SE Labs

Special Edition
Computer security testing comment and analysis from SE LABS Ⓡ

Cyber Security DE:CODED – Security opportunities for Managed Service Providers

“Every SMB is an expert in something. A passion. It’s probably not anti-virus…”

SUBSCRIBE! Use one of the ‘Listen on’ links below to keep updated using your favourite podcast platform.

Listen on Apple Podcasts Listen on Spotify

Series 1 | Series 2 | Series 3 (in production)

Other ways to listen: YouTube | Google Podcasts | Stitcher | RSS


Show notes for series 2, episode 7

Small business and Managed Service Provider special!

  • Do small businesses face the same cyber threats as large organisations?
  • Are your security solutions 100% effective? And how do you pick a good one?
  • Where are the opportunities for MSPs to add value and make more money?

In June 2022*, we set up a panel of security experts to help and advise companies selling managed security services. Managed Service Providers (MSPs) need to choose a set of security solutions that they can use or possibly resell to their small business clients, known as SMBs.

The clients face the same cyber threats as large organisations, but they’re far less equipped to handle them.

We answer all of these questions and more with special guests Martin Lee from Cisco, Chad Skipper from VMware, and Luis Corrons from Avast.

Security Life Hack from John Hawes (AMTSO)!

Security opportunities for Managed Service Providers

Simon Edwards was joined on stage by Martin Lee from Cisco, VMware’s Chad Skipper and Luis Corrons from Avast. They gave a great mix of perspectives covering network virtualisation and endpoint security. Simon represented the security testing world.

The panel got together in London to help over 100 different MSPs identify new opportunities in the cybersecurity world. And we informally recorded the session. Now you can listen to the top grade advice our excellent guests imparted.

Please subscribe and join the discussions. Use one of the ‘Listen On’ links above to subscribe using your favourite podcast platform.

* It really was 2022. Ignore Simon’s claim in the intro that it was 2021!

Topics

  • Security poverty
  • Understanding threat intelligence
  • Adding value with security services
  • Complexity and context
  • Demonstrating value
  • Living off the land (hackers abusing your own software)
  • Phishing
  • Become an email security expert
  • Ransomware as a Service
  • Zero day attacks are up
  • The role of security testing
  • Cyber Essentials and ISO 27001
  • Can Microsoft and Apple solve security?

Sign up to our newsletter!

Other resources

Transcription

(Generated automatically)

Simon Edwards 0:01
Welcome to DE:CODED, providing in depth insight into cybersecurity. Do small businesses face the same cyber threats as large organizations. Are your security solutions 100% effective? And how do you pick a good one? Where are the opportunities for MSPs to add value and make more money? We answer all of these questions and more with special guests Martin Lee from Cisco, Chad Skipper from VMware, and Luis Corrons from Avast. Show notes, including any links mentioned in the show, are available at DecodedCyber.com.

In June 2022, we set up a panel of security experts to help and advise companies selling managed security services, managed service providers or MSPs need to choose a set of security solutions that they can use or possibly resell to their small business clients, known as SMBs. The clients face the same cyber threats as large organizations, but they’re far less equipped to handle them. Joining me onstage was Martin Lee from Cisco, VMware is Chad Skipper, and Luis corones. From Avast. We had a good mix of perspectives covering network virtualization and endpoint security. And I represented the security testing world. The panel got together in London to help over 100 Different MSPs identify new opportunities in the cybersecurity world. And we informally recorded the session and now you can listen to the top grade advice my excellent guests imparted.

That this is good afternoon, everyone. Thank you so much for coming to listen to us talk about security, and how we can make your life easier in lots of different ways.

