:09,760 --> 00:11:15,360
Is your business prepared to be down for two weeks to restore your business or would you

155
00:11:15,360 --> 00:11:20,440
want to put a tool in place that could in all likelihood protect it?

156
00:11:20,440 --> 00:11:22,920
Stop this kind of thing from happening.

157
00:11:22,920 --> 00:11:29,200
There is a buy-in, but end of the day, that buy-in is worth what that two weeks of no

158
00:11:29,200 --> 00:11:31,840
money coming into your business would be.

159
00:11:31,840 --> 00:11:32,840
Exactly.

160
00:11:32,840 --> 00:11:36,880
That two weeks is generally just the uptime.

161
00:11:36,880 --> 00:11:42,280
Chef, getting back to having machines up and running, we also have the side of things

162
00:11:42,280 --> 00:11:47,280
with the forensics teams dealing with the insurance that that process can take another

163
00:11:47,280 --> 00:11:50,440
month, two months just to get everything back.

164
00:11:50,440 --> 00:11:55,840
There are a lot of factors that need to be, if this doesn't apply to any and every business,

165
00:11:55,840 --> 00:12:02,440
but average downtime is two weeks and that's business back to maybe 60%.

166
00:12:02,440 --> 00:12:06,040
How would I say is comfortably that's the two-week window.

167
00:12:06,040 --> 00:12:08,480
Sometimes you can get back up in 24 hours.

168
00:12:08,480 --> 00:12:10,960
Sometimes it could be a month and a half.

169
00:12:10,960 --> 00:12:14,960
Average time two weeks and that is not full functionality.

170
00:12:14,960 --> 00:12:20,600
There is still going to be much more time of hurting, getting you back to 100%.

171
00:12:20,600 --> 00:12:21,600
Exactly.

172
00:12:21,600 --> 00:12:25,440
It wouldn't be a podcast without me mentioning an incident response plan, which you should

173
00:12:25,440 --> 00:12:29,860
have, as well as business continuity and disaster recovery, which can definitely help

174
00:12:29,860 --> 00:12:31,840
you cut down on that time.

175
00:12:31,840 --> 00:12:34,040
But I think by saying that I cut you off, August, sorry.

176
00:12:34,040 --> 00:12:41,240
Oh, no, I was just going to say sounds to me that paying per agent is a little bit of

177
00:12:41,240 --> 00:12:45,720
a better trade-off than being down for two weeks on average.

178
00:12:45,720 --> 00:12:49,720
So, it wouldn't be worth the cost.

179
00:12:49,720 --> 00:12:50,720
All more.

180
00:12:50,720 --> 00:12:56,320
When I've dealt with ransomware incidents, one of the first couple things I say is to

181
00:12:56,320 --> 00:13:01,200
set the expectation to be prepared for two weeks.

182
00:13:01,200 --> 00:13:04,880
If we get you back up in 24 hours, that's icing on the cake.

183
00:13:04,880 --> 00:13:10,200
But when I tell people that it's two weeks average time, I just hear gasps.

184
00:13:10,200 --> 00:13:12,440
So that is kind of that.

185
00:13:12,440 --> 00:13:13,440
Send the shot across the bow.

186
00:13:13,440 --> 00:13:17,840
Do be aware that if you did have ransomware and you didn't have, say, an EDR product in

187
00:13:17,840 --> 00:13:23,120
your network, that is where that trade-off is coming there.

188
00:13:23,120 --> 00:13:24,120
Exactly.

189
00:13:24,120 --> 00:13:30,920
Now, we've covered some of the things that can happen as a result of not having EDR or

190
00:13:30,920 --> 00:13:33,000
when EDR doesn't catch it.

191
00:13:33,000 --> 00:13:34,080
It's not a perfect system.

192
00:13:34,080 --> 00:13:40,520
There are times when things get around it, but that's not as often as when it's caught.

193
00:13:40,520 --> 00:13:45,720
So why then, I think that kind of covers the why we think it's important, why we see it

194
00:13:45,720 --> 00:13:48,080
and why we recommend it.

195
00:13:48,080 --> 00:13:55,520
It's something we recommend heavily and push as soon as we can to everyone.

