Transcript
In this episode of Beyond the Horizon, Hildur Kalon and Will Ledesma take a deep dive into some of the key findings from our recent State of the Sock report. In our State of the Sock report, we reported that our fastest breakout time was eight minutes. Well, that means that an attacker got into an endpoint and was able to break out of that endpoint and move into another endpoint within eight minutes. If our window is eight minutes, rapid response is absolutely necessary. So welcome to Beyond the Horizon, the podcast where we explore what is next in cybersecurity, one alert at a time. So my name is Hildur Kalon. I'm the NDR Deputy Director at Illumine slash EnableNow. And I have 13 plus years experience working in cybersecurity, working hand by hand in alerts, deep diving. And also my background, my forte is in cybersecurity networking side. So I love firewalls. I actually have one in my home. So it's very cool. And today we are diving into the biggest insight from our latest State of the Sock report. What is changing? What is challenging? And what you need to know to stay ahead of evolving threats. Of course, I'm not going to do this alone. Joining me, this is my co-host and favorite Waterloo partner, Will Ledesma, the NDR Director. Will, are you ready to pull back to the cartoon of what we are really seeing in the trench? Yeah, absolutely. Let's do it. And before we do so, I'd like to just, as you gave an intro to yourself, I'd like to give an intro to the audience as well. So I've been in this game now professionally for 24 years. And when I say professionally, I mean not from just like doing things for family and friends, right? Where I actually got like a real check from a company that I was working for and I got paid to do IT and cyber. So in that lifetime of this time, right, I've done a number of different things. I'm also a part of the United States Air Force Reserves Command where I used to get to wear a cyber patch on my shoulder. They recently, command recently changed that, but that's okay. You know, we were all one team, one fight, so no, no idealizations of your AFSC and so forth. So it's been a great game and great run. And I absolutely love this. I'm super passionate about this and that's why I'm still doing this, right? Like a lot of times, I don't know if you've seen the memes, Hilda, where it's like, like the, what's the little Yoda's name? I forget his name. The, the, the one from the little baby one. Yeah. Right. So it's like, it's like year one in cybersecurity and then it's like year three and it's like Yoda and then it's like year 20 and it's like that one from Jabba the Hutt, I forget that creature's name. But I feel like I'm definitely as crazy as it sounds. Like I still feel like I'm year one, like just because, and I'm sure you feel this too, Hilda, right? There's like, there's always something new. There's always something different. The things that drive people to want to get into cybersecurity, it's definitely real. Like our day is never the same, never the same. So so let's jump into it. Yeah. You know, we appreciate everybody for jumping on and spending time with us here today. And as Hilda mentioned, we're going to go through our state of the soccer ports and some of the highlights and, and go in through potentially other items as well that hopefully you guys find insightful and engaging. So what is the state of the soccer report that we are talking, talking, talking, and we need to say something about it. What is that? Why don't we are showing the, like in 2025, what do we have there? Well let's, let's set the time windows first, right? Because when we created our state of the soccer report, we used as close to real time data as possible. So when we did it, it was December, 2024 to February, 2025 is when we, we grabbed this telemetry. And so in this short window of three months, right. And some could potentially say maybe it was the holidays and so forth. I potentially think that, you know, attackers like to enjoy holidays as well, but you know, that's up to the perceiver of the glass. But within this time window, we experienced nearly 500,000 alerts. Now, some may be taken back and you might be like, Holy crud, well, 500,000 alerts. What are you guys doing? Like that's just a ton of potential noise, right? But that's why we, we, we raise based off the signals and then we investigate and then we will escalate. So of those 500,000, we took a, we found that 83,000, almost 83,000 needed to be deemed escalatable items. So as security issues. So we escalated 83,000. And what's interesting here is, is from all this telemetry, what we found is it is, is ransomware is still one of the top threats, right? And, and for those that may not be a hundred percent familiar with ransomware, it's essentially where they will, an attacker will get into an environment and they will, they will then hold a, a basically a keys to the kingdom over you by encrypting your data and not allowing you to access your data. And even if you pay them, cause it's a ransom, you know, like mission's not done then, right? Like you still have to build a decryptor. You still have to go and decrypt your data. And then they may not even give you the keys