Risky Business - Snake Oilers: Sublime Security, VulnCheck and Devicie
Episode Date: September 21, 2023In this edition of Snake Oilers you’ll hear product pitches from: Sublime Security: e-mail security for people who want to tune their detections VulnCheck: Provi...des vulnerability intelligence to governments, large enterprises and vendors Devicie: Manage your devices with Intune without pulling your hair out Show notes sublime.security VulnCheck - Outpace Adversaries Cloud-native device management platform | Devicie
Transcript
Discussion (0)
Hi everyone and welcome to another edition of the Snake Oilers podcast series. My name is Patrick Gray. For those of you who are unfamiliar in these Snake Oilers editions, we get sponsors to come along and pitch their stuff and that means everyone you hear in one of these editions of the show, Paid to Be Here. And we're going to hear from three vendors in this edition,
Sublime Security, VolnCheck, and Devicee.
Sublime Security makes an email security product
that lets you actually write your own rules.
VolnCheck provides vulnerability intelligence
to very large enterprises, governments, and security vendors.
And Devicee can run your devices with their product slash service that uses Microsoft Intune.
So they manage your devices via Intune, via a whole bunch of tools that they've built.
And they're being backed by Microsoft these days too.
So we'll be hearing a little bit about that later on.
But let's get into it now with our first snake oiler, Sublime Security. So they're an email security vendor that is a little bit different.
You know, the undisputed leader in email security by revenue is Proofpoint, which is a major sponsor
of this show. They are a gargantuan company that takes the raw sewage that is inbound email
and turns it into water that you can shower with. Now, it's not
water that you can drink, but you know, it's much, much better. And Proofpoint does a better job
than the other majors, which is probably why they're rolling around in a giant pile of money.
But the jumbo email security companies like Proofpoint are black boxes. You can't push
your own detection rules to them and troubleshooting false positives
can be a bit tricky. So, you know, if one of the majors is doing something you don't like,
then tough, basically. But that's what Sublime Security's product is for. And you can go and
play with it right now for free. You only pay for it if you want the more advanced enterprise
features. The core version is totally free. I've
linked through to their features page where you can see all of the stuff you can get for free.
Now, you can deploy Sublime as a cloud service or on-prem, and the idea is that organizations that
want to be able to actually tune their own email detections can do so. So this is a very modern
whiz-bang detection as code type of platform. And it's
absolutely something that's going to interest a bunch of the people listening to this podcast.
So here's Sublime's co-founder, Josh Kamju, with a pitch on Sublime security.
Yeah. So Sublime is an email security platform that's primarily used to prevent email-based
attacks like BEC, malware, ransomware, credential phishing.
The big thing that Sublime does differently to address those threats is that we do everything
with detection as code. So underlying all of our analysis and detection is basically this
transparent layer of detection as code that's used to describe the threats. Traditionally,
email security has been for the past like, you know, 20 years, basically, you plug in this black
box. And we've had varying levels of black boxes over the past 20 years. And we are kind of
changing that dynamic. And we do everything with detectionist code.
If I had to think of a way to describe like who this is for,
it's if you have a detection engineering team, like this is for you.
I would say that that's where it gets really interesting.
If you want to do, if you want to like tailor custom detection content for your team.
And I'm not saying, I'm not saying that group of people exclusively,
but for that group of people, it's a no brainer, I guess is where I was coming from.
Yes, exactly.
So like you've got companies that are doing detection engineering and threat hunting and like all of these other areas of their security stack.
And we provide the ability to do that same thing in the email space.
Yes, exactly right.
So what about for the people who aren't doing their own detection engineering?
Why would they choose something like Sublime over one of the major cloud email security companies?
