David: Hi, my name's David Hasfurter, senior systems engineer. I'm here at New York Tech Summit 2019, our 15th year anniversary. And I'm sitting down with Jeff Miller to do an interview. Jeff Miller just recently joined Arctic Wolf, which is a security firm that kind of listens and watches what's going on within your firewall and within your network. So, please enjoy as I sit down and talk to Jeff Miller.
David: My name's David Hasfurter. I'm a senior system engineer with TERACAI. I'm here with Jeff Miller who is working with Arctic Wolf now. What's your exact job title actually?
Jeff: So I'm the Northeast channel account manager, so DC up to Maine and then Buffalo to Boston.
David: Gotcha. So you know, obviously working with TERACAI and working with other partners, but overall Arctic Wolf is kind of new to TERACAI's portfolio. But overall, how would you explain Arctic Wolf at a higher level?
Jeff: So you and I were talking about this earlier and there's the five pillars of NIST, right? Identify, protect, detect, respond and recover.
Jeff: And Arctic Wolf really plays into those, the detect and respond, right? So it's known as a managed SOC, so security operations center, and it really fills those two out of the five pillars of NIST where we'd know what a sunny day looks like on your network, and we can tell you when it's rainy. And we do that with a sensor that goes as a tap to your switch. It's looking at what's going in, what's going out. It's getting all the feeds from the various log sources and syslog and things like that, as well as an endpoint piece that's shipping logs to it. So we have that intelligence and somebody smart babysitting essentially.
David: Wow. Yeah, that's pretty cool. So you say on the switch side, so you're saying inside of the network, or would it actually be what I consider the edge or on the firewall level?
Jeff: Nope, it sits behind the firewall. So a tap or a span on a core switch typically.
David: Okay, nice. And so you guys are able to ... You guys have a team that's located here in the United States that are monitoring it?
Jeff: Absolutely. Well, we have a team in several different areas. So corporate is there in Sunnyvale, California. We have a team in Utah who's part of the SOC team. Most of sales is in Minneapolis. And then we also do have a team just South of Toronto where there's a bunch of SOC people up there. I call them SOC people, but you know ... It's obviously--
David: Sock puppets.
Jeff: No, very animated sock puppets.
David: So those different teams are kind of watching the networks and stuff like that. You know, we talked about earlier off mic where some of the IT people, some teams for companies aren't that big and they just can't monitor every single thing that's going in. So that's really where your team comes in and looks at all that.
Jeff: Yeah, I mean, we have a sweet spot. So I mean, you're going to have huge enterprise businesses and they have dozens of security team people inside where they have the ground workers, team lead, supervisors, we don't ... That's not the space that we attempt to play in, right. I mean, your huge healthcare conglomerates and those sorts of things, or financial institutions. But companies that are getting big enough where there may be a couple hundred, maybe a couple thousand employees, they don't have a security team. Or maybe they have one security guy and he's kind of buried in policy. On top of that he's sleeping at three o'clock in the morning, right. So our team, we pick up the phone and call you at three o'clock in the morning letting you know, "Hey, we think there's an incident," so that guy can get his rest.
David: Yeah, that's nice. And I think some of the parts that I don't fully understand in my role, even on presale engineering role, is that there's a lot of government changes, a lot of standards being pushed to enterprises, a lot of things that enterprises, all different verticals, right? Healthcare, education, SLED, you know, all that stuff. They have different requirements. So, what are you seeing kind of as an industry trend in some of these standards that are being pushed?
Jeff: Yeah well, in New York state, you have the Department of Financial Services and just over two years ago they put out this DFS 23 NYCRR 500 to be specific, to be oddly specific, regulation and section 500.09, to again be oddly specific says, "Hey, you need to be doing continuous monitoring. And if you're not, you can do penetration testing and vulnerability assessments." But think about vulnerability assessment's a point in time snapshot and then two weeks down the line, who even knows what's changed on your network and what patches are missing and what right, what zero days were discovered in between then, right, so.
