This Week in Enterprise Tech 507 Transcript
Curt Franklin (00:00:00):
On This Week in Enterprise Tech, we talked about the CDC wrestling record control back in house and talked to Doug Howard CEO of Ponderance about M D R .TWiET on the set
Announcer (00:00:19):
Podcasts you love, from people you trust. This is TWiT
Curt Franklin (00:00:28):
This Week in Enterprise Tech episode 507 recorded August 19th, 2022. R U pondering MDR? ,
Louis Maresca (00:00:41):
This episode of This Week in Enterprise Tech is brought to you by to Hover whether a developer photographer or a small business Hover is something for you to expand your projects and get the visibility you want. Go to Hover.com/TWiT to get 10% off your first purchase of any domain extension for the entire first year. And by IRL original podcast from miss Zillow. IRL is a show for people who build AI and people who develop tech policies posted by Bridget Todd. This season of IRL looks at AI in real life. Search for IRL podcast player. And by Userway.org, Userway is the world's number one accessibility solution. And it's committed to enabling the fundamental human right of digital accessibility for everyone. When you're ready to make your site compliant, deciding which solution you use is an easy choice to make. So to use Userway.org/TWiT for 30% off Userway's AI powered accessibility solution,
Curt Franklin (00:01:39):
Welcome to twit your weekly home for everything that matters in the world of enterprise tech. I'm Kurt Franklin. You are a host for today and we have yet another great episode of TWT for you. I'm happy to be sitting in the host chair while Mr. Lou Marasca is off on assignment, but I can't be here by myself. Fortunately, I'm joined by my close friend and close neighbor, Mr. Brian Chee, Brian, how are things down on your end of the city? Beautiful.
Brian Chee (00:02:16):
You know, it's been great, you know, it's take you a little getting used to having a daily thunderstorm in the late afternoon and the city beautiful, which by the way, folks is Orlando. Um, but you know, not so bad, uh, because I don't have to pay the city or whoever for water. Um, but it just means I gotta mow the lawn more often, but you know, life is tough, but I'll tell you one of the cool things is I've been playing around with a bunch of, uh, tiny little cameras from Mon coast, spelled M O N K O S E. And I used one kind of like a document camera last night at the Makerspace, cuz I was teaching, uh, unshielded tri repair termination, and they're actually pretty spectacular little cameras and they come in H D M I and SDI version and they have a cement Mount lens.
Brian Chee (00:03:09):
So the one that I got was 105 bucks off Amazon, um, little bit less if you buy directly from them and it has a manual focus and manual zoom. So that's the 4k version. There's also a small square one. Um that's oh 10 80. And then those work great with the H EMI going into an eight, 10 mini. And uh, there you go. So those are actually really nice little cameras and for under a hundred bucks for the one that's on the screen, it's pretty cool. So if you're thinking about doing podcasting and so forth, there's two there's one from center cam. That's what you're looking at me on. Now it's a tiny, tiny little camera on a flexible goose stick that actually is sitting in the middle of my screen. So I can actually read things and still look like I'm looking at the audience. And then I have a couple of the Mon cameras, so I can flip back and forth, uh, documents or, um, small stuff. So just thought I'd share that cuz I know a lot of you folks are doing more and more podcasting and USB webcams are great, but sometimes you want just a little bit more,
Curt Franklin (00:04:26):
A little bit more is always a great thing. And, and speaking of that, I wasn't here last week. I was out at, uh, DEFCON and black hat. And one of the things that I picked up back there, you know, we've talked about challenge coins in the past. This isn't a challenge coin. It's more of a challenge poker chip. This is a poker chip from the us state department, uh, specifically from the rewards for justice program of the us state department. That's a program by which they are offering a reward of up to $10 million for evidence leading to the arrest and conviction of people from outside the us who try to illegally influence us elections, uh, that is typically in their mind done by hacking into our systems or otherwise illicitly using technology to, uh, well, try to pull some strings of power that they shouldn't have.
Curt Franklin (00:05:31):
It's fascinating getting poker chips from government agents, uh, when you haven't even had to sit down and play poker with them, we've got a lot more to talk about, but before we get deeply into our show and meet an outstanding guest, let's talk about some blips. Now, if you're sitting in front of a Mac keyboard, listen up an article on dark reading has detailed and expanded and enhanced malware campaign called operation intercept shamed max running on the M one chip at its courtesy of our old friends, north Korea's own Lazarus group. They're using some time tested techniques in the new operation and threat researchers at ISSET have announced that they discovered a Mac executable camouflaged as a job description for an engineering manager position at Coinbase, according to the researchers, Lazarus actors used Brazil as the launchpad for this new malware route of the attack file called interception dot DLL executes by loading three other files PDF document with the fake coin based job posting and two executables finder fonts update or.app and safari fonts agent.
