
April 18, 2024 61 mins

Welcome to Episode 42 of the Cyber Security Happy Hour Podcast, with your host, Christie.

In this gripping episode, I interview Alexander Rogan and Christian Rogan, co-founders of Platinum High Integrity Technologies. They discuss their disruptive Cyber Security solution, a technology that works at ring zero, effectively blocking unauthorised binary codes from deploying onto the system.

This game-changing approach confronts malware before it can do damage, ensuring cyber safety. Tune in as they shed light on how their technology eliminates the need for constant updates and the struggle with false positives.

 

We dive deep into the advanced realm of Cyber Security, discussing innovative technologies that offer a powerful shield against potential cyber-attacks. In this lively conversation, we explore unique approaches to protect core systems and combat notorious hacker groups worldwide.

We also discuss their dual-authority model, in which two approvers must act together to unlock a protected system, and how it reduces the risk of system breaches and impedes unauthorised system changes. Alexander and Christian also explain how their advanced technology, Abatis®, counters persistent cyber-attacks, securing systems from the most modern versions of Windows to legacy OS.

 

The discussion extends to explore the financial implications of using Abatis® to secure critical assets. Alexander and Christian emphasise the staggering return on investment for enterprises, the potential to eliminate costly extended licenses, and the tremendous stress reduction for security operations centre (SOC) analysts. They suggest introducing Abatis® even before compliance standards such as PCI DSS are enacted, owing to its comprehensive threat analysis and advanced preventative measures.

 

Additionally, we delve into ways to counter insider threats, the limitations of existing security solutions, and the transitions to AI-based solutions. Alexander and Christian highlight the rising costs of maintaining current security infrastructure and the significance of proactive measures in countering cyber threats.

They round up the discussion by shedding light on their plans to explore future applications of Abatis®, including cellular protection, Android security, Linux systems protection, and IoT.

Join us in this compelling episode to understand how Platinum High Integrity Technologies is revolutionising Cyber Security by offering simplicity, cost-effectiveness, and proactive protection.

 

You can find further information about Abatis® at https://platinum-hit.com/

Follow Platinum High Integrity Technologies on LinkedIn: https://www.linkedin.com/company/platinum-high-integrity-technologies/

 

 

Enjoy!

You can listen on:

 

At Intex IT Website: https://intexit.co.uk/podcast/

 

ITUNES: https://podcasts.apple.com/gb/podcast/cyber-security-happy-hour/id1515379723/ 

 

 

Do not forget to subscribe to the podcast so you never miss an episode.

#podcast #CyberSecurity #InfoSec #DataProtection #PrivacyMatters #ThreatIntelligence #ZeroTrust #SecureTheFuture #CyberAware #RiskManagement #DigitalDefense #SecurityAwareness #Encryption #ITSecurity #CloudSecurity #HackerDefense #NetworkSecurity #PhishingPrevention #IdentityProtection #SecurityEducation #IncidentResponse #MalwareDefense #IoTSecurity #CyberResilience #SecureSoftware #PatchManagement #CISOInsights #CyberHygiene #PasswordSecurity #CyberThreats #DigitalForensics

 

#SecureInfrastructure  #ThreatDetection #SecurityConsulting #IncidentResponse #DigitalSecurity

#SecureSoftware #CloudSecurity #CyberSafe


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Okay, welcome to the Cyber Security Happy Hour podcast.
My name is Christie, I'm your host, and this is episode 42.
We are going to be speaking to two fantastic guests, Alexander Rogan and
Christian Rogan of Platinum High Integrity Technologies, and the theme of

(00:21):
the podcast is Defenders of the Cyberverse.
We're going to get some insights from these great men.
Okay, so Alexander, do you want to introduce yourself? Just tell us about yourself
and your background and your achievements.
Oh, wow. Okay. It's going to be short and sweet then, isn't it? So I'm Alexander Rogan.

(00:43):
I'm the CEO, and with Christian, I'm the co-founder of Platinum High Integrity Technologies.
We are a cybersecurity company, and we're bringing a particularly interesting
cybersecurity solution to the market.
It's a technology that Christian actually introduced me to a good few number of years ago.

(01:08):
Yes. And it's one that I became really enamored with. It's very powerful.
I got involved six or seven years ago as a reseller of the tech and then a few
years ago I was able to sit down and negotiate with the original architect of
the security technology,

(01:29):
and persuade him that it would be a good idea for him to sell the tech and let
Christian and me bring it to a much bigger market.
So there you go. That's me. Okay, awesome. Thank you. Thank you for that. And Christian?
Yeah, I've been in cyber security for, well, since 2000.

(01:50):
I started off with PwC, a small outfit called BeTrusted, which engaged with
PKI at that time, and X.509 certificates, if anyone even remembers those.
Moved over to MessageLabs a couple of years later, which was a startup in the
email hygiene in the cloud space, and had a very successful seven years there,
where that business was ultimately sold to Symantec for nearly a billion dollars.

(02:14):
Moved into a number of other security companies, did some consultancy in the
middle, worked for Alcatel-Lucent, worked for CSC, Trend Micro,
and ended up coming across this incredible technology from a small company called Abatis.
So I joined that little startup, which wasn't terribly sophisticated from the
commercial perspective.
So it didn't succeed, like many companies,

(02:36):
and Alexander and I were able then to acquire the
technology in June 2022, take it
back into our labs, improve upon it, and then in
the last six months or so we are taking this solution, this
unique solution, to market. Okay, great. Great to hear that. Now, you know that
in our industry malware is a constant and evolving threat, and

(03:02):
what I mean by that is we seem to be playing whack-a-mole,
where we have sealed a point and something else pops up.
Now, how does your solution adapt to these new and emerging threats?
Because we know that there are various techniques some of these cyber criminals are using,
and some countries also kind of have research labs to implement these changes

(03:29):
as soon as, let's say, an opening has been blocked.
Yeah, we call them zero-days, and there's a big and valuable industry in
marketing and selling the zero-days for exploits of vulnerabilities in corporate
and government systems.
The surprising answer is we don't adapt our technology at all, because we recognize

(03:49):
malware for what it is, and that is, it's a binary.
Now, when you are trying to introduce any form of malware after the breach onto
a system, we simply intercept it at that juncture and prevent the payload from
being delivered to the host.
And we do that at ring zero, whereby you can't obfuscate what the code is.
So we enable, we make the system, the operating system, immutable by sitting

(04:13):
inside the kernel, becoming intrinsic to that operating system.
This gives us a multitude of benefits, which we probably won't even have time to go into here today.
But simply put, we apply our code. It's a ring zero, kernel-level filter driver.
It doesn't require any updates, and it absolutely stops, with complete certainty,
any new binaries being introduced to the persistent storage of the device.

