W. Curtis Preston (2): This week on the backup wrap-up we cover the world

of security monitoring and response.

We talk about SIM soar and XDR tools, what they are, how each plays

a role in your security posture.

We also talk about a scalable SIM solution called sea monster.

That does all three.

It was built by a red team to help blue teams, our guests and expert this

week is desert rock of sea monster.

And she has some definite opinions on this market that I

think you'll find very useful.

I know, we usually talk about backup and recovery here, but this popular episode

from last year will definitely help you to begin that conversation that you've been

wanting to have with the security team.

If you're not familiar with me.

I'm w Curtis Preston, AKA Mr.

Backup.

And I've been passionate about backup recovery, Dr.

For over 30 years ever since I lost data and I had no backups of it, I had to tell

my boss, we couldn't restore the database.

I don't want that to happen to you.

And that's why I do this on this podcast.

We turn unappreciated backup admins into cyber recovery heroes.

This is the backup wrap-up.

Welcome to the show.

I'm your host, w Curtis Preston, AKA Mr.

Backup.

And I have with me my senior H D M I consultant, Prasanna Malaiyandi.

W. Curtis Preston: How's it going?

Prasanna.

I'm good.

Curtis.

I'm I, by the way, my bill is in the mail, so, or invoice

W. Curtis Preston: Alright, I'll,

because once again, once again, you ended up having a fountain of

knowledge about a random technical topic that ended up being very useful.

I mean, the fact that you just were like, oh no, I think that's the, the H

G M I 1.7 spec that came out in 2009 or.

Um, and they're like, and then when I, so, so basically, yeah, so I have

a new Apple TV and meaning the, the little box, and I was trying to connect

it to my 2009 plasma television.

And, uh, it uses, uh, HDMI-CC.

Yep.

W. Curtis Preston: Yeah, to control the power off and power

on and it wasn't working for me.

And uh, I was just talking to Prasanna about that.

And then once again, you were like, oh, well if you checked the

setting and such, watch a macall it.

And you, you solved my problem.

Yeah, and I solved your problem that Apple

support couldn't even solve for you.

W. Curtis Preston: Yeah, yeah, apple support was worthless.

Uh, and this is all just a process of getting towards my new big giant

TV that will at some point arrive.

Um, I'm just, I'm just waiting for that moment to buy the big, the big giant tv.

But, um, I bought the soundbar first, so I have this old

Prasanna Malaiyandi: And was your wife happy

W. Curtis Preston: My wife was so happy that she could turn

the television off, you know?

I mean, it was so, it was such a burden for her to have to get

up and turn on the TV when she first starts watching television.

Uh, and

well, and I think, I think just to clarify, I think

off work, turning off the TV work,

W. Curtis Preston: off.

turning on.

W. Curtis Preston: Which is what made it so confusing off worked, but on did not.

And, um, but now they both work and my wife can watch

television without, you know,

Cursing your name

W. Curtis Preston: Exactly.

Prasanna Malaiyandi: being like Curtis, why do

W. Curtis Preston: and now, now, once again, she will, she

will give you credit for it.

Uh, and I

will get no credit, but, Such is life.

So, um, let's move on to our guest.

I found her her background, fascinating.

She has degrees in both business and law and she finished her M B a

while actually running the company that we're talking about today, which

is, uh, SIEMonster, that's s i e.

Monster, an affordable security monitoring software solution.

She's now their c e o and you can find her on Twitter as @deztraction

so that's d e z traction.

Uh, welcome to the Pod Dez Rock.

Thank you.

Thank you for

having me

guys.

W. Curtis Preston: So, uh, you, so you've been, you've been all over

the globe and you are now currently.

I think just a few miles where I lived

for a

while.

Where, where, where exactly?

You're in Delaware

I am, I just gimme a minute.

I want 'em to announce it like the locals.

No.

Uh,

W. Curtis Preston: Are you in Newark?

No, no, exactly where

I'm,

W. Curtis Preston: yeah.

So that's actually where I got my start.

In backups back in 1993, I was fresh out of the Navy.

I was, I had, the Navy had sent me to Philadelphia, so my ship was in

dry dock up there in Philadelphia.

And um, so I got out and immediately went into, uh, backups, uh, because it was like

many people, it was the job I could get.

No one, no one wakes up, you know, no one dreams of being a, a backup

Hey, don't shatter people's hopes.

You know, I'm just saying, Curtis, maybe there

W. Curtis Preston: you wanna be a backup person, there is demand.

Trust me.

Uh, there's just not a line.

and, but yeah, I got my start there on Christiana Road.

