- Welcome to "Cyber 5" where security experts and leaders answer five burning questions on one hot topic and actionable intelligence for the enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host Landon Winklevoss, co-founder of NISOS, a managed intelligence company. In this episode, I talk with LimaCharlie CEO and founder Maxime Lamothe-Brassard. We discussed the future of what's known in the security industry as "XDR," which is essentially an enrichment of endpoint detection and response products. For context, starting in and around 2010, cybersecurity vendors started deriving stronger antivirus solutions for endpoint computers and servers. Antivirus was only catching malware with a known signature, and not able to detect more malicious lateral movements that are common in today's attacks. Every endpoint detection and response platform has its own unique set of capabilities. However, some common capabilities include monitoring endpoints in both online and offline mode, responding to threats in real time, increasing visibility and transparency of user data, detecting stored endpoint events with malicious malware injections, creating blacklists and whitelists, and integration with other technologies. Now that endpoint detection and response solutions are firmly within the market, they need to be integrated with other tooling, including threat intelligence, to be effective at scale for the enterprise, and that will be our discussion today. Stay with us. Maxime, welcome to the show, sir. Would you mind sharing a little bit about your background for our listeners please?
- Yeah, super happy to be here. So, my name is Maxime Lamothe-Brassard, I am a Canadian, had my entire career in cybersecurity, starting in the intelligence sector in Canada, here for an organization called CSE.
Eventually made my way to another small company at the time called CrowdStrike, then made my way to Google, Google X and Chronicle. And now I am the co-founder at LimaCharlie. So at LimaCharlie, really what we're trying to do is we're taking an approach that providing the fundamental tools for cybersecurity, to people, as infrastructure is what matters. So we build cybersecurity tools starting from things like EDR, and getting into things like more aggregation, log aggregation, or some XDR types of use cases. And we make that available to every security professional out there as a simple self-serve platform. So think of it like an AWS, we think of what we build like AWS for cybersecurity. We make it easy, there's no vendor walls, no paywalls. You don't need to go through 10 different salespeople, it's just like AWS, scale up, scale down, take the tools that you need for cybersecurity professionals to implement that as they know they need for their own organizations.
- Thank you for joining the show today, this is gonna be exciting. We've been wanting to talk about the evolution, really, of XDR and SIEM, and SOAR, which of course is security orchestration and automation. And of course, how that blends in with threat intelligence. To start off the conversation, kind of provide a baseline of what XDR is, and just kind of go from there.
- Sure, sure. So XDR means slightly different things to different people. I think the fundamental you've kind of touched on, which is this idea that, if we look at it historically, cybersecurity really started with a lot of network monitoring, right? So we had this network detection and response, and then we went into the endpoint. And so we had this endpoint detection and response.
And so XDR is kind of the fundamentals of say, look, as we have more and more different platforms, cloud presence, multiple cloud presence, many types of software that we use that's from the cloud, we need to be able to bring information from all of these in order to do a good job securing whatever we're trying to secure. So that kind of core philosophy is very good, and I wouldn't say that it's completely new, but I think we've kind of put a term on it, which really helps define it so that we can now talk about it. But that XDR concept kind of extends, and I think personally that's a little bit the Achilles heel of coming up with that term: a lot of vendors have taken that term and really integrated it into their marketing tool set. And I think that's the reason some people, when they think of XDR, they don't think of, here's an approach at detecting things and responding to them, but rather they think, "Oh, here's the piece of software that I have to buy from this vendor and deploy it. And it gives me XDR." And I think that's kind of the flaw in that approach, personally. But I think that's sort of generally what people understand from the XDR term.
- From 2000 to 2010, antivirus was what you put on your endpoints. And of course, starting in 2010 through current day, you had antivirus really start to be upgraded into what's called endpoint detection and response, which ultimately doesn't just look at signatures, but looks at the behavior of malicious attacks, to flag on those types of events. If you're a defender for, let's say, a big bank, or you're a defender for a medium sized business, what are your challenges, I guess, so to speak? Even with EDR in the current landscape, why has XDR needed to evolve?
