[0:43] All About Deception Technology

Rachael: Welcome to the podcast everyone, Greg Edwards, he is the founder and CTO of Canauri, formerly serves as their CEO since its beginnings in 2015. And okay, go ahead and introduce yourself, Greg. Quick, I want to get into this favorite topic of ransomware that you guys work on.

Greg: Absolutely. Rachael and Petko. Thanks for having me. So I am Greg Edwards, the CTO and founder of Canauri. And we're a deception technology company that stops actively running ransomware attacks that get through the other lines of defense.

Rachael: And there's so much to talk about here, and I always have that habit of jumping into the meat of the matter. But I think for our listeners who may be new to deception technology, we've never really delved into those capabilities or talked about that realm. Would you give us a little bit of a foundation-setting landscape?

Greg: Yes, so deception technology has been around for a long time, 15 years at least as far as I know. And really what it is it's deploying decoys or canary files out into an environment so that those files are attacked first rather than the actual data files of the company that's being protected.

And they can be honeypot servers, so an entire set of servers or individual files. Really it is that canary in the coal mine is what they're there for, to take the brunt of an attack and be able to stop it before it gets into the rest of the production environment.

Rachael: That's kind of amazing. Sorry, go ahead, Petko.

 

Taking Security to the Next Level With Deception Technology

Petko: So Greg, I'm thinking of deception. I've always thought of it as, hey, I could emulate my environment and have the attackers go down this rabbit hole. That's network-level detection. There's also the credential side of it where you can have some fake accounts that if they get used, that become a canary and you know that you have to go to wherever they were used.

You took that a step further and said, "Let's create some decoy documents we monitor. And if they ever get changed because we know they should not get changed, then we got hit with ransomware in that endpoint and we need to roll back stuff." Does that sound about right?

Greg: Yep, that's exactly right. And it takes that time to detect from what can be hours or days, sometimes, down to seconds and even less than seconds, that it stops it. So it mitigates the damage of a ransomware attack so that it doesn't take the entire company down.

Petko: One of the hardest things with ransomware is knowing where it starts sometimes, you know, get hit with it. And I'm thinking back in the days of, let's say some of the large offices that got hit over the weekend, you're like, you come in, you don't know where to start. You don't know what happened.

You don't know how bad the infection is. I think ransomware is such an impactful solution, but also I'm worried about false positives sometimes or false negatives. Because especially with the SOC, "How many times, oh, don't worry about that. It's not ransomware, it's something else." It's encryption. It's actually our encryption that we used to encrypt their own files. 

 

How Deception Technology Change the Game of Security

Petko: But I think deception technology that you have is really interesting because it's like a hundred percent or 0% false positives. Every time it hits, it hits, correct?

Greg: Right. Yes. And that accuracy is what makes our solution so powerful and to be able to stop those attacks. And again, these are attacks that if Canauri wasn't there, then these attacks would be continuing to run. A lot of the time now, these attacks they'll set to start on a weekend so that at seven o'clock Friday night it starts running and nobody notices until they come in.

And so with Canauri to be able to stop that attack in its tracks and send the notification of who is that patient zero, where did it start? And what files were hit to start with, it's a game changer.

Rachael: It sounds like it, especially with ransomware, it's just such a difficult problem, right? Because it's not just the breaching of the data, but it's also the payment on the backend. And then you've got cyber insurance that they're not really covering things anymore and the treasury department can find you if you pay.

It's a nation-state actor. And then I read this article in Wired, they said ransomware attacks have entered a heinous new phase where now the attackers are frustrated that people are not wanting to pay. So they're threatening to release things like pictures, like cancer patients, this is crazy.

Petko: Yes.

Greg: Yes. So some of the worst are when school systems are hit all the time and when they're releasing data about kids. And probably the worst that I've seen is when they're releasing mental health information on children.

Rachael: Yes.

 

Deception Technology Lessens the Susceptibility of Security Attacks

Greg: They have no, obviously zero, morals, but you would think it somewhere that kicks in, maybe we shouldn't do this.

