So I'd like to welcome a good friend of ours, Jarrett, to the stage. He not only gave one of the workshops earlier, he's actually here to give our keynote. So please welcome Jarrett to the stage.

Awesome to be here. Thanks to Tim and David and Gio and all the con staff. Let's give them a round of applause for putting this together.

So, you know, it's interesting when you put together a keynote talk. It's kind of like, should I go deep in any particular subject? You don't want to do that for a keynote. It's more of an overlook across the field, and I've been in this field for 16 years, so I kind of have that unique perspective.

A keynote is a great opportunity to shed light across the industry instead of just giving a deep-dive talk on hacking or software auditing or malware analysis or hardware hacking or anything you may get a chance to do deeper and more hands-on in training or in some of the other talks throughout the con. A keynote is a great opportunity to give that perspective, and there are a couple of subjects that have been kind of hot the last couple of years. One of them that came to mind was DevOps: this whole question of, do we still do SDL and security in DevOps like we used to in regular software security? And of course the other thing is endpoint security, next-gen endpoint security. What's up with that? We hear a lot about that lately. So I wanted to touch on those two topics, and that's why this talk. I wanted to talk about what's being done, what's being used across those, what the new hotness is, and is it really that hot?
Because I have a passion to make security better. Like I said, I've been in the field a long time and I really love this field. I love coming out to these, I love meeting people, so stop by and say hi. And I really have a heart to try to make things better across the industry. Sometimes that means breaking things and hacking things and pulling them apart like we do, and other times it just means staying abreast of what's going on in the field, learning, and moving a little faster than the adversaries are learning and moving.

So, in terms of what's new, first of all, and is it working? There have been a lot of changes. There always are; this field moves so fast. When you look across devices and code, what's going on with processors and Intel and Microsoft and other operating system vendors? What new mitigations? We heard a lot about ASLR and DEP the last many years, and then there are new things like isolated heap and CFG, and I'll talk a little bit about those. I won't go into all the details, because not everybody is super familiar with every niche domain in our industry, but I'll touch on some of those. And then of course apps and rapid deployment and getting things out really quickly, and this whole idea of bug bounties. We see even companies like, essentially, a taxi company, that's what Uber is, right? They have a bug bounty. It's really weird; only in our generation is this sort of thing happening. This wouldn't have happened even ten years ago. We wouldn't see a taxi company asking hackers to try and hack their website.
It's just not a thing that would have been done. So there are a lot of cool things taking place, with things like two-factor authentication and how to do rapid incident response. Even regulation is something that's kind of new and starting to happen, and there's some real debate about that. We talk about debate in the political arena; we have that in our own little field and community too. Should there be regulation around software security? Some say yes, there should, because without it anybody can basically build something and ship it, and others say, well, we don't really want that because it would stifle innovation and open source and all of that. So I think there's a healthy debate to be had there. There are also a lot of other healthy debates around privacy and security. I was on Bloomberg West recently talking about the whole Snowden incident, whether that was ultimately good or bad, those sorts of debates. You can go look that up if you want to see what I had to say about that.

And of course there are a lot of new technologies that are always coming out to help address these, or try to, and that's what I want to talk a little bit about. We see that even though our industry has made a lot of progress, and we have a lot of cool new tools and techniques and expertise, it hasn't helped as much as maybe we'd hoped. There are all kinds of breaches happening still, whether it's Yahoo, or the OPM thing if you have a clearance, or mobile phones, or car manufacturing factories. There's still a lot going on. So that's what I want to do: talk a little bit about where we are with some of these subjects and where we can go with it.

So first, who am I? Wow, this was interesting. I don't know how many of you have been around this a long time, but this was actually a number of years back, probably 2012.
I think Microsoft had a BlueHat Prize contest, and I ended up placing third in their contest. Afterwards they had a big party and there was a DJ up on stage playing the drums, and I was like, dude, let me on stage, let me up with you. He's like, no, dude, nobody comes on stage while I'm jamming. I was like, come on, I just won third in this contest, let me up. So he finally let me up and I started jamming with him, and I think he was surprised that I actually had rhythm, because I used to play drums in high school and stuff, so we actually had a pretty good jam up there. I thought I'd throw that in there; that was pretty fun. That's not what I'm best known for. I don't think I can make a living doing that.