Yeah, so a few reasons. So when you turn Sublime on, you get all of the detection content written
by our detection and ML teams out of the box. So you can basically just turn that on and it will cover the majority of
the attack surface that you are worried about. And so you basically turn that on and it's like
any other email security product. And then on top of that, what you get is the ability to
tune things if you want to, because everything is transparent. You also get the power of the community. A lot of our detection rules are open source on GitHub, and there are private
feeds that are also on GitHub and people that share detection content for emerging threats.
And so you can plug those into your email environment as well and kind of harness the
power of the security community, which, you know, we do that pretty like relatively well in other areas of security again, right? Like Suricata and whatever
and like Sigma. There's so many like snort signatures and Suricata signatures and Sigma
rules and all of these things that are being shared, you know, like Semgrap, we are basically giving folks the ability
to collaborate better and leverage the community in email. Where is that collaboration taking place?
Is there like a customer discord or Slack or something where people hang out and they say,
whoa, we've just noticed like this big campaign started, it's slipping through this particular
detection, you can tweak it this way? Or I mean, is that kind of how the collaboration's working out? We definitely do have a Slack community that's open.
So there is a lot of good discussion around detection content there.
There's also a few other places it goes down.
So all of the sharing can happen basically peer-to-peer,
and it can be operationalized very quickly, I should say.
So you don't have to like copy and paste a rule.
You can basically just paste a link to a GitHub repo
and it'll automatically slurp all that detection content up
and operationalize it for you.
That's pretty, that's cool.
Being able to drop a GitHub link into your console
and it just like imports the detection.
That's kind of cool.
It's pretty sick.
Can you do that in like a test detection mode to make sure it's not going to
break anything before you hit the go live button i'm guessing that's part of it right absolutely
yeah because ingesting random githubs and it's like oh no it's blocking everything from you know
hotmail whoops yeah so so by default actually when you, you know, like a new detection or whatever, it's passive by
default. And so even when we deploy, you know, like, if you're going to like run sublime, everything
starts out passive. And then you can decide when you're ready to start auto remediating things.
The other really cool thing that we do is we will take that detection and we will run it over historical data really, really fast.
So, we take the detection and we actually transpile it to SQL and we run it over historical
data. So, we can tell you, you know, sometimes instantly you've actually seen this attack,
you know, historically. And it's sitting in this using the CFO's mailbox. And you might and then
you can remediate post deliverydelivery. So if you basically
want that capability, then we will, we support like retention settings. So you could say,
I don't want that at all. Or I want one day of that. I want seven days of that. I want 30 days
of that. And, and then there's a tight, you know, model around storing that. So like you could put
that in your own cloud environment. And so there's like tight controls around all that, all that but it's it's totally it's like an optional thing if you want the ability
to do retro hunt yeah i mean i think already you know some people would be listening to this and i
think one of the issues with the big mail providers i mean they've got their advantages right which is
that everybody gets the same detection so they're motivated to make sure that they work well etc but
you know sometimes something good might not be getting through
and you can't change the detection rules
that they're using
or something bad might be getting through
and you can't change the thing, you know.
So just sometimes I know people have been frustrated
because they just want to make a change
to the detections that are being applied to their email.
And, you know, you can do that with Sublime, right?
So that's like one of the killer features there.
Yes. Now, this is available as a cloud service and as an on-prem service, right? We've got a
couple of deployment models. So our cloud like standard SAS, um, or you could deploy it to your
cloud. Um, and, and we actually also support Docker containers. So like you could literally
spin this up on a VPS or even on your laptop, run it on your personal mail. Can you run it on a Raspberry Pi? I'm just joking. Yes. Yes,
you can. You actually can. There was a Reddit thread asking about this and you can run it on
a Raspberry Pi. Oh man, that's funny. That was supposed to be a joke. Now, another question,
like, so I know a big pain point for a lot of people is stuff like phishing remediation you know you're handling that stuff in a different way to others yes okay
so we've got actually a really cool set of features for this so the first and probably coolest thing
is we can ingest user reports from basically any source that you get them as an organization so if
it's like Microsoft's like,
you know, report phishing button, or the Gmail report phishing button, or you got a third party
tool or an abuse mailbox, we'll slurp that up, we'll go and retrieve the original message with
all the headers intact. And then we can do a few really cool things with that. So the first thing
we can do is run what we call triage rules over those messages. So this is like the same sort of detection capabilities
that we've got running over live email flow.
