
Prevention vs. Detection

What’s the difference between prevention and detection and why is it important? If you are relying on antivirus to protect your business, you are left vulnerable to cyber criminals.

Transcription

KINDSEY: It looks like it is right about 2:00. I can get us going while everybody else is joining in. Per usual, we do have the chat box and the Q&A box at the bottom of your Zoom screen, and we will be addressing any questions, comments, anything like that at the end of the webinar. Today we do have a special guest, and it is Richard Glenn with Perch Security. Richard, I’m going to stop sharing my screen and let you take over and share yours.

RICHARD: Yes ma’am. Hopefully you can see my screen.

KINDSEY: Yes, I can see it.

RICHARD: Success. And let me know when you’re ready for me to start.

KINDSEY: Yeah, I’m ready when you are.

RICHARD: Oh, okay. Thank you, everyone. My name is Richard Glenn. I am the Channel Account Manager for Perch Security. My responsibilities include the states of Alabama, Louisiana, Mississippi, Arkansas, Oklahoma, Texas, and New Mexico. I am the channel manager supporting all of our partners in those fine states.

Today I’d like to talk a little bit about Perch Security and prevention versus detection. Here at Perch Security, if you’re all not familiar, we provide SOC, SIEM, and IDS as a service. Our platform was created in 2014 by a gentleman by the name of Aaron Chernin. We just recently were sold to ConnectWise for $80 million along with StratoZen – two acquisitions that ConnectWise just recently made. So we will become part of the ConnectWise family, and also we will be able to enhance our product even to a greater degree with the inclusion of StratoZen, some additional AI functionality, and with Perch SOC and SIEM, which has been world class and has done a really wonderful job of providing security to the SMB marketplace, which was our focus.

Today in security, we tend to have an overreliance on prevention. Many people get confused: are you secure already, or do you need additional tools? Prevention – firewalls, antivirus, malware – blocks threats that have already been identified, so they know what they’re looking for. Detection, on the other hand, finds yet unknown threats that get past your preventative controls like your firewalls, your antivirus and your malware. Those tools can only stop those threats that have been identified. If it’s a new threat, they can’t stop it, and once it gets past, they’re pretty much useless to prevent any damage downstream.

In today’s environment, the best type of security is to have a layered security solution. The best way to compare a really good cybersecurity solution is to compare it with either your alarm system at your home or your office. In those cases you have preventative measures at the doors. You have locks, you have cameras, you have alarm systems, you have glass break sensors. You even have security cameras both exterior and, for some weird reason, interior. Always thought that was kind of weird, videoing the interior of my house. But you can certainly do that.

But more importantly, you have people at the alarm company that are monitoring all those tools, and if something happens at night or while you’re on vacation, they’re going to take evasive action on your behalf. They’re going to notify you, they’re going to notify the fire department, they’re going to notify the police, they’re going to go down their list and notify people so they can take the appropriate action to prevent any additional damage.

Unfortunately, in today’s security market, people tend to have that reliance on just preventative measures. As a business, they feel that if they have a firewall or antivirus, they’re protected. Unfortunately, that’s not the case. The bad guys get past preventative measures every day, all day long. That’s why we keep reading about the increase in cybersecurity crime. That’s also why they’ve become organized and they’ve become extremely dangerous. It’s no longer the days of a guy with a cigarette dangling out of his mouth in a basement in some Eastern European country with a lightbulb hanging over a PC.

These are organized crimes that do this service. You can simply go onto the Dark Web, identify the type of cybersecurity threat that you want to release, and you can hire somebody to do it on your behalf. All you’ll do is collect the residuals and pay a percentage. So they became organized, they became very good at what they do, and they’re very intelligent.

In today’s environment, you really need to continue to have that preventative measure, but you need to add Perch. With Perch, we will detect and respond to any threat that we see. We will review all the logs, all the devices within your network, and we’ll have human and AI intervention watching for any malicious behavior or anomalies within your network. We’re watching the north, south, east, west – what’s going on inside that firewall and what kind of traffic that is and what kind of threats exist.

Another unfortunate aspect of preventative measures is, how do you determine or how would you find somebody if they have gotten into your network, and how long will it take? Those are 2 very important questions that Perch solves for because, candidly, once they get past the firewall, once they get past the perimeter security, they’re the threat that’s most dangerous.

And in a lot of instances, especially sitting where we sit, your threat isn’t necessarily 100% from external. There’s a lot of threats we catch that are actually internal threats. One example was we were installed on a network for a large manufacturer, and within the first 8 minutes we identified that one of their system administrators had installed a bitcoin mining system in their server room. They had no idea. It’d been going on for 6 months. We identified it within the first 8 minutes. The employee was escorted off the premises by the end of the hour. That was a threat that was launched internally, but the company would’ve never known it.

One of the challenges that we have is the cyber detection gap. Once a compromise happens, a compromise happens in a fairly quick period of time. Exfiltration will happen in a very quick period of time, meaning not only are they in, but now they’re running up and down your network, they’re watching for payroll, they’re watching for large dollar amounts, transfers. They’re watching for information on email addresses for the CFO, the CEO – anything they can do to try to alter payment schedules.