196
00:13:55,520 --> 00:14:00,200
Are there any things that you guys have seen recently or that are coming up that are maybe

197
00:14:00,200 --> 00:14:03,440
stopping people from wanting to use it?

198
00:14:03,440 --> 00:14:08,560
Have you guys heard any of those types of arguments?

199
00:14:08,560 --> 00:14:13,680
I would just say, primarily, it's the false positives that come through.

200
00:14:13,680 --> 00:14:18,720
Some of the processes that get run are something like a PDF converter.

201
00:14:18,720 --> 00:14:21,200
Something as easy as that being blocked.

202
00:14:21,200 --> 00:14:24,280
People just don't like it.

203
00:14:24,280 --> 00:14:29,200
It comes back to the availability part of the CIA end of, I want to be able to do my

204
00:14:29,200 --> 00:14:32,240
work now and not be blocked by anything.

205
00:14:32,240 --> 00:14:37,720
If I want to run a PDF converter, I'm going to run it.

206
00:14:37,720 --> 00:14:42,440
I think it just all ties back into availability.

207
00:14:42,440 --> 00:14:47,880
Real life example, where something like that, August, I think you're talking about a little

208
00:14:47,880 --> 00:14:49,920
bit about line of business applications.

209
00:14:49,920 --> 00:14:57,000
There was a company that we had dealt with that had this Excel application, a technically

210
00:14:57,000 --> 00:14:59,960
plain application.

211
00:14:59,960 --> 00:15:05,800
They had macros out the wazoo on this Excel document that they've had for 10 years and

212
00:15:05,800 --> 00:15:08,160
it's doing 70,000 different things.

213
00:15:08,160 --> 00:15:15,720
It's essentially their ERP through a single Excel file, malware spreads, ransomware spreads

214
00:15:15,720 --> 00:15:17,720
through macros in an Excel file.

215
00:15:17,720 --> 00:15:21,920
That's why SentinelOne killed it, caused downtime for them, caused problems.

216
00:15:21,920 --> 00:15:26,960
It raises a larger question of why you're doing that.

217
00:15:26,960 --> 00:15:34,760
Using that false positive, it is some downtime best cost of those problems.

218
00:15:34,760 --> 00:15:44,080
I would say that it's really trying to run that line of how your business needs to function

219
00:15:44,080 --> 00:15:46,880
and protecting at the same time.

220
00:15:46,880 --> 00:15:48,200
Exactly.

221
00:15:48,200 --> 00:15:50,160
This tool as part of it is that deep learning.

222
00:15:50,160 --> 00:15:51,800
It's the machine learning.

223
00:15:51,800 --> 00:15:54,680
It learns what's normal for your organization.

224
00:15:54,680 --> 00:15:57,960
There might be some hiccups as it's coming on board, as it's learning that maybe your

225
00:15:57,960 --> 00:16:02,880
organization does something that is unique to the way that organization runs.

226
00:16:02,880 --> 00:16:07,240
Over time, it does learn that that's okay and it will stop doing that.

227
00:16:07,240 --> 00:16:15,560
We can also teach it very quickly if need be and tell it, hey, that's fine.

228
00:16:15,560 --> 00:16:19,600
In those cases, if it is catching something that you're doing that is unique, it's important

229
00:16:19,600 --> 00:16:23,560
to remember that maybe what you're doing is unique in a way that's negative.

230
00:16:23,560 --> 00:16:32,840
Yeah, like Andrew said, using it as a full ERP is, Excel is not a database, as we're

231
00:16:32,840 --> 00:16:36,160
all very fond of saying.

232
00:16:36,160 --> 00:16:42,160
Using it as one is probably creating an attack vector and attack surface that isn't going

233
00:16:42,160 --> 00:16:44,440
to exist in other organizations.

234
00:16:44,440 --> 00:16:48,200
Finding out that that's happening and if this tool is catching things that you're doing

235
00:16:48,200 --> 00:16:53,800
that it thinks are malicious or dangerous, let you learn about how you're working and

236
00:16:53,800 --> 00:16:58,440
find new ways and better ways to keep yourself safe.

237
00:16:58,440 --> 00:17:03,300
One of the arguments that I hear pretty regularly and less now but still occasionally is that

238
00:17:03,300 --> 00:17:08,240
antivirus does everything that they need.