So to begin with, we have a panel starting with Luis Corrons has come from Spain to date from security company have asked if they’d like worldleading antivirus software amongst other things and VPN, and things like that. We’ve got Chad Skipper, head technologists from VMware, his CV is so big, I can’t even begin to outline where he’s worked. Dell side at Cisco site, I can’t have any start listing. And then we’ve got Martin who works for the Threat Intelligence Department of Cisco itself. So if there are three gentlemen who know what side effects look like, these are the ones in the world that are able to talk about it publicly. And then there’s myself Simon Edwards, I’m basically a hacker. So I also thought that the first like, and the reason that I know is because I test the products that these guys sell the products that you guys often read, sell or provide support to. So I work in SE Labs, and we are like a third party dependency tester, VMware, Cisco will claim that they stop threats that the bad guys do we learn that bad guys behave. And then we test right habits. And we say to them, Well, yes, you succeeded. Or maybe you need to fix this. And we also publish your quarterly reports for SMBs for free. So if you want to learn how these products work without spending a penny, just go to se labs.uk. And you can get those reports. Anyway. So I’ll give you a quick overview of what we’re going to talk about. And then if you think we’re missing something really, really burning the important, stick your hand up, and we’ll add it to the agenda. So first of all, SMBs don’t have a lot of money, we will say that they have cybersecurity poverty. So we’re going to cover a bit of that. And we’re going to look at product expectations. Do you think that your antivirus or firewall will be 100%? Effective? Is that even possible? We’ll look at value ads, how can you reach sell services to to make selling these products or getting its products out worthwhile? And we’ll talk about how to pick a winner when you’re looking for the right product to sell, which is the best not only for you but for your customer. And we would say some prospective customer.

Find Finally we’ll talk about security testing. What is security testing? And who does it How does that work? So given that short list of things that we probably won’t have half the time we need to cover is there anything else you’re thinking about which these guys you know, everything about cybersecurity can tell us?

Excellent. So first of all, and let’s talk about SMBs first of all, so would you guys say that because they’re small and don’t have as much money as large enterprises that they are less vulnerable to attack less interesting to attackers Luis?

Luis Corrons 4:47
not at all. And you are only as small as your bigger customer is for example. And and right now with the amount of tax that happened to

Every day, I mean, I think most of the attackers don’t look at precisely, what is the size of these reasons. I just want to take to make money, right? So they indiscriminately attack me. I’m not assessing every organization. I mean, of course, there are targeted attacks, like they go for specifically for a specific organization. Right. But I mean, like, the try to go for the low hanging fruit. And that’s what the SMP sir.

Simon Edwards 5:29
Why? Why do you think Chad? Why do you think SMBs are low hanging fruit?

Chad Skipper 5:34
It goes back to what you just said, security, poverty, right. And the lack of expertise, especially when in the SMB, you’ve got a system administrator or network administrator on it, administrator, you got one guy wearing 17 hats, right? And so the challenge is, how do I how do I do those 17 hats in an effective manner. But let’s like take a look at the stats. From a ransomware perspective, 60% of SMBs that get ransomware are out of business within six months, because they just don’t have the the monetary that capabilities to pay that ransom. And so that is there is is a significant challenge around around the SMB from that perspective.

Simon Edwards 6:22
Do you agree with that?

Martin Lee 6:23
Yeah, I think, Well, every SMB is an expert in something, you know, you’re starting up an SMB, because you have an expertise, because you have a passion. And that is what your business should do.

