eSentire with J. Paul Haynes (President) | E111
Protecting the mid market from cyber threats.
Summary:
In this 111th episode of Fintech Impact, Jason Pereira, award-winning financial planner, university lecturer, writer, and host welcomes J. Paul Haynes, President and COO of eSentire, to talk about evolving cybersecurity threats, the challenges of the mid-size market, and more.
Episode Highlights:
● 00:58 – eSentire is disrupting the way cybersecurity is managed.
● 03:28 – There are over 70 categories of cybersecurity companies because the problem keeps changing as technology evolves.
● 05:00 – eSentire serves mid-size companies with between 200 and 2,000 employees.
● 07:05 – Instead of offering certain features, eSentire sees itself as a threat partner, making decisions about traffic and servers as if it were an employee of your company.
● 09:01 – eSentire was one of the first to solve security issues with hedge funds.
● 10:20 – A security breach at a hedge fund would be not just a reputational hit, but could end the business.
● 11:17 – A security analyst can identify the details of a threat as it happens, isolate it, push that model out as an update to all of their subscribers, and shut it down across their network.
● 16:55 – When a threat is detected, eSentire has eyes on it in under 1 minute and has usually completed its investigation within 10 minutes.
● 19:05 – They see somewhere between 7-10 million raw events every day, and of every 1,000 of those only about 1 needs to be investigated by a human.
● 21:48 – Half of the threats they see every day are unique to their network.
● 22:50 – When J started in this business 10 years ago, threats were measured in the 6 week range, and now it’s in the 5-7 day range, but eventually it will be down to minutes and seconds and the threat detection industry has to be able to keep pace.
● 23:30 – These breaches are mostly committed by opportunistic criminals, so you look at means, motive, and opportunity.
● 25:45 – As quantum computing becomes mainstream, we will first have to worry about state secrets of smaller nation-states.
● 28:39 – Most of these efforts are information-gathering rather than disruptive.
● 30:10 – A majority of data breaches are from self-inflicted wounds like clicking a link in a trusted partner’s email that you don’t know is compromised.
● 31:21 – If J could change one thing, it would be to flip the industry so that security conversations are had on the business’s terms instead of the tech terms to help with overall understanding of the stakes.
● 34:39 – J’s biggest challenge has always been recruiting the talent he needs.
● 36:36 – What excites J the most is that there’s always a new challenge.
3 Key Points:
1. The needs of cybersecurity are constantly evolving as technology evolves.
2. Many cyber threats seem innocuous and go unnoticed because they are information-gathering rather than disruptive.
3. AI improves how quickly a threat can be identified but we still need humans to verify and respond to those threats.
Tweetable Quotes:
● “We will be your threat management partner... We will make decisions as though we were one of your employees. We will actually block traffic and we will shut down servers and then we will tell you what we were just able to stop.” –J. Haynes
● “The notion of relying exclusively on protective controls as the 100% solution is naive. They will fail, so you have to get competent at detecting when they fail and be able to react to that in a timely fashion.” –J. Haynes
● “No matter how good the AI gets, bad guys have AI too. They have cloud storage, they have all of the things that we have without any of the friction of rules of business or regulations. I often say, while they are morally corrupt, they are phenomenally gifted.” –J. Haynes
Resources Mentioned:
● Jason Pereira’s Website | Facebook | LinkedIn
● Fintech Impact
● eSentire Website
● J. Paul Haynes LinkedIn
Full Transcript:
Jason Pereira: Hello and welcome to FinTech Impact. I'm your host, Jason Pereira. Before we get started, just two pieces of housekeeping. Just another reminder that if you've yet to sign up for my newsletter at jasonperera.ca please do so. I see several of you doing it, but not all of you so please get on it. Onto my second piece of housekeeping, the 2020 IFID conference, that is the Individual Finance and Insurance Decision Centre conference of which I am on the board, is happening on April 7th, 2020 in Burlington, Ontario. If you're in the area, please take the time to come out and listen to three speakers on the topic of the value of financial advice. Tickets are free and you can find them and more information at ifidconference.com. Now, on today's show. [inaudible 00:00:40] show, I have J. Haynes, CEO of eSentire. eSentire is a security company that provides digital security services for mid-level companies, specifically in the finance space. Here's my interview with J. Hello, J.
J. Haynes: Hi. How are you doing?
Jason Pereira: Very well. Thank you for coming in today.
J. Haynes: Happy to be here.
Jason Pereira: J. Haynes, president and COO of eSentire. Tell us about eSentire.
J. Haynes: Well, eSentire is an interesting story. It's somewhat disrupting the way security has been delivered in the past. We set out years ago to solve a problem that was really a customer ask and they said, "Can you help us with this particular problem?" We didn't know you couldn't do it this way and ended up creating a new category in cybersecurity.
Jason Pereira: Okay. We're going to get into what that new category is. But before we get there, you actually went to the history. Talk about your history before you came to it and what led to that entire development of eSentire?
J. Haynes: Yeah. My background, I'm what they call a serial entrepreneur, which some might argue should have a sentence that goes with it, but this is about my sixth or seventh company since-
Jason Pereira: Padded room sentence?
