EPISODE 7

Innovations in Security with Open Systems Senior Director Dave Martin and Head of Sales Engineering Roman Jeitziner: SASE and SD-WAN Solutions | Ep. 07

May 19, 2020
1hr 3mins

In this episode, Max Clark talks with Open Systems' Sr. Director of Product Management Threat Response, Dave Martin, and Head of Sales Engineering North America, Roman Jeitziner. Dave and Roman provide an in-depth discussion of Open Systems' solutions and the many ways they are tailored to their customers' varying needs.

Transcript

Max: 00:03

Welcome to the Tech Deep Dive podcast, where we let our inner nerd come out and have fun getting into the weeds on all things tech. At ClarkSys, we believe tech should make your life better, searching Google is a waste of time, and the right vendor is often one you haven't heard of before. Hi. I'm Max Clark, and I'm talking with Dave Martin, who is senior director of product management, threat response, and Roman Jeitziner, who is the head of sales engineering for North America at Open Systems. So, we're here to dig into Open Systems.

Max: 00:32

And, you know, as kind of like a foundational question, Open Systems, we know, started as a value-added reseller and an integrator for Check Point firewalls, and then you've evolved into something well beyond that in the space and your approach for security. Can you give me just a quick overview of what Open Systems does and what your general, like, buckets of service and product are?

Roman: 00:57

Sure. Yeah. Like, the fact that we started as an integrator is probably the main reason why we are where we are today. When we just sold firewalls and then the need came up for WAN, global WANs, we kinda started to combine different platforms, and Open Systems itself started to realize at a very early stage that it adds an enormous complexity. Right?

Roman: 01:23

So you have new service chain firewalls, WAN platforms, routing, and so on. And based on that, we thought, let's shift our model. Let's shift from a hardware perspective to a service perspective, and let's start to build our own platform. And that was, like, 20 years ago, I would say. So back then, we said that whole service chaining, that doesn't work.

Roman: 01:45

It's too complex. Let's build our own platform, and that's where we started. The core of that is obviously SD WAN. I mean, that evolved from, like, just WAN and automatic failovers to more sophisticated ways to failover applications now called SD WAN, and then around that on the same platform, and that's the critical part, we also offer NG Firewalling, Secure Web Gateway, and network detection and response, and so on. And that's all in one platform.

Roman: 02:16

And luckily, Gartner came up with that terminology of SASE, Secure Access Service Edge, in 2019. And for Open Systems, that was the first time we thought, okay, this is actually where we belong. That's where we should be. It's not just an SD WAN box. It's not just a firewall.

Roman: 02:32

It's not just a proxy, but it's really a service platform which combines all of these different services onto one platform. And that's Open Systems in a nutshell.

Max: 02:44

You've approached this a little bit uniquely, and I think this also comes from where you started, because when we look at MSPs, or actually MSSPs, in the market today, it's usually a discussion around integration of other vendors' platforms. So what we were just talking about. So we've got this brand firewall, we want this brand SIEM tool, and then we have this brand this, and we have this brand that. And very quickly, you start talking about layering on a lot of different product.

Max: 03:08

I mean, security for an enterprise at this point is a significant amount of different product in order to have the different maturity models and what you're trying to actually achieve. Right? I mean, that gets pretty complicated pretty quickly. So I mean, you see slides with, I don't know, it's just, I think it's the favorite slide for most security people that are selling integrated services, of here's how insane this would be to do it on your own and we make your life simpler. So I mean, you know, we talk about firewall and web gateway and etcetera, but, I mean, it's a lot more than that.

Max: 03:37

I mean, you guys go a lot deeper into this.

Roman: 03:40

Yeah. Definitely. I mean, this is kind of where we are coming from, and we have Dave Martin on the call because he's where we are heading to. So it's not just network and network security, but it's security as a whole. That goes to the endpoint, that combines SIEM as a platform.

Roman: 04:00

And we wanna be able to provide the managed detection and response service, like a SOC, a full-blown SOC. We already have, and we had for years, huge SOC components with network detection and response. Previously, that was called IDS, and we added value to that. It was not just an alert, but it was really some output. So our engineers in our operation center and security operation center analyze these events and then provide qualified feedback to the customer and say, hey, look, this is something you should really look at.

Roman: 04:33

This is what we suspect. These are the actions you should take, and please provide feedback so that we can train our system further and be more proactive the next time. And we wanna take that to the next level, and this is actually where Dave Martin is jumping in.

Max: 04:51

Dave, let's talk about that. What is the next level?

Dave: 04:54

Sure. Yeah. Happy to share that, Max, but also wanted to reaffirm what both you and Roman have pointed out, which is that the complexity in the security stack today is, very candidly, just unmanageable. I mean, I talk to a lot of CISOs, and many of them are moving to try and consolidate that security stack to eliminate the complexity there. And a lot of this is, I think, just a manifestation of where we've come as an industry where, for a long time, we used what I call a technology-driven security model, where the idea was, if I just bought, you know, it started with the firewall, but then I said, hey.

Dave: 05:28

If we just buy an IDS, we'll be safe. If we just buy antivirus, we'll be safe. And so on and so on and so on. And, you know, as an industry, we spend over $100 billion in security-related software per year. And yet despite all of that investment and really smart people and good efforts, best efforts, damaging breaches continue to occur.

Dave: 05:48

And so this idea that we need to simplify and consolidate and then, as Roman was mentioning, monitoring all of this is really key to minimizing risk. And, you know, we do have the entire platform, and we've added to that platform a number of managed monitoring services, essentially. We, you know, we assume that despite best efforts, security controls will be bypassed, and the only way to really know that is to be watching, to be monitored all the time.

Max: 06:18

You bring up this concept of, you know, we'll be safe, and an enterprise will be safe. But that means a lot of different things to different people. And then also you mentioned users. And, you know, most users' perception of security is that security exists to make their lives harder. This isn't something that's actually benefiting them in any way.

Max: 06:38

Right? It's just like, oh, I can't access the system because of our security profile. I'm like, I can't work now. And, yeah. You know, you don't wanna throw your keyboard out the window.

Max: 06:46

So how do you balance those two? I mean, I guess the first thing is, as you're interacting with the customer and you're looking at, you know, what your service evolution is, how do you define safe? And how do people actually find that balance of safe for them? And then how do you do this in a way that the users aren't frustrated that you exist?

Dave: 07:03

It's a great point. And you're exactly right. Even myself as a security person, you know, when I'm prompted to install an update on my machine and I'm right in the middle of something, a presentation or something, you know, it can be a bit frustrating. So I completely understand, back to what you're highlighting. And I always joke, you know, I say to people that there is this spectrum that you're kinda highlighting.

Dave: 07:23

You know, the most secure device is the one that's not powered on. Right? But then again, is it very useful? You know? No.

Dave: 07:29

It's not. It becomes a paperweight at that point. So, exactly to your point, you need to strike a balance. And one of the things that we do with our service, our monitoring, you know, threat detection and response services, is we have an onboarding process where we sit down with the security team or the CISO or the person responsible for security, and we have a candid discussion about what it is about the "am I safe" question that you're worried about. And that spectrum is different, Max, for each customer, as you might imagine.