You can run on user reports
and you can auto triage those with those.
So you could say,
if two or more users report the same campaign, for example,
and we do some grouping of campaigns.
So even if it goes to a bunch of different users separately,
we'll group those together. And you can say, if two or more users report the same campaign,
auto-remediate that and give my team time to review it.
And I'm guessing auto-remediation means reaching into those inboxes and just nuking those messages,
right?
Exactly. And you could do things like insert a warning banner. You got flexibility. The whole
theme is basically you've got control over your email environment and you
can decide what you want to happen.
What sort of verticals is this proving popular in?
Because I'm guessing it's got reasonably broad appeal across different verticals, but it's
going to be more like tech forward companies.
That's just my gut feeling.
Is that right?
We are actually seeing adoption across what you historically wouldn't consider tech forward.
So we see both.
So this is your polite way of saying,
no, you're completely wrong.
We do see, we definitely do see like tech forward companies,
like Spotify and whatnot.
Yeah, I was thinking like the Silicon Valley set would love this that's just what i was thinking right 100
but we've also got less silicon valley-esque companies like retail folks like in in those
verticals as well that are just looking for a way to steer the ship so everyone's got the
got that problem and um so yeah, we see adoption across basically both.
Yeah.
All right.
All right.
And any particular verticals that are just like super popular or?
Retail.
We see like financial sector.
We see like insurance companies.
And it's funny because everyone says financial because they spend big on security, right?
So that's everyone's big vertical.
They do.
And like they just make very large transactions too.
So like the risk of BEC and
invoice fraud and these types of things are just like super high on their list of concerns so I've
got to ask too like we've spoken a lot about threat detection but how are you handling the
BEC problem because I know that caused the major providers some headaches in the past we have taken
you know like tens of thousands of confirmed, you know, labeled attacks
across our user and customer base and trained machine learning models on that. And one of the
things that makes the detectionist code approach unique is that you can be very targeted in what
you're looking for. Out of the box, if you turn Sublime on, is a natural language understanding model that will
analyze the content of the message, and it will classify the intent. So it'll look at, you know,
what is this user trying to do? And does it resemble something that we've seen in this prior
labeled data set that resembles BEC? So that's like the first thing that we do. The second thing coming out of that,
you know, NLU model again is tone. So is there a sense of urgency? Is there, you know, some kind
of financial requests being made in the message? And then we can combine all of those signals
with context about the message. So... Well, that's when you look at the headers and go,
does this IP stick out for some reason? You know, like I'm guessing that... Yeah. I'm guessing if you get an indication that like something is, you know, financial and urgent, you know, it's urging some sort of transaction and it's a weird IP.
Like that's a pretty high signal, but the email providers like Google and Microsoft
have gotten relatively good at identifying like poor IP reputation.
And like, that's one of the things that...
So by the time you're seeing it, it's not...
By the time we see it, it's not as big of a signal.
So like, we'll see a lot of attacks coming from like free mail providers, Gmail accounts,
or a recently registered domain,
but it's being sent through a mass mailer like SendGrid or, you know, Constant Contact. And so
we'll leverage all of those signals and say, is this like normal behavior for your environment?
Is this like a recently registered domain? Have we ever seen this domain before? Things like that.
And if all of those criteria
come together, then we can pop off a detection or auto remediate it. So the really cool thing,
though, is that all of these like primitives are all accessible. So you can basically build on top
of this as much as you want. So you can tune it, you can add exceptions, you can piece the logic
together in other ways if you want to. So that's really like where a lot of the control comes into.
I'm guessing you can make the rules different depending on the user group as well, right?