J. Haynes: Yeah, exactly.
Jason Pereira: Wow. Wow.
J. Haynes: Since university. I started my first company when I was doing my Master's in Engineering at University of Guelph, in what's called SCADA, or now the industrial internet of things because they had to rename it. My background had always been technical and I started the first business back then, which I ended up venture funding and selling to Enbridge, which was an interesting journey right out of school. Then, a number of other companies along the way, including working with European shareholders, which was also an experience. They do things quite differently over there in the tech community than they do here. I did a tour of duty in engineering software, 20 odd years later. Then, from that company, I joined into eSentire and I also had another stop in healthcare software.
J. Haynes: Very challenging industry that there's not a technical problem that we can't solve. There is more of a political line that's [crosstalk 00:02:35].
Jason Pereira: I was going to say low barriers to entry when it comes to regulation.
J. Haynes: Yeah.
Jason Pereira: You just really don't like working for anyone else?
J. Haynes: I guess so. Yeah.
Jason Pereira: Okay. You teased us with-
J. Haynes: Or I'm unemployable.
Jason Pereira: Well, this is the thing about all entrepreneurs. They become highly unemployable after a while. Basically, you teased us with this new category of security. Tell us what you meant by that.
J. Haynes: Well, the background of the industry, and this is still largely how it works today, is you have a lot of firms, somewhere in the 2,500 range right now. It shrunk a lot when there was a lot of consolidation in the mid-2000s. The McAfees, the Symantecs bought up a bunch, but the problem keeps changing. A bunch of new solutions come to market. These firms are typically building a business plan, solving one of the many problems today in the enterprise world. CSOs are dealing with 70 or up to 70 different security technology categories, which is ...
Jason Pereira: 70?
J. Haynes: Yeah. Seven zero.
Jason Pereira: Oh, good Lord.
J. Haynes: There are certainly no fewer than 50 and that's at the enterprise space and they probably have a 10-year lead on the mid-market. The mid-market is still trying to figure this out, and the mid-market are our critical suppliers in many cases to the enterprise. What has happened is the motion is build a plan, get it funded, try and get a bunch of enterprise accounts and get to 30 or 40 million in a single category. Then, you have like exit opportunities. That's a venture cycle.
J. Haynes: I got this repeated to me countless times. I was funding the business, growing it, where they would say, "You guys are so different. You don't actually have any enterprise customers. You're all selling the mid-market. Your biggest customer is less than 1% of your revenue." It's quite refreshing for the venture and how long or secure are these contracts?
Jason Pereira: Yeah. Exactly.
J. Haynes: Yeah. SaaS, we can get into that a little bit later by the time. That clued me into, "Hey, why is it that way?" The reason it is that way is fundamentally at the enterprise level, the chief information security officer or CIO/CTO organizations are the solution providers. They've got a very specific view on their business and a context and they know all the different problems that need to be solved and it's vast and it's complex and they have small armies of people.
J. Haynes: If you look at a company like Goldman Sachs, they'd have 10,000 people in IT. There's probably 10% of them, plus or minus, that are in some security related functions. That's larger than most security companies on the planet just to give you a perspective, so you're all the way down to the mid-market firms and we characterize our lane as between 200 and 2,000 being the sweet spot, but we have customers with 20 employees and others with 40,000 employees, but the range is 200 to 2,000. That, we would characterize as the mid-size enterprise or SME. There's lots of different ways of characterizing it. In that segment of the market, they still have the same problem. They have attackable assets, and the adversary is really a ... It's like it's which one is easiest to attack this week?
Jason Pereira: Exactly.
J. Haynes: If you don't have your defenses up at the level of like a Citibank or JPMC, Royal Bank in Canada, you would see great success. This is the problem, and these people don't even have a lot of times that chief security officers they have.
Jason Pereira: It makes total sense, right? At that scale, you've achieved enough scale that you can afford the full time staff to do that. Not only that, you're typically, especially in banking or something like that, you are in a highly sensitive honeypot of an industry that people are going to want to attack any which way possible, so you have to commit yourself at the top level of that. Whereas if you're small to mid-market, you're typically not necessarily the infrastructure provider to start off. You may be using a custodian, they handle the money side of it. Therefore, you're relying on their technology not only just to keep things secure, but then there's that mid piece where you're transitioning from the outsource provider to the insource provider. That's got to be a real challenge for people to stay secure in.
J. Haynes: Yeah. In financial services, you were getting very close to the origins of the business here. We decided to take on the easy problem of securing hedge funds. The buy side is like the Wild West. Anything that looks like a drag coefficient on getting a transaction done or a particular strategy executed.
Jason Pereira: Yeah. Cut me [inaudible 00:06:43] of a percentage of a second. Not a chance. Yeah.
J. Haynes: Yeah. Yeah. It goes out the way. What you have to do is, as I understand, they're a problem from the executive level there and from there ... Where I'm going with this, is the CISO is a solution provider in the enterprise and they figure out which of these 70 technologies they need. The mid-market doesn't even know what the question is, and so they need an outside party to come in.
J. Haynes: We approached security instead of a set of features as solving the threat problem for them. Very specifically, we will be your threat management partner. We will stand up a business that is basically an extension of your organization. We will make decisions as though we were one of your employees and we will actually block traffic and we will shut down servers. Then, we will tell you what we were just able to stop and that's how [crosstalk 00:07:27].
