Stopping SolarWinds Breach with Jared Phipps
2021-03-02 00:42:33 Author: www.sentinelone.com(查看原文) 阅读量:240 收藏

#34 Stopping SolarWinds Breach with Jared Phipps from SentinelOne.mp4: this mp4 video file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Now, we have heard a lot about the solar winds breach, it was one of the largest and most sophisticated attacks in history, Microsoft President Brad Smith said. When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks? And the answer we came to was, well, certainly more than a thousand, but not everyone got hit. There were those who were able to defend against this attack. Today, we're going to talk to a company whose security product defended against this attack.

So stay tuned.

Hey, everybody, welcome back to another future tech video podcast, the audio version of this podcast is available on Apple podcast, Spotify and most of the others, or you can find it at Futura Buzz Sprout Dotcom. Today, we're talking with SentinelOne one. Their product fared better than most against the solar ones attack. To quote their site, SentinelOne Labs, the research division of SentinelOne has confirmed that devices with SentinelOne agents deployed were excluded from the sunburst attack from an early stage even before any communication with a malicious setu. Technical analysts have confirmed that Sunbus was unable to disable or bypass SentinelOne one in any environment. And I'll just let that sink in for a second. Today, we have with us Jared FIPS, senior vice president of Worldwide Sales and Engineering at SentinelOne, to help us understand what it was that they did right and to tell us about their recent acquisition of Log Data Management Company Scalar and what that means for their business. Welcome, Jared.

Thank you. Pleased to be here. So so, Jared, thanks so much for coming. Tell me a little bit about SentinelOne. You know, like what's what's the founder's story? What was the problem that they saw in the market and they wanted to solve?

At Tumer, Weingarten, founder is still here. He's still the CEO. It's one of the things I actually thought was really attractive coming here myself. But when he's a serial entrepreneur, he's done businesses before. But when he was looking at starting SentinelOne one, he understood that the security space was problematic. He had a bit of a security background himself and what he thought was an industry that was continually looking for new solutions, new solutions, just sort of a constant churn. He looked at models that really seemed manuell slow, really, really, you know, a lot of investigation intensive. And he was trying to figure out how can he leverage I am autonomous operations to transform an industry. And he looked at a few different things. But security is what it kept coming back to is his thought process was doing something like like you get with most entrepreneurs and founders. Right. He wanted to change the world, literally change the world. And he felt that doing so through the lens of security was was open, especially by leveraging A.I. So I started off in the early stages of the company focusing on Mac. Believe it or not, that's generally not where people start. But we started on Mac and Linux and then move into Windows after that. But based on a couple of years, just really building, doing good R&D and building before they took a product commercial. So by the time they went commercially, had Mac, that Windows and Linux was a it was a true, I would say, evolution in terms of what it had done on endpoint security in our industry. Endpoint security has been dominated by. A V and EDR AB was there to block everything you could block, and then EDR was there to capture and investigate everything and what tomor want to create and start was a business that unified all of that security under one umbrella. And it just took A.I. on autonomous operations beyond just file inspection, but into everything that goes at runtime. And that's, you know, that's what he's done with SentinelOne. So that's that's our genesis.

So you guys fared very well against the Solondz breach, you know. Tell me a little bit about, you know, tell me a little bit about what what what you're seeing from the solar winds breach and what you guys saw, you know, from an attack perspective that you guys were able to address.

Well, that one's that one's interesting, right? It's got all the makings of nation state, I know a lot of people have come out and done attribution and tied it to Russia. I would agree with that entirely. When you're looking at a crime group versus a nation state, you're looking at a very different level of sophistication. Right. And I I started off my career in the Air Force. I've spent time on the defensive in operation and the offensive operations side of the house here. So I would say that when you're dealing with nation states, you go into a far more complex cycle where supply chain risk management becomes a concern, where the the ability to select targets from a desired set and then and then really focus on those targets in in a bit more granular detail.

Those are the hallmarks of it. Cybercrime is very opportunistic. When something when something happens, they'll chase every one of them. So, you know, the solar winds is really the classic supply chain, right? If you can find software that runs on all of the different enterprises around the world and you can inject your code into that software, that's the Holy Grail from an attack perspective. Yeah, and solar winds offers software that gives you visibility over the entire network, so makes them the perfect candidate to be a target. And all they had to do was, in this particular case, remotely access and implant code. And then just watch and determine if they were able to identify the code had then put into the solar winds, you know, hindsight is 20, 20. We can all look back at it now and say, here's what happened. But the reality is, while that's going on, it's very hard to capture. Supply chain is very, very difficult to control. So I'm not going to get into the into the nuances there. What I will say is that, you know, after the solar winds breach comes out, after the artifacts are there, we can go through it. We can reverse engineer the actual malicious code, the sunburst attack. When we reverse engineer that, we can we can get a bit more of an understanding of how the attacker was working in those initial phases and what we saw was actually pretty compelling when the when the solar wind software installs on a machine, it intentionally lays dormant for approximately two weeks, a minimum of 12 days.