- Yeah. Yeah.
I mean, it's not one or the other, I think it's important to understand that EDR, again the concept, not necessarily the specific tool you buy from a specific vendor, but the concept of, "Hey, we need to have visibility from the endpoint, with detailed visibility." Exactly like you mentioned, the antivirus kind of started this whole thing and they're still very important. We need quick automated solutions to catch the low hanging fruit, that's how I see antivirus. EDR goes one step further around, "Hey, we need to have the detailed information and telemetry about what's going on on an endpoint. And we need to have the more generic way of being able to respond to this through a tool." Which in this case is EDR. So that requirement, that part of the tool set, is still crucial. I think when we think XDR, it's not so much that we're replacing this, as much as we're kind of making the statement, "Hey, this is great, but there's just so much more to be done in terms of detecting and responding holistically, by being able to tap into your identity provider," for example. And being able to look at the box. And the reason is very simply that the surface area of things that can be hacked in your company, I'm gonna generalize it that way, is not just on the endpoint anymore, it's not just like I have my laptop, but now my identity is being managed through another service in the cloud that manages my connectivity and my identity to perhaps hundreds of other sites and apps. And so it's important to have, again, that same visibility, it's the same core fundamental requirement, which is I need to be able to see this activity and respond to it. So I think XDR is addressing that challenge for companies that are trying to see very different types of hacks. So, traditionally we think of, I don't know, there's a piece of malware installed on my box and that's kind of, I think, the big wave of APTs, I'm gonna say like 2013, 2015, kind of timeframe.
And yeah, that still exists, that's still very true. However, when you start to look at the type of footprint that we have in the cloud, I mentioned identity provider, but we have cloud providers as well. So we have more and more machines in the cloud, we have just various forms of services. If you start to squint a little bit, you just see another surface, another form of endpoint where things are happening, and there's new types of hacks being done there. It's not the same old, like I install a piece of malware, but now I'm able to hijack a session from my identity provider. And then I'm able to leverage that to gain access to some other software-as-a-service platform on the web. And I'm able to go and achieve my goals, doing that without ever talking about a file or a hash, or a physical piece of malware. So, it's another dimension to all of this. So that's where XDR is really important. Don't think of XDR as, "Hey, it's a new type of tool." It's really an extension of what we've been doing all along. That's really how I encourage people to think about it. You're just trying to get the same things we've learned to get from the endpoint, but now to get it from various cloud platforms.
- I'm kind of interested to peel back the onion on what that looks like. But I guess before we do, I'm just kind of curious, when Gartner came out with that statement that they expect 50% of mid-market buyers to adopt XDR strategies by 2027, that really caught my attention. I'm kinda curious, why does the XDR market have a long way to go by 2027, and how does this truly get to mid market and SMB?
- Yeah, so that's a really good question. I think it's the very beginning of what you were saying just now that is kind of the key here, in my mind. The XDR strategy, and I really love talking about it in those terms, sometimes I'll refer to, I'm kind of zooming out one level a little bit here, but as an industry, I compare it to, we're trying to learn to build bridges.
What's really beneficial for us as an industry to learn is sort of the set of equations and how to think about how load is spread on bridges, and the different forms and different types, all those equations, all the approach to it. And that's what's important to us as an industry, not to have a company coming in and saying like, "Hey, I've got the Bridge Builder 5000, you press this button and your grandpa is able to just build the bridge across any river in five seconds." That's not beneficial. That's why I really love when we talk about XDR strategy, because fundamentally it's not a product, it's an approach. And coming back to your question around mid market and being accessible, I think we're in the middle of this shift, where people are realizing that it's not the Bridge Builder 5000 they want, it's the engineer that has been taught how to build bridges. And so I think we're kind of entering this shift, and what it means is that it's going to make an XDR approach a lot more accessible, because fundamentally the XDR approach does not involve a high cost. When people think of that really high cost, what they're really thinking about is the vendor trying to sell them a widget that they stamped XDR on and says, "Hey, don't worry, we stop all hackers automatically." And that's needed for a segment of the world, I'm not really talking about the very small businesses here, the dentist's office is not gonna hire security people, or something like that. But for the rest of the world, for the rest of enterprise, it doesn't have to be that expensive. Fundamentally, all of the tools are kind of already there. That being said, of course, there's a lot of open source tools and there's all that overhead of kind of ramping that up. And so I'm not saying that today anybody can just jump in and take this XDR approach.