Curt Franklin (00:06:49):
Oh, and in case you're feeling saved by your own procrastination. The software can still attack max using the older Intel processors as well as the new M one chips. So there's no joy in sitting around and waiting. Now interception, as we're told, been studied by E set for the last three years, originally a very tightly targeted program thrown against aerospace companies. It's now being used against a much broader range of potential victims. Those victims find themselves the proud owner of a brand new data logger and business email compromise engine as is often the case North Korea is after data and specifically data that might be used for ex full trading, critical infrastructure files, critical defense files and cryptocurrency. Fortunately all is not lost last week. Apple revoked the certificate that would enable the malware to execute after ESAT alerted the company of the campaign. So now if you're running computers with Mac S Catalina version ten one five or later, you're protected, uh, assuming you use at least basic cybersecurity awareness
Brian Chee (00:08:16):
While this one you may have never heard about <laugh> the court, the courts have ruled that the FCC is allowed to reassign the 5.9 gigahertz bandwidth killing a protocol called V two X something you probably never heard of. Well V two X is basically vehicle to anything and it's I call it the te technology. No one knew about vehicle to anything was supposed to allow for vehicles to communicate to roadways toll booths and other vehicles and was supposed to happen in the 5.9 gigahertz frequency range and then nothing. Well, the, our technical article goes on and says the frequency set aside happened back in 1999, with the hopes that it could be used to alert vehicles of dangers. And the plan was to use what's called DSRC dedicated short range, radio communications to actually power the system. Well it's 20 years later and your car still doesn't have a way to talk to DSRC and with no installed user base, the FCC finally decided to reallocate the 45 megahertz swath from 5.850 to 5.952 gigahertz and gave it to the folks in the wifi world.
Brian Chee (00:09:38):
Well, the intelligent transportation society of America and the American association of state highways and various other transportation officials have all tried to prevent this move. But according to the ARS, um, tech, the, our technical article, the legal challenge is over as of last week, it in a too little too late arena, Qualcomm did debut a CV, two X. So, you know, uh, chip said a couple years ago, but apparently automotive designers didn't move on it. So the science fiction world of cars talking to the highways will have to happen over some sort of other wireless technologies instead of a dedicated frequency band.
Curt Franklin (00:10:30):
So where should you spend your time? If you're on the security team, which bugs and exploits will come back to bite you now, there are a couple of ways to figure out just how bad a vulnerability really is. One is looking at the consequences of the, a exploit, how bad the damage could be if it's exploited. The other is to look at how easy the vulnerability is to exploit in the first place. Dark reading has reported that a team of university researchers has created a model for predicting which vulnerabilities will likely result in a functional exploit using machine learning, trained on data for more than two dozen sources. The expected exploitability metric can catch 60% of the vulnerabilities that will have functional exploits with a prediction accuracy of 86%. For those who aren't deep into this sort of thing, that's pretty darn good. One use of the model is to allow companies to focus their energies on patch, full patching vulnerabilities that can re realistically exploit it.
Curt Franklin (00:11:35):
Another is to allow cyber insurance companies to work with their customers, to realistically post risk numbers for systems that are slow to be patched. Many of the earlier attempts to figure out exploitability relied on human analysts to make the call, but the expected exploitability metric can be completely automated. The researchers used information on nearly a hundred, 3000 vulnerabilities then compared that with the 48,709 proofs of concept collected from three public repositories exploit DB bug track and vulner, that represented exploits for 21,849 of the distinct vulnerabilities. They then refined that information with the knowledge that proofs of concept often just trigger a, a reboot or a crash. They don't do any genuine harm and they can't reasonably be weaponized. So the final model aims for a realistic picture of a vulnerabilities danger to the organization, and particularly might provide a realistic Waypoint in the company's roadmap to effective both functionally and cost remediation.
Brian Chee (00:12:58):
All right, so this is yet another artist technical article, and some of you aren't gonna like it. I'm sorry, but I'm gonna try and stay with as much of the fact as possible and less opinion, but the CDC is going to be taking back the control of us hospital data after then president Trump sees the reporting of COVID statistics away from the CDC into a private company. Well, so this December, so this coming December, the us centers for disease control and prevention will finally regain control of the national COVID 19 hospital data, which the agency abruptly lost early in the pandemic to an inexperienced private company with ties to then president Donald Trump. My key takeaway from this, our technical article is that TeleTracking had the ties to the president Trump and had little or no experience in handling multi-level national multi-level national database containing vast quantities of health information.
Brian Chee (00:14:09):
The number of fingers being pointed in both directions is staggering, but the bottom line is that contract ends December 31st. And according to the, our technical article will not be renewed. And hospital data will again be reported directly to the CDC. While my comment is that I was briefed on reporting standards and procedures during some joint pandemic exercises over the years. And while cumbersome, the error checking procedures were more than appropriate. And the difficulties complained about by the Trump administration. Administrators are looking more like their unfamiliarity with modern data management systems. Oh, and by the way, the article also points out that TeleTracking was awarded the contract and renewals without a bidding process, which if I had done that as a contracting officer, I would've had some jail time.
Curt Franklin (00:15:06):
Well, that's it for the blips. We have bites and more coming up. But before we do it's time to hear from Lou who has a great sponsor of this weekend enterprise tech to tell us all about,
Louis Maresca (00:15:21):
Thank you guys, we'll get you back to your enterprise. And it news in just a moment. But before we do, we do have to thank a really great sponsor this weekend enterprise tech and that's Hover. That's time to make plans and let Hover help you achieve them. If you're a blogger, creating a portfolio, building an online store, or just wanna make a more memorable redirect to your LinkedIn page, Hover has the best domain names and email addresses just for you. Email at your domain name is key to connecting with customers and building trust for your brand. They have domain based emails for all of your needs, small or large. It's easy to set up. You can add as many mailboxes to your domain as you need. When your domain renews, your mailboxes will two. Now the prices are unbeatable. Their most popular mailbox is a no brainer solution for business owners get access from anywhere.
Louis Maresca (00:16:08):
Use your email app. You're already comfortable with if apps aren't your thing. Their web mail can be accessed anywhere. Personally. I really love Hovers. Ease of use. They have a huge collection of TLDs plus super easy to transfer. That's why it makes your life a lot easier. If you've already tried to transfer using some of the other guys, it's always a headache. Hover makes it easy. Hover. Isn't here to upsell you on stuff you don't need. They just wanna help. They have pro level tools. They have powerful domain and email management tools that are intuitive and easy to use. Whether you're a web pro or just getting started, plus private and secure with who is privacy protection included with your domain purchase, your private information will remain just that private. It's a great way to reduce spam and protect yourself from unwanted solicitations, Hover connect lets you pick the service you want to use to build and host your website.