Jason Pereira: You're managing this on their behalf?
J. Haynes: Exactly.
Jason Pereira: You're an outsourced, basically, CISO in a lot of ways?
J. Haynes: Exactly. But a whole security operation center to get the full extent of it. In terms of those 70 technologies, we have competence of our own stack and somewhere around 20 of them, the 20 most critical lines, [inaudible 00:07:44] in the mid-market, they are still dealing in the top 10. They don't even get down to ... There's some nice stuff and 40 or 50, all the new AI-based capabilities. They're still just basically trying to get the doors locked and get the window latches on and have motion sensors and have that work consistently.
J. Haynes: It's very hard for them because they have ... Take a hedge fund. They got 10 billion of assets under management. They're doing hundreds to low thousands of trades a day. They've got four people in infrastructure technology. They might have a few people in the investment officer's office writing algorithms, but for the most part, they don't have anybody doing security. To monitor 24/7, you need a team of minimum of 10. You see the problem here. You just don't have the resources to be able to do what the big guys do, yet they solve the same problem. They have the same exposure.
Jason Pereira: Yeah. It makes sense. Their mindset is that every resource is towards generating revenue. End of story. Right?
J. Haynes: Exactly.
Jason Pereira: They see another IT person there. I can just imagine they hired someone to run the security and be like, "Hey, can you run this? We're running short on bodies. Can you run an algorithm to do whatever?"
J. Haynes: Yeah.
Jason Pereira: I can see that very quickly getting reappropriated just because that's the way they are. That's their mindset. You're managing this stuff. Are you putting people on ... I'm taking it that it's remote. You're not putting people on-premise?
J. Haynes: Yeah. That was part of the problem. The constraints that were given to us ... The reason I want to spend a bit of time on the hedge fund is because solving that problem for that market actually opened it ... That was five years ahead of the rest of the world in terms of mid-market. The main buying reason for them before any of the regulation came in out of the SEC, which is more like guidelines and regulation. But before any of that happened, it was really they wanted to protect their reputation.
J. Haynes: They're also known as liquid alts and we've seen redemption cycles of 90 or 120 days and they make their money on 2% and 20 the way that all of the asset managers do in one form or another. If they could get hundreds of millions redeemed on a drop of a hat, basically you can't stand a business up in Manhattan on low hundreds. They got to be starting with a B kind of thing.
Jason Pereira: Yeah.
J. Haynes: They want to protect that, plus they can't put it to work if they don't have it. We very much were charged with protecting their reputation because they didn't want to be the hedge fund that had the strategy that was identical to the one down the street that had sloppy security, and that money is lifted and went down the street.
Jason Pereira: Yeah. I almost feel like in that space, there's far less forgiveness. Right? If I was to imagine a major Canadian bank getting hacked or whatever, or it might be an American bank getting hacked and there's a release of information, which to be honest, this happened specifically in the credit card issuers and whatever else. I feel like they take a reputational hit, but not an almost career- or business-ending one that I think the hedge funds would be exposed to.
J. Haynes: Yeah. It's exactly the terms I use, a business-altering breach could be somewhere between career and company ending. That's one of my lines actually.
Jason Pereira: Oh, yeah. It's something that should be frightening, should be keeping them up at night and being a priority. Security is an ever-present need in this industry. Interestingly enough today, I just recorded for my other podcast an interview with a specialist in cybersecurity. We've had this conversation here [inaudible 00:10:42]. Tell me about how you actually deploy the solution? Besides making sure that your solutions do not get in the way of the microseconds that they need to transact, what is it you're doing for them? How are you implementing?
J. Haynes: The technology stack has evolved, but in today's day and age, a lot of encryption and so forth, what we do is we have a sensor, which is a super high capacity server, to record all the traffic going in and out of their network as well as some of the internal segments of the network. That's like a DVR, if you want to think about it like that. Now, this is a method. It's called full packet capture, but think of it as the ability for an analyst who gets a signal that something weird might've been going on to be able to rewind the tape and replay the crime scene happening.
J. Haynes: That crime scene is electronic. From there, we can harvest the details of the threat that's come in. We then isolate those and move them into a contained area and then call it detonated, but there's a lot of Hollywood in this industry, but basically pull all of the ... What we call indicators of compromise, see what the tradecraft was up to. From there, that's how you actually develop threat intelligence. As soon as you gather that and you can make an assertion that this is a systematic threat, then we can take those indicators and push it out to all of our subscribers. It's like a crowdsourcing model. Then, immediately, as soon as we see it, we block it before it even gets in.
Jason Pereira: You've crowdsourced the entire threat assessment situation. If any one of your clients basically has one of these threats, someone starts sniffing around a certain way you haven't seen before, you quickly isolate it, identify it, basically figure out what the playbook is for and systematically shut it down across the entire network?
J. Haynes: That's right. Now, the one most at risk is going to be that first [inaudible 00:12:22].
Jason Pereira: Yeah. That first [crosstalk 00:12:24]. Zero days in trouble.