and they may just say, Hey, sorry, like we may or may not do that. Some attacks, you know, are just malicious in nature where they will not even hold ransomware, right? They just, they just want to conduct harm and damage to the environment and they'll go and encrypt and throw the keys away. So then you have to figure out how to find that D value of that algorithm in order to find that secret key, right? In terms of reverse engineering. But from all that, so, so apologize from going on to a little rant there, but from all of that, right? From those 83,000 escalations, 26, sorry, 2,684 were tied to ransomware. And what's interesting, Hilda, is, is I was surprised to see how many incident bridges our team had, right? Where we almost had a thousand incident bridges in three months and Hilda mentioned earlier the war rooms, right? And so just, it's the same thing, tomato, tomato is essentially what it is, just depending on how you want to identify it. But essentially an incident bridge for us is when we're jumping into a, a, a live incident with a customer and helping them ensure containment, helping them ensure that the threat has been contained, they are to work on extra removal steps and to not hold to that business disruption, right? Like we want to ensure that business and operations are still flowing for them and they're still able to, to conduct business and make money as well. So well, very quick. So is that mean that those ransomware, like we're seeing a lot of endpoint attacks all the time, or we're also seeing like cloud increasing there? That's a good question, right? So in the past, pre-cloud, by the way, I was one that I never thought cloud would turn into a thing. I was also against it in the past, but. There's a lot of people still. Yeah, maybe, maybe, right? We want to hold on to the data as much as possible. And so you, like the attacks were changing, they are changing, right? Where it used to go against the, the, the, the, the endpoints inside of the environment, right? You'd launch a phishing attack. You potentially get a remote access based on, you know, whatever bind malicious binary you're, you're, you're launching to get that, to get that, that, that, that, that remote control. We have seen a shift there and we've seen the shift from, again, within these three months that we're now 56% of the attacks are going against the, the endpoint where 44% is going against the cloud. And what I think we should highlight here, Hilda, in terms of importantness is. Where were we before? Like everybody kind of started having to go remote, right? Like your environment, like, like you say, you had a firewall and you have a firewall in your house right now. Yes. And let's say you have a, an antivirus, maybe EDR, maybe you're doing some other things. What does all that build to? Like what, what, what is that? What does that term? Like, what are you basically doing? How do you. Like layers of security you're talking about, like onion. Yes. Defense and death. Exactly. Right. So when we moved away from our traditional methods, you as an administrator, you almost immediately lost control of your environment, of your users, because now they instantly had to go remote. Right. And so the industry looked for, or not the industry, but companies had to find a, a way to protect the identity and the remote endpoint almost overnight. If, if they were still doing a traditional defense in depth environment and you could hold that confidence, like, Hey, my end users are protected because they're protected by all these layers of defense that I have. So that, that has, that has changed the world. Right. And, and this is probably why we're seeing more of the attacks going against the cloud environment as well, because it, it just, it, it, it led the attackers to go towards that environment due to, you know, a lot of people going remote and then they've just kind of naturally stayed there. They're, they're not, they're not really moving back towards the endpoint. And I would, I would anticipate that here in the very near future, we may even flip that. It may move more towards the cloud, right? We're, we're, we're thinking and seeing more companies, more public, just more things that are coming out that want to be in the cloud. It's ease of use for, for employees, ease of use of end users, right? Like you can do one thing in one system and move to another one and not have to worry about moving things across. And we'll potentially talk about some attacks that we've been seeing in the recent time since the state of the SOC report that we've published on, on things that we've been seeing. And so I do have a question for you though, Hilda. So why do you think the cloud is, is growing in, in challenges in cybersecurity? Like, why is there a challenge there? And that is a very good question. I feel like it's more, it's a fast moving. It's kind of like the AI situation that everybody's talking to. Like you mentioned, people are trying to reduce the cost going to the cloud. If you don't have physical servers there that you need to maintain, you need to protect physically. So now moving there to the cloud that you move it away. But then there is some fails implementation that can be