I'm best known for being a hacker, a builder, a trainer. I do a lot of teaching at conferences and stuff like that. I'm the CTO at BDS and a founder of VDA Labs and a Pluralsight author, and I teach at a university as well. So I've got a bunch of things that I'm involved in, and I'm happy to talk to you more about that, but I don't want to make this talk about me. I want to get into the topics at hand, and one of the issues that I see in our field. This is really the TL;DR, right? So if you fall asleep halfway through this talk, this is the summary of the entire talk. I'll just give you the summary up front so you can happily doze for a little bit; I know it's early.

One of the things that I want to point out is that our software security and endpoint security, or in other words manufacturing things like operating systems and software, is very separate from enterprise security: endpoint security, firewall security, network security, whatever it is. And they are, in some ways. In our industry they're treated very separately. The people that work on one don't work on the other. There's not much cross-pollination, right?
A software security person that works at Google or Microsoft doesn't ever go and work in enterprise security, generally speaking, like working in a SOC or configuring a firewall. They're kind of separate. But maybe they shouldn't be so separate, because it all needs to work together to make this thing safer.

So I've got this little stack, and I don't know how well you can read the slides, but I'll point it out. If you start at the very end of the stack, that is basically an attacker is on your system and you want to search for logs, or try to protect things with VMs, or run some antivirus or something. That whole BlueHat Prize contest thing: a lot of the research that came out of that went into a tool that Microsoft made called the Enhanced Mitigation Experience Toolkit (EMET), and it was all about trying to stop ROP exploits. Some of the research I did kind of went into that, so I feel somewhat proud that I helped make this industry a little bit safer with some of the research I've done. That was pretty cool.

But ultimately those aren't the best places to do security. In other words, once somebody's in your network or on your system, you can find them and detect them or stop the attack or whatever, but that's the hardest place to stop an attacker, right? When you think about it, it would be better, and ultimately cheaper, and this is really my call to action and my takeaway if you fall asleep, to work upstream. Basically, if we made things secure by design, or safer from the get-go, so that a lot of the vulnerabilities that happen just couldn't happen, that would essentially mitigate the need downstream for all these other tools and techniques and technologies and people and all this other stuff that are being done now. Of course, that's not really ever gonna happen exactly, right?
We're never gonna be able to design a perfect system and make a system totally secure, so there's always gonna be a need for these security products and security companies and security staff. That'll always be a need; I'm not trying to say that's not a need. But what I am trying to say, and my sort of call to action, is to try to motivate you a little bit: how can you think, in your field, and it's different for every person depending on where you're at and what you're doing, about how you could work upstream a little bit?

I'll give an example of that. I know a guy, really, really smart, really good in software security, and he was looking at taking a job at yet another company. I don't know if it was because they paid well or whatever it was, but he decided he could apply his skills to making patches and pull requests and stuff to the Linux kernel, because he's really good at kernel security and stuff like that. He decided that if he worked as far upstream as he could, on the actual kernel, that stuff ends up in Google, that stuff ends up in your car. So instead of working at the car company or whatever he was gonna do, he realized that if he worked upstream he could actually make a bigger difference across the entire planet in terms of code security. That thinking is pretty forward-thinking. I don't think most of us think like that. I think most of us just think, hey, I can make a buck at this company, and we don't really think about how we can work upstream a little bit. And it doesn't necessarily mean you need to be good at kernel security, right?
That could mean that instead of finding yet another cross-site scripting vulnerability, maybe you work on Docker a little bit and help make app deployment a little more secure. However it is in your industry, in your field, with your skill set and your domain, think a little bit more about how you can work up this stack. I could work, maybe, with the hardware and trusted computing, or I could work on compiler security enhancements to GCC, or with the operating system itself. We had ASLR and DEP, which were some exploit mitigations, and Microsoft has a new thing that's kind of meant to supplant EMET and some of the other stuff they've done, called Control Flow Guard, which is all about control flow integrity: trying to enforce that the actual execution of a program is semantically sound, rather than, hey, I just overwrote this function pointer, I can jump anywhere and do a stack pivot and start a ROP chain, and now I have code execution on your computer. All that madness that can take place otherwise, we could stop some of that from ever even happening. And then we wouldn't have to go and detect attacks and make sandboxes and do a lot of the other stuff we do, because it wouldn't happen in the first place. Like I said, it's not gonna completely happen; we're still gonna need detection and all these other things. But that's my summary of the entire talk.