And then after that dormant period, it'll make out a beacon. So it'll do a command and control beacon out to about the cloud dot, which is a domain of being registered, and then they and affiliated with various regions. So east and west and various regions around. Now, the good news is because they're reaching out to a registered domain, we do have DNS historical data. It gives us the ability in retrospect to go back and look for all of the initial command and control campaigns that have reached out to that domain name. So no one is we can tell every organization that had those two beacons contacting on there the way that we've looked at. And then two, we actually have the Paleozoic in reverse engineer it. And by going through a reverse engineering, yes, we can see what they're doing. And what they did is they started to encode different commands on that initial that beacon out. So they're capturing information. On the very first install beacon that they send out there, capturing information around the security products, they're installed on the machine and they're capturing the state of those products, whether they're running or they've been able to be stopped. Right. Really, really pertinent information. If you're thinking about this from a nation state perspective, when you do a supply chain attack and you're expecting to have massive access, your access is going to be larger than the actual targets that you want to execute against.

Right. And so having the status of security products in those beacons back is pretty compelling. And you can see in the source code, when you look at it, that they do look for running services and processes and there's actually some some attempted anti tamper and some attempted disabling unmowed events that they'll do. In the case of SentinelOne one, they they look for the they were looking for systems and processes. They actually will eventually get down to looking at the driver level. And they were doing various techniques, you know, going into a registry and overriding the first values to try to decode the registry to to unload agents. In this case, what we saw is they simply wrote code inside of the sunburst malware that if they identified SentinelOne one to simply exit them, they would go back into a dormant status and then they would recheck after that randomise, again, another minimum 12 days and just come back and keep rechecking, hoping that no has been uninstalled or the admins have done something with it. Right. And just a bit more opportunistic. Well, that's nice. That was the kind of interesting case here, is we didn't really have to stop the attack after all of that because it just wouldn't execute if SentinelOne was installed.

Well, that's a nice endorsements from some Russian hackers.

Yeah, I mean, it's. You take it for what it is in this particular campaign. That's that's the decisions they made.

We do have some some federal customers who have been targeted by that organization in the past. So while it's a hypothesis on my part, I don't think it's rampant speculation to think that, you know, they are aware of who we are and where we're running. You can generally go find endpoint agent code. Just go look for virus to go look for different places. I don't think it'd be impossible to get access to SentinelOne binaries, but it would appear here that they they've had a little bit more recon, a little more time to try to focus on it. We have a lot of anti tamper majors in place in the product that prevent the agent from being unloaded through the registry, through the methods that they were trying. And so it would happen here, even though it's not something I can prove, it would appear that they had awareness that they that their methods were not going to unload SentinelOne one. And it would be better to simply avoid raising alarm bells. Someone start tampering with your agent. Right. That that alone sends up an alarm bell. So they're trying to avoid sending alarm bells. So if they see someone, they just exit and they don't want to try to mess with the with the anti-malware capabilities. That's my hypothesis.

Yeah, that's really I mean, it just goes to show you the level of sophistication of this attack. I mean, you know, when Microsoft saying they they see the fingerprints of at least a thousand different, you know, hackers on this one working, you know, from a nation state, that's a that's a significant foe for sure.

Yeah, I mean, again, so I don't know that I would personally agree that they've got a thousand people building building on the code. Like like all things, great things happen in smaller teams. Well, I think there's I think there's a military unit. I think there's a lot of design behind it. I think there's some very good minds behind it. I just wouldn't put the number of the thousands I put in the hundreds. What comes back is the notion of target selection. Yeah. If you're in the military and you have available targets, you have to go through quality target selection. And that's what I think is probably more aligned to the case.

I mean, I've done some analysis just based on the the C two beacons that have come out. You know, it's you would figure this is Russia. They're targeting government. Only about 20, I think was twenty two percent. If you round up of the initial C to Beacon's come back or even government related technology like, you know, manufacturers of supersonic jet engines, like it's not just tech, it's very specific tech. And they're showing a lot of state and local governments, which which is interesting. And then it was pretty heavy in health care and finance stuff. Finance is always targeted. I mean, yeah, that's the thing about finance. You're going to be hit by crime groups, by by nation states. You're going to get anything you can imagine if it money flows.

