SASE vs SD-WAN: Why Layering In Security Matters

Over the past couple of years, the need for organizations to be agile to react to changing business needs has accelerated network transformation at all levels. But SD-WAN, while a step in the right direction, only addresses a very small part of the networking footprint. That’s where Secure Access Service Edge (SASE) enters. By taking a look at the entire scope of connecting people and assets, SASE can allow an organization to function in a fully agile IT mode without compromising its security posture.


Listen to Matthew McKee, Director of Technology and Transformation at Bluewave, and Rich Korn, Security Product Specialist at Masergy, discuss these topics and more:
  • SASE as a framework, not a solution.
  • What is SD-WAN technology’s role in the SASE framework?
  • What are the four CORE security components of SASE and what are their roles?
  • Is a SASE approach to network transformation right for everyone?

Transcript

Matt McKee:

Hello everyone, and welcome to our SASE versus SD-WAN webinar. We’re going to give everyone a few minutes to roll in here, and we’ll get started in about 60 seconds. (Silence). All right. The attendee roll has started to level off, so we’ll kick off today’s webinar. First, I’d like to say thank you everyone for joining. We’re very excited to present this topic to you today. As a reminder, this is being recorded, and you will receive a link with the follow-up video if you’d like to share that with anyone who wasn’t able to attend or for later review. Bluewave is happy to host Rich Korn from Masergy to discuss SASE versus SD-WAN: Why Layering in Security Matters.

Matt McKee:

It is a very hot button topic with a lot of marketing around it, so we look forward to hearing how Rich helps clients demystify this space and understand what can actually drive them. Rich, thank you for your time today. I’ll turn it over to you. But before we do, real quick, we do want this to be interactive, so feel free to ask questions in the question and answer section. We will interject those in the appropriate slides or we’ll address all questions at the end of the presentation. Thanks. Go ahead, Rich.

Rich Korn:

Cool. Thanks a lot, Matt. As Matt said, my name is Rich Korn, security product specialist for Masergy Communications. I’ve spent about 25 years in this industry now, so I’ve been selling a whole lot of different providers over the course of the years. When I do these kinds of presentations, I try to make them as educational as possible. Not so much going to be Masergy-specific. I do have to put a couple of plugs in here and there, or they’re not going to let me do these moving forward as far as my own company goes. What I want to do is, really the goal is to try to make you think today, what are you doing well, what are you not doing well, what kind of changes should you be making, and how you should really be approaching the topic of SD-WAN, SASE and the new SSE, all these wonderful industry buzz words and buzz terms that kind of come out.

Rich Korn:

So this is going to be more general. I’m going to point out a couple of my core security tenets that I believe in. And we want this to be interactive, so as you come across with questions, please pop those into the Q&A. That will be monitored. Matt might answer some of those immediately in the Q&A section, he might interrupt me to ask a question throughout, worst case scenario we’ll [inaudible 00:03:58] to the end or follow up with answers to those questions individually.

Rich Korn:

So what we’re really going to cover today is really how to think about SASE as more of a framework, as opposed to the industry definition out there and why. We’re going to talk about SD-WAN and where that role fits in, and I might even pick on Gartner a little bit and address the fact that they now have this new SSE, secure service edge, and they’ve removed the network portion. Big mistake in my opinion. I’ll kind of explain why. We’ll talk about the security components included in the SASE definition, where they fit, where they’re good, where they’re not good. And most importantly, we’re going to focus on what security components are missing in the definition of SASE. And then lastly, and I think the most relevant to you is going to be some information questions to ask how to approach things internally, who to involve to make sure that you end up with the right SASE solution for your organization, as opposed to what the industry themselves is trying to tell you to buy.

Rich Korn:

So let’s go ahead, and I’m going to start off with a couple of questions here from a poll-based perspective. So I’m just going to pop these up. If I can get back to it, question number one, and hopefully… It didn’t do that. All right. Well, the poll needs to get restarted, and I really have no idea how to do… There we go, relaunch poll. That’s the button I’m looking for. So Matt, can everyone see that first poll question? Looks like we’re good to go. Okay. Just give a couple of seconds on this one. And I’ll explain why I asked this question here in just a moment.

Rich Korn:

All right. We’ve got about 15 people who have not answered the poll question yet. All right. We’ve got most people have responded on that, and I’m actually pleasantly surprised at the answer. We’ve got probably about a quarter of the people on this call have more than six people dedicated to security. When I say dedicated… And this might change your answer, I mean they’re not wearing multiple hats, they are only doing security. And yeah, immediately that just dropped my number. Okay. So here’s what we’ve got from that one there with regards to the first question.

Rich Korn:

Typically what we’re finding is that most people don’t have more than six people for security. Well, my core security tenet number one is that security is a 24/7 job, meaning you need to have about eight people minimum in order to be able to do that job. You need to have three eight-hour shifts per day, plus vacation coverage, and then maybe a little bit of expertise beyond that. All of that is to say that most customers have been set up to fail when it comes to security. They’re overworking their poor security people. All right. Let’s go to question number two. And I’ve got to reset that one again, because we did a test earlier.