So let me move beyond the summary and get into a little bit more of the specifics. One of the things I hear a lot, and it makes me laugh hard, is when I ask somebody, hey, do you do SDL or security where you work? And they're like, oh no, we're agile. That kind of makes me laugh, because I'm like, okay, so you don't need security because you do agile or you do DevOps, and so security is just not a thing for you, I guess.
Okay, cool, fine. Though, to balance the discussion, there is some merit to what they're saying. In other words, what they're saying is: we can't spend a year on a waterfall, traditional software design, SDL, expensive, heavyweight thing, because we're pushing out code every week. So that doesn't work for us. Fine, I get that, I'm on board with that. But I think you can still do security. So I'll briefly walk through some of the SDL steps, and we'll hopefully see that they still apply to rapid development, which is what people do nowadays. People don't really spend a year writing software, shrink-wrap it in a box, put it on the shelf at Walmart, and have people come in and buy it and run it on their computer in a closed environment. That era is gone. The shrink-wrap-and-ship time is done.

We live in an era where if you didn't think about security from the get-go, and you didn't think about how am I going to update this on the fly, then you didn't do it right, basically. Because you're gonna have to think about how you can patch your product over the air. For example, when Chris and Charlie did their Jeep hack, Chrysler had to actually bring all those Jeeps into a dealership and plug a USB key in to patch it and fix the bug. That was kind of less than ideal, whereas Tesla has had a number of bugs but hasn't made a big deal of it; they just patch them over the air. So they had a little better patching strategy. And I think that's the wave of the future: Tesla views themselves as a software company, not an auto manufacturer. That is the future, that idea of, hey, we build software and we know how to update it in real time.

One of the other things I hear is, oh well, we make stuff so fast.
We don't have time for security. And we'll talk about that, because it's not necessarily a bad thing that you're able to push things so rapidly, because you can push fixes rapidly too. So, will we still need antivirus, or AV, or EMET, or something like that in automobiles? I hope not. That's not ideal, right? I don't want yet another McAfee product in my automobile. I didn't want it on my desktop to begin with; I don't want it in my car, for sure. No offense if you work for McAfee, but it is what it is. But I think that's the world we're headed toward, because there's still not enough security baked into our products, so you probably will have an IDS on your CAN bus at some point or something. We're headed toward that, just so you know, and it's not a bright future, but that's where we're moving. I think we still have time to avoid that if we get enough people involved in the right places that work upstream enough. That's why I keep talking about that upstream thing, because it has to be done there. Doing it later on by putting an IDS on the CAN bus is more of the same, and it's not progress, in my opinion. A lot of people would probably want to throw me off stage for saying that, because they work for a vendor that wants to do that, but it's just my opinion.

Having said that, this is my balancing slide: yes, we still might have to have those. We design it the best we can but still have some kind of a sensor in the car that detects if things go wrong, essentially an IDS or something. We might still need that, because of defense in depth: it's been shown that we're not able to do it right at any one layer, so having multiple layers probably is still necessary. History shows us the way on that. It's just not as exciting to me. I would rather see a culture where you've got a team, and this can work in small businesses, right?
This can work in a business where you've only got two or three developers, and you don't have the big SDL budget, and you don't have a full-time security engineer on staff, and you don't have any SDL heavyweight stuff. This can still work. You just have to have the right desire, the right people, the right dedication, the right mandate, the right response. All of that has to be done, and it's harder, I think, for small businesses in some way, because basically the developer has to also be the security expert. It's kind of a tall order. I think it's possible; I've seen it done. But it's kind of a taller order.

