Okay. Well, good morning, everyone. This is Chris Scully. I'm an account executive with InterWorks. We are super excited about today. Thank you guys for joining. It looks like a great, great attendance, so we really appreciate that. We're looking forward to the conversation. Hopefully everyone gets a lot out of this, and again, we appreciate your time. So I'm gonna play facilitator today and do very little speaking, which is the way it should be, but I wanted to welcome everybody today. I'll do quick introductions of who we are and a little bit of what today's agenda looks like. So everyone should be seeing today's agenda slide up now. So, again, I'm Chris Scully. Today's speakers, as you can see below, these handsome gentlemen, are Eli Sprague from InterWorks, John Crowley from ArmorPoint, and Corey Ayers from ArmorPoint as well. So we'll do quick introductions there, and then I'll talk a little bit about who InterWorks is, and then I'm gonna hand it over to Eli. There'll be a conversation about the need for modern security, and then we'll jump into what ArmorPoint is. We're gonna see a demo today as well, and then we will have time at the end for Q and A. So you are welcome to be entering questions into the question box there. I'll be keeping track of those, making sure that any of them that we don't cover during the course of the conversation, we'll cover there at the end, but feel free to save your questions. We will have a spot towards the end for the guys to answer those. So, again, welcome today, and I'll give you a little bit of an introduction now. Corey, if you wanna go ahead and flip to the slide there about InterWorks. So a lot of you may be familiar with us, but InterWorks is Oklahoma based, but with a global presence, and we're an IT services and solution provider. We've got clients ranging from small local businesses through SLED customers all the way to enterprise level companies.
We provide the entire gamut of IT needs, from managed services all the way to data center hardware, IT architecture and engineering. Our headquarters is in Stillwater, Oklahoma, but we have offices on Cherry Street in Tulsa and in Bricktown in OKC. We were founded in 1996, so we're well into our third decade of serving our clients. And we partner with many of the best and leading solution providers, like our partner today, ArmorPoint, so we are pleased to bring this webinar to you today. So with that, you're welcome. Again, thank you for making the time. We look forward to the conversation, and I'm gonna be glad now to turn it over to my InterWorks teammate Eli, who's gonna get us going. So Eli, take it away.
Awesome. Thanks, Chris. And again, thanks everybody for being here. Really excited to talk about this topic with you guys because it has been a pretty growing topic over the past couple of years. But before we dig into something like ArmorPoint, I just want to cover why we're even discussing the need for modern security tooling. Right? Why is this a webinar that we feel is important to host? And what has come up is, a couple of years ago, InterWorks started looking more heavily into security and started asking ourselves questions like, can we really protect our business from attacks that use, you know, some of these examples on the right: malware, interactive intrusion, credential theft, zero day vulnerabilities, things like that. And what we found is, realistically, most companies just have AV, and for us, you know, we just had traditional AV at the time, and that works for malware. But for pretty much any other category that you look at, we were not able to really rely on something like just antivirus to protect us from that. And so what do we do? We started going through different products, different vendors, different operational approaches, and what we really ended up finding was a company like ArmorPoint.
I want to address, you know, why we felt there was a need to get into these kinds of things. So if we look at the data, we can see that the stats show a clear need, that all of these others besides malware are growing risks for businesses. I know some of you have already popped up in chat. If you guys have guesses on what any of these values are as we go over them, I'd love to see what you think. Just type them out in chat, because to me, some of them were quite surprising when we started looking into this stuff, especially if you've tracked it year over year over year. But first off, let's cover why malware is not really the biggest risk anymore, right, why AV does not cover you. And the reality is initial access was malware free in almost seventy percent of cases last year, which means that this isn't just attempts. This is actual initial access confirmed into a business. Seven out of ten times, malware was never used, which means it's only gonna help you in thirty percent of your initial breach cases. That statistic alone blew me out of the water when we started getting into this space, showing that it's just not enough anymore. We need something more comprehensive. And that's where we start getting into things like EDR. So if we look at interactive intrusion, those methods were up fifty percent last year. If you're not familiar with that term, interactive intrusion is somebody hands on keyboard working in your environment. Right? It's not just some application that's running on your computer doing, you know, preprogrammed things. It's not just some script that kicks off. This is another person engaging inside your environment trying to traverse around. And it's something that traditional AV has a hard time catching, because you can no longer just scan for a specific pattern of code or pattern of execution. You have to look more at patterns of actions as a whole.