like very bad for business. Like not having a proper access control, segmentation, logging, decentralized. There is a lot of this cloud service that is only on them. If you don't have like the fully engaged on them, like you're not going to see like everything. So I feel that is a lot of challenge in cybersecurity because telemetry is so important for us. So how can we see it if you don't receive the logs? And sometimes that is our biggest challenge, honestly. What do you think in your experience? That's a good question. So in terms of challenges, I think one of the biggest challenges is the, like the human ourselves, like our emotions that are tied to actions. So you think it's always going to be layer eight. It's always layer eight. She's referencing the OSI model. So if layer eight doesn't exist, if you're not familiar with it, go and research it. There's a couple of different, I forget what they're called, right? Like the way that you remember it. Like I remember it as all people seem to need data processing. There's one for like pizza also. But essentially layer eight doesn't exist except between potential geeks, I think. But that's not a bad thing. You know, I think it is a potential layer eight issue, but in the sense of, like we have become so accustomed to not wanting business disruptions, right? Like we don't want to disable an account. We don't want to isolate an endpoint. We don't want to do these things. When I was an old school admin, that was the first thing when I heard like, you're going to do what to my system? You're going to isolate? Oh, heck no. Move on. You ain't touching my stuff, right? But what I think what is happening, Hilda, is attacks and hacks and these things, right? They can't become the norm. They can't become what people are just like, great, another attack, another hack. They got my information. Who cares now, right? We cannot get into that mindset as a society, as an individual. We have to remember that this information is our information, right? We're entrusting these companies to protect our data and protect what we are allowing them to own from us. And therefore, the resistance I feel has started to give the layer eight resistance, right? In terms of from the admins, even myself, I'm like, heck yeah. Go and disable and isolate and do whatever the heck you need to do. So that way my life is protected. I am cool with having a disruption, right? If I'm trying to log into like my bank app, it was actually yesterday. I was trying to log in and it was like, hey, it's down for a moment. And I was like, hey, whatever it is that you're doing, as long as you're protecting me, that's all I care about. Like that's it. So that I think in not just our industry, but in terms of society, right? We need to start potentially recognizing that some of these things will take disruption. Same way of like, hey, I need to go change the tire on my car, right? Can I do it? But do I have the machine and tool to actually like fix the flats and do all this stuff? No, I don't. So I got to disrupt my life to go take my vehicle in, go get a new tire, go or go or get it fixed. And then I get back on my life. Right. But it's just a moment of that disruption. And then my life is back moving. It's the same thing here. And then I get back on my life, right? But it's just a moment of that disruption. And then my life is back. So in terms of of our actions on this side, what we have found right in terms of our responses is that we essentially took 95 percent of of these attacks that were tied to the cloud against identity. We took proactive responses against 95 percent of those alerts and escalation. So you're saying that to be a rapid containment is where we're going to and where we need to go. What business? That is how they solve the problems, like to concentrate on response and containment. It's definitely rapid responses is definitely necessary. Right. You need to act as fast as possible, because, again, for all of you that are spending time with us. Right. What are you doing? You're giving time. You're giving us your time. So time is always of the key. And. For us in our state of the SOC report, we reported that our fastest breakout time was eight minutes. Right. So which is insane. That is insane. Like, what does that really mean? Right. Well, that means that an attacker got into an endpoint and was able to break out of that endpoint and move into another endpoint within eight minutes. That is indeed insane. So if you're if our window is eight minutes. Right. Based on the fastest breakout we saw, rapid response is absolutely necessary because it's just it's moving that fast. And again, that's our telemetry. That's what we're seeing. Right. Like attackers could be doing different things in other environments and so forth. It was just in the environments that we have data and insight to. This is what we have seen. So our actions in terms of, you know, having SOAR, having potential hyper automation SOAR as well. Right. Depending on how you want to define it and doing these things at time of signal to as fast as possible. Yeah. You know what? Take my car in and fix it for me. Disrupt my life for just a moment so that way I can continue going on and not