Louis Maresca (00:16:58):
Connect helps you start using your domain name with just a couple clicks at Hover. You're a customer and not a source of data. Take back control of your data with reliable track. Free email. Hover is trusted by hundreds of thousands of customers who use their domain names and email to turn their ideas into a reality, whether you're a developer photographer or a small business Hover as something for you to expand your projects and get the visibility you want. Go to Hover.com/TWiTto get 10% off your first purchase of any domain extension for the entire first year. That's Hover.com/TWiTfor 10% off your domain extension for a full year. And we thank Hover for their support of this week and enterprise tech back to you guys.
Curt Franklin (00:17:46):
Thank you Lou. We appreciate it. We'll be hearing from Lou again later on in this episode. Well it's now time for the bites and for a topic that is getting a lot more attention and that is skills among the workforce. When you look at the cybersecurity workforce, one of the things that is obviously true and that no one argues with is that we have a dramatic and critical shortage in skilled cybersecurity professionals in 2021. According to the article that was just on the screen from dark reading, there were some 400,000 fewer trained cyber security professionals than were needed in the field few years ago when I talked to the folks at, uh, um, one of the major training organizations, ISC squared, they listed 400,000. The article, my mistake says 500,000 and a recent report from the white house uses the number 700,000. So whether you pick one of these numbers or another, they're all big numbers, there's a huge gap.
Curt Franklin (00:19:08):
And furthermore, we know because of studies like one done by plural site that even among the trained cybersecurity professionals already in the field, there is a skills gap. So the issue isn't merely bringing people into the field, it's keeping people in the field up to date with their skills and their knowledge. So how do you do that? Well, one answer would be just to fire everybody on a regular basis and hire new people that has some problems. Uh, we'll go with cost being a huge one. If you've never had to hire a, uh, professional it person and especially a professional cybersecurity person. Let me tell you it's an expensive undertaking because not only do you have to figure out what their salary's gonna be, but you're going to pay on average about 50% of that salary just to get them hired. Another option is to say, I'm not gonna hire people at all.
Curt Franklin (00:20:21):
I'm just going to bring in a partner like an MSSP, manage security service provider and let them handle it all. I wash my hands of skills and training. There are problems with that. A third option is to train your own workforce. In other words, provide the training to keep your currently employed cybersecurity professionals up to date on their skills, and perhaps even provide training for people who are not yet members of your cyber security team. So what do you have to do if you want to train these professionals? It's good for me that we're doing this. I'm in the middle of some research on all this. Some of the critical things are provide the right resources. In other words, if you're going to train people, you have to provide them with training materials. That can be a course. It can be online classes. It can be, uh, old fashioned paper materials.
Curt Franklin (00:21:26):
There are all kinds of ways to do it, but you can provide them with materials and methodologies that meet their needs. Next is provide continuous learning opportunities. This idea of continuous learning is one that we're seeing more and more in all aspects of it. The critical fact here is that training is not a one time thing. No, we, we grew up thinking that once we were out of high school or perhaps once we were out of university, that our training was over, we were then ready to go out and be grownups and be professionals never to be trained. Again. We now know that the fact that our markets and our technologies move so rapidly mean that training is a constant thing. We must make training opportunities available constantly. And finally, we have to have a culture in which learning is appreciated. You know, if we have a culture where every time someone takes an hour, half a day, a day to up their skills, they're hit by managers asking them why they were slacking off their real job. You're not going to get an improvement in skills. So there are lots of ways to make up for the lack of skills, but perhaps the most important thing to do is make sure that your company's gap is as small as possible because you're always training. Now, Brian, I know that you have been part of education for much of your career. You know, what do you think about this idea of continuous?
Brian Chee (00:23:29):
You know, I've actually seen a couple of attitudes. I've had some good, I've had some bad, I've had, I've worked for organizations where if you wanted to up skill, um, there's a good chance. They're going to say, well, that obviously means you wanna move jobs and oh, by the way, here's the door. Um, and actually some very, very large corporations still have this attitude. Um, and interesting enough, sadly, quite a few military commands still have this attitude. It all depends on who's in the power seat. So if you wanna try and save money, cuz that's really what it comes down to hiring new people is expensive training people to be able to handle a little bit more and then rewarding them for the initiative to upskill is by far cheaper than having to hire new. Um, obviously we're gonna be talking to a guest about a middle ground.
Brian Chee (00:24:31):
Uh, I like, I like the model where you upskill some and you outsource some and strike some sort of balance. There needs to be a reward system sticks, don't work. I've tr you know, we've, I've been forced to use the stick methodology in couple of organizations, carrots work so much better. You know, just look at this. Um, one of my favorite examples of acknowledging the talent that you have is when Frito lay corporation ran a contest within their, um, employees on suggesting new flavors for their potato chips and a custodian. The guy that mopped the floor at night came up with their best selling flavor called Cheetos Flaman. He's now management. That's a beautiful example of promoting from within and recognizing that everyone has talent, if you give him a chance. So that's one of the things I like, you know, saying, you know, we, we have some good stuff and as far as resources, um, I'm going to actually plug one of our sponsors.