The, that was where, uh, bank of America was.

Uh, I have a, I have a daughter who's now 28, who was born on Christiana

Road at Christiana Hospital.

So I'm feeling very close to you right now, even though you're all the way

on the other side of the country.

That's lovely to hear.

Cause I know you're in

California,

W. Curtis Preston: absolutely.

The, the, the complete opposite corner of the country.

Um, now clearly based on how I'm hearing you speak, uh, you were

raised in, in a different part.

Uh, probably a, probably a different hemisphere, I'm guessing.

Do you

wanna

W. Curtis Preston: Oh,

This is Curtis's favorite thing.

Yeah.

W. Curtis Preston: It's, it's not fair because I, I looked at your LinkedIn page

and I knew that you went to Victoria.

Uh, so, uh, that's not fair, but I, I would've gotten it either way.

I, I definitely, uh, my favorite is trying to, trying to,

within a few phrases, trying to

distinguish whether or not I'm talking to a Kiwi or a, or an Aussie.

Um,

And Aussie, so my accent is not the one that the Americans are used to.

And I, and I can drop it down to what you guys would most people think I'm from

England and when I come to the us right?

Unless, unless I start talking a bit like this.

And then, then they'll, they'll really know then it's

W. Curtis Preston: Exactly.

And so what's really, what's really hard to fathom, most Americans

I've, that accents can differ in a country.

It's remarkably

W. Curtis Preston: they should, it shouldn't, uh,

surprise them.

I mean, we have like 20 in this country.

Yeah.

know.

I know.

I know.

W. Curtis Preston: Yeah.

And, and what's more amazing to me is how much accents can vary in England, right?

Prasanna Malaiyandi: I was just gonna bring

W. Curtis Preston: little country.

And, you know, you have a different accent between north and South London, right?

I I, and it's just, and, and then you have accents, accents

vary based on class, right?

On education and, and

all of that,

right?

Um, so yeah.

That's

W. Curtis Preston: yeah,

I, I, I enjoy.

But the same can be said in New York, New York, right?

I mean, a New York accent depends on how they, you could tell literally

where, whereabouts they're from because of that, and that's just one

W. Curtis Preston: That is true.

So it is just the inability to apply the exact same rule to other

countries.

W. Curtis Preston: We, we, um, Yeah, we, I don't know.

I don't know what to say.

America.

Um, so, so, but you're, you're here now, so, uh, you're,

you actually live in Dallas.

The company is headquartered in Delaware.

I'm seeing

New York also.

Where, what is, how does New York figure into it?

so we were in New York Post, uh, pre pandemic with the

headquarters, and I used to be, I, I've transferred from New York.

I, I used to live in New York as well, and uh, New York is where we went

through Techstars in 2018 as well.

So that's why, uh, that's why we have a presence or had a presence in New York.

I'm about to pull out of New York.

Um, stick to, um,

Dallas.

W. Curtis Preston: Nice.

All right.

Well, I've been in all those places.

I love all those places.

Let's, let's talk about, um, by the way, Dallas, uh, clearly

wins, uh, from a barbecue perspective, um, unless you're,

Right?

Yes.

Well, you don't,

they'll let

you.

W. Curtis Preston: Yeah.

Yeah.

yeah.

Although of the, of the three cities they win.

Although if I'm in, if I, if I get to choose my Texas cities based on

barbecue, Dallas wouldn't be it.

Sorry folks.

Sorry.

Dallas folks.

I'm a bit of a Austin Barbecue fan, but

anyway, I've had great, but I've had great barbecue in, in,

in Dallas.

Uh, my favorite was at Terry Blacks.

but anyway, we.

Yeah, that's exactly what I've

heard as

W. Curtis Preston: we could easily have an entire podcast about

But we're not.

Yes,

but

W. Curtis Preston: not.

That's not why we're here to talk.

So, did you see the way he's reining me in Des so let, let's go back to 2016.

When you, you got this idea to, to, you know, start this new company,

what problem did you see that you were trying to.

Well, at the time we were Kustodian with a K and we were

professional hackers, so we were pen testers, um, working all over the

world, a small elite bespoke group, um, with clients all over the world.

One of our Australian clients, um, BlueScope Steel, fourth largest steel

manufacturing in the world, uh, had some issues with some ransomware.

I know that's a topic that.

You guys were Yeah.

Wanna touch on.

But, um, had some issues with that and, um, instead of, uh, that,

that we would be testing them every year for their compliance,

you know, for penetration testing.

So they actually asked us, well, are there no tools for this?