David: Who comes out with a new attack that wasn't ... That was patched for a while ago, but now all of a sudden is new and advanced.
Jeff: Right. So in addition to the managed detection and response, we also have what we call our managed risk product. And that's essentially a continuous vulnerability scanner. So we load in your subnets, we know we're scanning and we just continuously go through. So there's no, like in that example, there's no two week gap where we said, "Okay, we've got a snapshot and now get another snapshot and, 'Oh by the way, your attack surface was this large in between.'" You have an opportunity to reduce that attack surface each and every time we find something live.
David: Yeah. And you know, what would you say Arctic Wolf's maybe five year goal. Are they looking to expand out and try and cover different areas or are they really going to stay in this niche of really monitoring and really taking on that role versus maybe selling firewalls for example?
Jeff: Yeah, I don't think for corporate purposes I can say too much on that-
David: Okay, sharp.
Jeff: But I can tell you ... What I can tell you is that we're in rapid growth.
David: Okay, that's awesome.
Jeff: Company has doubled over the last 12 months.
Jeff: It's just, it's every month, every, I think it's Monday every few weeks there's a new hire class sort of thing. And it's almost like on your first day at college and it's all, everybody with bright eyes and the team there is just a team of A players. They're people who want to get stuff done and they want to serve the customer and just eliminate the noise of SIEM, right? Everybody's like, "Sure, I got a SIEM." And yeah, so we call those noise generators, right? That's why you need a team of, we call them concierge security engineers, looking at what's going on and taking those millions of alerts, converting them to thousands of incidents and then ultimately maybe a hundred actual things you need to deal with.
David: Absolutely. Yeah. And I'm not huge into firewalls and stuff like that, but even looking at my Collab stuff, right? I can see my Collab stuff getting hit constantly and you know, it's using a lot of SIP traffic and stuff like that. People are trying to hack into that, trying to ... And I'm not monitoring that log. You can't, you can't sit there and watch that all day.
Jeff: Let me give you an example. So, and I can't, for nondisclosure purposes I can't say, but-
Jeff: ... there was a pest control company and again, Collab they had, I don't know if it was Cisco or what it was, but they had a system that was internet accessible. You know, it's one of those things you can schedule meetings on it and that kind of thing, right? So it's like a regular Windows server running this backend Collab software. A hacker in France hacked into that.
Jeff: So through their essentially voice over IP system, they got into the network. These guys were down for several days and their revenue lost per day was over $30,000 a day, literally just shut down their call center. So I mean proactively, like what would it cost you to do this versus are you willing to tolerate something like that? And the embarrassment, right. You know, I tried to call your call center, your ad was running and I just got nothing, that kind of thing.
David: Yeah. I mean, a lot of companies they understand insurance policies but they don't understand it for network security still. And it doesn't make sense. I mean, T.J. Maxx, Home Depot, all these big companies that we have ... Everybody has seen globally that just get nailed. And to your point, $30,000 a day is nothing for them. That's a lot for them to lose. But it's not a lot to pay for an insurance policy to have you guys coming in monitoring.
Jeff: Honestly. Yeah, that's the same thing as auto insurance, I mean. So yeah, a couple of dollars a month versus you lose your car, there's 20 grand like. I mean, it's the same thing and smart people ... So people that we think are doing it right, their mindset is security and not compliance. And what we always say is if you're focused on security, compliance will just be a joyous side effect, right? If your mindset is of excellence, of protecting private data of like you said, being proactive, compliance will just shake out. And then shake the tree and compliance will fall out.
Jeff: But you're focused on compliance and just checking a box. You're not really strategizing, you're going with the lowest dollar amount there and you're not really putting the pieces together. But we really help people, again that DFS regulation, there's a lot of new Regs that are being copied and pasted. We call that regulation creeps, and New York puts this reg out. Oh and by the way, South Carolina as of January 1st has a copy and paste regulation of that New York state reg with minor modifications.