So you can introduce more paranoid BAC rules for your finance team, which is, you know,
again, this is an advantage of not being a black box.
Yes, that is a super common use case, which is we're going to target this set of detection rules
to this highly targeted team or group. So one of the things we'll do is we'll sync with
your tenant and we'll pull in all of this context. So we'll say, here's all your user groups.
We'll pull in with Azure AD. These are all the VIPs and this is the finance group.
And so you can say, yeah, exactly like you said, if it's going to the finance team and it's got
a Word doc with macros. If it even smells like BBC.
Yeah, exactly. Whereas if it's going to some call center person.
Right. Yeah. Who's got the crown jewels, throw the kitchen sink at them because I want,
they are highly targeted. They've got sensitive data. And so a hundred percent.
Yeah. All right. Josh Kamju, thank you so much for joining me to talk us through Sublime. We've
signed you up as a sponsor for next year. So you'll be, you'll be back on the show throughout
2024. Great to get you out here for the first go
round and yeah, all the best with it. Can't wait. Thanks so much, Patrick.
That was Josh Kamju from Sublime Security there. Find them at sublime.security. Our next snake
oiler is Volncheck. As you'll hear, this is a pretty simple pitch. Volncheck is an intelligence
provider that can tell you what bugs are being exploited out there and which ones you need to prioritize.
Volncheck's customer base is split between very large enterprises, governments, and security vendors that use Volncheck's database or data feed to help customers prioritize.
So here's Volncheck's founder, Anthony Bettini, with the pitch. VolnCheck is an exploit intelligence company, and we help enterprises, government organizations,
and cybersecurity vendors solve the vulnerability prioritization challenge.
Organizations struggle with figuring out which vulnerability they need to patch and which
to patch quickly and which ones can they defer until they have more capacity, and we help
with that problem.
I mean, this is funny. I mean, I had a conversation quite recently with Scott Kufa from
Nucleus, just about how vulnerability management has kind of become interesting again. People are
caring about it again. And it really is that prioritization issue. It seems like on desktops,
you know, patching and whatnot is mostly a solved issue,
but it's all the other stuff. And there's so much of it and keeping on top of that and patching
everything just isn't feasible. So this, this prioritization stuff is kind of essential now,
isn't it? It definitely is. And, you know, as, as listeners of your show would know that,
you know, lots of threat actors exploit IoT vulnerabilities all the time. And, you know,
you can't install an EDR product on the IoT device, you know, patch management with, you know,
Windows desktop patching solutions doesn't really work either. You know, it definitely requires a
different solution. Yeah. Not to mention, yeah, web applications and, you know, your more obscure
enterprise apps and whatnot as well, right?
Exactly.
Yeah. So how do you go about cobbling together intelligence on what's being exploited and
turning that into something that's kind of actionable? And I'm guessing too, that you're
providing intelligence on stuff that's likely to be exploited and that's going to go a little bit
deeper than CVSS. So if you could walk us through like your process, that'd be interesting. Yeah, sure. Yeah. So one is we have this fully
autonomous system in software that's monitoring lots and lots of data sources. And that includes
national vulnerability databases, certs, government alerts, also includes exploit databases like PacketStorm, also includes places where
exploit POCs show up like GitHub or Giddy or GitLab or Bitbucket. We'll also monitor all the
CNAs, everything from Siemens to Mozilla, all the operating system vendors, and all the major
programming language package manager ecosystems like Maven or NPM. We'll also track what
applications or operating systems are end of life. So we're trying to take a multi-dimensional
approach to both vulnerability intelligence and exploit intelligence, like what's really
being exploited in the wild. And where are your best quality signals for that stuff? Where do
they come from, right? Because of all of those sources, I mean, okay, you can look at the Sysachev list, right? And
that's going to be one source for you. But I'm guessing a lot of this is going to be, I guess,
what you'd call in a media context, original reporting, right? And how do you go about that?