Uh, is there no way that we can support or, you know, protect our data?

And we are red team, right?

So we.

I don't know.

Let have a look.

W. Curtis Preston: You're like, we don't do that.

We don't do protect.

We do

we, we don't do that.

We, we know, we know how to get

in and we we get in real, like we know that we know how to penetrate very well.

Right.

Um, there isn't a area, and that's one of the, like, there isn't a

customer, a location, a challenge that we have not risen to by the way.

Right.

So, Badge of honor that we wear.

Um, so these clients are, so they asked for software to be Blue team, right?

Like protect, and um, to which we said, let's have a look.

And the one name at that time that came up was Splunk.

They can handle really big data and they can do this.

And so we said you wouldn't believe this cuz that Splunk is now, we said, let's

just let you know we're happy to bro.

Like let's introduce you to Splunk.

Right?

So we did and, and Splunk gave them a quote.

And it was at that point, to cut a story short, it was at that point that BlueScope

said to us, is there no way that we could perhaps solve this any other way?

And we said, you know what?

Let's have a look at some open source tools, right?

And so, the need was affordable security for big data.

Um, and that was the, uh, field in which we went into.

And at the time we went with open source tools, right.

And we patched them to, you know, like we basically stitched them up.

We made, you know, like put a cover on it, made it easier to

use, made it easier to roll out.

And that's how SIEMonster started.

And SIEMonster was always, we thought at the time, an annex to what we already.

I mean, we were pen testers, we're hackers.

We thought this is just this cute little project that was happening on the side.

One off.

Well, our, what started like a very small snowball got bigger and bigger.

Uh, the Australian government, including us, Aus Cyber backed us.

Um, to come to San Francisco to rsa, which we were now nominated product

of the year back then as well.

So we started to track momentum.

Uh, we saw that then that's where we saw further needs.

Okay, so this wasn't just a one off.

There really is a need for big data to be secured down at

a far more affordable price.

Right?

Um, because we vehemently believe that, uh, security

should not be gate kept by price.

Right.

So, uh, that's a fundamental that that's, by the way, that's harks back to the

days of when we were hackers as well, because we, uh, participated in the

DEFCON culture way back when as well.

So we were always giving back to community and feeling this way.

So that hasn't changed.

So that is the, uh, origin story

of SIEMonster.

So just a quick question.

I know you mentioned a couple times big data.

So did you feel that in the big data space there weren't any

tools available that were simple?

There weren't tools available that were

affordable or all the above?

If we go back to the origin story, the original, uh, thing

was it wasn't affordable, right?

By the way, the SIEM space was not as crowded as what it's now.

Right.

Um, so it's quite different now.

And I know a lot of people are doing a lot of things and that's, that's

really great to see that we're all that, that give, people are giving

Splunk a run for their money.

Um, but I dunno how many people.

Attacking the big data spaces.

You know, there's a lot that will go small, medium.

And the other thing that a lot of, um, people are doing, if you know

this space really well, is they will charge by node or by, you know,

they, they'll charge by endpoint.

And when you do that, you are asking your security operators to pick

and choose what they wanna cover.

Now that's vehemently against.

Belief system too, because if you do not put locks on all your doors,

then your house is not secured.

It's a zen.

It's as simple as that, right?

So, uh, we thought, well, that's a design flaw.

Again, this is red team thinking about blue, right?

Because we know how to get in.

So if you leave a door open, we already know that we're gonna,

like, that's the best way to get in.

So if you're not covering all your end points, then your system is not secure.

Period.

End of story right there.

That's why we decided big data is.

Where we need to aim for.

Right.

And it doesn't mean big data, big organizations.

It just means any data, all data, all encompassing.

Hmm.

W. Curtis Preston: interesting.

So I heard, I heard you say two things that to me sound like they

conflict and they probably don't.

So I just need you to help me understand.

One was you said that you, you, you agree with.

Me that you know, you know, you need to protect everything, right?

If you're not protecting everything.

And then it sounds like you have a solution that's aimed

specifically at Big Data.

So does that mean there's other parts of the organization that

you're not protecting?

No, what I'm trying to say is that our solution is, uh, is scalable.

Right.

And that's part of the story of our success.

We're scalable.

So it doesn't matter what you throw at us, we will put a circle

around your entire organization.

And if you, if you grow, we grow with you.

It's as simple as that.

Um, and without hesitation, and no one can do the EPS that we do, like the

events per second, the challenges that that requires, like we excel at that.

So when we started, like what started off.

Helping one client.

Let's face it.