Jeff: But everything you had to do over here, now you got to do it over here in South Carolina. Rhode Island has a bill out there. It's essentially a copy and paste. So I tell people, "If you're not regulated now, just wait, I mean you will be, so you may as well get ahead of it."
David: Yeah. I want to go back to that point that you made of compliance versus-
Jeff: Security versus compliance, the two mindsets.
David: Security versus compliance. Yeah, yeah, so that's interesting because one of the companies I worked for was that mindset of doing the compliance stuff first versus doing the security stuff. And I think that's a good point to take away that you focus on the security and have that well done. And like you said, "Boom, right here is all the data for your compliance." And it takes care of itself.
Jeff: Yeah, I mean, in the United States the NIST cybersecurity framework is the de facto of standards. If you're aligning with that framework, I mean all the different Regs, it's like a Venn diagram where 90% is overlapped in the middle, right? So if you're doing risk assessments, if you're doing vulnerability assessments, if you have a SOC like Arctic Wolf, if you're doing all these things, aligning them with the NIST framework and then, "Oh by the way, I need to be HIPAA compliant or PCI compliant." Well that's going to follow.
Jeff: Just do this over here. And maybe 10% are going to be on the fringes, but you're already hammering out 90% of where your compliance needs are. So start with security.
David: Yeah, absolutely. I mean, it's silly for any company nowadays to not think about security. I mean, phishing attacks and all these sophisticated stuff. The cryptos and stuff like that.
Jeff: Yeah. Crypto mining is actually, to your point there, crypto mining I've seen ... I mean, studies are ... Statistics for, take them for what they're worth. But I've seen many recent news articles that crypto mining is actually surpassing ransomware, okay. So that's another thing that we find at Arctic Wolf. And I can again with-
Jeff: ... non-disclosures but we can see that stuff going on, and we can, "Hey, this machine is reaching out." And stuff that normal AV isn't going to find.
Jeff: But through AI and machine learning and all the peeped eyes on the glass kind of thing, we pick that stuff up.
David: Yeah. And from TERACAI's perspective, when working with Cisco as one of our main partners for doing security, they mentioned it in the Lightning Talk. Earlier today Sean Miller mentioned, at New York State Tech Summit 2019 he mentioned a lot of times people just put a firewall up and, "Hey, I'm secure." Well, it's way more than that nowadays, right? There's so many more layers. You can have the firewall, but if someone takes that laptop home and then brings it back into the network, you got that vulnerability and you got the constant hacking on the firewall in way more sophisticated fashions than we've ever seen before. So more than ever these types of stuff is needed, so.
Jeff: Yeah, I want to make a point on firewalls. So Google has this transparency report, they call it, the Google Transparency Report. So Google Transparency Report, two Google's there.
David: Do I Google it?
Jeff: Yeah, you Google, just to be clear. And the last time I looked at it and it fluctuates, but their statistics are based on the Chrome browser. Basically crowdsourced statistics if you allow anonymous stats to be sent back and forth. Over 80% of both web and email traffic, which by the way, those are the two primary workflows in any business, is HTTPS or TLS.
Jeff: So the fact that people have these firewalls and they're setup and they're great, but they're not decrypting that stuff. So it's kind of marching through your front door. During that connect string you can see where something's going, but not necessarily what is happening after that. So, so much is going on and just marching through people's front doors. And I just evangelize, you need to be doing SSL decryption and I know all the Cisco firewalls are capable of it. I think people are just scared about certificates and deploying them and ...
David: Even on the engineering side, consulting side, certificates kind of scared me because of how involved it is to learn it and to understand it and deploy it correctly. But once you do it, man, it really helps take your mind off of it and it is that much more secure. Why not have certificate signed security?