And that's where we bring in products like EDR, which are gathering that from all different parts of your computer as well as the entire environment, and logging that into a SIEM so you can correlate that data. Additionally, with that, we've also seen this next fact on ransomware, which is pretty surprising to me, but ransomware attacks are typically sitting idle in an environment for around two months before they detonate. And if you just look at traditional antivirus, oftentimes, if something came in two months before it actually started impacting your users, would you be able to track that down? We felt that that could not comfortably be done; you'd have to rely on whatever historical logging was in place. If that's just the event logging on your computer, a lot of the time that will rotate through really quickly, especially if things fill up data wise. So, again, we're going to need something that's more comprehensive than just AV to address this, and it's where we get into things like a SIEM, you know, fronted with an EDR tool, where we have that data for a year. We've seen firsthand cases with Log4j where something got into an environment using Log4j, waited ninety days until, you know, all of the panic calmed down, and then detonated and ransomed an entire environment. Had that business had EDR and SIEM, we would have been able to catch those action patterns right away, or even during detonation rather than, you know, after the fact. The next thing that we found is access broker usage is rising rapidly. If you've not heard of access brokers, since this is kind of a niche term, these are platforms that are getting your credentials through various methods like third party data breaches. So you're not doing anything, but a vendor that you use does get breached, or phishing attempts or key loggers or anything. Right?
Any way they can harvest your credentials, and then they're selling them on the internet. Last I checked, I think it was typically around, like, three or four dollars to buy somebody's credential. There's no guarantee it works, but it's pretty cheap, especially if you could target, you know, a named entity in a business. And so what do you do around this, where you have a situation where somebody might be getting your credentials without ever touching your environment? How do you manage that? How do you protect from that? We landed on dark web monitoring, where we're hiring services, or in this case ArmorPoint, to help us go out and scan for your content on these kinds of platforms where people might be harvesting your credentials and selling them for further use. Furthermore, public vulnerabilities have risen twenty five percent in the last year. So there are around twenty two thousand a year coming out. This is one of those where once you start getting into tracking CVEs when they release, you almost just wanna stick your head in the sand and go back to a point where you didn't know, because there are so many coming out every single day. Right? And almost all of us on this call, I would imagine, use Microsoft pretty heavily, and they're responsible for a few thousand of those a year because they have such a large variety of services. The issue is, if you're not checking for those, if you're not scanning for that stuff, you don't even know that it's a risk that's out there. And we've seen this where there's a need to track this over time too. People deploy software. They think it's safe because it's the latest version. Great. Maybe it is. But we've seen firsthand instances where vendors have been vulnerable to something, patched it, and then nine months later rolled back to an older library due to a bug, and in doing so reintroduced the vulnerability back into the environment a year after it was released.
Without doing things like vulnerability scans, you have no clue that you've just taken this public web server and reopened, you know, like a PHP exploit or a SQL injection exploit to the entire world. So we're moving to a state where we can start proactively checking for these things before they can be taken advantage of. Another big topic has been phishing attempts, which we've seen double. This depends on kind of what security report you read; we've seen anywhere from an increase of sixty percent last year to five hundred percent last year. Regardless, they are taking off like crazy. If any of you have kept up with the AI hubbub that's come up with ChatGPT, there's already a phishing AI out there called WormGPT that is designed to engage with, like, targetedly engage with employees to try and get their credentials autonomously. So you're using something like ChatGPT to generate very realistic conversations and try and phish credentials out of your staff. This stuff is pretty hairy to get into. And ideally, your email security platform is catching this kind of thing, but what if it doesn't? Right? There's no such thing as true one hundred percent prevention in security. You have to plan for failure, and when things get in, what do you do? And this is where login monitoring, which would be a subset of your SIEM, would come in, where you may have an attack where somebody purchases your credential or an employee falls for a phishing attempt that doesn't really happen much on their computer. We've seen a lot of these try to push over to mobile devices where you don't have AV or EDR. And once they do that, you know, then they go and log in to something like Office 365 or Box or Slack or, you know, any of these platforms that aren't an endpoint that you could have AV on.
And so what you really need is the SIEM doing login monitoring there to correlate that login, that login context, that location, MFA context, things like that, and bubble up alerts around that. Because again, traditionally, you don't have a way to handle that outside of just what's going on on your domain controllers. With that, there's also a big issue that most of these attacks are not happening while you're in the office. Last year it was around seventy six percent, so three out of four attacks happened outside of normal business hours, outside of eight to five. So if you have attacks that are running at, you know, two AM, or, statistically, there's a large increase of these on holidays when everybody's off and with their family and doesn't wanna be bothered, what do you do? There really is a need for a twenty four seven SOC, and a lot of companies can't afford to staff a twenty four seven SOC. That's a huge commitment in terms of staff, and it's a huge roadblock to schedule for a lot of companies. Where do they work? How do they work? How do you track it? Do they have everything they need? No. It just doesn't make sense for a lot of small and medium businesses until you get to quite a large size, which is where we partner with somebody like ArmorPoint to help deliver a twenty four seven SOC to you guys, so you don't have to worry about this at two AM unless it's truly a confirmed incident that needs your hands on a keyboard. And lastly, there's been constant growth into the cloud over the past several years. And today, I mean, ninety nine percent of businesses are using a SaaS product. I'm curious about the one percent that doesn't. I feel like it has to just be, you know, some mom and pop shops that are just doing work here and there. But, you know, find somebody that doesn't use Office 365 or G Suite or some kind of chat tool or anything, right? SaaS products are everywhere. How do you protect against these?
