Speaker: Damian Ehrlicher – CEO of ProtectedIT
Interviewer: Willy Leichter, VP of Marketing, Virsec
Willy: Hello and welcome to our next installment of Inside Security from Virsec. We’re pleased to be joined today by one of our premier partners. ProtectedIT is an integrator and reseller based in the Chicago area covering most of the country. And we have Damian Ehrlicher, the CEO of ProtectedIT, joining us. So, welcome, Damian, thanks for being here.
Damian: Thanks for having me. I appreciate it.
Willy: Well, Damian, great to have you here, and wanted to get into a few things. Maybe you could briefly introduce yourself and introduce ProtectedIT?
Damian: No, absolutely. So, ProtectedIT is an MSSP. We’ve been going now for about two years. We evolved out of the Chicagoland marketplace, basically working with a lotta the incubators here, Polsky and a couple other ones, just to name a few. And have grown to – just over the past year specifically, obviously with COVID, it’s been kind of interesting. But nonetheless, have continued to grow, have continued to partner with some of the groundbreaking and leading cyber-security companies as a whole.
It’s been kind of an interesting run as of late obviously with COVID and some of the market conditions we’ve had to face. But nonetheless we’ve been up to the task and we have a great team over here and are very excited to continue with the partnership that we have with you guys over there at Virsec.
Willy: Great. Yeah. Perhaps young companies have to be more agile, and it’s a big adjustment for everyone, but maybe we’re more used to the kind of rolling with it and being very flexible. So, congratulations. I heard today, Damian, that you were accepted to the Forbes Technology Council?
Willy: Can you tell us briefly what that entails and what it means to your business and customers?
Damian: Absolutely. Forbes is obviously an amazing brand name in the marketplace, and the technology council is a group of forward-thinking technologists and business professionals that are just looking to collaborate and solve hard problems and discuss some of these harder problems within the Forbes kind of marketplace. We here at ProtectedIT are always looking to solve the perceived unsolvable problems for customers within the cyber-security landscape. So this council allows us the privilege to bounce ideas off of peers in the marketplace and discuss potential solutions in a very open forum.
Willy: Great. I love the term “perceived unsolvable problems.” Maybe we’ll kinda bring that back into the discussion. So you talk to a lot of business leaders, CISOs I assume, security professionals. What’s been top of mind? Now that COVID has been here for a couple months, what were the initial challenges and how are they evolving?
Damian: You know, I think that business continuity was the original discussion, and it was paramount to it. Security and risk have taken on a new kind of unparalleled track where for all this there isn’t a playbook. So everyone’s kind of learning on the fly, which is interesting.
Security as a whole has changed due to the pandemic, and the traditional corporate office is all but dead. So, first and foremost obviously, the health and safety of the employees, vendors, and anyone who physically has to be in an office space to do their job is really what made that curve break.
What I’m hearing from our CEOs and people responsible for risk is that they don’t want to make any rash decisions that put people at risk, right? Whether it be travel or anything that involves physical interactions, it’s 100-percent on pause, right? Until the pandemic is handled, whether it be a cure, treatments, whatever comes down the medical pipeline that decreases the risk for people obviously catching the disease.
This by default increases your cyber-risk though because of the fact that, in order to try and meet business demands, companies’ virtual business practices have had to evolve at hyper-scale speeds. Just not only to meet their custom requirements but to also meet some of their internal requirements.
With the increase in the digital landscape comes the larger attack surface for bad actors. So executives have had to mitigate the risk with a mantra of new processes, whether implementing AI, ML, security protocols, or just looking to get more eyes on glass. Executives are now open to tailoring the investment in their cyber-security business to more of a business continuity play, and what that means to revenue-impacting areas. So tiering these new critical applications that they basically onboarded and making sure the new crown jewels are protected has changed the conversation quite a bit.
Willy: Yeah. It’s hardly new, this sort of disappearing perimeter and people having remote access. But I think we saw maybe, I don’t know, three or four years of change and evolution in about a week. I mean, unprecedented. Remarkable how well companies have done. But I’m wondering: with things – they must be exposing more legacy applications, more back-end things that were at least viewed as having a little bit of security by isolation. Is that concerning: that everything is exposed now?