So you have to start with training. You have to start with deep technical engineering security, basically skilled people, and also have some time and budget to go back through and do, even if it's not heavyweight SDL, what's needed. This is what I'm trying to point out for DevOps and agile: you still need time, you still need training, you still need budget to do that. You also need experience. You need somebody that has a track record of past work in security projects, dealing with authentication, rules, data, all of that stuff. It only comes with time. Somebody directly out of college may not have that, so you might have to actually invest in people a little bit to grow the people you need. That's sort of not changed, whether we're doing agile or some waterfall or whatever; that whole thing hasn't really changed.

We need people that have the knowledge about how to integrate that into our process. If we're going to be releasing code every couple of weeks, we need to know how to do that in a way that's sane and secure and safe, and have the right processes in place to do that. Because not every bit of code, and this is the whole thing with agile development, not every bit is truly security sensitive, right?
If you're making an Angry Birds app, and your first thing is birds just fire, and then your next thing is now you have colored birds that can fire, whatever, and you're pushing updates every two weeks to your mobile app, that's fine for the most part. There's really no big security issue with that. But you need somebody on staff that goes, oh, and by the way, in 1.3 we're going to pull information out of your contacts and shoot birds at people in your contact list or something. Now it's like, whoa, hold up, now we need to think about that. Do we really want to just throw that out next week without the right testing? Because that sounds like a privacy issue; that sounds like it has security implications. And only people that have been around this industry would pick up on that so quickly, I think. So what tools and processes can we have to catch those things before we decide to ship that? We need somebody with the right experience to figure that out, and that comes with maturity. It comes with the right hiring. It comes with the right workflow.

Chris Romeo says that security is a journey, not a destination, and I agree with that. Any sort of maturing process takes time. It's not something where you're just like, hey, we figured out security, we're all done this week, we can all go home. No, we still need to be on that journey. We still need to be doing the right sort of engineering and figuring out what type of testing, whether it be static testing, static code analysis, or dynamic code analysis. What is the right amount of engineering for us in our process? For example, with native code we've known for a long time, and there were a few talks yesterday if you came to the seminars, about fuzzing. Memory corruption and fuzzing, that's been a thing for a long time in native code.
Hopefully we know that if you're writing code in C/C++ you ought to know a lot about that. On the other hand, a lot of the new code we see being written, not most but a lot of it, is managed code. It's web code, it's .NET and C#, and all that. So fuzzing is a different thing; the way we test is different, and we need people with the experience that understand the subtleties and the differences behind that. We need more end-to-end. We need to understand how Docker helps our rapid deployments, how fraud is going to be an issue for Uber or any sort of mobile app thing. We're not necessarily looking for crashes and buffer overflows and stuff like that. The type of security testing we do is going to be very different than what we've done before. We still need both, and we still need people that understand both, but you need domain experts, as always.

And that kind of stuff is best done in the engineering process up front. It's worse done later, just like with product security: the worst place to catch an attack is later on, when you're reviewing the logs or doing some incident response or something. It's good that you can go back and catch it, and we need to do that, but it's too late; the attack already happened. So in terms of pen testing your own code, it's better to do the bulk of it in-house, like peer review and all of that in testing. You still want to do a third-party pen test of your code and your app, but that's the most expensive, worst way to catch all of your bugs. It's better if it's just baked into your process. We need to do all those things still, but it's better to do them up front.

So to summarize a little bit, as far as DevOps and SDL go: having a support plan, super important. Having a patching plan, super important. Having incident response, communication, a partnership with industry like bug bounties. That's kind of a new thing still; a lot of companies are still looking at that and evaluating it and trying to figure out if that makes sense for them, if they have budget for that, if they really want to get involved and be public about their bugs and kind of admit to the world that they might have bugs. It's kind of strange that we're still having that discussion, because I think any forward-thinking company would know that they're going to have bugs in their product and they'd be okay with that. They would rather engage the community than try to sweep it under the rug. But that discussion is still very much ongoing, so you're probably going to have that in your organization if you're involved with that.