(04:36):
That means you cannot write to disk without being permissioned onto the system.
And we have a whole policy engine, a security policy engine, which allows you
to approve the supply chain that you trust to make necessary changes through the
lifecycle of the applications that are running on your system.
So it is not simply something which will block the utility of the computer.

(05:00):
In fact, it absolutely allows the utility of the computer with full flexibility,
but will absolutely deny any manner of threat, whatever the attack surface is.
So we're talking about protection against USB, even
infrared, a malware broker sitting on
the computer and trying to type the malware into the machine itself because
they've got physical access. They'll be absolutely prohibited from doing that.

(05:21):
So, to break it down, yeah, the
way that the kernel-level filter driver works is it
sits at ring zero, as I said, and it intercepts all the input/output traffic,
and it will make a deterministic decision as to
whether that is a recognized binary that's been permissioned, or
a new one, or one that is trying to change a pre-existing binary,
or indeed remove a binary, because one of the attacks is to remove security control

(05:44):
from a system. One, of course, is to change it, to adapt it, to make it vulnerable,
and the third one would be to introduce a whole new set of code to obviously
attack the system. All three types are absolutely prohibited. Okay.
Well, you said, I don't want to use that word, big claim. You said it does not require updates.
As we're aware, with other vendors, if you do not update signatures,

(06:08):
then you are particularly vulnerable.
This is quite a novel thing to hear.
Christie, our technology, it's not reliant upon heuristics, behavioural analysis.
It's not reliant upon whitelisting. As Christian said, it's a deterministic

(06:29):
filter driver that embeds itself into the operating system.
So it actually becomes a part of the computer. It lives right in the heart of
the computer, right in ring zero.
Our competitor vendors are sat in the application layer.
They're in a different part of the computer system. And Abatis is

(06:53):
looking for binaries, code, trying to get onto the computer system without permission.
And that's deterministic. It makes that decision, and it stops unwanted binaries
in less than a millionth of a second.
Okay. So, and it stops the bad guys getting onto the computer system before they have a chance.

(07:21):
So we hit them at their most vulnerable place, and that's just when they're about
to try and deploy the malware. They're trying to get the payload onto the computer, and Abatis says no.
Okay, awesome. Now, there are different ways of obviously deploying
malware onto our systems: one is USB, clicking malicious links and

(07:45):
redirects to websites, etc., etc.
So what you're saying is, whatever the avenue of input, it will stop it in its tracks.
Yeah, because the guy who architected this, the guy who wrote this,
was obviously a really clever guy.
You know, I mean, we talk about people with brains the size of a planet.

(08:08):
I mean, I do think that this chap was one of those.
And his genius was understanding how malware works in its most simplistic form.
And he came up with a solution based on that.
And this solution is the polar opposite of everything else that's out there.

(08:29):
It's an incredibly elegant solution to a really ugly problem.
It's a very small piece of code, less than 100 kilobytes, and it sits in ring zero,
and it looks at the malware as the malware tries to arrive and be delivered

(08:50):
onto the computer system.
And as Christian rightly said, malware is an unwanted binary.
It's a piece of code. Yes. Ones and zeros.
That's all it is. And if you can
stop it from being delivered, if you
can stop that payload from arriving on the computer system, you
can stop that malware doing what the

(09:11):
bad guys are trying to do. And it doesn't matter whether they're
trying to deliver it by infrared, or whether it's, you know, a watering hole
attack on a website, or whether it's a USB stick as the ingress point. Abatis
doesn't care. It doesn't matter what it is. It doesn't even need to know that. What

(09:32):
it's saying is, unwanted code.
So it breaks it down into something really simple, and because of that it can react, or it can act,
incredibly quickly. So one of
the points I like to make is, compare it stopping malware being delivered onto
a computer system within less than a millionth of a second, and compare that

(09:58):
to the average time it takes now to actually find and clear malware from an operating system,
which I think, according to IBM, is over 100 days.
Yes. Sometimes, in some instances, some of them are very hard to do.
We just have to, you know, wipe the system. Or, I think, if I remember clearly,

(10:24):
there was an attack on one of the oil companies a
few years ago, and they had to purchase
new hardware, and it cost them a lot of money.
Absolutely, 100 million dollars. That was Aramco, with
Shamoon. Yeah, yes, Aramco, yes.
So, and I really, they had
to, because of the scale of the attack, they had to

(10:45):
give oil, oil and gas, for free
for a period of time. So obviously I'm not
sure what the long-term cost was now, but if
they had had this piece of software,
it would have reduced that landscape drastically. Now,
you've kind of walked us through the fundamentals

(11:06):
and functionalities of
the Abatis software, and you also talked about
how they enhance cyber security,
and now you've also mentioned it being
a solution for zero-day exploits and
any unknown malware, okay, which is great to hear. I'm just going to go

(11:29):
in again now. And again, this piece of software, just 100 kilobytes, resides
in ring zero. A question I want to ask is, now, obviously we are aware that
malicious code and the binary can be recognized.
Are there any false positives here? No.