Simon Edwards 6:35
It’s probably not antivirus

Martin Lee 6:37
it’s probably almost isn’t antivirus. Yet. There’s all sorts of other things that you need to do. If you’re running a business, you certainly wouldn’t try and do your, you know, your tax accounting yourself, you’d get in an accountant, you’re not going to write your contracts yourself, you’re going to bring in a lawyer to do that. And I think exactly the same thing with cybersecurity, you wouldn’t be expected, no one would expect you to be an expert in that. But it is still something that you need to do. And this really is the opportunities we’re here talking about the channel. Well, that’s right, you know, this is your opportunity to be that trusted expert to the SMB and bring it your expertise as supporting these small organizations in their cybersecurity, protecting them so that they keep operating and they don’t get they don’t become fodder for ransomware. This is great news. And actually, the best news is the security products that these guys make, and that I test, they’re not 100%. And they never can be. So without people like you providing the support and the added services, whatever you decide those might be, these guys have fish in a barrel essentially on that, yeah, they’re looking at the channel to be their trusted adviser. Right. And from that perspective, especially in the SMB, they’re, they’re overwhelmed with their daily business, the last thing that they’re really thinking about is securing their business against these advanced threats that are out there, right, they think, you know, if you have a singular product, that’s going to be, you know, the silver bullet in some cases, and there’s no silver bullet out there. And that’s where, you know, as a channel, you have the opportunity to come in and provide your services on top of, you know, the product in which you’re selling it from a security perspective. Yeah, know that. That’s why then on top of that, this is more business, they, they basically, most of times, they don’t know what they need, right? I mean, they know there is a risk and who is there to the time again, they cannot wait, okay, what kind of infrastructure you have, which which are the weakest points you have, what kind of protection you need in the different layers. So that sounds as education as something that could be done, is there anything else that these guys can help you with the threat landscape is in constant evolution, the bad guys don’t get any dumber, the bad guys are only learning from each attack. And as we’re expanding our use of technology, do all sorts of amazing things. There’s still the bad guys out there who are looking at ways of subverting it. And one of our problems, as we go back is actually understanding what is it that the bad guys are trying to do? And how are they going about it, and this is something which is continuously continuously changing. So we need to educate the customer to say, Look, these are the problems that are happening now. This is what’s affecting organizations such as such as you, you’re my customer, my trusted customer, I don’t want you to go under, because I like your money. I’d like your payment. So this is what you need to do in order to protect yourself. And by the way, it’s going to be slightly different next year, just because the bad guys are learning. Can these guys become threat intelligence experts or is this something that their partners in the channel can help them with? I think yes, you can be you know, there’s various

Different levels of threat intelligence, and simply knowing what the biggest threats are. And being able to explain that in a way that your customers can understand basically puts you on a good way up on the threat intelligence ladder. And if you can just do that you’re already doing a very, very good job, indeed.

Simon Edwards 10:23
And the other thoughts on how vendors can help MSPs and other resellers where they’re threatened to,

Chad Skipper 10:30
while there’s, from a vendor perspective, and and how we enable the channel lavar. The MSPs, those types of things, is this from the threat intelligence capabilities that we produce, that enables them to then add their value added risk value added value added services on top of that, because from a product perspective, we are, we are building a product to detect those events, threats, but there’s that the detection is just one thing, right? So from a service standpoint, the channel, what do you do once you detect this? Right? How are you going about mitigating that particular threat? How are you educating your customer on the potential changes that you need to make inside of your organization inside of the organization to mitigate that threat, it could be as simple as segmentation, firewall rule policies, it can be certain other capabilities that they need to deploy in order to detect those things. And so that’s where that’s where the channel is looking to us as vendors to help them fill those gaps. And then what they do is provide those services on top of

Simon Edwards 11:34
that, yeah, because as an SMB, we’d be thinking I don’t want to even know about any of this stuff. Can you give us just handleless? Just?

Chad Skipper 11:39
Yeah, it’s absolutely right. So basically, take the problem away from me, just tell me I’m safe and secure so that I can focus on the widgets that’s going to bring in the revenue.

Simon Edwards 11:49
Right. Okay. Well, I like Yeah,

Martin Lee 11:53
I think it’s all about managing complexity. You know, the threat and the threat landscape is incredibly, incredibly complex. So we were talking about this earlier about about the threats. And if you really want to get into the binary code of exactly what’s happening, you can, but it is incredibly, incredibly context, what complex, what organizations such as our own do is remove that complexity, you don’t need to know the details, you just need to know that this was bad. And we’ve blocked it. On top of that, there are other layers of complexity that you touched on, which is about well, what do I do now we’ve detected something, or we discovered, something’s got past the first level of of protection, what does that mean? How do I need to respond? And I think that’s a lot of the opportunity for the managed service providers is to understand that level of complexity, and then abstract that to the customer. So you just say, look, it’s okay. Don’t worry about it, this happened. We saw it, we solved it, we resolved it, we’ve taken action to resolve that because we’re linking all services together. So it’s not don’t just think about cybersecurity, in the absence of everything else. You’ve got identity management, you’ve got the provision, network provision, all of that, especially coming from Cisco, you know, everything should be should be tied together, so that you can look after that level of complexity. So you can just say to the end user, it’s sorted, it’s done. This happened, we resolved it, all you need to know is that it’s under control?