Like helping one client then started to become like, how do we,

and it was always with the red, uh, red team, uh, vision, right?

We need to protect everything clearly, right?

We all agree in that if you're not protecting everything, you're not

protecting the entire organization.

So if that's the case, then how do we do that?

But do it really fast as well, because you do not wanna slow

the network down as well.

You see how they all, it's all hand in hand and it all comes down to, again,

the way we do things cause of who we are.

Right, and so that's why big data and all encompassing

So just pushing back on what Curtis had said, right.

I think probably Curtis, what you were confused about was

probably the big data word, right.

And phrase, right.

I think it's really like Des, like you had said, right?

You scaled depending on if you are a small shop and growing

or if you're a big shop, right?

It's a single solution that you could use.

That scales as you grow versus a lot, I'm guessing in this space there's

a lot of people where it's like, Hey, if you have a small solution,

you're probably not gonna use

They

They won't use the exact same implementation because

either it's too expensive to deploy like your enterprise wide, and we see

this in other software stacks as well.

Right?

You have an enterprise-wide solution, which is more complex and has all

the bells and whistles, but, uh, sort of a small medium company, it's too

complex because they may not have the dedicated IT resources to use.

And then you have the opposite problem, where if you have a solution

for small, medium businesses, when you get to enterprise, it

doesn't quite meet the scale and the security requirements and other

You have hit the nail right on the head there.

So we are a solution that can be used by small, medium businesses

and can scale all the way up to enterprise without a blink of an eye.

Immediately, you don't have to do anything.

It just does it.

So that's part of the technology that we've built in.

and by the way, if you're small, medium, you actually get the

benefit of enterprise grade security.

So there's that too.

W. Curtis Preston: Our audience is primarily data protection focused folks

who might not actually know what a SIEM solution is.

So, uh, and by the way, is, is that, by the way, is

that how it's generally pronounced?

Cuz I've always said SIEM solution.

I think, um, I think it's pronounced different

in different countries.

And when we saw it, we, in Australia, we saw it as SIEM.

Right.

In fact, we didn't even know what a SIEM was.

We were like something held your pants up.

No idea.

That's where we started.

Right.

Um, uh, it was only later.

Once we named the company SIEM Monster, right?

The way we named it, then we realized that a lot of people call it SIEM.

So, uh, and then we were stubborn about it and we started calling it, right?

Um, that's that too.

SIEM stands for s, it's s i e M, right?

Uh, security info Information event management.

It's another way of saying monitoring software that SOCs

will use, for example, right?

Or any security analyst will use.

Uh, so it's to give you a God view of your entire organization and

the events that happen in there.

Now there is a lot of things, and the definition of SIEM is a

really good one because there's a lot of confusion out there.

People think that are such a searchable database is a SIEM, it's not.

So you need to add some context around.

Prasannas laughing.

Cause I think, you know, it's Right.

So, right.

Um, so you, a SIEM ought to have some enrichment into as well.

And that happens when, um, with recognition that

this needs to be an event.

And then of course we have certain factors like SOAR capabilities

and XDR capabilities, which is the newest version of SOAR, let's say.

And so SOAR, and I'm gonna give a very basic, uh, analogy here, is when we.

Have a rule set apply to events that always happen.

And I like to use the logging, you know, like putting in the wrong

password over and over again.

So when that happens, or someone logs in, like you guys are a Delaware based

company and you're all in Delaware and yet somebody in a different

country is starting to log in, it's flagged from, you know, the location.

Right?

So things like that that you would say these as a ruleset, This is

something that I need to know about.

So it needs to turn into an event to alert me for, right?

So you can write rules about that.

And that's called SOAR, right?

That's S O A R.

So then the next iteration of that in the industry is called xdr.

And what XDR does is a lot of automation of that.

So then it not only picks out the events, it tells you what's happening.

It actually tells you that this is something that you need to do and

sometimes can shut it down as well.

And I.

I do have a story about that.

Uh, when a ransomware tried to get into one of our clients, a large hospital

and the XDR component literally shut it down before anyone could do anything.

Oh, it before it was infiltrated and saved that company.

Yeah.

W. Curtis Preston: So you threw out a couple of, uh, acronyms

there, and we always ask our guests to, to spell out the acronyms,

uh, that, that they use.

So what SOAR and xdr.

Certainly SOAR is security

orchestrated automation and response.

So as I mentioned, it automates and responds, so it'll give you, you know,

it'll actually run a script and then give you a response as an alert on your

Slack email, however you like to have it.

So something has been done and alerted, certainly helps your.

