LinkShadow redefining cybersecurity landscape through its ‘intelligent NDR solution’

Patrick Ramseyer, Vice President EMEA at LinkShadow, tells CNME Editor Mark Forker how their cyber mesh platform is helping businesses move away from a siloed approach to security – and how its intelligent NDR solution is empowering CISOs to make better decisions based on the criteria that is really important to them.

Patrick Ramseyer is an Irish-Swiss national who has enjoyed a stellar career in the cybersecurity industry.

He has spent most of his professional life in Switzerland, but he moved to the UAE in 2018, when he was appointed as the Managing Director of a well-known cybersecurity vendor.

In April of this year, he joined LinkShadow, where he has been tasked with the responsibility of driving their growth across the EMEA region.

In a candid discussion with CNME, Ramseyer was transparent on the issues facing CISOs in the current cybersecurity climate, and how the solutions within their product portfolio are equipping them with the tools they need to both better protect their assets and save money.

He kickstarted the conversation by highlighting the need for large enterprise to move away from a siloed approach to security.

“One of the major challenges that stakeholders and CISOs are encountered with is the fact that they have what would be described as a siloed approach. Essentially, that means they are building up their security operations centres around various teams for various products. For example, take a CISO with a team of 50 people working for him, he has a firewall team, end-point detection and response team, but they are all working in separate little silos, and ultimately what that leads to is a lot of ‘noise’. When we say noise in security operations what we’re talking about is false positives, which is basically security professionals investigating incidents of no importance, and that leads to ‘alert fatigue’,” said Ramseyer.

As Ramseyer pointed out, the lack of talent and skills on a global scale has fostered an environment in which staffing shortages is the norml.

“If you work in an air traffic control tower you work for 35-minutes and then you stop and take a 35-minute break because of the sheer pressure. However, security operations centres don’t work like that because they can’t afford to. They are on the go for 10, or 12 hours a day monitoring incidents and monitoring threats, and investigating other suspicious activity, so alert fatigue is a huge problem. If you speak to any CISO in today’s climate he’s going to tell you that the biggest problem, they face is staff and skill shortages.” said Ramseyer.

Ramseyer reinforced how the siloed approach to security had become archaic, and stressed the need for security systems to being working in correlation.

“If my end-point detection and response is reporting that I have a couple of suspicious files on my computer, what you need to be able to do is correlate that with the fact that my PC is also negotiating with a website on a blacklist – and my intrusion detection system is saying that from another IP range in Russia there is an attempt coming through. So, essentially what you’ve got is the intrusion prevention system team seeing one thing, the intrusion detection team seeing another picture, the firewall team seeing something different, and the same applies to the end-point detection and response team, but crucially nobody is correlating this, it is all siloed. It’s only when they get together once a week and they say we had this, and we had that – it’s only then that the penny finally drops with them,” said Ramseyer.

Gartner have proposed cybersecurity mesh architecture as a solution to the problem of siloed security.

Ramseyer outlined that it is essentially ‘a new approach’ businesses need to take, and he explained the benefits of LinkShadow’s cyber mesh platform.

“We call LinkShadow, a cyber mesh platform, because it’s a new approach that companies are supposed to take. It’s all about taking a new approach to your security posture, and that’s what LinkShadow is all about. What you’re looking at with this new approach is instead of having multiple silos and multiple teams, you consolidate all of that into one package. It is based on the premise of middleware, which effectively eliminates all the things you don’t need to see from all the other systems, and highlights and gives you the most important information that you need. What we do is very similar to that, we’re talking to your EDR, IDS, and firewall teams, and we’re correlating and aggregating all this information, and that’s where our AI and Machine Learning comes in, because you can’t do that manually, the only way to do it is by using adaptive AI. The other element is being able to correlate the automation of all the responses, and that’s all done using our AI engine,” said Ramseyer.

LinkShadow has customer-centricity embedded into its core values as a company, and that has allowed them to understand the nuanced challenges facing CISOs.

In addition to this problems CISOs face in terms of SOC efficiencies and skills shortages, another consistent challenge they face is dwell time.

