Are You Properly Monitoring Your Cybersecurity? With René-Sylvain Bédard of Indominus

Guillaume: Hello everyone. Guillaume Le Tual here, host of the Ecommerce Wizards Podcast where I feature leaders in e-commerce and business. Today’s guest is René-Sylvain Bédard, he is back for the second time. He’s the CEO of Indominus Consulting, he’s a cybersecurity expert. So today’s topic is Cybersecurity Prevention Part 2, the visibility. Do you see what’s happening in your network? Most people will answer, no. So if you were under attack or receiving malware, or ransomware, or whatever, until they actually trigger the effect, would you even know that you’re under attack? Would you know what’s happening in your network?

This episode is brought to you by MageMontreal, if a business wants a powerful e-commerce online store that will increase their sales or to move piled up inventory to free up cash reserves or to automate business processes to reduce human processing errors, our company MageMontreal can do that. We’ve been helping e-commerce stores for over a decade. Here’s the catch; we’re specialized and only work on the Adobe Magento e-commerce platform, also known as Adobe Commerce. We’re among only a handful of certified companies in Canada, we do everything Magento-related. If you know someone who needs design, support, training, maintenance, or a new e-commerce website, email our team at [email protected], or go to magemontreal.com.

So the question I’m throwing right away at you, René-Sylvain, let us know

more about this topic?

René-Sylvain: Basically, in order for you to know you need to make sure that you have what we call, “eyes on console”. So whether you’re collecting data or whether you have a firewall, if you have no one looking at the result of those monitoring, they’re basically worthless if you don’t see what’s happening. Also, if you have multiple vendors sending you data it becomes harder and harder to be able to monitor everything. So the more technology you have the more complex the analysis of this data is. We recommend setting up an actual single dashboard where all of your logs are going into, and this is called an event correlation system. It allows you to have a single dashboard to look at to know if there’s anything happening or any incidents in your environment.

Guillaume: And who’s looking at this? And is this something just for the big companies?

René-Sylvain: Some SMBs have administrators on premise who can actually look at this and understand what’s happening. For those that can’t we offer the service so that we can actually provide hands-on keyboard and reaction to those events so that people are protected.

Guillaume: So it’s like what we see in the movies where somebody’s watching all the cameras screens. If nobody’s watching, what’s the point of having all those cameras unless it’s to react later to the threat?

René-Sylvain: It allows you to react within that hour-12, which is so important. If you have that hour-12 window and no one’s looking at this in the middle of the night because everybody’s asleep and there’s an attack then when you come in the next morning the virus will have spread to various other machines.

Guillaume: This hour-12 in reference to the previous episode, it typically takes about an hour-12 for those kinds of virus infection to spread throughout the company’s network. After that you’re kind of screwed, it’s too late.

René-Sylvain: Yeah, that hour-12 is your time to react. So you don’t have a week, you don’t have a month. They can wait a month or two before actually dropping the payload so that they’ll know everything about your company, they’ll know where your backups are, they’ll know how much money you made last year, or how much money is in your bank account. They decide when to drop it. But if you haven’t reacted in that hour-12 they’re in control.

Guillaume: Okay. So you need someone in your company or from some outsourced service where one guy’s going to monitor, I guess, a lot of companies like this by scanning all those dashboards. Let’s say that we have a dashboard that is large enough to have one person assigned for security like, what is that dashboard? What’s on it? Like, how can I make sense of it? Do I need special training for this or can administrative staff keep tabs on this?

René-Sylvain: The training is to be a security analyst. So obviously in the Microsoft world there are some certifications that you can look into to be an analyst of cybersecurity. Especially when it comes to security and compliance, those are the categories of certifications. The dashboard’s name is Azure Sentinel. What it basically does is that it acts as a multi-layer filter. Let’s say you have a million events a day, you don’t want to look at a million events, it basically filters to remove the noise. You have two to three incidents within a day, we call it digestible and stops alert fatigue. When you have an alert, it’s actually positive, it’s something that’s happening in your network, and you don’t get binged 60 times a month.

Guillaume: So let’s say you have this dashboard monitoring, so from Azure Sentinel which is inhouse you are now on outsourced service and some kind of incident attack is happening, the timer starts and I have an hour-12, what the hell do you do?

René-Sylvain: The first thing we do is that we block access to the machine. So basically that machine becomes isolated, it doesn’t have access to anything anymore. Then we run what we call automated investigations onto that machine to know exactly what happened, what processes have been compromised, what files have been touched? And did it already have other machines that participated in its network? And we actually have global visibility on that. So that way if, for example, the malware activated it that it dropped a copy of itself onto a printer, that it copied itself on the file server, that it managed to elaborate its network before calling home and requesting a command center.

Guillaume: And how reliable is this kind of traceability to know that it has not also dropped something in the memory of your printer and the whole thing?

René-Sylvain: Actually, you’ll be fairly impressed at how precise they are, because technology is a one and zero game. It’s binary, so if you do something you leave a trace. That’s basically how, with event correlation, we’re able to do that because patterns of attack are now known. There are now very distinct stages, everything is documented and AI is behind Sentinel, we were talking about AI in the last episode. Well, Sentinel is using AI and machine learning to ensure that it gets smarter and smarter. And, I’m sorry to say that there’s not many companies in the world like Microsoft who receive 43 trillion signals per day.