239
00:17:08,240 --> 00:17:12,440
I covered this very briefly at the start about how antivirus should be thought of static.

240
00:17:12,440 --> 00:17:17,120
It looks for specific types of things as it's going through.

241
00:17:17,120 --> 00:17:23,120
I think I'd probably compare it to antivirus being the bouncer at the front door checking

242
00:17:23,120 --> 00:17:28,200
everything and then EDR is more like the people running the perimeter and making sure no one's

243
00:17:28,200 --> 00:17:32,880
trying to jump the fence or sneak through putting on disguises or hiding in the back

244
00:17:32,880 --> 00:17:36,120
of trucks that are going in.

245
00:17:36,120 --> 00:17:39,640
It's more about finding patterns and ways around it.

246
00:17:39,640 --> 00:17:45,560
What do you guys say to someone who says that antivirus is meeting their needs already?

247
00:17:45,560 --> 00:17:48,760
They don't need EDR.

248
00:17:48,760 --> 00:17:55,200
From an incident response perspective, I've seen many times where antivirus did not catch

249
00:17:55,200 --> 00:17:59,640
something and their network was compromised.

250
00:17:59,640 --> 00:18:02,840
As you were saying as antivirus works, it's static.

251
00:18:02,840 --> 00:18:07,320
It knows that a threat does this, this and this and there's a signature for that.

252
00:18:07,320 --> 00:18:08,800
Well antivirus knows that.

253
00:18:08,800 --> 00:18:10,960
EDR is seeing hope.

254
00:18:10,960 --> 00:18:16,760
This application is interacting with this other thing and it normally doesn't do that and

255
00:18:16,760 --> 00:18:21,040
there's no signature for how that's acting, but it's blocking it because it shouldn't

256
00:18:21,040 --> 00:18:23,280
be doing that.

257
00:18:23,280 --> 00:18:31,840
That's where antivirus may be doing its job, but you're paying minimum wage for a bouncer

258
00:18:31,840 --> 00:18:35,720
at the front door where you could be paying a security team to watch your perimeter.

259
00:18:35,720 --> 00:18:38,720
There's a cost with that.

260
00:18:38,720 --> 00:18:43,000
Is your business, again going back to the two weeks, is your business able to sustain

261
00:18:43,000 --> 00:18:47,960
a two week downtime if you don't have this more advanced security product?

262
00:18:47,960 --> 00:18:54,160
Yeah, I like how you worded that.

263
00:18:54,160 --> 00:18:57,240
Some of the applications that are touching some of the files that it shouldn't be is

264
00:18:57,240 --> 00:19:03,760
in going back to some of those macros of why is this Excel document making file modifications

265
00:19:03,760 --> 00:19:11,120
to a configuration file five-folder past deep?

266
00:19:11,120 --> 00:19:18,160
Whereas EDR can remediate against that and then not only stop the threat, but also if

267
00:19:18,160 --> 00:19:26,000
it wasn't the macros, if it isn't true positive, roll back the device to an image right before

268
00:19:26,000 --> 00:19:28,400
that process occurred.

269
00:19:28,400 --> 00:19:38,080
Restoring all the files that it did touch to the state right before of modification.

270
00:19:38,080 --> 00:19:49,960
I would say another one of going for why there are pushback against it is that Macs don't

271
00:19:49,960 --> 00:19:54,320
get viruses.

272
00:19:54,320 --> 00:19:56,200
We can shut that down quickly, can't we?

273
00:19:56,200 --> 00:20:00,640
I've heard that one a few times.

274
00:20:00,640 --> 00:20:05,920
As an avid Mac user at home, I can tell you that they definitely do.

275
00:20:05,920 --> 00:20:10,600
I can also confirm that there are tools out there that can help you.

276
00:20:10,600 --> 00:20:17,800
I would also say if you have one of the M1 or M2 chip Macs, you should be extra vigilant

277
00:20:17,800 --> 00:20:24,680
as people are finding them a very fun target to try and find flaws and vulnerabilities in

278
00:20:24,680 --> 00:20:27,000
just because they are so new.

279
00:20:27,000 --> 00:20:29,480
That doesn't mean they're more vulnerable.