Dave: 07:55

And some customers are worried about ransomware and getting locked out of critical data. Others are worried about theft of intellectual property. Others are worried about spear phishing or, you know, business email compromise attacks, these kinds of things. And so when we engage with customers, we start with that dimension. Like, what do you really consider most valuable?

Dave: 08:14

And then we build and tune our protection and detection around that. And I only say that security is a journey, not a destination, because that's just a starting point, frankly. I mean, this is the value of having a service, is that you need to be tuning it all the time as you're learning and as things change in the network, in your applications, in your business, and so on.

Max: 08:32

But, I mean, Dave, isn't that a little bit of the cart leading the horse? I mean, if somebody comes to you and says we wanna bring you in and we're worried about ransomware, I mean, how do you balance, like, worried about ransomware because I just read this article in whatever newspaper, and I should be worried about ransomware as a result. I mean, everybody should be worried about ransomware. There's a lot of other threat factors that they should be worried about as well. It's just maybe, you know, that's a very, like, human response in terms of what my priority chain is.

Max: 08:54

Like, okay. I'm worried about ransomware because I just read something horrible about it, but I'm not worried about phishing. You know? Like, I mean, that's also, you know, a balance. Right?

Dave: 09:03

Absolutely. And it's one of these interesting dynamics where, for a variety of reasons, as you probably are aware, you know, every organization has different levels of cyber hygiene. Some are very sophisticated. They've got it, and got things really well mapped out. Others, not so much.

Dave: 09:20

And to your point, sometimes there's "I wanna focus on X" when you realize some of the basics really aren't done. And so this is a part of our role as well, in becoming more than a, you know, a monitoring or service provider for customers, to become their partner in security. And we explain to them, you know, I understand that's the direction you'd like to go. Here are some investments that we think will go a lot further for you. And we have those discussions.

Dave: 09:45

We have opinions about those things because we see it happening. We see the results of this, you know, every day. And in the end, it's the customer's decision. Right? There's always a trade-off in security.

Dave: 09:56

It would be wonderful if everyone had unlimited budgets and could throw everything at the problem, but that's not reality. And so we very much view our job as trying to highlight to customers areas where we think they can improve, should evolve to, and then essentially try and make the risks known and managed to them.

Max: 10:13

I mean, the conversation I have a lot related to security now is really, what's the goal of security and where are you actually trying to get to? And, you know, we talk about, so you'll be safe. You know, I've stopped thinking about security in the context of you're going to prevent a breach or an incident. And I think about it a lot more along the lines of you're gonna limit the damage that incident causes you. So you're either gonna detect that incident faster and be able to, you know, carve it out before, you know, a lot of damage happens.

Max: 10:38

You're going to be able to, you know, block somebody from exfiltrating data from you, or you're going to prevent, you know, in the case of ransomware, you're going to have the ability to roll back and remediate your systems much faster. How do you guys view this? Because you're also in a relationship with a customer, and you keep using this language, I think, very intentionally. We can advise and we can interact and we can recommend. But I mean, the customer still controls their infrastructure.

Max: 11:02

I mean, how do you balance those two, like, there's this going on and this is what you think you should do and you've decided not to do it? How does that work?

Dave: 11:10

Yeah. And, actually, I'll hand it to Roman here for just a minute, but with a little preface, which is that you're on such an important point. Some of the value of what we have as a platform here is that when we do detect threats, because we control the security stack, we're often able to contain those threats earlier in the cyber kill chain. And, you know, there's many studies, Max, that have shown the earlier you can detect and contain a threat in the cyber kill chain, the less the impact on the organization. So this is a real strength of having an integrated platform.

Dave: 11:40

We've done a fair amount of automation, and Roman can describe that in our platform. Before I ask for his help here, many of these decisions, when it's not straightforward, there's a human involved that ultimately is making the decision. And, you know, we have incident response plans that we develop with customers when they come on board with the service. Some things we can do automatically. Others, you know, we require authorization, and we work together to do that.

Dave: 12:04

And I'll turn it over to Roman. Maybe, Roman, you could touch on some of the automation we've done with our platform.

Max: 12:09

Actually, Roman, let's start a little bit more basic and work our way up your stack. I think this will be helpful for me as we talk about it, which is, you know, you talk about, you know, this precursor to SD WAN and this appliance that gets installed at a physical location. Right? So you have a box that gets installed, and you have intelligence on that box, and that box connects to your service. And as well as that, you have software that gets installed on PCs and on servers, etcetera, that can also provide intelligence and feed data back, you know, to and from Open Systems.

Max: 12:39

And so these are pretty kind of foundational elements to deliver your service. And let's talk about what those things actually do and what the layers are going up from that, and I think it'll drive us a lot.

Roman: 12:51

Sure. Yeah. I guess in sales engineering, or in sales in general at Open Systems, one of the pictures we often use in the process is the kill chain, as Dave mentioned. So we should not just look at one aspect of the kill chain, but at the kill chain as a whole. And that starts on the left side with reconnaissance.

Roman: 13:12

So firewalls, for example, they can prevent an attacker from finding out what's going on. Right? They can also prevent the spread of malware within a network if it goes from one side to another. So that's a mechanism to prevent that. And then we have mechanisms like the proxy or secure web gateway or DNS filtering, which are all, like, elements on the prevention side.

Roman: 13:37

But as we established, like, we still expect breaches to happen, and this is why this detection and especially the response part is critical. And from a detection perspective, we have two main sensors, I would say. One is on the network level, so the network detection and response sensor, and the other one, as you mentioned, is the endpoint detection. So that gives us, like, two sensors at critical points in a company's environment to detect incidents. And now the critical point is that, obviously, the sensor data is not all; we need more.

Roman: 14:15

Right? So that's why we correlate that information in a SIEM. We take the sensor data, we take firewall logs, proxy logs, and so on, and we take some context logs from Active Directory, for example, and we correlate that in that platform. And on top of that, we provide our service, which we call managed detection and response. Now one of the key differentiators at Open Systems is that our service model is unique, I would say.

Roman: 14:42

When we built that years ago, we said, like, okay. We don't wanna build that, like, level 1, level 2, level 3 support center because, first of all, it's annoying, and it doesn't work. I cannot imagine anymore calling somewhere and saying, like, oh, yeah. I have this one problem. And then they tell me, have you tried to turn it off and on again?

Roman: 15:02

Because, yeah. And we always take this analogy. Let's imagine your kitchen is on fire, and that's comparable to a major IT incident, like a security breach, for example. And now the fire brigade is arriving, but they send in the most junior firefighter there is, like, just because it's level 1. Right?

Roman: 15:26

And this firefighter is coming in and says, like, yeah. That looks like a fire. I think we should do something. I hand you off to level 2, and then the kitchen fire all of a sudden is like the whole building is on fire, and so on. It's not how it should work.

