01 Securing the Under-Secured Marketplace
02 Challenges in the Under-Secured Market
03 Gaps in the Traditional XDR Approach
04 Cross-Functional Collaboration
05 Empowering IT to Do Security Work
06 Detection and Response: The Basics
07 About ISMG
Jim Simpson and Heidi Craun of Blumira on XDR for Smaller Enterprises
Simpson, CEO of Blumira, helps security startups be successful by centering products around the people who use them. He strives to eliminate gatekeeping in the information security industry, removing the barriers that prevent smaller teams from achieving successful security programs.
Craun has over 15 years of experience working in or leading customer experience teams. Prior to joining Blumira, she was head of customer experience at Clearcover. Before that, she was vice president of customer experience at FarmLogs.
Addressing the cybersecurity needs of under-secured markets presents a unique set of challenges. Jim Simpson and Heidi Craun of Blumira discuss why traditional XDR solutions fall short and how their approach helps firms strengthen their cybersecurity posture while enhancing customer experience.
In this video interview with Information Security Media Group, Simpson and Craun discuss:
TOM FIELD: Talk about this underserved, under-secured market that you’re serving today and its unique cybersecurity challenges.
JIM SIMPSON: A lot of my career has been based on figuring out how to bring cybersecurity solutions to a broader part of the market. A lot of security vendors focus on the enterprise market because the problems there are well understood. We’ve been doing that for a long time and going to the broader market – the SMBs, the lower end of the midmarket – is challenging because you have to purpose-build solutions in order to access them. That’s because they don’t have the same resources to bring to bear and might not have the same subject matter experts working in their organization.
We saw an opportunity because in the last 10 to 15 years, attackers are no longer just targeting large organizations. That’s because everyone is on the internet, and the organizational perimeter has gone worldwide, especially given everyone working from home due to the pandemic. A lot of organizations are now more of a target because almost any kind of information is currency. So, how do you solve problems for them? Well, it takes a very specific persona and a solution that is targeting that persona.
A lot of times, the organizations that we work with don’t have security people in-house. They have IT people in-house, but IT people can’t take advantage of the solutions in the marketplace because they are more challenging for them to set up on their own. It would take months if not years to get them up and running. The solutions also tend to be out of their budget because they’re a lot more expensive. The expectation when operationalizing the solution is that a number of security experts in-house will be setting it up, using it, tweaking it and tuning it, and the IT people only have themselves. They have a small budget, but they still have the same exact challenges that large organizations have.
HEIDI CRAUN: That’s where the customer experience department within Blumira comes in, to act as an extension of that team because it has so few resources. An IT person may not have the skillset to analyze logs or potentially suspicious behavior that’s happening in their environment. So we have a unique opportunity to help them level up where they are today.
FIELD: Lots of enterprises have gone toward XDR. Why is a traditional XDR approach insufficient for this specific market?
SIMPSON: A couple of aspects of traditional XDR are difficult to deploy in the broader market or at the lower end of the market. They’re closed systems, so the expectation is that you’re going to buy all of your security solutions from a single vendor, put them all together and then get an XDR solution, which is out of reach for a lot of the customers that we service. The other challenge is that a lot of what we call XDR right now is an augmented version of EDR solutions.
Everything is being backed into the endpoint detection and response side of the house. Our perspective is that the real value in the overall solution is the ability to synthesize information from your endpoints – the logs that are coming from all of the tools that you’re running through a SIEM-based approach to XDR. The big differentiator for us is that we look at the incidents and events, but we pull in a lot more information to provide a more comprehensive view of what’s going on.
The other thing that’s unique to Blumira is that because we’re ingesting all of our customers’ information into the cloud and into our own cloud, we have the benefit of building on top of a large corpus of data. For example, if we see a trend with a certain attack on a certain vendor, we have petabytes of information that we can use to build detections to find that particular threat and effectively test it so that when we deploy it to customers, we can do that a lot more quickly. And we have a lot more confidence that when this thing fires, they’re going to have something to pay attention to. That’s the big difference between us and a typical XDR vendor.
FIELD: How is Blumira unique in terms of the XDR solution you bring to market, and how you collaborate cross-functionally within the organization to ensure superior incident detection and customer experience?
CRAUN: Blumira’s incident detection engineers gather the data from which we build our threat analysis and detections. They look at all of that data for emerging threats and known threats.
Sometimes, we detect threats before we’ve released a detection. We can see it in someone’s network and reach out to them quickly to say, “Hey, we’re seeing something happening in your network. We’re about to release a detection for it, but we want you to know that you’ll want to respond to it right away.”