So yes, in summary, for you builders, for you people that do agile and DevOps: yes, you still need security, even if it's an MVP, a minimal viable product, a small thing that you're just shipping out in the littlest parts. You can still think about all this up front. You just have to be more creative, especially if you're a small business. You might not be able to afford full-time security engineers to sit on staff with you, so you're going to have to be a little more creative, and you're going to have to think about what you can do up front, or upstream, that helps make this whole thing better, rather than just ship it and then look for cross-site scripting afterwards by hiring a pentest team to come blow up your product. Which, you know, is going to happen if you didn't think about it in the first place. So thinking about it up front is kind of where we're at.

So let's change gears to endpoints. All right, so what does next-gen mean anyway? We hear that a lot. There are next-gen firewalls, there are next-gen WAFs, there are next-gen IDSes, there's next-gen endpoint security. There's a lot of next-gen. And what does it really mean?
Well, I guess we have to first define what prior-gen was. So when we think about HIPS and HIDS, firewalls, personal firewalls, IDS here on the host, antivirus, particularly looking at files with known bad hashes, kind of like a list of bad things that we'll block if we ever see this file. That for sure is prior-gen, because all it takes is a recompile, then the file's got a new hash and the malware gets through. So we know that didn't really catch all the things, and that's why there's been this push for something that does something else, or at least does more. So that's where this next-gen term comes from.

So what do we have for next-gen? What type of capabilities, if you're working in enterprise and you're looking at endpoints and you're thinking, hey, we should go out and look at next-gen stuff, what kind of features or products? I'm not going to name names, like particular vendors or products, I'm not going to even go there, but what are the types of features that you could go and look for? Well, there's functional runtime analysis. Something like EMET, for example, does API analysis, looking at how functions work. There are isolation technologies like sandboxes or VMs, so security through isolation. There are all sorts of novel detections, either static or behavioral, and there are various versions of math that you can throw on there to analyze binaries with machine learning, either statically, or you might have some other heuristics, more behavioral types of technologies based on known techniques in the industry. So we'll talk briefly about each one of these.
Again, I'm not trying to pitch you on any one of these. I leave you to completely draw your own conclusions about what you think might be best for your organization. I just wanted to have the discussion, because I've actually worked for a couple of different next-gen endpoint security products, so I feel like I can bring a fairly unbiased opinion to the matter and just give you some of the data: here's how some of these things work, and you go and look at them yourself.

So I can mention EMET for API protection. There are commercial products too, but EMET's free, so I can say that one without getting in trouble, I think. The use case is basically the way EMET works, if you don't know, and I certainly don't have time to go into detailed explanations of all these, but they do some analysis at certain checkpoints. So a program's running and they've hooked certain APIs, like VirtualProtect, which is a way that you can change page permissions in Windows. So when VirtualProtect is called, I'd like to make sure that the stack pointer still points to the stack, and if it doesn't, I think I'm under attack. I think there's a ROP attack taking place, a pivot just took place, and I'm going to crash the program. Okay, that's sort of how API-type technologies work, and it's kind of next-gen.
It's an exploit mitigation sort of thing. It's not something that AV did in the past. Or you could have a different sort of technology, but also watching certain APIs, like an anti-ransomware thing: if I ever see the API called that deletes the shadow files, in other words the backups on your computer, because all ransomware does that right before they encrypt your junk. They blow away any backups to make sure that you can't just recover. So if I ever see that called, because that doesn't get called normally, nobody wants to do that, no legitimate enterprise product wants to blow away your backups, if I see that called I think there's ransomware about, or in flight, actually running right now. So let me find the process that called that and kill that process. You could write a kernel driver that did that. So that's kind of cool.