Simon Edwards 13:25
Well, that actually has we’re gonna come on to in a minute about how do you choose a product. In the old days, a security product might just block threats, and maybe not even reported much detail. But if you want to demonstrate some kind of return of investment, as we spoke about earlier public, if you’ve got products reporting back to you, and you can monthly, not daily, but monthly, go to your clients and say these things happened. This took down this big company that got ransomware handled, but we stopped it. Here’s your monthly report of what how we demonstrated the value. That has to be useful, isn’t it?

Chad Skipper 13:58
Absolutely. Because from a from a point, when I’m, when anybody consumes a service, they want to understand what the value of that service is. So the ability to have those quarterly monthly type of reviews showing when we stopped this attack chain, we detected these types of things and tell them if that wasn’t here, this is the outcome of what what happened.

Simon Edwards 14:20
So I only want to get that phone call with the middle of March and something’s gone wrong. Yeah, something’s gone wrong.

Luis Corrons 14:25
That’s what usually happens. That’s the

best way to solve the value because otherwise it’s like, okay,

the good way, usually, for most people, like if antivirus is working sci fi. Know that it is right.

Simon Edwards 14:39
But you still have to show that you’re doing something otherwise it’s a waste of money. Yeah, no,

Luis Corrons 14:42
I mean, the data there is no kind of alert or anything. Maybe something bad, right. And you the customer doesn’t know what’s happening. I mean, if you can add that value, like okay, look, this is what what has happened during this month during this quarter. Right? Yeah. We haven’t stopped these many attacks at these levels, we have identified where most of the attacks you’re receiving come from, etc, we can, you can even upsell some of the things, okay, we’re getting most of the tax from this way. So maybe we will add an extra layer

Simon Edwards 15:14
via a web filtering service, you can see because they’re always being attacked from the work,

Chad Skipper 15:18
there’s always a pull through service that you can add on, based upon the telemetry that you’re seeing, by the products that you have, that you’re managing within the customer environment, it might be look like you said, they were able to get the initial access, and what we’re seeing from that initial accesses, then pivoting inside of your network, we might want to start looking at all your traffic within the network east west, so that when we do see something, you know, get a breach because there’s no silver bullet, right? We at least have visibility into how they’re moving laterally within the organization, because here’s another stat for you. Right? It takes about 197 days before and the threat of that threat actor is detected inside of an environment on average, right when one has been breached, when one has found that they had been breached, right, they had been breached 197 days previously. So this is like having, you know, a crook. You know, a burglar that’s just living in your house for 197 days going room to room to room without even knowing because they go security products. Why was this happening? Well, it goes back to what we just said is the threat actors are advancing incredibly fast. That sometimes outpaces the technology. It really does. I mean, I’m we’re vendors up here, and we’re fighting it every single day on trying to understand, you know, the advancements of these threat actors, how they’re evading technology, and how they’re remaining resilient within organizations,

Simon Edwards 16:46
right. So in the old days, you’d have a firewall there anti virus and stop the threat coming in, or it wouldn’t. What we’re seeing now, well, we, I think we’d all agree, and I’ll double check that in a second. But threat actors, hackers, whatever you want to call them, they attack they get into the network, and often are able to move between systems, which is what we mean by lateral movement, trying to find the targets, I’m not going to necessarily want to ransomware Chad’s laptop, or whatever. Ransomware has surface, for example. So that’s what we talked about with East West, moving around inside the organization, just attack and say,

Luis Corrons 17:18
they are not getting done tomorrow. And as you see nowadays, however they do that most of the tools that you’re using are tools that you already have in your company. So it’s not that they are bringing malware a specific way. No, I mean, at some point, they can. But they use illegal tools, tools that you might even be using in development.