280
00:20:29,480 --> 00:20:38,960
It just means that people who like to take on a challenge are using them as target practice.

281
00:20:38,960 --> 00:20:45,640
A lot of people, if they do have Macs as their business PCs, they're considering that idea.

282
00:20:45,640 --> 00:20:48,160
Everyone should have EDR.

283
00:20:48,160 --> 00:20:53,600
Everyone should have some form of safety of that tracking what they're doing.

284
00:20:53,600 --> 00:20:54,600
That's a great point, August.

285
00:20:54,600 --> 00:20:56,600
I really like that one.

286
00:20:56,600 --> 00:21:00,600
I like that you mentioned that from experience.

287
00:21:00,600 --> 00:21:07,720
What were you downloading your free cursors and screen savers and you got a virus?

288
00:21:07,720 --> 00:21:08,720
No.

289
00:21:08,720 --> 00:21:10,320
There's a lot to that question.

290
00:21:10,320 --> 00:21:12,720
No, I did not download one.

291
00:21:12,720 --> 00:21:21,480
I have been the Mac specialist amongst my friends for almost a decade at this point.

292
00:21:21,480 --> 00:21:26,000
I will often get that question and often get asked what's going on and what's happening.

293
00:21:26,000 --> 00:21:32,400
I spend more time reading Mac vulnerabilities and Mac changes than I do reading.

294
00:21:32,400 --> 00:21:36,600
We can do these vulnerabilities and changes, which really shows a lot about how much I'm

295
00:21:36,600 --> 00:21:40,360
reading of this stuff more than anything else.

296
00:21:40,360 --> 00:21:47,880
I would say going back to that, the M1 and M2 chips are pretty exciting attack vectors.

297
00:21:47,880 --> 00:21:54,680
Google's bug bounty program is a pretty good payout if you find a zero-day, non-clickable

298
00:21:54,680 --> 00:21:58,000
threat.

299
00:21:58,000 --> 00:22:02,160
Definitely a very solid attack vector in that regard.

300
00:22:02,160 --> 00:22:03,160
Exactly.

301
00:22:03,160 --> 00:22:07,680
Yeah, there's some good money to be made if you are a bug hunter, finding them within

302
00:22:07,680 --> 00:22:09,240
Mac systems.

303
00:22:09,240 --> 00:22:14,520
You can see what those payouts are very easily online, as well as what some of the most recent

304
00:22:14,520 --> 00:22:17,600
ones were and how much these individuals get paid.

305
00:22:17,600 --> 00:22:25,880
There are people whose sole job is finding flaws and vulnerabilities in systems.

306
00:22:25,880 --> 00:22:33,200
Just some side reading if you're looking for that.

307
00:22:33,200 --> 00:22:42,240
On the case of EDR, obviously I think we've made it clear why it's more useful than antivirus,

308
00:22:42,240 --> 00:22:46,960
as well as how it's tied in with the other sections like incident response and things

309
00:22:46,960 --> 00:22:50,160
like that.

310
00:22:50,160 --> 00:22:55,600
I had a point from something you said before August and I've lost it in this Apple side

311
00:22:55,600 --> 00:23:00,800
track.

312
00:23:00,800 --> 00:23:04,600
I think one of the things that I'm seeing from this conversation, which maybe hadn't

313
00:23:04,600 --> 00:23:15,480
been clarified for me before, was that EDR's handling is a lot more aggressive than antivirus

314
00:23:15,480 --> 00:23:19,240
as well.

315
00:23:19,240 --> 00:23:25,440
Maybe some of the ways that some of the pushback we're seeing is because of that aggressiveness.

316
00:23:25,440 --> 00:23:30,520
Do you think that there's part of this in if people are doing things that are outside

317
00:23:30,520 --> 00:23:32,920
of what they should be doing?

318
00:23:32,920 --> 00:23:35,440
Let me phrase that.

319
00:23:35,440 --> 00:23:38,760
Everyone's going to be doing things that they've done from learning how to do it and

320
00:23:38,760 --> 00:23:41,400
learning what works for their business.

321
00:23:41,400 --> 00:23:46,440
Because the EDR's aggressive nature is maybe bringing out some of those, I don't want to

322
00:23:46,440 --> 00:23:53,880
say flaws, but non-best practice actions that the organization is taking.

