Frustrated with the state of cybersecurity tooling available to most regular businesses compared to the large enterprise, Adam Gray launched cybersecurity startup Pillr, a cybersecurity platform company that brings all the great attributes of an enterprise SOC to the rest of the world’s businesses.
A Market In Need
Adam Gray has been in the cybersecurity business for a long time. As one of the founders of integrator/solutions provider Novacoast in the mid 1990s, he assumed the CTO role early to steer the technology choices the company made with both its internal systems design as well as the quality and legitimacy of vendor products being resold to its customers.
For the last 25 years it’s been his responsibility to evaluate and compare software solutions with efficacy in mind first, then security, and eventually value. He even led the design and development of multiple custom products along the way. Gray possesses a wide knowledge of the technology landscape, particularly in security, and continues to innovate where both necessity and opportunity arise.
His latest brainchild is the SaaS-oriented security service Pillr, which officially launched under a separate brand in September 2022. It’s a service meant to close the gap on prescriptive and effective security monitoring for organizations of all sizes.
What Gap?
There is no shortage of cybersecurity tooling on the market aimed at the buyer shopping with starry-eyed eagerness, whether their motivation stems from anxiety over endpoint visibility, or they’re licking their wounds in the wake of a real incident, trying to fix the problems that landed them in harm’s way. But despite a market flooded with EDR/XDR/MDR and SIEM solutions, none of them are as effective as they could be, due mainly to the diversity of customer in the market and how the solution is ultimately delivered. There’s a distinct lack of post-sales guidance from the tooling vendors.
The problem is that while security defenses so heavily rely on data analysis, there’s little initial support from vendors on what data should be collected and how it should be analyzed. The prescriptive element of security expertise is completely lacking with no established way to reconcile or achieve oversight when the tools aren’t effective. Perhaps that’s a gap to be filled by service organizations, but instead, why not just reset the game board?
Hit The Reset Button
That’s exactly what the Pillr team did when they adapted the Software-as-a-Service model for security operations. They started by creating a continuous agent-based monitoring service for the various types of endpoints and OS platforms, applied expert tactics-and-techniques security knowledge from their team of threat hunters to design better queries and searches, and finally they use a dedicated team of security analysts from a manned Security Operations Center to perform investigation and guidance on incidents. It’s a complete and extremely effective remix of the security tooling and services relationship.
Who Should Use Pillr?
While today it can be argued that every organization needs the same quality of security in place, the scope and implementation won’t look the same across all business sizes. Every environment needs endpoint protection. Every environment should have some type of continuous monitoring. But the scale and extent to which these are implemented and managed will be different for a small business than it will for the enterprise.
Different Scopes Of Need
These distinctions tend to align with employee headcount. The team behind developing Pillr recognized a dearth of solutions that provide efficient security operations services for organizations that fall into 2 main baskets:
- Up to 2500 employees, which can be considered on the smaller side, and
- The zone between 2500 and 20,000 seats
2500 employees is considered small? Most would consider this threshold pretty high for small business, but it is a practical stratum above which security spending and IT employees dedicated to security interests become adequate to manage internal roles and tooling.
Below 2500 also includes smaller MSP groups that manage multiple smaller customers with no IT or security staff.
Pillr saw an opportunity to provide primary security monitoring and SOC services via a SaaS-type service model for both strata of smaller and medium sized businesses who bring different but incomplete levels of security sovereignty to the table.
And the enterprise-scale organizations above 20,000 headcount? That is likely a mature organization with a large budget, dedicated internal SOC, and all the tooling needed to handle its own affairs. And yet Pillr has become a solution to augment those larger security strategies with more specific use cases. For example, one larger group in the finance industry utilizes Pillr solely for web browser threat feeds, that is to track vulnerabilities and issues with browser extensions—a very narrow-band use case but it fits for that customer. Pillr’s data and tooling around the issue is extremely effective.
Supporting Regulated Industries
Regulated security compliance isn’t just for mega corporations—depending on the nature of a business, it may be held to compliance standards regardless how small its headcount. Any business that stores financial, health-related, or sensitive data about its customers will fall under certain state or federally-mandated standards of minimum security.
These standards will specify exact security measures, and can include: endpoint protection software (anti-virus or anti-malware), network traffic encryption, monitoring of network traffic, and minimum data storage security such as file encryption.
Meeting the standards for the above can be a massive undertaking, especially for a smaller organization with a smaller IT budget. One of the goals of Pillr at the outset was to make compliance an easier pill to swallow by providing a solution to meet mandates with a single service.
A Clear Path Is Visible
With these goals in mind, the team set about building a solution that could appeal to the smallest business with minimal security budget but provide enterprise grade monitoring and endpoint protection, as well as one key ingredient that so many other products lacked: the services of a Security Operations Center, staffed by qualified and experienced human security analysts who would respond in the event of an incident.
The critical measure of success would be in the design of the technology behind the service and the quality of the user experience.
How To Build An Innovative Security Operations Solution
This was the not first rodeo for the Pillr development team. With a clear direction for what the Pillr experience should be, the focus steered to how exactly to build and implement it.
Development began in summer 2019 with a timely request from cloud service reseller and partner Pax8, who needed a security solution to fill a compulsory gap for its customers. Regardless how the service was executed, its success would boil down to a few key characteristics:
- Easily deployable and manageable for the customer—Pillr is a single agent install that runs on the endpoint. After that, all data and intelligence and rulesets are taken care of by Pillr. No additional tuning is required.