Yeah, yeah. So today, we actually offer two products to take to examine kind of each
dimension of this problem. So we have we have this exploit
and vulnerability intelligence product, which really focuses on the open source intelligence
of what's going on out there. And you know, you mentioned the SISA KevList, we're tracking
hundreds of vulnerabilities as exploited in the wild that aren't even on the KevList. And in terms
of the ones that are on the KevList, there's really no way to know why it's
there. I think people have a lot of assumptions of why it shows up in the SysA KevList, but there
isn't kind of an explicit reference or citation. Everything in our Exploded in the Wild list does
actually have a citation, a date, a URL, and can be independently verified. I would say within that product, this open source intelligence product,
we effectively become a reference or a citable source
in the sense that whether it's in the SysEq list or the UK equivalent
or other exploit POCs we see show up on GitHub or Giddy,
these all show up in our feed in effectively near real
time. And so it doesn't really matter whether it's in Kev or it's being reported in the wild by
some gray noise sensor. In any of these cases, it effectively shows up in our feed to customers.
And that's on the OSINT side. On the proprietary side, we have what we call an initial access intelligence product,
where we try to effectively front run Kev. So as we see new vulnerabilities get released that we
think are likely to be exploited in the wild, we actually write exploit POCs for them, collect
PCAPs of what exploitation looks like on the wire, write surrogate and snort rules, map this back to
census, show the inquiries and gray noise tags to see what the attack surface looks like.
And you wait for it to pop, right?
Exactly.
Yeah. Okay. That makes sense. So, you know, we've talked a little bit about, you know,
the information that you're collecting and how you're collecting it. Like, what do you then
use that information to provide customers with? Is it just a data source? Are you providing products,
integrations? Like, what's the next, you know, what's the delivery bit from Volunchek look like?
Yeah, that makes, yeah, totally get it. Yeah. So we're effectively providing data over an API to
our customers in their real time. Today, we sell to large enterprises, government organizations, and other cybersecurity vendors,
and we power a lot of the products out there, whether that's a tech surface management products,
application security products. We power government processes on notifications and alerting. We power
enterprise processes around AppSec, vulnerability management, and threat intel.
So it's really up to them how they want to use that data.
Exactly. I think in some sense or form, it does largely boil back to this vulnerability
prioritization problem, though, in the sense that even if you're a detection and response team,
which signatures, rules should we even be
writing to block, you know, or detect which vulnerability is. Or on the product side,
you know, helping customers remediate those vulnerabilities most likely to be exploited
in the wild or those that are already being exploited in the wild.
So I can imagine, like you mentioned attack surface measurement, I think that's an interesting one because, you know, in that case, you could ingest this information and, I don't
know, turn those alerts, alerts for hits on those particular vulnerabilities, turn them bright red,
make them flash, that sort of thing, right? I guess that's the idea. Yeah, exactly. I think
we're both kind of a consumer of information out there and also a producer.
And I think what's kind of interesting about us is we stitch all of these disparate sources together
and normalize it and aggregate it in a way that's easy for other people to consume.
And in the case of exploitation in the wild, that could be by stitching together all these disparate sources on sensors that other people are picking up.
But it also could be things like mapping vulnerabilities to MITRE attack or to MITRE attack patterns or mapping threat actors to CVEs.
We have lots of kind of interesting data sets that help responding to vulnerabilities be a little bit more digestible for people out
there. Now, we've spoken about how the primary use case here is for prioritizing the remediation of
vulnerabilities. What are the bugs that really are making people jump and move immediately?
Like, is it pretty much as soon as something is flagged in your data source as being a big deal, they go after it? Or are there particular types of bugs and particular types of
problems that your customer set is using this to fix? I would say that on the customer side of
things, they're mainly focused on the vulnerability problem at scale, meaning like dozens and dozens
of vulnerabilities come out and get published.
