This transcript is produced using transcription software and reviewed for quality. Despite our best efforts, some passages may be incomplete or contain errors due to audio quality or software limitations.
John Richards
Welcome to Cyber Sentries from CyberProof on TruStory FM. I’m your host, John Richards. Here, we explore the transformative potential of AI, cloud, and cybersecurity, where rapid innovation meets the need for continuous vigilance. This episode is brought to you by CyberProof, a leading managed security services provider. Learn more at CyberProof.com. On this episode, I’m joined by Chris Nyhuis, president and CEO at Vigilant. As AI becomes a bigger part of cybersecurity, one question just keeps coming up: how do you know when the data you’re trusting is actually trustworthy? Chris and I discuss forensic validation, detecting meaningful change, the growing risks of AI data poisoning and manipulation, and why the future of security is likely a balance between deterministic systems, AI-driven analysis, and human expertise. Let’s get into it. Today I am joined by Chris Nyhuis. Chris, thank you so much for coming on the podcast.
Chris Nyhuis
John, it is a pleasure, man. I’m really excited for today. It’s gonna be great.
John Richards
So you’re the president and CEO at Vigilant. I would love to hear about how you ended up there. What was your kind of path to ending up in security and running a whole security business?
Chris Nyhuis
Yeah, so it was interesting. I actually didn’t set out to go into the cyber world or even technology at all. I mean, back then I graduated from high school in ’95, went into college, went into paper science and engineering — nothing technical. Now, what was interesting is I think I was running from my inner tech guy, because I started programming when I was, I think, four or something like that, on Commodore 64s. And you’d get a magazine in the mail that would walk you through a whole—
John Richards
Oh, wow
Chris Nyhuis
—program that you would write, and you’d have to figure out why I had a semicolon off and it didn’t all work, and it was really frustrating. And going through the BBS days, and all the early — saw the tech industry grow, and built my first 386 when I was a kid. And for those of you that don’t know what that is, go look it up. It was a turbo button. It was really cool. Sped it up. But I was running, I think, from that. And I ended up working at this trucking company. I was routing trucks. And their main shipping computer went down. They were losing tons of money. And my GM heard that I knew how to fix computers, and the nearest IT guy was four hours away, so he’s like, “Run, Mike, why?” And he’s like, “I’m losing tons of money. Run, go fix it.” So I went down there, ended up — the RAM just needed to be reseated. But by the time I got back to my desk, I had a job in IT. I’d done tech support before that — I did dial-up internet support, and that was fun. But again, I just was running from it, and got into it. There is — when I first started seeing evil for the first time, you know, it’s before cyber started, it’s still IT operations primarily. We had just put our first firewall in, we had just converted from hubs to switches, and we saw traffic coming in at these sites. And the thing that really blew my mind was, when I really put it together, I’m like, people are trying to hack this network, or get in. And it wasn’t like — it’s just really early, but they’re trying to get in, and we were going, why would they want to get here? And then you realize we have compressed ammonia, and the systems people were trying to get into were our ammonia control systems, and you release ammonia and it just kills people. And that was when — because your lungs melt. And that was the first time I realized, crap, this isn’t just opening up a CD-ROM drive and making it annoying. This is — hey, this is going after it. So I moved from there, went to another organization in the automotive industry, worked my way up to being in charge of their cyber. And at that place I realized that this industry, although a great industry, drives less toward standard of care and more toward a shareholder value world. And so when you mix those together, you end up with a degradation, because you’re trying to create this margin for the shareholder, and not necessarily does this work. And that’s not every company, it’s not every organization like that, but it’s a big trend. And so I decided I wanted to jump into this side of the desk, the provider world, and just do it the right way. So we started Vigilant on three core factors. One, we were never going to be for sale. So we’re not for sale — we’ve been offered tons and tons of times, we’ve turned them down. Which meant we also took no private equity, because we wanted to be in control of the ability to execute what needed to happen. That’s led to us being able to have technology that really, really works well. We want to invest in our team. And then we also decided that we would take 25% of our profit and put that into orphan care around the world, and also anti-human trafficking efforts. So—
John Richards
Wow, I love hearing that. So you just started out and said, “Hey, we’ve got these core principles, we’re gonna build on those.” How long ago was that, and what has the landscape — how has it shifted since Vigilant really got started? What’s that journey look like?