Brian Chee (00:25:49):
It's, um, ITPro TV. I've actually used that to upskill myself on certain things and the system's great. Um, their education material has been spectacular and the reporting features are kind of neat, cuz it'll actually give you reporting on who's going through the material, how long they took on it and things like that, so that you can go and customize the resources for your employees. It's a good way of doing things. You know, Kurt, I think we ought to talk a little bit about the balance. You know, we need people, but we aren't always gonna have enough maybe outsourcing, uh, and balancing that with upskilling is a better answer if you, you know, wanna talk about that. Well, I think that
Curt Franklin (00:26:38):
It can be, and I think the, the key for organizations is recognizing the best use case for each one. I think for most general cybersecurity or it in general, that having well trained employees is critical because your own employees have the greatest to understand the business use and the business case. And we all know that integrating cybersecurity within the business is critical for success. With that said, there are always going to be cases where there is one thing there's a specific threat. There's a specific need where you have to go to an outside provider as the most cost effective and most time effective way to solve the problem. And for many organizations we're seeing now they're looking at how their security is put together and saying, what I really need is basically a layer of interface, employees, people who understand cyber security and understand my business, who can then be critical in managing the relationship with outside service providers, uh, that can work too.
Curt Franklin (00:28:04):
You know, the, it all comes down to exactly how you want to define things that are critical to your business and how you want to invest your company's money, whether you follow the, um, the model of, we invest only in our primary lines of business, basically those things that bring us revenue and services, our customers, or whether you take the view that you want to do things that support those big functions, a valid bus business case can be made for either. And the important thing is if you do go with a partner, make sure that it's a partner who you trust, make sure that it's a partner who is able to do the job and make sure that you are, uh, managing that partner internally with people who understand how the security meets the needs of the business. Brian, do you have anything to add to that before we move along to our next section?
Brian Chee (00:29:14):
No, I'm just giggling at all the comments in the chat room about flaming Cheetos. I knew they were gonna have fun with this. I just think it's one of the most examples on using your internal talent, cuz the people inside your company know your product line or your service better than someone from the outside. You know, I'm not saying it's bad, I'm just saying one of the things, things that I experienced with the federal government is we weren't allowed to hire, you know, human resource is very expensive and what we also had a really tough time keeping talent, uh, especially when you start dealing with military because they, the military will rotate out. So I'm constantly spending fun training. So I had to balance using contractors and internal and for me it worked pretty well. Um, I don't recommend it for everyone, you know, but having the ability to ha draw upon a pool of training material, um, was actually really good.
Brian Chee (00:30:27):
And being able to upskill my workers meant I didn't lose all that internal knowledge, which was really great. So it's the answer. Isn't going to be a straight black or white. There's gonna be a lot of introspection. Take a good, hard look at what your people do or don't do. But the big recommendations from this article was providing the right resources, create the continuous learning opportunities for your people. And I strongly support using carrots rather than sticks and actually go and work on creating a culture of learning. So lots of good, um, suggestions in this article and good luck, everybody
Curt Franklin (00:31:17):
Sounds good. Well, that's going to do it for our one and only bite it's time to move on to our guest to oddly enough is in a company that meets one of the things we talked about, managed detection and response. We're gonna talk about what that is, uh, who our guest is and much more right after Lou Moresca tells us about another fabulous this week in enterprise tech sponsor.
Louis Maresca (00:31:53):
Well thank you guys. I will get you back to your enterprise and it news in just a moment. But before we do, we do have to thank another great sponsor of this week in enterprise tech. And that's IL an original podcast from Mozilla. IL is a show for people who build AI and people who develop tech policies hosted by Bridget Todd. This season of IRL looks at AI in real life, who can AI help, who can at harm? The show features fascinating conversations with people who are working to build more trustworthy AI. For example, there's an episode about how our world is mapped with AI. That's right. The data that's missing from those maps tells as much of a story as the maps themselves. You'll hear all about the people who are working to fill in those gaps and take control of the data. There's also another episode about gig workers who depend on apps for their livelihood.
Louis Maresca (00:32:43):
It looks at how they're pushing back against algorithms that control how much they get paid and seeking new ways to gain power over data, to create better working conditions for political junkies. There are episodes about the role that AI plays when it comes to the spread of misinformation and hate speech around elections, huge concern for democracies around the world. Now I really like the season four episode one checking out online shopping. They talk about the hidden costs of shopping online and offline. What you're actually giving up. In fact, meta brown, a data scientist from Amazon's on the show and talks about what happens when you make an online purchase just may shock you super compelling episode. Definitely check it out. Search for IL and your podcast player will also include a link in the show notes. My thanks to IL for their support of this week and enterprise tech back to you guys.
Curt Franklin (00:33:34):
Thanks Lou. We appreciate that. We'll hear from you at least one more time before this episode's over. Well, it's now time for our guest, which if you ask the host is always the best part of this week in enterprise tech. And this week, our guest is Doug Howard CEO of ponderance. Now ponderance is an MD R company that's managed detection and response. We're gonna get into what that is and why it matters in a moment. But Doug, welcome to this weekend enterprise tech.
Doug Howard (00:34:10):
Thanks Curtis. Thanks for having me.
Curt Franklin (00:34:13):
It is a great pleasure. Now, one of the things that our re uh, listeners and viewers always love is to hear how our guests got to be where they are the origin story, if you will. So can you walk us through the path that you took from your humble beginnings to the CEO's chair at ponderance?