My thoughts on those approaches: they're pretty easy to implement, relatively. I mean, none of this is easy, let's be honest; if you're not a developer none of this is going to be easy. But relatively, those things are fairly easy for a development company to stand up and get going. They have relatively low impact on your system and performance if they're done right.
You could also screw it up: if you hook too many APIs, you can make processes crawl if you do it wrong. But if you do it right, the impact is low. The cons are that both of those are fairly easy to bypass, and the reason is that there's an attack in flight. Somebody has successfully run an exploit and they're in the process of running a ROP chain, or doing a ransomware, and you're trying to stop it as it's happening. It's not the best theoretical place to stop an attack, because if they've got some access, maybe they can just not call that API, or do it in a slightly different way that your thing isn't looking for, and then they can bypass your thing. And I've done this a lot; I've spent a significant part of my career looking at products and going, oh, this is interesting, how can I bypass it? And usually you can, if you just reason about whatever it is. We see this all across our industry; it's not just software. We see it in physical security: there's a door lock, and we see the videos where the guy blows some water or whatever through the door and it trips the internal sensor, the door unlocks, and he just walks in. So there's a security thing; how can I either turn it off or bypass it? That's how we work. That's how our sick, twisted minds kind of operate.

The recommendation on these kinds of technologies is, well, if it's free, why not? EMET was a free tool that Microsoft put out.
It was particularly helpful for XP, because it brought apps up to a Windows 7-like security standard; it enforced ASLR and DEP. It wasn't just API checking; EMET did some other things too. So why not? A lot of these products don't just do one thing; a lot of times they do multiple things. It's kind of dying, though, EMET, just so you know. Windows is basically putting all their eggs in a basket called CFG with Windows 10. That's their new security in terms of stopping memory corruption: Control Flow Guard. I can talk to you about it later; I don't really have time to go into what that is and how it works deeply now, but they're moving in a different direction as a company. So those are my thoughts on that.

How about some other things? I've got about three different more sort of next-gen approaches that you could think about. How do they work? How about sandboxing? What is that good for? The idea with sandboxing is to trap native code vulnerabilities in a lower-privileged environment, and it's a good idea. All these ideas are sort of tried-and-true, sound ideas in the security industry. That's why we did VLANs, just so you know, because we don't want everybody on the same hub. So isolating people, or separating people, or putting them in least-privileged containers is a good idea. We've done it for a long time in other domains. So do that. There are some commercial products for it, which was a little confusing to me, because the operating system basically gives you this. Chrome and IE and all of them do this: each tab runs in a lower-privileged sandbox relative to the master browser process. So my thoughts on it are that it's a good idea to enhance security. It's not perfect. They're weak against kernel vulnerabilities; usually you can escape the sandbox. It typically is expensive.
It requires some re-architecting of the app: like, hey, you can make your app secure if you just spend all this money and time making it more secure. Okay, well, true. Not every product and company is going to want to do that. So that's kind of the downside. I feel like it's sort of best done by the makers of the app and the OS rather than third-party vendors, but your mileage may vary on that.

What about other sorts of more extreme versions of sandboxing? So besides just putting things in a kernel-enforced sandbox: in a lot of people there's confusion, I think, across the industry. There's been some confusion for a number of years now. There's actually a difference between a Docker container that uses a kernel-enforced sandbox and an actual true VM, right, a hypervisor-enforced VM. There's a difference between the two, just so you know. I think a lot of people, I talk to people and they don't get that. It takes a little bit of time to really understand the difference. The difference is: if you find a vulnerability in a sandbox, if it's a kernel vuln, you can usually get out to the host, because there's nothing else. If you find that vulnerability in a hypervisor, or like in a VM, you have to get a kernel exploit to get root and then find a hypervisor vulnerability to get out of the hypervisor as well. So there's a whole other layer, basically, you have to get out of.