Even if you're not running virtual compute workloads in Azure or AWS, you're still having other services through these, like, again, Slack or email, and you need to track that. And feeding that data into a SIEM is one of the best ways that you have to get ahead of that, to be proactive, understand what's happening, or track down what happened and remediate. So as we look at all these categories, there's quite a lot to tackle. Right? And there's far more than this that we could dig into, but for the sake of time, we're not. And when we started tackling this problem, what we found, surprisingly, was ArmorPoint, which we've partnered with for two years now and have absolutely loved, and they address quite a bit of this. So at this point, I'm gonna hand off to John so he can cover a bit about how we're tackling these kinds of things with them, what their product does, and whatnot. So John, all yours.
Awesome. Thanks, Eli. And hi, everyone. Thank you so much for taking time out of your busy mornings to come listen to us talk for the next fifty minutes here. I wanted to just kinda give you a sneak peek into the history of ArmorPoint before I dive too far into this. And I will try to give you the short and sweet version, but we were actually founded in 2007. And we got our start, believe it or not, as a cloud services provider, primarily building virtual environments for CPAs or various organizations. But what led us to security is that we, as an organization, needed to fortify our own internal security controls. And this is what really led us on this journey to build ArmorPoint, to fully staff a twenty four seven three sixty five security operation center and truly be able to protect ourselves.
And the reason why I feel that this story is so powerful is because when we work with various organizations and customers like yourselves, we understand what you guys are all going through, and so we're able to help deliver these types of solutions that not only helped ourselves, but can help you as well. So that's the short and sweet version of it. But at this point, you're probably asking yourself, well, really, what is ArmorPoint? And so I don't wanna be the guy up here that's gonna read the PowerPoint, but this first sentence here is so perfectly written that I'm gonna read it to you. ArmorPoint is a holistic cybersecurity platform developed primarily for businesses weary of the complexity of running a mature security program. And so what does a mature security program actually mean? Well, to me, it connects the trilogy of people, processes, and technology into a single workflow, and that is exactly what we are doing. ArmorPoint, first and foremost, is delivering the technology needed to detect threats in real time at every layer of your network, whether it's the network, the endpoints, the cloud, but also we're delivering the technology needed so that we can step in and provide containment and remediation in real time. And so on the bottom here, you can see some of the technology listed. These are some of the components that we are delivering to ensure we have that layer of visibility every step of the way. The next piece, though, is the people. Right? And this is a critical component. ArmorPoint delivers a twenty four seven three sixty five security operation center that will be monitoring your entire environment throughout the night and throughout the day. We are also one hundred percent US based. We do not outsource any of our security team members. So none of our customers will ever deal with anyone outside of our company or outside of the US. And lastly, we deliver the processes. Right?
And these are the best practices built around incident response. So we have a repeatable process that tells us exactly what to do in the event of an incident. Now, with that said, I'd like to kinda share about, you know, what a mature cybersecurity program actually looks like. And so, Corey, if you wanna go to the next slide, sometimes the easiest way for me to explain what a mature cybersecurity program looks like is to relate it to home security. And so there are really three main ways that you protect your home or business, and without all three, you're not truly protected. And those three key areas are protection, detection, and remediation or response. So thinking about your home here for a second: window locks, door locks. Sorry, Corey. Window locks, door locks, exterior lights, these are all things that we are doing today to prevent intruders from breaking in. But everyone knows these types of things can be bypassed. Right? I can kick in your front door. I can break a window. If I wanna get in, I can truly get in. So what are you doing today that will help us detect if somebody bypasses your prevention? Right? We have things like neighborhood watch, video cameras, motion sensors, smoke alarms. These are all things that we are doing today to help us detect if somebody breaks into our house. But detection is sort of pointless if we don't have some form of response or remediation. Right? And so we have things in our homes today, like automated notifications to the authorities, criminal investigation. Some people have weapons. Me, personally, I have dogs. These are all things that we are doing today to truly protect our home. Likewise, a business needs to implement a multi layered cybersecurity strategy that includes prevention, detection, and response. And so thinking about your business here for a moment, a lot of the organizations we work with today are in this protection phase. Right?
They have your firewalls in place, your antivirus, software patching, where you're doing the basics. But just like in the real world, these types of things can be bypassed. And so what does a business need to be doing to help us detect if somebody bypasses our prevention? This is truly where ArmorPoint and InterWorks come into play. We're delivering tool sets around SIEM, log management, anomaly detection, IDS, threat intelligence. These are all things that we are deploying to ensure that we know if somebody attempts to, or does, bypass our prevention. Yes, let me make one thing clear: ArmorPoint does include some prevention as well. However, again, this is geared towards the detection and remediation piece. And then lastly, just like in the real world, detection is sort of pointless if we don't have some form of response. And so ArmorPoint is delivering the twenty four seven three sixty five fully US based security operation center that has automated threat remediation, human threat remediation, forensics investigation, and a group and a team that is fully monitoring and willing to respond at any hour of the day. And in reality, this is all just part of the evolution of cybersecurity. We talk a lot about how cybersecurity is not a destination. It's a journey. And our goal is to help you along that journey. When we look at the evolution of cybersecurity, where we've been and where we're going, right, a long time ago, the basics used to work: password management, backups, you know, if you had a simple AV, that was enough. However, it's absolutely not anymore. Most organizations we talk to today are in this middle phase. I work with IT leaders on a daily basis, and the majority of them are somewhere in that defense in depth stage. They have an advanced endpoint agent. They're doing some form of IDS, IPS. But again, this isn't enough anymore. So how can we help them get to that containment and remediation?