Rachael: Yes. I don't know. See, that's the part that's kind of getting me, and it just seems like everybody could benefit from this kind of technology. And you think about it from even the smallest organizations. We've heard Beverly Hills, plastic surgeons have all these pictures they want to protect, but also you think about governments. I think, what was it, last month, the US Marshal Service had a ransomware attack and it wasn't the first time. Is that correct?

Greg: It was the first time that the US Marshals, at least that particular one was hit that I'm aware of. But yes, it just goes to show that anyone is vulnerable.

Rachael: Yes. It just causes one cause. So deception technology though is one aspect I think as in it comes to security, there's this kind of holistic approach. And so how are a lot of the organizations thinking about this that you're working with?

Greg: So what we recommend is defense in depth. And that's really what all companies should be looking at how do we put in multiple layers of defense so that we are protected from whatever kind of cyber attack is hitting. So that starts with the very basics of just having good network hygiene and really all starts with a network inventory and knowing what you have, which so many companies don't. It's insane.

 

[7:54] Deception Technology as a Must Have

Petko: I was going to say, I've seen deception emerge from a standalone solution to now being integrated into so many different things like EDR and XDR. And then you have some that are integrated into networks and some that are putting it inside. Do you see deception now becoming mainstream as a must-have?

Greg: I do, absolutely. So we have a patent on the way that we deploy and utilize the deception technology. And I really see that as becoming a mainstay of what every company should have as part of their cyber defense. Is that set of files and/or servers that are out there to distract and give that early warning to an attack that's happening?

Rachael: I think a lot of people do struggle too with navigating that security stack and getting the budget to support it and then all the other pieces that come with it. And it seems like something like this is just so incredibly important.

Greg: And the thing is that now, so we've seen this migration of the Fortune 500, really were the first to properly protect themselves. And so now we don't see the targets of the world like we did back in 2014, getting hit and it's smaller and smaller and smaller companies. And so everyone's having to level up their cybersecurity just to be at table stakes. So those budgets are increasing. 

But the thing that now needs to happen is that CEOs and boards, need to be educated and they need to understand how to hold their IT and security departments accountable. Because it's something that most CEOs and most boards, that's a piece that's unknown to them, and they don't understand what they need to know. 

 

Defining Success in Cybersecurity

Greg: And so that's again, changed at the Fortune 500 level. But that's got to come down to the smallest of companies so that at least the CEOs understand what are the minimum table stakes that they have to do to protect themselves.

Petko: Greg, having worked with boards, I've found that it's really difficult to measure cyber. How do you define success in cyber? How do you know you have enough budget for that SOC? That SOC's going to say, "Hey, here's how many events we have and the more budget I give them, the more events I get." It seems like there's a correlation there.

Greg: There is. So that's also improving. So companies like CrowdStrike and SentinelOne are adding AI to their EDR solutions and cleaning up those number of alerts because the alert fatigue is real. Going all the way back to the targeted attack, that was way back in 2014, they had alerts.

And that still happens today where companies will get the alerts and they see the alerts or the alerts may just be being logged and they just don't have the manpower to deal with them. And so again, companies like CrowdStrike and SentinelOne are really doing a great job of filtering out that noise.

Rachael: Coming back on the ROI thing, it seems like deception technology, if you're able to show the stopping of the ransomware, I think that becomes an easy calculus for business. Correct me if I'm wrong, Greg, but I feel like I read some statistics somewhere rectifying the cost of these kinds of attacks and ransomware, not only what you're paying out. But also damage to business and especially larger businesses, you stop productivity. 

 

The Problems Caused by Ransomware and Cyber Attacks

Rachael: There's brand hits, there's all the things, but I think it was something equivalent to the world's third-largest economy or something like that. That's bananas.

Greg: Yes, it is. It's the amount of damage that's being done by ransomware attacks and cyber attacks in general. It's just gotten out of control and I think it will take another three to five years to get to the point where the right tools are available today.

But actually implementing them, having the IT and security departments understand how to utilize them, and properly utilize them. It's going to take another three to five years to get this at least under control. And then it's going to be a matter of which companies are doing.

Then it's just going to be a matter of where are the holes remaining that the attackers can get through.