have to worry about something major. So being proactive is kind of like what we want to like humans, we tend to be reactive all the time. That is our nature. It's psychological, psychological. So now we're trying to be more proactive. So I think that is the trend now that people can go our business to solve this kind of problem. Not to solve because we are not going to solve because. Who is the major threat? Is layer eight is always going to be humans because of us. That's why we are here. That's why we have this podcast and talk about the state of the SOAR because of humans. Humans, we are the ones that the biggest threat. So how can business solve problems or reduce the risk? Like how? It starts with acceptance. Right. And this is where you have to take a look at your business as a whole. Right. Because this like you can't cookie cutter cybersecurity. And so so like when I say that, right, like I think of like, let's say I potentially have a I don't know, an accountant's office. Right. That we're protecting. And then we have a medical office that we're protecting. Right. And so that acceptance becomes. Do you accept accountant and medical locations for us to take actions on your behalf for proactive responses? This is where it like how do businesses solve these problems? It needs to come at the top first to say, yes, we accept these things or no, we don't accept them because of potential other risks. Right. Such as the medical one. Let's say we isolate an environment and somehow some system that would notify a nurse or do something for somebody. Get to get to get to like it disrupts that now we're potentially putting human lives at risk. So every single organization and industry does need to look at how to solve these problems within themselves and then lean on the strengths of those in the profession. Right. Like I know my weaknesses. I know I'm not a doctor. So when I need medical help, I go to a doctor. Right. And it's like, hey, you like, please help me. Same thing here. We can give you the risk. We can give you the potential things, but we need you to make the decision and then we will act accordingly. But again, it goes back into into like what I was saying about how I never wanted these things, how I was very against them and how I've seen the industry change from a reactive to more proactive. And so how do businesses solve these problems? Right. So one attempt to change the psyche. Right. In terms of acceptance or at least lay it out and make it in doctrine. So that way everybody knows what you're willing to accept and not accept. Invest. Right. Technology is you mentioned we actually mentioned a couple of different defense in depth layers. Right. Like so invest in potential an MDR service. Right. Invest in potential EDR services. Leverage. And this is an interesting hot. Yeah. Yeah. Zero trust. Yep. Zero trust is a hard one, by the way, in my opinion. That's a hard like I love the concept. I love the thought, but it is hard to do in practicality, in my opinion. There are artifacts and things that we can do. Right. Like you can say like, hey, like, is this device is it accepted into my environment? Right. Do I know this advice coming into my environment? Okay. Yes. But technically the device is a remote device. And what if, you know, a bad guy is physically on that device? Right. So that's what I'm saying. Like zero trust is really hard to do the way I've always I've always deemed zero trust. So in the past, I would be asked like, hey, well, can you prove that somebody was like doing these things? And I could get very close to proving it in the data. I'm like, look, like all these things indicate that this person did it. But do you have a camera watching that person on that computer? No, you don't have a camera. So then can we 100% say that this was the individual that did it? That's where you know, zero, that's me zero trust is hard to do. But one of the key topics right now, and we'll likely get into it here in a bit as well is AI, right, like leveraging the AI, leveraging the automation, to help reduce the mean time to respond, we're talking about proactive response and measurement of time and everything of that aspect. And also, if you're looking into right, like if you're running a SOC, or, or you're running a security operation, or you just it people boots on the ground, right? Like you also have to consider fatigue, right on the SOC side on our side, Hilda, right? Like we're very interested in our SOC analyst, we don't want to burn them out. So we look for ways to ensure that that that's not happening. In addition, right testing all the time, right? It's almost like the tale as old as time, right? It's like, you got to test you got to you got to pen test your environment, you got to do you know, red team, and you got to do blue team, and you got to do essentially purple team, you got to do tabletops, you got to go through these things to ensure that you're prepared. And it's almost like I'm like, I feel like with you, I'm preaching to the choir, right? It's like Hilda, like, you know, these things, right? And and I'll have discussions with with others. And it's like, I think in intricately, the majority of us know, we need to do these