Chris Nyhuis
Yeah, so that was in 2008, when we started. There’s two landscapes I’ll talk about, if you’re okay with that — one the buyer, like the consumer, and then the other one is the industry in general, and then the other one is the threat actor. Which one do you want me to start with first? Consumer? All right, cool. So the consumer is interesting. 2008, we were right in the middle of a crash, and that’s something I’ve noticed — over the life of Vigilant, we’ve been through three, and we’re in our third recession. And in recessions, you see this major contraction inside of a business, and so they tend to choose to purchase things that help them contract. So, like in 2008, people didn’t want to buy cybersecurity, even though we had tech that really was brand new to the market. And so what we ended up having to do was pivot to fund Vigilant, and we ran network cables during the day and at night, and we consolidated people’s networks, and we used that to fund Vigilant. And what’s interesting about the buyer, though, is back then people didn’t really want to buy cybersecurity — they didn’t think it was important. But then you had this small microcosm within organizations, like the OGs of the cyber world now, who knew it was important, but they were fighting their business. And so they became our primary clients. But what was interesting about that is they knew what needed to be done and they had the skill set to do it, but they didn’t have the funding to build a team. And so out of that really became that MSP, SOC-as-a-service type model — because they’re like, hey, can you bring the tech and the people? And we did that for a really long time. Now, what’s interesting over time, because recessions change things, is a lot of organizations are now starting to contract from that, and they’re saying, hey, we want our own teams inside these organizations. So you saw this proliferation of MSPs, and we said, let’s just focus on doing what we do best — let’s focus on building technology, let’s focus on empowering MSPs, let’s focus on creating this umbrella for MSPs, too, to be able to come in, or the consumer to build their own SOC teams, and just supply the right technology to solve the job.
John Richards
So how has AI coming in impacted that, as you see folks looking to contract? We’re hearing so much about, well, we’re gonna throw AI in to solve that — obviously opening up a can of worms as well, both on the power it brings, but also vulnerabilities, new attackers, attackers using it. So you mentioned the aspect of how you are handling it. What has that meant for Vigilant, and how do you take those core security principles and apply them in a world where AI is causing everything to accelerate so fast and opening up all kinds of new threat vectors?
Chris Nyhuis
Yeah, so I think what’s happened is you have this industry that I think has been diluted — and capabilities. If you talk to people when they don’t have their business, their company’s hat on, they’ll tell you that. It’s been an industry that’s been diluted. I think it’s been mostly diluted because of the way that cyber’s been marketed.
John Richards
Can you maybe explain what you mean by diluted in this sense?
Chris Nyhuis
Yeah, for sure. So money is what fuels the growth of anything. And if you look at the way the consumer buys things, they look at these marketing clearinghouses as the guiding light — what did this company say, what did that company say. And so then those companies create these top-10 lists, which are really driven by whoever paid the most. And not necessarily does it work. And it also drives things like what does society want a business to look like, and then they make those the criteria, too. And so then the decision maker goes to that and says, well, we’re gonna buy what’s on the top of that list. When, in reality, what’s on the top of that list may not actually work. And if you look at the statistics that are out there and put those two together, you go — wait, threats have increased magnificently, incidents have increased magnificently, they’re not slowing down. You see that the average time to detect a threat is now 287-plus days, and it used to be 90 days 10 years ago. Something’s wrong, but yet we keep buying the people at the top of these lists. And so I think the marketing of it is a problem. I think the other thing is — the marketing of it has driven fear, and it’s caused this scenario where people will buy something and not really decide based off the data that’s there, but they’ll decide basically on how it makes them feel. And so that becomes this buy-in whiplash. But the other thing, too, is that it enables the next best thing to come in when something you already had might have already been working. And so you keep going all over the place. And then the third thing that’s happened is the C-level has been targeted in this “I’m better than you” type thing. There’s a great scenario — we had a client that reached out and said, “Our CEO’s pissed.” Why are they pissed? I knew the CEO. I’m like, what’s going on? They said, well, they went to their C-level round table, and everyone pulled out these scorecards they were getting in an email. I’m not going to name names of companies, but the scorecard — they looked at it, they went through the scorecard, and he got an F. And everyone else had B’s and A’s, and he’s holding you guys responsible. I’m like, well, let me look at this scorecard you got. So we’re looking at it, we’re like, there’s no way possible they could even have known what’s there to give you an F. And so we went through it, and they were definitely not — they were not an F. In fact, they had better security than their peers. And what was interesting about it, though, is we called up this company that sent these emails out, and we got all the way through to their engineers, and we said, there’s no way you could know this. And the guy goes, “Yeah, but there’s not — this is just an email we send out to try to get business.” I’m like, oh my gosh.