Doug Howard (00:34:38):
Yeah, so, um, I'll try to make this as short as possible, but the long story is I, you know, enjoyed tech, like a lot of people in the industry wanted to do something, lived in a really small town, um, literally 1100 people and, um, didn't didn't really have a path. Um, you know, I could obviously go the educational route, go to college and then kind of work from there. Um, but a few of my friends had gone in the military. So I followed that track, went in the us air force, worked at the Pentagon Cheyne mountain, Israel, a few other, uh, stations and ultimately, uh, took that skill, um, which really pointed me towards cyber and then specifically into it security, which was still relatively early, uh, at the time and was able to turn that into a career, you know, call it a bit of an accidental path. Wasn't intentional from the very beginning. Uh, but you know, followed the passion, followed the track that, uh, allowed, uh, for me to, to be able to take that passion and ultimately, uh, make a, a complete career around it. And, uh, you know, timing is everything. And so obviously combination of cyber and, and the threats in the world, uh, continued to grow, um, leveraged that in the military and then ultimately in the commercial world.
Curt Franklin (00:35:57):
Very good. Well, we're happy to see you here now. Ponderance is an MDR company, managed detection and response. Can you briefly tell us what managed detection and response is? What, what does that three letter acronym really mean?
Doug Howard (00:36:18):
Yeah, you mentioned, uh, earlier MSSP managed security, uh, service provider and what has evolved. And, you know, some of this is analyst driving the dis distinction between different classes of, uh, service providers in the security space is originally MSPs were oriented around primarily logs. And so, uh, ability to collect logs, be able to do some analysis, uh, and there wasn't a lot of what I'll call, uh, deterministic confirmation that, um, something that you provided to the customer as a service provider was ultimately something that was critical and that they had to take action on. And so over time, what has originated from that is, Hey, look, you need to have multiple sources of, um, of view into the customer's environment to provide a good and correct, um, analysis of what is happening in the customer environment. So not just firewall logs, not just server logs, uh, but more elements around what is happening on the server.
Doug Howard (00:37:22):
More elements of what's happening outside of the customer environment, more, uh, elements of what is, um, um, contextual in the customer environment. So what systems are important, ultimately, what vulnerabilities exist in those areas and so forth and pull that together in a much more, um, concerted effort that allows you to tell customers what threats they really should look at at that particular time, not just a lot of it noise within the customer's environment. And so that has led to a combination of network visibility, endpoint, visibility, the current log structures that you referred to earlier on kind of the legacy MSSP space and the ability to actually respond. So not only have the service providers in the space, such as ourselves able to give you more concise, more precise information about what you need to do, but we can actually respond on the customer's behalf through the technology capabilities that we have access to and the customer print. So let's not just wake up the customer at 2:00 AM in the morning and say, Hey, you need to do these things rather, let's do those for them. And ultimately that way, when they come in and do their normal job, they don't have, uh, to, you know, deal with the fact that they were woken up multiple times over a, you know, a 2:00 AM event that easily could have been blocked at a firewall or at the EDR, uh, being the endpoint itself.
Curt Franklin (00:38:48):
All right. I, you mentioned your customers a couple of times. We're gonna talk about those customers in just a minute, but before we do, one of the questions that I often have is when you engage with customers, do you see yourself being part of their security solution or their security solution?
Doug Howard (00:39:11):
Yeah. That's the, uh, contextual awareness that, that you really need to understand. And so ultimately at the end of the day, the customer has to own the responsibility of their security program that said, you know, the smaller, the customer, the less likely they are sophisticated enough to be able to have the personnel on the, the team to be able to actually provide what I'll call, you know, continuous value in that scenario. And so, as we, you know, if you look at our customer base, you know, um, 80% are customers that don't have CSOs 80% are customers that have, you know, developing it, uh, security programs. Whereas the 20, 30% of those clients ultimately are more sophisticated, larger, have a CSO on staff, uh, have a security team on staff and we augment their capabilities. So the objective of me, any MDR player is ultimately understand what the customer's objectives are from a security perspective, understand their it environment, understand what their crown jewels are from an it asset value perspective, from a data perspective, what are their regulatory risk?
Doug Howard (00:40:23):
What are their revenue risk, their mission risk. And ultimately, are there any elements that are, uh, connected into a environment that could provide human health impact as well? So, you know, death because you're connected to a healthcare device that could impact the human life obviously would be one of those most critical things, autonomous vehicles, those types of things. So there's a spectrum. So you want to get to a, a point in a relationship with a client that they're making the strategic decisions on what they need as a business. And ultimately as they continue to mature, make some more technology decisions, um, and start running some of those programs, especially from a regulatory perspective, but in, in the reality of the world, you know, most customers do not have the security expertise to do a lot of that. And so our objective is to be able to provide that advisory at every touchpoint, uh, for those smaller clients, and then be able to support those larger clients.
Curt Franklin (00:41:29):
Uh, I like the sound of that because I'll be honest. I come from families that own their own business. I, I have lived in the world of small business for a fair chunk of my life, but here's a question for you. Now, you're talking about organizations that don't have a dedicated security staff. And to be honest, that's how I have defined SMB in the security context for a long time. The company did wasn't big enough to have a dedicated security staff or even a dedicated security person, but was instilled doing security as part of general. It, then it was a small business, right. But from an organizational size standpoint, how small is too small. I mean, it, I have talked to companies who defined, you know, a small business from their perspective was any company that was turning over less than 50 million a year. Uh, you know, how do, how do you define the small business that is still an organization that you can work with?
Doug Howard (00:42:42):
Yeah, so, um, we have segmentation based on industry segmentation based on the client size number of people, revenue and various other things that we look at that said, uh, we also have a, um, a growing number of clients that are extremely small. So I will call them startups of the truest nature, five, 10 PE employees. Uh, we have, uh, franchises that sometimes are only a couple people. You have financial services that, you know, maybe are on the brokerage side and there's new SCC regulations that are coming out, uh, on all of these areas that ultimately drive every organization to have a level of security. Now used to the industry would say, you want to be able to provide a fortune 500 level of security to a smaller client. And I think sometimes clients would get confused. That what that means is that you're having to have all the sophistication in your infrastructure, all the sophistication, uh, from a people perspective, to be able to provide that level of security.