Roman: 15:42

It's the same in IT. It's not how it should work. When you have an incident, you wanna have the most experienced person available to have a look at that, and that's how it works at Open Systems. We call our operation center mission control, kind of based on NASA, and the most experienced person is the captain. And the captain is responsible for triaging all the incoming events and tickets.

Roman: 16:07

So that person is the most experienced firefighter on the brigade and says, okay, this is like a small fire. We just need a fire extinguisher. We hand it off to the junior one. And on the other side, we say, oh, that's the building on fire. We need the whole brigade.

Roman: 16:22

Like, everyone needs to come and everyone needs to fight this fire. And this is the absolute key differentiator, and this is why our customers are very happy. Because they, first of all, don't have to go through that level 1, level 2, level 3 because it's annoying, as I mentioned. And on the other side, everyone who picks up the phone in mission control, they can really help our customers.

Dave: 16:44

Yeah. We should probably also share with you, Max, that in addition to what Roman just described with MDR, we have a model where we have security analyst teams that we're essentially assigning to some number of customers. Those teams only deal with those customers. And the principal reason for that is that we believe that the better you know an environment, the better the threat detection will be, the more accurate it'll be. Because the humans are the, you know, we do use a fair amount of AI and automation, you know, supervised machine learning and so on, to reduce noise and amplify signal.

Dave: 17:15

But at the end, the human is still the best at spotting the gray areas, the things that just don't quite look right. And so we look at our platform as trying to make the human better versus sort of replacing the human. And that model Roman describes is what we use. And then we've doubled down on that by adding this additional dimension where we have a security analyst get to know the customer, and get to know that environment very well.

Max: 17:35

So with the network appliance at a physical location or with endpoint software running on devices, and then overlaying that with the web proxy and overlaying that with DNS, and you start talking about rolling all this log data up into your SIEM tool. Right? We'll use the industry terminology for it. And then you pack in, you know, threat intelligence, you know, some other signals coming from other places as well. And you roll all that up into, like, this giant, like, kind of slush pool of, like, data.

Max: 18:02

Right? Well, now you have to process that and evaluate what's actually normal and abnormal on a customer-by-customer basis, as well as, you know, like, this is something we know is bad on the Internet in general. Right? But then you have lots of options. We talk about the kill chain, of where do you actually attack and kill that thing.

Max: 18:18

Right? Are you killing it in your proxy? Are you killing it in the DNS? Are you killing it, you know, on appliance? Are you killing it on the endpoint?

Max: 18:24

So that's awesome. And then you also have lots of different customers. I mean, how much of this is this collaborative data that comes into Open Systems as a whole that you're, like, getting all these, I mean, because my traffic is gonna be very different from somebody else's traffic. You know, how much, correlation isn't the right word, but how much information can you glean from, you know, your customer base as a whole to then apply and make those decisions across to everybody? I mean, is this something literally like, if one of your banking customers gets attacked and you build a rule for it, you go, okay, boom, apply this rule set now to everybody else, and, like, that particular threat vector is just gone on our network?

Dave: 18:57

Certainly, we do share rule sets generally that are applicable, you know, so that our customers get the benefit of learning about these different threats in different types of environments. But, Max, you're on a really interesting point. Roman mentioned earlier that when we deliver our service, we use sensors. One of the main reasons we do that is because those sensors become our source of truth for what's happening in the environment. When you're trying to do threat detection with, you know, a multi-vendor complex security stack that you don't know, you don't know how it's set up and so on, the effectiveness of that approach is really poor.

Dave: 19:31

And I can share with you that, you know, we've gone back and sold MDR, managed service, to companies that are disappointed with the current model where they're just trying to use their own kit. So you don't have to have our entire platform. We should probably be clear. We sell MDR separate from the platform. You don't get the benefits of the kill chain integration that Roman and I have talked about.

Dave: 19:51

But, essentially, we would drop our sensors in and then collect other log data, and do correlation. And the idea is that through that SIEM, as you correctly described, it has threat intelligence. It's got a default set of rules. And, by the way, we use the MITRE ATT&CK matrix, if you're familiar with that framework, to measure our detection and improve it over time. And we focus on the techniques that threat actors use rather than the actual attacks or IOCs, if you will.

Dave: 20:20

Because if you can identify the technique, you get a lot of return for that investment. You know, you can spot hundreds or thousands of threats that utilize the same technique just by being able to recognize that technique or that tool. You know, we learn from customers, and we apply that, generally speaking, when it's appropriate.

Max: 20:38

I mean, there was a mention of, like, ticket creation and triage and maintenance and, you know, remediation. I mean, if I'm an MDR customer, and let me actually restate that: if my company was an MDR customer of Open Systems, and I, you know, open up my Outlook one day and click on a link. Am I gonna get a phone call from somebody at Open Systems that says, like, hey, Max. You opened this link or you went to this website? I mean, what are you up to?

Max: 21:01

Like, we've gotta, you know, do something now. I mean, that's gonna feel a little Big Brother creepy-ish. I mean, are you going to the IT departments? What is the interaction for MDR? Who's responsible for what?

Max: 21:12

Like, how do you find those? And I'm asking this question because you read a lot of horror stories about, you know, like, RFOs from security incidents where there was a system in place that detected and notified and said there was this problem, and then it was ignored. You know? So detecting an event that goes to a person to make a decision, and then either it's just auto-filtered into a folder in their email inbox, or it's just like, oh, we don't care about that. That's a false, you know, whatever, and we're just not gonna do anything. Oh, you've got this device that's doing something really weird on your network.

Max: 21:46

I'll get to it on Tuesday. You know, like, how do you balance that? Like, you know, because this is again, you're talking about this is your customer's platform, not yours. Like, how do you interact with them?

Roman: 21:59

Yeah. No. That's an important point. And as you say, we have different customers, and every customer is different. So one of the major things we have to do in the early stage of the partnership is we have to establish these processes.

Roman: 22:14

They can vary. But let me make a general example, or pick up your example where someone clicks on a link in an email. So first of all, we wanna have protection in place, which would protect you from getting infected by clicking on a link. So on that kill chain, we have different services in place, like the DNS filter, which would check the link you click. We have the proxy, so you would also be checked for malware and so on.

Roman: 22:47

But now it could still happen that something kinda goes through that mesh of protection, and this is when the sensors would pick it up. Right? And I myself had an interesting example when I was working in mission control, where one of our sensors picked up keylogger activity. So I was able to analyze the traffic, and then I was able to generate the text file, which had usernames and passwords to specific domains, which were sent to the command and control server. The immediate action was to kind of block that destination.

Roman: 23:24

And my next action was to pick up the phone and actually call the customer. In this case, I did not contact the end user itself, but we contacted the IT department based on our established processes. And, again, it really depends on the customer. But in a major incident like that, the phone is usually the way to go. You say, hey.

Roman: 23:48

This is what we saw. This is what we recommend to do, and get back to us as soon as you've done it. And then we have some additional capabilities. So we could lock down the host, for example, if we have an endpoint client installed. We could lock down the host.