So it really is a matter of just saying, okay, we're going to work on this list of these
vulnerabilities that are present in our org and in the Volncheck data. So it's not like they're
taking a subset of those and working on them. We see every behavior you can imagine. So for
instance, we support some of the industrial control system security products out
there. And from their perspective, maybe they're only interested in OT vulnerabilities or the
exploitation of OT vulnerabilities. Whereas in other cases, we're dealing with AppSec products
that do software composition analysis, and all they really care about is Maven, NPM, PyPy, and
these kinds of vulnerabilities.
So we allow the data to be sliced and diced kind of any way they want to do it. But ultimately,
what we bring to the table is which of these vulnerabilities are either being exploited in
the wild, have exploit POCs, have some level of exploit maturity that is trending in some
direction that they should be caring about.
So how much of your business is end users actually buying this information themselves versus vendors sort of offering this to their customers? Because I can just see that
from an integration perspective, like there's a lot of different security tools out there where
they could make use of this data. So I'm just sort of curious what the business looks like, I guess. Yeah, yeah. I would say it's a healthy mix of cybersecurity vendors, government organizations,
and very large enterprises. I would say where we are a fit to me would be-
That's the second time you've said very large enterprise. And I get that because I'm guessing
at a sort of regular enterprise, Ma and Par Enterprise? Right. Just not extremely large.
There might not always be a team at a regular enterprise
to sort of handle this sort of information,
but they would be able to use it
through their vulnerability management tools
or through their code security tools or whatever, right?
So is that how it breaks down?
Like if you're a mega enterprise,
you can kind of use this stuff yourself.
If not, it might be a check the box option with some of your other tooling.
I think that's probably is an accurate way just to add a little bit more color though. What I
would say is that very large enterprises, they do behave different from all the other enterprises
in the sense that if you look at some of the largest banks in the world, and you compare them to,
say, a utility company, the utility company, you know, they want to log into a SaaS portal, they want to drive workflows from that portal, possibly they want it on premise, but it's a
traditional kind of SaaS experience, even if it's living on premise. Whereas in the case of these
very large organizations, you know, whether that's a government on premise. Whereas in the case of these very large organizations,
you know, whether that's a government entity or some of the largest banks in the world,
how they operate is really on data. They have custom reporting systems, custom orchestration
systems, you know, homegrown somewhat of everything. And they don't want another portal to log into.
They want better data to make better
decisions. And so I would say we're a fit with that. All right. Well, Anthony Bettini, thank you
so much for joining us to walk us through Volncheck. Very interesting stuff. Great. Thanks.
Thanks for having me. I appreciate it. That was Anthony Bettini from Volncheck there. Big thanks
to him for that. And you can find Volncheck at volncheck.com. Our next snake oiler is one we've heard from before a couple of years ago, Devicee.
Devicee is an Australian company that has built a product around Microsoft's Intune.
And as you're about to hear, Microsoft is now getting behind them.
Intune is an amazing bit of plumbing that can be used to manage all sorts of devices.
But let's be honest, out of the box,
it can be quite difficult to use. So Martin McGregor founded Devicee to make Intune actually
usable. And what's funny is there doesn't really seem to be a typical customer for Devicee. It's
all over the map, which is probably because everyone has to run and manage devices and it's always a pain no matter what size you are.
And work from home has complicated this even further.
So their customers are anyone from schools
to large enterprise, right?
Anyway, the idea with devicey is you just tell them
what apps you want on your devices and they make it happen.
And over the last couple of years,
they've done a bunch of engineering work
to make their own
tooling at the back end work much, much better. So now when a customer says, hey, can you roll out
this app to our users? The process is very, very simple. Eventually, they're going to make those
tools customer facing. But to be honest, it's not really something people are asking for at the
moment. They're quite happy just to say, can you add support for X, Y, Z? So yeah, customers like letting the
device-y gnomes do all of the work once they submit a app support request. Anyway, all this
engineering work means that device-y is ready to scale. So here is Martin McGregor talking all
about device-y and its new relationship with Microsoft. We operate really as a service. So
that makes us a little bit different in the market. We're not just tools that people consume to build their own solutions. You come to Devicey
when you really want to outsource that function or you want to work with specialists in that domain.