Everybody wants to understand who, what, when, where, how, when it comes to money. So you're always a target if you're finance. Yeah, but health care by a nation state is not normal. That that's just not normally what you would see. So one aspect of this is, hey, they went after solar winds. That's a very Ebiquity software. It's available. It's going to make a very large target set. And that's true, right? You're going to tons of machines reporting and. Yeah. What they chose to actually execute against what they selected off of that target list, though, is pretty telling, and you've got to make your decisions and your determinations of what to process in what order process. Look, we didn't we didn't see this thing until December. It kicked off in March. The campaign executed. This wasn't like we didn't have this miraculous find and stop, but it was that all the DNC activity, everything was telling down. They did a great job, well executed, and it was successful, a successful campaign. And I don't think anybody can call it anything other than that. Yeah, there's definitely going to be some people in the US government right now with some very hard conversations. This was a successful campaign.

Yeah, I'm sure. Well, in that regard, you know, like you mentioned, this this was out there for a very long time. I mean, it's amazing that, you know, people didn't catch it. I mean, like you said, hindsight's 20 20. Right. But what were some of the things that they were doing that that made it so incredibly stealthy?

Well, OK, so this is what Rush has always done when they get into an organization. And if you're a crime group, you're trying to drop in crypto miners or drop in ransom where you're trying to figure how to get paid and what you've done. If you're Russia, you're coming in, you're trying to avoid detection at all costs and you're trying to discover information. Right. So at the end of the day, if you're a nation state, you're doing a cyber aggression for two primary reasons. I'm going to leave China outside of this because they'll have a third. But one is denial, disruption of services. The power grids think equities and trading markets, things that you can cripple a country by taking down. Number two, which is the more prevalent use case, is intelligence gathering. So machines create data and information meant to be consumed by people. So you want your people to consume what you're what your enemies are adversaries out there would have. So that's that's why nation states hack each other, right. So when you're an organization like Russia and you're going in to do an attack like this, you're going to go after credentials, you're going to make yourself appear to be a legitimate user inside of the organization.

And you're going to get access as much as you can to join conversations, to monitor conversations, to to have access to data, to move around the environment and to do so. In today's day and age, you either need identity certificates or identity accounts. And that's what they focused on. Yeah. Interestingly enough, you know, although we didn't have any SentinelOne customers compromised, we did open up until everybody had one incident. Response teams, if you want to help to investigate some leads, we're happy to do so. We as a people are concerned and investigated. There were dead ends everywhere. But following the national conversation, what's pretty clear is that the follow on activity was using cobalt stripe, which is something this no one does really, really well against. So there's there's telltale signs to catch the follow on activity once they get in. The companies and probably other organizations, I should say, not companies. Organizations, I think should have been able to detect some of that activity. So that's a little bit disappointing that it got as far as it did there. But, yeah, once they get in, once they get access to those crowds, then everything else just looks like remote connections and it starts to look very legitimate.

And the case where you saw the FireEye, right, they got a little clumsy, not not excessively, but a little clumsy when they tried to do the two factor authentication registration, the publishers kept focusing on certificate's. That's that kind of tripped a wire. The difference is Biri has people who are used to doing deep dive investigations, and when something weird pops up, they don't mind taking the time to delve in and do that investigation. Security companies will do that. Other organizations, they'll just write it off as a glitch or it's it's an anomaly. Or maybe somebody tried something, but whatever, they didn't get through because we didn't create the account. They deactivated the move on. They don't really have the resources to dig in and understand what's going on. That's the bigger concern, because there's probably again, I don't know, I'm not part of the conversation, but I would have to suspect in retrospect, there's a whole bunch of red flags showing up that should have been watched that simply weren't I mean, I would bet almost anything that that's the case right now inside the US government. There's probably some really hard conversations around that right now.

Yeah, well, I think I think you touched on maybe one of the biggest problems in security today, right. Is the fact that there's not enough qualified people to go around. Right. And you look at red team, blue team and, you know, in dividing people up and you know how it all plays out. I mean, it's a it's a massive task to to not only just, you know, be very vigilant about this, but also to understand the types of things that are going on.

And when you see something that looks a little unusual, being able to do that deep dive to figure. Things out, and I know, you know, one of the things that you mentioned in sort of the Founders story about SentinelOne was the desire to apply, you know, artificial intelligence, machine learning and things like that to the process, which I think is is kind of an important piece to this puzzle.

Right. Because if there's not enough people to go around having some intelligence in the apps that can help people who may not have the level of sophistication that they may need to derive answers and insights, I think is a really important piece. Right.