SOC team or your an analyst have a better idea, you know, so they're not

literally, because what usually happens with any SIEM is that events come in.

You need a way to prioritize them to say what is urgent, what is not.

SOAR will actually handle a lot of the very similar uh,

events that need to be action.

For you, that's what a SOAR is.

XDR or E D R is a extended detection and response.

So it basically builds on that.

And what that is, is, um, uh, the newer, um, technology,

which again involves automation.

As well.

So that will not only tell you that something has actually

W. Curtis Preston: Okay, so, so if I were to summarize these threes

tools, the SIEM tool is the thing that notices that something bad happened.

A SOAR tool will tell you that something bad happened and an XDR e d r tool

will actually respond, uh, that like

it can actually do things to stop the thing from happening.

Does that sound about.

So a SOAR will tell you true, but a SOAR will actually respond as well

because running on script, you can build custom made scripts as well, right?

So in your organization, you only, you know your organization the way

you, you know, it's, it's, everyone's quite unique in that fashion.

So what.

You can't have out of the box rules.

You definitely need your own set of rules to match your organization.

That's what a SOAR will do.

The XDR or E D R will actually action to take down commonly.

For example, if it's a known attack vector coming in, right, it will actually shut

down that IP and say no more from here.

So that is not just saying, Hey, if this happens, let me know.

This is like, if this happens, let me know and also shut it

down before I even get there.

So it's an.

It's, it's not, before that, it was the ANA analysis or analyst doing the action.

This is now the program actioning,

W. Curtis Preston: But it sounded like you said Soar can do some actions as well.

That's why I was, um, So, and it's, I'm just, again, help me

understand, like with the, with the SOAR tool, the, the main action

that I think it's doing is, is letting you know, right?

It's sending you messages, whatever it is that you want do.

That's the

W. Curtis Preston: That's,

So just to clarify, that's the action it's

doing.

Exactly.

W. Curtis Preston: to actually shut down something or block

ports or whatever, that's where a, an XDR e D R tool.

Correct.

That's when you start to get into that automation side of things where

it's starting to think for you.

It's starting to, and that's where the ai, the exciting part of, you know, the AI can

come into, it's starting to think for you.

It's starting to get to know patterns.

That's where, by the way, there'll be another iteration of this.

So we have, if we can imagine, SIEM would be the core, right?

The core that is protecting all of your data.

SOAR would sit around that, but SOAR is kinda like version one, let's say.

And then you've got xdr, which encompasses all of SOAR Does that make?

So it does everything that SOAR does, but a little bit more.

And I can imagine that as the future goes on, we'll have another

version of that, which will then

include.

W. Curtis Preston: So are these three separate tools then,

or there are tools that encompass all three aspects.

I'm certain that there are companies saying that

they are three separate tools, but that's not what we think.

Should happen.

We think security should have be able to do all of that.

So even though, you know, we are titled a SIEM uh company, we actually

have SOAR and XDR capabilities and quite quietly working on the next,

uh,

the

W. Curtis Preston: So the answer, uh, and at some point, Prasanna, I'll let

you speak, but I, this is, you're the first person I've had that's really been

able to sort of lay all this out for me.

Uh, So there probably are SIEM tools, SOAR tools, XDR tools,

individual products that I can buy.

Uh, there are probably hundreds of them, uh, but there are maybe a smaller set of

companies that like yours that can do all three

We'll do all of them.

W. Curtis Preston: Okay.

Correct.

And even smaller that can handle the data volume that we

can.

W. Curtis Preston: Okay.

All right.

Yep.

W. Curtis Preston: You, you may now speak for Prasanna.

Thank you Curtis.

Uh, so Des, when you were talking earlier about sort of, okay, you need

this automation with Soar, right?

To be able to figure out and alert you properly, right?

Um, I think a lot of our listeners may not necessarily realize sort of

the volume of events that may come in.

Right.

Could you talk a little bit about sort of like what you see in some maybe

like small, medium businesses, right?

Where they might be like, Hey, I just have an IT guy.

They can just mi manually monitor,

right?

All these events and why some of these things may not

work yet.

Well, first of all, let's start

with what.

Like, what is a SIEM?

Remember I said there are some people thinking that a searchable

database is a SIEM because it we're collecting everything.

But that's just, for starters, that sounds like a nightmare because now it security

guy literally has look for, that's,

Yep.

that's not telling, giving any ranking.

That's, that's a searchable database.

That's not a SIEM.

So, um, So with a SIEM.

With just a SIEM, the amount, and remember everything is an incident.

It doesn't know if it's a good incident or a bad incident.