Roman: 24:04

We can lock the host on the network, so the host could not go to any other site or through the proxy or anywhere anymore. So we have different capabilities to isolate that host, but that really depends on the feature set the customer has enabled and the processes we have established with the customer.

Max: 24:23

I mean, so mobile device management, a lot of people are going to just from, you know, fleet management, what software is installed, but also because it gives you this ability to say, okay, this thing is lost. You know, secure wipe it if it ever connects to the network again. Right? But you mentioned, like, if the customer subscribes to it, I mean, you know, somebody, you know, hasn't opted into, you know, the Rolls Royce and, like, all 57 packages of options, you know, with Open Systems. And you have an event and it comes down to, you know, we've got this thing running and we know this is in the wild and it's on, I'll pick on HR.

Max: 24:56

It's on the HR, you know, director's computer, who's gone, you know, on vacation or whatever. You know, can your customer say to you, let's enable this feature, lock that box down, you know, we'll deal with this on Monday. I mean, how does, you know, I'm curious. I mean, is that a predefined support boundary that gets established because, you know, we haven't integrated a service? Or is that a service that you can just say, hey, we're gonna turn this thing on, and we'll get back to it?

Max: 25:24

You know, we'll settle up in the future, but for right now, we're gonna take care of this.

Roman: 25:27

Yeah. And that's actually something that happened in the past. Unfortunately, I have to say, we have, for example, we started with the rollout, and the rollout was delayed. So only a few of the clients were actually protected by an agent, for example. And we detected that, help me.

Roman: 25:48

What kind of malware was it? Like, a crypto locker or something?

Dave: 25:51

Yeah. Exactly.

Roman: 25:52

Yeah. We found a crypto locker. But, obviously, it did not originate. But we were able to see that it kinda spread around the network, and it originated from a host which was not protected. And then we were able to kinda push that further so that we were able to roll out the rest of the agents and kinda get the whole network protected.

Roman: 26:13

So that's kind of one scenario. Another scenario is that customers have incidents, and they got it from somewhere else. And then they ask us, hey. Can we spin up these additional sensors, for example? And that's the nice thing, because it's on the same platform.

Roman: 26:30

You just spin it up. There's no additional hardware that needs to be deployed. No rollout project. Nothing. It's the same box, and it's fully integrated.

Roman: 26:40

That's the nice thing. For example, on the proxy, we decrypt encrypted traffic. Right? So all the SSL, TLS traffic, it's decrypted, but then it's automatically sent to the sensors. Now imagine you have a proxy solution and you have an IDS solution or a network sensor, and these are two different products.

Roman: 27:01

You would now have to make sure that you send traffic, when it's decrypted, from one box to the other. And this is like integration effort on your side. You have to make sure, or your MSSP has to make sure, that it works. It's probably like some API connection or, yeah, commonly known as service chaining. And this is just complex.

Roman: 27:21

You have to do it. You have to make sure it still works once you update one box or the other box. And because we have all of these capabilities on one and the same box, they're all fully integrated. So when I receive an email, for example, that email link is already checked by the proxy's engine. So it already runs through the proxy virtually to check if it's bad.

Roman: 27:48

And if it's bad, the email is already blocked. So we talked about the kill chain. Kill it as early as possible in that chain. We use different mechanisms from services which would usually come later, but we already use them in an earlier stage to block that malicious activity. And, yeah, this is where the big benefit comes into play.

Roman: 28:11

You you don't have to care about that integration or anything. It's just there out of the box. You can spin it up, if you need it. And, yeah, that's that's how it goes.

Max: 28:24

Hi. I'm Max Clark, and you're listening to the Tech Deep Dive podcast. At ClarkSys, we believe tech should make your life better, searching Google is a waste of time, and the right vendor is often one you haven't heard of before. With thousands of negotiated contracts, ClarkSys has helped hundreds of businesses source and implement the right tech at the right price. If you're looking for a new vendor and wanna have peace of mind knowing you've made the right decision, visit us at clarksys.com to schedule an intro call.

Max: 28:49

You you know, I remember the first time I installed Snort and enabled it. And we had it running, actually, at that time, it was on the corporate network, single location, as well as, in the data center environment, powering a web application. And I think Snort ran maybe for 3 or 4 hours before we had created Outlook filter rules to filter all of its logging data into different folders. And I think we made it another few days before we disabled the email notifications from Snort completely and just would refer back to it when we were looking for things. And this was I won't date myself.

Max: 29:25

This was a long time ago. You know, when I look at this now, and I'll I'll I mean, at the risk of making an absolute statement, I'll make one. I mean, IT teams are completely overwhelmed. I mean, there is you know, just just your normal job. I mean, you know, industry averages right now are pushing a 150 employees per IT staff member.

Max: 29:42

I mean, that's just a lot of just day job. Forget, you know, any sort of, you know, massive event correlation, security overlay, and service chain, and everything else. I mean, trying to get a firewall talking to a SIEM with a threat intelligence overlay on top of that with endpoint detection and response integrated on top of that, and then being able to correlate and investigate valid, this is not, this is valid, this is not. I mean, that's you know, it it seems to me at this point, I I mean, I would probably not make it very long in an environment where that was my job. I just I think I would just ignore it.

Max: 30:15

And that's just because of the volume of data that would come towards you and and the percentage of false positives as well. I mean, that was the one that was really exhausting for me. It was just the percentage of just absolute, oh, you know, we think this traffic is is bad. Look at it. You're like, okay, great.

Max: 30:28

Now what do I do? 4 hours later goes by and you're like, yeah, yeah, yeah, it was totally fine. We we talk about your, you know, machine learning. I won't use the AI term because it's really machine learning and automation with an open systems platform. I mean, how how much of your r and d energy goes into automation?

Max: 30:45

And how much of that is informed by manual investigations that occur? And and and what does that cycle, that rinse and repeat cycle, really mean for open systems and how you evolve yourselves to get faster as the market in general speeds up?

Dave: 31:03

First of all, I can completely identify, Max, with the environment you described. Many of our customers are in that state where they're just inundated with alerts. I mean, we have we have one, early customer for MDR service, the CISO enabled, Sentinel in their Azure environment. And, immediately, Sentinel started producing a ton of alerts. And, frankly, it was a question to see.

Dave: 31:26

So it really didn't even know what to do at that point. Am I even am I under attack? Right? Just that sort of, very basic question was difficult to answer because of the noise that was generated in your Snort examples, you know, another one of of that. And so we have a philosophy here where we only say outcomes, not a works, that our customers want outcomes.

Dave: 31:44

You know, these systems are gonna generate a lot of noise, and our job is to reduce the noise, amplify the signal, and only deliver the outcome. And people don't buy a SIEM for the SIEM's sake or the security technology for the technology's sake. They want the outcome of these products. And that's that's really, really where where our focus lies is, is in delivering that that outcome and and, you know, simplifying that. It is a process.