But what I'm saying is, it's not a question of a couple of vendors having a magic secret sauce, but rather it's just a question of the vendor ecosystem responding to this new concept of XDR and putting reasonable tools in front of people that allow them to take this XDR process, this XDR view on security. And that part doesn't have to be very expensive. It's not like we have to invent a whole new thing that is incredibly complex. All these cloud providers, all these SaaS, these identity providers, everything is producing a log, logs are all there. Fundamentally, log aggregation has existed for a long time, and I think that's kind of the fundamental piece at a technical level, how you start your journey into the XDR space. So I'm not surprised, I think by 2027, absolutely it's gonna be available. I would argue that most of it is already available to mid-market already. It's a question of what's the incarnation of XDR that you're looking at, if you're looking at just the big vendors selling you, here's the high sticker cost thing that will just automate everything, or if you're actually saying, "You know what? No, no, no, let's do this properly." If we have a security team, let's get them involved in getting access to those capabilities. And if we don't have a security team, let's work with an MSSP that is able to help us get that kind of visibility and that kind of protection.
- Let's peel that onion a little bit. Let's start with a large or medium size enterprise. What are the critical functions that they deal with around automation tools, within XDR?
- So I think there's two questions in that; I think the two questions are, what are the issues around that high number of tools that need to be leveraged by those companies? And I think there's a second one, which is, what does the automation piece look like around this XDR concept in those organizations? I mean, obviously they're linked, but they're still two kind of different questions.
So one around the number of tools, I don't think anybody's going to tell you anything else than, there's just too many tools that are needed from too many different vendors. There's an incredible vendor sprawl, I think that's something that's gonna be changing when we look towards that 2027 milestone, that's something where there's going to be some aggregation, some consolidation in that space, because today, I sometimes joke that enterprises end up buying 20 tools from 20 different vendors, and then they have to buy five other tools from five other vendors to glue those 20 together. It's just not sustainable. I think that's something that was needed in an environment where a lot of those tools are very novel, they provide a brand new concept for the new startup, something that's really new thought, to the industry. And so we ended up having multiple vendors put those things forward. As we mature as an industry, that set's going to go down as vendors, as people realize that they start to understand each of those tools really well, individually, and understand the underlying security principle behind those tools. So they see less the widget that they buy from somebody, and they see more of a use case that they need behind this tool. So there's going to be a drastic reduction in those tools, and certainly that's exactly where we're putting our money where our mouth is, in our case, in terms of consolidating that space and making sure that those tools work together without having to buy more. But that sprawl has an impact around the question of automation and XDR in enterprise, because obviously it doesn't make things easier, right? If you have 120 tools, it's not exactly easy to start thinking about all of them in a related way, and automating things across the board.
So that being said, I believe that the idea behind XDR, that's a very sexy idea of, "Hey, we're going to correlate and automatically detect really, really complex behaviors and things across all these different cloud platforms." All these different things, I think it's very sexy, I think it will be very interesting to see how we live up to, how we fill up that vision. I don't think we're there. I think several vendors have really great demos of, "Hey, I can automatically correlate this thing happening in IAM, in your identity provider, and this thing on the box." But the delta between that and the marketing is pretty high right now. So my professional opinion is that, don't get too locked up in this idea that you need to have a thing that has magic ML blockchain learning to detect things across the board. Start with observability, start by having the ability to look at those things, and start small in terms of the correlation that you can do across those. Now as an industry, I'm sure we're gonna live up to it eventually, but there's just too many unknown pieces of the puzzle that are just starting to come up for, realistically, us as an industry saying, "Oh yeah, we got this."