(11:50):
No, we don't suffer from false positives or false negatives.
So it's one of the great benefits of the technology, because it recognizes, and
it's an actual event. And if it stops a binary, we record it in our logs.
That goes to our SIEM, which we call Central Management Console.
That's a syslog that's ported off the agent that sits on each of the endpoints,
goes to the SIEM, our SIEM, and that records for posterity the event that's

(12:14):
actually happened. But because it's a deterministic decision on a binary that's
tried to write to disk, there are no false positives.
So we're pretty good as a hunter-killer for pre-existing malware as well, when
it tries to morph on the device.
So if you have an already infected device before we're installed,
there are instances where we have actually discovered pre-existing ransomware

(12:36):
because it's tried to morph.
It's tried to call out to its command and control on the Internet,
get a new profile to evade signature.
Because very often ransomware is discovered,
you know, by other security vendors, signatured, and
then the signatures are rolled out to pre-existing security vendors
so that they can adapt their solution to meet the emerging threat.

(12:58):
We see it when it tries to morph, and therefore we capture where it was originally
on the disk, and therefore we can do a targeted removal. But the beauty of our
system is there are no false negatives
and no false positives, and also an extremely limited number of logs.
The logs are low because we are stopping the attack before it follows through.

(13:19):
Okay. And that's really important when you think of the cost downstream of all
the logging that every other security vendor has to go through.
So if you think about the Target attack a few years ago, where they had deployed
FireEye, FireEye said, yes, we identified there was a threat, and it was in the
lines of code that we reported to you.
Well, unfortunately for Target, the actual threat was hidden in amongst a million

(13:44):
lines of other false positives.
So they couldn't distinguish the wheat from the chaff, so to speak.
So the logging aspect to me is one of my favorite aspects of our technology
because of the sheer cost reduction.
So the ROI for our technology compared to almost, well, every other actually
security solution that's out there is dramatic. Absolutely dramatic.

(14:07):
And that comes back through having that surety of
no false positives and obviously the vastly reduced log
set. I just wanted to point out,
because some of the listeners will be saying, well, it's all very well
protecting against persistent threat and binaries that write to the disk, but
what about the tools that APT groups such as Volt Typhoon use? They co-opt PowerShell,

(14:29):
they're using VBScript, they're using some of these other approved solutions
that the administrators use. Well, one, with our technology,
an Abatis administrator has a higher level of privilege than a normal sysadmin.
So where you would normally be god of the box and you can do anything you wish
with the system, with Abatis deployed, you have to be an Abatis-approved administrator

(14:53):
to allow the unlocking of the operating system by the sysadmin.
So the sysadmin is no longer in control of the estate.
So we actually stop the insider threat as well as the external threat.
Do you think organisations would be comfortable handing over the keys of

(15:13):
the kingdom to a third party?
In many instances, for small to medium businesses, they do that already with outsourcing to cloud.
So that paradigm shift has already occurred.
But you're quite right, many governments, many large companies,
as we've mentioned Aramco, very much will not allow third parties
to come in and enforce control, changing

(15:37):
control. So we are quite able with our solution to give
them, one, a managed service, or oversight of that
managed service, or they can own and operate the solution themselves
with minimal training. It's a
very, very simple solution to deploy using conventional tools.
Yeah, obviously we use IP, as syslogs
come from our endpoints, protected endpoints, to

(15:59):
a SIEM, our SIEM, or indeed they can have their own pane of
glass that they may have already invested in, such as
ArcSight or Splunk or, you know, any of
those. So we play nice with all the other security solutions
in the stack. We do not, because we're only
at ring zero... Go ahead, Alexander. Yeah, but Christie, just,
you know, the point about handing over the

(16:19):
security, I mean, what we're
doing here is actually enhancing the security. So the
way that we will build ourselves in with
the clients is that you won't have a
single point of failure. So one person can't switch
it off. So you've almost got, like, the missile silo analogy, where two guys have

(16:40):
got to turn the keys simultaneously. Depending upon the size of the estate
and, you know, the locations, you could have somebody who doesn't
even know the other person on another continent, at a time,
you know, at a predefined time, two people working together,
turning that key so you can make any amendments or

(17:02):
changes you need to do, and then
locking it again. And you make it almost
impossible. I mean, you can never say never and you can never say impossible,
but, you know, almost never, almost impossible for the bad guys to co-opt somebody.
Yes. So you can't force somebody, because there's somebody else on another
continent that has to be involved. So you prevent the collusion. Yeah, you prevent

(17:28):
collusion. And if somebody is having a bad day,
as it happens, well, tough.
That person having a bad day can't do the damage, because they need to have somebody
on the other side of the world, and they don't know who that person is.
Yes. So what we're doing is adding a higher level of privilege and a much,
much greater solution to these organizations.
Okay. I just wanted to finish the point on the APT group, Volt Typhoon, as well,

(17:53):
because they are known for using the low and slow approach and using the administrators'
own tools against them, such as PowerShell, VBScript, CScript and so on.
And they have a very, very modest persistence on the device,
which is extremely hard to find.
So this is what Christopher Wray, the FBI director in the States,
has called an existential and generational threat to critical national infrastructure,

(18:15):
particularly in federal government in the States.
Because the Volt Typhoon APT group has
been in their systems since, before 2021, I think. I think they're saying, to
their knowledge, about five years. So what you have there is a threat actor that
has now actually permeated the operational technology space within those large utilities, those

(18:39):
water providers, energy providers, nuclear power stations and so on and so forth,
simply because they're able to use your own administrative tools against you
once they've exploited the vulnerability on the system. If you deploy Abatis in that scenario,
we are able, by virtue of our complete control over the binaries, to prohibit
the use, even by system administrators, of their own tool sets, never mind the

(19:04):
operational technology, where you've deployed tens of thousands of programmable
logic controllers across a power station, for example.
But they still have the same operating system. They still have the same ability
to be vulnerable, because these tools exist.
We can absolutely turn those tools off across our entire estate,
allow only the highest level of privilege, which would be an Abatis-approved

(19:28):
operator, to utilize those tools.
For everyone else, it could be completely turned off, negating the risk.
Now, because we can do that after instantiation with the security policy that
we deploy, the deployment model is using the conventional tools.
The minute we're instantiated, it requires a restart, because we do exist in the kernel.