John Richards
Wow
Chris Nyhuis
And the CEO’s on there. So it was really interesting — he went back to that meeting and gave them the report that we gave him, and he goes, “Look at this.” And then he felt — his ego felt bigger. So this industry has become this marketing powerhouse, and it isn’t necessarily driven by whether something works or not. And so that’s created an amazing place for threat actors to thrive, because although they’ve gotten way more advanced, they don’t have to do advanced attacks to get into organizations.
John Richards
I don’t like hearing that, but I know it’s true. So let’s talk a little bit then about how you are differentiating in that space, and why it’s worth looking outside of these lists. And I know from having been on the side of the service provider, being like, “Oh, we gotta pay how much to be on your list? Is that worth it? What does that mean?” So, yes, the industry has some challenges — but for these folks, like the CEO, what are the things right now that they’re—
Chris Nyhuis
Oh, it totally does.
John Richards
—they’re worried about in this AI space, and then how are you tackling that to bring — oh, no, we can come back and show our own report — what is it that you’re showing to say, hey, don’t worry, we’ve got you covered?
Chris Nyhuis
Yeah, it’s a little side story there — we actually helped write one of the first MDR reports that were out there years ago. We wrote it, and then about a month later, that organization came back and said, “Hey, do you want to be on the report?” We’re like, yeah, we wrote the report — why would we not want to be on it? And they said, well, it’s going to cost $250,000. We’re like, no.
John Richards
No
Chris Nyhuis
We are not doing that. So we ended up not being on the very first report that we actually helped write, which was crazy. I think CEOs are getting to the point, as I speak to them, where they’re starting to admit, in some cases, that they don’t have all the answers for this. And this is the thing that’s really weird for them, because it’s the one thing they haven’t built organizational intuition on — they were never analysts, they were never digging into threat actors, they weren’t digging into how an attacker attacks. And so, if you look at every other part of their business, you could bring them a spreadsheet and they’ll know what’s wrong — they won’t know why, but they’ll know what’s wrong. But with cyber, they don’t. And so there’s this weird battle inside of an organization where the CEO is trying to figure out: does my team just want something cool to play with, tools to play with, or is this something that’s legitimate? And the problem with that is they’re asking their team questions that their team doesn’t know how to communicate. So one of the things that we’ve done at Vigilant, for our clients or the groups that work with us who take us into their clients, is we’ve built persona dashboards, and all those persona dashboards actually tie together. So that way, if an analyst sees data, it translates that to the CEO — so that way they can literally sit in the same room, have the same conversation on the same things, and the application is doing the work for them to help communicate. And that’s the biggest part, because — a CEO needs to communicate up, and they need to lead down. And so just understanding that, in order to help a business thrive, you have to enable that. You have to enable that.
John Richards
Well, I know from having our short discussion before this, you talked about data mattering being a core concept, and we could see that here in how you’re educating people in their responses up. What does that look like, then, on the actual data side — how do you bring the information so they know what to focus on and what they need to tackle?
