Ben Love [00:00:02]:
Good morning and welcome to today’s webinar Cybersecurity webinar. Today we are joined by Jasa from Sophos and we are going to be talking about all things managed detection and response. So a quick introduction to Jasa. He is a cybersecurity professional with extensive industry experience in architecting and building scalable networks and security solutions for enterprise businesses. He has an array of technical and presale skills in the network and security verticals, including software defined networking, enterprise security, enterprise networking and wireless security. So without further ado, I’d like to hand over to Yassa to take us away. Good morning, Yassa.

Jasa Rakus [00:00:50]:
Good morning, Ben, and good morning, everybody. Thank you for joining us this morning. I’m going to go through what most of my conversations these days are with our partners, customers and the like around where does cybersecurity sit and what are their biggest concerns? As you can see here on the screen, we’re going to be talking about something you’ve probably heard quite a bit about, which is a manage detection response. So without further ado, let me get you hyped up a bit with a very short video of what cybersecurity is. Today’s. All right. I think we’re all probably pretty pumped with this lovely guitar riff. So let me peel off some of the layers of the statements made in that video and let me try to set the context first. Right. I don’t think I have to tell anybody in this session how important cybersecurity is. If you didn’t know that, then you probably wouldn’t be here. You’re seeing some stats here on the screen that we’re taking from two documents that we publish yearly. One is the state of ransomware and the other one is the active adversary playbook. And these are documents that we put together by interviewing hundreds of IT professionals and organizations and asking them honest questions. Where is cybersecurity seat? What’s happening in your environment? And they all seem to report. When I say all, the number is 57%. But in real life, that means everybody seems to have some sort of increase in the attacks over the past year. Not necessarily successful, but there are definitely attacks. And over 78% of the organizations saw an increase in the ransomware hits last year. So it’s very hard to keep track of what’s happening. I’m sure everybody’s aware that we have a massive shortage of cybersecurity professionals. And that’s not just for Australia, that’s worldwide. I think there’s a good stat that I read the other day that there is about a million cybersecurity professionals in us and about 750,000 open cybersecurity positions. So a 75% shortage in us of cybersecurity professionals. And even if you’re lucky enough that you get somebody that’s really good at what they do, it’s very hard to retain them. I’ve got conversations with customers that complain, look, we’ve got this junior guy. He’s an absolute gun. We’ve trained him, we’ve given him all the opportunity. And then a bigger fish came along and said, would you want to work for us for double the bag of money they’re giving you? I mean, nobody’s going to say no to that, right? So even if you’re lucky enough to have the right people, keeping them is very hard. So let’s have a look at why cybersecurity beyond just products is important, and that’s what today is about, right? I’m not going to talk about products alone because every vendor has a new, shiny, prettier box every year that we want you to buy from us. But I want to make sure that you understand that what we’re talking about here is not necessarily a product. This is what some of you might be familiar with. Those of you that use sofa sandpoint have probably seen this, right? So let’s have a look at what is this telling you. It says Sophos detected some things, it cleaned them up. Right, job done, high five all around. Everything is okay. Move along. Nothing to see here. I would love to say that’s true. Right. It isn’t. If we look at closer of what we have actually detected, you’ll see some applications such as PC Hunter, GMER, process hacker, iobit, uninstaller. Those are all types of tools somebody would use to bypass or break endpoint protection products. And when I look at where this is being run from, it says, okay, so administrator is doing this. That’s not necessarily bad because administrators sometimes do things, but it’s doing it at about 02:00 a.m. On a particular day. So this is an actual snapshot of one of our customers. That’s why certain things are sort of redacted here. But this was an actual customer and they didn’t pay much attention to it. They said, yeah, well, you’ve stopped it. We can move along. Well, in a context of the whole thing. You would not expect an administrator to be doing this at 01:00 a.m. Using these tools unless there is some sort of a reason and some sort of, let’s say, a change process behind it that says, I’m going to be doing this, I’m testing something. Well, the answer actually is that this is not the administrator. It is an administrator account that has been, some sort of abuse has happened and somebody has got a hand on that account is logged in into this server, and it’s trying to run tools to bypass sophos to execute more attacks. So an environment like this, in an event like this, that is when you want a service to get involved and help you to identify this and help you to resolve this further. Now, cybersecurity by itself has become probably too complex for most organizations to manage effectively. There are a plethora of tools