Doug Howard (00:43:44):
And, and the reality is the smaller number of clients that probably don't even have firewalls don't even have much of an it infrastructure, especially post COVID, where they're working from home. Uh, those environments are gonna be oriented around two aspects, obviously the endpoint, the PC that they're working on, and maybe some SAS services that they acquire such as office 365 Salesforce, those types of applications. And in those environments, it can be extremely cost effective even for a MDR provider to provide those. So, you know, you are thinking of, you know, sub thousand dollars a year to provide, uh, uh, what I'll call a high level of security appropriate for that size, uh, organization versus maybe tens or hundreds of thousands of dollars for a much larger organization that have full suites of security products, because don't think don't forget that a PC with EDR has a level of security that probably wouldn't have existed five years ago. Um, that is now standalone independent from having a firewall it infrastructure, you know, all of those things. Um, so you know, an integrated approach that really protects a desktop of a small organization was called it, you know, no office and five or six people, um, is absolutely attainable, um, with a outsource service provider and the underlying EDR type of technologies that really protect that endpoint as well as take sources, uh, from those SaaS applications that are hosted that support them.
Curt Franklin (00:45:20):
Doug Howard CEO of pond runs is talking with us about MDR and we're getting some great answers and some intriguing possibilities for who the customers can be. But before I can be joined by my co-host Brian ch to ask some more questions, we need to hear one more time from Mr. Lou. Moresca about another fabulous this week in enterprise tech sponsor.
Louis Maresca (00:45:47):
Thank you guys. I'll get you back to your enterprise at it news in just a moment, but before we do, we do have to thank another great sponsor of the suite enterprise tech and that's user way.org. Now for every website, without exception, it needs to be accessible. User way is incredible. AI powered solution tirelessly enforce the hundreds of w CAG guidelines that are out there. A matter of seconds, user way, AI can achieve more. The one, an entire team of developers can do in months. At first, it may seem overwhelming to make your website accessible, but user way solutions make it simple, easy, and even cost effective. You can even use their free scanning tool to see if your website is actually ADA compliant as well. Now, if you're an enterprise level website with thousands of webpages out there user way offers a managed solution where their team can handle everything for you.
Louis Maresca (00:46:37):
User Ray's AI and the machine learning solution powers accessibility for over a million websites, trusted by Coca-Cola Disney, eBay, FedEx, and many more leading brands out there. Now, user Ray's making its best in class enterprise level accessibility tools available to small and medium size businesses as well. You can get started today for as little as $49 a month on user ways, monthly plan, your company can be ADA compliant, reach more customers and even build loyalty. And remember, you'll get 30% off. There are a billion people in the world with disabilities. That's roughly 13% of the population that you don't wanna lose is potential customers because you're not compliant. Think about it, but not being compliant. Fines and revenue loss will cost you so much more user way is the leading accessibility solution in the market today with a market show 61%, the biggest in the world for years user way has been on the cutting edge, creating innovative accessibility technologies that push the envelope of what's possible with AI machine learning and computer vision user way, AI automatically fixes violations at the code level.
Louis Maresca (00:47:44):
And here are some of the things they can actually do. It can auto generate image olds. It writes image descriptions for you. Remediates complex nav menus and ensures that all popups are accessible. It fix vague link violations and any broken links that are out there ensures your website makes use of accessible colors while remaining true to your brand and use your way gives you a detail report of all the violations that were fixed on your website user way is platform agnostic and integrates seamlessly with WordPress Shopify, WIC site, core SharePoint, and many more let user way help your business meet its compliance goals and improve the experience for your users. The voice of Siri, Susan Bennett has a message about user way.
Speaker 6 (00:48:29):
Hi, I'm Susan Bennett, the original voice of Siri. You won't hear me say something like this too often. I'm sorry. I don't understand what you're looking for, but every day, that's what the internet is like for millions of people with disabilities user way fixes all of that with just one line of code
Louis Maresca (00:48:50):
User way can make any website accessible, ADA compliant with user way. Everyone who visits your site can browse seamlessly and customize it to fit their needs. It's also a perfect way to showcase your brand's commitment to millions of people with disabilities, go to user way.org/twit and get 30% off user ways. AI powered accessibility solution book, Aho call and get their accessibility guide user way, making the internet accessible for everyone. Visit user way.org/TWiTtoday. And we thank user way for their support of this week in enterprise tech back to you guys.
Curt Franklin (00:49:30):
Thanks Lou. We appreciate it. And I think it's time for me to stop talking quite so much, Brian. I know that you have worked with companies large and small and have dealt with security issues across the board. And I know you've got some great things to talk to our guests about.
Brian Chee (00:49:48):
Well, actually one of my big questions is some of the material your PR people sent me is alluding to a Forester consulting survey that you guys did about, um, your customer base. Let's talk about that, that, you know, there's a lot of variation when you can say customer base from mom and pop stores up to, you know, large corporation like Disney, um, what's appropriate for your services.
Doug Howard (00:50:21):
Yeah. So, um, you know, I, I think user experience, and when I say user experience, you can break that down into a, a two primary areas. First would be the user that is using the it infrastructure. They want transparency, right? Like they don't want to know about security. They don't wanna see a lot of popups. They don't wanna see interruptions. They don't wanna see friction. And that happens whether you're the smallest, um, you know, company in the world or if you're the largest company in the world. And so that's consistent. The second component of that is if you think about a, uh, large enterprise, they have people that are dealing with sophisticated, uh, elements of it, security. They're used to these very complex interfaces, uh, that they have to maneuver around. And with every time they buy a new security product, what we found is by focusing, um, on the smaller enterprise, they want ease of use.