J. Haynes: Yeah. It's immediately onto their network and then everybody else, but usually within an hour around the world. We're in 3,000 data centers, 700 customers, which could be a rough idea. Securing over six trillion of combined AUM, which causes us to pinch ourselves every once in a while because you've got a fairly high responsibility. We are the primary security organization for those customers, not the backup.
Jason Pereira: It's interesting. As you think about the larger case providers that you said, right? God forbid, there's a threat assessment that comes in and one client basically leaves because they're so angry with them, right? That can really devastate that company because you're dealing in the mid-market. That risk of customer loss is smaller. You catch it, you do it, but that person, that company is just still like, "Oh, you didn't catch this before it even happened. You weren't a pre-cognitive protection, so we're getting rid of you." "Okay. Go ahead and get rid of us, but now we managed to at least ... You left, but we saved everybody else." Right? From a business standpoint, it's a lot more sustainable quite honestly.
J. Haynes: Yeah. We don't have the high concentration risk and it is a very competitive market, so we are a premium service. We probably cost 30% higher than the next closest, but we actually do quite a bit more. If we come back to what I talked about creating this new category, we had a bunch of different names for them, but what it's known as now is Managed Detection and Response. There's a big analyst firm. You may have heard of Gartner Research.
Jason Pereira: Yeah.
J. Haynes: They came up with this whole classification of security technologies and they have ... One category is called protective technologies. Another one is predictive technologies and then detection technologies and response technologies. What they would basically say even including the enterprise is that ... Well, they may be a little over indexed on protective and predictive. They are way under indexed on detection and response. The reason for this is-
Jason Pereira: [crosstalk 00:14:13].
J. Haynes: Yeah. Well, no. The reason for this is because the notion of relying exclusively on protective controls as the 100% solution is naive and they will fail, so you have to get competent at detecting when they fail and be able to react to that in a timely fashion. If you can't do it yourself, get a service [inaudible 00:14:32].
Jason Pereira: Bring soldiers on the walls as opposed to keeping some back and someone kicks, someone breaches the wall?
J. Haynes: Yeah. Yeah. We created the category. We argued with these guys. Let me be clear on that. For five years, we threw chairs at each other in our analyst briefings because they just didn't get it. They wanted to call us basically an MSSP or something of sort of outsource or kind of model that you think of as sweatshops in far away places. That was not what we were. Then, all of a sudden, they became the smartest analysts in the world and came to their senses in 2016, so there was 10 ...
Jason Pereira: We'll just write down what you've been telling us the entire time. That's basically it. Yeah.
J. Haynes: There were 10 companies in the first year. This year, there's over a hundred that claim to have these capabilities. We are in the league. We're the largest pure-play doing this and we are getting chased by a hundred and ...
Jason Pereira: That was good.
J. Haynes: It's good, but it keeps us on our toes, for sure.
Jason Pereira: You also have a network effect, right? The more companies you have, the more potential attack surface of your entire network. Right? If any one of them gets attacked, you detect and basically you're able to push that out. There's definitive safety in numbers here, right?
J. Haynes: Yeah. There's another ... It's interesting because people look at it as binary. The breach is not binary. Our definition of success is preventing business altering [inaudible 00:00:15:43].
Jason Pereira: Yes.
J. Haynes: Typically, what we see has already bypassed all of your controls, right? They're already in and it's a question of can they achieve their objectives? I'm not going to try and make you an expert on cybersecurity in this short a discussion, but think in terms of an adversary needs to do somewhere between 15 and 20 actions in order for them to achieve their objectives. We have to catch them and stop them some time before they hit the last one. You never know what the last one's going to be, but the name of the game is early detection and containment. Dwell time is what we aim to minimize. We often will ... We will get one to three compromised systems. We shut them down, contain them. Business carries on. The most we've had, we're dealing with a nation state ...
Jason Pereira: [crosstalk 00:16:25].
J. Haynes: Yeah. It's not a favorite of let's say, our friends south of the border.
Jason Pereira: Was that down in the town?
J. Haynes: Yeah. Down. They were there after a very specific individual who was speaking nasty things about their government. A billionaire who was trying to get landed immigrant status in the US, so we had 30 or 40 attacks simultaneously coming at us. Usually, we're dealing with one at a time, but that's an extreme case.
Jason Pereira: Yeah.
J. Haynes: That's what we're all about. It's to give you some sort of idea of speed and reaction. When we detect a threat coming in within 45 to 60 seconds, we have eyes on glass and on average have completed the investigation under 10 minutes. Time is of the essence and it's self-serving for us, but it's also exactly what the customer wants us to do because that minimizes the risk exposure.
J. Haynes: For us, it's self-serving because the sooner that we can contain it, the lower the chances are that we're going to have it spread to one, three, 10 systems because as a SaaS company, a software as a service company, we have a fixed price contract. The more people hours we have to spend on mitigating it-
Jason Pereira: The less profitable [crosstalk 00:00:17:30].
J. Haynes: Exactly.
Jason Pereira: Yeah. I guess I'll go back to [inaudible 00:17:34], the men in the walls versus holding them back. The guy, they breached the walls but they haven't breached the keep. Right? You're basically ...