Chad Skipper 17:39
And that’s what we call living off the land. Yeah, living off the land, right. So things like PowerShell PowerShell, is used a lot from an IT administration perspective, it’s a very powerful aspect of managing your infrastructure. But it’s so powerful that if PowerShell is part of your environment, that threat actors is going to take advantage of that. And use PowerShell. To do to do very

Martin Lee 17:59
even easier, I’ll just politely asked you for your username and password. That’s right. And then I become you one of your users and I can do everything that your user can do. And basically, if I can get to your email server, I can then discover everything about your company, your suppliers, I can launch frauds against them, because I have the invoice numbers. Or yeah, I can just ransom hit your email server with ransomware. And bang, it’s gone. You

Chad Skipper 18:26
know what scary, we’re seeing the same thing. But in the financial institutions, they’re actually staying in so that they can gain information so that they can short the market.

Martin Lee 18:34
Actually, I’ve got a very good example of that. Where working in this industry, you have people coming to you. So a friend of a friend or a family member has had a problem. Almost certainly the root of this issue is an estate agent has been compromised, never like those guys. Yeah. And I have a, like a nephew of a friend of a friend who’s buying a house. And the solicitor emailed them and said, Okay, house purchase, it’s all done all good. wire the money to this account, and you’ll have the keys tomorrow. And so they wired the money got in touch with a solicitor who said what, no, that didn’t come from us. And almost certainly somewhere along the line, and my strong suspicion is the estate agent, someone’s got compromised. The attacker is waiting there for hundreds of days is picking up on the various transactions and using that to commit fraud. So this individual wired 200,000 pounds to a

Chad Skipper 19:33
criminal. That’s right. And then once it’s wired, it’s gone. You can’t do anything about it. Yeah, yeah, absolutely. And so that same scenario, in the global financials, and that’s what they’re concerned about, is once that threat actor gets in, how are they how are they staying in? How are they getting bed at the middle of the night, the market,

Simon Edwards 19:49
this this kind of conveyancing fraud and affects consumers. But we see exactly the same methods that attack in large organizations too. So I’ve worked with a manufacturer of physical Tables, and they had an email that said, pay this invoice, they were expecting the invoice it looked exactly as it should have looked, the format was correct. They paid it. And it went off to Africa, basically. And what had happened is their email had been compromised, and the attackers knew exactly what deals were being done. They knew the invoices expected for 150,000 euros, they issued it, and they just gave different bank details. Things are slightly different today. Because certainly in the UK, the bank sorted the account name has to more or less match what the bank adds. But three, four years ago, that wasn’t the case. And I suspect, if you can convince someone that’s a real invoice, you can convince them to wire money with money transferring type technologies, and no one cares, you just need that number. So yes, it’s a bad thing, isn’t it? And this is an opportunity for you guys, because the products cannot handle this all on their own. And email service security service, like Microsoft or Google didn’t stop that from happening. But someone monitoring the emails and noticing there’s a forwarding like, this is super easy consultant, right, you can go well monitor your email accounts on a regular basis. Did you know that every email that comes in is forwarded to this random Gmail account? You know, okay, well, we should stop that, then. It’s not actually rocket science, it much of hacking isn’t is it?

Martin Lee 21:16
The fifth thing at the scene of every crime, there are big, sticky fingerprints. But you have to look for them, you have to know what they’re what they look like. I mean, this is this is the bread and butter of our business, it’s knowing what those fingerprints look like, and being able to find them and spot them. There is always an area of doubt, in some cases, it’s very, very clear that this is something malicious, and you can just block it. In other cases, it’s clear that something is entirely legitimate. There’s always a gray area in between. And really the challenge in cybersecurity is understanding that gray area where something maybe looks a bit wrong, or you know, could be okay, could not be okay. But yeah, having that relationship with a client sometimes can be key, because if you are detecting something which is suspicious, you can reach out and double check, say, hey, you know, we looked at this, it looks a bit odd, or someone’s downloaded something really bizarre on their laptop at 3am. You know, from Eastern Europe, you sure about that. Or maybe

Simon Edwards 22:17
you make the argument that as your MSP were the only people on the network allowed to use PowerShell. And then the whole PowerShell thing goes down. And then the good guys can’t do anything, but they shouldn’t be. And the bad guys guys can’t do anything, either. So just by being present in their network, you can actually strengthen things. And there are products that you can sell them as well, which will do the same thing with policies and say, Well, maybe Chad is allowed to use PowerShell. Because specifically, we know he needs it and can use it. But Simon’s flipping idiot and shouldn’t have access to it at all. And then Simon safer,

Chad Skipper 22:48
you know, you made a point. It’s becoming easier. Let me let’s double down on that point. How many of you have heard of software as a service? Right? Did you know there’s ransomware as a service, I can actually go in three clicks get ransomware at my disposal to send it out across a campaign sit back on that platform and take 40% of the revenue. All I have to do is three clicks.