Rachael: Have we seen the bottom? It's our favorite thing in cybersecurity. When are we going to see the bottom? But it feels like ransomware, you kind of get attacked twice to pay the ransom, then they hit you again because you didn't patch soon, that particular vulnerability or they give you the wrong key.

There's just all these things. What is the bottom of ransomware look like and just how much uglier could it possibly get?

Greg: Right. Yes, I don't think we've seen it yet. And again, I think that that peak is probably three to five years out and then we're going to plateau and eventually decline.

Rachael: Then we'll be on to the next thing.

 

Ransomware’s Similarity to Insurance

Petko: Rachael, I actually kind of think of ransomware, kind of like insurance. There's always this reinsurance where you resell it to someone else. Ransomware has the same thing.

I'll go hack this company, I'll get the ransomware out of them and then I'll take the same key, same encryption and resell to someone else. And if they can get in, great.

Greg: Yes, that happens all the time. And the way that it's structured within hacking now, they're very specialized in what they do. So a group will hack in and get the keys into the system, but then they won't actually do the damage and cause the ransom. They'll sell that information to the next attackers.

Petko: It's a guaranteed outcome if you think about it. Let someone else take it.

Rachael: What are we doing sitting here then, Petko?

Petko: Are you saying we're in the wrong business, we should go hack systems. Is that what I'm hearing, Rachael?

Rachael: Just sounds so simple. I'll just subscribe to the ransomware of the month club and just deploy, deploy. See what goes out there like I'm fishing and see what comes back.

Petko: I hear they take Apple Pay too.

Rachael: Yes, exactly.

Petko: Sure.

Rachael: That's hilarious. So one of the things we've talked about too though, Greg, I don't know that we're ever going to see an end to ransomware. But aside from things like deception technology, what are your thoughts on how we get them to dial back a little bit?

Is it if only Bitcoin were regulated or if there were other kind of means of impeding their ways to get financial incentives? How do we look at this holistically too?

 

[15:39] International Agreement on Cybersecurity

Greg: Well, so the way that we look at it holistically is get international governments to cooperate and make it internationally illegal to operate a cybercriminal organization. I don't see that happening anytime soon.
But that's really what it's going to take is international cooperation.

And we did see a little bit of that. So after the colonial pipeline attack back in 2021, there was some, I put quotes, air quotes that nobody listening to this can hear. But some cooperation between the US and Russia shut down the evil group that perpetrated that attack. But they also resurfaced three months later as a new organization.

Again, I think taking that international cooperation between governments and businesses and sharing of information that I just in the current landscape don't see that happening anytime soon.

Rachael: Yes, very difficult.

Petko: So Greg, so I'm just trying to think through the steps here. It's almost like you're saying if we had a global system of due process for cyber criminals that was effective and quick.

Greg: Yes.

Petko: So, we can do quick take-downs and back money through Bitcoin or something else.

Greg: Yep. And we in the US have a lot of those capabilities now to track cryptocurrency and track back to who these attackers actually are. But we have no jurisdiction to do anything. And so we really need that international law enforcement that I, again, don't see happening anytime soon.

Rachael: No, it's one of the things we've talked about a little bit, NATO running their cyber exercises and what have you, and a lot of the challenges they run into. 

 

Deception Technology Wage War with Cyber

Rachael: Particularly when you're looking at all this global landscape, is even just defining something which seemingly simple is what is cyber war. They can't even get to that alignment. So if we can't get to some of the foundational pieces here, that would be essential for any kind of prosecution illegality. It's a long way off for us. It's addressing this.

Greg: Yes, it's a long, long, long way off and insurers are now recognizing or at least trying to recognize a lot of these attacks as cyber warfare and so not covering the attacks as an act of war.

Petko: Yes, I see cyber budgets increasing in near future. I don't know about you.

Greg: Yes, and they have been increasing, but they need to continue to increase. And again, the CEOs and boards of directors have to recognize, and I think that they do now recognize. If we were having this conversation three years ago, I would say they were just woefully blind.

But now it's recognized, at least CEOs and boards recognize they need to do something. Now it's a matter of education and understanding what they need to do and then how they hold people accountable.