Damian: Not as much. I think that the rush was the big concern. So we have one customer that took a two-year digital transformation plan, got it down to two weeks just to meet the increase in business. You know, the isolation versus the connectedness question is really interesting. Because as you started to increase bandwidth and employees’ remote enablement, it shifted the business dramatically. And, by default, with the larger attack surface and more vulnerabilities to protect, it’s put a ton of pressure on these SOCs to look at either partnering with other MSPs in the marketplace to really meet business demands, to overlay with them, and to enable these teams, which are basically being buried and overburdened, right?
And a lot of these access to remote employees to what they originally had as these remote systems or the security-isolated systems has really changed the game quite a bit because they needed to open those up to a connected platform in order to have their remote employees be able to do a large portion of their jobs.
I think that access to critical systems and limiting the access to these systems has always been the practice. Don’t get me wrong. I think that as more and more devices have become connected over the past three to five years, with IoT becoming pretty prevalent in the marketplace, best practices – they’ve evolved to ensure these devices – whether it’s a mainframe or some type of IoT car, you need to maintain a level of security that balances the security risk while enabling the user experience, whether it be a B-to-B or a B-to-C platform.
So the IoT quandary has been addressed at the network level initially. But as bad actors have evolved – and they usually do – so have the processes, procedures, and the technology. Like in memory protection. That’s something that has evolved to meet these bad actors at multiple turns.
So I think each business has to look at this as a balancing act. And at the end of the day, it’s a constant evaluation. So: understanding the potential risk to the business and constant evaluation of this on a regular basis is the only way to really mitigate the risk of this excruciatingly tough balancing act, right?
Willy: Yeah. Well put. So, we’d like to talk about protecting applications from the inside. And I’m wondering, from your perspective – you mentioned people are focusing more on their crown jewel, on getting this embedded security. Are they looking to automate more? Are they now rapidly trying to shift their focus from the traditional perimeter model, which was already kind of waning? What’s the thought process with you and your customers? And we titled this “Modernizing Security,” so I’m wondering: are we pushing them or are they pulling us along?
Damian: It’s a combination of both depending on the IT department that you speak to, as you well know. The more evolved ones still have that level of defense. If you’re looking at it from the olden age of a castle, everyone still had the moats, right? And even though you could get around the moats or the castle walls, you still build the castle wall. So just throwing away network security isn’t the right answer. But I think that there’s a ton of commoditized products out there, whether it be firewalls, IDS, IPS. You know, they’re evolving to take on more of the application space as well.
My conversation when I go in to talk to CIOs, CISOs, and CTOs, is: obviously have an understanding of what the network is, but you don’t need to focus on it as much as the application. Or really the application stack, right? Knowing your application and the interdependencies are really what’s critical to building a true resiliency posture. So at the end of the day if someone is dead set on getting to computer A, they’re most likely gonna get there. So understand that and build your security posture, and your disaster recovery plan, to mitigate the risk as much as possible. But understand that if somebody is going to get onto your network and poke around, build your security posture, build your disaster recovery plan, and build your business continuity plan around that knowledge that if someone wants to get on there, they’re most likely gonna be able to do it. Unfortunately.
Willy: Or probably the next attack is from some threat that’s already inside your network somewhere.
Damian: That’s the even tougher part to mitigate, right? The bad actors on the inside.
Willy: Right. Yeah. They are there, unfortunately. So, what brought you to working with Virsec? I know we were involved in a lot of opportunities, but what caught your attention?
Damian: I think that just the forward-thinking aspects of the industry, and you guys taking something that really wasn’t out there and creating a new kind of position within cyber-security for it. So no one was looking at securing it at the level that you guys were at Virsec. So it was at the memory level, understanding that if there’s changes to code or as new code gets pushed, sometimes it’s very difficult for IT organizations to understand that there’s been some type of change to the code. I think that you guys solved that big problem. And in today’s day and age, DevSecOps goes hand in hand. I think that still even DevOps is being dragged along in some IT organizations. And you guys created a one-stop shop, for all intents and purposes, that alleviates that problem.