J. Haynes: It makes sense.
Jason Pereira: Just because you get in doesn't mean suddenly the entire database got downloaded. You're looking for specific things. You're looking to change certain things. You're looking to modify certain things. Right? Any number of things or potentially like we discussed earlier in this other podcast, it's ransomware the entire place and encrypt everything, right? As long as you can stop them at some of those actions, congratulations, you've breached. You came away with nothing.
J. Haynes: The ransomware is an interesting case because a couple of years ago, it was very, very smash and grab and they'd encrypt and demand ransom and typically targeting consumer level individuals. Now, they're much more studied. They acquire a lot of G2 on the site. They have been in for a while before these larger ransoms were being demanded. There's a good probability that they've exfilled all of the data that can ... Certain recent breaches where they demand a ransom to get the data back.
Jason Pereira: Oh, [inaudible 00:18:31]. Those enterprises, there's been a number. I've seen like hospitals seem to be the honeypot for this sort of thing because they typically do not have up to date software and everything because either they don't have the budget for it or they can't because it would not make it possible to run certain equipment. You get lots of holes there. Yeah. That's a troubling one. Tell me ... We know what you do and you seem to be doing a very good job of it. Tell me about the different types of threats you're seeing your clients face? What's on the rise? What's happening? What's the commonalities these days? It was a prevalence of this. How frequently is this happening? Are you seeing these tactics?
J. Haynes: Well, I can talk to our data. We see somewhere in the seven to 10 million raw events every day. These are after-
Jason Pereira: Seven to 10 million raw events every day?
J. Haynes: I can go into some details, but we've actually ... We had acquired a leading AI company out of Seattle. We were in the headquarters in Toronto area here of big data and artificial intelligence. We couldn't build the team fast enough because there's such demand, so we actually bought a whole company called Versive out of Seattle and they brought the capabilities to us to apply analytics at a scale that we knew we needed to do. The numbers are for every 1,000 raw events, we're using analytics, AI and a bunch of other capabilities to narrow that down to one that has to be investigated by a human. Of that one that's investigated by a human, or sorry, for every 12 that are investigated by a human, there's about eight or nine of those that are all related to the same threat with a different signaling because they don't come with calling cards, so you don't know exactly ...
J. Haynes: Now, you get some false positives in there as well, but we have to keep the falses at a certain level to maintain efficacy. Then, you would have, of the order of 800, let's say 400 to 800 in any given day where we're alerting a customer ... These are valid threats and somewhere in the neighborhood of 10 to 12 of those are live hand to hand combat. We're dealing with an adversary. Yeah. That's across those customers that aren't all hedge funds. That's probably a little over half of the 700 are in that segment. A bunch of other financial services, legal services, healthcare, manufacturing, engineering and architecture, management consulting. A lot of service private organizations seem to be ... Known to the adversaries as a nexus of proprietary information and typically in the mid-market, somebody that's not got the controls in place to prevent the entire network being encrypted, so they get targeted a lot.
Jason Pereira: Wow.
J. Haynes: The day that the president was announcing the executive order on technology companies dealing with China, if you recall last fall, that exact day, we had a 5G supplier under attack and we were able to act [inaudible 00:21:11].
Jason Pereira: [inaudible 00:21:12].
J. Haynes: Yeah. Maybe it was, and we had to convince their senior exec to escalate this and bring in law enforcement because it was at that level, right? We were defending them, but there was a systematic thing. These sorts of things do happen and we have a shared view with a lot of the intel community on the adversary and with what you hear, we have a lot of threat intelligence partnerships with ... For instance, in Canada, our signals agencies, CSC, we have a feed from them. We have commercial feeds, some of the biggest companies in the industry. Half of the threat intelligence that we are putting into action and every single day is unique to what we've discovered in our networks, which ...
Jason Pereira: So 50% of everything you see is unique to something-
J. Haynes: To our network.
Jason Pereira: It's the first time you've seen it?
J. Haynes: That's right, but we're paying big subscriptions like FS-ISAC. I don't know if you're familiar with that one.
Jason Pereira: No.
J. Haynes: This is the largest threat sharing organization in the world. Financial Services Information Sharing and Analysis Center. They've got somewhere north of 5,000 members, all the big banks. Everybody is in it, and they're sharing threats. It's like if one of us gets hurt, all of us get hurt. That's what the whole notion of it is as one example, and then our signals agencies and so forth. But the point being that even with all of these feeds, which we're paying tens of thousands a month for, it's still latent to the actual live threat.
J. Haynes: It's latent by five or seven days and the bad guys have access to all this same stuff. As soon as they see their indicators being shared, then they pivot off of them and come up with new ones. When I started in this 10 years ago, these were measured somewhere in the six-week range or four to six week range. Then, it was 10 to 20 days. Now, it's five to seven. I know where this movie ends. It's minutes and seconds. That's what scares us is can we be fast enough on our threat detection?
Jason Pereira: That these guys are going to basically pivot literally the second they get caught, that's ...
J. Haynes: As long as they have humans in it, then they have the same ... That's the same limit as us.
Jason Pereira: They're the same limitations.
J. Haynes: Yeah.
Jason Pereira: Well, artificial intelligence is going to push that. That's the reality of it. Oh, that is a lot. No, those numbers are staggering quite honestly. What else should I know about what it is you people are doing? Because right now, I'm a little bit overwhelmed by the size of the threat.