Rich Korn:

So question number two did not show up properly. All right. You know what? We’re going to skip the poll. Question number two should be this one. And just think about this one to yourself on how are you monitoring your alerts today. I have a lot of customers who have a SIEM, that’s great. I’m from the Midwest originally, so I refer to a SIEM as a junk drawer in the kitchen. It’s where you put things, and then when you have an issue, you go back and say, hey look, yep, there’s my alert, I wish I was monitoring that 24/7.

Rich Korn:

Some people say, hey, we get this SIEM, we get these critical alerts, we handle those. If you’re on a sinking ship and you’re only patching the big holes, you’re still going to sink. The real question mark comes into play is, how are we getting that 24/7 eyes on glass across all of our individualized tool sets, and that’s very, very hard to do without a lot of expertise in all different categories of security. Now for today’s topic at hand.

Matt McKee:

I would also just real quick add, as you think about a SIEM tool, think about also what’s going into that, or if you have outsourced monitoring, what are they actually monitoring, because the less data you put into it, the less details and accuracy you’re going to get out. So even if you have a tool, there may be still room for improvement there.

Rich Korn:

So this one I was able to pop back on, and I do want the answer to this particular question. How comfortable are you with the SASE conversation today? And if anyone replies back that they could give the presentation themselves, I might put you on the spot. For the people who are saying, it sounds like their kid’s attitude, I get a lot of that. And then the most popular one right now I’m seeing pop in here is the, heard of it, but I need to learn more. And part of that is… Matt made the statement earlier, all the marketing. There is so much marketing information out there. Everyone has their SASE story, that it really becomes, I’m going to call it impossible for customers to understand what their options truly are. And we’ll address that right at the end here. So let’s go ahead and just kind of pop that up there as to… Most of you are in that exact same boat, which is good, because that’s probably why you’re on this particular webinar today, and we’re going to address a lot of that information.

Rich Korn:

So let’s jump into this. When we talk about SASE, simply put, it is nothing more than the integration of network and security, and this becomes very, very important in the world that we’re in today, because as we started having this transition, the digital transformation to the cloud… I think Matt even has it in his title, it comes into we started taking data outside the castle and putting it out for a walk. And that was still fine, because everyone had to come check in at the castle in order to go get that data. That’s where the security was. Well, then comes the fastest digital transformation tool ever known, and that’s COVID, and everyone started working remote, working from anywhere. I go work from the side of the mountain quite often, because I can do that now.

Rich Korn:

The problem is from a security perspective, security is about visibility everywhere there’s data. And I’m going to come back to that. That’s my security tenet number two. Now I’ve got remote workers accessing cloud-based applications, and all of my security is sitting back at the castle, which means either you make everyone VPN into the castle and hairpin back out, that can degrade application performance, creates a huge choke point, or you’ve got to find some other way of getting that visibility into what those remote workers are doing with those applications. So in today’s world, I like to say you really cannot have a rational conversation about network without talking about security, and the reverse is also going to be true.

Rich Korn:

So I love the fact that the industry is driving this integration conversation, I hate the fact that they tried to define it. In my opinion, SASE has two goals, and two goals only. Number one, improve security, number two, optimize application performance. Now how that gets done is going to vary for every single individual customer, because every customer’s environment’s going to be different. Their data might be in different places. Most customers I’m talking to are a hybrid-based environment. They’ve got data in the cloud, data on-prem, data sitting in a colo, they’ve got data on endpoints at home, which is probably a company violation. I may or may not be guilty of that. This was recorded, wasn’t it? Whoops. So how do you get that visibility across the board? How do you get access to it, secure it without degrading the application performance? That’s really what SASE’s trying to accomplish.

Rich Korn:

Unfortunately, the definition that they came up with contradicts those two desired outcomes for most customers that I talk to. Just to give you an example, I live up in the mountains of Colorado now, my closest pop is two and a half hours away in Denver. So if I have data on-prem, how does it benefit my application performance to go all the way down the mountain to Denver, do all of my security checks to come all the way back to access the data that was 15 feet away at LAN speeds, and instead I’m trying to use mountain WAN speeds? That’s going to degrade my application performance and violate my two desired outcomes. So how should we be thinking about this? Think of it as a framework. The definition of SASE is on top, and I’m going to come back to pick on that later. It really comes down to is, what should my network look like on a site-by-site basis, what should my security look like on a site-by-site basis, and then you begin to customize that and build that particular solution.

Rich Korn:

That’s really what it needs to end up with. So I’m going to start with the network component, and then we’re going to go ahead and build that up from there and we’re going to talk about what’s potentially missing from the SASE framework. I’ll give you a really big hint. Gartner has been saying since June of 2016 that the detect and response stage of the NIST cybersecurity framework are critical to a good security environment, not important, critical, but they’re not part of the definition. Oops. Now in Gartner’s defense, they have also said that SASE is a journey, not a destination. So they gave themselves a little bit out to tweak that definition as they go. Now, how they tweak it, different conversation.

Matt McKee:

So Rich, as you think about the last slide around the unification of network and security, a lot of customers have legacy infrastructure teams, and in the era of cybersecurity, they’ve gone and hired one or two, maybe six plus people who own security, but they’re still often looked at as separate functions. I’m a network guy, I’m going to stay in my lane. I’m a security guy, I don’t know what the network team’s doing, but I’m going to create standard and push it out to them. Outside of the synergy you lose there, what risks do you actually impose using that kind of a model and not looking at it as a unified conversation?