Rachael: Yes, absolutely. So I'm interested in your background a little bit more too, Greg because as you know, we talk a lot about cybersecurity as the cost of doing business today and getting more talent in the industry. And you're an entrepreneur, you've been standing up businesses and been around for quite some time in this world.

 

How Deception Technology Helps Startup Businesses

Rachael: How do we get to get more people into it? I guess it's the first question. And then the other is getting cybersecurity to be truly integrated into new business plans. As new businesses start up, how do we help folks start at the right place from the very beginning?

Greg: Yes, so first of all with the cyber education and getting more people into the field, that somewhat is happening through market drivers that are through pay. It's a great field to get into right now and will be in the coming years. But the problem is really to be an expert and a cyber professional takes years and years of experience. And so we are way behind the curve there. 

And I don't know, I haven't seen the latest numbers of how many short we are in the cybersecurity profession, but it's hundreds of thousands worldwide. So from that standpoint, we absolutely have to have more and more young people coming into the field. And there are great programs now at Notre Dame, Iowa State University here in Iowa has a great cyber program. And so there are some really great college programs in cybersecurity, but again, we're behind the curve there.

The second part of that question, how do startups and companies are starting out, how do they integrate cybersecurity in? And again, it's that education piece, it's so much easier to do it from the start as a startup and the certification. So, SOC 2 now is much more accessible to a startup and small companies. And so those certifications are something that I think startups should begin with. 

 

The Value of Certifications Today

Greg: Now that SOC 2 certification for companies is definitely any Fortune 500 companies, but becoming much smaller and smaller companies that that's just table stakes. If they're looking at a new vendor, new software vendor, and they're not SOC 2 certified, that's just off the table.

So startups have to look at that and have to from the beginning start with cybersecurity in mind and the right certifications for the company in mind as well.

Petko: Greg, I've actually found certifications are critical to selling because as you pointed out, it's more accessible now and the customers expect it. If you don't do it, what ends up happening is you start getting stuck with filling out these spreadsheets that are 500 questions long and everything else. So SOC 2 or whatever other due diligence they want to do. 

It's either do them once with a third-party verification that proves you know security or you're going to do it every single customer and they might want a penthouse on top of that. So it's about reusing that certification with your customers versus doing it.

Greg: Yes. And five years ago I would've said that SOC 2 certification, wouldn't have said it as worthless because it had value. But it has very, very high value now and there's no teeth to it from the standpoint of you're not going to get into legal trouble if you don't have everything in line.

But at least when you go through the audit process that auditor's going to be able to determine whether or not you're following best practices or not. And that is hugely valuable today. Whereas, five years ago it was more of a rubber stamp and it's not anymore.

 

[22:32] The Future of AI

Rachael: So looking ahead at the next 5 to 10 years, where do you think you were going to see the most innovation happening in security or the most advancements forward?

Greg: So certainly AI. that ability to analyze the indicators of compromise and filter out the alerts so that the alerts that do get to humanize are high value and you eliminate that alert fatigue. That's where I see the biggest advances coming.

And so that's not only in that machine learning side of AI but also in the rules-based AI. So actually taking action then and recovering on those attacks before it even has to go to a human. And what we built Canauri on was that rules-based AI to say,

"Okay, if these things are true, then take these automated actions."

Petko: Greg, AI aside, when I think AI, there's the traditional AI or ML. And there's the models that you start seeing recently like ChatGPT where it's trained on billions of data sets and you ask it questions and it comes back and answers. I think that could be a game changer for just the workforce getting more cybersecurity professionals in the market.

But it also could have the opposite effect where you can bring more attackers in as well. 

Hey, how do I write an encryption script? Well, I can't tell you that. Or if you ask it how you write ransom, it'll say it can't tell you. But if you really kept the piece pieces and say, how do I encrypt the file? How do I do this, how do I have it communicate, how do I exchange keys?

 

How Will Deception Technology React Toward AI?

Greg: It is both sides of it. So the attackers are already using AI too. One of the things that I've seen most recently is using it in their email writing so that natural language. So generative AI helps these attackers to write in English much better than they have in the past. And they're utilizing it in the same when you think about how we use it, I use ChatGPT all the time just to help in my writing, and the attackers are absolutely utilizing that.