items. But it's just there's not enough time to get these things done. So it is time, it is time, the biggest issue. So you mentioned about AI and the SOC. And how do you think the MDR role and the SOC role plays now on this on this big issue, like containing the thread, triaging, analyzing, like how is the MDR role playing right now and the AI too? Well, this is a this is a will idea thought. So this is the statement does not come around anything of business or anything of that of anything we're representing or anything. So this is this is my personal opinion. I was thinking about, like, AI, I'm looking in the industry, and I'm reading all these things. And it's like AI is doing this for this organization. It's doing this for this company is doing this, it's doing this. And so I was thinking, like, how is AI really affecting cybersecurity? Right? What is it actually doing for us? And my aha moment, or my epiphany was essentially is AI is doing nothing more than helping drive conviction at faster speed at faster time. Now, yes, some may argue, well, we have AI that is taking actions on behalf of the analyst 100% agree with you. But that AI was instructed and taught that by who, by a human, right? So all AI is doing is helping the human get to conviction faster. Right? So how does all that play a role in MDR? Well, it plays a role because we need to I've been saying it as as augment, right, we need to augment the analyst, which we are doing here. And we need to empower them to be able to move at essentially AI speed, when threats are going on. So I'm going to, I'm going to give you a little story, Hilda, which I'm sure you're quite familiar with, but for the audience here, right. So we had a we had a an attack fall on one of our, our environments. And I went and got with our senior analyst, this was a bot almost two years ago now, actually, I think it was two years ago now. And I said, Hey, I want to do a postmortem hotwash, you know, I want to know what you learned and what happened from this. So we're discussing the the actual incident. And I, he shows me his list of IOCs. And I was like, man, this is really awesome, right? Being an agnes. Basically being that we're an environment where we can take in a lot of telemetry, right? That means you can be hunting against EDR against cloud against endpoint, like you can be hunting against a bunch of different things. Right, right. He, I think it was, it was like 10 IOCs. Again, two years ago. So he gives me this list of IOCs. And I'm like, this is great. How long did it take you to get all this? He tells me, well, you know, it took me about 60 minutes. That's super impressive, like to find all these IOCs, right? So it's that cognitive thought to try to put the pieces together to find the moving parts. Yes, we get the signals and the detection, right, but you still have to dive in deeper. So at the time, we had a one of our AI children, I'm not going to name the child at the moment, but one of our AI children. It was in beta. And so I ran the command. And I said, Hey, I'm going to do this. And I showed him the list of the returned IOCs. And he said, How did you get this? And I said, Well, let's not worry about that right now. Let's discuss what we're finding what we're seeing here. So we returned the 10 IOCs plus three additional ones. Now, the the return right is for for our senior analysts, they held confidence that the IOCs that they had found were actual indicators of compromise, right. But for an AI system, like you can only hold so much confidence, again, what does it need on the other end, it needs conviction, it needs a human to make that conviction, right. So it's driving and finding anomalies inside of the environment. And in this case, for for for this use case that I'm giving. But not every anomalous item means that it's malicious, right? It just means it's potentially anomalous. We're building some other things here that we've already implemented, right, where we can have potentially one anomaly and two anomalies that then you have two anomaly items coming from AI presented to an analyst at a human level and say, Hey, I have this and this. What's the human gonna say? Whoa, wait a minute, you got now now you don't, you're not just giving me one thing, but you're giving me two. Anyways, long story short, you're not just giving me one thing, but you're giving me two things. So the the return of that data of those IOCs, the 13, so essentially, the three other ones, right, that he had not come across, again, anomaly does not mean malicious, but in this case, two of the three were malicious, additionally, returned to us within 10 seconds. And that is a just, for me, that's just mind blowing. Because now we're proving that AI is helping the analysts get to conviction. And again, remember, this was two years ago, Hilda, right? Like this, this is doing this now for quite some time. Yeah. So now we have that level of empowerment for the human to say, our AIs are, are basically augmenting you to help get to that conviction even faster. You remember, you remember that we had like three years ago, an attack, like it was a ransomware. And we were like, on like more than 24 hours. Imagine that we have that there at that