J. Haynes: Yeah. There's really ... We always like to characterize it. Well first, you look at means, motive and opportunity, which is the way the FBI started studying crime back when it was created. That still applies here. You've got opportunistic criminals that are very much the smash and grab guys. If they can establish a beachhead, they can actually sell that. They can sell it outright, or they could sell them as a percentage of the proceeds and somebody ... They get into a law firm and they don't know what to do in a law firm, but they can find someone on the dark web that does. Now, all of a sudden, they're instant partners [crosstalk 00:00:24:01].
Jason Periera: Or drop at the Wikileaks because you know it was a law firm out of Panama, whatever.
J. Haynes: Yeah.
Jason Periera: Yeah. No.
J. Haynes: Former law firm. Yeah, exactly.
Jason Periera: Former law firm. Good movie about that, I watched it the other day.
J. Haynes: You've got this whole idea of what they're after, and the ability to get at it. The tools and the methods that used to be fairly scarce and somewhat secretive are widely shared. Just the same way as Linux is an open source operating system, there's open source bad guy too. To the point where nation states now can have equal effectiveness using open source tools that regular cyber criminals are using.
Jason Periera: This is stuff that you develop in house [inaudible 00:24:37] security.
J. Haynes: That's right. A lot of that stuff has come from stolen. Like the Iranians lost some, the NSA lost 75%. All of those tools are ... If you remember WannaCry?
Jason Periera: Yep.
J. Haynes: That came out of the NSA tool set, the SMB.
Jason Periera: Oh, yeah. I remember that. Honestly, we're having this conversation at an interesting time because the attorney general just filed against ... Just basically starting to complain that Apple's not turning over the key. They want them to help that shooter phone get unlocked. Apple's like, "Again, we can't just make a backdoor for good guys. This is not possible. Look, the NSA let all this stuff. Are you kidding me?" Right? Oh, it's [crosstalk 00:25:16].
J. Haynes: Yeah. Then, hit the fast forward button, what we should be worried about is everything that's been stolen that's encrypted and no one has spent the time to decrypt it because that's very expensive compute time, not possible, but you've got a lot of patience. All of that stuff with quantum machines can basically crack in a hard demand. There'll be a period of time where all the secrets are set ... Historical latent secrets will all become-
Jason Periera: All the stuff that's in there with a still locked in boxes, those boxes are going to get cracked open once quantum becomes proliferative?
J. Haynes: Yeah.
Jason Periera: Then, it becomes an arms race on the quantum side?
J. Haynes: Yeah. The good news is that we'll probably start with nation states. It'll be fairly isolated. The bad news is it'll start with nation states, so we don't need to worry about our consumer reputations as much as ... Or company reputations or consumer data as much as state secrets, but those are different threat actors. You've got the criminals, which will basically get into a network, figure out how to ... If there's fungible assets or somehow to monetize it, one way or another, ransomware has become so effective now. There's even firms, and this makes me sick to my stomach, that their whole business is to help broker and negotiate the ransom and figuring out Bitcoin for the customer that started out with Bitcoin.
Jason Periera: You said the conversation with the insurance guy because essentially it's like, we do everything we can to see if we can not pay these guys. At the end of the day unfortunately, you're in some situations where the company's got no choice and all you got to do is hope that they're going to release the keys. Luckily, they can do some investigation to see what the probability of that is, but it just isn't ... We'll go back to it. There's an old saying, Brazilian jujitsu. When you ask the instructor and you say, "How do I get out of this move?" If they don't have the answer to the classic answer, simple, don't put yourself in that position.
J. Haynes: Exactly.
Jason Periera: Defense is the first line of offense in a lot of ways.
J. Haynes: Yeah. You've got the criminals and there's a range. There's organized crime as well and hackers are celebrated in other parts of the world. Like in Russia, there's [inaudible 00:27:10] called Hacker where ...
Jason Periera: Really?
J. Haynes: It's scantily clad women on the front of yards with Lambos and they celebrate their successes. It's that kind of scale. You've got a hacktivist, which they do not believe in what you're doing, so they want to disrupt your business on moral grounds.
Jason Periera: [inaudible 00:00:27:30].
J. Haynes: Then, you've got nation states.
Jason Periera: Yeah. Nation states.
J. Haynes: Yeah. Nation states. Nation states have traditionally a few exceptions. I'll go through a couple of those. They're mostly gathering intel. Low, slow, go in, take the stuff or observe continuously and get out. They don't have any intention on disruption. Now-
Jason Periera: Well, that happens on occasion. Let's not forget the entire [inaudible 00:27:47] and nuclear fiasco.
J. Haynes: That was Stuxnet and then the Saudi Aramco had their systems wiped out. That was attributed to the Iranians. The Lazarus group, which is attributed to the North Koreans, we did hand to hand combat with them, are the ones that took out the Sony network over that movie.
Jason Periera: Yeah. Which was a great movie anyway.
J. Haynes: Yeah. I thought it was funny, tongue in cheek.
Jason Periera: I liked it, but I thought this is what you got so worked up about.