And that's exactly where ArmorPoint comes into play. We're able to help customers get from that defense in depth stage to true detection, response, and containment and remediation. So the last thing here for me, before I kick it over to Corey, is I wanted to dive into just how ArmorPoint actually works and what we're actually deploying. I will keep this very high level for this call. However, at a later time, we can always dive deeper into this. So what you're looking at here is the topology of ArmorPoint. And what this is explaining is everything we are deploying as part of the service, how we are deploying it, how we're getting that visibility, and then ultimately where that data is all being stored. And so on the left hand side here, where it says customer network, this would be your network. Right? And you can see we have your firewalls, your switches, your servers, your workstations. In the center, these are the components that we are sending out as part of the service. And so this is what gives us that layer of visibility we need, as well as the tool sets we need from a remediation standpoint. And so when we built this solution, we thought to ourselves, what is absolutely critical to provide a true cybersecurity monitoring solution? Well, in order to provide true security monitoring, the very first piece that we have to have is network visibility. And this is where this first component comes into play. This is an intrusion detection system, but it's also connecting into a port in one of your switches so we can get visibility into the network. So, essentially, that's giving us visibility into who's coming in the front door? What are they trying to bring with them? Who's trying to go out? What are they also trying to bring with them? If they do happen to come in, where are they going? Right? So we can see north, south, east, west traffic. The second piece that we have to have for security monitoring is all of the event logs.
And so a couple of these components here ensure that we have all of the event logs from a networking standpoint. We have all the event logs from a server and workstation standpoint, as well as our API integrations capturing the data that we need for the cloud and SaaS applications. And then lastly, we have to have endpoint detection and response. An EDR product is used for quite a few reasons from our standpoint. One, this is also used for threat prevention, but two, this is really a tool set that is used by the security team to ensure that they have the ability to do forensics, threat hunting, and also be able to provide remediation. So in the event of an incident, this is how the SOC team is able to step in, contain, and remediate that incident. And then, lastly, on the back end here, underneath where it says ArmorPoint, those three components are really the back end of this. The dedicated cloud collector is a dedicated server that we stand up for each of our clients, where your event logs will be stored for a minimum of one year. All of this data is going into what I like to call the single source of truth, which is the SIEM solution itself. This is the security operation platform that the security team is using to detect threats in real time and be able to step in. And then lastly, we have the SOC, which I've mentioned quite a few times now, but, obviously, twenty four seven three sixty five and a hundred percent US based. So with that said, unless Corey wanted to chime in on anything on this slide, I'll hand it over to you so you can give everyone a sneak peek under the hood.
Perfect. And I appreciate it, John. So I'm gonna pull up the screen really quickly here, and we'll walk through ArmorPoint. As John just went through, ArmorPoint is a pretty comprehensive tool set and service. And so today, we're not gonna be able to go through quite everything.
But I definitely wanna give you a taste of what the platform can do and some of the workflows that are built inside of the system. I always like to start with kinda two things, though. The first is one of the key mantras of our foundation is visibility and transparency. And so with that, all of our clients have full access to their platform. There's nothing that we're going to hide from you and your team. It's your information. It's your log data. You should have the right and the ability to dig through that information whenever you need to and whenever you want, knowing, though, that the security experts in the SOC team and the InterWorks team are responsible for the alert investigations and the incident management portion of this system. If I wanna look through my analytics, my dashboards, my reports, documentation, it's all there for you, even down to what analyst is investigating what alert, which we'll walk through here shortly. The second thing I always like to talk about is ArmorPoint was really developed for SOC analysts, and that was really, you know, our objective was, yes, develop a front end that allows clients and users to be able to see their threats and see dashboards, but the workflows were really developed for an analyst to not just detect potential indicators of compromise, but officially investigate them, and have that at their fingertips and do so as quickly and efficiently as possible. A lot of other systems, you know, force an analyst to get an alert like a malware detection alert, but then pivot to another tool or two or three other tools just to try and find, you know, any of those indicators of compromise or the analysis around that. And while that doesn't seem, at face value, anything that's negative, when minutes matter, that adds up. Right? And so throughout the system, we've built things to trim those minutes down. And one of them, which is what I have up on the screen right now, is the alert queue.