It is tremendously important. I can give you it's it's interesting, very early on the cybersecurity industry and you can put myself on this list when I when I was in the Air Force and people are talking about A.I., I was very resistant to the idea that a computer was going to offer any intelligence or analysis that the analysts we had couldn't handle.

But other industries have figured out how to let computers do some great things with it, like autopilot in the airline industry being one autonomous safety systems around transportation. I'm just look for your vehicles, right? When I was in college, I drove a nineteen seventy two and write A to Z. It had no air conditioning, it had no power brakes, power steering, like it was as basic of a car as you could get. Now I told people I was driving because it was a quote unquote drivers car. The reality was five hundred bucks and that's what I could afford. And and today I drive a car that has lane departure warning, forward collision warning, auto braking, rear collision, avoiding crash avoidance, front airbags, side airbags like this car has so many systems. I'm still the driver. I still control the car. But when reaction times are where they are, it can start to react. You know, for me, it can tell me if I'm trying to transfer in. Someone's in a blind spot that someone's there. Like this is what you want from autonomous systems. If you go back to airplanes, right. You have all different types of safety systems that help pilots avoid mid-air collisions, things of this nature. The only time that crash has happened is when pilots ignore the systems, telling them what they should be doing because they want to be smarter than the system.

So let's talk in cybersecurity world. Why do we need a high volume of data is number one and speed is number two. And by volume of data, we actually the buzz term in the industry now for this, which is alert fatigue, I would tell you it's more like drowning unless I unless you've lived it firsthand, like walk in and see your SIM with ten thousand alerts in them and then you sit here and look at your stock and say, OK, well now our tier one is going to analyze all the high and critical and you watch them and they're opening up the screen looking at some stuff and then deleting or they're, you know, like there's nothing happening at that level that's incredibly valuable. And then the hard stuff is supposed to be caught by your huntings in tier three or tier for finding the stock that I've been working with. And these are for organizations that can afford the SOC and can build the SOC. Yeah. So, yeah, I've worked commercially, primarily in the energy and financial sectors with some teams that truly have world class security operations and they use orchestration, autonomous operations to enable them to scale like everybody else. How do you get there. Yeah. You're not going to have the security, but it's the best, and so I think it's fair.

I mean, you know, I've come a long way and obviously now with no one, where do I an autonomous operation, behavioral analysis, we are taking what is really, really complex stuff. But we're taking tier one responsibilities on ourselves. And this is this is fantastic for organizations that can't afford the SOC. We literally have the teams to do that. Right. We can be the solution for other organizations that have the SOC. We can we can offload a lot of that Tier one and then we take all of our threat hunting and augment what they're doing. So it's like having this really, really specific expert system. It's not just a software as a service, but it's a software as a service that has expertise and behavioral algorithms that will process anything faster runtime and the human ever will. And then it's augmented in the back end with an exceptionally good team to expand out your certainly that's the right model for the industry today. And that's that's what Toma's Vision wants. And is vision proved correct? Right. So, yeah, where we sit now, we're the fastest growing company in our space. It's amazing how fast we're coming along here. And the adoption is because we're solving a real need, a real pain. I'm taking some some pretty challenging problems on on behalf of our clients.

Yeah, I remember. You know, when you talk about alert fatigue, I remember back in the day at a global 500 company installed a security product. I won't mention the name of it, but and, you know, a few weeks in, they were getting, I think, somewhere upwards of over twenty three thousand alerts a day. And obviously, you can't that's completely not actionable. Write and edit. And after a while, they just stopped looking at it. And that's after spending millions of dollars to get everything in and installed and stuff like that. And know just they didn't make the kind of investment to tweak and tune and do that, which is a full time job and in and of itself. But it is amazing and it continues to this day with a lot of a lot of organizations where there's just too much data coming at them. Right. Crazy.

Oh, yeah, it's insane. I mean, anybody who's had a home alarm system probably knows you get more false alarms in a year and you risk getting fined by the police than you people working in your house. Yeah, yeah. I mean, and that's at the most benign possible scale. Take that and throw that into an enterprise environment. Twenty three thousand alerts, even if you can analyze all the highs and critical. How accurate is that analysis going to be? Yeah. Think it's just not going to be I it's that's not a hypothesis. Right. That's just what I've lived multiple time and it's it's just not going to be accurate. So the other though, I think it's not just about the alerts, it's also about closing the cycle of the investigation. And this is where I think the autonomous side of SentinelOne kicks in a bit more, think the industry as a whole, the security industry as a whole has come along and says, yeah, we can we can use A.I. models to replace maybe everybody's really comfortable with that and we can use behavioral rules to trigger alerts that are higher fidelity and everybody's come along and are comfortable with that.