you can use to increase your cybersecurity postures, and they are fantastic. The tools that I work with on a daily basis just will blow your mind away. But they are advanced, and advanced translates also into advanced level of skills to deliver them. You can’t expect a junior cybersecurity professional to become an experienced threat hunter overnight if you give them the right tools, because there is no substitute for experience and there’s no substitute for a size of an organization. So you just will end up not having that round clock expertise. And I know that a lot of presentations like these people like to say, yeah, but what happens at 02:00 a.m. On a Saturday when you’re not watching? Let’s flip this switch a bit, right? None of us are awake at 02:00 a.m. On a Saturday unless we’re having a very good weekend. Let’s put this into perspective of right now. I have a room full of people giving me full attention for the next 30, 45 minutes to an hour during the day. So none of you are doing a cybersecurity job right now, including myself, including Ben, including everybody. Right. So even the people that you rely on still have to do things that make your business grow. So what you’re doing now is educating yourself to be better at delivering the outcomes to your business. So it’s not just 02:00 a.m. My job is not to look at a screen like a robot and look at the lines of code jumping in front of me and look at the alerts, et cetera. My job is to make the business more profitable so you don’t have to work with what you’ve got. You can leverage somebody to help you. And the good news is you don’t have to have those expertise. You can have somebody like software to deliver that as a service to you. And that’s what we call this. We call this cybersecurity as a service because it is not a product by itself. Yes, we sell it as a product, but behind it are people, and I’m going to tell you how many people, and I’m going to tell you where they are. This is nothing that we’re hiding. But MDR by itself will give you an instant cybersecurity operations center. Right? And not just one. There are actually seven locations worldwide where we have our socks. And in those socks, we have over 600 cybersecurity specialists. I’m going to challenge anybody in this room, and if you feel happy to just drop it in chat, and I’m not going to say you don’t have an answer. But tell me of an organization that can afford 600 cybersecurity specialists. That is not a cybersecurity vendor, right. It’s very hard. 600 is a big organization by itself. For us, that is just the sock people, and that gives you that 24 7365 detection and response component. So what is the difference between a detection and response? Right. A threat detection is we all are fully aware that ransomware doesn’t just happen. You don’t wake up one day, everything was good a second ago, and now all of a sudden, you’ve got ransomware. There were steps, there were events, there were indicators that happened before we got to that ransomware event. And the role and the goal of this service is to stop those actions before they become an incident, before they become a case, before they become an escalation. And we do this by doing something called expert led threat hunting. Threat hunting is I will proactively look at your environment and I will make sure that it’s healthy, that it’s safe, that there are no artifacts that would tell me, you are potentially going to get hit by something. And we do this by understanding that there are going to be global ransomware or let’s say global malware or threat actor groups that are going to be doing campaigns globally. And if something starts happening in, let’s say, Brazil, for us, it doesn’t matter where it happens. As a global vendor, we’re going to make sure that every one of our customer with the MDR service will get that threat hunt across them to say, have there been any drops of those artifacts here in Australia or in some other cases? We have very targeted industry based campaigns. When somebody goes after mining, somebody goes after healthcare, and we say, look, there seems to be a healthcare campaign going on, all of our healthcare customers are going to be going to be more vigilant around them. And that comes with a full scale incident response capabilities. And if at any point what I’m going to mention comes at any extra cost, I will tell you, right, so this is all included in the service. And an incident response capability gives you a peace of mind to not only have things stopped, but also have realization of how it happened in the first place. Where did they get in? What is the impact of that potential attempt that could have happened? And what could I do in the future to prevent this to happen? So we’re focused on outcomes. We’re not focused on control points, we’re not focused on products, we’re not focused on adding additional layer of security in your environment. We’re focused on the outcomes. So with Sophas MDR, this is a human led service, because we are going against human led attacks, ransomware just being one of them, because it has direct impact on the bottom line. That’s why ransomware is so often the one that we talk about. But data exfiltration is just as bad, right? I think we all know that the Optus and the Medibank, neither of them were a ransomware. They did ask for money, but not ransomware in the traditional sense. Know your data is encrypted. If you want it back, give us money. They said more. Well, we’ve taken your data. If you don’t want us to share it, give us money, which is a different kind