time, like it will reduce our, our life or be easier. Yeah, yeah, I remember one of them where I was in the hunt. I was in the trenches for it was like 10 hours. It was insane. And I remember it was like our 10. And And I remember it was like hour 10 and, and I was still looking at it and I found another IOC and I was like, and it wasn't even like, it just, it rubbed, like it rubbed my gut intuition wrong. And I was like, eh, I can't prove this one, but this one doesn't feel right. And I went and I took actions and turned out that was like the main one, right? Like that was the biggest one. And it took us that long to find it. So 10 hours to 10 seconds. Oh my gosh. That is insane. Like just, I could have done so many more things that day. I know. You know, could have went for a walk. So you, so we were saying that AI is helping us a lot, not like to reduce like the actual analyst, like humans are not going away. We are not going away. So at least when we have a natural threat, an attack from 10 escalation that we escalate, how many do you think humans are going to be like acting and working on it? Like, is it a 10, like one to 10 in 10 or two right now? It's likely still going to like, again, it's, it's, it's all driven by human, right? But as we add more confidence into what we're doing, I do feel that there will be a shift in how many engagements and investigations we need to put human eyes on, because we're just helping the AI get to conviction and the AI help us drive that conviction, right? So it will likely yield a one in 10 output, right? Where one in 10 will still require the human intervention. And surprisingly, that's what our metrics show, right? That's what the state of the stock reports show, where it actually is one in 10. And so at least I completely forgot about that. It just hit me right now, but it's, we will move faster, right? And we have to think again of time, right? So if we can get, if we can start moving closer to machine speeds with humans as well, and having the AI is doing the things for us as well, like, yes, it will allow us to free up those times that those windows in order to go and work on the bigger, better things, right? To continue to move these things forward. So saying that, what do you think is the right balance right now for a stock that has an AI, like 70%, 60% driving or being worked by the AI and the rest 40 is more concentrated on humans or 70, 30, like, what are your thoughts there? It's such a hard metric to try to define because it's going to be dynamic ultimately, right? And what we're finding in our success is that at 70%, we're finding a really good sweet spot in terms of 70% is handled by our AI that has been guided and led and trained and mentored by the human, where 30% is still being handled by the analyst. And but why is that right? Like, why 70? Why not 90? Well, it's because there are going to be some limitations where, like, those convictions can only get to so many levels, right? And as as there's harder detections, right, because we can we've clearly we're at 70%, we've programmed and taught our AI to handle these types of investigations. But there's still 30% that are requiring much more cognitive minds, right? Like, you have to be able to put those bigger pieces together. And again, like, different, different things are going to are going to work different. And when I say things, I mean, like different, different, just others may have different numbers is what I'm essentially saying. But this is this is where we're finding our sweet spot and success that these alerts are easy ish for the AI to do because we've done it, we've trained it, these are the alerts where we still need the human to really be a part of it. But now we've hit it on two fronts, right? I've defined like I internally defined that we have like five families of AI, each with children. So, you know, two of those family members are handling those 70%. And on the other 30%, right, we need the the other family, which is the story I was telling you about how we're augmenting those analysts, right? So imagine which we just said, right, the 30% of of of investigations that need to be handled by the human where you're not alone anymore. Now you have the AI to help you get to those and find the anomalies and get to the conviction faster. So it really does just amplify our threat hunting capabilities, our time. And essentially what we found here is that it like once we really started moving into these paths, we were able to open up our threat hunts by one hundred and fifty three folds. Like that is a lot. It was quite a it was quite a few. I'm sure the I'm sure the senior team wasn't quite happy when we're like, hey, you guys have a ton more time available. Let's go do some more hunts. But, you know, it's it's what we love. Like I like I love to to do this. I do want to ask you a question, Hilda, in respect to time, because again, time, I know that we're we're starting to drive deeper into this this conversation and we can just keep going and going and going. But I want to ask you. In terms of like attacks in recent time. Out beyond the state of the SOC report, like is there any other thing that we have seen or trends that we have seen