Rich Korn:

Holy cow, Matt, that’s a separate two hour long conversation. I’m going to say the first thing you’re losing… And I’ll kind of jump right to it here, is that holistic approach. That’s my security tenet number three, is it requires a holistic approach. Being able to incorporate different things and making sure everyone’s on the exact same page. And I’m actually going to talk about this a little bit, as to how to approach that conversation internally and why. My wife ironically works in risk compliance for a global finance company, and what I find in talking to a lot of customers is, the risk compliance team is looking to check a box, the security team is looking at security, the networking team is looking at optimizing application performance. Instead of being on the same page, they tend to be looking at products, A, B and C, whereas option D could have covered all three of those for less than A, B and C combined, which is why it’s also important to have the executive leadership and finance involved in those conversations.

Rich Korn:

So breaking down those silos. Anything in security, silos are bad. Another reason why we talk about that holistic approach in security. Very, very similar, having those different department segmentations, those are bad. Now my wife’s company, which will remain nameless for right now, I’m going to pick on them. I used to play hockey with one of their security guys, she worked on the risk compliance side, and their two bosses never spoke. So my wife was having lunch with them one day, talking, having a conversation, they realized this, they invited their bosses to lunch, and now they meet once a week to make sure that risk compliance and the security team are on the same page as far as what they’re looking to accomplish. That becomes a major challenge within a lot of organizations.

Rich Korn:

We’re going to come back to that in more detail later. So let’s jump into the network. When we talk about the SD-WAN part and its role, this really becomes important because of application interdependencies. I might be working from home accessing a cloud-based application, that might be the front-end for an [inaudible 00:16:47] sitting in a colo, and that might be pulling finance data from a finance server that’s still sitting on-prem for security reasons. So when we talk about that goal of optimizing application performance, you have these application interdependencies. This is why that backbone still matters.

Rich Korn:

When I talk about security being about visibility everywhere, that also includes in transit. If you use watching movies, bank robbing in the beginning of a movie, bad guys go in, they rob the bank, they come out, there’s a police chase, helicopters following the getaway car. In the beginning of the movie, the bad guys always get away. Why? Parking garages, tunnels, overpasses, airports. The helicopter loses visibility in transit. So this is why I like to say the backbone for most scenarios, depending on what the application is, it still matters. When we talk about SD-WAN, there’s really three different kinds of SD-WAN. And very, very relevant point here, if anyone ever walks into your office and says that SD-WAN replaces MPLS, show them the door, because they don’t understand basic networking 101. MPLS, point to point private line, public internet, broadband, wireless, two cans in a string, those are all transport technologies.

Rich Korn:

SD-WAN is an application routing technology that’s transport agnostic. It doesn’t care what the transport is. In fact, part of its job is to be able to pick the proper best-performing transport in order to optimize that particular application performance. So when we talk SD-WAN, three very basic types. Number one, I call the box pusher mentality. This is going to be people like Meraki, people like Fortinet, who we use at Masergy for our own appliance, but it’s part of the Masergy SD-WAN… I’ll get to that in a moment, but Fortinet has their own. You might hear this referred to as over the top. They don’t care what the transport is. Transport can be anything. The benefit to a box pusher mentality is it’s very low cost, it’s transport agnostic, you can mix and match as you need to. The downside to it is, it only has visibility for ingress and egress. There’s no network for it to keep track of it. It doesn’t have visibility into that.

Rich Korn:

Second type I refer to as internet access providers. They don’t want to deal with the circuits. Most of you on this phone call right now don’t want to deal with circuits, because where’s the biggest problem in your network? The local loop. You get to deal with the telecommunications companies and deal with circuits. So the internet access provider SD-WAN companies said, we don’t want to deal with circuits. They found a way around that. They put together their own private backbone, usually linking a whole bunch of Equinix data centers, and they said, bring your own internet connectivity and just get to our data center, and it’s a private backbone from there.

Rich Korn:

That’s a decent solution, so long as you are in major metropolitan areas with multiple high quality redundant internet connections. In my career, I have put lines in a Gulf Coast barrier island, I’ve put lines off the Pacific Northwest coast on a barge, I have put lines in a gold mine in Suriname. I’m good at geography, I had no idea where in the world Suriname was. It’s just north of Venezuela, in case you care. The point is, none of these areas had good high quality internet connectivity, especially redundant internet connectivity. So that would’ve been a poor choice for those particular organizations, yet if you look at the definition of SASE, they say it needs to be native internet, that degrades application performance for a lot of customers.

Rich Korn:

The last component that I want to refer to is the MPLS providers, and they tend to force you to use MPLS for a certain percentage of their network, because they’re trying to maintain the network they’ve spent billions of dollars on and probably haven’t paid for it yet. They’re convoluted, bureaucratic and super, super expensive. I’m not going to mention them anymore. The Masergy philosophy. I said I had to give a couple of plugs in here and there. We customize our solutions for every individual customer. So when I talk about creating your SASE story for your specific environment, I want to take into consideration what’s the proper transport options for each individual location, take into consideration their application performance requirements, their security requirements, their redundancy requirements, and their budgetary requirements. Now we chose to use Fortinet true next gen firewalls as our edge appliance. We can get all kinds of security components with 100% software defined core network, sub-millisecond jitter SLA, 100% in sequence packet delivery.