Petko: I've also seen, the cyber professionals will start saying, how do I use this to do X or threat hunting or, "Hey, look for this IOC in any of my data sets and tell me what you find about it" and it'll write you a paragraph, write your reports.

Greg: Right.

Petko: Potentially. Yes.

Greg: Yes. And that's where I think the next several years as these different AI technologies become more and more accessible. We're going to see some incredible innovation both on the protection and the attack side.

Petko: Yes, I think it's going to get more specialized. ChatGPT is very general knowledge, lots of data as if you give it more specific data, let's say more cyber data, you kind of have this group of here's everything we know about cyber and it's really specialized. It might infer things that we didn't even consider.

Greg: Yes. I think that power of the machine learning and natural language ingestion is, I think we're just beginning to scratch the surface of what's possible.

Rachael: That's exciting actually.

 

[31:19] Can Deception Technology Keep AI in Check?

Greg: It really is. I feel like innovation has happened so rapidly it seems like over the last 25 years. But I think the pace of change is just now getting to the speed that we're going to continue to see.

Rachael: Yes, I'm excited about the future. I was telling you before, I said I can't wait till we have self-driving cars where you could just sit in the backseat.

Petko: Rachael, we already have that. Last time I checked, I was the one driving and you were sitting in the backseat.

Rachael: That's hilarious.

Greg: Well, and what does that mean for car ownership, too? When you don't need a driver anymore and can just come to pick you up. And the same thing is happening in aviation. So I'm a private pilot and the capabilities that the autopilot of my little plane has, you really get about 700 feet off the ground and push a button and it'll fly you down to 200 feet from your landing spot. And that with the vertical takeoff and landing systems that are being built now with electric vertical takeoff and landing and self-flying, yes. And self-flying is definitely going to happen in our life.

Petko: Let's put it together.

Rachael: I know. Yes.

Petko: I want my flying car.

Rachael: Exactly. I shudder to think of regulating a flying car highway.

Greg: Flight is actually much easier to regulate because you have three-dimensional space, so you don't have the constraints that you do on a highway.

Petko: Greg, I'm curious, as a pilot, how long have you had autopilot or I guess the self-pilot, I don't want to say autopilot, but the self pilot, the autopilot.

 

The Origin of the Auto Pilot

Greg: Yes. So we installed a new system in 2020. So it's a Garmin system. We had autopilot before, but that autopilot was just altitude and keeping you going in the same direction. Whereas this actually has flight planning capabilities where it'll fly the approaches so that it'll fly right down to 200 feet above the ground and lined up on the runway.

Petko: But that's like a Garmin, so I'm assuming that's almost consumer-level. We've been doing this for probably decades, right? Is what I'm trying to get at.

Greg: Yes.

Petko: I think in the commercial space.

Greg: Oh Yes. So Collins Aerospace was one of the first to build what's called synthetic vision and tied to the autopilot systems. And that's been around for 15 years plus.

Petko: So it's not Tesla, it's not Elon Musk who invented it first is what I'm hearing. Autopilot came way before Elon invented the car.

Greg: Way before.

Rachael: Depending on who you talk to, it could have come out of Roswell, New Mexico. I'm just saying.

Petko: Next podcast, Rachael. Next podcast.

Rachael: Yes, I've been deep diving into Amazon Prime and there was some documentary about classifying documents. It's just fascinating what's out there.

Petko: I'm stuck on the Egyptians and the Mayans right now.

Rachael: Yes.

Greg: Little older technology.

Petko: And how they were more advanced and everything else that goes into it.

Rachael: I know what happened. And then what happened? Yes, it will drop off and you got to rebuild it. So Greg, now we're entering the fun part of the podcast. We always like to ask and do you want to ask, Petko, your favorite question?

 

What Greg Reads for Fun

Petko: No, you go first, Rachael.

Rachael: Okay. Well, I'm going to steal your question, but what are you reading right now? We're always interested in what you read for fun, but also what you read kind of professionally. What's of interest to you these days?

Greg: Yes, so I'm reading, Selling Your Startup.

Rachael: That's fantastic.