And when people are doing code pushes on a regular basis – I’m not talking daily, but sometimes hourly – and have follow-the-sun mentalities from a dev perspective, being able to secure that before it goes to QA and operational and production was very key. And there was always a gap in that that they were throwing multiple tools at to mitigate. I think that you guys have taken that, turned it on its head, and said, “Hey, we’re able to move with the speed of business now.”
So, with that being said, your TCO is significantly decreased because of it. There’s a bunch of other financial factors that are easy to lay out for CISOs as well, as well as CTOs. Because oftentimes internally the CTO’s responsibility is to move at the pace of business. Or CIO, depending on how an organization is set up. And the CISO’s responsibility is to protect that as much as possible. And oftentimes they don’t see eye to eye. Your product allows them to at least level set. So it’s a big differentiator when you start to get into the room and say, “You can move at the speed of your business and you could protect the crown jewels and whatever else you see as critical to your environment with one-stop shop and one product,” which has been kinda groundbreaking for the industry as a whole.
Willy: All right. I’m wondering – you mentioned some of the cost factors. Particularly in light of COVID and resources being stretched, are your customers looking to get products that’re less noisy, fewer alerts that they need to chase down? This has always been a complaint. And not just false positives, but the noise level in general, particularly when you have a lotta disparate products. But is that also a driver? Are they even more so now worried about that?
Damian: Yeah. Well, obviously false positives has always been the big thing, and understanding that, and dedupe from a ticketing perspective, even going back to the old network and NOC days. And depending on what day of the week it is, it’s a myriad of issues that they’re trying to address. And sometimes, as you well know, when one fire is put out, there’s another one burning right behind you that you have to cover off on. But wire coverage is a necessity for our customers. So they need to understand that.
And business doesn’t always stop or adapt to the needs of the SOC, unfortunately. Actually often it’s the opposite, which means that – you know, showing an ROI is difficult at times, and to get the CISO into playing internal politics – I mean, they have to kinda dance across multiple lines of business as part of their day-to-day job. So enabling them with a couple of arrows to go into a fight with is always a valuable thing. And with products like Virsec, we very rarely see false positives. So that’s something that’s amazing. It’s groundbreaking in the industry. I could probably count on one hand how many times in the past year we’ve seen a false positive with the product. And actually if I really think back, I think the majority of those were actually just weird anomalies.
Willy: And then the idea of virtual patching – is that resonating? I’m looking for a term. But preemptively taking care of vulnerabilities without patching at some point.
Damian: It’s happening through both I think. I think it’s a combination of eyes on glass – it’s people, process, and procedures, right? It’s people are your first line of defense and your decision tree, making sure that they’re understanding it, enriching what they’re seeing with automation, AI, machine learning, and allowing some of those automation tools, whether they be SOAR or something else, to really fix a lot of the manual processes that’re out there. But I think, from a decision tree perspective, it’s all the above in a SOC, right? You need to look at human interaction, decisions that’re made with obviously a little bit of an AI and ML enrichment to some of those decisions.
But, as a whole, I think it’s all of the above. I think that, as you’re starting to go into cyber-warfare or look at these things, understanding how to enable the SOC, how to allow them to make better decisions, and how to free up a lot of their time so that they can focus on making better decisions that need human interaction – is the key to the whole game.
Willy: All right. Well put, Damian. I think we’ll probably wrap it up on that. I will mention that we’re doing another webinar in a few weeks with ProtectedIT and Booz Allen Hamilton. So stay tuned for that. But any final thoughts, Damian?
Damian: No. I think that we’re very excited to be partnering with Virsec to deliver some of this most advanced security that’s out there. I think that as the OT security market space is evolving, we feel that Virsec is a great go-to-market partner with a lotta this. And I look forward to our upcoming webinar as well with Booz Allen to get some other subject-matter experts that’re living and breathing this from the business side to get a little bit more deeper understanding of how the market is evolving.
Willy: Great. Well, thanks again, Damian. It’s been a great experience working with you. I know we’ve got a lot of things in the pipe that’re gonna be exciting. But great to talk to you and thanks for sharing your experience.
Damian: Our pleasure, Will. And look forward to talking to you very soon.
Willy: All right. Take care.