Right. So the guts of it is that Intune, unless you're a very large company, can be a little bit
difficult to use. I mean, that's essentially, if you had to very large company, can be a little bit difficult to use. I mean,
that's essentially, if you had to boil it down to like brass tacks, that's the thing you're
trying to fix, right? Yeah, we want a really comprehensive security model and a really great
operational model for end users. And that's actually much more difficult to achieve than
most people appreciate, especially before they attempt to do the project. But we still do have very large enterprise companies that use Devicey and they
still have end user compute teams. They just will play a different role. And instead of them building
and maintaining all the infrastructure, they'll just use Devicey for that.
Now, over the last couple of years, you took a Series A investment and you've been working on a few things.
You've worked on getting ready for scale, right?
So that you can bring on more and more customers.
And the second thing you've worked on is making the back end of your thing easier to use, right?
So when a customer says, hey, we want to roll out this app to all of our endpoints, that's a much easier process for you now. I believe also the plan is eventually to allow
customers to get access to a prettier version of that backend. Is that right? So it'll be sort of
self-service. Yeah. And largely it is already. So once the customer's onboarded, they've got a
portal they go to where they can request apps, decide where they want those deployed in the
organization and even request new apps. So rather than investing in building their own bespoke solutions, they're coming to devicey
so they can use essentially an off the shelf products that meets and exceeds their requirements
that they could typically achieve by themselves. All right. Now I was going to ask you about the
local admin thing, right? Because this is actually something that a lot of your customers have been using Devicey to do, which is, you know, once you've got Intune managed endpoints, you can start really tackling the local admin issue.
This is something that your customers are using you to do, right?
100%.
Yeah.
So there's some really important prerequisites before you can manage local admin effectively.
You have to be able to make sure that you can provision the system, make it completely
operational without an admin needing to do anything. So that has to be completely automated.
And that includes app management. So all of the applications that an employee needs,
need to be able to be configured, deployed without anyone being an administrator.
And once you're at that point, then we can tackle
things like local admin privileges. So when they're on board, we have a workflow that we
take them through where we bring them to maturity reasonably quickly. So they might not even
appreciate the sequence that we operate and why we do those things, but it's so that we can get
them to those outcomes really quickly without them really noticing. So one of the things is helping them, like we said before, onboard apps and manage
themselves through the portal. So no one needs to install them anymore. Once we've got those
prerequisites, we can execute on that. And there's some other things that we need to be able to
provide. So what happens is a customer will say,
hey, listen, we request local admin on this device. They'll actually work with our customer
success team who will provide that to them in a safe way. So for example, they want to risk accept
that this particular user is going to be a local admin. That is represented in our console. They can see at risk accepted user,
but they can also see all the unexpected admins that shouldn't be there. Click on those and start
working through resolving those and getting them compliant. Plus there's other things that we do.
So if they say, hey, listen, we need local admin for this purpose. We built a lot of capabilities
so that they don't
need a local admin. They can still achieve most things. So our support team will help them
achieve those. But then even if it comes down to it and admin absolutely needs to get access to a
system, we provide our customers the key vault that creates credentials for every system and
they can be retrieved by an administrator for any system.
It'll be a unique password.
It'll change after they've used it.
It's got all those nice security capabilities,
but we have to make it operational.
So there's a lot of things that we do so that the business can still run.
So you sort of baked in some automated PAM in there as well?
