Episode 105: You Will be Breached with Kerry Bailey
Jon Prial: Whether it's life or business we're always faced with trade-offs. I mean, do we go out to a fancy restaurant or should we stay in and save the money? If we are going to spend money, how should we spend it? Should it be on something tangible or maybe we should think about experiences? Uneasy discussions, but very doable. Now how about as business leaders? Should we clean up some technical debt to ensure a smooth product futures? Or should we bolt on another whizzbang feature? Maybe we should hire more sales and get that revenue up, or we should invest more in customer success resources and keep our churn down. One might argue that the answers are easy to get to. Then again, all businesses are different as are their leadership. Now what about security? Is that just another trade-off where there are a few fundamentals that we should be much more aware of? Today, we're going to do our best to prove the latter. It's why we published our thesis of security first back in 2015, and it's more relevant today than ever. So let's take those rose-colored glasses off and dig into this most critical topic. I'm Jon Prial and welcome to the Georgian Impact Podcast. With us today is Kerry Bailey, CEO of eSentire. eSentire has been part of the Georgian portfolio since 2014 and Kerry has been with eSentire for over a year. Kerry brings decades of IT executive leadership experience with a career that spans early stage companies to Fortune 100 companies. Kerry, welcome to the podcast.
Kerry Bailey: Hey Jon, happy to be here with you.
Jon Prial: This is often a standard question, although I think it's more relevant in the security space than other spaces like marketing or sales automation because security evolves so quickly. What's your take on kind of the level of integration that exists in the security market? Can companies pick best of breed pieces or is there still reasons for companies to have that old classic single vendor strategy?
Kerry Bailey: The traditional business had all of its infrastructure and applications sitting in a data center. Now, all of a sudden, your supply chain, who your customers are, how you reach your customers, where your data is flowing, all of that is now sitting in a highly distributed world. And yet in the security industry, we are still trying to put point solutions at this problem. And as you notice the number of breaches and the number of problems that the industry is having is security is not moving as fast as it once did. So my view is, we thought of the IT industry of being kind of the new style of IT and it was the new style of how you wrote apps, how you delivered infrastructure, all of those pieces. We now need the new style of security and yes, products are very important, but you can't as a throw 50, 60 security products because you've got to start planning. You will be breached. You need to know where your data is. You need to know you're going to have vulnerability somewhere in this very distributed world. So, today we really feel strongly on the idea that you have to assume you're going to be breached. Yes, you need all kinds of next gen security products and security managed services to give you full visibility of where is my data, where are my customers, where are my users and how to begin to monitor and react in seconds, instead of kind of how we used to do things by putting a firewall in and putting anti-virus in and saying, Hey, we'll look for an alert to go off. It's a different world right now.
Jon Prial: And interesting coming about the cloud and the data. And I think you're right, that the data isn't really what it used to be in the data centers. It's been out in the cloud, augmented with other points of data. So I guess what's your take on the convergence of attack vectors versus an explosion? I mean, how fragmented are we today as things somewhat get consolidated in the cloud versus kind of where we were in a data center in terms of attack opportunities?
Kerry Bailey: I think the first thing that happens is the attack vector has broadened because we are now living in this big distributed world. End points are everywhere. Cloud workloads are everywhere. Data is flowing across all different types of applications and products that are being sold by companies. So because that we've moved outside of the four walls. Now, all of a sudden, it was hard enough for an enterprise or even a small medium business to say, I know where all my assets are. I know where my databases sit. I know where my applications are communicating. That was hard enough when it was in four walls. But now all of a sudden because everything is distributed, that means the attack vector and the landscape in which you can go after vulnerabilities that are out there and actually collect information as an intruder, it's very, very broad right now. And I think enterprises have lost the basic element of where's my data, what are my assets, how valuable, what is my most valuable assets? And then how do I protect them? So now from an adversary standpoint, it's wide open. Data is everywhere and they're exploiting it every day.
Jon Prial: So do you see then that we're going to be always be reactive to new attacks or do you see ways or companies to get out in front of some of these emerging threats?