Chris Nyhuis
Yeah, and that’s it — John, I think that’s the crux of everything in cyber, is that people have to ask, where does data come from, and how is it protected? And I don’t mean protected in transit, like did someone see it or not — it’s how do you make sure that the data you saw, or received, is the data you’re actually interpreting? And that’s really important, because, back to the C-level again, the moment they distrust the data that’s put in front of them, they will not trust anything again that you bring to them — because they associate it to the person, and they associate it to the tech, so they’ll quickly move on, because the C-level has a very short thinking span — they make a decision, they move. And so you have to make sure that data integrity is there. So when companies are buying cyber, the very first question they should be asking is, how are you collecting data? Where does it come from? And when you look at that ingestion pipeline, as we call it — the first thing you have to do is establish ground truth. You have to know that the data you’re interacting with, that you’re capturing at the very first point, hasn’t been manipulated. And there are ways to do that. But I’ll tell you what’s happening mostly in this industry — and I’ll say it’s because it’s cheaper for the vendor — is they’ve stopped connecting on the wire. They’re pulling off of firewall logs, or they’re pulling off a switch. And when you look at the architecture of these devices, a switch has an ASIC chipset, a firewall has an ASIC chipset — they’re not running processors that can even do deep packet inspection. And then when you’re connecting a security technology to a span port or a mirror port, you’re losing 30% of your traffic off the bat, because you’re not getting one-to-one collection. The switch is passing 100% of the data, but you’re not collecting 100% of it. And then you’re also stuffing 46, 48, 96 ports down into one or two, and you’re losing packets there, too. So when you think about ingestion — if you’re collecting off a firewall or switch and losing 30% of your packets, then you’re passing it to a detection system that’s also running those lower-level processing systems, like ASICs — your pizza box — you’re losing more data there. And now you might have 40%, 50% of the conversation that the threat actor did. So what’s happening is a threat actor knows they can weave in and out of those degraded spaces, and they don’t even have to worry about being detected, because they’re just hiding in that gap. Then you turn that into AI, and you say, hey, go learn on 40% of the data — you’re exponentially going to get negative learning.
John Richards
So what’s the approach to get around that, then?
Chris Nyhuis
Yeah, I’ll say this — I study warfare all the time. It’s one of the first things I do in my job, as a CEO of a cybersecurity company. And there are time-tested ways to do things. Now, they might be a little bit more expensive, but a breach is way more expensive than it would be to do the little bit more expensive thing. So, first and foremost, I would never, ever trust data for a cybersecurity system that comes off a span port or a mirror port, ever. For us, if we’re implementing technology inside a client environment, we’re putting taps in place — external, internal, east-west. We’re tuning in — we could tell our clients how much packet loss they have at any time. You should really tune in and have teams focused on what that packet loss is, or diffing the logs that happened and the logs you captured, so you can tune that in as near to zero as possible. And that’s one of the very first things you should be focusing on — if you deploy anything cyber, before I even look at an event, that’s what I look at first, because if that data is not right, the event could be absolutely wrong. It could be a false positive, it could be a true positive that didn’t get detected — AI could learn incorrectly. The other thing, too — and we’ll get to this as we talk through AI a little more — is the way people process data with AI right now is very fad-based, and it’s producing tons and tons of hallucinations and false positives. That’s a negative. But again, the very first thing I’d be focusing on is taps. The second thing is I’d look at the systems I’m detecting on — whether I’m using a cloud provider, I would ask the cloud provider, hey, at what level are you responsible? That will tell you really quickly where your boundary with them exists and where it doesn’t. And what you’ll find is that most of the collection in cloud environments, or even in virtualized environments, happens mostly in a virtualized way down into the lower stack — you’re really up in the application and presentation tier, and you’re virtualizing down. So you end up with this data loss that no one’s talking about. But I would 100% put physical detection systems in. We have a physical sensor that we deploy inside client environments — we build it overstacked for the client infrastructure so it can buffer up, we have enough storage in there to store PCAP, full network flow, built on Intel stacks that can do deep packet inspection. Because, at the end of the day, the collection matters. And everything else downstream — it doesn’t matter how amazing your AI is, or your detection, or correlation, or how amazing your intel teams are. If your collection sucks, you’re done.
John Richards
If they’re trying to learn on that data, then you’re actually feeding bad data in, and your actual learning process is degrading and going downhill, just from the fact that you’re not giving it what it needs to understand the full scope.
Chris Nyhuis
Oh, big time. We even look at what threat actors have started doing — again, they don’t have to do major, crazy advanced attacks to get into most organizations, they just don’t. But the one thing we do see a lot is what we call the joystick effect, which is basically where they’re out spinning up thousands of different EDR providers, and they’ll send detection data, or different types of traffic, to train and manipulate the training — to negative-train it on the back end to miss what they’re doing. You see that inside client environments with logs, too — they’ll manipulate logs. This has been happening for years, but people are just now starting to talk about it — the fact that you can unhook an EDR platform on the device, carry out an attack, and hook the process back up, and most providers aren’t going to see that. So you can embed attacks that are there, and it just sees it as good traffic — again, you’re manipulating it. And what takes place through that joystick effect, or why we call it that, is because you can actually manipulate security teams based on the logs that you give them. Now, that has been happening for decades — every incident I’ve ever worked on, you’ve always had manipulated logs, and they manipulate them for that reason. The problem now is that humans are not going down that path and going, “I wonder if these logs are manipulated.”