Unfortunately, discovery has taken an enormous amount of time: over 390 minutes, and in some cases over 127 hours that span weeks and months. So as we’re trying to identify and trying to contain the threat, it’s already been running rampant for some time. That’s right now where we stand, and that’s what Perch addresses.

Our problem isn’t a lack of data, but the absence of the ability to quickly detect and respond to a threat. Again, how do we find something that’s inside our network that shouldn’t be, and how long is it going to take? If you don’t have an answer for that question, you’d better start planning for it.

I look at it like your children. I was very protective of my two daughters. I love them to death. I made sure they had everything they needed to succeed in my life. But somehow, some way, they managed to catch a cold or the flu. I couldn’t stop it. I couldn’t prevent it. But I could treat it. That’s really what we need to be looking at, not only in security, but also what happens if somebody gets through.

Most organizations tend to struggle with a SIEM, a security information event management. It’s a record of all the logs and all the activity from all your devices – your firewalls, your routers, your switches, your antivirus, your phone system, your refrigerators. They put refrigerators online now, so you’re going to need to know because that’s a very vulnerable piece of hardware. 9 times out of 10, the appliance manufacturers weren’t very creative with their passwords when they set them up – 123passwordxyz. Very common, and the bad guys know it.

But a SIEM is really not built for threat intelligence. A SIEM is built as a record of that threat. Finding value in a SIEM, the challenge with most organizations is, who runs it within your organization and maintains it? Who continually tunes it, and where are the analysts? I can tell you that to create a SIEM, it’s a $4 million minimum investment and it’s a $2 million annual cost at a very minimum. Most organizations can’t afford that, and they don’t want to even have that responsibility. They want to outsource it, and that’s certainly where Perch comes in.

We help with cost control, licensing models. And you’re not being punished for being a good security practitioner. You’re not having to spend a tremendous amount of capital dollars. Also, you’re very flexible. You can move in and out of the platform if you need, if requirements require you to do so. We don’t know what the future holds, but having the ability and the flexibility to take advantage of a SIEM and a SOC today, but also having the flexibility to move on in the future is certainly a lot more attractive than building something and then having it sit dormant after a couple of years.

Then also, what about the cloud? Everybody’s migrating to the cloud. Office365 and Google Apps have been exploding with popularity because of remote workers. Those 3 areas are very, very, very high level of vulnerability. You need to monitor what’s going on in all 3 of those areas. Here at Perch, we provide cloud visibility.

We have a standalone Office365 and Google offering, so if you just want to cover your remote workers, you want to start out protecting them and then work into your internal network when people start returning, you have a very, very inexpensive way of doing that with Perch, and it covers the entire solution and also includes file integrity management. So for SharePoint, if you want to make sure you’re locking it down because now everybody’s remote, you want to make sure that no one’s doing something malicious like downloading 30 or 40 or 50 files at once, downloading files from outside of the zip code, the area code – we do geofencing. You can basically dictate who can download what files, and where and only where they’re able to do so.

Maybe you have interns for the summer. Certainly going to want to make sure they’re very careful with the files they’re downloading, so maybe you just put Office365 SharePoint focus on those 3 users and let the platform go ahead and monitor the rest of the users in a normal fashion. You do have that flexibility with Perch.

Why did we start Perch in the first place? What we saw as a result of our experience in large banking was that the large banks and the large companies could afford security. They could afford threat intelligence. They could afford analysts. But the small- to medium-size businesses couldn’t. We needed a way to bring all of that threat intel, all of that protection down to the smaller size businesses, and that’s why we created Perch.

Perch is a multitenant platform. It was created specifically for the MSP market, and it’s priced based on a per-seat model, so hopefully it fits within the way current MSPs are pricing. We create and enable communities to protect themselves. We also ingest all of the ISAC feeds and threat intel from people like Cisco, Fortinet, several others, so that we’re using that threat intel in a very productive and positive way. If you have any experience with any of the ISACs, you know that that information can be overwhelming.

We actually will ingest the ISAC threat intel, whether it’s H-ISAC, FS-ISAC, utility ISAC – we will ingest those threat feeds and use that to hunt for threats within that specific subscriber’s network. So if you’re a bank, you subscribe to the F-ISAC, you’re overwhelmed with the amount of information – subscribe to Perch. We’ll ingest it, we’ll use it on your behalf to hunt for threats, and you’re certainly getting what you paid for.

We also wanted to allow full visibility and threat detection and response. Our SIEM is visible from both our MSP partners, but also the end users through read-only access. If you have end users and if there’s an incident, they’re going to want to have access to those SIEM logs as quickly as possible. With Perch, they already have them. You can extend user rights only, and they’ll have visibility into their own SIEM should they need that quickly.

The other thing about Perch is we focus less on marketing buzzwords and more on what matters. That’s really the focus of Perch. We’re cutting through a lot of the fat; we’re getting to what really is needed and required, and we’re delivering it to the small- to medium-size business.