And it's a very simple concept. Or actually, let me take a step back and go to our alert list. This is a view that most security analysts work from. It's a list of things that have fired off over a given period of time, and working in a team, a couple of challenges arise. I don't know who's working on what. So a lot of SOC teams have a third party system that they have to feed this information into. We see a lot of times people using Slack or Microsoft Teams to say, hey, I've got alert twenty one forty two. And, you know, someone doesn't see that message and comes back five minutes later and says, oh, I just closed that out. Right? And so we're starting to waste time on these investigations. So we obviously have this view. It's very much just for reporting and historical analysis. For active investigations, as I said, we work from this alert queue. And really, it's a simple concept. As alerts fire, they come into the bottom left active queue. Each analyst has their own my assigned queue. The objective here is to pick these up and assign them. We have SOC managers who can assign them out. Even our clients actually can pick up alerts, and why I say that is we have a team queue here in the middle, and the idea behind this is really twofold. One is efficiency with our SOC. We know what we're all working on. So there's really no reason for me to pick up this SentinelOne or CrowdStrike attempted credential theft alert, because I know others have already picked that up. And vice versa, if you pick up an alert, there's no reason for us to touch it, because you've pretty much raised your hand saying we've got this. You can always engage with us, though, on that. On the flip side, though, you may see an alert; we notify on certain things.
And rather than just emailing, you know, SOC at InterWorks or SOC at ArmorPoint, you can come into your platform and see the exact analyst who's investigating, click into that, and start to converse with that individual. One other item on this screen that I always like to call out is, well, yes, our primary focus is going to be cybersecurity and indicators of compromise, because of all of the aspects that both Eli and John spoke about, but we do have performance based alerts. So we're collecting things like CPU utilization on your servers and workstations, availability of network, change management, new users being added, privilege escalation, rights being taken away or added. Anything that kind of shifts that baseline. And all things fall into these indicators of compromise or alerts; we then investigate those with really three outcomes within that process. One is we close it out. We add our resolution notes. And outside of you logging into the platform, you don't really know that that alert happened. Right? What we were saying is, hey, benign activity. We looked at it. Saw nothing suspicious or indicating any, you know, attempted breach. So we'll close this out. The second is verification of activity. And that is where we will reach directly out to you and say, hey, not necessarily an incident or a security breach or anything along those lines. We're just seeing some interesting things that we wanna make sure were you and your team. Something like, hey, we're seeing a scheduled task being created every single time you start your computer that calls out to a suspicious, you know, IP or website. Just wanna verify that, you know, that's you and it's intended. The third option is we investigate. We do see something that is suspicious or is a true positive; we then convert that into an incident, and at that point, engage our incident management team and start to work through some of the steps that John had mentioned around containment and remediation.
I do like to call out on the left here as well: we separate alerts and incidents, because in our world, they are two very different things. A lot of our competition will just say these are events, and they actually escalate based off of priority or the severity level. So high automatically gets kicked up to critical. But what that does is it leaves low and medium sometimes lingering on the system. And they really just start to get that alert fatigue and focus in on those highs and criticals and escalate those. What we tend to see is about ninety percent of alerts are what we call false positives. Right? Things that happen on a day to day basis. You wanna keep track of them. You want to investigate, but, you know, nine out of ten times, they're okay. Right? Nothing suspicious. And so if we're constantly escalating these highs and criticals into, quote, unquote, escalated incidents, your incident management, your team, and the stress around that starts to escalate. And so for us, we always will have that human verification on every single alert, regardless if it's high and regardless if it's low. And with that, we have an incident queue. It looks the exact same, operates the exact same way, but we have a different team that manages this queue, with the idea that just because it's low does not mean it's not related to an incident or isn't an incident in and of itself. Also, on the flip side, just because it's critical does not mean it's an incident. Right? And so that human verification, you know, tools and technology are great. They help streamline things, but that human analyst with experience, that's really what we wanna bring to the table, right, and work with and guide your team to really understand, is this something we need to be concerned about? A couple of other items that I wanna touch on as well. One being dashboards. So within the platform, dashboards can be an extremely powerful portion.
From everything from just general event log collection, what's going on within my Office 365, what about my Windows event logs, one that we always touch on is the ArmorPoint events. So one thing we're very transparent about is our performance. Everything down to our response time: what's our average, what's our minimum, what's our maximum. Right? When I mention transparency, I really do mean it. We hold ourselves accountable, and we wanna make sure that you see us as an extension of your team, not just a vendor or a product. And so you would likely wanna measure your team's KPIs and performance. We also have the deeper network analytics, whether it's a FortiGate, a SonicWall, whatever firewall you might have in place; performance of your environment, performance of your desktop, including our back end that's dedicated to you. So again, going into that transparency: Windows performance logs, CPU utilization, anything along those lines. And then a wide variety of security dashboards as well, from your SharePoint activity, who's adding, changing files, your Linux activity, your network, dark web monitoring, really down to who's changing their passwords, creating processes, everything along those lines. Each one of these, what we call panels, can also be turned into a report. So while the dashboards are real time and allow us to go to specific time metrics or specific days, reports are very much, hey, I wanna see the last week's worth. And so we can start to combine a lot of this into a variety of different reports for you. We also have a vulnerability management queue. And what this allows us to do on one hand is see our historical vulnerabilities: first, when were they created? So when we ran that first scan. But the modification date also allows us to keep track of, did we patch this? A good example is the second vulnerability here, number two, scanned on February 3, 2022.