Rich Korn:

So we don’t even need to use forward error correction. That’s a crutch for an inferior backbone in my opinion. And we can mix and match those different transport types, even to the point of bringing in your old decrepit competitor’s MPLS network that you bought a company, and it came with a five year contract. You can bring your own internet, we can provide it, doesn’t matter. In our world, our dedicated access is a true point-to-point clear channel private line all the way to our pop. This is all done with those two goals of optimizing application performance on a site-by-site basis and improving security. And I’m going to come back to improving security more in depth here in just a moment.

Rich Korn:

When it comes to connectivity, well, we just talked about all the different transport options we can integrate, but now where’s all that data? Is it in colos? We’ve got that covered. Is it in prem? We’ve got that covered. Is it in the cloud? We have access to over 200 plus cloud providers from right off of our core backbone. Being a founding member of the Equinix Cloud Exchange, we’ve got Megaport, ExpressRoute for Azure, Direct Connect for AWS, et cetera. And then that security component. I mentioned the Fortinet next gen firewalls, our philosophy when it comes to security is not to put security in the cloud, I want to put security wherever it needs to be enforced so I don’t degrade application performance. So I can put firewalls on-prem, in the cloud, colo, between departments, at home, even all the way down to the endpoint itself.

Rich Korn:

So I want to enforce my security policy, but I want to centralize the management of that security policy. Speaking of management, we sell fully-managed solutions, but being a very, very transparent company, we give full access and control of layers four through seven to the customer. So you can have as much involvement as you want within that environment, or as little. I have some customers who live in there, could probably give portal demos to other customers, I have other people, if I put a gun to their head and said, log in, they’re going to be in trouble. So when we start to talk about the SASE story-

Matt McKee:

Rich, real quick on that last slide, if you look at that cloud connectivity layer that you have there, so obviously most people are familiar with the logos that we have up here to the traditional cloud providers. You mentioned that there are over 200 in your ecosystem through the Equinix Cloud Exchange, Megaport, et cetera, what are some of the ones that are being adopted that traditionally have gone straight over the internet, but customers are finding a security or performance increase that they may not readily think of off the top of their head of, oh, we do use that, I didn’t ever think about bringing that into the SASE conversation?

Rich Korn:

Oh, that’s a great question, and it actually brings up a very important point I’m going to bring up, so thanks for the plug on that one. You set me up nicely.

Matt McKee:

My pleasure.

Rich Korn:

Office 365 probably been the biggest one. You’ve got a whole bunch of unified communications providers out there that are public internet based. How are they performing? Where’s the problem with their performance? Where’s that actually coming into play? Things like Dropbox, Salesforce. I mean, the list goes on and on as what people are actually utilizing over the public internet. And for a lot of those, you might be fine. For some of those, you might be going, maybe we should be running this over a private backbone as far as possible. You look at application performance and part of their importance of that private backbone. The public internet is really a network of network networks. There’s no visibility. There’s no control. It’s hot potato game, want to get the packet off my backbone as quickly as possible.

Rich Korn:

So if I’ve got locations across the globe, and I want to communicate let’s say from here to London across the pond, that’s potentially a lot of latency if I’m using the public internet, but if I use internet access to a private backbone that has a sub one millisecond jitter SLA and can guarantee 100% in sequence packet delivery all the way over to London, now I have consistency in my application performance. So maybe that application for that particular environment makes more sense going over the private backbone. Now, one of the things that we do, being 100% software-defined core network and being application aware is, we can actually provide that level of telemetry to the customer on a circuit by circuit basis as to how their applications are performing.

Rich Korn:

So we might come by and say, hey, these 100 locations, these 98 perform better over our private backbone, but these two… Maybe they’re across the street from the actual storage place where that application’s being hosted, perform better over the public internet. And then we have referred to as our machine learning, which we call AIOps. Think of it as a virtual engineer built into that backbone pulling all this telemetry data and making recommendations all the time. So part of that is guesswork, how’s this going to perform over the public internet versus the private backbone. In the Masergy world, we actually give you that level of visibility to make those kinds of determinations.

Matt McKee:

And then when customers do incorporate their core business apps into this kind of a framework, I assume it will also give them visibility into potential shadow IT or data leakage sources where they weren’t able to identify those, but now they have an application aware infrastructure they can?

Rich Korn:

Yeah. And that’s something that we tend to get much more in depth with in our conversation across our own backbone. Being the fact that it is 100% software-defined, means it is application aware. So we can see every single application going across that backbone. And then one of the reasons why we chose Fortinet as our edge appliance is, we now combine that application information with Fortinet’s application risk scores. They’ve done a scale of one to five for about 4,400 plus applications now. So you might say, hey, here’s some banking software because we’re overworking our poor security person who’s in charge of everything. So he’s doing personal banking from the office. Perfectly fine, perfectly safe, we’re going to let that go, mark that as [inaudible 00:28:02] risk score of one. Here comes Matt. Matt’s on TikTok at 2:30 in the afternoon, taking up all kinds of corporate bandwidth. TikTok is a risk score of four. Personally, I think it should be a risk score of five. I don’t want TikTok running across my environment. So I can literally click on a button and block TikTok from my entire environment.