Kerry Bailey: There's always a way to get preventative in, in your actions. And I still say, we advise our customers that basic security is still absolutely necessary. And I would call that, yes, where are my assets? What are they, am I doing standard audits? Am I doing standard vulnerability scanning? Am I doing all of those things? Because still, when you look at some of the bigger breaches like Uber and others, it was still basic security principles would have solved it. But here's where I think the next piece comes in and it's a mindset that companies have to have. It is you will be breached. That is the bottom line and the mentality that has to be thought of by companies that are out operating in digital world. And then that means, if I know I'm going to be breached, I need to be able to say how quickly will I recognize that? We know from our business, an adversary can get in, exfiltrate data and get out and usually on an average of less than 10 hours. So you've got to have the ability to not just do point in time security, but you've got to do 24 by seven. You've got to be detecting. You've got to look for anomalies. You've got to look for patterns. And you've got to look across even your inside traffic that moves back and forth. So I think it's a combination. Yes, let's keep doing the defense in depth, the security, standard security that we've always done, but then begin to look for new approaches that give you greater visibility to your environment, and you can react quick.
Jon Prial: Interesting. We've had a podcast on quantum computing. And so I think about the future, they're saying perhaps this first sweet spot for quantum is going to be quantum safe encryption. Things are happening so fast. So I like your point about what CEOs have to begin to focus on because something's going to happen, something bad is going to happen, and they need to be prepared as quickly... They better be prepared yesterday.
Kerry Bailey: That's right. That's right.
Jon Prial: So let's talk a little bit about eSentire and the kind of your role in this landscape. One thing for me as well, when I looked at you, you do need to put... You put hardware devices into the network. I mean, I think I've always probably incorrectly called them sniffers, and you've got a SOC, a security operations center. How do you put that all in context of the things we've just spoke about? How does that fit? Is that the leading edge of the... Is that the thin edge of the wedge? How does that sit in terms of this broader landscape?
Kerry Bailey: That's a great question. So I think the first piece to your statement, it's about visibility and cybersecurity has become a big data problem. I mean, that's what it is. I like to say it's probably the best use case in the world for AI. And when you couple expertise, so in our case we've got 300 security experts in our company. When they are sitting there being able to look at a variety of column signals coming in from an enterprise, with the AI engine and our security experts, we can get right through the noise, find the needle in the haystack and shut it down. But what we ultimately do with our customers is, we, we don't want our customers to be buying all new security products and those pieces, what we really want is data feeds. And if you think about the most important data feeds in an environment, we want to see your network. So we have an appliance that we will put on a customer's premise to begin looking at all the network packets and capturing the network data. We also want to look at end points and end points provide us some of the most valuable signals that we can get as that is where some of the attack vectors go. Of course, when someone opens up a phishing campaign or those pieces. We also want cloud data, cloud logs, or any other logs that we can get out of the customer. So we take that information and we pull that back into our technology stack, which is driven around AI, and it begins filtering and looking for knowns and unknowns coming from all of that data. And then our security experts sit on the back end, because this is where you really have got to have... AI and security experts go extremely well together because you're constantly tuning, you're constantly putting that expertise on top of the cyber problem.
Jon Prial: Let me ask you a question on that. The expert, this is kind of cool because you've been around so long. I think your company has been around since 2001, and obviously you've had these experts sitting in these SOCs, these operations centers. How have things evolved as you've collected more data and you've put more machine learning and AI in front of it? What percentage, I don't know, pick your year, whatever works for you, five years, eight years out, were first seen by a human being and now what percentage are now being seen by the AI? Have we seen that the technology has driven that change?
Kerry Bailey: I would even say in the evolution of eSentire and frankly the evolution of the MS security market in general, the managed security service provider market, it really was initially built on saying if your anti-virus fires off or a firewall, we detect a firewall change that's bad, it was all human, it was all human driven because it was... Security was becoming more complex because it was now exposed to the internet and it was exposed to many different networks around a company and you had people that were literally trying to watch firewalls and AV firing those pieces.
Jon Prial: It's worse than being a mock content moderator on Facebook.