of ransomware than most of us think of. So we will focus that you have the ability to grow your business, because our focus is going to be cybersecurity. So we’re going to monitor, detect and respond to threats. So even your it people and your managed security provider that you might use grassroots it as your it main security provider, can help you do projects, can help you do strategic initiatives. He’ll help you grow your business, not worry about cybersecurity itself. And the community immunity component on this slide is important. We have over 16,000 MDR customers alone. There are vendors that don’t have 1000, 600,000 customers altogether, let alone for their service branch. We have 16,000 MDR customers. And just as an illustration, we have over 400,000 customers altogether. So imagine how unlucky would you have to be to be the first one to be hit with something we have never seen before. It almost never happens that somebody’s always first, but as much as we compete with other vendors, we also share threat intelligence. So it’s not just community immunity by the number of organizations that we’re covering, but it’s also the relationships we have in the industry. And here is the cool thing, we don’t need you to go all in. I’m going to have slides later that going to explain this a bit better. But you can start low and slow. You can start with an endpoint and a server protection and then build onto that until you get to a security posture that you’re happy with. So this is probably most, if not quite a few of your environments. This is nothing unusual. Users are everywhere. I would imagine that some of you are probably in an office, some of you are at home. There’s probably a combination of both. And that’s the reality of today’s world, right? And we all have some sort of endpoints and servers and there’s network equipment, there’s cameras, there’s access points. If you work in education, there are smart boards. I was at an australian independent school expo a couple of weeks ago. There is not a non smart device that they sell in schools anymore. Everything is smart, everything is connected. And when I spoke with those people, what’s your position on security? They said, oh, these don’t get a text. What’s the OS underneath? Oh, it’s an Android. And my mind was just, okay, I guess blinders on and just soldier on is the best way forward. It’s not right. It just simply isn’t. And you can of course put security controls across this. Not a problem, as you can see here, I’m not promoting any of our products. I’m just saying these are the types of products that will help protect you. You can have a workload protection in your cloud, you can have cloud security, a broker, you can have firewalls, email protection, identity. You can have all this. It’s very hard to take these individual pieces of security controls and put them together and say, well, I’ve seen something by this user in identity which also was suspicious in my network detection response that then translated into some activity in the cloud because I have three different tools. This is hard to put together and correlate and make sense of it even, and this shouldn’t say this because I do work for Sophos. Even if all this were sophos by itself, you doing it, it would be hard to correlate this if you don’t have knowledge of what you’re looking at. So there’s an investment and we understand that investment. So what we have done with our service is we essentially don’t really care what security controls you use, right? We have something called integrations, where we can take telemetry from third party products and our product as well, goes without saying. And we drop it into a common data lake. And that common data lake allows us to take all of this information to see what’s happening with it. To do detection across everything contextualized means that an endpoint log, a firewall log and an email log are going to be three different logs. But they tell me the same story if I contextualize them in the same way. And we do that by aligning them to a mitre attack framework and say this type of events tell me there is a privilege escalation attack happening on email, on firewall and endpoint. So clearly somebody’s trying to escalate privileges across my environment. So I’ve contextualized that together and I said, now I can correlate them and decide what to do with it. You see there are two services on this screen on the far right. One is the XDR. So I’ll quickly touch on the XDR, which stands for extended detection and response. This is a tool that you can use yourself and do a lot of what you see here, but you probably can’t do it at scale. So you have to be a very skilled and versed and trained security analyst to look at this data and do this yourself and come up to the same solution and same results as we do. We do offer that to people, and I’m not going to lie, we have organizations that are, as some people have to say, Fortune 500, right? Big organizations that have investment in their socks and say, we probably are going to do better with NDR, but then you tell them, well, if this was MDR, not only are going to we do this for you, but we can do this. Our meantime to remediate on average is 38 minutes. And when I say on average, this is on average of all cases over twelve month period across 16,000 customers, right? So it’s a pretty accurate statement of how long it takes us to remediate a problem. Remediate, right. And let’s talk about what that remediation means and how we go through this threat response process in software itself. So it starts