Simon Edwards 23:09
So and there’s no risk to you

Chad Skipper 23:12
know, there’s there it’s all over Tor and onion and all that other good stuff, right? But here’s, here’s the thing, when when, when a 14 year old and this is true, a 14 year old in mom’s basement is able to do massive malware campaigns campaigns with ransomware. And you know, he’s not necessarily an expert, but he was given the tools that allowed him to easily make some money in the underground.

Martin Lee 23:37
So we have a case in Oxford, one of the big ransomware games lapsus. One of the members is 16 year old, from Oxford, his parents have for as far as we know, no idea. And yeah, he made multimillion in Bitcoin from ransomware as a service a few years ago, we took out what was probably one of the largest ransomware gangs at the time. They were pulling in $50 million a year from ransomware alone. So it is think twice about it as a business. We will come down but there is a lot of opportunity out there for the bad guys. It’s a modern money to be made trillions.

Luis Corrons 24:16
Yeah. And it does not be does not rocket science, as you were saying earlier, like you look at the pipeline, Colonial Pipeline. It was just our credentials compromised, with no two factor authentication. And that was a that’s the way they got in.

Simon Edwards 24:33
Same with the Clinton act. When Hillary Clinton’s party was hacked. It was a phishing email, and even passed around and said, Is this for real and volunteered? Oh, no, that’s okay. The guy clicked it and that was

Martin Lee 24:45
the end. This is the bit this frustrates me enormously. We can stop these threats and in the right environment with the right support. I mean, currently we’re active in Ukraine supporting the Ukrainian or Authorities, and we are equal to the most sophisticated threat actors out there. If you divert the thought you devote your attention to it, you have the right tools, the right monitoring, we can stop it, and we do stop. The problem typically comes, yeah, things are either overlooked, or we think, oh, yeah, we don’t really do that. Who would attack me? You know, why? Why would they bother? Or the other big issue is sometimes we come across environments that have been forgotten about someone set up 10 years ago. And it’s just been chugging over without any security oversight. And those are the types of things that we get from of course, the other big thing are people people doing dumb stuff.

Chad Skipper 25:42
But and, and, and from a channel perspective, and the way that y’all can look at this from going going to market and helping your customers is it keep it simple as to there’s what we’re saying, there’s two major ways for that initial access into into customers are 33% of the time, they’re going to try to interact with your user, right email, phishing, those types of things, I’m going to click on this, enable a macro, and then in the game over, but 34% of the time, it’s a silent one where they’re not interacting with your user, they’re actually a targeting of vulnerability that has not been patched inside of your network, right? So think of MySQL, Apache Tomcat, these types of services within the SMB, that they’re that they’re exposing, out to the real world for the customers come in, it has a vulnerability. Now I can exploit that vulnerability that allows me to do like a remote execution, remote code execution. And now I’m in that way, right? So there’s multiple vectors that you as a channel can encourage and enable your customers to say, Okay, what is the most viable vector for you right now, and let’s focus on that vector, right, and move forward with solutions and technologies. Because you’re right, he can be stopped, right, we do have the technology to stop these things. And, and as we see this past year, 2021, was, was one of the highest zero day vulnerabilities that was recorded, right. And so from that perspective, you got to have those tools in place that are able to detect that previously unknown, never present before exploits or malware. And there are tools out there that can

Simon Edwards 27:10
absolutely do that. So I’m just thinking chat, like if if I was an MSP, and I’m looking for a security vendor to partner with, I’m just thinking myself, and you can correct me if I’m wrong, I’m thinking about three things, probably I’m thinking about the margin I can make. by reselling a product. I’m thinking about what services can I add to it? If it’s a very non functional product to one that doesn’t report much? Maybe there’s not much I can do. But the other thing I was thinking is, what’s the advantage to me of providing a really effective product? Why not just sell something that’s