that we could potentially share with the audience here that we weren't able to include in the state of the SOC report because it's like right now it's happening like right now. Oh, my God. Yes. Honestly, it happened last week, which it was insane. And it is sharp because I was reading more articles and somebody else had the same attack, kind of like the same trend. So basically, I call this I was the art of fear. So art of fear, what does that mean? Like it means that we are looking for like attackers now are looking for the fear, like not actually doing a real attack, like not going to your firewall, to your network and doing it. It's just like fake. Attack and put it against our blog there, like we have a customer where they receive an email saying that they were hacked, they were like attacker was in their firewall, they're in the network. They show screenshots of like routing tables, you name a minus a and there's other information like domain in a banner saying like warning. And the customer was like, oh, my God, oh, that's going to drive some emotions. Yes. So we are emotional. So they just freak out. They call our emergency line. What the heck? What is going on? This is what we receive. So, of course, our team, very relaxed, deep breath, deep dive there. Let's see what is going on. So that's what we did. We go, we check the logs, of course, we are diligent, we validate like each screenshot. But one of the things that we notice is on the screen, one of the screenshots, it's a shell. And normally when you are in a firewall CLI, you're going to see like the name of the firewall or something else. You're not normally going to see shell. That is one of the key points that we noticed there. And we also notice the routing table interfaces, the names were like so odd. So we ask a customer like, hey, do you normally use this naming for your interface? And they were like, no, we don't use that. Of course, the routing table was showing like internal IP address. And we also asked for those like, hey, do you normally use this subnet internal? They say no. We also check the IP address that were involved, that it was in the thread and the email thread. And we found that the IP address is a certain IP address from that customer that has four open ports. And we actually went to those four open ports and guess what, we actually found the banner. I say there like it was just a firewall banner saying like if you warning, you're getting into this firewall and you're not you're not supposed to be here if you're not authorized, blah, blah, blah. So, yeah, it was more a fear attack. And we are seeing those trend now, like attackers or hackers are getting lazy sometimes. Or maybe those are the kids trying to like scare. So let me let me get this straight. So let me wrap my mind. Right. Right. You're right. You're right. Yes. Yes. So basically the attacker sent an email saying. Not attacker, not attacker, not attacker. It was like a third party that found an information like one group of attackers. Let me ask you, where did they find it? Where was it found? I remember the forum, but it was like a surf like surface web, middle web, dark web. Like where did they find? It was a middle web. I don't think it was dark, dark. I think it's a middle one. OK, so essentially some third party doesn't matter, found something that's in the middle web. Yes. Claiming where an attacker is saying I own this environment. And they then took that, sent it to the client, client got super emotional, called in the SOC, SOC went and did all the investigation and basically said there's this is all like this is very good in terms of driving emotions, but they do not own you. They're merely grabbing open source intelligence against you. Yes. That's quite crafty. Actually, I've not really seen that done before. Has that been something you've seen before in the past? No, actually, it was the first time I'm seeing that. I guess maybe there is some situation that happened that it passed, but I mean, it was not the norm. So it was very interesting to deep dive with the team. I've not seen it at a business level. So let me retract my statement. I've not seen it at a business level. I've seen it like I'll get like friends and family and they're like, oh, my gosh, I got this email with this guy saying like he like owns my computer and like he like recorded me like walking through my house. And I was like, yeah, no, don't like that. It's a fear. What do you call a state of fear or the art of what you call the art of fear? Yes, I like that. Actually, I was like, oh, that is cool. So so the other one is like AI driving attacks. So I feel like hackers are also using the AI. So how can we be? On top of them is the question. Just pull the plug, just pull the network cord right now. Just kidding. Let's go, Homer. It's a you know, it it's just where we're going to we're going to to move to. There's an airman in my squadron who works for a I don't want to say the name because I don't want to say it, but it works for a company that sends things into space essentially. And we're having a conversation. He does a eye for them. And we're again, we're like, I was trying to think, like, how is a I going to affect our lives? Like, you