(19:49):
We become intrinsic to the operating system, because that's how it
works. You have to do a restart.
But once the restart is done, that means you can then invoke the policy,
which would say, I'm going to turn off all of those administrator tools.
And that would prevent any attack group
that's in there utilizing the administrator tool

(20:10):
set; it would prohibit them from acting. And the moment that small, that modest persistent
threat that's sitting there, which allows them to invoke the tools, tries to invoke
the tools, it is prohibited, but it immediately becomes visible to us. So we capture
that event in the log. It's a true event. It's not a false positive. It's absolute.
We can then identify where the bad actor, the APT group, such as Volt Typhoon,

(20:35):
are across the network, and then enable a targeted removal of their activity,
presence. And that may be the
most innocuous-looking bit of code. You might not think it
was malicious, but of course the bad actor knows it's
malicious, because that's what they're using to deny availability at
such juncture. They perhaps want to mount an attack in conjunction with an invasion

(20:59):
of Taiwan, for example, because Volt Typhoon is a Chinese group. So this is how
we can enable and secure operational technology as well as IT, uniquely.
The Abatis technology has been around. We forgot to mention this, Alexander.
We were commissioned by the Swiss military in 2004 and deployed in 2005 into

(21:21):
armasuisse in the Swiss Alps on behalf of the Swiss military.
And that means that it was written for very, very much earlier versions of Windows.
So we, in fact, have in our library, our software library, the ability to go
back to NT4 and to protect the endpoints all the way to the present day,
which is completely and utterly unique in our industry.

(21:44):
I was just going to ask you that about the legacy systems, because we've talked
about critical systems and we are aware that some of the causes of the vulnerabilities
in those infrastructures is legacy systems that
are no longer... Essentially, they're unsupported. Christie, exactly.
Yeah, systems, yeah. Yes. Now, so whatever

(22:07):
vulnerabilities exist remain to this day, but with
our solution you don't even need to patch until you are good and ready. So let's
say you've deployed Cisco, and then you now know there's a vulnerability within
the Webex aspect of the Cisco architecture, and you have an issue now, because
do I deploy their fix to fix the vulnerability?

(22:28):
Do I wait and test that fix in pre-production to ensure that that itself is
not being compromised, such as SolarWinds, where its supply chain was compromised?
What do I do? The IT professional, the security professional, has a conundrum.
Do I trust Microsoft to allow them to push out KBs across my estate, or do I wait and test?

(22:50):
In the meantime, I remain vulnerable, especially if that
vulnerability is being exploited in the wild. Yeah. Now, with
our solution, you can, because the vulnerability cannot be
exploited, because we will not allow a change to the pre-existing binary. Because
there's no change allowed, the vulnerability is not exposed.
So the only reason that you would need to
update your patch, effectively, is

(23:13):
through regulatory means, because the regulator
has asked, demanded, that you have to update your systems within
two weeks of a patch becoming available. Otherwise you
could do that at a, you know, twice-yearly event.
You could consolidate all your updates and you could roll them out
consistently and all at once across the
estate, negating a lot of expensive out-of-band patching and emergency patching.

(23:37):
That goes away with our technology. That means that the vulnerability, even though
it exists, cannot be exploited while we're doing the protection. So,
another very powerful USP for our technology.
Just to reiterate, it will sit on everything from the current flavour of the
Windows operating systems all the way back to NT4. And that was the original question.

(24:02):
So it looks after all of the legacy estate, all of it.
So where you've got organisations, we've got the National Health Service,
we've got the police forces,
that up until very recently were running XP or Windows 7 or Windows 8,
Abatis will sit on those, and it will provide the same level of surety and

(24:26):
security as it does for Windows 11 or Server 12 or anywhere else it sits
in the modern stack, in the modern architecture.
And this is just something I'd like to add.
This means that if you are running Abatis on your legacy equipment,
on your older IT,
you will update that IT when you are ready, not because you're being strong-armed

(24:52):
by a vendor saying, you've got to throw that machine away because we can't look after it anymore.
There might be years of life left in that machine.
It might be doing a really simple application, but you don't need to upgrade
it to Windows 10 or 11 at that expense.
Good examples of that are MRI scanners and X-ray machines, medical devices,

(25:16):
and broadcast satellite communications.
All of those use legacy OS because it can't be changed.
That's too costly, and some of the vendors have gone out of business, etc.
I want to come into this more personally, because I conduct audits for compliance purposes.

(25:38):
And in the UK,
I'm a Cyber Essentials assessor, and
one of the standard questions we ask
is, has your software been
updated with the latest patches from the
vendor within 14 days? Now I'm looking
at this, that if they say no but claim

(26:00):
that we have Abatis installed that manages
all our operating systems going back to XP, I'm not sure the current standard
will allow us to pass them, because as far as the current ISO 27001 and other external
standards as well, the question is, what operating system do you have? It is Windows 22H2.

(26:24):
That is fine. And if you have XP, it's an automatic fail. So if
these clients say, we have Windows,
let's say Windows XP, for example, and we have Abatis as software that is
providing that control,
are you telling me that they might pass the certification, an auditor and

(26:46):
assessor might pass them?
Well, Christie, Christie, Microsoft are not issuing patches for XP anymore.
They don't know that. We know that. Yeah, exactly. Yeah. So yes,
so this is a way, this is a way that you could tick that box and
say it's now protected. That's the question, is it
protected? Because Microsoft are not
issuing patches, refuse to, unless, and

(27:09):
unless in certain situations where, like the
National Health or perhaps
the police forces, are being forced to
pay a huge amount of
money every month as an extended license,
yes, for a support that
is actually no support. So this,

(27:31):
this goes back to return on investment. There was
a dreadful story that came out a few months ago where the
National Health paid Microsoft, or its reseller, eight million pounds in extended
licenses for a month. Yeah, yeah. Just a staggering amount of money, and

(27:53):
that was so that they could run machines that were not actually being patched or supported.
I suppose if you look at the return on investment, £8 million compared to...
We would look after, Christie, I would look after the entire National Health
for less than £8 million, just out of the fact that we would really like to

(28:14):
look after the National Health. Yes.
Yes. OK. The amount of money that is being burned is absolutely horrendous.
So the return on investment would be massive and immediate.
But the point, the point is,
if you don't have to
upgrade, you know, because you don't want to,

(28:36):
and in addition, you're actually
buying security. Yes. Whereas at the moment, if you're paying for an extended
license or not, you've got no security. Yeah. And all you have to do is
look at the number of patches and the number of critical vulnerabilities
that are being applied against even the modern,

(28:57):
not legacy, but even the modern architecture.
Congress are saying it's not fit for purpose. Now, it's not my place to sort
of say whether Microsoft are or are they not,
but if you see the reports that are coming out by organizations or politicians

(29:17):
who have got some sway with Microsoft. Very,
very recently, just after this, the Volt Typhoon attack,
when they suddenly realized, you know, the problem that got the critical infrastructure,
the CISA attack, where another APT group got into the US body that was there

(29:38):
to advise and protect other US bodies. I mean, the irony is enormous.
People are getting upset with it now.
As you can see, as Christian said, a lot of the companies, the SMEs and the
micro-organizations do not have the in-house support and expertise in-house.
Which is why we have a managed security service. Yes, yes.