Chad Skipper 27:42
rubbish, op X, op x op x, right? Okay. So what I mean by that is, if you have a fairly high efficient capabilities, and it’s been tested, and you know that it’s bringing high fidelity, you’re gonna bring in the, you’re gonna lower the overall op X and make more margins for you, because you’re really looking at that, that fine pane of glass that allows you to really understand what that threat actor is doing. If you have a product that’s forcing so many false positives upon you alerting upon everything that’s there, that’s going to overrun your operations, and it’s going to incur higher costs. And then your customers gonna be like, Well, what’s what’s going on? Why,

Simon Edwards 28:22
so if it’s too cautiousness detecting everything, it’s a threat, I’m dealing with an unhappy customer who’s dealing with false positives, so blocking word or something. And if instead of viruses through then you’re having to spend your time d infecting the imaging

Chad Skipper 28:35
system infecting it, right. So that’s why I mean, all of us believe in testing our products by third parties, such as yourself, because even in our organization, our QA teams, yeah, quality assurance, naturally, we test these things. And naturally, we’re looking at new ML and AI, and those things and trying to do other aspects. But having a third party come out of this and real world hackers that take those advanced persistent threats, the tools that are used by cyber criminals, and replicating those over the network to determine how we are detecting that brings confidence to you as a channel and to the customer saying, I want to deploy this and it’s got a high high fidelity, high efficacy, and that’s only going to help you with your overall margins, overall operating costs.

Simon Edwards 29:20
So I don’t know if you guys know much about security testing. It’s a bit of a niche part of the world. You have these vendors that sell products, and then people like me come out and say, You’re rubbish or you’re brilliant leads. It costs money to engage with someone like they Why do you guys bother risking a potentially bad award or not award?

Luis Corrons 29:42
Well, we believe in what we’re doing right and we want to protect our users. You help us in many ways. First, we can show the world how good we are. Or test if we are as good as we say. Right? And then you put our solutions to stress somehow. So a number of times testers can find out problems, it seems that there are easier solutions. And you can fix them, you don’t have to wait to your customers to find those problems. And so, so that hates a win win situation. If, if you don’t get an award, or you don’t get like good results, you know, you have an issue, there are a number of issues so you can work on it. And it’s not that you always need someone from the outside to see how well you’re doing compared to their competitors.

Simon Edwards 30:47
So these guys when they go out, and they look at different security products, is every security awards equal to every other testers? The same?

Luis Corrons 30:58
Not at all? I mean, there are many problems in this world. But one thing I mean, like if you look like last century, when antivirus were attacking, then the new viruses appear. And then antivirus word is added, like Part One signatures to block that

such fingerprint spaces. Yeah. And then, and nowadays,

things have changed a lot. But in like, there are a number of testers that are still doing testing if you recognize that pattern in a particular file, which is okay, but it doesn’t say

Martin Lee 31:37
it’s a bit out of date, what you’re saying, yeah,

Chad Skipper 31:39
99 is testing is no longer valid for, you know, the new millennium, the year that we’re in the 2020s. Because Don’t Don’t kid yourselves, threat actors are communicating, they have their own dev SEC ops, they’re using a lot of evasion techniques to specifically evade security products, right? Because the last thing they want to do is get caught. Right? And from that perspective, what what testing the advancements of testing organizations such as yourselves is no longer looking at past, past, you know, behavior to indicate future behavior of the product is about threat intelligence and our threat intelligence. And it’s about understanding your threat actor, and being able to duplicate what they’re doing in order for us to effectively detect these.

Simon Edwards 32:24
Guys, I think, given the five minute warning about three minutes ago, does anyone have any questions they would like to ask us, please?