Rich Korn:

So yeah, that’s at large what that shadow IT discovery is going to be for. We include that, and then we include the WAN identity analytics, so instead of having an IP address and then have to go back and compare that to DHCP server and say, who got assigned this IP address at 2:30, it actually says Matt McKee. So I know exactly who I need to go have a conversation with about being on TikTok at 2:30 in the afternoon.

Matt McKee:

Okay. And I think it’s important to just… You mentioned kind of in that example, all of that transparency is endpoint and transport agnostic, whether I’m a remote user, I’m in my office, I’m on a tablet on wifi on an airplane, IT gets that level of visibility across the board.

Rich Korn:

So long as it’s hitting the backbone. And this is where-

Matt McKee:

Right. And as long as I’m a remote access user, and I’m tied into my corporate SASE framework.

Rich Korn:

Mostly, but with one little caveat, if you’re talking about the Fortinet environment specifically, and you get the EMS client on the endpoint, I can now see and enforce and monitor that policy at the endpoint without having to have them come back to the core backbone. So they could be sitting in a Starbucks and decide, I want to go to poker.com, potentially nefarious website, it is blocked at the endpoint level, doesn’t have to come all the way back to the corporate network, and if I have that 24/7 monitoring service, which we’re going to come back to here in just a moment, that log actually gets put through that I tried to go to poker.com. So that’s one of the main advantages with regards to that Fortinet environment, it doesn’t have to come back to the castle anymore. I don’t have to take up corporate bandwidth, and I can still enforce and have visibility into my security policy on that endpoint. That becomes critically important when we’re talking about work from anywhere.

Matt McKee:

Excellent. Thanks.

Rich Korn:

So SASE does have security in its definition. Now I already beat the horse a little bit on the native cloud internet, so I’m not going to come back to that part of the network. Public internet’s like GPS, it can give you the best route at any given point in time. For anybody on this call who’s from Chicago, what is the optimal route to get from Libertyville on the north side to Sauk Village on the south side during rush hour? If you talk to Oprah, it’s a personal helicopter. I don’t have a helicopter. There is no optimal route. Dedicated connectivity with a private backbone, you now control the traffic much, much better from an application performance perspective… Remember, that’s our goal, optimizing application performance, than the public internet would be. Cloud based firewalls, cloud-based zero trust. I’m going to come back to zero trust in a second. Secure web gateway.

Rich Korn:

All those security components are critically important, but they should be enforced wherever they need to be enforced so I’m not degrading application performance. If you’re putting it all in the cloud, who does that benefit? The vendor who’s selling you that solution, because they have to manage one firewall instead of managing multiple firewalls. Now cloud-based zero trust, let me pick on ZTNA for just a moment. I am a huge proponent of zero trust network access, but security tenet number four, security requires defense in depth. SANS Institute made a statement, 76% of the most damaging breaches, meaning actual data loss, come from within an organization, not from without. In other words, these are people that had username, password, single sign on, multifactor authentication. These were people that were trusted employees. So when I talk about zero trust, to me it’s a methodology. I don’t want to trust the people I do trust.

Rich Korn:

So I want strict access controls, but then I also want strict policy controls. Can you get to the application? Great. What are you allowed to do when you’re within that application, and then how can I modify that based on things like time of day, location, what machine I’m using? And then just because you have permission to do something, doesn’t mean you always do it. So I want behavioral controls. If you’re looking at zero trust network access in isolation, what it’s doing, it creates what they call a TLS tunnel of one from my endpoint to the application, and nothing can see within that tunnel. The knock on VPN is, it can be sniffed. Well, that’s why you have defense in depth. The problem with the TLS tunnel by itself is it actually eliminates the visibility in many cases that I might need for that behavioral component, and it’s actually going to help a nefarious internal actor get away with it, if you will.

Rich Korn:

So that’s why I want that defense in depth. The analogy I like to use is, think of a gym. ZTNA just has the access… Hey, can I get into the gym? But once I’m in there, an employee has different permissions than I do. Maybe Matt pays extra for the climbing wall. And then you have time of day based policies. So Matt goes to the climbing wall, but it closes at nine o’clock. So after nine o’clock, the rest of the gym is open, but he can’t go to the climbing wall anymore. And then you have to have that behavioral component. Rich Korn has access to the dance studio. I guarantee you if you ever see me in the dance studio, that’s a behavioral issue and should be triggering an alert. That’s kind of the analogy I like to use with that.

Rich Korn:

Now, CASB, hey, they got that one right. CASB to me is critically important, because it’s an identity-based visibility and security controls specifically for those SASE applications sitting out in the cloud. That’s critically important. Excuse me. So what’s missing from SASE when it comes to security? Big one. And I kind of already gave you that hint. The detect and response stage. I am big on analogy, so I’m going to use a sippy cup. I have yet to see a sippy that a two year old cannot get to leak. So here’s how this works out. Identify what the risk is. That’s the milk in the sippy cup. The protect stage, that’s the lid designed to keep the milk in.