- I've talked to so many different cybersecurity professionals. It is a pretty common line, right? We had an incident, we had a breach, now we are just opening the flood gates of technology. We're opening the flood gates of capability to really detect anything and everything. And they of course literally go out, buy all these different tools, and it gets to the exact same types of things that you were just discussing. How does everything that you were just saying there overlap with the nature of the cyber threats they're facing? Do you think that many technology stacks are over-marketed for the APT threats, if you will, being the most serious? And almost under-engineered toward threats they actually face, like account takeovers and business email compromise.
Do we almost need to take a step back and really have a threat-based approach that really just discusses the risk? What are your thoughts really around that?
- Absolutely. Absolutely. But I'm also very hopeful about it. I think what you're describing, the over-indexing around APT, this is taking the pulse. But I think we're a little bit getting over that, in my mind this really peaked in 2015, type of thing, where everybody was talking about APT and entirely focusing on that. And I think what we've seen is, a lot of the vendors that really started very firmly pushing that kind of approach to threats have been shifting over time in the right direction, in the direction of more general types of threats. So I think you're absolutely correct and it's getting better, but it's a really critical statement for us as an industry to understand, and to promote that threat modeling, because not all organizations are the same and certainly for many, many organizations, to try to protect against APT is not money well spent. And so, as we mature, as we understand that what we're developing is a very mature profession, and a controlled way of looking at how to protect an enterprise. Again, I'll go back to the analogy around building bridges, I think engineering has figured out that if you're building a bridge for pedestrians it's gonna be very different than a bridge for cars. And it's not a question of what brand you stamp onto that bridge, it's a question of understanding the fundamentals and having a process that as an industry, as professionals, we've kind of agreed on over time and shown that it's the right way to go. So to start by looking at what are the things that we're trying to protect, what are the things that we're trying to protect against, and how do those things overlap? And then what's the end requirement?
We absolutely have to go in that direction, otherwise, I think there's going to eventually be a reaction from the business world that is a reaction of rejection of cybersecurity. Where, if we appear to just be some kind of cost center where there's no rhyme or reason around what we need, and we just end up buying more, and it's just impossible to reason about whether what we bought actually made a difference and how it made a difference, then that's gonna be really, really bad for the industry. Now, that being said, going back to it, I think we're going in the right direction, so I'm very hopeful about it.
- So you mentioned a couple of critical things in everything that you're talking about there, I mean, fundamentally, that is the business of security, right?
- Mm hmm.
- Security is an expense function. It is generally not, at this point, a revenue generator. Let's talk about, real quick, how you make that risk management function translation. Talk through how you define that risk-based approach to security, both from a threat intelligence perspective, but also really from an automation and tools perspective, let's call it the glue of tools. How does that formulate what an actual risk-based approach should be, to where you're buying the right tools that mitigate the appropriate risk, and not an over-marketed slick deck around advanced persistent threats?
- Absolutely. I guess I will start by saying, I don't have all the answers, so that's probably an obvious statement, but what I mean by this is, there's a whole industry, I'm thinking of the insurance industry, actuaries, that is kind of built around this concept of being able to analyze the effect of things on possible scenarios happening. If we look at health insurance or car insurance, there's a reasoning behind the types of rates that you get. And I think that's, for cybersecurity, a really, really difficult problem.
I think a lot of the things I mentioned around risk evaluation will eventually someday reduce down to something like insurance providers having their models that they can apply onto a company to determine, effectively, the kinds of rates. I'm not saying that cybersecurity is just that, or it's gonna be as simple as that, but that it's going to be an indicator for the fact that we really understand how to model these things. And so end up putting a number on it, and I think nobody's there yet. People are starting to try to do that, and honestly, that's just not something I can do. That's not something we can do. So we're kind of looking forward to the industry moving in that direction. That being said, I think at a more practical level, the way that we are thinking about this, the way that we are seeing this, is from a perspective of increased IT infrastructure attack surface. So if we look at it in terms of, how much IT is there out there, and how diversified is it? And the reason that I kind of hit this specific question is that, if you're trying to defend something that has a very wide attack surface, and that is very diversified, that is very unique, then what it means is that you are going to have to have an equally diversified and unique approach to securing it. So the first step of determining what exactly is of worth in your company, again, I would say it's not my focus at all. I think there's some people that are doing this in really great ways in the policy realm of things, in advisory firms, all that. So I would just strongly encourage people to go see professionals about this, people that help them reason about those things. Because the one thing I do know is that the critical risks are often not what people think they are. It's not always just my production server running somewhere. Sometimes it is just information about my employees, things like that, working with different vendors.