There are some commercial products. Microsoft is looking at this with what they call VBS, virtual... is it Virtualization-based Security? It provides stronger security than sandboxing, so that part of it, especially in terms of memory corruption, is good. It tends to break workflows, tends to be complicated, tends to be expensive. So my thoughts on this are: the pros are that it definitely is stronger than, say, sandbox enforcement in terms of stopping memory corruption bugs. But memory corruption bugs are not as prevalent as they used to be anyway.
So some people argue: well, do I really need that extra, like, 0.01 percent of security? Like, a sandbox in Chrome running on Windows 10, latest everything, is pretty good. Do I need to wrap it in a VM too? Particularly if that's going to break my workflow and break my documents. My macros can't call out to a database, and a lot of the things that used to work might get broken in your environment based on that. So there may be some deployment issues, basically, is the huge con there. So I would say my recommendation with Virtualization-based Security is: use it with care. I think it has a place, particularly as a malware cage. It works pretty good for that, because you can throw some malware in there and blow it up, and it won't get out to your host, generally speaking. So it has a lot of use cases that are really sound. But I would say, look into that and make sure it works for you and your environment.

What about next-gen detection? What about static analysis, like looking at the binary and saying, hey, when I see this executable come to my machine, I'm going to run some magic math on it and then I'm going to detect that it's bad? Is that good? Heuristics, machine learning? Or is it better to sort of let it run in some way and go, I'm going to look back through the events after it's run, and if I ever saw it do this, this, this, this, or this, then I know it did that lateral move, or whatever, right? So there's behavioral sorts of detection, kind of pre- or post-execution.
You could combine the two as well; there's probably product companies doing that too. But those are sort of the general approaches, basically: either I've got the people on staff that know about APT and pentesting and all this stuff to do behavior, or I've got the math and the science and we're going to figure this out before the thing ever even runs.

The other thing is, with all of these products, and I mentioned it before, but with any of these sort of next-gen whatevers, a lot of them aren't just on-prem anymore. A lot of them can run in the cloud, which means that basically they'll report back to some SOC not in your workplace. So which is better for your environment, to have the on-prem or the off-prem approach, in terms of the reporting, the analysis, the logging, dealing with the tuning, the false positives, looking through the alarms, the alerts? Who does that? Who's going to deal with that? Is it going to be you? Or is it going to be an MSSP, basically? Both are fine, by the way. I'm not trying to, as I said, I'm actually trying to just give you the data. I'm trying to be completely unbiased. I'm not trying to pitch you on one or the other. I'm just saying these are the options we have in our field, these are the options we have in the industry. The one that works for you may not work for them. You know, especially when you think about small business: they probably don't have their own SOC, right? So maybe the MSSP option really is better for them. Is it medium business? Maybe it's larger business; maybe they already have a really high-tech SOC and they'd rather deal with it themselves. Okay, right, I'm not telling you which one is best. I'm saying these are the options.

Also, in terms of all those detective things that we can do on an endpoint: do you want the haystack or do you want the needle?
And again, I'm not necessarily saying one's better than the other. I'm just saying those are your options, because there's products that do both, and they both have pros and cons, right? The haystack is kind of an issue in terms of... well, let me just, I'll give you the pros first. So the pros of any of those, depending on which one you go with, is that it gives you visibility into the stuff that you probably would have missed before, right? Your AV and stuff like that, they're not doing all that stuff. So cool, enhanced visibility. That's awesome. That's definitely a huge pro. Some of the cons, especially with the haystack, is you probably get a lot of data. So you're going to have to have a huge server rack, and it's going to be expensive, and somebody's going to have to deal with that, right? On the other hand, if you just get the needle: if you miss needles and you'd like to later go back and do some incident response or whatever, it might not be enough. So there's definitely a trade-off.
There's definitely pros and cons. And my recommendation on both of those would be: consider the workflow, consider which is going to work best for you, for your team, for your SOC. And consider, you know, what are the features that all of those products have? Are there certain products that combine different elements? Like, can some of them, if they do detect something, take the node offline? There's a lot of features and buzzwords and stuff like that that may or may not be truly useful and helpful to your organization. So look into those and see which ones can work best for you.