323
00:23:53,880 --> 00:23:57,040
That's a have-it's-good or bad.

324
00:23:57,040 --> 00:23:59,880
Exactly, yeah.

325
00:23:59,880 --> 00:24:04,600
I will say then that I think that one of the things that I like from EDR then, and this

326
00:24:04,600 --> 00:24:08,720
may just be a me thing, is that it does let me know if the actions I'm taking are also

327
00:24:08,720 --> 00:24:12,920
the actions that might be taken by someone trying to take over a network.

328
00:24:12,920 --> 00:24:16,720
Maybe it's a learning experience to be able to say, hey, if I keep getting stopped from

329
00:24:16,720 --> 00:24:20,040
doing that action, is there a better way to do it?

330
00:24:20,040 --> 00:24:21,280
Is there a quicker way to do it?

331
00:24:21,280 --> 00:24:23,960
Is there a smoother way to tie it in with things I have already?

332
00:24:23,960 --> 00:24:28,040
I know a lot of us are very ingrained in the way we like to do things.

333
00:24:28,040 --> 00:24:33,320
When applications update or change, that can be quite annoying.

334
00:24:33,320 --> 00:24:37,960
I at least like the idea that EDR is telling me, hey, this Excel document you've been using

335
00:24:37,960 --> 00:24:42,800
for the last 20 years is problematic.

336
00:24:42,800 --> 00:24:48,200
Maybe that's a good idea to start looking at other solutions.

337
00:24:48,200 --> 00:24:54,800
Circling back a little bit to the people who are pushing back for antivirus, or pushing

338
00:24:54,800 --> 00:25:00,200
back for EDR, think about it like in the 90s when antivirus was the brand new thing.

339
00:25:00,200 --> 00:25:06,480
Hey, it's causing problems with my XYZ because it's blowing it up or doing something like

340
00:25:06,480 --> 00:25:09,480
that because it thinks that it's malicious based off of signature.

341
00:25:09,480 --> 00:25:15,400
We're at that point now for EDR, is that antivirus is going the way of the dinosaur, EDR is the

342
00:25:15,400 --> 00:25:16,400
new thing.

343
00:25:16,400 --> 00:25:22,520
Previously, antivirus wasn't on computers in the 90s or whenever, I remember when the first

344
00:25:22,520 --> 00:25:25,840
antivirus product came out.

345
00:25:25,840 --> 00:25:31,600
We're at that point in computing where antivirus isn't good enough anymore.

346
00:25:31,600 --> 00:25:34,840
EDR is better.

347
00:25:34,840 --> 00:25:37,840
We're moving away from that to a more robust solution.

348
00:25:37,840 --> 00:25:45,160
I'll say as something else you just mentioned, alert fatigue is a real thing.

349
00:25:45,160 --> 00:25:50,200
I'm sure we're all remembering those times when we first started using antivirus and

350
00:25:50,200 --> 00:25:55,920
it just pinged at us for 20 minutes straight because it's like you have three different

351
00:25:55,920 --> 00:26:01,560
PDFs named new PDF one, two, and three.

352
00:26:01,560 --> 00:26:05,840
One of the upsides to EDR is that oftentimes, depending on who you go with obviously, but

353
00:26:05,840 --> 00:26:11,440
oftentimes because it is autonomous and especially at a business level when you're getting it

354
00:26:11,440 --> 00:26:17,760
through someone else or with a SOC team included, you aren't seeing those alerts at all.

355
00:26:17,760 --> 00:26:23,360
It's completely silent for you because it is making these actions and asking for forgiveness.

356
00:26:23,360 --> 00:26:27,800
It may tell you that something isn't working if you try it enough times, but more often

357
00:26:27,800 --> 00:26:34,360
than not, you'll get a call from our SOC team, someone like August, letting you know, hey,

358
00:26:34,360 --> 00:26:35,880
this has been blocked.

359
00:26:35,880 --> 00:26:36,880
Was it something you meant to do?

360
00:26:36,880 --> 00:26:40,520
Is it something that you want allowed on this system?

361
00:26:40,520 --> 00:26:47,160
It really removes a lot of that annoyance of seeing a ping every time something you do

362
00:26:47,160 --> 00:26:52,360
that again, maybe you've done a million times is suddenly being called up.