Perch is a monitored detective control. It’s almost like a network detective. Our SOC is just like an alarm system. Our network sensors, which can either be virtual, which are free, or physical, which is a one-time fee, go behind the firewall on the inside of the network, and they’re going to ingest all the logs from all the devices as well as the security solutions like Webroot, like Cisco, like Meraki. We’re going to ingest all of those logs so you don’t have to, as well as the alarms so you don’t have to go into multiple platforms to identify or suppress alarms. Perch is going to adjust all of that.

We’re going to absorb the false positives; we’re going to absorb the network hygiene issues. We’re only going to forward those threats that have been identified as true threats through deep packet inspection. And we’re one of the few that do that.

The value prop to the MSP community is your techs are going to be more productive and more efficient because they’re not sorting through lines of code or logs or alarms. They’re going to be presented with the exact threat, what that threat is, where it came from, and the analyst’s phone number and name. That way, if you’re not familiar with that threat, if it’s something new, you can pick up the phone and call that SOC analyst. They’re not metered, so they’ll speak to you as long as you need. That way you can identify the threat, understand it, and remediate it as quickly as possible.

Then our threat intelligence platform is like your personal CIA. We’re looking for the bad guys so you don’t have to, and we’re doing it based on intelligence that we’re able to glean from a number of sources. Our elastic backend and SIEM are just like your CCTV cameras. We’re recording, we’re watching all the logs, we’re identifying those threats. And then our SOC analysts, along with machine learning, are your security robots that are protecting you. And then at the very end, our security tool integration for threat mitigation, that’s really how we’re going to help protect you.

The things that you can do with Perch, pretty cool. You get true security monitoring, 24/7, 365 for all sources of data. Our SOC analysts run nonstop. There’s a minimum of 12 onsite at any one time, and that grows depending on the number of clients. I actually think now there’s up to 14. All of our SOC analysts are located in the United States. They’re all U.S. citizens and they’re all badged Perch employees. For anybody that’s doing work with DoD, CMMC requirements, we meet those as far as having U.S.-based SOC, SIEM, and employees.

We solve for cloud-based threats like account takeovers, data leaks, access monitoring. We also help resolve regulatory requirements around log storage retention and review. Some medical organizations have to have their logs stored for 7 years. We certainly can do that. Also, with CMMC, there are some requirements you have to meet; we meet some of those as well. We don’t meet them all, but we meet the ones that we can address, and that certainly helps you identify where the gaps are to meet that specific requirement.

Now just a couple of examples before I close. One example is a small bank that we had as a client. 15 full-time employees and another 30-some contractors. Unfortunately, they had an email compromise. They were clicking on that free Pizza Hut pizza offer for lunch, so certainly they got compromised. The bad guys ended up watching their email platform and identifying who their cellular provider was.

They were able then to intercept and route the SMS messages from that cellular provider to them, and the bank itself, the only second factor of authentication they had was in fact SMS. So when somebody went in, they logged into their bank account, they had to go ahead and get an SMS approval. Once they did, they started forwarding transactions to their own bank account, and the next thing you know, after 3 different transfers, the bank was out almost $100,000. The threat to the business – it was a very, very quick theft, and it really threatened their ability to make payroll.

Fortunately, with the bank and the FBI, we helped to recover almost all of it, but a lot of lessons were learned by this organization. Truly, the small organizations are the most vulnerable, and from not only a cybersecurity but also from a going out of business perspective. This particular bank, again, was able to recover most of the money, but for about 4 hours it was a really, really rocky experience and no fun for anybody involved.

Lastly, a more common story, email compromise. Bad guys get in, they start forwarding emails to an alternative mailbox. While they’re in, they’re watching all the emails. They’re watching the flow. They’re watching for financial transactions and they’re watching for the frequency of those transactions. If it was a real estate office, they would try to alter the bank routing numbers so those transactions would go to them, not the actual bank.

Then they started impersonating the client to the client’s clients. So now their clients were getting emails from a third party thinking it was the original business they were doing business with. The bad guys were sending information about new bank routing numbers, and sure enough – fortunately, in this particular case, we caught it. We caught the traffic going north/south, and we also identified the IP address of the original threat. So we were able to alert the organization; they were able to take down the machine, isolate it, sanitize it, and obviously protect their business.

That’s really what Perch is about. Again, we are co-managed threat detection. We are on the inside of your network, watching north, south, east, and west, and identifying a threat after it’s gotten through your preventative controls, escalating that threat, and providing remediation help.

KINDSEY: Richard, that was absolutely great. Thank you so much.

RICHARD: It was my pleasure, and I certainly hope – if you guys have any questions, I’m certainly available.

KINDSEY: Yeah, throw them in the chat, guys, if you have any questions. Or in the Q&A box, that works as well. We’ll give them a few minutes to see if anybody does have any questions. It doesn’t look like it. Guys, next week we will be covering the history of hacking. Same time as usual. I will be sending an email out shortly for that. Richard, again, thank you so much for your time today.

RICHARD: It was my pleasure. Anything you guys need, just let me know.

KINDSEY: Yeah, of course. Thank you. Bye, guys.