It's just an incident.

Okay?

Everything is creating, everything is, uh, giving you a trigger.

So we need to then assess.

If it's a good thing or a bad thing, is it an event?

Right?

So, by the way, if it's an event, is it a good event?

Is it a bad event?

So we start ranking, right?

So we start to say, ok, so when people are trying to break in bad, super bad, right?

Someone turning on the printer.

It's an event.

We don't need to do anything.

There's no alert there.

But it's still, you see, you're still being, it's an event.

You're still recording.

But it's not something that needs to be actioned.

These are very basic examples, but I, I like working with really basic

analogies and then building out, right?

So, um, in that case, Their volume.

You're talking about volume.

Even the bad ones could, like you could have pages and pages, how like that

makes it very difficult and like small to medium businesses usually have one guy,

like you are the security guy, go do it.

Right?

So that's a lot of pressure for one guy.

So you need to make it easier for them.

So that's why.

You know, alerts to, uh, slack channels, alerts to phones, or, because they can't

be sitting there staring at a screen like this is not, uh, wall Street ticker.

Do you know what I mean?

You cannot have that, that you just, you cannot be doing that.

So you need ways to put some, uh, framework around, well,

human flaws like blinking, right?

So we need, uh, a system in which we can, first of all, rank.

And then like I said, a SIEM was probably not enough because it depends

on the volume of data coming in.

Not enough.

So you'd probably want some actionable items to say this usually happens

and when this usually happens, I want if that, then this, right?

Then that's basically what SOAR is, right?

So, um, then I want these things to be done.

Makes your IT security guys life so much easier and

would you say that that transition from just

a normal SIEM to soar, does that happen at a certain employee count,

at a certain data set size count?

Like what do you, or is it basically everyone should be thinking about

Everyone think, look, the way it's going is everyone should be

thinking about XDR way at the beginning.

Everyone should, because I think that you right now, you do

not need to run a SIEM, right?

To run a SOC.

You need highly specialized people, and that's a cost point.

Like small to medium organizations cannot be doing that.

So what they need is tools that will make a job easy for an IT person to say, this

is something that needs to be actioned.

The, the benefit of something, and I hate to, I hate shilling, but

the benefit of our product is, is that you don't make that decision.

It's there.

It doesn't matter.

Like if you're small, if you're large from the start, it's there.

Yeah.

W. Curtis Preston: it.

It's not a choice

W. Curtis Preston: Yeah, and I think the.

The worry.

Right.

Come, you know, there's a lot of us that have been in it for a minute, right?

That's, that's the kids say and um, The worry historically with automated things

that are going to actually do things in my environment to help protect me is that

they're going to trigger too often, right?

That they're gonna, it's obviously, it's the false question, and you, you

know, you've decided that we're under attack and so we shut down the network

or, or whatever it is that, that we've decided that we're gonna do that.

How?

How do.

Get to that level of comfort.

So well, we have professional services for that, where we actually

rule out, and that's the rule sets that we write to literally customize

that stuff for your organization.

So you've removed the false positives, right?

Because we, you can't imagine that people are going to be able to

know how to do that off the bat.

It's probably one to be left to the professionals,

right, to set it up for you.

Kinda like anything, almost like buying a new, um, apple TV and

connecting it to your TV and needing a professional to come in and help you

set.

W. Curtis Preston: a, as a technical person, the fact that I needed

professional assistance to set up my Apple TV is a, was a bit insulting.

Okay, here's another really important question.

I'm assuming that these tools and, and your tool of course,

They manifest themselves in a couple of different ways, right?

How do people buy these products, put them in?

And then how does your, how does your product work?

Okay, so this is a very pertinent question right now because

we're about to release version five and we're the only SIEM product out there

that'll be available on AWS marketplace where you, if you're technical enough,

you can actually do it yourself with the support portal and go for it.

You don't need any help.

As done implementations, you'll have it up and running within minutes.

Again, unheard of if you know about any of this, right?

Unheard of.

But we're here to break the, again, we're here to make sure that, uh,

security is not gate kept right?

And that's part of it.

Um, now if that is outside of your technical scope, then we

are here to help implement and, and put that in for you as well.

Um, so you have two

options

When you do talk about that second case

or even the first case, right?

Is it customer or you are deploying it in their infrastructure?

In their environment on servers?

Is it offered as like a SaaS service that they log into?

Especially if you have multiple sites, so it's

all managed centrally.

Like what does that

deployment model look like?

Correct.

So the, the unique part of our, um, product is, is that

they all can hold tenants.