What people are not recognizing is that we're we're taking it a step further than that and that we're tracking everything into a single storyline, everything that occurs on that point to a single storyline. And we can not only stop the attack, we can surgically remove that attack from the endpoint. And that means we're automating not only the detection and the deflection of the attack, but we're automating the recovery from the attack.

And if I go back to where I was in 06 and 07 in the Air Force, where we were trying to define his visions, grand vision of a self healing endpoint that would allow us to operate through cyber attacks, central ones delivered that more so for our customers, the endpoint, like we will attack, block, remediate and attack that entire cycle, the entire investigation, remediation trigger cycle, that whole piece of it can be done in point two seconds. Yeah, right. That's operating at the speed of compute. Can we do that for every single attack. No. Can we do that for the vast majority. Yes. And for the ones that take a little bit longer, like a long cycle for us is maybe ten minutes. Right. And most of the industry is trying to get to benchmark standards that are that are multiples above and beyond what we're delivering today. Yeah, and this is probably the most shocking thing because I don't get on with the Fortune ten companies. I'll get on with the Fortune 100 companies. I'll explain to them what we're doing. The same we're not we're going to be OK and we do it like, wow, you are. And that becomes a very different conversation. So. We're doing it, we've been doing it, we're doing it a skill, and we're going to continue to drive on excellence in this fashion because it's not about generating alerts. The security, security products and security vendors have got to get a mindset of generating and alerts is about deflecting attacks and keeping intruders out of the environment and doing that as seamlessly and frictionless as possible for the users of that company.

Yeah, yeah. Well, you know, I mean, there's there's a there's a million different security products out there right now. I mean, this is a very disaggregated market. And I think that, you know, there's so many companies, you know, some of which, you know, are more of a feature than a the whole platform or a product even, you know, attack very specific areas of the of the security chain. Right. You guys kind of playing the EDR space, which is, you know, kind of this evolving, you know, space of what fits into the definition of XDR. Where do you see your guy, you guys fitting into the whole security chain? And how how do you play in that that whole mix?

Well, the point is interesting and compelling because you're at the point of data consumption, and so it's really your ultimate last line of defense, the EDR space has gone from being a sensor telemetry driven system to an autonomous attack. Deflection position is where we have it now, where we can do seamless remediation, et cetera. Likewise, there's been an NDR concept for a while. Network detection response responses started back with full Peka vendors and they went into metadata because PopCap was too hard to record, but again, storing on telemetry and then analyzing the events after the fact and then Djerriwarrh to tell you what happened. That generally means need to kick off an investigation. And so we've done integrations within EDR vendors and EDR, and a lot of that is driven through systems as well. So all of the standard integrations through since I think what's the vision of the EDR vision? Is that crostini, detection and response? Right. We are not leaving NDR as a silo reporting into the SIM and EDR as a silo reporting into the SIM. You're now moving into cross domain detection and attack. And I would like to our detection response and I would almost like to think of that as deflection in the SentinelOne methodology, meaning cross demesne. What automation's can I drive cross to mean, what types of responses can I automate? And so what? We've done this with several different firewall vendors in the fabrics, looking for the fabric, for example, where we can push intelligence back and forth between the two, but we can also now adjust in terms of an automated response.

And this is typically been the domain of orchestration. And you had orchestration vendors building up and then you kind of see the same vendor sort of gobbling up orchestration. And at the same time, data is a lot more prevalent. When you started doing XDR, we start going crostini. You no longer care that the data is coming from just your endpoint telemetry instead of pulling data from any network or any other security appliance, logging, applying anything of that nature, allowing that data to come in. What we're doing here and why this is such a good fit for SentinelOne is our core competency is working with data. We are in A.I. Behavioral Analysis Company. We do amazing things with data and we've proven it on the endpoint point, which is probably the most difficult space to operate in, at speed, at scale, with accuracy. We've proven it there. Now we take that into the EDR space. So what are we going to do? And this is literally why we bought scalar, which you kind of referred to earlier. But when we can start to move and operate at the speed of compute on large data sets across fabrics which include network and cloud and point, the fabric simply becomes compute, the protected becomes the data and the protected becomes the user of that data. And that's really the vision we're driving for. We will continue to invest very heavily on that data driven vision as we go forward.

Yeah, well, you brought up scalar. You know that that's quite a significant acquisition. Could you talk a little bit about what scalar does and what scale it brings to to the game here?