with collection, as I’ve mentioned, and collection can be across multiple different types of security controls. We drop all of this into the data lake and then we start enriching it. And getting threat intelligence across your detections is important, but what is sometimes even more important is a business context. So if I look at. I’m going to use Ben as an example in some of my analogies. So apologies for that, Ben, but I know that Ben works a lot. I know that it’s not unusual for Ben to work 14 hours a day because he’s passionate about his work. But I rarely see him work between 02:00 a.m. And 03:00 a.m. On any given day. So whilst he does work weird hours from a business context, him working at two is unusual. So there are very few SIM type solutions that are going to distinguish the business context and the threat intelligence and say, well, the threat intelligence tells me this is good. I do expect Ben to work weird hours. This looks good to me. So when we have that knowledge across multiple security controls, we can correlate them and we put them together in what we call cluster. A cluster is a detection from an email, a detection from a firewall, and a detection from an endpoint, for instance, that has some sort of commonality. Let’s say that it’s the same mailbox, it’s the same user, and it’s the same IP address, which also allocates to the same user. And that tells me something is happening with this user across my entire state. So I’m going to call this a cluster and investigate. So that is one way to start an investigation and analyze another one is there’s nothing happening in the detection, which doesn’t mean everything’s okay. It might mean that we are in early stages of a potential attack. So we’re going to be running threat hunts. And threat hunts are done two ways. One is based on some sort of weak signals. A weak signal is absolutely four incorrect password attempts by Ben at a weird time. That is a very weak signal. Right. He might have just typed it wrong four times, but put together with what I just said before, becomes a weak signal. So you’re going to say, all right, let’s open this pandora’s box and see what’s happening. Is there more than what we’re seeing? So we’ll do that. Threat hunt. Another one could be what we call a leadless threat hunt. And a leadless threat hunt is we don’t see any weak signals. But we know there are campaigns that are currently happening globally of some sort that I’ve mentioned before. So without any weak signals, we’re going to say, let’s go looking for trouble, right? A leadness threathound is a guy that comes to a nightclub and picks a fight because he says, look, there’s definitely somebody here that wants to fight me. I’m just going to pick a fight and see who it is, and then I’m going to deal with it. And that is what a threat hunt is. We’re going to go looking for a fight and deal with it before it breaks out. So once we have that information, we’ll see how big of a problem it is. We’ll say, look, it’s a threat, it’s an event, it’s a case, it’s an incident. Let’s see what the next steps are. And there are two potential next steps. We’re always going to do containment, and I’m going to explain the difference between a threat response and an incident response, just so you understand what that means. But we’ll also always contain a problem. So this is, we have proof that there is an attack or some sort of an attack trying to happen right now. We need to stop it from spreading. We’re going to remove the malware. We’re going to isolate the endpoint. We’re going to kill the process. It is a disruptive, I guess, task or a process against the attacker. I’m not going to pretend that a disruptive process like this might affect your systems, but let me ask you this question that we don’t have to answer. But just think of this, right? If I tell you, I know somebody is on your exchange server or exchanges online these days, but I know somebody is on your file server in your environment or on your database server in your environment, and they have hands on keyboard access, would you tell me that don’t touch it because it’s important for business? Or would you say, you know what, it’s going to be painful, but take it offline until we know what they’re actually doing and how much problem they’re causing, I would be shocked if any organization says, I’ll just let it run and we’ll see how bad it gets. Most people are going to say, all right, it’s disruptive, it’s unfortunate, but the outcome of not addressing it is going to get significantly, significantly worse. So after we’ve done the containment, we are going to neutralize, right. And neutralization means we need to eliminate any signs of that attacker as well as prevent recurrence by giving you very guided instructions and recommendations how you could have stopped that. So we’re going to do a root cause analysis, and we’re going to do all this, as I’ve mentioned before, on average in under 38 minutes. So in 38 minutes, from a detection to giving you a thumbs up is pretty fast. We’ve started this session at ten, so by now you would have been well and truly in the bottom end of the investigation phase if this was a serious problem in your environment. I’ll show you what that means in comparison with a security operations center. Now the importance of doing this and making the solution and the system better moving forward is what we call a virtual cycle, right? So these are the components of our xops, as we call this, that make the service better, right? So the information that our sackop analysts find