Also consider tuning, because all of these next-gen tools, all of them across the whole industry, they're all pretty new. A lot of money's being spent in the industry over the last three or four years just to build all these next-gen products that are going to replace AV. But a lot of them need some tuning and some work and some deployment setup, and it's not going to come easy. Just so you know, in full disclosure, right? It's going to take you some work to get them set up. So how's that going to work for you? Who's going to deal with that? Is it going to be them? Are they going to deal with it in their SOC, or is it going to be you? Are you going to deal with the tuning? Tuning is, you know, how you deal with the alarms, because not every alarm is important to your environment. For one environment, they get an alarm and they're like, oh, that's really bad for us. For another environment, they get a certain kind of alarm and they go, eh, it doesn't matter to us, that's not a threat to us. So okay, but somebody's going to have to know that and deal with that, right? It doesn't just magically work, even though it's next-gen. So there's going to be a need for us security people for a long, long time to deal with that sort of stuff.

The other thing is kind of very similar to detection, which is search, right?
So ignore the commodity sort of junk and just go hunting. And that's a big thing: a lot of organizations, they have a hunt team, and they're going to do hunting and threat intelligence and all this cool stuff. It's all cool stuff. But how does it work relative to the other stuff, to protection and detection and all the other stuff? Do you have a plan that sort of makes cohesive sense? And how are you going to find those unusual things in your environment? Which type of technology is going to help you do that best? So the pros on search are that it's cool. It gives you the retroactive incident response. It gives you other things, like IT discovery, that you might not have had before: search across your enterprise. The cost, of course, is the same as with the other sort of big data products, which is, you know, it's going to cost you money to set it all up and store all those things and look through all the things. You're going to have to have experienced people who know how to do hunting. All of that stuff doesn't come for free. So my recommendation there is: if you think you want to do that, compare it to the other detective-type technologies and see what makes sense for you. Give yourself an honest representation of what kind of people you have on staff. Like, maybe we don't have the people to deal with a haystack; let's just go with something that gives us the needle, or vice versa. Right, whatever's good for you. That's kind of my thought.

So, just to summarize. I'm kind of at the end; I made it through all that. Hope you enjoyed that. When you want to have a plan for your enterprise in terms of security, think about: what's your tool-agnostic plan?
First of all, don't start with, hey, we're going to buy this and then we're going to find a way to wedge it into our environment. It's not the best way to do that, right? So start with: hey, this is the people we have, and these are the tools, the types of technologies, we think we need. And then once you've done that, then you can consider each layer in the solution and figure out what's going to be best for us. Is there a certain suite that works? Are there various point solutions? Are there various people we could hire? Approaching things a little bit more methodically, even in that sense, is slightly more upstream. Not, you know, as far as I was talking about before, but a little earlier in the process is a good way to go. And then, are you going to buy that or build that? Because for some of these ideas, for some of the search and detection, you could probably build some of that stuff too. I know organizations that have done some of that. If you've got super highly skilled developers and software people and stuff on staff, you could even build some of your own detective stuff. So there's always that option, and it's something for every organization, big or small, to take an honest look at and see where they're at.

So my final summary, for both the software security and the endpoint security side, is, to us as an industry: I'd love to see us stay classy, right? There's a lot of fun in our industry. There's a lot of marketing, and it's very hard, just so you know, if you're on the other side of it, if you're an IT buyer or something, it's very hard for them to wade through all the junk to figure out which products do what and what would really be helpful to our industry. So I would say, try to help people in that. Do things that you think would help others rather than just trying to snowball people for your own gain and profit. We're going to see more and more of that across our industry, right?
Because it's a profitable industry to work in now, and it didn't really used to be. So that's something that I think I would love to see us kind of stay classy in, in that regard.

The other thing that you can do to help and kind of make the world a better place is start thinking about: how can I train the next generation? If I have the expertise to understand some of these things about software security and endpoint, whatever it is, how can I share that with somebody else, with maybe the new people, or go out and teach a class at a conference, whatever it may be? That's something I'm really passionate about. And then again, whenever possible, think about how can I make this better across the industry, working upstream a little bit, rather than just finding one more bug, or whatever it may be, in your environment. So that's all I have for you. I hope you guys have a great ToorCon, and we'll see you around today.