Greg: So not announcing anything. I think that is proper, whether you're actively looking for an exit. So this is my third startup, and ultimately what you start a company for is to exit and go do the next thing. And so at some point that will be the case with Canauri. And yes, that's actually what I'm reading right now, Selling Your Startup and all good fundamental best practices for how to prep a startup to sell.

Rachael: That's wonderful.

Petko: I'm looking at the book right now. I might add it to my list. I've not read that one.

Greg: It's a good one.

Petko: Good. Yes. Five stars on Amazon is what I see. All five.

Greg: Yes.

Rachael: So as a serial entrepreneur, Greg, how do you come up with your next venture? Are you looking for things that inspire you, that excite you, or what's your calculus here?

Greg: Yes, so it's really finding that gap of what hasn't been done yet that needs to be done. And where I see that next is in 5G. So marrying the connectivity with zero trust, cyber security. So that you can hand enterprises an end-to-end solution that controls the network from connectivity all the way through their applications across the cloud.

Rachael: That's exciting.

 

The Old Days of Cybersecurity and Deception Technology

Greg: So I've identified what that gap is already. I'm just now I need to go do it.

Rachael: That's fantastic.

Petko: I thought 5G had that already. I thought 5G had the ability to create private networks on top of it and everything else.

Greg: So it is, but it's not accessible yet and it doesn't give the control to the IT departments that they need. So it's still controlled by the carriers and what I see really, and I have a long enough experience in technology. I can remember the days of cybersecurity were physical connectivity.

You could actually air-gap the system and you can't do that anymore. And that's where a properly configured 5G system could give that power back.

Petko: Are you thinking of overlay networks?

Greg: So this would actually be, it is an overlay network where it runs over the public infrastructure that exists but allows the IT departments to take back control of that network. Actually, have their own IP addressing that they control and control the access points of where that connectivity goes.

Petko: Back in the day we had token ring and everything else where you had to depend on that infrastructure and that once you put it in, that's it. This potentially could allow you to do encryption over 5G and take back control of your solution and at the same time be agnostic to the technical solution. So in theory, you could use Huawei.

Greg: Right. You could because it doesn't matter. It's all encrypted.

Petko: If you trust encryption, yes.

Greg: Oh yes, true.

Petko: Throw in Quantum, I think you got a solution.

Greg: Yes. I was waiting for someone to bring that up.

 

Quantum, the Next Big Thing?

Rachael: Do you think Quantum's going to be the thing that everyone's saying it's going to be? I hear a lot of mixed messages about that.

Greg: Yes. There's a way to go yet. If we can get there, it'll be mind-blowing. And I would say we are, we're quite a ways there. It's just a matter of can we get it to the point where it's accessible to all of us.

Rachael: That'll be an exciting day.

Greg: Hey, well exciting. And essentially throw out all of the existing cybersecurity that you have and start over.

Petko: I don't think you throw it out, it just evolves, right?

Greg: Yes, it'll evolve. It's not going to be a throwout.

Petko: Yes, I kind of saw cyber go from everything you managed in-house to now being managed in the cloud to eventually being managed by both if you will. Or giving off the keys to some expert somewhere. It's definitely involving, I think the operational technical, technical is still there and just operational side changes. But I thank you for everything you're doing to help with ransomware.

Greg: Yes. Absolutely.

Petko: It's a great book you're reading. I added it to my reading list already.

Greg: Good. I would recommend it.

Rachael: Yes. Well, thanks for joining us today, Greg. This has been a really fun conversation and what a wonderful career you've had. It's always so much fun speaking with serial entrepreneurs and just finding those gaps because that's what keeps innovation moving forward and it's wonderful.

Greg: Absolutely. yes. Well, thank you for having me today. This was fun.

 

About Our Guest

 

Greg Edwards is the founder and CTO of Canauri (Formally Cryptostopper), a ransomware protection service that automatically detects and stops active ransomware attacks. He has been a technology entrepreneur since 1998 and has founded many businesses. Including Axis Backup, a backup and disaster recovery company for the insurance industry, that he founded a few years before CryptoStopper. He is skilled in disaster recovery, Cloud computing, and Network security just to name a few.