Dave: 32:07

I mean, we automate where we can to reduce the noise, but but, ultimately, our platform surfaces things that it thinks are suspicious that our team needs to run to ground. And we do that. We we correlate it with other sources, and we say, you know, is this a true positive, security incident, or is it a false positive? And in a strange irony, if we're doing our job well, Max, our customers wonder, well, what are they actually doing? Right?

Dave: 32:30

Because they should only be hearing from us when there's a true security incident. And so one of the interesting side effects of delivering the services, fortunately for us, we we have a model where we have a monthly meeting with the IT team at our customer, where we review the performance of the SOC so we can show them the, you know, the the value. And then also we use that opportunity to work on some of the cyber hygiene and guidance things you and I talked about earlier. But, yeah, you're exactly right. If you're this is the big difference between a a a, you know, provider that is is just monitoring the infrastructure and tossing alerts over the wall and one that is actually has a, a structure and a and a model in place where they're producing the outcomes that the customer's looking for.

Dave: 33:05

Because these IT teams are burdened. One final point I'll make here is that it's not uncommon for me to talk with security teams, and nobody has touched the firewall policy in a long time. You probably can identify with this, but,

Max: 33:19

come on, Dave. Every security firewall policy ever, allow Here's here's my natural inbound. Allow everything outbound. You know? I mean,

Dave: 33:28

I mean, come on. It's really it really is. And by the way, I don't blame people because the way this technology works, you can inadvertently open up a hole and expose a vulnerability. Right? And so it's very, people tend to only do things when there's a breach or when something's obvious.

Dave: 33:42

And and security, we we should be doing better as practitioners than than that. And this is where monitoring can provide that feedback loop to that security stack so that you can always be be optimizing and tuning. And, you know, security is like a complex system. It needs a feedback loop to be working correctly.

Max: 33:57

I mean, Dave, I hate firewalls. I mean, going going back 20 plus years and selling firewalls. Right? You know, this this this belief that gets sold of, like, you put install a firewall and your system's secure. And Right.

Max: 34:07

You know, and and the percentage of of of really bad things that I've seen happen because it was the application that was vulnerable that was surfaced through the firewall, and the firewall did exactly what was configured to do. You know, it allowed traffic to a known service based on a known role, and that service is vulnerable. You know? And and, you know, credential stuffing attacks or, SQL injection attacks, all these things I mean, it's not like the I mean, just firewall does what the firewall's supposed to do.

Dave: 34:31

That's right. No. You're spot on. These attacks are much more sophisticated. Our our security model needs to needs yeah.

Dave: 34:37

And nuance. These attacks are sophisticated and nuance. I mean, a determined threat actor I mean, they use, you know, obfuscation. They'll, weaponize. They use steganography to hide hide things.

Dave: 34:47

I mean, it's you know, this idea, this notion, Max, to your point that we have a firewall and some other additional security technology should be fine. It's the problem is just much more nuanced than that these days. And this is why I think, you know, services like like ours are becoming very, very popular. This is really becoming a best practice, I think, to minimize risk. Most CSOs are either looking to outsource a SOC or build one themselves.

Dave: 35:07

So it's sort of on that on that trajectory these days.

Max: 35:10

There was an article security not too long ago, and it was a, it was like a confessional. I am a engineer at a cloud company in in Silicon Valley, and I was socially I mean, for lack of a better word, I mean, he he was he was or she was victimized by a social engineering attack, which ended up exploiting and gaining access to their bank account and wiring a significant amount of money. This is a person, you know? And again and the confessional was, well, you know, I'm a a relatively sophisticated person and I fell for this. You know, there's there's this idea.

Max: 35:47

And I mean, this is started a long time ago when it looks at risk of organizations and and threat vectors for organizations. Right? It was, you know, accidental acts by internal employees. And then I mean, it's not just like say that you'd blame or target or focus on like, oh, it's my users are the problem. I mean, I don't think users have a shot in that.

Max: 36:03

Like, there's no chance, you know, for people, the average person nowadays, to be able to defend themselves and make these decisions because the sophistication of it, to your point, has gotten so incredibly good. And it's so you're doomed almost, you know, if you're talking about now you've got, you know, the rank and file employees trying to do their jobs that are clicking on opening a file or and that's that's outside of training. I mean, are you helping customers go through training models? Are you helping people educate? Are you providing materials?

Max: 36:34

Are you leading that? Like what's you know, because this this goes a little bit deeper than just install systems and sensors. This goes also down into the stack of what users can and cannot do, and are they educated, and how do they know, and what they respond to in phones. And if it's customer service or contact center, what what information are they releasing? Like, how how deep do you guys go?

Dave: 36:53

We don't offer any security awareness training services ourselves, Max. We will recommend vendors to our customers, and and that's a good thing to do. I mean, those kind of things that you're describing, for sure, companies can do. One of the things that we're going to be doing in the future, we've not yet, implemented this, is in our MDR service, I mentioned that we have monthly meetings. One of the things that we wanna start doing is taking, a cybersecurity framework.

Dave: 37:17

Yeah. I mean, there's a lot of them, but the one that we're, sort of partial to at the moment and looking at more closely is the NIST Cybersecurity Framework, and take a piece of that, like Identify or Detect or Protect, and just kinda go through that with the customer to offer advice or areas, you know, they can they can improve so that there's a little more structure around these discussions so that we can help, from a training perspective. And not necessarily deliver the training ourselves, but just basically increase the awareness around that and then, make some general recommendations. And then if there's further there's a lot of security professionals, as you're well aware, that, can go in and do a very, rigorous assessment and, auditing of, of security controls. And, and, you know, we don't offer those today.

Dave: 37:58

But, again, we we we like to think of ourselves as a partner with our customers on their on their cybersecurity journey here. And so we're because we're in this unique position where we have complete visibility into into all the potential attack surfaces, we have a lot of information that we can provide to the customer, to help them improve over time. You know, we set up a a model or service where we can deliver those improvements, you know, continually.

Max: 38:21

I mean, to some degree, all security is reactionary. Right? It was a best practice. We know we should have these things in place. And these things should detect and and and track and block things we already know about that have occurred in the past.

Max: 38:33

Right? Like this is something that's happened in the past. We know it's not good you know, it shouldn't happen. Right? But but that's still reactionary.

Max: 38:39

I mean, this just builds on 25 years of experience to some degree. Right? Yeah. So I mean, what's the actual in like the aim? What is the end result when we start getting back into this kind of concept of, you know, we're safe?

Max: 38:50

Like, what is what is the goal of security? Because if everything to some degree is reactionary, there's a preventative measure with security. And then it's, you know, and then the the hairy kind of things of of new ransomware attacks, these things are are very much reactionary. And so it's not so in that case, it's not prevention. And it's not an insurance policy.

Max: 39:09

You're not getting paid out if you can't, you know, get access to your computers or if you have to go through and and, you know, reimage a fleet of a 1000 machines or whatever it actually is. So, I mean, in your mind, like, what is the actual end state, the goal, and what what you're actually trying to achieve for your customers?