(30:00):
Which is supported by, yeah, so our technology is supported by an international patent.
We're filing new patents, because we've actually improved the security since
we bought it. And now we have the ability to stop the living-off-the-land binaries,
which I was talking about earlier.
That is the PowerShells, the VBScripts, the CScripts that the bad guys are using against you.

(30:23):
We also came up with a solution to the SMB1 problem, the Server Message Block
version 1 problem, which is an incredible vulnerability that allows, and has to be
used for, legacy to talk to the more modern architecture.
If you don't have SMB1, then you can't operate remotely your operational technology estate.

(30:45):
So that means that SMB1 is switched on across your modern IT estate.
And this is what's keeping the SOC analysts up at night, causing them massive
amount of stress, simply because they're having to monitor all the transaction
flows through SMB1 because it's highly vulnerable to man-in-the-middle attacks
because there is no encryption.

(31:06):
The devices cannot be more encrypted, so this
is a threat vector. So we can actually turn off that SMB1
conduit once we're deployed on an estate. This means
that the SOC analysts now kind of get their work-life balance
back, because they're no longer under a huge amount
of pressure. We hear anecdotally, at some of the

(31:26):
events I've been to in the last few months, that 52 percent of SOC analysts are
on some form of Prozac, you know, taking medication to handle their stress levels.
Fully 65 percent of them want to get out of the business. At one of the
presentations I saw, a guy put up a picture of three old men and said these are
actually 22-year-olds, and it got a big laugh from the audience, because of the stress these

(31:49):
poor SOC analysts are under. With our technology deployed, that goes away and
we can reduce the number of staff required. I mean, we had a Middle Eastern,
a very large Middle Eastern customer that we're working with right now, who have
two data centres in the education sector.
And they did their numbers at the outset as to how many folks they would need to

(32:11):
run a SOC. OK, we'll go with 50 in each.
And they suddenly realised, being in a rather totalitarian type of regime where,
if you get things wrong, the potential repercussions are much broader than getting fired,
the stress that these individuals, the SOC analysts, are under was
so great that fully half of them were off sick at any one time due to

(32:32):
stress. Yes. So now, to deploy, they now have 240 people across two data centres to do the same task.
Because of the stress levels. Yeah, that's a shame. Yeah, it is, because I mean, I
hear personally of people actually leaving that sector of the industry due to
stress and burnout as

(32:52):
well. Yeah, but you deploy our technology, the white noise goes away. You get
to see an actual event, the attempt as it comes in. The attempt is immediately
prevented, as Alexander said, in less than a millionth of a second, but you've
recorded it. You know that it happened, and it makes life so much

(33:13):
simpler. We reduce the complexity. You can imagine, when a security event happens
and you've got maybe, if you're a large corporate, upwards of 25 different
security vendors in your stack, and they're all reporting on the same security
incident as it goes lateral across the network. Yes. You're looking at thousands
upon thousands of lines of logs

(33:35):
that increase exponentially at the point when there's something suspected to be
wrong. So SolarWinds would typically collate and gather and aggregate all of those
logs, and we've seen from a report from 2012, some years ago now, what actually
happens during a security event to all of those devices that are now
communicating to the SOC and the NOC.

(33:56):
And the absolute snowball that you get of logs: it goes up, I think,
a thousandfold from steady state.
And then, do you know if it's a credible threat or is it a false positive?
So these are substantial issues for the modern-day SOC providers.
And now what they need to do is to add a SOAR to the mix, because the SIEM's not

(34:20):
doing enough. And if you haven't got a SOAR, then the SOAR is now also unable
to do the tasks that are now required because of the sheer number of logs.
So now we're talking about, or competitors are talking about, adding AI to the mix.
And now we're adding more complexity.
Exactly. Now, you mentioned SMB version 1 and the Security Operating Center.

(34:43):
What came to mind as well, as companies that frequently do vulnerability scans and
also pen testing as well, the SMB version 1 will come up as a criticality,
I think of all the CVS, several above.
And what's come to mind now, since you mentioned the SOC, I wondered if your

(35:05):
solution can also address some of the findings we get from running these scans as well,
because I think some of our clients want to do a vulnerability scan,
which they don't do frequently,
and some of these categorisations of high security come up.

(35:26):
People start pulling out their hair. I just wondered if this would be something
that, as I mentioned before, small and medium companies can implement early before any kind of compliance,
either PCI DSS or Cyber Essentials, ISO, all this.
I'm just thinking how this will help them as well, if this is in place, probably.

(35:49):
So what we do when we introduce ourselves to a new customer:
we go onto their site and we put our code onto some subset of their devices,
usually from different departments,
so we can look at the software assets that are actually running.
So we then compile a list and we run the logs that we've gathered in learn mode.