363
00:26:52,360 --> 00:26:57,760
You're really handing off that part of it, which even though it might seem like a small

364
00:26:57,760 --> 00:27:02,640
part of your day seeing those pop-ups and seeing those alerts, it does take into it.

365
00:27:02,640 --> 00:27:04,240
It does bring up your stress levels.

366
00:27:04,240 --> 00:27:07,760
It does take over part of what you were doing previously and distract you.

367
00:27:07,760 --> 00:27:12,440
I like that you say you want a call from August because that means the tool is doing

368
00:27:12,440 --> 00:27:13,440
its job.

369
00:27:13,440 --> 00:27:18,160
If you get a call from me, that means that something is not going well and there's bigger

370
00:27:18,160 --> 00:27:19,480
problems.

371
00:27:19,480 --> 00:27:20,480
You want a call from August.

372
00:27:20,480 --> 00:27:21,960
You don't want a call from me.

373
00:27:21,960 --> 00:27:22,960
Yeah.

374
00:27:22,960 --> 00:27:25,600
If you get a call from me, it's because I want to talk about policy.

375
00:27:25,600 --> 00:27:31,400
Be excited.

376
00:27:31,400 --> 00:27:35,760
I hadn't really considered that taking it off their hands as well.

377
00:27:35,760 --> 00:27:41,920
Maybe you have someone in your office who is not really the IT person, but has fallen

378
00:27:41,920 --> 00:27:48,440
into that role and they're actively handling these every time there's pop-ups.

379
00:27:48,440 --> 00:27:49,960
So much easier.

380
00:27:49,960 --> 00:27:52,880
Just to pass that off to the EDR and SOC team.

381
00:27:52,880 --> 00:27:53,880
Yeah.

382
00:27:53,880 --> 00:27:57,320
Then August jumps in and handles it for you.

383
00:27:57,320 --> 00:27:58,320
Yeah.

384
00:27:58,320 --> 00:28:07,240
I was going to say the jumping into the passing it off to a SOC team member is a lot more

385
00:28:07,240 --> 00:28:09,400
efficient than having to deal with it yourself.

386
00:28:09,400 --> 00:28:11,720
This is a stat that I heard.

387
00:28:11,720 --> 00:28:17,240
I don't know if it's, I believe it's correct, but it takes about seven minutes for the brain

388
00:28:17,240 --> 00:28:20,440
to switch from focusing on one task to another.

389
00:28:20,440 --> 00:28:27,960
So if you're deeply working on a project and you get blocked by your EDR tool, having to

390
00:28:27,960 --> 00:28:34,960
go in, make the exclusion, figure out how to do it, opposed to someone like myself giving

391
00:28:34,960 --> 00:28:41,200
you a call and saying, hey, let's get this figured out and then be on your way.

392
00:28:41,200 --> 00:28:49,600
So it saves, I think, time, money, efficiency, and just to offload that work onto us.

393
00:28:49,600 --> 00:28:50,600
So.

394
00:28:50,600 --> 00:28:51,600
Exactly.

395
00:28:51,600 --> 00:28:54,800
And that's before we get to the two weeks of downtime for not having.

396
00:28:54,800 --> 00:28:55,800
Exactly.

397
00:28:55,800 --> 00:28:57,960
You don't want to hear Sherp.

398
00:28:57,960 --> 00:29:01,440
I don't want to call you guys either.

399
00:29:01,440 --> 00:29:03,440
It's no fun for me either.

400
00:29:03,440 --> 00:29:04,440
Yeah.

401
00:29:04,440 --> 00:29:07,240
And, Chef, when you messaged me the other day saying you wanted to chat, I'm like, oh,

402
00:29:07,240 --> 00:29:10,240
no, what's happened?

403
00:29:10,240 --> 00:29:11,240
Perfect.

404
00:29:11,240 --> 00:29:12,240
Wow.

405
00:29:12,240 --> 00:29:22,880
Well, we've gone deep into the technology of EDR, and I'd love really quickly if somebody's

406
00:29:22,880 --> 00:29:27,480
listening to this and they're like, I got to jump on that bandwagon.