David: It's not that hard to really grasp and learn once you ... Especially once you do it a couple times. And even us as consultants, we've done it on VMware, on the Cisco stuff and stuff like that, so we understand it. But for internal customers, even having that Microsoft certificate server that's updated with the certificate authority and that pushing certificates out to their servers, that's better than having everything not signed-
Jeff: Right. Right.
David: ... to start, so.
Jeff: No, exactly. And once you're able to ... I mean look, we say it's dubious security. Would you allow 80% of the stuff through your front door if you didn't know if it was good or bad? That's crazy, right?
David: Right, yeah.
Jeff: So I just, I evangelize on that point. And the other point I evangelize on is MFA and it's silly that even today people, "Oh, I don't want to burden my people with multifactor authentication." And I'm just like, "So hitting approve on your smart phone is causing a burden for your employee?" Let me get that right, okay.
David: Right, so on that point and kind of switching topics from our two businesses and kind of going into real world examples and off topic a little bit per se. So WWDC or whatever, your Apples, you know, big conference just was, they talked about that app sign on. Did you follow that at all?
Jeff: No, I've been on the road for how much weeks.
David: So, one of the big things that they pushed and that they're starting to do is they got the facial recognition. We all know that's how [inaudible 00:14:31] up phones. But what they're starting to do now is to log into apps. What they're going to do is allow you to generate a generic email address that Apple provides, generic made, but then it uses your facial recognition as the security password. So they're giving you a 1325 digit hashed password that's incredibly hard to decrypt. But obviously nothing's impossible. But then it's using this anonymous email almost to login. So, and that's at the app level.
David: So you know, that's kind of ... If you think about where Apple is going with security, I really like Apple security. I like Siri. I personally don't like Alexa and Google Home. I just feel like they're listening too much and-
Jeff: They're listening, I'll tell you. So just to jump in. So I'm a Pixel user, love the Pixel, love Android, love the design, everything about it is beautiful, great camera. But we're having a conversation right now. I guarantee you in 10 minutes when I go to flip right and look at my feed, we're going to have pieces of this conversation just magically show up-
Jeff: In my results of my newsfeed. And it's like, "But I didn't write it down and then it wasn't on a computer or there was no email." And it's just, it's like just a listening device.
David: Yeah. And Siri is obviously listening as well and they're collecting data and how much Apple is using that data, I don't really know. But I've heard too many examples of Alexa listening in and doing that same thing. All of a sudden on your Facebook you have an ad for something that you'd never even searched for and boom, it was listening inside your house. So what's your kind of take on AI machine learning and all this data. I mean, come on, it's more, I don't even know what's bigger than that. It goes gigabyte, petabyte.
Jeff: Exabyte and-
David: Yeah. I mean they got to have that type of level of data being stored on their servers.
Jeff: Oh yeah. I mean, it's crazy. And who even knows what the architecture is? I've heard there's a lot of commodity gear and they're just using crazy super awesome algorithms. So the storage is super cheap. I don't know how they're doing that-
David: Oh okay, Compress or whatever.
Jeff: Yeah, yeah.
David: But still the data that they're collecting on us, right.
Jeff: It's huge.
Jeff: Terabytes used to be like, "Oh, you got a terabyte hard drive."
Jeff: That's massive, right?
David: Yeah. We can go back to my first PC was a 100 megabyte hard drive with 16 megs of RAM.
Jeff: Wow. I remember having a Tandy 486 or one of the 80s, x86 is where you can press a turbo button. It would like double the clock speed. It's like, "Why would I not want to press that?"
David: And then, when I was going to college, I remember getting my first flash drive of 75 megs-
David: ... compared to the 1.4 megabyte diskettes and stuff. So the amount of data and stuff and with Moore's Law, it's just incredible to see change over our timeframe. But unfortunately, I can't give credit to who said that joke. But going back to the Alexa and Siri, it was, a guy walks into his house and he whispers to his wife, he goes, "Hey, what do you think, how was your day today?" She's like, "Why are you whispering?" He's like, "Well, I don't want Mark Zuckerberg to hear about this." And she's like, "Oh, that's funny." He starts laughing and then Siri starts laughing, Alexa starts laughing. Because you know, they're listening, right?