Dave: 39:25

I think most organizations are have come to the understanding, Max, that they're in a position where they're just trying to minimize the risk, that these these things, you know, these things can happen, you know, as you say. And so having a strategy around what's truly important, you know, if if there was a certain incident that would be very damaging to the to your business as an organization, and then focusing your security around minimizing your exposure there, I think, is is probably the best thing you can do. Right? I mean, I get asked all the time, can you guarantee you'll, you know, detect every threat? Or, you know and and the short answer is no.

Dave: 40:01

Nobody can do that, to your point. But what we can do is, with the through a combination of the existing preventive controls, and then assuming that they're going to fail and always be monitoring, you can really minimize your risk. And, you know, we have a model where we when we deliver this service, there's generally speaking 2 classifications of threats. There's known threats. And, usually, the security prevention layer will be updated with known threats.

Dave: 40:24

Right? Everyone had your your analogy earlier about Snort. There's a signature base. Most companies so, you know, here at Open, we update our signature base every 24 hours with the latest intel on known threats. But then there's unknown threats, so called zero days.

Dave: 40:36

These are new techniques and, things that have been developed. And the only way you're gonna catch these things is by monitoring. And so, we feel like if you have those 2 controls in place, you're you've got a strategy for detecting known threats and then you have a strategy for detecting zero days that, really, that represents kind of the state of the art for today. And it is a bit unfortunate, like you say. You know, this may sound a bit corny, but I I feel good about the fact that we're helping to protect people that, you know, otherwise wouldn't have the the means because of the, you know, for whatever reason, cost or it's not their focus or or whatever.

Dave: 41:08

You know, that that's sort of what drives drives me and many others at that, you know, at at the company every day. But you're there's no guarantees to your point, and you you just have to continually improve. This is why I always say, I mentioned earlier, security is a journey, not a destination. That's just the nature, I think, of the problem right now.

Max: 41:22

So for a company that's already I mean, that just recently deployed firewalls or an SD WAN service or, you know, endpoint detection system or a SIEM or all these different things, you know, part of your sales team's engagement will would come back and say, that's okay. You know, you can you can use us for everything else and we'll we'll get back to that some point in the future. But if we eradicate certain parts of that service chaining, that does degrade your ability to see information and respond to information and interact with information, you know, so how from a practical standpoint, if I'm not replacing my firewalls when I'm onboarding with open systems or if I'm not replacing my endpoint, you know, with with with your sensors or, you know, using your web proxy or, you know, how much does that really impact the effectiveness of your service of your platform and how quickly are your customers changing that decision of, you know, we're gonna keep our big box firewall that we had when we came on board. And 3 months down the road, are they saying, oh, this is we're getting rid of this thing?

Max: 42:20

Like, what what actually happens there? Because obviously, from a sales perspective, being able to say, okay, you know, we'll we'll work with you, you know, is is the right response. But I'm interested in what's the practical reality of actually providing the service delivery.

Dave: 42:33

Yeah. You're an important point because we we tend to have customer engagements on in 2 dimensions. One is from the networking side, and then the other is from the security side. And on the the short answer to your direct question on the firewalls if we don't own them and so on, the greatest impact really is just on the containment side of it. When we deliver our MDR service, we collect those firewall logs.

Dave: 42:54

We we use them in investigations, even if they're not our firewall. Same with endpoint, Max. So, the detection side is not not really impacted in that sense. It's really more in the containment. When when when it's not our stack, you know, we're not able to update the security policy.

Dave: 43:08

But we, you know, we would provide the customer with a response to an incident and suggest that, that that someone on their team do that. But we're not able to take those actions on their behalf. And I think what happens I know, from personal experience with a lot of customers, we start with them on the monitoring, MDR. And then there's, this idea that there's strategic alignment with the whole stack because, over time, they do wanna consolidate. They wanna, you know, they wanna get rid of their existing firewall and move to something that's more integrated.

Dave: 43:34

And so it's a way for us to get engaged and then have a longer term road map for how to improve and save money for the customer, you know, and end up with with better security and and cost savings over time. And, Roman, I don't know if you have anything to add there on those lines. Yeah.

Roman: 43:51

No. Yeah. The only thing I would add is is, it's not an all or nothing solution we provide, as Dave mentioned. We often like, the first engagement often is SD WAN because customers are looking for SD WAN, or even just like transport layer, so ISP lines at each and every location. That's one of the the gates we we often step in.

Roman: 44:15

But then it's our job as a sales team to to educate the customer that it is not just SD WAN, that they should not just look at 1 silo. Right? They should look at the environment as a whole. And that doesn't mean that it needs to be a a day 1 switch from from old world to new world, from from point products to SaaS solution. But it's it's kind of like that that that mindset change needs to happen.

Roman: 44:41

And then they they realize, okay. Let's start here with SD WAN, then let's move on. And once our firewalls and proxies are end of life, we we already have the platform in place. We don't need to change anything. We just spin it up.

Roman: 44:53

Right? And then on the other side, towards the security, we started with with these logs, which are available from the from the products they have in place. We integrate them. We take them as telemetry and and and act on it. And then over time, we lift and shift if the customer wants that.

Roman: 45:11

That's that's how it often works. We we start small. We can expand if if the customer wants that, or they're just interested in our MDR service without the stack, and that's also possible.

Max: 45:24

So I know open systems in general was very happy when Gartner announced and launched SASE and defined it and then started tracking SASE. And, you know, my response is is is both, right, happy and sad. In one sense, it's like, okay, great. Now we have a definition around these things. We have validation around, you know, further, you know, maturity and evolution of security and security delivery.

Max: 45:43

And of course, I'm sad because I know the reality of it is lots of marketing departments are gonna be trying to figure out how to classify themselves now as SASE. Just you know, I mean, we talk about SD WAN. Right? Like every box has been trying to figure out how do you shoehorn this into, you know, saying, you know, it's an SD WAN box, even if it really isn't. It's like, oh, it's a box.

Max: 46:00

It's on the Internet, and it manages your Internet connection. Okay, great. It's SD WAN. You know? So, you know, so, yeah.

Max: 46:06

So I mean, I'd say it's probably it's great for you guys because now you have a lot of additional awareness that's come out because Gartner is saying, okay, you know, SASE is important. You know, the other thing though, you know, for me, when I look at this in in terms of, like, maturing operational structure for companies, and now we talk about distributed and remote being a primary mechanism. You know, this concept of people being in offices has already been decreasing as time has been, you know, passing. And we have larger and larger organizations that have been completely remote. We expect that to increase now, you know, post COVID, that the amount of remote and distributed workforce is going to only scale up.

Max: 46:41

You know, and I've been a big fan of zero trust since, you know, Google released a research paper however many years ago. I mean, this concept of how do you establish and determine, does this person or device match a policy that allows you to gain access to a resource and then do things? And, you know, I'm kind of curious when Open Systems starts announcing and and branding yourself as well to some degree as zero trust because you have a lot of the components that actually come into it of how you're deploying your software today.