That is a unique relationship between the incident detection engineer and the customer experience team, and I highlight it because the customer experience department is the bridge for our customers between the IT team that they have, which could be quite small, and our detection engineers, who provide the security expertise that they don’t have in-house. It can be anything from helping our customers tailor our detections for their specific environment to helping them analyze what’s going on in their environment when they’re looking at logs.
If they receive a finding from us that something scary might be happening, we’re there to support them through it and gather the data that they need to handle it from an incident response perspective or, heaven forbid, a cybersecurity insurance perspective. We collaborate internally to support our customers on the other side of the equation.
SIMPSON: On the product side, we continuously work with our customers to determine what they have in their environment that they need us to take care of. While we have our idea of the mission and the vision of the company, we find success by solving the problems of our customers. Heidi’s team and our sales organization are on the front line, but we also have product people who meet with customers to determine the next set of problems that we need to prioritize to help them with their organizational needs going forward and to help them think about security.
One of the beneficial things about our customer experience organization is that in addition to partnering with them to get the best value out of our product, it also helps them when they need advice on other vendors that they might be considering to solve other problems. We view ourselves as a partner for the long run in terms of helping these companies get to the next level.
FIELD: How do you help your customers become more confident in managing their security?
SIMPSON: Our customers tend to work more on the IT side of the house. There has traditionally been a divide between IT and security. From a product perspective, when we show a customer something of concern, which we call a finding, we make no base assumption about what their knowledge is when it comes to the security issue at hand. We explain to them why they should be concerned about it.
We also provide them with a decision tree, or workbook, that asks them questions step by step to help solve the problem. For example, if a new Windows administrator is being created on the network, we explain why this could be a potential concern from a security perspective or it could be totally valid. The first question that they encounter in our product is: Did you set up a new Windows administrator? If the answer is yes, they can close it, put it in the audit log and move along. But if they say no, they will be walked through the process to solve the issue themselves. We want to empower IT people to do more security work by virtue of practicing it in real time.
CRAUN: From a CX perspective, we help customers understand what the findings are and work through the nuances when they’re not sure right out of the gate whether it’s actually a security risk to them. We do that very reactively, but we also help them proactively, even when they’re onboarding. We help them think about how they want to set up Blumira and how we should be gathering logs, advising them on general security posture and other elements that are so important to their success long-term, and helping them increase their confidence in their own security. Our goal is not just to be an extension of their team but to help them increase their own expertise over time.
FIELD: With an eye toward 2024, what are the threats and threat actors that your prospective customers need to watch now, and what questions do they need to ask about their own detection and response capabilities?
SIMPSON: We have a thesis that good security can happen within the first standard deviation of the mean when it comes to solutions. But a lot of times when security people build products, we build for two or three standard deviations out. At Blumira, we focus on: How do we help people solve the basics? If you don’t get that done, then you’re never going to do the more complicated things. And a lot of times, if you get the basics done, the complex things don’t materialize.
Prospective customers need to keep an eye on the basics, which include patching, vulnerability management and doing phishing awareness training. These problems are accelerated for a variety of reasons, including the reduced cost to attackers and financial incentives for them. Also, attackers now have access to large language models to write and orchestrate really convincing phishing campaigns even when they aren’t native English speakers.
When it comes to detection and response capabilities, organizations need to have awareness around where their logging gaps are. You can do that using a partner like us because our customer experience organization solution architects can provide you with an executive summary of everything we’re seeing. They can help identify where the gaps are. Or you can pay an auditor or a pen tester to validate that detection capability. We recommend doing both because you should build good relationships with a good partner but verify it on the other side.
CRAUN: Our CX team responds when you see something in your environment and want to know what it means. We want to help make you happy after something didn’t go well. We can explain what happened and why and try to recover those moments. But we’re also thinking at a macro level. We quantify all of the conversations that we have and get really granular to understand what customers at the highest level are seeking in our product and what underlying problems they have.
We’re not always tuned into the solutions that they’re asking for. We think of those, but we try to get to the heart of the underlying need that has led them to contact us. Sometimes that’s a product-based solution, and sometimes it’s not. But either way, we analyze that and feed it back into the product team and our engineering team to make sure that we’re looking at all of the possible ways that we can help up-level the security for our customers and the Blumira experience in general.
Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security and risk management. Each of our 36 media properties provides education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Our annual global summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.
902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io