through indicators of compromise and hunting methods, et cetera, are fed into our AI so that they can bring build machine learning models and playbooks and that is then shared with software slabs researchers so that they can open it up and look into the details. And that gets given back to our security professionals. And this is, as I’ve mentioned, over 600 people across seven global socks. So every major theater has a sock. And if anybody’s asking, oh, do we have one in Australia? Yes we do. There is one in Sydney. But we do have a follow the sun model. So it doesn’t really matter where we are. And the map behind it was, you might not see it. Well it actually has dots where those data centers are. You might see the green dots on the world map in the background. But that’s the purpose of this virtual cycle, is that all of our products benefit from this. So the cool thing is you don’t have to just go all in with software. You can start small, you can say I’m going to start with endpoint, that I’m going to bolt MDR on top of it and then I’m going to build on that foundation. And by build on that foundation, I’m not saying build by buying more and more software. It means build by introducing the rest of my potentially already existing security controls into being part of this system. So I’ve mentioned the 38 minutes a couple of times and the reason why I’m going to bring this up is because these numbers are not something that we’re making up. Right? So an incident closure time for a sock team on average. But let’s not say average, let’s say the fastest, the fastest, let’s say it’s 3.7 hours. That is still significantly, significantly more than our average threat response time. Right? And I’m using the fastest possible time that we have. And this is again a statistic that we grabbed from, I think it’s over 2000 organizations globally that have internal SoC teams. Now why are we so confident in saying this? Well, because this is underpinned by sophosis intercept x endpoint protection that according to all independent, because I only value independent tests, we do stop 99.98% of threats. And I personally believe, and you probably agree that the best investigation is the one that I don’t have to do. So if 99.98 is already blocked, cool. It means that not that our guys are not going to look at it same as the slide that I’ve showed you at the very beginning. It means that their priority is going to shift. They’re not going to be chasing tail for every single detection. They’re going to be chasing the tail only on, let’s say, zero two is the ones that they’re going to be really focusing on as a priority because they have bypassed the security controls. The rest is going to be done through a normal security incident response procedure. Now let’s just understand what is the difference between what is called a threat response and an incident response. And you’ve probably seen that so far. I haven’t really talked much about the product itself. Outside of that. We do these things pretty fast. In terms of 38 minutes response time, a threat response is stop the bleed kind of, I guess, approach, right? So you’re in a car accident, your hand is bleeding, you have to stop the bleed, so you have to stop the propagation and making the attack become worse. So you just mitigate the risk of that threat, as we call it, at that stage becoming an incident. It’s very disruptive and it’s disruptive to the malicious activity of the attack. Once that is done, and we know that the attack is not going further, we move into the incident response state, which is all right, we need to remove the scripts, we need to remove the test schedules, we need to reset the passwords, we need to isolate the user. At that point we might come to you as an organization and say, hey guys, we want to find out the root cause of this, where it came. Would you mind giving us your logs of your VPN concentrator? Would you mind giving us the logs of your firewall? Would you give us the logs of your DNS filtering system? Because we need to know more to give you a very clear view of how this happens. So we’re going to go above and beyond just our product because that’s what a root cause analysis is. And then we’re going to come back and we’re going to, you know, we saw this as an email attachment to Ben. He clicked on it. It was a phishing link. He got baited. That’s how it started. For your information, after looking your minecast proofpoint or sofas email logs, we see that this email has also been delivered to nine other people that haven’t clicked on it yet so that we don’t go through this again in the next 15 minutes to an hour to a day, whatever. We recommend that you remove those from their inboxes. This is the sender. You should probably blacklist this sender. This is the IP address that they’re sending from. You probably should blacklist this IP address. I sometimes get asked the question why don’t we do this ourselves? And can we? Yes, can in terms of we have the technical capability and we’re doing it for us internally. No, we’re not doing it to customers right now because we need to find the right way of delivering this within existing change windows change requests and following the right bouncing ball. I’m going to say probably in the next couple of months, as in this quarter of the year, we’re going to start offering some of the remediation beyond just sofas. I’m going to say that the first cab of the rank is probably going to be around identity. So something like duo probably and Azure ad where we are going to give you the option to choose to say