Guillaume: That is for sure.

René-Sylvain: So when you take that and you put that into machine learning, it gets smart very fast.

Guillaume: Yeah, you can tap into Microsoft’s immense resources and staff and skill when preparing your security system when you use Microsoft Azure stuff for sure. Very interesting. Anything else that people should know when it comes to monitoring their network and stuff like this, or it might even come through their website, anything else that they should know?

René-Sylvain: So when it comes to their website it’s a bit more complicated but there are patterns also that exist that allow you to, for example, stop SQL injections, stop DNS for direction. So you need to make sure that what the internet is facing has been secured and there are some alerts that are there. So if someone actually tries to change your DNS, you’ll receive an alert, if somebody tries to modify your database or modify your code, you will receive an alert. Those things need to be configured, they’re not there by default. But when you do and suddenly if someone adds a prefix to your domain name to sell pharmacy or drugs on the web you’ll know, you’re told the second it comes in.

Guillaume: You have an alert somebody created a subdomain on your domain name, okay.

René-Sylvain: So those alerts are important when it comes to e-commerce phishing. The other thing that needs to be monitored that can also harm reputation is everything that has to do with comments. It may look funny but when you allow users to comment on a product or on a service or anything, you can get all kinds of crap. And most of them are other phishing attacks trying to get your own customers to be phished through a web attack.

Guillaume: So it’s a door for attacks or for entry, it has to be properly secured. It’s totally doable to properly secure it. I mean, Amazon has so many reviews but for sure it’s an entry point that any hacker will try to pry if there’s a crack.

René-Sylvain: Definitely, wherever there’s a crack they’ll try to go in. One last detail I would recommend is that if there is a device accessing your private data, it has to be secure. No matter if it’s a personal phone to one of your staff or if it’s a phone you pay for them, or if it’s a personal computer at home, if it has access to inside your network, to your file servers, or to your database, it has to be secured properly. Because if that gets compromised, automatically the rest is compromised.

Guillaume: Okay. And can you define what you see as secured properly, like in the case of an iPhone and any Android phone?

René-Sylvain: So for example, I’ll come back to the EDR that we discussed in the last episode. I would say, you can actually deploy Defender for Endpoints on Android, on Apple and on PCs, and what that will give you is a real time VPN. So every single user traffic that you’re going through will be protected and you will also be protected against malware websites. It will also tell you that there’s a new update and you need to install it now if there are any security fixes in it. It will also protect your phone against any malware. So at that point your phone gets secured.

Guillaume: Okay, so you basically install the Microsoft anti-virus Defender for Endpoint in all of those phones regardless if it’s an Apple phone, or an Android phone or whatever?

René-Sylvain: Yeah. Or Linux or a Mac or a PC. So that if it accesses your data it has to be secure.

Guillaume: Okay. So Mac to everything, you should always have the anti-virus installed for internet access to your data?

René-Sylvain: That EDR is key. And also there used to be a time where Mac were saying, we don’t know viruses. Well, with malware on Linux, it doesn’t exist anymore. They’re a target as much as anybody else.

Guillaume: Okay, so that’s old stuff. If you have an Apple or an iPhone you are more protected, is that still true without necessarily being fully protected? Because it’s like closed source, you cannot install anything, it has to go through the App Store and so on.

René-Sylvain: Well, it’s less and less true. I mean, now there are hackers, let’s call them cyber criminal groups that have found ways to bypass the store and just install stuff directly from websites. Also there are things in the Apple Store and Google Play as well that have backlinks that download, let’s say, questionable data.

Guillaume: Okay. And you were vouching here for Defender for Endpoint from Microsoft, what do you think of all the other stuff that’s out there, the Defender, Kaspersky and whatnot?

René-Sylvain: Well, don’t get me going on Kaspersky right now.

Guillaume: Yeah. Right, it’s Russian so let’s forget that one. There’s McAfee then, you know?

René-Sylvain: Well, McAfee is an established product, it’s a mature product. I consider it an enterprise product. I’d say sadly, it’s no longer at the top of the line when you compare McAfee with SentinelOne, for example, which is the other EDR that’s leading the process there. It’s nowhere to be found. The EDR portion is what’s stopping the ransomware. The anti-virus of old, most of them are late in the game. I know that Trend Micro, for example, did enter EDR two years ago and is going well but it’s still not in the top five. So we have to be careful there.

Guillaume: All right. So the last shotgun question, anything else that anybody else should know about this topic?

René-Sylvain: If you’re working from home just be aware that your teenagers might be a vector for getting your machine attacked. End users, but they don’t know about cybersecurity. If there’s a good deal of training to be done at home when it comes to cybersecurity, then I would start there.

Guillaume: All right. Well, thank you René-Sylvain for being here today. If people want to get in touch with you, what’s the best way?

René-Sylvain: rs.bé[email protected], and we also have a free on-demand cybersecurity assessment, which I believe you’ll put the URL into the description.

Guillaume: We’ll do. All right. Thank you.

René-Sylvain: Thanks.