J. Haynes: Yeah.
Jason Periera: That was extremely destructive.
J. Haynes: But those are a few of the very rare exceptions and there was the Ukrainian power grid. A good chunk of it got taken out by the Russians [inaudible 00:28:24] crisis. There was a dam in Westchester, New York that the Iranians are purported to have broken into. It was just a tiny little water control dam of 10 feet of water behind it.
Jason Periera: Yeah. But they were testing the ...
J. Haynes: They were testing. But besides that, and we're probably talking like decimal something percent of all of the nation state attacks, all the other ones are information gathering and planting latent capabilities for future use. Their whole job is to stay cloaked. We don't know how extensive it is. The interesting thing is the mid-market has been easy to get into for a long time. Assume that there's beachheads in there and it's true in larger enterprises, but it's going to be far less true in larger enterprises.
Jason Periera: How much of this is systems? How much of this is people at this point? You're seeing attacks. You generally deal with attacks that are inbound, right? How much of this is actually being perpetrated just through to ... The weakest link is typically the staff, right?
J. Haynes: Well, there's two parts to that answer. One is the white collar crime insider threat is still probably the most prevalent, most costly, but we don't generally deal with that. That's tougher. Larger organizations have internal investigators and so forth for that, but we're mostly dealing with external actors. There's that category of the internal threat, but really if you look at our traffic, the 90, 95% range, high confidence, are self-inflicted wounds. Humans have actually triggered and have invited ...
Jason Periera: 95%. Yeah.
J. Haynes: We've got hard data on this. They have invited the adversary in by either clicking on a link in an email, opening an attached document, opening an attached document from a trusted party, and this is where we can just come back and talk a bit about supply chain, but we're in a trusted business relationship. You send me a document, you don't know this got a payload inside of it and I open it, then I get compromised. It's self-inflicted wounds and I'd like to describe what we do is we lie in the weeds and we keep the customer safe from themselves at that point in time when they click on that link.
J. Haynes: When they click on the link, they are going internally to externally through their firewall and inviting that payload to come into their machines. Basically, the adversaries have ... Sure, they can brute force firewalls, but if your firewall is configured properly, that can have a success. They're not all configured properly. That's why it still happens. So called pen test, which is a bit of pretend when you're blasting away at a firewall. Any given business has got between 200 to 500 knocks at the door every single hour on their firewall and none of those things are worth responding to because your firewall is set up properly. Those things don't matter.
J. Haynes: It's when somebody invites you in and you come in with full permission, "Oh, yeah. Come on in. Door's wide open and have a seat over here." That is what's happening. Unless you create telemetry to be able to detect that, then they're going to come in all day long.
Jason Periera: You gave us a glimpse behind the curtain of a cyber warfare, my friend. Well done. The numbers and scale are staggering. Before we wrap up, there's three questions I ask everybody. If you had one wish for something you can change in your industry or your company as a whole, what would it be?
J. Haynes: Well, there's a self serving element of this. Regulations to compel people to do what they should do makes me crazy and worse than that where you have people advocating for the government to pay firms to do what a normal business person should do anyways. That part, it's all upside down. What we have is we have a challenge and that the entire industry ... Can I say sucks in this thing?
Jason Periera: You can.
J. Haynes: Okay. They suck at being able to convert cybersecurity risk into the terms that boards of directors and executives understand. This is a business risk. It's the same as health and safety, environmental, foreign exchange, all the risks that everybody knows how to deal with, and we show up with our propeller caps and we talk zeros and ones and packet capture and deep inspection and all this stuff. That makes me crazy because it's kind of like ...
Jason Periera: It's all jargon.
J. Haynes: These people aren't smart enough to understand. Well actually, we're not smart enough to translate it into terms and understand.
Jason Periera: To communicate. Yeah.
J. Haynes: That's where I want to see. That is one wish, is to have the conversation in business terms. It's a risk and needs to be mitigated with things that you can do easily in house. Bring in the extra help to reduce it more, transfer a little bit with insurance because most of it doesn't transfer. Then, self-insure the residual and that is how business runs all the other risks, so why can't we do that in cybersecurity?
Jason Periera: Honestly though, how many weeks go by without a major [inaudible 00:32:52] at these days? [inaudible 00:32:56] weeks. How many days go by?
J. Haynes: It's daily.
Jason Periera: It's daily. Right? It's daily. The scale of them ... Not all of them are as stupid as the entire Equifax admin username and admin, password, which by the way, just how is that guy not in jail?
J. Haynes: Well, that was the CSO ...
Jason Periera: Who?
J. Haynes: A chief scapegoat officer.
Jason Periera: Who had a background in music or English, was it?
J. Haynes: Yes.
Jason Periera: Yeah.
J. Haynes: Actually, nobody has ... Anyone with gray hair can't have a background in security from a university because ...
Jason Periera: It didn't exist? Yeah.
J. Haynes: It didn't exist. Those programs are just coming to bear now.
Jason Periera: Oh, boy. Yeah. If I'm a company that has to deal with all those things, forget it. Talking about business risk, this to me has to be the number one business risk. You have again, the enemy who could basically A, cripple your operations, B, steal your data and destroy your reputation. C, basically steal your money. Once they're in your systems, what is it they can't do? It's the same thing as literally opening up the door and saying, "Hey, criminals. Come in and do whatever the heck you want. By the way, my staff's just going to move aside from the keyboards while you do it."