John Richards
Oh
Chris Nyhuis
What they’re interacting with is the events, or the output from AI, and then they act on it. So we’ve missed the connection between — is this manipulated? — and we go right to acting on it.
John Richards
Yeah, it’s like missing that step — it’s assuming what it’s getting is correct, and then you’re building off this kind of house of cards that doesn’t really exist, but you think it does. You’re using all these tools, and as you mentioned earlier, it doesn’t matter how good they are if the underlying data has been manipulated or adjusted. You think you’re going down the track and everything’s okay, but in reality — to your joystick metaphor — you’ve been manipulated into believing that, when the real problem’s somewhere else.
Chris Nyhuis
Yeah, and you have no idea it even happened. And even worse, you have no forensic ability to know it did or not.
John Richards
So you say “forensic” here — talk me through what you mean by forensic in this case, and how it helps people address this issue of, oh, my logs were manipulated or adjusted and I didn’t even realize it.
Chris Nyhuis
One of the things around cyber — when you look at detection, anything happening on a device, if that device is controlled, could be manipulated. So you have to always assume it is. What can’t be manipulated — and I’ll say this, go learn about the OSI stack, the OSI layers, it’s really important. The TCP/IP model, too, if you don’t know it already. A lot of people are down on OSI and TCP, and I’m like, guys, it’s literally the core of a lot of this. But when you look at the higher you go in the stack, the easier it is for an attacker to hide — it’s harder up there. The lower you go, the harder it is for them to hide, because you have more information up here, less information down there — they’ve got to manipulate protocols and things like that down low. So where do threat actors operate most often? At the top. Now, the flip side of that — where is it less expensive for a cyber company to do cybersecurity? Up top. Where is it more expensive? Down below. So that’s where, like I said earlier, margin matters. When you’re dealing with that manipulation, you have to get into places that are harder for them to hide. So when you’re doing cyber just within a device, or logs — that’s a completely manipulatable environment, so you have to validate that environment hasn’t been manipulated. What you do is you detect around it, and you do that in a way that isn’t in-line — you have to protect the ability to collect. That’s why using passive taps and things like that are really important — if you have a span port and someone takes over your switch or your firewall, they’re going to manipulate your feeds. So you have to make sure that, from end to end, you have chain of custody, knowing that the bytes you collected are the same bytes on the other end. When you have that, you can compare what’s happening inside the device and outside — and if those don’t match, if the communications coming out of that system don’t match what you’re seeing on the inside — say, for instance, you’re seeing encrypted traffic somewhere, but on the inside it’s not showing you that encrypted traffic — well, now you know what the threat actor is doing. It’s like, oh, I need to look at this encrypted traffic, what’s causing it. And the reason you wouldn’t see it on the inside is because the actor would manipulate it to where you can’t see it with EDR. So that’s the big thing — you have to be able to see what’s happening around something, and inside of it, at the same time. That’s the big key.
John Richards
So where does using AI come into play as you’re doing this? Is it — we can’t use that because it’s going to be looking at logs that maybe aren’t correct, we need humans to look at this? Is there a layered approach? What do you see as the model you’re recommending, when you’re working with people, for how they use AI, versus having humans look through all of this — what’s that responsibility split look like?