know, there's all these different types of doom and gloom types, predictions and all this different stuff. Ultimately, what both him and I started to come to the realization was, is that the future tomorrow, which is already today in many places, will have a dependency on AI. Right. Like you will need to know how to work with AI in some shape or form. Now, that doesn't mean to go give everything to AI. I will say I can see when somebody gives me something out of AI, like there is there's certain items. And when we're over at RSA, right, we had this like pop quiz thing and we're asking people like, which one is AI and which one's human? Oh, yeah. And I was surprised to see. I know you're over at InfoSec in Europe, I think last week or the week before. Right. I was surprised to see, at least from the RSA side, how many people were able to actually say like confidently like that is the AI one. And so I wanted to drive into them like, what is leading to you to say that? And they would say that the way that it is is presented. Right. It feels more kind of robotic versus human in a weird way. Maybe some people can just see that. I am not a literature person to really be able to pick that up. But were those trends that you were also seeing over at InfoSec? Yes, it was basically the same thing they were saying. And also they mentioned about like how the human is more like detail. And we provide more detail, very specific items versus the AI. It was very generic, like this is what it is. This, and this, and this. That's why humans are amazing, right? Like we're just amazing. We really are. But, so let's wrap up. Let's do a like just a kind of overall. What do we know? Post-mortem. So compared to last year, have we seen changes in the state of the SOC? I mean, heck, we saw one last week that you were just telling us about, right? So yes, there's always gonna be changes. Yes. Are we getting more like detections compared to last year? Yes. Yes, we are. And we're seeing again, more attacks going against the cloud than in the traditional past, right? So again, 44% where the previous year. So just to give that closure of that number, the previous year, we're at 30% of cloud attacks. Within those three months, December to February, we found 44% of cloud attacks. That's amazing. And now the AI handling like 70% of the initial. True, that's true, right? So AI, so AI is now handling a bunch. We will add on a future podcast of Beyond the Horizons, right, of what we're seeing against the token-based attacks, right? Like this is definitely something that we're also seeing on this side. Incident bridges are going up. That is true. I was watching the team yesterday and I was just, you know, for me and you, it's all metrics, numbers, and everything else, but being able to be on the ground level with the team also. And I was definitely seeing them definitely engaged in a lot of incidents yesterday, incident bridges to ensure containment with customers. And we are seeing also a lot, I'm sorry for interrupting you. No, you're good. As always I do. But we also see one of the things that I remember now is that there's a lot of customers that are hybrid. They're like, I don't want to fully go to cloud, but I don't want to also stay on-prem, so. Let's touch that really quick, really, really quick. How would that affect a defense measure? Like if you have a hybrid environment. So I feel like, for example, Azure, let's talk about Azure and Oli. So if we push some kind of like disable to this account and the on-prem, your source of true is your on-prem domain controller, and you just only push the Azure to disable, what is going to happen? It's only going to disable in Azure, but when they synchronize, because the on-prem domain controller is a source of true, that is going to remove that. So that is one of the- So you didn't do nothing. You didn't do nothing. Yeah, it's kind of like, okay, done. So that's important to know. Yes. If you're setting up a hybrid environment and you're working with a team and they're telling you, hey, we're going to disable this cloud and your source of truth, like you said, the on-prem directory, well, then you're not doing anything because as soon as it syncs again, just like you said, right, it's like, all I got to do is just wait because you may have disabled it for a second. And then as soon as that sync happens again, I'm back in. That's a good one. We might want to dive into that one a little more next time as well. Yeah, 100%. But beyond that, you opened the show, Hilda, so I'll let you close the show. I was going to say that, why you don't close it? Because I opened it and now that you turned to close it. Well, just again, we want to thank everybody for coming to hang out here with us at Beyond the Horizons. And hopefully you guys enjoyed this. Hopefully you learned some stuff. Our intent is to drive what we're seeing from the SOC, what we're doing here at Lumen Enable, and essentially just give you guys some insight behind the veil and to help you be ahead of the game beyond the horizons. Yeah, beyond the horizon. Thank you so much. Well, thank you guys. Thank you. Thank you, Hilda. Thank you everyone. And we'll see you all next time. Thank you.