Well, the the real key piece of what scale it brings to the game is that, again, when you're talking to SentinelOne, hopefully what you've gotten for me is the autonomous and the speed at which we're working right now, measuring things in hours or minutes. We measure things in seconds as much as possible. There are things we have to measure in minutes, but maybe even an hour every every occasionally. But we want to deflect and stop as much as possible. So when he starts looking at data, data aggregators, log aggregators, all that type of stuff that's out there, there's a lot of them in the market. What's intriguing about scalar and what I think was really compelling for us is that it can ingest unstructured data. So we don't need to have a predefined nomenclature or anything of that nature for the data set coming in. But more importantly, is ingesting and allowing us to take operations at the speed of ingest on unstructured data. So while we think we're going to have gains from scalar in many, many different aspects of operating a security program, we think that among the most important is it's going to align with our philosophy of deflection on autonomous operations.

And we started to get pretty excited when we think about where we can go in the future. The future of compute is data. We all know that. And there's a lot of companies out there that are working on making it easy. To stand up data infrastructure, making it easy to scale data infrastructure and SentinelOne is going to do that, but we're going to also let you do that security. So if you think about this, then it's not just about how SentinelOne one is able to leverage scalar technology for our security mission, but how we're going to be able to help people consume and leverage data securely in their environments. Because I've really never met a CEO, CIO that said I want to take on more security risk. I want to have more security burden on my team. They just want to be able to provide the business mission to their organizations if we give them a secure path to data compute. And that's that's pretty compelling.

Yeah, I think it's interesting that I love to see acquisitions in this space because I think the the security market needs some consolidation.

Some of these need to be wrapped up in a broader suite of products brought together that are all integrated and, you know, kind of a single pane of glass sort of thing. And you guys are an interesting case because you guys raised quite a bit of money. I mean, I think you've raised almost upwards of 700 million dollars, you know, so I got to imagine you guys have a little bit of, you know, acquisition power, you know, even beyond scalars. So, you know, I know you can't talk about what the future holds in acquisitions, but I got to imagine there's some really interesting opportunities out there for you to do some consolidation.

Well, we'll always be looking for things that are strategic that that give us the ability to deliver the most value to our customers over time. Yeah. And when those types of opportunities present themselves, we'll definitely take advantage of them.

Yeah. Yeah. Well, that would be interesting to see. So tell me a little bit about what's next for for for for SentinelOne. What, what, what do you where do you see things going for you guys.

Well, we have to continue on the rapid growth path, that's what this industry demands from a business perspective. So scaling a business operation, doing this at the speed at which we've been doing this and I think we've settled into a pretty polished approach of this is really important. We need to keep innovating. So scaling the business is going to be one things we keep focused on innovation. This is this is the heart and soul of SentinelOne. We can leverage some exceptional talent. We have core competencies, fundamental core competencies, and what we believe is world class expertise in in the realms of machine learning, artificial intelligence, behavioral analysis. So how do we take that core competency and expand that into the EDR world? We've been doing that. We've been doing that actually for some time now. I think where we're heading on the EDR vision is providing a greater security blanket. And more importantly, we're not going to walk in and force an organization to rip and replace everything they have. Yeah, and it's one of my pet peeves, right, is yes. We're building an amazing platform. And yes, we have a lot of stuff you can do on this platform, but you've already made some investments are going to be strategic that you don't want to change. And you know what? I had always wished the vendor would have told me when they walked in, said, I'm going to make your existing security investment better. I've never had a vendor tell me that when I was in the buying side.

But what we're focusing on now is taking the singularity platform the SentinelOne has and applying that into our customers environments in a way that lets them get more value out of their existing security spend and putting that and really driving towards that EDR vision. So that's, you know, that innovation pace that we maintain. We will continue to innovate internally very rapidly. And that's that's going to be a main focus of us. And then the probably the big elephant in the room that nobody wants to know is when is the IPO? I can't tell you what the month exactly is. I can tell you that that is definitely the next phase. I actually look at the IPO as the starting line. I think we've all got the warm ups done and we've been doing a lot of work and training to get to this point. But we're all really, really excited to get on the starting line and really take off. So we're going and I think you're going to see a bit of direction just with the staler acquisition alone. What we think is this the strategy for the future, but it's going to be building and securing and providing a pretty comprehensive offering that appeals not just to a sister, to a CIO and to a board. So you're going to see that, you know, that business side of the house.

You'll see the IPO, you know, unless some crazy market conditions occur, you know, you can never predict the future and your senior year of college or September 11.

So, yeah, it's it's a it's a strange world we live in these days. Nothing's entirely predictable.

You never predict the future. But I would say that's definitely something that we're very we're very focused on, is letting that IPO that's that's getting us to the real starting line. And that allows us to have a foundation to build a very formidable long term independent company for the four decades to come. That's that's the focus. That's the goal.

