
All right. So, next up we have Sean Weiss from Fortinet. Great. Thanks. Is this on?
Good to go. There we go. Okay, everyone. Thank you for having me. My name is Sean Weiss. I'm from Fortinet. I'm the business development engineering manager for Canada. I hail from Calgary, so this is my first time in St. John's. So of course I tried something called screech last night, and it's not really being helpful this morning. So you might see me pause and forget what I'm talking about. Bear with me.

All right. So today we're going to talk a little bit about demanding more from your endpoint. And really we're going to talk about the endpoint and why the endpoint is sexy again. Right? For a long time, I think we can all agree, up until a couple of years ago the most boring part of cyber security was the endpoint, largely because it wasn't working anymore. It didn't do a lot for us. We're going to talk about how that changed a couple of years ago and how it's evolving. Before we do that, though, we're going to dive into the threat landscape a little bit and talk about some of the drivers, some of the challenges, the things that are keeping us up at night that really demanded more from the endpoint. So that's what we'll do first.

So let's jump into the threat landscape. Okay. So, a couple of items to bring up, some things that we've been challenged with over the last couple of years. First and foremost, enabling work from anywhere, right? COVID brought this to a head real quick, and unless you were dead the last two years, everyone understands this concept, I think pretty easily. But what happened here, right, in a snap of a finger when COVID came along, we literally had to send everyone home. So everyone was all of a sudden working from places that we no longer controlled as a corporate security operations group. And so security operations folks now struggled with: how do we secure the endpoint and our data wherever it might be? It could be someone working from a hotel. They could be working from home. They could be working from Maui, right? We really didn't know where anybody went. All we knew is they had our laptop. They had access to our assets and data. And really all we could do was support them with an endpoint, right? That was really our only chance of protection, or at least it was our best chance of protection. So trying to protect this new plethora of users that could be anywhere really created a whole bunch of essentially remote offices that we all of a sudden had to protect real quick. So that was a massive headache, and you probably all lived through that.

The other big one here that keeps us up at night is ransomware, right? Guys like me have been up here for 10 years telling you the same thing: ransomware, it's getting worse, it's getting more sophisticated. And it is, right? That's the problem with that story. It really is. Every year I get up here and it does get worse and worse every year. And we'll talk about that. So again, how do we protect against ransomware? Ransomware is becoming more and more advanced, just like the endpoint is, right? So it's a cat-and-mouse game. We throw ML or machine learning and AI at it. Well, guess what they do? They do the same thing. And it's this cat-and-mouse game where we're always trying to stay one step ahead, but it never seems like we are.

The other big problem that we face is a lack of people, a lack of people that know what they're doing. And so events like this are great for that. But we need to do more. What I mean by that is there's a massive skills shortage in security operations folks, people that understand threat hunting, that understand automation and orchestration and the skills that go into that, the building blocks behind orchestration. Orchestration is not easy, right? It takes a lot of skills, a lot of training to understand how to make APIs work with each other, how to script that out. And there's a shortage of people that can do that stuff. There's a shortage of people that can reverse engineer malware and threat hunt. And so that puts our security operations in jeopardy.

All right, here are some stats. 16 days is the average number of days that it takes us to remediate an incident. So this is from, I think, IBM. Is this IBM? No, this is Verizon, right?
This stat came from Verizon. 16 days it takes us to remediate ransomware, right? That's over two weeks that ransomware is running wild, encrypting and asking for money. Okay, that's ridiculous. The other problem here is it's not even the ransomware that costs the money, right? It's not the ransomware itself that is the expensive part. It's those two weeks of being down. The costs that go into not being able to sell anything or produce anything or whatever it might be, ship oil in a pipeline. Actually, one that really upset me: anybody like that Italian liqueur, Campari? Anybody like Campari? Yeah. Well, then you probably know about this one.
Of all the people to hold up for ransom, it was Campari in Italy. Campari couldn't ship Campari for literally a month after being held ransom, right? For me, that's when it goes too far. You start attacking my booze, now I'm mad. Anyway, where was I going with that? But loss of reputation, of course, and the cost that it takes to rebuild, because nobody really knows where the ransomware lives, right? And so half your network has to be rebuilt from scratch. So there are a lot of costs that go into this beyond just your initial ransomware.

All right, let's talk about another issue: point product syndrome. I call it the no-vendor-left-behind strategy, right? Some guys would call it best of breed, but I'll argue that point later. This is one of the problems as to why we have a skills shortage, because most organizations are built on this best-of-breed mentality. Again, what I call the no-vendor-left-behind strategy, where you wake up one day, the CISO, and he realizes he's got 17,000 security vendors in his network, each one of them doing one individual thing, half of them not working with each other, not integrated, not coordinated. And now he's left with this massive mess. And we're going to talk about why that is driving some of the stats that I just showed you.
Right, because that's hard for your operations team if they've got to learn 17,000 different security products. That's a lot of training. That's a lot of overhead. How do you make those tools work together if they're not designed to work together? And most of them aren't. And so this is what's driving a lot of security operations to these great inefficiencies that I'm trying to talk about. So this stat, this one was done by ESG Research, and they basically said in their findings that 67% of organizations complain about disconnected tools, and that's what I'm really trying to talk about today: this inefficiency in the SOC that's being created by tools that just don't work together. There are either too many of them or they just don't integrate. And complexity, as we all know, complexity is the enemy of security.

All right. And further following up on this study, this one was basically asking: which of the following would you say are your organization's biggest challenges? I don't know if you can read those or not, but I'll read them out to you. Number one was too many emergencies, right? Anybody working the SOC here? There are probably a lot of guys doing SOC stuff here, right? You're probably running from one fire to the next. You don't have a lot of time for preventative measures. You're always constantly putting out the fire. You're always reacting. And that's what they're talking about here, right? Too many emergencies. The second number one problem was blind spots, lack of visibility. You don't know what's going on in your network. You don't know what's around you. You're not sure if you're seeing all of the threats in and out. So that's a big one. The third one was difficulty correlating data, and this is really talking about lack of integration or lack of threat intelligence sharing, and we'll talk about why that's important and how that can be helpful. Incident management was number four. So basically the SOC team's complaining that they can't manage incidents properly. They can't do it in an efficient manner. They can't do it timely. So essentially what we're saying here is the SOC is saying we're challenged by constant emergencies, blind spots, lack of integration, and the inability to respond effectively. So we've got to do something different, right? Some of those stats I showed you earlier should be a bit of a wake-up call that things aren't getting better. We're not getting any better as a cyber security industry at stopping malware, at stopping breaches. So we've got to do something different. And really what it comes down to is time. Time is the enemy. And that's really what I'm going to talk about today when we talk about the endpoint and its place in all of this strategy: how do we get to a place where we can protect and detect faster? That's really, ultimately, the goal of cyber security today.

This other stat here, I think this is from IBM. So this isn't ransomware. This is basically any and all breaches. And I've been doing this slide for probably a decade. This used to be 276 days. 10 years later, it's now 228 days. So are we really getting any better? That's like 50 days in 10 years, right? That's a 20% increase. That's not very efficient. But that's how long it takes on average for the average organization to detect a breach in general. 228 days. That's two-thirds of a year. It takes them 80 days to contain that breach. The other stat I didn't put up on this one is over half of those breaches are detected by a third party. Not even detected by your own SOC team. They're detected by somebody else, somebody you're doing business with, sometimes the government or CSIS or whoever it might be that puts out some kind of bulletin. So most organizations aren't even finding their own breach.

Now this one is interesting. Take this one with a grain of salt, but this study basically threw up a couple of other numbers, and they threw up a number here, 1 million, and they were saying that's the average savings from containing a data breach in less than 200 days. So what they're basically trying to say here with this stat, and take it with a bit of a grain of salt, is that the quicker you detect something, and this is probably a no-brainer, it should be: the quicker you're detecting, the quicker you're protecting, right? The quicker you're finding the threat, the less damage it's going to do. The other stat they threw up here, the 3.58, this is the savings on average in the total cost of a data breach when fully deployed with security automation and orchestration. So this number that they did in the study was basically saying when you're getting to a point of integration and you're using automation, these are the savings that you're going to realize. Again, take it with a grain of salt, but it's obvious, right?

Now, this is not just me saying this stuff. Good old Gartner has actually got a lot to say about this. So Gartner, a couple of years ago, really maybe the last year or so, has really been touting this new strategy, a new philosophy, a new concept of what they call cyber security mesh architecture, or CSMA. What this is really all about is getting away from the best-of-breed, no-vendor-left-behind approach to something that's a whole lot more integrated, and integrated for the purpose of orchestration for the sake of automation. It's automation that's going to save your bacon, because again, it all boils down to time. We largely win or lose this game based on time. It's all about how fast we can react, sorry, detect and react. And that's what Gartner is saying here. Get away from the point product syndrome. Get away from siloed products, because if they're not integrated and they're not sharing and they don't work together, then you're not doing yourself any favors.

All right. So some of the other benefits of what Gartner talks about here: sharing of policies. So think of some of your networking gear, firewalls for example. With a mesh architecture, in theory, you're creating policies that can be duplicated elsewhere, right? So you create one policy and you push it to where it needs to go. You don't have to worry about configuring the same rule set a thousand times, because what happens when you create the same rule set a thousand times? Eventually you fat-finger it somewhere, right, and it no longer is the rule that's trying to do what it was supposed to do. Sharing of threat intelligence, right? So something that's found on one part of the network, sharing that with the rest of the network. Maybe the endpoint finds something, and now we want to share that threat intelligence, whatever it might be. It could be a hash from a piece of malware, it could be an IP address, a URL, but then sharing that amongst the network, or just amongst all the other security tools. And then of course playbooks, right? So the ability to have an orchestration capability where you're either pushing a button or the machine is doing the pushing for you, where all of the different devices and solutions in the network are actually working together to detect and then mitigate that threat. That for me is the big one.

Last but not least, this integrated approach should be coming with some sort of financial benefit, where you're consolidating things like licensing, consolidating training. So no longer are you trying to train everybody on 17,000 different security tools. You're hopefully being able to reduce that. And what Gartner is going to talk about here in the next slide is, for them to realize the benefits of a cyber security mesh architecture, CSMA, Gartner is basically saying that a consolidated vendor approach is probably going to be the best way in the foreseeable future to realize that strategy, because integration is ultimately difficult. Vendors have to get together, they have to talk, they have to agree, and then they've got to stop screwing around with the next version of firmware that breaks that API. Right? So that's why Gartner says if you're going to realize the benefits of something like a security mesh architecture, it's probably best done with a consolidated vendor approach. And of course I want to tout my own company, but I'm not trying to make this a Fortinet thing. There's more than just Fortinet who believes in this philosophy. So just take what I say with a grain of salt, but this is where the industry as a whole is moving towards: a consolidated security strategy where things just work together.

All right, I kind of went through this already, right? The benefit of the mesh architecture, it's really all about speed to detect and speed to respond. It's about increasing efficiency. It's about not taking 228 days to find a breach and another 80 to remediate that breach. It's about finding that breach in real time and mitigating it in real time. So instead of getting a letter from CSIS saying, "Hey, we found your intellectual data on a website in China," instead we're getting a message on our phone that says, "Somebody from China tried to hack your database, but we just quarantined that IP address on the firewall and
quarantined the compromised machine with NAC." That's hopefully the information you're getting, as opposed to the email from CSIS 228 days later. That's what this is all about.

Okay, introduction to EDR, and where does the endpoint play in this game? So a couple of years ago, a lot of vendors, well, customers, came to the realization that endpoint just wasn't up to the task anymore, right? The problem is it wasn't detecting stuff anymore. It was based on antiquated technology, blacklisting. You want to detect malware, you needed a blacklist, you needed a signature, and you had to download that constantly all day long. And this is where the attackers were a step ahead of us with what we call polymorphic malware, because the malware would change constantly. And so these blacklists, these signatures, were quite useless. And so eventually the vendor community started bringing some sex appeal back to the endpoint and we started doing things a little bit differently, and we were no longer relying on just blacklisting. And so we call that AV, or sorry, next-gen AV, right? So AV changed from a static signature-based method of detecting and went to something that's more machine learning, artificial intelligence, but really behavioral-based. So what we do with the endpoint, the next-gen endpoint today, is we look at the behavior: what is this file or this process trying to do with the operating system? So we don't really care about hashes anymore. We don't really care about something static like that as a signature. We're looking at the behavior, because no matter how many times you change that hash or change that piece of malware to make it look different, the behavior it's going to exhibit is still going to be the same. So that's where endpoint has really changed the game a bit and has really added some increased value over the last couple of years.

Now that's next-gen AV. There's another product that came out as well a couple of years back, and this is what we called EDR, or traditional EDR, I'll say, because some of this has gotten all wrapped up together, and I'll kind of explain what some of that terminology means, because it's kind of confusing for a lot of people. But then EDR came along one day, because what did next-gen AV lack? Sure, it was good at detecting stuff, but it wasn't so good at threat hunting. It wasn't so good at remediating and rolling back and all that other stuff that a SOC needs to do. Because even with next-gen AV being as good as it is, you are eventually going to get breached. I will guarantee that you will get breached. No matter what you buy from who, you will eventually be breached at one time or another. Hopefully not as much as you were before, if you're doing the right things, but you will get breached. I don't care what you do, what you buy, how much money you spend, you will get breached. And what separates the men from the boys in this business, or the girls from the women, is not that you didn't get breached, but how fast you responded to that breach. It's how efficient you were at mitigating the damage that was done. Right? So again, I come back to the fact that this game that we're in is largely won or lost based on time. And next-gen AV didn't really have a way to help us with that part of it. So EDR comes along, and EDR was all about: how do we remediate? How do we roll back? How do we threat hunt? How do we look for these indicators of compromise that we just detected on this machine? How do we make sure that this stuff isn't somewhere else, or that somebody didn't talk to the same command and control server or the URL and click on the same link? So that's what EDR was all about. So then we end up with these two endpoints on everyone's machine, and then we finally started consolidating these together.

And so that's what you should be demanding from your endpoint. These two tools, these two strategies for endpoints, should be combined together into the same footprint. And here are some other things you should be demanding from your endpoint. Proactively mitigating risk. What I mean by this is your endpoint should be able to detect the communications, not just look for malware, but it should be looking at the processes that are running on your machine and what the risk factor is with that process. So for example, let's say you're using Google Chrome. You're using a really old, antiquated version of Chrome, right? And that could be a critical CVE, a critical vulnerability score of five, or maybe something high. So that's visibility that you need as somebody who's managing risk in your corporation or in your organization. So being able to detect and manage risk from the endpoint: what kind of behaviors is that endpoint exhibiting? What kind of risky behavior and processes and applications are on that machine? And then also think about IoT or rogue devices. So your endpoint should also be able to detect what's around me that might not be good for me, right? What's around me that's not safe? What's around me that I need some visibility into? So being able to detect IoT devices, being able to detect rogue APs running around, that's also something you should be demanding from your endpoint.

We talked about next-gen AV, and that's really what we're talking about here with the next two, right? So this is your endpoint. If we're buying into the whole next-gen AV concept, it should be able to integrate with things like sandboxes and other behavioral analysis tools. But the whole idea behind it should be detecting threats based on behavior. No longer should we really have to rely on static blacklists anymore, because those days are gone. And then ransomware. Ransomware is a very particular kind of malware, and it needs different tools from the endpoint's perspective, different behavioral analysis type tools that are different from just normal malware. And so your endpoint should specifically have capabilities that are devoted to just ransomware protection. And then of course the last two, what I was just sort of talking about a little bit earlier, is that we then need to wrap all of this up in a management framework where we can threat hunt. We can take those indicators of compromise that we found in the network, whether it's something we learned from somewhere else in our network or whether we learned it from the endpoint itself, and we should be able to propagate that IOC discovery process amongst everything in the network so that we know if anybody else has been compromised, or that we know if anybody else has gone to that website or that URL that they probably shouldn't have. And then the ability to roll back and remediate. So what we're talking about here is, let's say files were dropped. Let's say registry entries were changed. Or the machine itself is completely compromised. We should be demanding from our endpoint the ability to fix that, right? Delete those files, put that registry entry back the way it was before, or let's do a complete rollback of that machine from scratch. So these are all things that we should be demanding and are possible with today's new endpoint.

All right. The only thing I'm going to say about this one is something else that we should be demanding, the last bullet point here: zero trust. Who's heard of zero trust, right? Probably just about everybody. It's another buzzword that we like to ram down your throats these days. It's the next best buzzword out there. But it's important. Zero trust is important. And I know we sound like marketing guys sometimes when we come up here talking about zero trust, and the terminology gets confusing too,
but zero trust is all about, if I can dumb it down a bit and just sort of summarize it super quick, zero trust is all about ensuring only the things that are safe and authenticated and authorized should be on your network. So EDR, the endpoint, has a part to play here, right? Because I just got finished talking about how EDR knows what kind of IoT devices are running around next to the endpoint. It knows what kind of risky applications and processes are running on your machine. It knows if it's discovered malware. We can threat hunt and look throughout the rest of the network at what other endpoints might be compromised. So EDR has a big part to play here, because the endpoint can then start to put a tag on the endpoint and say, you know what, this guy's got an ancient version of Chrome running. He's got BitTorrent on here. He's got TeamViewer, which we don't like in our corporation, etc., etc. And we can put a tag on there that says this is a naughty machine, whatever that tag needs to say. And now the rest of the network, if we're integrated, can say, "Oh, this guy's got a tag of naughty." That means he can't talk to the corporate financial servers, or he can't talk to the server network, whatever that rule wants to be on our firewall or our network access control. So you should be demanding that kind of capability from your endpoint. Tying the endpoint into zero trust is absolutely crucial and critical to zero trust.

Okay, so let's talk about another buzzword: XDR. EDR is the same thing as XDR, just two different buzzwords. The difference is XDR just comes with more bells and whistles, more options, more capabilities. It's more integration. So it's really an integration, and in fact all of the things I'm really trying to tell you today is XDR. All this integration and orchestration capability, that's what XDR is. It's taking EDR and adding this functionality of integration and orchestration. It's the same tool. It's the same endpoint, just opened up with more functionality. So that's what XDR is.

Now Gartner has something to say about this too. A recent survey by Gartner found that 75% of organizations are pursuing security vendor consolidation in 2022. That's up from 30% just two years ago. Now the funny thing here is a lot of people tie the reasoning for vendor consolidation to cost savings as being the biggest driver, but the takeaway from this slide is the biggest driver for most organizations in consolidating vendors in the cyber security space is not just because it makes sense financially, right, with the reduced licensing and whatnot and training, but because it makes better sense from a security posture point of view. That's really the primary reason that most people are going to this CSMA or consolidated vendor approach to security.

All right. So what is XDR? It means extended detection and response. So that extended part is the important thing here, the differentiator: more integration capabilities. And we'll talk about that in a bit more detail. And that's what this is here. So this slide is showing kind of the front end of the art of the possible with XDR. So XDR opens up the ability to take in information. Not just take in; it's actually a bidirectional relationship. So the endpoint and the firewall have a relationship and can talk to each other. Same with a secure web gateway, if you still use those instead of a firewall. Email gateway, which is an interesting one, right? A lot of people think, well, what does the endpoint have to do with a mail gateway? And I'll show you an example a bit later. Authentication stores, Active Directory for example, right? There's a nice bidirectional tie-in there too. Things like DLP and CASBs. So there's a lot of integration, and that's at the heart of XDR: the ability to integrate so that we can automate.

Okay, so how does XDR help? So again, I kind of mentioned some of these bullet points before. But first and foremost is reducing alert fatigue, right? So one of the things XDR does, because it's taking in threat feeds and data from all these different sources, is it can start to correlate, and it can start to reduce false positives. So rather than just sending out blind events from a device, you're getting incidents, not events. And so these incidents are correlated and they're prioritized based on criticality, so that you're really only facing or looking at what's important to you in the SOC. And of course, the one I keep coming back to time and time again is XDR with its integration and automation is really all about speed. Speed to detect, but speed to respond, right? And that's really where XDR, in my opinion, is the game changer.

All right. So let me give you just a couple of examples of how this might look. Vendors will remain nameless. So let's say you've got a firewall in this example. You've got an endpoint. What else do we have here? I think we've got a mail gateway. But let me kind of go through the script. And this is a low-hanging fruit one. This is one that's super simple, super easy. This should be something that no script kiddie would ever have to touch. This should be something that's just low-hanging fruit that your console, with the touch of a couple of buttons, should be able to automate. All right. So the whole idea here is a malicious application on the endpoint. It tries to access external servers, command and control servers, right? So the endpoint detects that this is something malicious. There's a malicious communication going on on the endpoint. Now the problem with detecting all of this at the endpoint all of the time is your endpoint is your last line of defense, right? Do we really want to leave the endpoint to being the guy who's always detecting and stopping everything all the time? That's kind of late, isn't it? Because the endpoint is the furthest thing back into the network. So the whole idea here is this threat intelligence shouldn't just be for the endpoint. We should be stopping this stuff right at the front door. So the whole idea here is, as the endpoint detects indicators of compromise, could be hashes of malware or the IP addresses of these command and control servers, it feeds that into the firewalls, all of the firewalls. I don't care if there's one or if there's a hundred, they'll all get this information, and it feeds all of that threat intelligence so that the next time that command and control channel or that attacker tries maybe something different, we don't have to wait for the endpoint to do its job. We'll let the firewall do its job, right? The firewall will block it right at the firewall, and that protects the rest of my network faster and quicker. I don't have to rely on waiting for the endpoint to do everything. All right, so I kind of built that one out.

All right, another one. So this is showing integration between the XDR, the endpoint, and network access control. So again, very low-hanging fruit, a very easy couple of menu items that you push, a couple of IPs that you add to make this integration work. And this is essentially the endpoint working with network access control, or NAC. If you've ever heard of NAC... who's never heard of NAC? Do I need to explain what NAC is, maybe? No. Okay. So what NAC can do, I'll explain it anyways. NAC is a device or solution that basically provides visibility on everybody on your network. So it talks to switches, talks to access points, and as endpoints, servers, whatever it might be, jump onto the network, it knows about it and determines whether these devices are safe and secure. Are they part of corporate policy? Do they have their firewall on? Do they have their AV up to date? Are they authenticated? Yes. Put them on the network. That's what NAC does. Well, NAC can also do the opposite. If NAC says, "Oh my god, you just downloaded some malware, off the network you go." And the way NAC realizes or learns that you're now no longer a good corporate citizen is through XDR, right? The endpoint tells NAC, "Hey, guess what? We just downloaded some malware today, man. We just went to a URL that we shouldn't have. We just talked to a command and control server. Things are bad here." And so NAC can then go, okay, off the network you go, and we'll put you on an isolation VLAN, we'll alert the SOC, and the SOC can go talk to you and figure out what's going on. So that's another real easy integration. It provides a real safe, very fast, effective way of taking machines that are exhibiting malicious behavior and getting them off the network before damage is
Couple more to go through, maybe. All right, this is getting a bit more sophisticated. This is now starting to get into the SIEM space, right? This sort of thing we kind of left to SIEMs traditionally, and SOARs, SOAR tools. So here's where XDR kind of goes, am I a SIEM? Am I a SOAR? And we can talk about that later. But this is where XDR gets more sophisticated. Phishing attack, right? So here's where we integrate with mail, right? This is a good example of integrating with mail. Mail gateway determines that there was a phishing attack. One way or another, it somehow detects through its capabilities and says, "All right,
we've been phished. We've been phished." And so as it comes to this verdict, it's got indicators of compromise on how this phishing campaign has been conducted, right? There's IPs, there's domains, maybe there's URLs. And so with these indicators of compromise, XDR then goes, okay, we can't be the first guy that got this, so let's go see who else went to this. Because as you know, threat vectors can change in the snap of a finger, right? So if we detected a phishing campaign five minutes ago, that means we may not have known about any of those indicators of compromise ten minutes ago. So who, ten minutes ago, maybe clicked on this thing?
Because we only know about it five minutes ago. So we better go check, right? We better go make sure that nobody else has clicked on this stuff before we knew that this was all bad. And that's the idea here: these indicators of compromise are fed back to the endpoint system, and the endpoint automatically, you don't even have to lift a finger, you don't even have to get out of bed, the system will automatically threat hunt, and it'll look for all of those indicators of compromise to see if anybody else in your network went to those links. All right, last one. Detect and block brute force attempt. So here's where we integrate with identity stores. So,
Active Directory, right? So we all know what a brute force login attempt is, right? Somebody's trying to force their way into your network by constantly trying a username and password combination. And so the idea here is, when we see this attack on the network, quite often it's IPS and Active Directory logs working together, and the XDR takes these, correlates, and goes, "Oh, this is a brute force attack." And so then what happens is XDR can go, you know what, if we let this guy keep doing this long enough, he's going to get in, right? So what do we do? We talk to Active Directory and
we say disable this user, because this guy's going to get in eventually. So let's just disable this account. So that's a quick and easy integration with Active Directory where, if we see a brute force attempt, XDR can talk to Active Directory and say disable this user. So that's another quick and easy one. Okay, I'm going to close out with this one, and thanks for your time today and suffering through my screech, but if I leave you with any last parting thoughts here, it's that in this game that we play, which is not really a game, we largely win or lose on time. And we have not done very well as an
industry at equipping SOCs with an efficient, fast ability to detect and remediate. And part of it is because of this best-of-breed point product syndrome where just too many things don't work together. They don't integrate and they're hard to orchestrate. It's all about how do we get to a point of protection faster than 228 days, because that's ridiculous. We have to do better. And the way that we're going to do better is by automating. And the only way to automate, I shouldn't say the only way, but the best way to automate, and take it from Gartner if you don't take it from me, is with a more consolidated vendor strategy where that consolidation is native to the products
when they're built. That's it. Thank you for your time. [Applause]
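The brute-force-to-disable workflow described near the end of the talk, worked through as an added example that is not part of the talk and not Fortinet's or any XDR product's own logic: it correlates constructed Windows Security events (4625 failed logon, 4624 successful logon) per account and source address over a sliding window, flags a success that follows a burst of failures from the same source, and turns the detections into response actions. The log lines, thresholds, action names and the protected-account list are all assumptions made here for illustration.

```python
"""Brute-force correlation over constructed Windows logon events.

Added example; not code from the talk or from any vendor product.
Event lines, thresholds and action names below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, reduced to the fields a correlation rule needs:
# timestamp, event ID (4625 = failed logon, 4624 = successful logon),
# target account, source IP. Addresses are documentation ranges.
SAMPLE_EVENTS = """\
2024-03-05T09:00:01 4625 jsmith 203.0.113.7
2024-03-05T09:00:03 4625 jsmith 203.0.113.7
2024-03-05T09:00:05 4625 jsmith 203.0.113.7
2024-03-05T09:00:08 4625 jsmith 203.0.113.7
2024-03-05T09:00:10 4625 jsmith 203.0.113.7
2024-03-05T09:00:12 4625 jsmith 203.0.113.7
2024-03-05T09:00:15 4624 jsmith 203.0.113.7
2024-03-05T09:01:00 4625 mjones 192.0.2.20
2024-03-05T09:20:00 4625 mjones 192.0.2.20
2024-03-05T09:45:00 4625 mjones 192.0.2.20
2024-03-05T10:00:00 4625 Administrator 198.51.100.9
2024-03-05T10:00:01 4625 Administrator 198.51.100.9
2024-03-05T10:00:02 4625 Administrator 198.51.100.9
2024-03-05T10:00:03 4625 Administrator 198.51.100.9
2024-03-05T10:00:04 4625 Administrator 198.51.100.9
"""


def parse_events(text):
    """Turn the simplified log lines into (timestamp, event_id, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), user, ip))
    return events


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window correlation per (account, source).

    bruteforced: accounts that saw >= threshold failures from one source inside
    the window, mapped to those sources.
    compromised: (account, source) pairs where a success followed such a burst
    within the window, i.e. the guess likely worked.
    """
    failures = defaultdict(deque)   # (user, ip) -> timestamps of recent 4625s
    bruteforced = {}
    compromised = set()
    for ts, eid, user, ip in sorted(events, key=lambda e: e[0]):
        recent = failures[(user, ip)]
        if eid == 4625:
            recent.append(ts)
            while ts - recent[0] > window:   # drop failures older than the window
                recent.popleft()
            if len(recent) >= threshold:
                bruteforced.setdefault(user, set()).add(ip)
        elif eid == 4624:
            # Success from a source that was just brute-forcing this account.
            if ip in bruteforced.get(user, ()) and recent and ts - recent[-1] <= window:
                compromised.add((user, ip))
    return {
        "bruteforced": {u: sorted(ips) for u, ips in bruteforced.items()},
        "compromised": sorted(compromised),
    }


def plan_response(result, protected=frozenset({"Administrator"})):
    """Map detections to (hypothetical) orchestration actions.

    Ordinary accounts are disabled, as the talk describes. Protected accounts
    (break-glass, service, admin) are never auto-disabled, because an attacker
    could otherwise lock them out on purpose; the source is blocked instead.
    A success after a burst additionally triggers a password reset.
    """
    actions = []
    for user, ips in sorted(result["bruteforced"].items()):
        if user in protected:
            actions.extend(("block_source", ip) for ip in ips)
        else:
            actions.append(("disable_user", user))
    for user, _ip in result["compromised"]:
        actions.append(("reset_password", user))
    return actions


if __name__ == "__main__":
    detections = correlate(parse_events(SAMPLE_EVENTS))
    for action in plan_response(detections):
        print(action)
```

Three things a practitioner would check before wiring this to a directory: the window and threshold must be tuned against normal lockout noise, the protected list must cover every account whose loss would itself be an outage, and a spray that rotates source IPs or target accounts will not trip a per-(account, source) window and needs a second rule keyed on the source or on the account alone.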