- Analysis is driven by data—the right data—and ingested in such a way that makes it easily searched and analyzed
- Operated by a team of security pros with specific roles: developers and automation specialists for the platform, threat hunters to determine what to look for in the data, and security analysts in the SOC to work cases when detections occur
With a cloud-based Software-as-a-Service (SaaS) delivery in mind, the moniker “SOC-as-a-Service” took hold. The idea that anyone could sign up, download a simple agent installer, and instantly have the coverage of an enterprise-grade Security Operations Center watching their assets was revolutionary.
And the magic behind the scenes to provide that sophisticated detection and alerting capability relies on something of a dream team comprised of a few key players:
An Expert Team
With his pick of skilled resources from the engineering and development teams at Novacoast, Gray identified roles that would comprise a well-rounded team. To build Pillr and deploy it as quickly as possible, each role would need to hit the ground running and maintain a firm grasp on the vision. He would need:
An architect to design the infrastructure, locate the right data and extract necessary insights for effective security analysis.
- An infrastructure designer to construct a system capable of handling the massive volume of data necessary for meaningful analysis, in such a way that makes the data accessible for searching and mining, as well as conduct the care and feeding of a complexly orchestrated cloud architecture.
- Developers to connect the various clients (endpoint agent and customer portal) to the backend and create a functional application user experience.
- Threat hunters and intelligence experts with comprehensive knowledge of the security landscape who can steer the hunt for malicious activity and bad actors.
- Security analysts who investigate cases that originate from automated detections by the Pillr platform and determine the level of risk and legitimacy levied by any single threat. This role also leads any response efforts in the form of guidance to customers or delegation to an Incident Response team.
- A hybrid threat hunter/developer role who converts threat intelligence into the content and rules required by the platform to discover malicious data, files, and network activity in the incessant stream of ingested data from endpoints.
While this list may seem like the fantasy ensemble cast of a science fiction film, this is the reality of deploying ambitiously scoped technology. It requires an optimally-sized team with agility and focus, unencumbered by traditional product legacy, with the depth of experience and understanding that only results from decades of battling in the security space. The Pillr team is both small and large enough.
Philosophy For Making It Work
With the dream team in place, the process of refinement to achieve the most effective and streamlined operational methodology began. It was based on a few key actions:
- Grab as much usable and strategic data as possible using integrations with other technologies from anywhere and everywhere in business
- Cast as wide a data collection net as possible, across customer organizations and any other functional silos. The wider the scope, the more insight and correlation is possible.
- Collect that data as close to the source as possible to ensure its complete and unmolested
- Constant human involvement achieves what automation cannot
It’s A Real SOC
There is an inaccurate notion that automated security monitoring, especially that which touts the power of artificial intelligence, is purely autonomous. There are some severe limits to the technology, and while machine learning is powerful and efficient at dealing with masses of data, there’s no way around the fact that it must constantly be steered by human attendance.
AI in security monitoring is the same—it’s a tool to alleviate the mundane enormity of data processing tasks and to identify outliers and anomalies—but anything strategic still requires the guiding hand of a learned analyst.
So in contrast to the idea of a completely automated SaaS behemoth, Pillr actually operates a real SOC, staffed by humans who investigate incidents and continually tune the tools to react to the incessant flux of the security landscape.
What Does It Do Better?
Real World Cases
A good real world use case for Pillr is the example of Log4Shell, the widespread Apache Java logging vulnerability that disrupted security staff Christmas celebrations at the end of 2021. It was a challenging vulnerability to deal with for a few reasons:
One, Log4j is included as a dependency in nearly every enterprise-grade software solution that uses Java, and two, it is very difficult to locate and determine its vulnerability status when its packaged deep within a compiled and deployed instance. This problem of determining where Log4j existed and whether it represented risk for organizations was a rude awakening of sorts. The visibility into software inventory at a package level was sorely lacking and untouchable by the majority of tools.
Pillr notified customers exactly where their vulnerable Log4j instances were within a day of the story breaking. They made it possible for affected groups to seek out the necessary vendor updates to patch, or at least get the process underway. The system is designed for maximum visibility and searching across multiple data types, and the Log4Shell event was a great test of its effectiveness.
Chrome Extensions
One the most prevalent yet understated new cyber threats is that of malicious Chrome browser extensions. The extent to which Chrome extensions gain an inappropriate level of system access to workstation endpoints is fairly opaque to users who are often installing hastily from the Chrome Web Store to solve some immediate need, and aren’t necessarily scrutinizing the security of the add-ons.
An inordinate number of extensions tracked by Pillr suffer from this issue of excessive access rights. Access to complete browsing history, local network activity, web requests and form submissions, audio capture, desktop (screen) capture, and file system access are just a few examples. Extensions identified as malicious were able to shim additional content into pages (beyond their stated scope) or siphon user data to remote APIs. Intent for exfiltrating user data to unspecified remote systems is often murky but investigation of several extensions made it clear they were beyond a legitimate and acceptable usage.
Pillr will identify both malicious and excessive access extensions on endpoints to further reduce the attack surface from this type of malware.
Final Thoughts
Today’s IT teams and service providers benefit from the ability to select from a range of endpoint protection and intelligent detection tools—some of which are developed by large software corporations that have maintained a grip on the industry since its inception. Pillr is unique. The platform was designed and engineered by a team with decades of hands-on experience in IT security, driven by a vision for what’s best for modern MSPs, MSSPs, and the customers they support.
Gray’s 27+ years of experience in cybersecurity led him to build Pillr—a security operations solution that complements SOC service. The Pillr team scaled this software-focused solution to a service that’s accessible to businesses of all sizes and delivered it in an approach that’s as just as thoughtfully crafted and managed. It’s an adaptive model of development, services fulfillment, and marketing that’s proving the key to Pillr’s growth and success into 2023.”