Andrew Brandt
Speaker Appearances Over Time
Podcast Appearances
At a certain point, it just made better sense to end-of-life the product early.
I mean, yeah, that's an interesting thing to hypothesize about, but I have no idea about that.
Well, I don't work there anymore, so I don't have to defend them.
But I do think that Sophos did seem to have better security practices than Cyberoam did.
The threat actors are developing exploits and they're developing malware and they're coming up with new techniques for breaking into firewalls.
The implant is revealing all of that stuff to the security team.
So behind the scenes, the security team is rushing into production hot fixes and patches for the operating system that fix these vulnerabilities before the threat actor even knows.
And because they have this ability to send the hot fixes, you know, not necessarily to every machine, but maybe to every firewall, except the ones that the threat actors are using, they can fix the whole universe of firewalls except for the ones that the threat actor is using.
After you've tried to deploy your second or third or fourth attack and it just doesn't work, and you're scratching your head because it works in the lab, look, I can show you.
I demonstrated it to these guys in the higher-ups at the company or whoever is telling me to do this attack, that it works.
But in the wild, it suddenly doesn't work.
I think after two or three times of testing, shooting blanks, you're going to start to wonder, like, hey, is there something else going on?
And they started to look at, you know, well, what is this, you know, what's the firewall collecting about us?
And are we inadvertently revealing as bad guys to the good guys what we were about to do?
So yeah, so they start looking at telemetry.
They start looking at log collection.