if you need to reset a user’s password, just do it for us. And we’re going to be able to do that right now. We give you advice to say reset user password and we say reset this user password. Reset this machine password local password on this machine, remove this ip, remove this task schedule. So we’re pretty specific on what we want you to do. And let’s not pretend, probably everybody in this room has already invested in something. So we recognized that and we said, hey, how about we become very flexible with our service and say we want to be compatible with what you’ve already spent money on. Excuse me while I take a bit of a sip and you can have a look at this slide and see how many of those vendors you recognize potentially in your environment. So this is a subset of the solutions we can already ingest in our data lake. So if you have a fortinet firewall, a azure presence, you’ve got mimecast and duo. Not a problem. All of them can become telemetry for our MDR service. When I say telemetry, I’m talking logs, right? Let’s not pretend. Telemetry is a nice fancier way that we say logs these days. So when I get logs from your Fortinet firewalls your minecast email protection, your duo. When I put this together, it allows me to correlate and do clustering of events. I’m not going to come in and say you’ve got fortunate. Tough luck. If you want this service to work well for you, buy Sophos firewall. If you want this to work better on email, buy Sophos email. I’m not delusional. That’s not what’s going to happen. And this is the first time I’m going to mention this because I told you that I will. What you see on top is Sophos is in a green square. That is because if you buy MDR service, any of Sophos products are included in the pricing. In terms of if I want to get Sophos email software’s cloud, Sophos firewall software, cloud solution into MDR that is included in the offering. The others that are in orange come at an extra cost because it cost us time and money to deliver the service across other products. So we sell this in what we call integration packs. So you can say, I’m going to buy a firewall integration pack, an email integration. You don’t buy a Palo Alto integration pack, you buy a technology integration pack which allows you as many firewalls, as many environments as you want. You say, I want firewalls and I’ve got four different vendors of firewalls, but I want all of them to be into your NDR service. You say, cool, just buy the firewall integration pack. There are two that are not software that are included, which are very important. Microsoft three, six, five is included in the price, even though it says it shows here separately as email. So that is included in the price and Microsoft products through graph security API. So for those of you that don’t know, Microsoft has an API opened to everybody where you can pull logs from Microsoft security products into your environment. So all security products from Microsoft, if configured correctly, and there are good articles how to do that, will report logs into a joint container. And that joint container, the data can be pulled out through an API that is included in the MDR offering. So a lot of organizations say, well, we have a sophas firewall surface endpoint, but we also use Office 365 and we use some other products by Microsoft. From a security standpoint. Great. All of that is included in the pricing, right? And this is very complementary to what your managed service provider is doing because they can manage all this relationship for you. The way that MDR works is you specify the context that you want to be notified when something is happening. And those contexts can be your Mantiki deployment that says, look, we’re doing it for these guys. Call us, we know the environment, we’re managing it anyway. We’ll handle the relationship for you with them, but we are your first point of call. We have numerous customers that just say, just call our managed service provider. They are our it go to people. So in this case, we would call grassroots it and say, hey, it’s us sophist again. Let’s talk about this customer, because we’re seeing certain things. I know that we’ve all went into it industry because of all the great recognition and the glamour it brings. I can’t remember a day when somebody doesn’t pat me on the back and tells me how great of a job I’m doing. Clearly you can see that I’ve mastered the art of sarcasm. When it works, nobody cares, right? It works. Nobody comes to you and says, oh, great job. I know that it works because you’ve put an effort in. I know that it works because you’ve done the right configuration, nobody cares. The second something gets broken, it’s, oh, come on, it guys, it never works. We always have a problem. So what we made sure is that you can demonstrate to the business that the MDR service works for you. And we do this through two types of reports, a monthly and a weekly cybersecurity report. A monthly report is very much one that says, hey, great job, but great job because all of this has been done of software by you. So your status is green. It’s green because we’ve seen 57,000 detections that have become five cases, but no escalation. So if somebody says, why are we paying money for this MDR? Well, because the work that they’ve done would otherwise have to be either done by us or not done by anybody. And it would just funnel through a detection all the way to a serious incident if nobody looked at it. And the weekly one is more for the it people in the room. It tells you, hey, this is the hunts we’ve