Rich Korn:

Here comes the toddler, knocks it over, it’s leaking on the glass coffee table. Detect is nothing more than recognizing that that milk is spilling. That’s like your dentist coming in, doing the analysis, and then leaving the room. They know you have a cavity, they haven’t told you anything. Respond is nothing more than me going, hey Matt, sippy cup’s leaking. That’s technically all respond is. Now in our world, we go more in depth. I’m going to come by and I’m going to say, hey Matt, sippy cup’s leaking. Just so you know, paper towels are right behind. You want to pick that up, grab a paper towel. Don’t forget the Windex, so it doesn’t form a milk [inaudible 00:35:20]. That’s an in depth response, along with instructions on how to clean up the mess.

Rich Korn:

Then you have maybe even immediate mitigation. We can do this by blocking an IP just at the firewall level, we can just by quarantining a machine or killing a process with EDR, endpoint detection and response. We’ll come to that in a moment. So I might pick up the sippy cup, and then give my instructions to Matt on how to clean it up. Recover is cleaning up the mess, Matt cleaning up the spilled milk, and I do that on purpose. Identify and protect are things that we do before a compromise, detect and respond are things we do during a compromise, recover is what we do after a compromise. I want checks and balances within my organization. So if you’ve got the same company coming in, they’re in charge of configuring your servers, patching your servers, running your vulnerability scans, who’s to say that they didn’t misconfigure something, didn’t find it for three months, found it, fixed it, and just never bothered to tell you? So I want those checks and balances put in place across my different aspects, my different parts of that framework.

Matt McKee:

And I would also say that’s one of the reasons why with all of our customers, we really encourage everyone to have a test plan against this. It’s not just good enough to say, hey, I implemented the control, that should do it. You need to test and actually game out how well you’re defended. And so thinking back to the beginning of this conversation, most people on this webinar and most of our clients don’t have the dedicated cybersecurity staff to stand up a full red team, blue team model to test against their own defenses, and so we’ll talk about in later webinars the ability to outsource some of those checks and balances.

Matt McKee:

But I definitely encourage everyone on this call, if you’ve implemented some of the NIST cybersecurity framework, or you believe that you have protections in place, absolutely review your detect and respond and determine how deep that is, but also come up with a strategy to test against all of your controls, your defenses, and your response and recover plan to make sure it will work in a real world scenario. I can tell you from personal experience with the clients we’ve worked on, but I followed the rules in the guidelines, and we still had a breach, doesn’t save anyone’s job.

Rich Korn:

I checked the box. Yeah. And Matt, I’m going to give you a really quick one to test right now, and it’s a simple question. Where are your response procedures? Here’s the importance of testing these. I did a presentation to about 75 CIOs in Ohio a couple years ago at Ohio State University, and I asked that particular question, because if you have these digitally saved, and you get hit with a ransomware, and you go to pull up your process, okay, what do I do, let me pull up my process, that file’s encrypted. Those simple things. Similarly I asked, what’s the number to the FBI and local law enforcement, to the FBI for your cyber crimes division, they’re like, oh, we’ve got it in our file in our response procedures, which is now encrypted.

Rich Korn:

So those simple things like DR plans, I love those. We have our DR plan in Houston, and our DR plan is that we’re going to take it that point in time when the hurricane’s coming, we’re going to offload all of our data and drive it up to Dallas. That’s never going to happen, because those employees are going to be home boarding up their own windows. They don’t care about corporate data at that point in time. This is why it’s important to constantly be testing it, and to Matt’s point, have professionals come in and review it with you to get a different set of eyes.

Rich Korn:

Now, hopefully when you’re doing that detect and response stage, you want to take the holistic approach. Ideally you want to come in and take as much data as you can get your hands on from as many different data points, correlate it together holistically… Remember, in security, silos are bad. I want it all coming together. Unfortunately, I tell customers, I can make them as secure as possible, and I’m going to put them all out of business in the process, because they can’t afford it. So the next question is, where’s the value? Where do we start? What’s the best bang for the buck? And this is something else not in the SASE definition that probably should be, and right now you’re all probably saying to yourself, ransomware. How often do we hear about ransomware in the news? Way too often. And it makes me cringe every time, because all of that was preventable if they had the proper endpoint detection and response solution, and… This becomes important right now with regards to cybersecurity insurance conversations, they’re rewriting their policies.

Rich Korn:

Having EDR isn’t good enough. It has to be monitored 24/7 with the ability to respond within one hour, meaning complete mitigation within an hour, otherwise they’re not going to pay up the insurance policy. I have a customer of mine, they had CrowdStrike for EDR, great tool, they had three people dedicated to IT security, which is still not enough, VP of IT clicked on something at three o’clock in the morning… And for those of you on the call on the security side of things, you’re going to kind of snicker this. Typically what you find is that executives at organizations are set to detect not to protect, meaning instead of blocking something automatically, it’s going to send an alert to the IT team.