Yeah, well, we used to have our own version of LAPS,
Local Admin Password Service, but we've retired that now, in there as well yeah well we used to have our own version of laps um local admin password service
um but we've retired that now and we've we're making use of microsoft's one that sits on on
top of intune so we we essentially automate that for our customers now yeah that whole thing now
look speaking of microsoft uh you've done a deal with them tell us about that yeah we've just been
we've gone through this quite incredible experience of being
assessed for the Pegasus program, Microsoft Pegasus program, which I was quite surprised to find that
we've managed to get in. That's quite a thing for a small Australian startup. But I think the real
reason for that is we saw the problem that's on Microsoft's radar and something that they've
identified this year which is the challenge for small to medium businesses to get effective
outcomes on Intune for their organizations that are affordable so that's where we're really strong
Microsoft recognized that and this program is really about you know we're already co-sell
ready so you can buy mark you can buy devices through Microsoft, but really expanding our capacity to take on more of their customers and particularly in other regions around the world.
So the Pegasus program, I mean, I think you get like a bunch of Azure credits, right, which is one nice thing, but it's also sales support, isn't it?
It's sales support.
It's go-to-market support, but it's actually resources that they allocate
to us.
So we even get a solution architect allocated to us from Microsoft.
So we have an interface into Microsoft.
So it's a bit of a two-way thing.
We want to be able to give our customers a better experience on Intune than they can
achieve for themselves.
And this relationship allows Microsoft to support us better so that we can support our
customers better with Intune as well. So they're backing you because of the small to medium business use case but as you
said as well you're selling into enterprise so where is like is there a typical sort of size
of people who are buying in I'm guessing not though because like desktop management is something
everybody needs and I'm guessing you yeah as you said you're still going to get big customers coming
along when they can't be bothered doing all of the engineering that you need to do to make Intune
work properly. Yeah, exactly. And look, where we spoke last, we only really could afford to take
on enterprise customers. That's where we were at as a business. But as we've been able to increase
scalability and we've been able to change our pricing model, we can take on customers of any size.
And one of the particular focuses for us
has been schools for that reason.
Schools is an area that I wanted to help for a long time
because it's a gap.
It's really hard for them to find experienced IT people,
especially experienced in-tune professionals.
And it's quite expensive to get good outcomes there.
So we've been able to service schools
that can't pay as much as large enterprises. Yeah. Now, another big use case, I'm guessing, I mean,
you know, I mentioned local admin and whatever, but you know, the, look, just generally well
managed endpoints is great, but also just patching. Patching is just such a big thing. I mean,
I'm guessing you would have some enterprises coming to you just because you make that part of it easier, right? You know, patching is a 25-year endeavor for me now.
I've been fiddling with this thing, you know, and it's amazed me that it's as challenging as
ever for organizations and maybe even more challenging. You know, back to having a complete
ownership of this solution and working in a way that gets us outcomes. We've just designed
as device-y so that we can get much better patching outcomes than if we didn't manage the
device. If we were a tool that you would use to orchestrate patching, you couldn't get the
outcomes that we do because we're onboarding the devices and we're managing them from when they're
first built as well. So we have absolute visibility of every device. So the challenge for patch management and keeping
organizations up to date for me is that there's always a gap. And this is something I've experienced
over my whole career. The order is always asking, what about the devices that you don't have an
agent on? What's their status? And that could be 3% of your organization, but if you have thousands of
devices, it's a lot of devices out of compliance. We've been able to make headway in an absolute way
where we can get really 100% compliance for patching because of this holistic approach to
how we manage devices for our customers and
that's app that's application and operating system and security patches all right well
martin mcgregor uh from devicey thank you so much for joining us to give us an update on where you're
at with it all so yes if anyone listening would like their uh devices managed via intune uh you
can head over to devicee.com.
Cheers, Marty.
Thank you so much.
That was Marty McGregor there with his pitch for Devicee.
Big thanks to him for that.
And you can find Devicee at devicee.com, D-E-V-I-C-E.com.
And that is it for this edition of Snake Oilers.
I do hope you enjoyed it.
I'll be back next week with more risky biz news and analysis.
But until then, I've been patrick gray thanks for listening