So that second part of the equation is honestly where I know a lot more what I'm talking about. So it's this idea of, how do we protect all of these things? And that's where it connects a lot into the vendor sprawl. So we have two solutions; we're saying, "Look, we have a pretty diverse and wide attack surface, we want to protect it." We have two solutions. One is, we're going to go and try to buy hundreds of products. And I think we've touched on the types of difficulties that are associated with that. One is, from a business perspective, it's just a humongous number of vendors to manage. It's also going to be very expensive. The second one is, we go and we try to build it. We try to build from scratch all the things that we want to go and detect, that we think that we need to be able to detect in each of those environments. And that is a very expensive solution. For some people, it's probably still within the realm of the affordable, for very large companies, but not for most, I would say. The third possibility, which I won't mention, is the idea that we're just going to buy one vendor and somehow they're going to stop all the breaches. It just works, right? And I think that's the one avenue that's becoming more clearly not the right avenue. It's just not realistic. So I think where we want to head is the middle ground between the first two options that I mentioned, which is, why is it that as a security industry we identify that either we work with products that do every single thing automatically, here's the blinking red light, if it blinks, you've been hacked. That, or we go and we build everything from scratch. I think that's not the way that we should be seeing the way forward of how we want to go and detect things in all the different environments that we have access to. And that's where we come in, right? That's our position. And that's where we believe pretty firmly in providing security primitives.
So it's this idea that as an industry and as a profession, we now have a good idea of what the things are, the tools that we need to be able to detect things. That we've got a really good idea. We know how those tools work. We know what type of information's necessary, we know all of this. What we need is people to bridge the gap between having access to those tools and implementing what they know. Most security professionals in large organizations today know what they need to detect in their different environments. That's not something new, that's something that, as an industry, we've learned pretty well now. So what we need is, we need to enable those people more. We need to enable those people to put in place the security posture that they know they need, and not everything else. It goes back a little bit to, if you're trying to protect something that has nothing to do with APTs and everything to do with cyber crime, you don't need to buy the solution that somehow just prevents all APTs. What you need is to be able to say, "You know what? I know that this database, this type of access, should not be occurring in this environment because we've analyzed this as one of the bigger risks, and I just need an easy way to go and apply this security control in that environment." And I think that's the long term key for most medium to large organizations, to scale in terms of cost, and to scale in terms of effectiveness and understanding what they're protecting against. So that at the end of the day, as a security professional at an organization, what you're able to say is, "Look, we've identified the following five things are really risky in that factory that we have somewhere in the US." Those are the things we're worried about happening from a cybersecurity perspective there. And those are the five things that we are protecting against.
And we know we're protecting against it, we're not relying on some vendor promising us that somehow their ML is detecting that, we can reliably test it, we can reliably show it. And now we're approaching a lot more of a science and less of this black box risk evaluation.
- Almost a science in a modular approach. Would you agree with that?
- Absolutely. Absolutely. And it goes back to XDR, right? That's why I think XDR is a great thing for our industry as a strategy. That's why I think MITRE is a great thing for our industry. Like you say, it's modules, we're thinking about this in a reasoned, scientific way.
- Maxime, love what you're doing at Fraction Point and LimaCharlie, I can't thank you enough for joining the show and I appreciate your time today. For the latest subject matter expertise around managed intelligence, please visit us at www.nisos.com. There we feature all the latest content from NISOS experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all NISOS teammates who engage with our clients to solve some of the world's most challenging security problems on the digital plane, and conduct high-stakes security investigations. Without the value the team provides day in, day out, this podcast would not be possible. Thank you for listening.