So, Jared, I keep hearing from so many people, it's hard to find really good security people. And I have found that to be true for us as well.

So where are they? Like, how do we where where do we go to find the folks that actually have the not just the theoretical expertise, but the practical expertise? Yeah, it's an interesting question.

You can find I would say you can find people anywhere, and that's that's not the only one here. But I'll tell you what, it's really easy to find are people that understand the buzzwords and they know how to swing the buzz words and they can talk about the buzz words. People that understand how to be a practitioner is a bit more difficult. There's training programs and they get people leveled up to be a tier one analyst. I think we can figure out how to get to one analyst and you can go find them at any of the larger organizations where they run their socks and they pay them sixty five thousand a year. And it's pretty easy for company come in, hire them into a senior role and give them ninety five thousand moving somewhere across the country. So, yeah, you can find a lot of those in San Antonio around the officer. You can find them in different cities around the deserts in the federal service, and you can find them around the large organizations, especially the ones based in California. People are people are definitely wanting. It's very difficult to live on. Eighty five a year in the Bay Area. So people in those sorts out there are those socks for the organizations out there. So that's where you find the tier ones. I think the challenge and I think really what the question that you're getting to is how do you find the person that would would have recognized that two factor authentication registration as not an anomaly, but security that you dig into? That's harder, right? Because now you start to go and you start to touch into forensics. But really, what you're looking there is an incident responders.

Where do you find the people that can drive a really, really good security program? You find them in the incident response world. People that have come out of college, they started working for an auditor and they got moved into the the IRR teams or people who were sysadmins. And they got kind of sucked up into EDR teams and doing instant response engagements and been dabbling in forensics and memory analysis. And they understand that world. That's a pretty good place to recruit from. There's actually a lot of companies out there that do that work. And, you know, that's that's where the talent gets a bit more expensive.

Can we build those? Can grow those?

I, I do see some corporations doing that, but I see the majority of that growth even today being done inside of the military. So Air Force LSI, they do some great cyber crime investigation staff, the any of the operations down the AF cyber teams, they get programmatically of different types of skill sets down there.

We do have a lot of core operators, a lot of core testing, run teamers, and then even the large the big five have some decent programs that can get you some some basic skill sets. The problem is that pipelined isn't big enough. Yeah. And the problem is you go look at the universities who are doing cyber training and it's far more problematic right now. Like as a comp sci student, I had a class on compilers. I hated that class. I have nightmares in that class, this data. Right. And I'm not a software coder because I figured out in college I didn't want to be a sci person, but I did that because I had to write a compiler. I did that because I had to write at sea level in Perl and then Java and all these different programs and write different applications. You go through a cybersecurity program. Are you doing memory forensics? Are you doing Foldes acquisitions? Are you trying to do these things remotely? Now you're kind of learning some tools, some skills, but it's still a little too programmatic, a little to a high level things that are still a topic that you cover over a module like memory. Forensics should be a course or two and they should be just as painful as compilers was. Maybe so. So that's a challenging set. Right. And it's it's fine that people to have enough of the understanding of coding and forensics and back and find that right mixed together is what makes challenging. So at the end of the day, the problem is we don't have the right educational pipeline to scale and put out the volume of security analysts that are needed. Yeah, it's it's still reliant on a lot of self help, self teach, self learn or proper exposure in the limited places you get. And that's the challenge.

Yeah, well, I, I think, you know, schools have a have a big challenge in that because to develop a curriculum is hard. And when you're dealing with an industry that's moving at the pace that security is and the level of change that happens in that that world, I don't know how you get around, you know, finding people who are very self-motivated to do that learning. Right. I don't know.

I think it comes down to some expectations and to raising the bar a little bit. The two parallels I would give you here, and obviously an Air Force got to go to aviation. Aviation is a pretty innovative industry. You can go get a degree in aeronautical engineering and you will have some really challenging courses and you'll have a high a high washout rate. But you'll also have a good job when you're done and you're going to be picked up by. Boeing or a Lockheed or someone big, and you're going to apply all of those math and physics models right away, right out of the gate, you're going to learn some skills and you're going to have a very defined specialization within that industry. And there's a fit for you. Yeah, the difference is Boeing builds airplanes, they sell them and they make money on it. Now, you do this as a cyber security person. Let's say you became one of the best forensics analysis analysts out there. Companies don't make money hiring a forensic analyst. Right. So this goes back to the core problem, that cybersecurity is a risk difference. It's not revenue generated. Yeah. And so I can bash on the industry a little bit from the educational side of outsourcing. We're not ramping up and preparing people properly. But unless you're a cybersecurity vendor, you're in a world of cost avoidance, cost deflection. So there needs to be a change in the mindset. And if you look at a system is a business a member of the executive council, as a business member, they're out there to try to figure out how to maximize revenue.