Doug Howard (00:51:15):
They want ultimately the decision making of underlying pieces of technology, underlying elements of that stack to be not something they can, they have to think about on a regular basis and nor candidly do they want to often be involved in that decision making. Now, funny enough, you know, I've done this for now, you know, almost 30 years, primarily around the MSSP MDR space is all those benefits that you bring to the small business of ease of use, and ultimately, uh, making it as transparent as possible. But again, ease of, um, utilizing and applying security to their existing. It fabric is actually enjoyed by those largest clients as well. So if you can make a smaller enterprise happy and you can scale and do all the complexity of, for our large enterprise at the end of the day, being able to provide that transparency to the users, the lack of friction, and ultimately that transparency of transparency of technology in a way that they don't have to worry about it, but they get all the features and functionalities is a winning combination there.
Doug Howard (00:52:23):
So that's why we have a spectrum of small businesses as well as large businesses. And if you think about affordability 24 by seven, most enterprises that are smaller. Uh, so we talked about obviously the, the one to 10 person shop, but even with hundreds or even sometimes thousands of clients, they're not gonna go out and staff a two and a half million dollar, um, SOC operations around 24 by seven one, everything you guys said about training personnel, attracting personnel, those are hard for every company, no matter how big they are and the smaller they get, obviously the more critical single, uh, threads of individuals, uh, become
Brian Chee (00:53:08):
Cool. Well, let's go and ask a slightly different question about the market and how it's changed over the last couple years, or even just changed during the pandemic. Um, a lot of things that, you know, move towards SaaS, you know, software as a service, and obviously folks like Salesforce have been a big driving force in that, but has that changed the MDR world? Um, has your market changed? Is it pushing further and further down into small and smaller companies because you don't need a data center anymore. You can actually run a fairly major operation with everything in the cloud. How has that changed the MDR world?
Doug Howard (00:53:52):
Yeah, so it is a great question because there has been a significant number of changes. Uh, so first of all, a lot of new businesses that have been started over the let's call it the last three years, especially during COVID are, um, what I'll say, you know, start in the digital world, uh, where cloud is their primary delivery mechanism. So they're not going out and building data centers, they're not building, you know, racks and racks of their own compute power in a particular, uh, data center environment they're using cloud. And then more and more, especially during the COVID time, all of those people that were even moving into cloud have moved to SAS applications that ultimately deliver the same value of having maybe multiple people in it, you know, manage a mail server, manage, um, SharePoint, manage all of those environmental things that sometimes were set up in the cloud.
Doug Howard (00:54:48):
Now they're completely outsourced all together at the same time, existing businesses have accelerated for remote usage and clearly cloud. And clearly those SaaS applications have driven the adoption of many of those early cloud offerings of SaaS applic. As you mentioned, Salesforce office 365, Google cloud, all of those offerings now have been accelerated not only by small businesses, starting in the cloud, born in the cloud as we refer to 'em, but also those larger and mid-sized businesses have pushed more and more applications off of their own environments off of the cloud into SaaS applications provided by a lot of these software vendors and now application cloud vendors. And that, and let me finish that to ultimately what that means from a ND MDR player is we need to support those native services. So if you were only looking at the cloud, if you were only looking obviously at the customer PRM, their PC, those types of applications, you would ha you would be blind to what is happening, um, at those SaaS applications. And so more and more MDR players, not only support, as I mentioned before, network logs endpoint, but also all those cloud applications that ultimately generate their own activity, logs, their own security logs that we have to integrate into that bigger picture, um, across the, the spectrum of, uh, security, risk and compliance.
Brian Chee (00:56:23):
Cool. Thanks for a slightly long, uh, great detailed answer, cuz I was actually doing a fast lookup. I can't, I couldn't remember if Salesforce was a sponsor or not. Uh, they used to be anyway, um, for our viewers, what kinds of homework should they do before they call you? You know?
Doug Howard (00:56:45):
Yeah. So our ability to support a client is, um, about understanding the context of that client and context can go across multiple spectrums. So what is your it environment supporting that pro that would ultimately be at risk of impacting your revenues? What impact would that have to regulatory compliant? What risk does it provide to human life? If you're medical or have, um, autonomous vehicles or anything that might impact human life. Um, and then ultimately, you know, are there mission impacts? You know, if you're a nonprofit, if you're government, um, that don't always fit into kind of that revenue, uh, bucket as well. And so the more we can understand about what criticalities exist within your it environment, what the dependencies are, what the impact are, the better we would understand, and then also think about, you know, what is it and how is it that you best interact with a service provider as well?
Doug Howard (00:57:46):
So, you know, we're gonna ask questions about, you know, Hey, we saw this bad thing. We're gonna stop it in the middle of the night at 2:00 AM. Like I used this example earlier, do you want us to wake you up? Anyhow? And in that particular case, understanding kind of the risk tolerance of an organization, what technology stack they have in place and what that ENT, uh, contextual, uh, impact would be, or are critical elements here. I I'll be honest with you. I wish every customer could come to the table thinking about that. Uh, but very often they basically come and say, Hey, we have a regulatory problem, or we have this threat that we're really worried about, help us, how can you help us? And, and we're well equipped to be able to do that as well through guiding them through a few quick questions, to help understand exactly where their risks are,
Brian Chee (00:58:36):
Mention it really quickly regulatory issues, um, is your company, is your, are your people prepared to deal with, um, GDPR, HIPAA, um, FERPA and so forth?