So again, if say for example, you are, uh, a small business, you're growing and

now you have different, uh, locations.

So you have different op, you can literally sit different tenants

and have one panel of view, uh, and your system will grow with you.

That this is what I mean about highly customizable and uh, very, Incredibly

scalable, so you could sit different tenants inside right now, off the bat,

through AWS and it's in the cloud.

By way performance, we utilizes technology in order to make this happen as well.

W. Curtis Preston: So you're, you're, you're a service

and I like that very much.

Uh, I do think that that's clearly the way it is going and, and it

makes it so much simpler for a lot of people, especially SMBs.

Um, but I don't understand.

So you're up in the cloud, but you need to, uh, see things, right?

These events that you described, uh, you use that term events per second, right?

E p s.

So how are you able to see these things

that are going on inside my environment?

How do we make that connection?

So during the implementation stage, you'll be asked to input all of

your data traffic into that to, to us.

You'll actually be told to, or you could actually even have a local agent.

So a virtual local agent within, and then what happens is that

acts as a, um, repository.

So everything goes to that agent, and then it becomes one funnel up

to the cloud that allows for, um, your, your guys are in backup, right?

That allows for two things as well.

That means that if there's a disconnection anywhere, you've actually got local

storage of events, which is really good for forensic and anything else.

It's just due due diligence, right?

And so when the connection is reestablished, it will.

Uh, take all of that, um, events back up to

the cloud.

W. Curtis Preston: That makes a lot of sense.

And then of course I will

need someone to monitor that, the service.

Right.

Um, or I can hire somebody to do that.

Correct it, it does depend on the, uh, on the skillset of

your staff and your organization, what type of organization it is.

If you're looking for just compliance and just let me know

if someone is trying to hack in.

I think you're good.

Like I, I I think you're good.

Your It can do it.

If your data is incredibly sensitive and you need 24 7 monitoring, then

you would probably outsource that.

And I suppose it comes back to the actual value of having red

team create blue team security.

We think of every, every design element, we don't put just

funnels straight up because what happens if there's a disconnect?

What happens if there's a power failure?

What happens if that, like even that needs a.

That's all been thought through.

Right.

Um, so the redundancy isn't intended to be kept there.

It's, it's intended to just in case there is a disconnection,

a power internet, whatever.

Right.

Um, and these are all the things that have been thought through.

Uh, so the system is secure.

It's not just protecting you.

The entire system is

secure at

Okay.

Yeah.

W. Curtis Preston: it's like, it's like,

bank robbers that built a bank.

Exactly right.

It's just, you know, the other thing, the o the only thing, the

other thing is, is like, it's like, it's like having a motorcycle gang

as personal protection, right.

It's probably, you know, the outlaws that's the trying image I'm trying to get.

It's like having outlaws and going, I'm, these are gonna be

my security guards and you know,

you've got the best damn security guards on you could ever get.

Right.

Because ain't nobody's gonna mess

with you.

Because the p that's exactly the, exactly.

Um, the

W. Curtis Preston: So do you, do you still do the red team

stuff or, or is it, this is going so well that you're not.

You're not doing that.

Yeah.

So we always keep a foot into the red team world.

We still attend Defcon, um, in Las Las Vegas every year.

Um, and.

We, but unfortunately, um, the, this has overtaken everything and

this has grown from what was a kind of side act to the main event.

Yes.

W. Curtis Preston: I like that, that, I mean, that, that's, you know, you're,

you're clearly meeting a need, uh, and.

If you're helping SMBs to have better security, I am.

I am all for it.

Des, at the beginning you had alluded to a

ransomware story that you think we might be interested in hearing about.

Um, maybe you want to talk about what happened.

Oh, okay.

So that, that's one of our clients who's a large hospital.

Most of our

clients

don't

We're totally fine.

yeah.

So just bear with me here.

And, and I, and I'm in the, I'm in the Secret Keeper

business, okay?

So a large

Hospital.

Uh, was infiltrated, um, by an incident that was basically going

to be an attempted, uh, ransomware.

Right.

malware was attempt to lock down their system and it was our, um, including the

SOAR and the XDR capabilities, and he, and the project was called Project Skynet.

It was, it's just, Phenomenal.

Once you hear this guy's story about it, I've literally got

a, um, I was so interested.

I had him interviewed right?

And wanted to get what his story out there.

It's a brilliant, brilliant story of exactly this.

It's exactly how, uh, attempt was made and the SIEM did its job.

It literally did its job.

It's kind of like, are you.