Yeah.

And, you know, ransomware is probably the thing that has shifted a lot of board members that I talked to and a lot of CEOs that I talked to into understanding the financial penalties of this cited that people just didn't care like.

Ok, so Russia hacked us and they got a couple of things maybe and this is bad and we'll spend a couple more million, but they're not investing in it as if it's the same thing as the next product line is going to make them the revenue. They're not hiring the best talent so they can outcompete their competitors to produce the best revenue.

And that's one of the challenges. Maybe the medical industry's a bit closer of a parallel. We have a lot of complex systems. You have a lot of data that needs to be analyzed and you wind up with a lot of specialties. The difference there, though, is as a patient, you will go between specialists. You don't own them. All right. Right. And I think that's where the industry is going to trend closer towards. Companies are going to want to to look to people like SentinelOne and say, OK, you've got the numbers. But the end point, I want these services. I want to pick up all these components in your platform, and I want you to simply provide that service to this company. And I think that's the direction that the industry is going and will continue to go, because that's more aligned with cost avoidance than it is with revenue generation. Yeah, and and if we want to get into a world where there was enough cybersecurity talent for every company to hire and use them, they would have to be making money on the cybersecurity versus just avoiding using it.

Yeah, I think I think you're spot on with that. And I think that, you know, you talk about some of the key security folks that you have in your organization that can reach out and help your customers. I think that's kind of a really, you know, the model that's going to work in this world, because there's going to be concentrations of these really talented people. And I think, you know, companies are going to have to reach out to other organizations to get that talent to help them.

Well, you better be able to keep it when you find it.

Yeah, like this this is one of the things that I think is underestimated is when you've built a program and it generates a ton of data and a ton of alerts and a ton of noise, nobody in their right mind wants to be a tier one forever. That's like saying you want to work and the Help Desk forever. Like, yeah, no, there's everybody has that writing job early on in their career. And you do it and you work your tail off through that grind. And that's what tier one is in cybersecurity. If you hire really, really competent people and then you expose them at all to tier one grind repeatedly, they're going to go work for the place that has better tools, better processes, that exposes into less mind numbing work. Yeah. So I think I fully, fully expect industry to hold me accountable as a vendor to offload the mind numbing stocks. Yeah. And the way we're going to offload it is to isolate them.

Well, and I think another you know, we had the CEO of Arctic, Wolf, on a couple of weeks ago. And one of the things that he said is that, you know, so many of these security people that go into these organizations and half the time they're building boxes and, you know, doing server admin and stuff like that. And that's not a security person signs up for. And that's why he's like, I have an advantage to hire people because they do security work 100 percent of the time rather than, you know, like doing crappy busywork that the organization needs them to do. And, you know, and that's why I think, you know, like organizations like yours are going to have the advantage in that case because it's a more compelling environment to be in.

And at the end of the day, yeah, I mean, look, if you're a really good professional at what you do and you think you're a world class professional, then you probably want to work at a company who has world class tools. Yeah. And lets you challenge and challenge yourself with really complex problems. And if you can't give your top end security members that type of experience and. Yeah, they're going to go somewhere else.

Yeah. Jared, I got to say thanks so much for coming on. I think, you know, you brought some really interesting insights that, you know, we haven't really heard before, I think, regarding the solar wind's conversation. So I think that's that's really great information for folks. And I wish you guys the best of luck. And hopefully you continue your success and you have a phenomenal IPO and you can, you know, continue your consolidation of the market that we're hoping to build something for a long time.

So I'm excited. Thanks again for taking the time to talk to me today. It was fun.

Yeah, that was definitely fun. Appreciate it. Thanks so much. Thank you.

Thanks for watching. If you like what you saw, please click the like button, hit that subscribe button because that's super important for the channel.

And if you want to get notified when I post new content, click on that bell icon and you will get notifications and I will see you in the next video.

Sonix is the world’s most advanced automated transcription, translation, and subtitling platform. Fast, accurate, and affordable.

Automatically convert your mp4 files to text (txt file), Microsoft Word (docx file), and SubRip Subtitle (srt file) in minutes.

Sonix has many features that you’d love including automated subtitles, automated translation, collaboration tools, advanced search, and easily transcribe your Zoom meetings. Try Sonix for free today.


文章来源: https://www.sentinelone.com/blog/stopping-solarwinds-breach-with-jared-phipps-from-sentinelone/
如有侵权请联系:admin#unsafe.sh