A member of the audience at this point asked why there is no minimum security requirements for the companies that we will deal with such as the estate agent involved in the conveyancing fraud, which now I think that might be I think, GDPR. And also, there’s another, another law in the UK

should, should stop this kind of thing. So I think technically, there should be I think, if your estate agent was as big as BA, there could be a situation where you could sue for huge amounts of money. He then made the point, that GDPR might require a business to have something in place. And as an MSP, he could then make that requirement actually useful and provide genuine value. And yes, the site cyber Essentials program from the UK Government as a CEO, it’s like the minimum bar that everyone really, really should, should hit. And certainly you’re doing government procurement. I think now you need to have cyber essentials. But yeah, being? Well, I think they said and this is what we need to develop the problem. I think, for me, the problem is cybersecurity is so new, that this has only recently become a problem and it’s getting bigger and bigger and society is constantly playing catch up. But but you know that that area of meeting the minimum requirements of something such as cyber essentials, I think is I think is key. I think as purchasers, we should demand this from our suppliers. And we can then build on top of that and making things better. And the interesting thing with cyber essentials, which the idea that the UK Government came up with was if you get this badge will be more likely to do work with you never actually took off. No one goes well you haven’t got psychosexual, so I’m not going to work with you. But that’s like a mini version of ISO 27,001. But in neither case does it say which antivirus HDX. It says use antivirus. So Microsoft would say for you to be able to work properly windows, you’d have to have a badge from either me or one or two of the other testing organizations. But you wouldn’t say Well, I’m not working with this bank because they haven’t got Simon’s recommended antivirus. They’ve got ISO 27,001 Great. All ISO 27,001. And cyber central says is you have to have antivirus. Not that it’s got to be turned on. No that’s got to be configured in a certain way. Just the baseline is so low. It’s so low. That’s No wonder we’re in a depressing situation.

Another MSP noted that he and others are overwhelmed by the breadth and depth of cybersecurity. There needs to be protection for networks identities device CES communications. Are we moving to a point where one company can provide it all? That’s get a quick answer. Like yes. No, maybe from each of us.

Luis Corrons 35:10
None of the majority.

Chad Skipper 35:13
Yeah, they’re super still best of breed not, you know, it’s a best of breed type of thing, or, you know, a vast spread of things. VMware is on the hypervisor. So we’re focused in the virtual world Cisco’s, you know, it’s out there in the physical world, as well as some

Martin Lee 35:26
Yeah. So if you ask all our marketing people who say yes, you know, washing machine rollers, however, I get realistically, the real world, you know, we have to we were going to work with this heterogeneous environment. And really, a lot of our challenges is doing the plumbing. So we can get the different bits, the different solutions talking together. So you’re making things easy for the security operations team to actually have that situational awareness, understand what’s happening, understand where the problems are, and understanding where the weaknesses are. And I’ll finish by saying I don’t think you’d want there to be either if we get homogenous situation where it’s only Microsoft, or only Apple or whoever, providing all of the security solutions. As a bad guy, I’ve only got one platform to worry about. It’s much harder for me, if you’ve got this antivirus, that firewall and all these different cloud services tied in together. Thank you ever so much, ladies and gentlemen, that’s us.

Simon Edwards 36:25
And now, just before we finish its security life hack time. At the end of each episode, we give a special security tip that works for real people in the real world, for work and in personal lives. This episode’s life hacker is security testing veteran, fine wine connoisseur and Chief Operating Officer of the anti malware testing standards organization. John Hawes.

John Hawes 36:50
Hi, I’m John Hawes, and this is my security life hack. When I’m traveling, I’m in a place where I don’t necessarily trust the security of the doors and windows may have valuable things with me. I try to hide them in somewhere either very boring, or quite disgusting. So it could be the vegetable rack in the fridge. What looks like an old pink tin. A cool book Safe is a handy thing. If you just cut out the square in the middle of a book. You can hide things in there. But don’t use things like a drawer in the desk or sock drawer those the obvious places that people don’t look.

Simon Edwards 37:31
Please subscribe. And if you enjoyed this episode, please send a link to just one of your close colleagues. We also have a free email newsletter. Sign up on our website, where you’ll also find this episodes, show notes, and bonus episodes featuring full length interviews with our guests. Just visit DecodedCyber.com. And that’s it. Thank you for listening, and we hope to see you again soon.

Feedback

Please send your comments, questions and concerns to info@decodedcyber.com.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

info@selabs.uk

Press