(36:10):
So we're not making any change. We're benign on the endpoint.
We're not making any deterministic decision. We're just sitting there recording
what's actually on the endpoint.
Yeah, and that's akin to a software asset management piece of our
investigation, our discovery phase. We pass that through some algorithms, AI algorithms, back

(36:31):
at our research facility, and machine learning, and we then produce a report.
We go back to the client, the customer, and say: this is what we discovered on
these endpoints, is this true and correct? Did you know that you had AnyDesk
running on this machine? Did you know that you had... because you didn't tell us you had,
you know, a particular security vendor, because something had been left behind

(36:53):
and was now sitting on the system, had never been removed,
is now unpatched and highly vulnerable.
And it could be you're talking to a bank, and they have no idea that these software
assets are actually still sitting there.
So we are able to discover all types of code that tries to update itself or runs.
And in that way we can then help advise

(37:14):
the client, the customer, what they need to do to clean up their system, and
then create a security policy for them that reflects their risk appetite. Now,
this is a really important piece, because I imagine some listeners will be
thinking, well, this is a highly restrictive system, this couldn't be deployed
in a dynamic environment, it's too inflexible.

(37:34):
Well, that would be wrong, because we can create security policies that meet
the exact risk appetite, down to an individual machine or 10,000 machines.
We can create a policy and give it to our customers and say,
deploy this and this will meet your absolute risk appetite.
Tailored for you, dependent on the

(37:55):
applications you actually want running, because very often we'll go to a
university and we'll find a game server that shouldn't be in there, because
people are messing around playing at night. And this is usually, sometimes, in
the IT teams as well. They're consuming valuable resources and not realising
they're introducing risk to their environment. They're not necessarily malicious,

(38:15):
they're just bored late at night, they want to play games, so they think, well,
I'll deploy a game server. Or we find cryptocurrency mining.
That's incredibly energy intensive and costly for a university who can't afford
to support that kind of scenario.
So we are able to find all these sorts of things on first deployment in learn mode.

(38:36):
And then, as I said, once we've gone through the discovery phase with the customer,
we can then tailor a security policy that fits their absolute risk appetite
and what should be running, what is permissioned on those systems.
And that's incredibly powerful, because when you do your audit,
you can say with true conviction: this is what we have running.
These are the assets. There's nothing else on here. And we can prove that through

(39:00):
the logs. And that then brings in the cyber insurer.
How do I get my estate insured against threat?
And the things that we're finding, talking to insurers now, is that they're more
concerned about the insider threat almost than they are the external threat,
because if you've got an individual who's got sysadministrator rights having a bad day,

(39:21):
going through a divorce or had a row with his boss, yes, he could introduce elements
of risk to that organisation, or they could leave something behind before they
get fired, something terribly nasty. And this is the uninsurable. This
is where the real challenge comes in.
So, Alexander, talking about that high level of privilege and control, where
you need to have proper collusion across several staff members to introduce new risks

(39:47):
is a lot harder than dealing with, than managing, you know, the threat of a
single sysadmin, who you've now got oversight and control over what they're
actually doing. Yeah, yeah. OK, now most organisations, they will have Group Policy,

(40:09):
and also the applications are managed by Intune.
So if I'm coming from the client's point of view, because they're going to come up with these answers:
OK, we have this already. How come your piece of software found this, and
the ones we're paying for already didn't actually give us this,
found this rogue software, and we thought we had controls already through Group Policy, et cetera?

(40:35):
How would you answer that? We've had those conversations and they are pretty tough.
The processes work differently, Christie. And you've got to ask yourself the
question: if you are using any of the vendors that are out there and you're hacked,

(40:55):
Yes. Yep. Ask yourself the question: does what I have on my machine work?
Well, if you've been hacked, the answer is no.
Why is your vendor telling you it's not a question of if you're going to get
breached, it's when you're going to get breached? Why are they telling you that?

(41:16):
The other question is, why are you accepting that they're selling something that
they know doesn't actually stop the product?
And I think, yeah, I think again they'll stand by that.
The client is ignorant of the threats. That's why you get these test persons come

(41:37):
to them, say, OK, this provides this solution. And because obviously they don't
have the knowledge behind that, it's, OK then, that works for us. And then they
implement it, and generally it doesn't work, and then in six months' time
they'll come along with something else. Yeah. And then they'll come along with
something else, and then they'll come along with something else. And this is, you

(41:59):
know, this is, I think it's called tool sprawl.
This is where the tools being sold to the client, who's looking to buy some
surety and security, are getting more and more complex, more and more expensive,
and there are more and more of them.
There's something like 75 different sets of tools, security tools,

(42:22):
used to protect an average business now.
Certainly, enterprise is more than that. I mean, we know banks have got up to
100 different levels of security products in their stack, and they still cannot stop the zero-day. Yeah.
Yeah, so the tools that are out there at the moment don't work, and that's the

(42:44):
fact. We think the situation is going to get rapidly worse because of the advent of generative AI,
and being able to string together multiple exploits and use them in a single attack by
generative AI will absolutely introduce weaponised software into large institutions very,

(43:06):
very rapidly now. And we're seeing some, I think there's some researchers
in Israel that have proven, and they've strung together two or three of these
now and proven that they just sail through all the defences.
So this capability is obviously going to be utilised by nation states, and will
eventually, of course, travel down to the ransomware-

(43:28):
type gangs, because very often there's, what's the... the guy who's working
nation state during the week is then out for himself, particularly from Russia,
at weekends to monetise his skills. And so they'll be taking those skills and
capabilities and deploying them for ransomware, which is obviously financial
gain, as opposed to nation state, which might be to deny availability. And
Christian, the solution the industry is coming

(43:52):
up with at the moment is, oh, don't worry about the AI-generated threat, we will
have the AI-generated security.
Look, we're seeing this coming in now.
Yeah, so, yeah, the SOC didn't... the SIEM in the SOC didn't work, so they
introduced the SOAR. Yeah. So what is not working? So now they're introducing the

(44:17):
AI to support the SOAR to support the SOC. It's almost like that, oh, you know,
the man has swallowed a fly, and you know, it's just how it's unravelling. It's crazy.
They've descended into a rabbit warren and not a rabbit hole, as I like to say.
And what we're seeing then with the advent of utilising AI for this,

(44:41):
that is really, really cost prohibitive, because it uses an enormous amount of
energy to run. An AI is usually energy consumptive.
So your costs are going to go up again. Now, with our solution,
we actually reduce the energy required on the endpoint, because not only do we
stop malicious binaries or new binaries coming on,

(45:03):
but across a data centre, we've proven that deploying Abatis across 2,000 servers,
for example, reduces the energy consumption by roughly seven and a half percent.
And that report was done by Lockheed Martin back in 2015.
So we can also reduce the energy consumption as well as simply improving the security stance.