J. Haynes: Yeah.
Jason Periera: That's the level we have to look at it as.
J. Haynes: Well, being FinTech focused, you think of, "There's not much that we do now that hasn't got some electronic communication with a counter party and a trusting or an implied trusting relationship."
Jason Periera: Exactly.
J. Haynes: I see you've got an iPhone there, there's implicit trust when you go to that app, because there's the walled garden Apple model, but there's an implicit trust and you are surrendering immediately something that could compromise, but our economy is running at that speed, so you've got to weigh these two.
Jason Periera: It really is a difficult conversation. Yeah. Lots of difficult ... Everything's trade offs when it comes to security. Second point, what's the biggest challenge you faced in getting the company to where it is today?
J. Haynes: The biggest challenge has always been recruiting the talent that we need because as a service provider, different than a software publisher, every time we add X number of customers, we have to add threat analysts. Our ratios are fairly low, like five to one. In the managed world ...
Jason Periera: Good. Keep going. How many companies can they truly understand inside and out?
J. Haynes: Yeah. We've seen ratios as high as 100 to one.
Jason Periera: Basically, they have no idea what's really going on in the company?
J. Haynes: Exactly. Our challenge had been, and it remains today, is access to talent and we've actually integrated ourselves so deeply into the ecosystem here. Six colleges, three universities. We're on boards. We're giving lectures. We're helping with the syllabus. We have our whole internal training program. We actually are bringing folks in out of college with a three or four-year technology network with a bit of cyber, and we have to upskill them to be able to take our load and then have them peer watched for some period of time, and then they're capable to run.
Jason Periera: To run. Yeah.
J. Haynes: That has been, and that will remain the industry's biggest challenge because no matter how good the AI gets, the bad guys have AI too. They have cloud storage. They have all of the things that we have without any of the friction of the rules of business or regulation.
Jason Periera: Regulations. [inaudible 00:36:02]. Yeah. Exactly. We can't do that. There's no such thing as we can't do that.
J. Haynes: Yeah. I often say, "Well, they are morally corrupt or phenomenally gifted," and you can never underestimate the adversary. The essence of managed detection and response is using all these technologies to detect, but then having a human doing the last mile of gray matter correlation. There's just patterns that need to be observed and acted on that are way beyond any machine to discover today.
Jason Periera: Absolutely. What's that line? I think it was from Dr. Who of all places is, "The problem with good men is they have too many rules." Right? They're restricted. Right? Last question is what excites you the most about what it is you're working on and gets you up in the morning to keep doing what it is you're doing other than the fact knowing that there's imminent threats everywhere?
J. Haynes: This is going to sound a little crazy, but I did have ADD before I started in this industry and honestly I could work in another one because there's constantly new stimulus and you see the creativity of what the bad guys are up to. Then, we always think in terms of seconds, hours, days to come up with a detection and mitigation and so forth. It's constantly a challenge. There is never a dull moment and it's not like a, "I need the adrenaline rush, although I drive race cars."
Jason Periera: Maybe there's a correlation there.
J. Haynes: Extreme skiing. Anyways, it is the sort of thing that once you're in it, it is probably hard to leave. If not, impossible.
Jason Periera: Yeah. The constant stimulus, the constant rush. I'm sure there must be times where you even just sit back and look at the attack and be like, "Wow. That was masterfully engineered. I've been trying to quash and to feed the limits of humans and soon to be computer ..." What's the word I'm looking for? Imagination almost.
J. Haynes: Yeah.
Jason Periera: It's got to be quite the challenge. Well, I'm glad guys like you are on a chair.
J. Haynes: Well, we're doing our part. Also, I tell my staff when we do town halls. Like I said, "Just think in terms of the six trillion of AUM that we're securing. There's some percentage of your RSP or 401k that the pension fund has allocated into that strategy and every time there's a loss, then that's a slightly lower return and it's going to be death by a thousand cuts."
Jason Periera: That's it.
J. Haynes: It's our job to protect our own stuff.
Jason Periera: Absolutely. Once again, thank you for what it is you do and thank you for the time. This has been greatly informative and I looked behind the curtain of what we don't normally talk about in this side, but we do touch on security, but this has been quite the masterclass. Thank you very much.
J. Haynes: All right. Well, thank you.
Jason Periera: That was my interview with J. Haynes. I hope you enjoyed that and I hope you enjoyed pulling back the veil of the side of the world that most of us don't get to see. It was a little bit frightening, quite honestly. I'm glad guys like him are out there stopping the bad guys and they're legitimately bad guys, crazy enough to say. As always, if you enjoyed this podcast, please leave a review on iTunes, Stitcher, or whatever it's in your podcast. Until next time, I'm Jason Periera. Take care.
Speaker 3: This podcast was brought to you by Woodgate Financial, an award winning financial planning firm catering to high net worth individuals and their families. To learn more, go to woodgate.com. You can subscribe to this podcast on iTunes, Stitcher, and Google Play, or find more episodes at fintechimpact.co.