Dave: 47:12

Yeah. It's it's interesting. You've touched on a a a lot of points. Obviously, as you highlighted, it's helpful that, that Gartner's coined what we're doing. It it it is an evolution of the networking space.

Dave: 47:21

But more broadly, you know, it's interesting. I often tell customers I wouldn't necessarily want to be in their shoes because of all the claims that these vendors make in general about things. And, you know, it's, even managed detection and response, there's no sort of formal definition. So you get a wide range of companies that say they're MDR companies when, really, they're not. They're just doing managed firewall, for example.

Dave: 47:41

And it's one of those things where I think you really need to look beyond sort of the label and actually understand what what what it is or what what the action is, what what what what you're looking at. I mean, you mentioned AI earlier and and, sort of skepticism. And I have to tell you, I I kinda share your sentiment. I always as you might imagine, I have vendors that that have different AI software solutions saying, hey. You guys should use our artificial intelligence, your threat detection.

Dave: 48:04

And then you dig a little deeper and you start asking, well, what's the rule sets? What's the data that it's operating on? And and when when I don't get those answers, I start to you know, my my spidey sense starts to tingle. Right? It's like, something's not quite quite right here.

Dave: 48:17

And so I think as consumers, security professionals, you we need to dig a little bit deeper on these things and not just take these things at face value.

Roman: 48:25

Yeah. Let me add to that. I I think over the years I've been with Open Systems for 6 years now. And and in the beginning, I think it was our challenge to explain to to customer why a hybrid WAN with their existing MPLS and and all of a sudden a new Internet line would be a great thing. And then, Gartner came up with SD WAN, and that made my job easier because I now had a term and everyone was interested in SD WAN, but it was nothing else as the day before.

Roman: 48:52

Like, I I I just had a name for it. And and last year, the same happened with SD WAN. I had a hard time to explain why it is an interesting concept to have SD WAN box and the firewall and all of that stuff on the same platform. Right? And and now it's just easier.

Roman: 49:08

So my job changed, like, every 2 years from explaining why something is interesting to why you should now pick Open Systems before someone else. Right? So that everyone I I fully agree that everyone tries to get in that space. I guess, for for people looking into SASE or whatever, the important thing is don't look at at a at a word or at a label. Always look at what are your requirements.

Roman: 49:35

I I answer a lot of RFPs, obviously, and and the worst RFPs I see are RFPs which ask for specific features. They say, do you do deduplication, or do you provide this specific feature? And the question should not be, do you provide a specific feature? The the statement should be, this is my requirement. What solution do you have to this requirement?

Roman: 49:58

And it kinda would shift the the conversation because it it it forces us often into saying, yes. We do it, but we kinda do it differently, or, hey. Have you looked at this? Because they are looking for a feature or a a datasheet. Right?

Roman: 50:13

And they're not looking for what's their actual requirement. At the end of the day, you have users and you have applications, and you wanna make sure that the users, wherever they are, get to your applications and that all of that is secure. So that's that's what you should care about. And the providers, they should make sure that with their the solution they provide facilitates and fits that requirement. This is this is key.

Roman: 50:38

And and if it's called zero trust or if it's called SD WAN or SASE, that, at the end of the day, should not matter. It just it it makes it sometimes easier for us to start the conversation because we now have kind of a a word around what we do.

Max: 50:52

I, I feel for you that you have to work on lots of RFPs. I I constantly wanna fund a study of trying to figure out, like, how many hours a year are lost collectively between, you know, both sides of the RFP process and what what's actually I mean, I get it. You know, a corporate procurement department, you know, has to go through, and this is the most efficient way for them to try to standardize and and, you know, cut it up. But you can't you can't standardize and cut up and and, you know, do apples to apples comparisons on these, know, when you when you get into sophisticated services. It's just the RFP process is so so deficient and such a time suck that, like, you just I mean, it's anyways, pet peeve of mine.

Max: 51:31

But, you know, so I'm expecting an opinionated response to this question, and I'm hoping I get one actually. When we look at other security vendors and MSSPs that are in market that are coming about this and approaching the market as, you know, we've partnered with firewall vendor a, and we've partnered with SIM vendor b, and we've partnered with, you know, endpoint system c, and then we've got, you know, threat intelligence d. And and they've gone through and and are attaching to the labels of this is the, you know, leading vendor in each one of these spaces. And now we're gonna integrate the service chain for you. And we're gonna manage the service chains for you.

Max: 52:07

And on our value as your MSP is we're gonna be your SOC, and we're gonna do your, you know, managed security. And we've got, you know, best in breed across each one of these service chains starting from, you know I mean, maybe it's as basic as identity and access management all the way up the stack. Right? That is different from what you're doing and how you've approached it. And why shouldn't a customer go into an MSSP delivering in that manner?

Roman: 52:32

That's a that's a good question and something we have to to highlight often because it is a key differentiator. So if you, as an MSSP, provide someone else's product to a customer and the customer has a problem, like, we know everyone has bugs. Like, that just happens. But now you, as a customer, you notice there's something wrong with your technology stack. Now you go to your MSSP.

Roman: 52:58

Now the MSSP needs to be big enough to talk to their vendor, like to the point product they operate on. They need to be big enough to really say, Hey, can we please talk to product management because there is something wrong here and it needs to be changed. Compare that to Open Systems. We develop our own stack, and and we we operate the our own stack. So the developers, because we have a DevOps, model, each and every engineer at Open Systems, including myself, we work 15 to 20% of our time in operations.

Roman: 53:31

So that also includes our CTO, for example. It includes all the developers. It includes all the customer success engineers and so on. If we see that something is not working, it is a direct feedback loop. We have the capability to change it instantly.

Roman: 53:48

It's not we don't have to go somewhere else, wait for a patch, and then the MSSP has to deploy that patch to all, like, I don't know how many 1,000 devices, and it takes too long. Open Systems, we have, I think, currently, like 8,000 plus devices deployed worldwide. It takes me one line in my shell to patch all of them at the same time. Right? And our people in development, they can if there is a problem, they can fix it, and we can roll it out instantly.

Roman: 54:18

So there is no going back and forth between vendor MSSP and customer, but it is when, it's customer, and we see ourself not as a vendor, but as a strategic partner to the customer because we have these capabilities.

Max: 54:34

You know, we haven't touched on this at all. You know, Open Systems is, a Swiss based company. You started in Europe. You've expanded. You know, you've been in the US for some time now, but you're not really a really known name here.

Max: 54:45

I mean, this hasn't the the word's not out yet. And you have some interesting customers. We don't have to name them by, you know, specifically if we we if we're not allowed to. But I mean, you know, banks, you have banks as customers. I mean, you have big enterprises as customers.

Max: 54:58

I mean, you've got the type of people as customers who actually are trying to protect something of of significant monetary value. And and, you know, so banks, right, they need to protect their assets. And that's usually what people think about when and with security first, right? What am I protecting? Is it is it valuable?