We ran another scan. Never saw it again. Effectively, we've patched this. It's no longer present in the environment on this particular device. However, on this number one here, the CentOS 7, we saw it on February 3, and we saw it again on 6/21/2023. Right? And so this one's still alive, it's still kicking. And if I was ever curious, I can click into that and start to get that detail around what is that vulnerability. I can assign this out. I can reopen it. I can add notes within the system as well, keeping track of who is responsible for this. One thing I did skip as well is on every alert, incident and vulnerability, there's an activity section. And that kinda goes back to the collaboration that we wanna engage with your team on. And so if I go back to a particular alert, and I'll pick on this unusual login alert, which is really just a user logging in at a time they don't normally log in at. And, again, not necessarily malicious, but in this case, something that we do wanna keep track of. If you're ever curious, you can always come in, go to activities, open up a line of communication and say, hey, Mike, since that's who investigated that, should I be concerned? Once we send that out, it's gonna go to Mike, but also our SOC managers, and a few of our escalated tier two analysts as well, to ensure you do get that response and we start to engage there, especially if you say, hey, this should not have happened. We shut this user off months ago, and the fact that we're seeing them log in is something we need to dive deeper into. We wanna dive a little bit deeper. We, again, expose raw logs here as well for you and your team to look through. So this is really diving into, probably, compliance, right, and reporting and being able to show and prove that you are collecting those logs.
On the flip side, I've spent a lot of my time in the analytics doing threat hunting, and really trying to understand where are those abnormal activities. Sometimes I know exactly what I'm looking for, time frame. Sometimes I just know it happened over the last twenty four hours. Right? And potentially, I know, hey, from nine AM to twelve is really what I wanna look at. I can click and drag and start to drill into this. Now most people don't speak in log. And so what we've done is we've offered a parsed out field version for you. That's interactive as well. Right? And so if I wanna start to come in and say, hey, I wanna know all actions that are open, I can put a star here, and I can say, hey, I wanna see what data sets they come from. What that enables me to do is really just parse those out in an easier to see view for myself, as well as come in and start to filter off of these. So now I just wanna see logs coming from the performance product within ArmorPoint, hit search, and that'll start to filter that down for me. So ease of use is also something that we strive for. SIEM and cyber security is going to be a complex situation and process no matter what, but the easier we can make it for any type of user to find that information, the better we're all off on that. Now when we get deployed, we have a variety of different monitors, what we call monitors, but alerts already preconfigured for your environment. We can always continue to create and tune these as well, tuning just meaning, hey, let's limit the noise around this. And so there's over fifteen pages of these pre built alerts that will be in your environment. We're responsible for the tuning of those. But, again, we wanna give you that ability as well. So you can click into any alerts, and ultimately add your own exceptions or detection rules, as well as see the historical record of how often that alert is firing within your environment.
Now I do wanna pick on this scheduled task for a little bit and talk through maybe a live example of what we would do within the system. And so what has essentially happened here is a scheduled task was firing on this particular device. And scheduled tasks happen all the time. We use them. Systems use them. Applications use them. And so in and of itself, it's not necessarily malicious. What we track though is, we've seen historically this can lead to malicious activity, or is the preemptive recon of malicious activity. And this is actually coming from our specific ArmorPoint log agent, because this is an activity that, to Eli's point, EDR is not really looking at, or an antivirus is certainly not looking at, because it's not malicious. Right? It's not even necessarily malicious behavior. This is what happens. But what we're going to start to say is this is unusual. Let's take a look at this, and we can start to dig into the host records, that exact process, as well as the username that's executing that. We're gonna even get the raw log around this as well. And as I actually dig through this, what this particular scheduled task is, is when this laptop gets restarted, that scheduled task then triggers an application or a process to reach out to a malicious IP and then download ransomware. So EDR at that point, ideally, is going to detect and prevent that ransomware, but our objective is, hey, if we can mitigate that risk before it even becomes a reality, that's our goal. Right? Earlier in that process because, again, to Eli's point, things sit for months now. Right? And so if this just continues to sit and sit, this bad actor can start to continue their recon. Right? And without this investigation, we would have never known that they even had access to the environment in the first place. And so now we can go in, and this is very much where that EDR comes into play.