Rich Korn:

And the sad reality for that is, if you kick the executives off the network too many times, they’re going to kick you off the payroll. So a VP of IT clicked on something at three o’clock in the morning on a Saturday when their three IT security people were all asleep. They had the EDR tool, they had the alert, the detection, they had the initial response that said they had the issue, but no one saw the alert until Monday morning, and it still took them over three months to recover, and their cybersecurity insurance company said, gross negligence, too bad, we’re not paying you.

Rich Korn:

And unfortunately I’ve got stories of those I could go on for hours. So when you’re talking about the best value in the industry right now, in my opinion, especially because of the remote worker, it’s endpoint detection and response. It replaces antivirus because it’s behavior-based, still has the signature components in there. It can be proactive with threat hunting. It includes deep inspection forensics. So if there ever is an issue, you can go all the way back and see what’s going on. Now, Masergy plug coming up right here. We utilize SentinelOne for this, and we chose SentinelOne for a couple of very quick reasons. Number one, it works on the endpoint itself, it does not need cloud connectivity to function. So if I’m flying between London and the US, and I plug a USB drive in to add to a marketing document I’m working on, and that had malware on it, my EDR tool still works over the North Atlantic.

Rich Korn:

Number two, and most importantly, it has a patented storyline technology that ties into Microsoft shadow cache. What that means in English is, it’s literally tracking every single change to every single file on that machine, creating that storyline. So if God forbid that executive does click on that PDF file and launches some ransomware, I can go back in via the management console and see what process launched that ransomware, snip, failback to a safe version, not encrypted anymore, and then it’s smart enough with its machine learning to find that same process pattern across all the other files. And you can do a quick Google search on SentinelOne in reverse ransomware, and you can watch this happen. 30 seconds to five minutes, that machine’s fully visible and clean. You can give the big, giant middle finger to the bad guys, you’re not paying them a penny, and more importantly, your company’s not in the news for all of the wrong reasons. Can you imagine if JBS meats, Colonial Pipeline, Bridgestone just got hit last week, if they had this tool in place, they wouldn’t have been in the news.

Rich Korn:

If you do not have a fully monitored and managed EDR solution today, please call Matt right after this call, and he can get me in touch with you. All right. So when we start looking at this different environment… Oh, one more important on this one. I mentioned budget. If you need help getting something going internally, this is your gateway. You can walk up and say, hey, we need EDR, here’s why we need it based on value, based on lower cost compared to the full SOC as a Service environment, and then they’re going to see the value of that, and then you can grow that solution to a full SOC as a Service environment over the course of time. Sorry Matt, go ahead.

Matt McKee:

No, I was just going to actually mention with the SOC as a Service, I think the other important thing to consider about having an EDR platform is, you want that managed response that Rich was talking about, but it’s also important to not silo your managed response across platforms. So we have a lot of clients who say, we bought a log SIEM that’s being managed by a company, we bought an EDR platform that’s being managed by a different company, we’re doing behavior analytics on servers with a different company, we’re doing VPN access and behavior MFA with another company… And Rich mentioned this at the beginning of the call, silos cause problems in security. And so it’s important you think about the ecosystem of pinpoint solutions out there. It’s really important to… I like to refer to it as the ecosystems of chaos, because there’s a lot of options out there, but those options cause chaos inside of an organization if they’re not properly integrated and managed. And so you can’t just look at pinpoint solutions, even if they are fully managed, because you’ll create more headaches for yourself.

Rich Korn:

That’s a great point. And the new thing that you hear a lot of people talking about is XDR. All XDR really is, one vendor saying, buy everything from us, they can take their antivirus, maybe their CASB or their cloud protection, they put them into the same portal, and they do machine learning across that, but you still have a silo, because what about your DNS component? What about your Windows event logs? All these are pieces to the equation. What a full SOC as a Service is going to do is, it’s really going to be vendor agnostic. So now you have the ability of taking the best of breed in each of these individual components, but then collecting all of that data that they create and making all of that data work together to get a true picture of what’s going on across your environment. Great point, Matt. Thank you.

Matt McKee:

And as Rich has to make some shameless plugs for Masergy, I have to make one for Bluewave. That’s something that we specialize in helping customers understand, is when they have a large security or transformational ecosystem, how to bring that all together in a cohesive manner.

Rich Korn:

And I got a plug for you coming, don’t worry. So how do we figure out what the right solution for you as an individual organization is? That’s really the challenge. So number one, question what you’re hearing. You’ve got people like Gartner, they’re contradicting themselves. So the industry analysts. Well, where do they get their money from? From who can pay to be part of their studies. So going from SASE, which they wrote with a couple different providers who forgot to include things that Gartner themselves has been saying for years is critical because they didn’t do it, you’ve got them now saying, well, hey, all these vendors want in, so let’s get rid of the network portion, and let’s talk about secure service edge. We’ll get rid of the access portion. Well, that now allows a whole bunch of vendors who don’t have any network to speak of whatsoever, and don’t want to, to get involved.