Max: 55:14

Somebody wants to get me because I have something of value versus like, oh, I I have no risk factor because I don't have anything of value. So who you know, as as companies are looking at a security vendor or trying to integrate these sorts of things and are looking down these paths, I mean, what is it about you that has has, developed the relationships and the lineage with your customers that you have. I mean, what makes a good customer profile for Open Systems? I mean, I mean, what do you guys need also to be successful with your service delivery with with a company?

Roman: 55:45

Yeah. I can agree. So we are in a lot of different verticals. So we work for banks, a lot of NGOs. Manufacturing is is, I would say, our biggest vertical.

Roman: 55:56

So it's it's not really specific to to an industry because everyone has the need to connect users and the application in an efficient and secure manner. Right? So that's not specific to one industry. Now, Open Systems is like the ideal customer, and the salespeople will probably say something different. But I would say, like, it starts at 1,000 users.

Roman: 56:16

It can also be smaller. We have smaller customers, and it it also makes sense. But I would say what I'm looking for is 1,000 users plus, and then the ideal customer is global because then that's where we can really shine. But it could also be a US-based customer only because the US I mean, you you mentioned that we are from Switzerland. Switzerland is a very teeny tiny country.

Roman: 56:38

So the United States as a country itself is, like, big enough to profit from these services we can provide. But it's 1,000 users, 10 locations, for example, that's where it kind of starts. But we have customers. They have 20,000 users and 400 locations. That's also the case.

Roman: 56:55

Or we have customers. They have just a few locations, but 30,000 people are sitting behind our infrastructure. So we cannot pinpoint it to to one industry or to one type of. But I would say it's definitely not the mom-and-pop shop that that we can say. It's not the the 10, 20 users.

Roman: 57:14

That's not our area. We would be too expensive, I would say, because it it doesn't scale. But the more users, the lower the price kind of per user.

Max: 57:24

So really, also, probably within that, you're you're talking about organizations that have had enough time and experience trying to integrate and manage these systems on their own and have really come to the conclusion that they shouldn't be in this business anymore and need a partner to help integrate and maintain the systems for them. I mean, I think that's it's probably the resounding thing I've noticed with a lot of especially security at scale. Right? You know, it is this is a complicated animal. There's a lot of different platforms, requires a lot of people, requires I mean, shift work, you know, is difficult.

Max: 57:55

You know, 7 people for a one one desk in a 24/7 cycle. I mean, all of a sudden, that's a very staffing-heavy requirement to actually scale. So people you said earlier, people talking about building out and maintaining their own SOC or not, you know, infrastructure. And you start looking at it and you say, okay, well, how many people do you have to have on shift? Well, that's a measure of how many devices or how many end users are they supporting.

Max: 58:17

Okay. Well, if you need to have 5 people on shift and all of a sudden you have to have 7 bodies for every 1, you know, desk, you've got 45 people in your SOC that you have to go hire and train and staff and maintain and and then, you know, deal with attrition and everything else. I mean, that's that's a pretty complicated, you know, process to to to support. We're not even talking about now actually integrating or responding to anything. We're just talking about staffing.

Dave: 58:39

That's right. No. You're you're right, Max. It does very much tend to be a build versus buy decision at the initial stage. And, for all the reasons you've highlighted, more and more are landing on that we need to we need to buy it, not build it.

Dave: 58:52

Staffing is a huge issue. I mean, there's a negative unemployment rate in cyber right now for security professionals. And, you know, I talk to CISOs that say that, not only finding them, but then keeping them interested because as a security professional, you're looking at the same environment every day. That gets stale after a while. Right?

Dave: 59:07

So you you wanna move on, and so staffing is a real problem. And I think that most people are now recognizing all this. And more, what I find myself spending my time doing is explaining how would the customer's existing team work with the service. That's where a lot of the interest lies. It's you know, they sorta get that, yeah, there's too many alerts.

Dave: 59:24

We are to your point about 24/7, we don't have enough people to staff it. But, you know, there's a lot of questions that tend to be around how do we interface with your service, which is good, you know, in in in the sense that they're kind of along that path of recognizing that, hey. This is not my core job or responsibility, but how how could I contribute? How would I interface with with all of this? And so that's where, you know, where, technically, a lot of the conversation tends to go to these days.

Roman: 59:50

Yeah. I guess we have we have one customer, the CIO. He said, I have no business being in security. And that I think it's the, the favorite quote of David Nudi, our head of channels here in the US. But I have no business being in security was was a statement.

Roman: 01:00:06

And it it's kind of like a perfect example of why we can provide value to to our customers. Open Systems was exactly what he was looking for because he does not have the resources. He does not have he doesn't even want his people to do that daily operation stuff we do. Like, he doesn't want his people to to make sure that the the the policy sets are up to date, like the the the patches and the signatures and all of that stuff. It's just cumbersome.

Roman: 01:00:34

We can do it for thousands of enterprises, for 100 of our customers at the same time. But if you do have to do it, if you wanna spend your resources, your valuable resources on on patching and stuff I did it myself, back in the days when I was a systems engineer. It was definitely not the best part of my job when I had to check, install Microsoft updates, or patch the firewalls we had in place. That was not the funny part. It's not I cannot add any value to the company.

Roman: 01:01:03

I can add value when I can talk about how should I structure my policies, what kind of processes do we have to define to to act to specific incidents. So this is where where, an IT professional's job gets interesting. And it's not about, like, patching and and all that rather boring stuff, I would say.

Max: 01:01:21

Absolutely. I mean, that's an interesting topic on itself. I mean, the shift in IT and how IT adds value into organizations, I think, is is definitely maturing and it's evolving. This thing that we've, you know, talked about for a long time, it started with you know, we started seeing it with a lot of these shifts into class and cloud and SaaS applications, SaaS delivered applications, and then how do you support users? And of course, you know, companies and IT departments got compressed in terms of ratios.

Max: 01:01:49

But I think that dialogue is finally getting to a point where most organizations are looking at their IT staffs of how do we have a strategic asset here that makes the business run better, more efficient, and gives us competitive advantage over other organizations, and not so much who's doing our patch management and who is doing our fleet deployment and who's doing this. And for me, that's really encouraging. I'm happy to see that and have that conversation more with people because, you know, to your point. Yeah. I mean, come on.

Max: 01:02:16

Microsoft SUS was wonderful. It made your life so much easier. You just pushed a button and pushed everything. I mean, come on. Who wants to do patch management?

Max: 01:02:21

Nobody wants to do patch management. You know, that's that's, like, the last thing you wanna deal with. I agree with you completely on that. Dave Roman, thank you very much for your time. It's it's been a pleasure.

Max: 01:02:32

I feel like we've just scratched the surface here and could probably, you know, do this another 5 or 6 times before we, you know, really, really get everything, but but this was excellent. Thank you.

Roman: 01:02:41

Thanks a lot, Max. Great. Thanks. Thanks, Max.

Max: 01:02:45

Thanks for joining the Tech Deep Dive podcast. At Clarksys, we believe tech should make your life better. Searching Google is a waste of time, and the right vendor is often one you haven't heard of before. We can help you buy the right tech for your business. Visit us at clarksys.com to schedule an intro call.