We now can go through that remediation process, remove this, look at this device, and go on that threat hunting mission, right, that analysis of, okay, well, we know someone got in; how did they get in, where did they get in from? And to John's point around the cyber security journey, we can now start to go through a process to close our gap. Right? There's always going to be additional risks within our environment. The system does a lot of other things as well, from documentation to admin control, to our new agents as well. Not only are we pulling in logs. We're also gonna build out a CMDB within each device. Right? And so I'm looking at a SQL server here, and I can start to see those scheduled tasks. I can see what applications are installed, services running within this device, all the way down to patches, users that have access, my audit policies, firewalls. Again, from a reporting perspective, extremely helpful for our clients. But, again, for us, we're using almost all of this for investigations and detections. We see an audit policy get turned off. Right? Maybe you're an admin within your environment, but we're still gonna investigate and likely reach out and say, hey, this is unusual behavior. We just wanna verify, because if it isn't you, we need to start to move into an incident management process. Same thing with a new service, a new application, a new user being added, all things that we wanna make sure that we're repeatedly checking within your environment. And then finally, I'll touch on the EDR, which is Cybereason with, in this case, the full detection and prevention suite here within the system. So AI is gonna be our anti malware behavioral engine. It does come with a traditional anti virus as well. Signature based detection is still important. Right? And so to John's point earlier, those basic things that worked five, ten years ago, they're still critical. Right?
They're still extremely important to continue to be doing. But it's that layered approach on top. The PS is gonna be PowerShell inspection, and then data collection, DC, allows us to do deep packet inspection and some additional analysis here. But we've also added and utilized in here the anti ransomware module. So while ransomware is, in and of itself, malware, this behavior starts to replicate, and that's one of the largest concerns that most clients have. We see it consistently, and with ransomware in particular, that speed to reaction is pretty. And so we have automated playbooks that say, hey, we start to see any sort of encryption event going on within your environment. We're going to, a, always start with containment. Right? We see a lot of folks trying to start going through prevention, and containment's gonna be the most critical. So we always work to contain processes, applications, files, and even devices. Make sure this is no longer spreading within the environment. And then at that stage, we're gonna work alongside your team to go through the, what we call, eradication. Now let's start to remove that and make sure that that threat is no longer in the environment. Then we go through a, what we call, post incident handling exercise, which is that root cause analysis. Okay. We've recovered from this. It's no longer in the environment. How did it get in and what are those gaps that we can close? Again, there's a lot to ArmorPoint. I'm gonna wrap up here with the last few sections. Cannot stress enough the layered approach to cyber security. Right, being able to not just add those preventions at your network edge, at your devices, in your cloud environments, but monitor for those abnormal activities, those abnormal changes to your infrastructure, but then also have a plan in place where if those changes end up being malicious, you can respond and effectively remediate that. Alright. Eli.
Yeah. We'll pass it back to you guys. Yeah. Absolutely. Okay. Well, thank you, Corey. Appreciate that. Thank you, Eli and John. So, everyone, at this time we've got some time set aside here to answer any questions you guys might have. So please use the Q and A or the chat box, and we'll make sure to address those questions. You've got a great opportunity now to hear direct from the experts, and we've got several folks on the phone as well that have extensive experience. So great time to answer those. So be putting those in the chat box, and I'll share them with the team. I've also got a few questions here that were sent directly to me that can get us started while we're waiting for you to add yours. And then I also welcome our panelists, if there's any frequently asked questions that you guys have had as you've worked on this and that you'd like to share, feel free. So anything that we haven't covered. So with that, please take a few minutes, and we'll go from there. Yep. Go ahead. We can start with Ralph's question here around the server on our network. I think you're talking about the network sensor, which is just an appliance that you span a port off on your switches to aggregate all the network traffic and ship that up to ArmorPoint. Also responsible for things like vulnerability scanning and stuff if you use that. So it is an appliance. It's typically like a FortiGate firewall that's been customized. But it's not usually a standalone server; however, it can be. And in terms of is this local or cloud, are you meaning the actual server and appliance, or in terms of what the solution can handle? Yeah. I'm gonna make an assumption that Ralph's talking about, potentially, traditional SIEMs will put a physical server in your environment that you have to maintain and manage. For ArmorPoint, we will host that. Right? We maintain the resources.
Just for that server, we add additional resources, do the updates, we're responsible for that, as well as that network appliance that Eli just mentioned. It comes pre configured, pre built for your environment. And then we're the ones that manage that. We also add the patches and updates to that device as well. Then we got another question from Paula. I can answer that one. So as far as the remote workstations go, those two agents there in the center, so the log collection agent, as well as the EDR. Both of these agents are extremely beneficial to us in a time like right now where a lot of our employees are working remote. They're not always sitting behind a firewall or connecting back to a VPN. These two agents actually don't care where your workstations are sitting. They will create their own encrypted tunnels and forward the data back into the collector. Hope that answers your question. Awesome. Yes. Feel free to keep those coming. A couple others, guys, that you might answer, maybe, in a nutshell, what's the difference between AV and EDR again? Could you kinda cover that? Yeah. Absolutely. So your traditional antivirus is looking at things called signatures. And what a signature is, is it's essentially known malicious code, known being the keyword. And so your antivirus is essentially constantly scanning your environment for these signatures. However, the difference between an antivirus and EDR is, even though EDR has an antivirus component to it, so it can see those signatures, what it's really doing is it's looking at behavioral components and things that are acting with malicious intent. And so that's where we hear about zero days. Right? A zero day threat is a threat that has never been seen before. And so your traditional antivirus won't be able to capture that. However, the EDR will be able to pick up that this is something that is acting with malicious intent or acting suspicious.