“There’s no doubt that dwell time is a huge challenge for CISOs. How long is a threat inside my network before I actually find it? These are the types of metrics that CISOs are looking at. When you talk about insider threat you need to consider that it could be deliberate, or it could be accidental. You also have to monitor the lateral traffic, you have North and South traffic, which is in and out of your network, and then lateral is inside user to user, by monitoring that traffic you can also detect anomalies,” said Ramseyer.

However, according to Ramseyer the biggest question that underpins all of the above is how do businesses save money?

“A CISO will say to you that I need you to hand me a proposal that I can give to my CFO that demonstrates if we purchase this product then we’re going to save money. You can show the cost savings very, very quickly, and the primary reason for that is the fact we have one user interface. For example, if I take the siloed approach, then I’ll have 10 different types of interfaces, and 10 different panes of glass. Every vendor will tell you that they have a single pane of glass, but it’s 10 altogether, it’s not a single pane of glass. You have to take all those 10 interfaces and funnel them into one. By doing that you have one platform that shows you where your threats are, how to respond to the threats – and ideally it will tell you where you are wasting money. In addition to this, if you want to investigate further, or if you need a specialist for forensics then you can go into your firewall logs,” said Ramseyer.

Ramseyer also highlighted the issue of ‘vendor lock-in’ that many CISOs and IT directors face.

“A lot of CISOs and IT directors will talk to you about vendor lock-in – which essentially means they are over reliant on one particular vendor. CISOs don’t like that because it takes the decision out of their hands, and maybe one vendor has a better end-point detection and response than the other, but because they are locked in, they can’t use it. They want autonomy and choice. The big advantage we have is the fact that we integrate with any vendor, it’s doesn’t matter if your Microsoft, Sophos, or Kaspersky, we integrate with all of them via what is called bi-directional API. We’re not only receiving information from them, we’re also sending them activities in terms of response, so it’s a two-way communication between each of those systems, and we have already over 60 done with all the main vendors, and this is what cyber mesh is all about. It is a common integration between all these tools that have a single platform, so that everyone can see what is going on in each one from the one pane of glass,” said Ramseyer.

LinkShadow has drawn widespread acclaim for their intelligent NDR solution.

According to Ramseyer, CISOs at large entities want to know what their risk exposure is, and LinkShadow’s intelligent NDR can provide them with that.

“Traditional NDR by definition is network detection and response, which essentially monitors the traffic on the network and looks for anomalies and threats. However, what intelligent NDR does is not only monitors the traffic, but it also correlates it all with the other security tools. CISOs want to know what their risk exposure is? Large organisations are concerned about their risk exposure because it’s a measurable metric, so they can say every month that my risk exposure was 9 or 8, so they can see they are improving. It’s not really applicable here in the Middle East yet, but in Europe, if you get breached you have to account for everything that happened up until that breach. When you get investigated by the relevant bodies of data protection, they are going to ask to see everything you have in place, and if you can document and demonstrate that you have been making an effort to reduce your cyber exposure over a period of time then the fines will be a lot less. These businesses want to see their risk exposure and we can give them that through our intelligent NDR,” said Ramseyer

Another key component within LinkShadow’s intelligent NDR offering is their block count ratio.

“We have what we call a block count ratio, and what that essentially means is how many blocks did my security tool do? How many times did it block a blacklisted IP address, how many times did the end-point detection and response cut out malicious files. We can see by assessing each tool how effective they are. We can then give the CISO a lovely report where he sees these intrusion detection systems have only accounted for say .6% of their total blocks for a year, which is less than 1%, so does he really need that one, or do he really need a very expensive one? You could have a DLP system that cost you $10,000, and you can have a DLP system that can cost you $1million, but you might only need a $10,000 one if your DLP is not a major concern, but you need to be able to determine that, and again that’s where we come in. Ultimately, our intelligent NDR empowers CISOs to make the decisions based on the criteria that’s important to them, and the No.1 criteria that it is important to any CISO is money because security is a blackhole when it comes to money,” said Ramseyer.