Doug Howard (00:58:50):
Yeah, so, uh, not only are we prepared to have those conversations with clients understand exactly where those risks are, what the requirements are relative to those regulatory requirements to take it one step follow. We actually go through those compliance requirements ourselves. Um, we also have personnel that are certified. So for example, we're a P C I Q S a we're a CMMC RPO. We've done high trust in the past. We do a lot of HIPAA third party assessments for clients. We have relationships with auditors, uh, where we do SOC two prep for clients as well. So very well equipped to have those conversations, um, with clients about exactly what those regulatory compliance, uh, requirements are. Uh, and then obviously if they have an outside council that has driven some of those conversations, uh, we're very well equipped to interact with them. So we're on for example, about 15 cyber insurance, uh, panels, uh, where they bring us in, in the event of a proactive engagement, help customers do tabletops and make sure that they're set up, uh, to have the best defenses, but more often, unfortunately were brought in for a, uh, cyber insurance, uh, firm, uh, that has clients that ultimately had a breach.
Doug Howard (01:00:01):
And now we're in a reactive situation and work through, uh, reducing that, um, impact of that particular event as well. And then obviously the legal ecosystem that's associated with that as well.
Brian Chee (01:00:13):
Doug Howard CEO of NCE, we've had a great conversation, but where can our viewers go to go and get more information about your company? And you bought your services and start a conversation.
Doug Howard (01:00:29):
Yeah, so I, you know, I think there's, there's two parts. I mean, first of all, you know, I like clients here, something like that. And they ultimately are afraid to call because they don't know enough these and ask the questions in various other things. As I mentioned before, that's a, that's a easy problem to resolve. We're not judgy. We don't, uh, ultimately, um, you know, ask a ton of questions that you're gonna be uncomfortable with. Our objective is to help you. And honestly, easiest way to engage is just go to pondurance.com. We have a number of different contact. You, uh, as well as, uh, any of the, um, the demos are available online, you can request a conversation and we'll get back to you shortly. Um, so, you know, easy click and, uh, just give us your, your name, telephone number or email. And ultimately you can see a lot of information and thought leadership online from our website as well@pondurance.com.
Curt Franklin (01:01:19):
Well, we've been talking with Doug Howard CEO of ponderance, Doug, thank you so much for taking the time to be with us today. It sounds like you have a lot on your plate.
Doug Howard (01:01:30):
Thank you gentlemen, for having me.
Curt Franklin (01:01:34):
We'd also like to thank my co-host Brian chief for being with us today and asking such great questions, Brian, what do you have coming up for the next week or so
Brian Chee (01:01:48):
I'm going to enjoy being retired. Um, do a lot of reading, try and catch up on, you know, upskilling myself on different things right now. I'm trying to learn more about, you know, filling some holes in my knowledge on basic electronics, but you know what, one of the cool things I like doing is talking to you, talking to our viewers, um, you're more than welcome to throw stuff at me on Twitter. My Twitter handle is a D V N E T a advanced net lab. And, um, you'd be surprised. Uh, you know, one of the things I'm actually talking about, the, one of the last tweets I did was I put a picture of a document cam, a professional one made by Elmo corporation. And I'm thinking, gee, you know, there's some really nice cameras out there. Maybe I can go use some L E D light strips and go and create a home built document camera, um, for you at our Makerspace, and then put it on Instructables because I'm sure there's a lot of schools out there that would really like document cameras, but can't afford the commercial ones.
Brian Chee (01:02:57):
So that'll be fun. You're also more than welcome to throw me email. My email is cheaper, spelled C H E E B E RT twi.tv. You're also welcome to throw email@twtwit.tv and that'll hit all the hosts. We'd love to hear from you. Um, and we have viewers everywhere. So don't be afraid if, if you can, if you are listening and you need, um, to use a translator program, uh, and you're willing to send me questions, send it to me in your favorite language. And as long as you don't mind me using a translator program, I'll be more than happy to take a good stab at answering your questions. Just last week, I had someone asking me about fiber optics and things like that. So I will go and talk about just about any enterprise topic you'd like to hear about.
Curt Franklin (01:03:55):
Thank you, Brian. I appreciate you being here. And I appreciate all of our viewers being here as well. Now, as for me, I am as always going to be letting you know about what I'm doing at kg four GWA on Twitter. Uh, you can also follow me on LinkedIn. You can find me at dark reading, go to dark reading slash Omnia. I'm gonna be writing there. I would have frankly written this week, but, uh, I managed to come back from the desert, uh, and bring a whole bunch of viruses with me. So I've been wrestling with him this week. I think I'm finally about to, uh, declare victory over them should be back in the saddle completely next week. Speaking of being back in the saddle next week, all of us here on TW will be back in the saddle this time. Next week. We hope that you will be able to join us at that time as well until then remember if you want to keep up with all that's great. All that's necessary in the world of enterprise technology. Just keep quiet.
Speaker 7 (01:05:05):
Hey, I'm Rod Pyle editor in chief Ad Astra magazine and each week I joined with my co-host to bring you this week in space, the latest and greatest news from the final frontier. We talked to NASA chiefs, space, scientists, engineers, educators, and artists. And sometimes we just shoot the breeze over. What's hot and what's not in space, books and TV. And we do it all for you, our fellow true believers. So whether you're an armchair adventure or waiting for your turn to grab a slot in Elon's Mars, rocket, join us on this weekend space and be part of the greatest adventure of all time.