And so that's the main difference between the two. Outstanding. Another one that I have is, have you seen ArmorPoint help with obtaining cyber insurance? Yeah. I can jump in there, or John and Corey, feel free to as well, but we definitely have, both with ourselves and with some of our clients. One, we've seen some insurers require EDR solutions beyond AV. So we've seen that shifting to a hard requirement just like MFA has in the past two years. And additionally, it tends to cut the conversation a lot shorter when you say you have a comprehensive solution like this behind it, which is not only EDR, but also the SOC. So I know it's definitely made our lives easier with procuring that and the rates, as well as for some of our clients. Good deal. Thanks. Still waiting on a few more, but here's another one. How do you determine what the SOC handles versus what is escalated to our teams? Yeah. I can jump in on that one. That's a great question. And sometimes, and this is always a fun way, it depends. Generally, we have our pre established rules in terms of things that we're going to handle. A good rule of thumb is any alert is the SOC's responsibility. We come in. We have no expectation that a client is going to be looking at those alerts, and so we're going to be investigating. Now there's certain times and within certain customer environments that clients may say, hey, if it's a server and you see malicious activity, verify with us first. Right? Because that's critical infrastructure, and we have core services running on that. In that case, we can modify the runbook and the playbook for that client to then go through that process of verification. So while we have kind of pre established rules, we do treat each client, each customer, as a unique environment, and so you do have the ability to work with the team to customize the processes and runbooks.
And I'll jump in here and say, this is one of the things that we've really enjoyed about our partnership with ArmorPoint, because we can have custom handling, custom procedures for each instance of ArmorPoint. It's something where we're able to engage with our clients in a way that best fits their needs. So we engage with some people that want to be completely hands off from security, just because they either don't have somebody staffed for it, they don't have the time for it, it's something they want to entirely outsource. And a solution like ArmorPoint helps get us almost all the way there, but at the end of the day, you still need somebody that's handling some of those questions, has the context of what's going on in your environment, what's intended, making the changes. So if there is a compromised login, we need to go log into the DC and do something about it and take more action. InterWorks can jump in and facilitate the rest of that event handling for you, or it's something that we can merge in with your IT teams to help deliver as well. Right? So you guys are able to handle it as you see fit, escalate to ArmorPoint or us to get more information or advisement on where to go. Awesome. And I know we're almost at the top of the hour. So here's a good one to end on, for any of our panelists who'd like to chime in. The question was, maybe a couple of points where ArmorPoint compares against other products in this space. Maybe a couple of key points there. I can kick that one off. So a lot of the vendors in this space today, probably where our biggest differentiator is, is actually in the remediation component. And so a lot of the vendors in this space are really geared towards detection and alerting. And so they'll basically let you know that there's an issue, and they can tell you exactly where that issue is.
However, they won't actually step in and help do anything about it. And so one of our biggest differentiators, like I said, is that we will actually step in and help contain and remediate those incidents as they occur. And I'll add on to it. That's a great point. Additionally, just on the screen here, each one of these middle icons, in a lot of cases, is a singular product with a lot of other vendors. A lot of the others in the space are really offering one, two, sometimes three of these, but rarely do we see an entire stack within here. And I forgot the vulnerability scanning as well. And so that's one where we see, including the remediation, the layered approach, right, and being able to cover multiple different scenarios within the environment. Eli, curious about your answer as well. But, oh, sorry. That was gonna be the last one? All good. But, yeah, I'll echo: ArmorPoint is what we use internally at InterWorks as well. Right? We're bringing this forward as the solution that, after going through and vetting quite a few different vendors, we found ArmorPoint to be the one that we trusted most. You can look at other products like Arctic Wolf. Right? Or SentinelOne or CrowdStrike. And I mean, they're comprehensive solutions, but for the entire stack that Corey's talking about, it's pretty hard to top: getting integrations into everything they have, plus the hands on remediation. The cost is incredibly competitive. It's something where we just had a hard time finding anything else that could top it. Outstanding. Well, thank you guys. And so with that, I wanna thank everybody again for joining today. Thanks, Corey, John, Eli. We really appreciate the partnership between InterWorks and ArmorPoint. Attendees, if you haven't noticed, we've added our web links to both InterWorks and ArmorPoint within the webinar chat.
So please grab that and feel free to reach out to us with any questions or direct solution assistance. We're glad to help. Again, thank you all for joining. We look forward to doing this again. So please be looking for future webinars and conversations. And with that, I hope everyone has a great rest of your day. Appreciate it. Thank you.