Fans of Harry Potter by any chance, you know, the last movie when all of the,

uh, statues come to life and finally start protecting the, uh, castle, right?

So it's a phenomenal SIEM, right?

It's like finally they sit there and, but they find that's exactly what happened.

The SIEM came to life and, and killed the ransomware.

Identified it, knew what it was, shut it down before we could.

This was then passed along to management to say, this is because it's one thing to

say, damn it, we've been hacked or dam it.

We've got ransomware to deal with.

Right?

That's panic mode.

But to hear, listen, they tried it.

But they didn't get anywhere because this was, we stopped.

This was stopped.

It's you.

That's a different emotional journey.

You're not sure if it's like, did it happen?

Did it not happen?

What happened?

You know, like, like, you know.

Um, and so great story for that.

So that's exactly a story that's happened that because ransomware, and

here's the other thing I gotta tell you.

Alright.

Just lean in boys.

Every company that's been hacked, Every company that's had ransomware

attacks, all of these guys have got security software too,

right?

W. Curtis Preston: Yep.

Just think about

W. Curtis Preston: Yep.

And, and every one of them that were unable to restore

their data had backup software.

Right.

Um, and yet, and yet sit.

because you know what they say.

W. Curtis Preston: What do they say?

You know what they say

Nobody gets fired from, from buying a Gartner Quadrant product, right.

Exactly well known, which means security people, and I'm guessing backup people

or two are not doing their research on the technology and the advancements.

They're just doing what everyone else is doing.

They go to Google what is the best thing, what is the best backup pro, whatever, and

going with that, not necessarily the best.

So the companies out there that are being hacked, that are getting ran

ransomware softwares, I guarantee you they've got really, really

well known security software in.

And they're doing a phenomenal job, aren't they?

Phenomenal.

Absolutely brilliant.

W. Curtis Preston: I, I sent, I sense a tad bit of sarcasm there.

Well, Des, you've been, you've been fascinating, you've been entertaining,

uh, and, and very educational.

Uh, I do not know as much about this space as, as I should.

And, and I, I think, I think I'm, you know, I'm, I'm not alone in that.

So, you know, you really helped us understand what that market does.

I, I love this idea of a product that is, You know, I mean, the fact

that your product sort of starts with affordable as, as your leading thing.

Uh, I, you know, I love that the idea that you said that, you know, your, your

the customer that started this, they said they, they wanted Splunk and then

they got a quote and they're like, ha.

Right.

They had, uh, sticker shock.

And, and I do think that that.

Problem cost, right.

Is a barrier for a lot of areas of technology, and I really agree with you

that it should not, you shouldn't have to be rich, uh, to, to have decent security.

Right?

Um, and so I, I'm, I'm glad your company's there.

I'm glad you're doing well.

Uh, I wish upon you that you will have no time left for Red Team Business.

Um,

And, uh, so tha thanks a lot for coming on the pod

Oh, thanks for having me.

It's

been a

pleasure.

W. Curtis Preston: And

Des, just, uh, one question.

If, uh, our listeners wanted to find out more information about

SIEMonster, where can they go?

Can

they, like, is there a website they could hit?

Like what should they

do?

SIEMonster spelled SIEMonster com.

Um, that's our home.

And um, yeah, that's where you can find out more about the product and um, get

W. Curtis Preston: I like it.

I, I wonder if, because of the way we pronounce it in the US I wonder

if people call your company SIEM Monster and they don't understand

all the time.

They don't understand the J the joke, because remember when we first started we

were like, We, we heard it as SIEMonster.

We were like, haha,

the

W. Curtis Preston: Aren't we

clever?

Lago.

You know, like, you know, so that's, aren't we clever tongue?

Right.

Um, and we even had, our servers had different names, we had different code

names, we had all had monster names.

Uh, we had Kraken, we had, we had had, we had so much fun coming up with all of

that at the start, you know, when we were just re really start, you know, starting.

So the SIEMonster stuck, had to get rid of, uh,

but we still have them on Slack and they're be private and they're.

W. Curtis Preston: Uh, don't keep that character.

Um, yeah.

So, uh, Prasanna, thanks.

Uh, thanks.

You know, great conversation.

as always then thank you.

W. Curtis Preston: All right.

And, uh, thank again to our listeners.

The backup wrap up is written, recorded and produced by me w Curtis Preston.

If you need backup or Dr.

Consulting content generation or expert witness work,

check out backup central.com.

You can also find links from my O'Reilly Books on the same website.

Remember, this is an independent podcast and any opinions that you

hear are those of the speaker.

And not necessarily an employer.

Thanks for listening.