(45:23):
And we can bring, for the C-suite, some surety back to the change control process,
so that they know that they're not going to be in the car park at four o'clock
in the morning talking to reporters, a gaggle of reporters, because they've
just lost a load of valuable IP or customer data.
You know, it has happened many, many times over the last few years. So if you think about

(45:45):
the cost implications of running a PR team, the disaster recovery, the business
marketing planning, everything that goes with that, the backups, you know, all
the huge costs associated with maintaining and testing all of that, the cost
implications are utterly, utterly immense. And we believe this is out of
control. And we also think that the spend,

(46:09):
the corporate spend by the security vendors, is now roughly 80 to 100 billion
a year in marketing to keep this mess afloat, which is utterly ridiculous.
So energy consumption has gone up massively. The complexity has gone up.
Yeah. One of the major banks that we've talked to, their biggest risk,

(46:30):
as they see it, is vendor management. If they've got 75 vendors looking after
a global bank, imagine how many meetings that comes down to, because you've got
to have a quarterly meeting with your vendor, you've got to have patches from
them day in, day out, emergency patches, regular patches, new features that you
might want to deploy. You've got

(46:51):
to have that relationship with them. That's a space in the car park, that's an
additional coffee machine, that's more office space, meeting space, just for all
the security vendors. And of course that moves into the NOC as well, not just
the SOC, because they're all linked.
So the cost implications moving forward, if this carries on the path it's going

(47:12):
and you don't do the prevention, not cure, as we are maintaining you need to
do, the reactive approach requires a victim.
Somebody gets clobbered, and then they come out with a fix, and then you've got to roll it out.
And then you've got to hope that that fix doesn't contain something malicious,
because the bad guys have got into the security vendors, because that's who they're targeting.
And then also that your fix doesn't have an effect

(47:34):
on the application or the system. And now take a vendor like us, whose code
never changes. Yeah. You checksum it, you deploy it, you never touch it,
therefore it can't be made vulnerable. And our solution is also hardened as
well, so it's self-protecting, because you can't get hacking tools onto the
machine that we sit on. You can't remove us, you can't affect us. So we

(47:57):
are secured and hardened as well. OK, now, you've mentioned, Christian, you
mentioned costs, and with every business they look at their budgets. So I just
want to look at, how would you... OK, let me put this in there. How would you
show that the software remains cost effective for organisations, especially

(48:20):
in light of budget constraints and resource limitations? Because, as you know,
vendors tend to sell the products, let's say, I just want this general: 100
pounds per user. OK, now for the first two years it will stay 100 pounds, but
unfortunately, year three, it goes up to 150, 200 pounds. How would you manage,
how can you stay within, how

(48:45):
can this be cost effective for the clients in the long term? Well, our business
model, the model, is built around that, Christie.
Yes, so because we've got this principle, a simple principle, of stopping
malware, we don't have to keep coming

(49:06):
back and sell something else. You know, we're not going down into that rabbit warren reference,
that rabbit hole. Yeah. The other way of doing it, the way that our
peers are providing security protection within the industry at the moment,
is just to get bigger and bigger and bigger, and whether they like it or not,

(49:28):
as they add more complexity, they're adding a greater attack surface. Yes. And
obviously they're coming back for more money. Well, with Abatis you don't have
to do that. You deploy it, it stops malware, as I said right back at the
beginning, at its most vulnerable point, so it's proactive. Every other model that

(49:50):
you've described, every other situation you've described, is a reactive
solution, which is no solution at all. As Christian said, it requires a victim.
Yeah. And in some cases it's not one victim, but it's tens of thousands. Look at
NotPetya a few years ago. So it was a Russian attack on accounting

(50:13):
systems in Ukraine. Got into Odessa port within no time, and I'm talking less
than seconds. Odessa port was being hit in the Black Sea. At almost the
identical time, Cadbury had a biscuit factory in Tasmania get knocked over by

(50:33):
the same malware. And Cadbury obviously spend an awful lot of money on their
security. Yes, yeah. And this unknown sliced through absolutely everything.
The more... and the cyber security vendors will say, we'll find the problem,
we'll issue the fix, we'll

(50:53):
get the patch out, and, you know, everybody's going to be happy. NotPetya cost
the world 10 billion dollars in damages. So they killed companies. They killed
TNT, I believe, didn't they? And Maersk nearly went to the wall.
Be careful what you say. It didn't kill them, though.
It cost them a lot, a lot of money. It did huge, well, $10 billion worth of harm.

(51:17):
Many companies fall over. Many companies don't come back from these cyber attacks.
So the question is not just, you know, are you going to be protecting my budget
in two years, or are you going to come back in two years and put the price up?
It's like, are those businesses going to be there in two years?

(51:38):
The amount of attacks is growing exponentially,
faster than the money can be spent to secure against it.
I mean, the damage that's being done to the world economy is greater now than
the Chinese GDP. You know, there's loads of stats out there that you can draw
on that just tell

(51:59):
you how big and how scary this problem is at the moment, and we just don't
think the current methodology is good enough.
OK. And what we do for our managed service customers, Christie, is we'll sign
a contract with them for three or five years, and then they can fix their
costs, and with our technology they know what their security budget is going to
be. With every other solution that's out there, it's an unknown

(52:23):
and it's escalating, and the board is absolutely fed up with having to come
up with more and more money, having been told this will solve the issue, and this issue is never solved.
I'll give you an example, Christie. One of our larger clients, who are
in the education sector.
I sat down with them and I said what I thought the biggest problem was for them.

(52:49):
And the first was, I reckoned that their costs were out of control and that they
were buying more and more from the vendors.
The hackers, the bad actors outside of the education sector, are a given.
Yeah. And it's almost as though you

(53:09):
know that they're part of society, whether it's good or bad. But the fact that
they were having to spend, and that their spend was out of control, made that
as great a problem as it was from their beloved students, who loved nothing
better than trying to hack the school systems as well. Yes. So, insider threat.