Rich Korn:

You’ve got the public internet. Everything you read on the public internet’s true, right? You’ve got vendors like myself. Every vendor you talk to is biased. I’m biased. I left the partner community to go work for Masergy for a reason. I believe in their offerings, but I’m still biased toward Masergy. Is Masergy going to be the right fit for you? I hope so, but I can’t guarantee that. We might not be. God forbid you are getting help from family and friends, because if it’s the wrong solution, that can cause some serious chaos, Matt. So the real question mark is, where do you get the information that’s viable? And here’s where I’m going to put my Bluewave plug in here. Your partner community has 150-200 different providers in their portfolio for a reason, because Masergy might not be the right fit for every customer. We’re the right fit for a lot of them, because this is the exact same kind of an approach that we take, and that’s part of why they asked me to come speak today, but there’s going to be customers that have solutions where we’re not the right fit for.

Rich Korn:

You might be a perfect fit for the actual industry definition of SASE. Who knows? That’s exactly why you have that partner community to come in and have that kind of a collaborative conversation, which leads me to that collaborative conversation topic. You want to have the right resources at the table as part of that conversation internally. You want the network team, you want your security team, you want your risk compliance team, you want your executive leadership team. If you’re large enough and your endpoints are done by a help desk, you want them involved. You want executives involved. You want someone from Bluewave involved. And then you want the technical resources from whatever vendor or vendors, depending upon what you’re looking for. What Bluewave feels is relevant to the conversation, based on direction. And you want them in a conversation to customize the solution for your specific environment’s needs.

Rich Korn:

That’s really where you need to go. Now all those people, depending on the organization, that might be 9, 10, 15 people, that might jam. That’s going to vary based on who needs to be involved. You’ll know the answer to that question better than I will for your own organization. Bottom line, that question the assumptions one for me is huge. It really comes down to understanding your own goals, those two goals, optimizing application performance and improving security. Nothing else matters in the conversation. And then the question is, what network components, what security components are relevant to you, how are you going to manage that, how are you going to get visibility into that 24/7?

Rich Korn:

That becomes the question, and that’s the kind of things that Bluewave can come in and help you with on a day-by-day basis for you. He mentioned pen testing and the assessments and the war game things, I don’t do that at Masergy, they have people in their portfolio that do. If you need somebody who can come in configure all of your routers and your different servers and your firewalls… I work with MSSPs, because my focus is on that detect and response stage. So that’s part of being able to put those different providers together in a holistic solution. That’s the benefit of the partnership community such as Bluewave.

Rich Korn:

So SASE stands for secure access service edge. I am hoping I’ve taught you today that that really means absolutely positively nothing. If you want a good definition for SASE, this is it, security, agility, scalability… You want to put support in there, that’s fine, and empowerment. The right solution should empower you and your team to be able to do their jobs. I don’t even want to call it make it easier. If you’re talking about security, I want to make your job possible. All right. My goal, Matt, was to save about 10 minutes for Q&A discussion and add-ons. I saved nine.

Matt McKee:

And we have answered all of the current open questions throughout the conversation. We’ll give just a few seconds to see if anyone has any to submit. While we’re waiting on that, I’d like to thank Rich and Masergy for the participation today. I think this was extremely insightful, and hopefully all of our attendees learned something. And then to Rich’s point early in the presentation, this is a framework and needs to be customized to every single organization’s needs, current state and their desired business outcomes. So I encourage everyone as a follow up to this to get with your Bluewave account manager or account director and schedule some time to understand how we can leverage these tools, platforms, and methodologies to help accelerate your digital transformation.

Rich Korn:

All right. And Matt, if I’ve got a little bit of time, I’ve got one more important story.

Matt McKee:

You can go right ahead.

Rich Korn:

I’m going to say, don’t wait to have that conversation as a word of caution. I had a customer was in a scenario where, hey, he didn’t have a whole lot of budget, so he didn’t have budget for the holistic approach. He’s like, my goal is to get budget approved for that for next year. I need just to eat EDR for this year. $713 a month is what it was going to cost him to get in the door for what he needed to have immediately. His boss decided to wait and to wait and to wait six weeks. I am admittedly not a morning person. I got a phone call on my cell phone at four o’clock in the morning on a Saturday from this IT guy in a complete panic, they got hit with ransomware, they got their backups, they got everything, and he’s like, “What do I do?”

Rich Korn:

Me not being a morning person, my response was, “You jump in your time machine, you go back six weeks, you sign the paperwork I gave you six weeks ago, because it would’ve been implemented in less than two, and now you’re not waking up at four o’clock in the morning on a Saturday.” Obviously not the response he wanted to hear, but if you already have the issue, the ransomware is already there, it’s too late, I can’t help you anymore.

Rich Korn:

In this industry, no one seems to have budget, no one wants to spend the money until they have a breach, and then it’s make it rain, that organization is out of business. For them, it was too late. So if you need to get something in a phased approach, great, we can take that kind of a phased approach to get you the best value in the industry for now, and then help justify that growth over the course of time, but please do yourself, do me a favor, I am a sensitive guy, I don’t like seeing people suffer, don’t wait to have those conversations with Matt and his team. Did I stall long enough for any more questions?

Matt McKee:

No more questions came in, so we’ll give everyone a few more minutes back in their day. Again, Rich, thank you for your insights today, and look forward to meeting with some of the clients on next steps.

Rich Korn:

Greatly appreciate it. Thanks everybody.

Matt McKee:

Thanks everyone.

 