407
00:29:27,480 --> 00:29:32,480
What would be an action step as our closing thoughts, if there's anything else you want

408
00:29:32,480 --> 00:29:33,480
to share?

409
00:29:33,480 --> 00:29:40,200
And then what is an action step that someone could take to start their journey into implementing

410
00:29:40,200 --> 00:29:42,680
planning or researching EDR?

411
00:29:42,680 --> 00:29:49,680
Well, without just straight up being a sales thing here, I mean, you can tell we all love

412
00:29:49,680 --> 00:29:51,680
to talk about this.

413
00:29:51,680 --> 00:29:53,600
There's a bunch of stuff online.

414
00:29:53,600 --> 00:29:57,720
There's blogs and YouTube videos that you can dig into.

415
00:29:57,720 --> 00:30:03,120
But you can spend as much time researching this as most of us have here.

416
00:30:03,120 --> 00:30:08,120
I know Sherp and I spend, and August as well, spend so much time reading about these, reading

417
00:30:08,120 --> 00:30:10,360
about the tools that exist and how it changes.

418
00:30:10,360 --> 00:30:12,320
And everyone's free to do that.

419
00:30:12,320 --> 00:30:15,840
The information we're reading is the same information you're reading.

420
00:30:15,840 --> 00:30:19,080
But also, do you want that in your brain?

421
00:30:19,080 --> 00:30:22,700
Do you want to have to keep all that there?

422
00:30:22,700 --> 00:30:26,840
Not just us, there's a lot of organizations that will help with this, but reach out to

423
00:30:26,840 --> 00:30:27,840
us.

424
00:30:27,840 --> 00:30:28,840
We're friendly.

425
00:30:28,840 --> 00:30:30,840
We'll say hi.

426
00:30:30,840 --> 00:30:34,760
That next step is really about finding out how it will integrate into your business.

427
00:30:34,760 --> 00:30:39,160
So whether you're doing that research yourself or getting some assistance, think about how

428
00:30:39,160 --> 00:30:44,520
you can integrate it in a way that allows you to keep that triad, the CIA triad in your

429
00:30:44,520 --> 00:30:51,800
mind and secure the system better without causing any additional complexity or harm

430
00:30:51,800 --> 00:30:55,920
to the way that you currently work.

431
00:30:55,920 --> 00:31:01,280
To also add a note, as you're researching, do keep in mind that there are many tools

432
00:31:01,280 --> 00:31:07,960
out there, but EDR itself is not going to be a catch-all, stop-all, you're 100% protected.

433
00:31:07,960 --> 00:31:12,120
There are still other layers that should be put in place and should be discussed.

434
00:31:12,120 --> 00:31:16,760
EDR is a huge step forward, just like MFA is for your logins.

435
00:31:16,760 --> 00:31:19,720
If you put this in place, it's going to give you a huge amount of protection, but it's

436
00:31:19,720 --> 00:31:21,400
not going to protect everything.

437
00:31:21,400 --> 00:31:23,320
You need to factor in other things that are going on.

438
00:31:23,320 --> 00:31:29,560
I know this podcast is purely about EDR itself, but as we're talking about this, it's important

439
00:31:29,560 --> 00:31:34,920
to know that there's no one size fits all perfect solution for everything.

440
00:31:34,920 --> 00:31:37,880
So you need to understand what is right for your business.

441
00:31:37,880 --> 00:31:41,600
EDR will help immensely, but there are other things that do need to be considered when

442
00:31:41,600 --> 00:31:47,480
you are trying to increase your security posture.

443
00:31:47,480 --> 00:31:51,080
Please listen to any of our other compliance podcasts for more information.

444
00:31:51,080 --> 00:31:53,280
Yes, I love it.

445
00:31:53,280 --> 00:31:54,280
Yes.

446
00:31:54,280 --> 00:32:01,320
And if you have any questions or want to learn more about EDR or talk to any of these people,

447
00:32:01,320 --> 00:32:09,520
feel free to reach out to us at info at cit-net.com or head out to our website at cit-net.com

448
00:32:09,520 --> 00:32:12,200
slash podcast.

449
00:32:12,200 --> 00:32:16,520
Thank you Matthew, August, and Andrew for joining us today and we'll be back next week

450
00:32:16,520 --> 00:32:24,640
with an all new episode.