(53:31):
Yes. So, but when you've got the insider threat and you're not stopping it,
and when you're adding more and more systems to your cyber security defences
and you're not stopping it, yeah, the fact that your costs are going out of
control gets more than a little bit upsetting. Yes, of course.

(53:52):
These organisations are not saying no. They're writing your cheques, they're
paying the money, and they're still getting breached. It's not right. It's not
fair. No, it's not. But your thing is that they have to do something. They have
to show sort of due diligence. They have to show that they've been proactive in
attempting to stop these threats, because

(54:13):
if they do nothing, then obviously it becomes negligent.
So if one piece of solution doesn't work, then they have to find somewhere else, because,
again, in some of these organisations, schools, even though schools are universal
charities, you have shareholders, they have to answer to different stakeholders.
So they have to appear to be doing something.

(54:34):
OK, I'm going to ask you the final question. Looking ahead,
what are your plans for further development and improvement of the cyber security solution?
And now, you say that at the moment it is, I don't want to use the word static,
but surely there is room for improvements in the future.
I totally agree with you. I mean, we just filed for a number of new patents

(54:58):
for the next generation of Abatis.
And we're actually spending an awful lot on research and development.
So we are a dynamic business, very much not static.
So yes, we are investing in the future. Now, we're putting a lot

(55:18):
of money into the development of our AI, you know, regardless of what I say
about how our competitors work. You know, we're very much interested in making
sure that we've got decent AI that's working for us. That is consuming a fair
amount of time, resource and money. We're also looking at areas where Abatis
traditionally hasn't sat,

(55:44):
file protection as an example.
So that's not been something that Abatis has been particularly relevant for,
but, you know, that's now changing.
So, you know, I don't want to say a great deal about what we're doing, because
a lot of it, we are protecting our IP at the moment.
But, yes, we're sort of confident that we've got more solutions in the pipeline.

(56:09):
Also, you know, talking of that, we are working on an Abatis for the cellular market.
So we will have an Abatis for Android. Oh, that's awesome.
One of the clients that we're talking to were about building a Play Store, so
we can look at the apps that are coming into the Play Store and make sure there

(56:31):
are no back doors in there, there's no spyware or malware.
And then we can provide a custodian for those apps, making sure that nothing
can be added to it or changed whilst it's in the client's Play Store.
And then, when it's deployed onto the cell phone, well, the cell phone's
protected by Abatis, and

(56:54):
you know, we stop anything bad happening there. So that's actually part and
parcel of what we're doing at the moment. OK, would that be a package deal,
because our organisation issues and advises on laptops? Yeah. The client I'm
talking about, so, it's a major telecom provider. OK. So they will be able to
bring that out to, you

(57:17):
know, the millions of clients that they've got. Undoubtedly they will, you
know, they'll be selling telephones to their clients through their, you know,
their network of shops or their online facilities. They'll just start selling
telephones with Abatis fitted. OK, well, that would be good. And the other
aspect is, we've spoken mostly about Microsoft,

(57:38):
but obviously, if we're going to do Android, that's based on Unix, Linux originally,
so we have the capability to provide security for Linux right now. So that's
something that we developed for some larger customers, for specific versions that
they're running, but we can compile our code to be effective in Linux as well, currently.
The other aspect that we're looking to is to be embedded

(57:59):
in IoT, so we're actually built into the operating systems of the Internet of
Things, because, if you can imagine, you've got millions upon millions of
devices being deployed which are essentially dumb, but they're connected
through IP. They are a major conduit for DDoS attacks by the bad actors, again,
and we can absolutely prevent them being repurposed by malicious actors. So
there's a big play there. A great

(58:24):
example of that is that urban myth about, you know, 10 million toothbrushes
being co-opted to be part of the huge DDoS recently. So it was, you know, it
was an urban myth, but Abatis would have stopped that.
It's like you've got some sort of... this.
So you could deploy Abatis onto your toothbrush and make sure that

(58:44):
the bad guys don't attack it.
So we're also involved in developing for smart cities as well,
for smart meters, for going on to, you know, building security, so that somebody can't hack a building,
so to speak, as we saw in one of the early Die Hards. We'd have to prevent anybody
getting in and doing that kind of malicious attack, where you could perhaps turn

(59:06):
the heating up or off in inclement weather.
And also you wouldn't want somebody else, a bad actor, to be able to attack a
city's infrastructure regarding traffic lights, or other stuff which could
potentially cause horrendous accidents. So smart cities is a big thing for us as well.
You mentioned data centres, you

(59:28):
mentioned... so what about the embedded environmental controls within the data
centres? Well, we have a huge story with the data centre, because the amount of
water and cooling that's required is reduced. We can extend the life cycle of
the spinning disks, because the surface temperature of the platter drops by
eight degrees C. So if you don't want to sweat your assets, and use the benefit of our

(59:49):
code, you can extend the life cycle of those machines. And so the benefits are
just kind of weird and wonderful, because you wouldn't think putting a small
amount of code onto an operating system would have such a dramatic and positive
effect, but it absolutely does. We get accused of pushing snake oil, I might
add, at this point, when we start talking about energy savings. But

(01:00:11):
it's just a knock-on effect of reducing complexity and introducing simplicity
into a model. OK, awesome. Now, thank you for that. Thanks, Alex and Christian.
Where can listeners find out more information about yourselves, about your
company? They can visit the website platinum-hit.com

(01:00:31):
or do a Google search for Abatis, which is the name of the product, or Platinum
High Integrity Technologies, and then, you know, there's the opportunity to get
in contact with us through there. And then we're also on social media, so for
business, a lot of business actually comes to us through LinkedIn, so we're

(01:00:54):
all there. People can find us just looking for us by name. OK, thank you so much
for your time, Alexander and Christian, and we hope that this episode has
provided valuable insights and practical knowledge that you can apply in your
own life or work. It's not just about passive listening, but about taking
action. Thank you once again

(01:01:15):
for listening. Have a great day. Thank you. Thanks very much, Christie. It's been
a pleasure to be here. Thank you, Christie. Thank you. You're welcome.
Fuck.