Kerry Bailey: That's exactly right. But then what changed was, and I really, this is where our passion is and my passion, I love the transformation in the market from an IT standpoint. As soon as it became very easy to use all of a sudden more and more workloads, the businesses became digital businesses and then that's where the overwhelming piece began to hit a lot of companies that were in the managed security market. Because they didn't have a technology to actually help them go through just tons and tons of data per hour. So I would say, for us, it was probably about two and a half years ago where AI really began to play for us. And we built a use case and because we said we think we've got 70% noise coming in from our customer's networks or end points, et cetera. And we focused an AI on it and we reduced the noise by 70% which allowed our analysts to really do deep investigations. But now that data has, our data now is probably 10X what it was a year and a half ago. So, there's no way a human will be able to find the needle in the haystack and react in seconds any longer. So I would say right now, we're still running kind of in that 70% is done by our AI engine and 30% is the deep investigations-
Jon Prial: That's pretty good. [crosstalk]
Kerry Bailey: ...Especially because the data is going up.
Jon Prial: Exactly. Now you mentioned, I think this is one of the piece of collateral I grabbed on the company. You talk about detecting threats that traditional security defenses miss. Does that mean the AI? Does that mean the sniffers? How do you [inaudible].
Kerry Bailey: And I think this is some of the biggest value that we offer. And we've discovered so many zero day attacks or unknown threats across the world. So, the security industry was built on, if you go all the way back to AV, it was built on signatures. Hey, this thing was discovered, let's update our AV systems to now detect for that thing.
Jon Prial: Every time I updated my anti-virus, every week, another update [crosstalk]
Kerry Bailey: Another one, another one. But what's really happened now though, is that you have to look for anomalies. You have to look for behaviors that don't look normal. So, a lot of the things, I'll give you a couple of examples, is, if your credentials, let's say you're on Office 365, and you're a law firm and your credentials become compromised. There's nothing that's going to alarm from a security standpoint but your behavior, if all of a sudden you start offloading a lot of your corporate data onto, Dropbox or whatever it may be. All of a sudden, you know that's a pattern that doesn't look right. And I will tell you, and again, we are big believers in the technology and running AI the right way. But that, looking for those patterns, anomalies and what has allowed us to find these zero day attacks or things that are going wrong. So again, it's visibility and it's the ability to say, yes, the security controls that security products offer is still very, very good, but it's not the complete answer.
Jon Prial: And I like the thought that, we used to know something because we figured out it was bad then we reacted and then the signature got leveraged. And maybe even you can figure out what a future signature might look like. But this anomalous behavior is different. So you've got the ability because you're looking at so many things across the network to figure out kind of what a human being bad behavior might be, not tech at all necessarily.
Kerry Bailey: That's right. That's right. And that's why I say, security has become much more of a... If you assume you're going to be breached or you're going to be under attack by an adversary that it's risk management. And I know we've talked about risk management, every different level of a business in the past. But right now literally cybersecurity is I think the number one kind of core pillar of risk management for a company. Because it is, the insider threat, so many companies will have third parties that are helping them develop applications or are helping them do marketing inside their environment and they have access. You just don't know what that user behavior is doing or are they compromised or what? Security is so much more than looking for the known now it's looking for the unknown.
Jon Prial: I love it. So, getting to this person that's putting stuff in Dropbox. We're now talking really about social engineering. We're getting broader into kind of our thesis, the Georgian thesis around security first that it's more than technology. It's getting the people involved. So as we think about this, what do you see in terms of how much of a CSO's job should be thinking about training and culture versus just getting the tech working? Is it a CSO's responsibility? Is it a CEO's responsibility?
Kerry Bailey: We do it here. We're a security company. We have to be always educating and making sure everyone in the company understands the latest threats and the latest phishing attacks and making sure that we're protecting ourselves. But I will tell you, I think that the CSO must spearhead this, but it also should be, and people react when I say this, it should be a board level item. And here's what some boards do, some boards go, let's have our quarterly audit and let's have somebody come in and say, Hey, we passed all this. We found these issues. We've remediated them. And they're out. That is not the conversation at the board level. No, it should be much deeper level and you should be running attacks on yourself. There's great tools out there to do that. But I do, I think it starts with the education, driving a culture that it's okay to say, there is a problem here, or, Hey, I'm worried about this or I saw this employee or this contractor doing X or Y. That's the first thing that's got to be built in an organization. And then, as we say, if you see something, say something.