done, because this is what we’ve seen globally. These are the results for your environment. You seem to be targeted by these types of mitre attack techniques. So we give you a bit more specific technical information. And God forbid, which does happen, you have an actual incident, you will get another report, which is an incident report. And an incident report will give you a very good executive summary that you can show to your boss and say, look, despite all the money we’ve invested, sometimes things do go wrong and we had an incident and this is what happened. And then you yourself, or whoever is interested can go through a full timeline of all the events. And as you can see, the color coding here. So red means things were bad, and then at yellow we got involved and we turned it into blue, which means we’ve started doing some action, and then you start seeing some green. And green means this problem is fixed. This problem is fixed. We found a new one. This is fixed until you see at the very end it’s all green, we’re happy. And then we give you usually a page of two of extra recommendations saying, hey, if you’ve done this in the future, that probably is not going to happen. You probably need to patch things. You should probably look into resetting some passwords. This password that was abused is an admin password. Our recommendation is reset all admin passwords because one exploited can potentially mean more of them. Exploited. How confident am I that this service works? I am $1 million confident. Why am I saying $1 million? Because the service does come with what we call a breach protection warranty, which covers up to 1 million in response expenses. All right, let’s cut to the chase. Right. 1 million in response expenses is what looks good on a marketing data sheet. You’re not going to get 1 million. There is small print that says, yes, it’s 1 million, but it’s essentially $1,000 per endpoint that’s been breached. So if you have a 300 licensed MDR estate, the most you can get is $300,000. So I’m being very transparent here. So there’s no but you said 1 million, and then it turns out that’s not what’s happening. So it is included with every subscription of MDR, whether this is new or renewal, at no additional cost. And it covers endpoint servers, windows, macOS, does not matter where that is deployed. Is it covered in Australia? Yes, absolutely. There are things in the small print of the service description that explain to you how we expect you to handle your environment. And this is not underwritten by a third party, so that you have to go through a claim through budget direct. I’m making this up. But through a cybersecurity insurance company. No, you deal with Sophas alone. We are underwriting this. We are paying you the money. I get asked often, what do we do if something is unpatched and gets breached? The link that you see on this page, the sofascom legal that talks about all of the descriptions of this service. So specifically for patching, we expect you to patch things, but we are reasonable. If something gets a CVE score, I think, of nine or more, we expect you to patch it in certain amount of time, which is, I think, like 48 hours after patch is available. But Cve nine and higher is very bad, right? And then that time expands as a particular vulnerability has a lower score all the way down to, I think like a month if it’s cve seven or lower. So let me summarize what I’ve told you today. MDR is a service that is currently protecting over 16,000 customers globally. And it does this by providing you a response time of 38 minutes on average of detection being the 1 minute and the most of the time spending on investigation. It might sound a lot to spend 25 on investigation when the other two combined at 13, but the investigation is the enrichment correlation and everything else, right? So when we do respond, we’re not walking in blind, we know exactly what we’re responding to. So we do spend some time to get the right intelligence, the right business context, to put things into perspective and then to respond to it. And it is a proactive service. And that is probably the main difference between a SIEM and an MDR. A SIEM will wait for an alert to happen and then have a playbook and potentially even some sort of automation to deal with it. But it needs to see something that it has known about before. A sim is very ineffective in protecting against things it’s never seen, because it has to learn the behavior. We do things a bit differently. For us, everything that is not default is abnormal. So it’s the other way around, right? It’s not. I need to prove something is abnormal. I would need to prove something is normal. So we say the baseline is this, and everything that is an anomaly is not within the baseline. So it’s a very quick return to value, because as soon as you start using the service, we start protecting you. And it comes with full incident response capability, no extra cost, no retainers, no limitation. Let’s say you have a server that you can’t patch because of your change window. We will protect you, right? We will protect you. We’ll say, look, your best course of action moving forward is to make sure that you do patch yourself. But we’re not going to walk away and you’re not going to avoid your warranty just because you haven’t done this. So 16,000 customers translates to. Just to give you a bit of an illustration around, I think the last data that I saw probably in the last couple of months was on average, about 1.4 million endpoint points protected by MDR at any given moment of the day.