Jeff: Yeah, yeah.
David: So just, it's crazy to me and I ... Me personally, I'm an Apple fan and I think Apple is doing a good job with the security. And that was one of the things that they pushed at their conference.
Jeff: They're forcing encryption on the devices for ages, right? Like they were always just that was their big thing. I think Google is doing a good job too. The latest iterations of Chrome are sort of HTTP shaming some people call it. There's a big debate out there, but-
David: Like shaming and like not allowing websites to go through because they're not meeting their security standards?
Jeff: Big. Like, "Hey, this is a security risk. It's an unencrypted website. You want to proceed, proceed at your own risk kind of a thing." And the use of HSTS forcing, an encrypted connection. So they're making moves too, but definitely a little bit room for improvement I think on their mobile devices. I mean, when you're going back to machine learning too, one of the things I do like on my Google phone is if I swipe to dismiss a notification a certain number of times in a certain period it will come up and be like, "Hey, we saw that you aren't really digging those notifications. You want us to kind of mute those things?" I'm like, "Yeah, actually that's super handy." So, and that's like a very basic form of machine learning.
David: But it is.
Jeff: Those little things that we don't even think about, they're in our lives.
David: Oh yeah. And it's only going to get more and more prevalent as time goes on.
Jeff: That's right.
David: It's not stopping. We're seeing, we're right now we're seeing that growth spiking. We're right at the forefront of it. So, I think it's a very interesting topic and security is definitely going to be playing a big part of that because they are collecting this data. What's happening with that data? Can other countries see that data?
David: Everybody was worried about the NSA tapping into our phone. Well, that was a directed phone call. One-on-one phone call that they were listening in on. Not, here's a Google Home in my daughter's bedroom.
David: You know what I mean? That could potentially have tons of data that I don't want any other people to hear about, so.
Jeff: Yeah, it's wild.
David: Yeah. The industry is just fast-paced, always changing. Keeps us on our toes. We're in different industries, but at the same time it's ever evolving in our own industries and stuff like that.
Jeff: Yeah. We're going to be gainfully employed for the foreseeable future here. I always think about, I always ponder like, "What is, because technology comes and it goes, and when is VoIP going to go away and when is this going to go away?" So, cybersecurity, it's not going away.
David: Oh no, oh no.
Jeff: It's here to stay.
David: Yeah. I look at VoIP and stuff like that. And businesses are always going to have phones. They always need to be able to communicate, where the big changes is in the contact centers, right? So you call into an agent, well we've already seen it change from live voice to automated. Now the automated's getting machine learning. Oh, I recognize that David called in at two days ago, talked to this rep and had 20 minute conversation and this rep is now available again, I'm going to route the call directly to that rep because he's already talked to that person.
Jeff: He's doing the connection there. Wow.
David: Yeah. So it is that type of machine learning and AI being inputted more into contact center. Not so much the big evolution I would say with VoIP is going to the cloud, right. So that's the big change that I see there. But like you said, we'll be employed for a long time.
Jeff: Amen. Absolutely.
David: So kind of wrapping things up. I appreciate the time Jeff talking, just having a casual conversation about what we see in our industries and everything. So again, we're here at New York State Tech Summit 2019. Hope you enjoyed this podcast, anything, any last word?
Jeff: No, just check out Arctic Wolf, check out TERACAI. We can help you out, work great as a team and that’s it.
David: Absolutely. Yeah, thank you guys.
David: Thank you so much for listening to that interview with myself, David Hasfurter, with Jeff Miller from Arctic Wolf. I hope that you learned a little bit something about security and within where machine learning and AI is going and how security is going to play a big role in that going forward and kind of our thoughts back and forth on that. Again, this is David Hasfurter at New York State Tech Summit 2019. Don't forget to follow us at TERACAI and Arctic Wolf.