Jon Prial: So when you're out there making calls and you're talking to the CEOs and C-suites, what's your level of comfort or that they get it sufficiently enough that their head is out of the sand? You're not the one calling Chicken Little here, are you comfortable that they recognize there is a tech solution, there's an eSentire role to play, there is this HR training role to play? As we think about this broader security first thought, what are you seeing out there in terms of the, I don't want to say the maturity, but the level of knowledge that your customers have out there, are you comfortable or are you nervous?
Kerry Bailey: I'm very nervous. And I say that just because we're in such a change right now, and again speed is so fantastic for business as they're changing into much more of a... They're changing their business model being more digital, that's fantastic. But on the other side, the speed is actually hurting so many companies because they're not taking time to elevate a new style of security or thinking about security in a different way. And originally our thinking was, if you were originally born on the cloud and your business was already born as a digital entity, that you wouldn't have any problems. It was kind of innate in how you thought, but that's not the case either. We have seen, even if you look at some of the big attacks, the Uber attack using GitHub, where they put code for developing. That was a basic security breach of credentials and they weren't even on their game. So that's why I say, I think we've got a long ways to go. I think we're getting there. I think we have a... Our whole company feels we have absolutely the need to make sure the community understands that it's our responsibility, it's their responsibility because this is our new world and we can't keep doing things the same way.
Jon Prial: Well, I'll tell you, the only thing I can think that's a good thought here is as we're getting bigger and more data out there. I think the most exciting news for me that I heard was that the ML tools, the AI you putting in place is actually getting out in front of humans. You're doing a little more prediction as to what's happening. I think we are helping ourselves on the tech side. I think we need to make sure we pull ourselves up by our bootstraps and help ourselves more on the human side and the social engineering and put the two together. Hopefully we're in better shape than we were before.
Kerry Bailey: And we've had some customers, which I really respect. Even when they had a breach and they came to us to help them and became a customer of ours after this breach, they wanted to publicize the lessons learned. And I think it's fantastic. And I also appreciate when the companies say security will be a differentiator for us. They may be a company that's a law firm and they go, look, we want to show our customers we are protecting their data. It's top priority for us. So we want to be a differentiator in security. I think you're right. We had the technology, the education, we get businesses to begin to get on a proactive stance on the value of security. I think we start to solve this problem.
Jon Prial: I can't have a better way to finish this. The value of security is much more than just the security, it's getting your company differentiated. That is a big deal. Indeed. Kerry Bailey, thank you so much for being with us today. What a pleasure.
Kerry Bailey: Jon, it's been a lot of fun on our side. Thank you.
You’re always faced with trade-offs. Cleaning up technical debt or adding new features. Hiring more sales reps or investing in customer success. You have to make these decisions. But what about security? Threats are constantly evolving and solutions are too. Is it ever worth the trade-off?
In this episode of the Georgian Impact Podcast, Jon Prial talks with Kerry Bailey, CEO of eSentire. Kerry emphasizes that it’s not whether, but when you will be breached. Taking this mindset sharpens your focus on security as a strategic initiative and shows that there are no trade-offs worth making.
It’s why we published our thesis on Security First and it’s more relevant today than ever as security performs a foundational role in building trust with your customers.
You’ll hear about:
- Why cybersecurity may just be the best use case in the world for AI
- How managed security has evolved from human-driven to AI/ML
- Why security is about more than tech: it’s a cultural issue and a board level item
Kerry Bailey is CEO of eSentire. eSentire has been part of the Georgian portfolio since 2014. As CEO of eSentire, Kerry is driving the company's market acceleration and its evolution as the industry's leading Managed Detection and Response (MDR) service provider.
His executive experience spans security, managed services and cloud computing at Fortune 50 and early-stage growth companies, including Hewlett Packard Enterprise, Verizon Enterprise, Betrusted and Security Assurance Group.