Chris Nyhuis
There’s a bunch of companies that want to remove AI, or remove humans, out of it completely. I think that’s a bad idea. I think humans always have this innate, built-in — I believe created — intuition to be able to put things together in ways that I don’t think AI can. I may be a naysayer, but I don’t think AI can do that. Now, what AI can do is get way, way better at pattern matching than we are — that’s really what it is, it’s going to get faster and better the more processing we put at it, it’s going to be amazing at pattern matching. So what we do with AI is, we first take data as it comes in — well, first we make sure it’s forensically validated. The second thing is we want to make sure we’re able to really quickly do true correlation with that data. Once we do that, we take it through what we call a deterministic pass — we’re looking at things we’ve already established ground truth for, that are verifiable, that are hard evidence, back to that forensic validation, that diff. We pass those through, whether it’s that forensic validation, or IOCs, or YARA, or CVE validations — things we know to be true. Then we pass it through AI, and we look at, okay, what did that deterministic pass miss? Or, let me say this — what does AI assume it missed, or think it missed? Because AI will hallucinate. But what’s happening in that case is we’re limiting the focus of that AI, so we get less hallucination, less token usage, and we’re able to validate — we’re not validating what deterministic saw, because we already know that’s validated, we’re looking comparatively at what deterministic missed. And then we feed that back through deterministic to say, okay, take another pass, see if you missed this. It’s like, oh yeah, we did — great, okay, let’s feed it back into AI again. We keep doing that until we get to zero passes, and then we take it to a human for judgment and context. And that’s reduced detection time by literally 11 months. We’re able to reduce it very, very quickly, just by driving judgment and context. Now, I’ll say this — the tactics have been around for thousands of years, these things don’t change. Like I was saying before, looking at the outside and the inside — that’s how you tell someone’s lying, that’s the whole point of a lie detector test. So these concepts aren’t different, it’s just that humans forget, and then they start over at ground zero again. And I think the AI industry is doing that — it’s the next best thing, people are like, oh, forget all this other stuff, let’s focus on AI.
John Richards
Well, yeah, it’s easy — you see something new and shiny, and you get distracted, and you think, let me try this. Now, for our audience out there who’s listening — maybe we’ve got somebody who says, you know what, maybe I’m just running an EDR right now, and I should be thinking lower, going deeper. I want to learn more about what Vigilant does. What’s the best way they can learn about this, understand what Vigilant offers, and maybe get in contact with somebody to see about implementing it in their own environments?
Chris Nyhuis
Sure, absolutely. You can go to vigilantdefense.com. We post a lot on LinkedIn, Twitter — we didn’t do a lot of that over the years, we just focused on cyber, and we realized we probably should tell people more about this. On our website, there’s a research tab — we found all kinds of craziness in the open-source software world. Back in March, you could read one of the highlighted posts there, just around open-source software. And, really, I’ll say this — a lot of attackers are not going after open-source software maintainers, they’re getting access to their tokens and embedding malware into the code, into open source. And because a lot of these open-source platforms, or the software, aren’t pinned to a version, it auto-updates. So, literally, the last three or four months, remote access trojans have been getting deployed to hundreds of millions of systems, and people don’t even know it. You can go read that on our website, it’s pretty interesting. We did a deep analysis on GitHub — I like the projects on GitHub — and we wrote some software for free, it’s called Runner Guard. You can download that and point it at open-source software you use, and it’ll validate those systems continuously, and also tell you if they’re secure, if they’re set up securely or not. So go to our website, there’s a lot of information there. If you’re an MSP, or a provider, reach out to us — we’d love to enable you with the technology we have. There’s a lot of MSPs getting sued now, because they’re putting tech in and they’re the responsible party, and their clients are suing them for a breach. So we have guaranteed no breaches for our clients, which we can talk about. And I’ll just say this — you can do cyber well and methodically and keep yourself out of a world of hurt, or you can follow the new fad and be like everybody else, and have breaches all the time.
John Richards
Yeah, no, thank you. And if you want to check that out — either the report or Vigilant itself — we’ll have links to that in the show notes. Chris, thank you so much for coming on here, this has been so informative. Excited to hear about what you are doing, and looking forward to what comes next for you all. Thanks for coming on here as a guest.
Chris Nyhuis
John, thanks a lot. It was a great, great time, man. I really enjoyed it. It was awesome.
John Richards
This podcast is made possible by CyberProof, a leading co-managed security services provider, helping organizations manage cyber risk through advanced threat intelligence, exposure management, and cloud security. From proactive threat hunting to managed detection and response, CyberProof helps enterprises reduce risk, improve resilience, and stay ahead of emerging threats. Learn more at CyberProof.com. Thank you for tuning into Cyber Sentries. I’m your host, John Richards. This has been a production of TruStory FM. Audio engineering by Andy Nelson, music by Amit Sagie. You can find all the links in the show notes. We appreciate you downloading and listening to this show. Take a moment and leave a like and review — it helps us get the word out. We’ll be back next month right here on Cyber Sentries.