[00:00:00] Mart: It turns out that 88% of the defenses fail and the vulnerability exploits just went through the defenses.
[00:00:11] Mart: But I do feel there is a little bit of a change, at least in the WordPress space. I think security has become something that people don't really wanna talk about.
[00:00:22] Lana: If you wanna set up security in a way that will truly protect your users from being hacked, you have to think of it in layers.
[00:00:35] Lana: If you update a plugin and the update hasn't been tested previously, you risk your entire site going down. So in that case, it makes sense to use Patchstack protection, which gives you safety and security.
[00:00:49] Mark: We have spent a lot of work, developing it, and we wanted to make it as user friendly as possible.
[00:00:54] Mark: Trust me, on this one
[00:01:00] Mark: For some reason. We see spikes in people trying to attack very old known malware files.
[00:01:11] Ben: There are different points that, basically back up the thesis that security can turn cost into profit. It's a good investment.
[00:01:26] Ben: Also, other, aspects on why you should consider adding security or upselling security. First of all, it brings added value to the customers.
[00:01:42] Mart: We are joined here today by Lana, the product marketing manager from Patchstack. We have Ben, partnerships manager from BitNinja. And then we have Mark, who's the CPO at BitNinja. And I'm Mart, I'm the Head of Marketing at Patchstack. And so today's webinar, I think we have two, two basically very, big themes.
[00:02:03] Mart: So one, we'll talk about why it's important to look at security as a layered concept. So traditionally hosting companies have wanted to consolidate the security stacks by offering these sort of one-size-fits-all solutions to cover the full range of threats to the users. But that one-size-fits-all approach is not really great and it doesn't really work.
So
[00:02:26] Mart: as an example. To lead this in is last week we actually published a case study where we tested sort of these traditional server and network layer defenses against WordPress vulnerabilities to see if they can handle that sort of very specific attack vector. And it turns out that 88% of the defenses failed and the vulnerability exploits just went through the defenses.
[00:02:48] Mart: So that was quite a, like a, I would say, not a surprising finding, but a very shocking, finding nonetheless, 'cause that's that's a high percentage. Second topic today is monetizing security. So obviously, hosting companies, they run a business and as such, perfectly normal, expected that they wanna think about not just offering, good security to their clients, but also, they wanna make it make sense from a business perspective.
[00:03:17] Mart: And good news there because, we have case studies about security that doesn't have to be just some pro bono thing you do for your users. You can actually monetize that and make it sort of part of your core business offering. So that's I think the second sort of really big theme.
[00:03:33] Mart: But yeah. Shall we just jump right in? I believe Lana, you're the first to go and, you wanna talk to us about cheese or Swiss cheese or layer security. But I'll let you, I'll let you take away, from this very awkward setup.
[00:03:53] Lana: It's fine. It's all good. I always love talking about cheese and cheesecake, so we're fine.
[00:03:59] Lana: But essentially to add on to what you just said. The problem with security and why it's currently on top of mind for users, for hosts is that traditionally we've thought of it as a one-and-done, but if you wanna do it correctly, if you wanna set up security in a way that will truly protect your users from being hacked, you have to think of it in layers.
[00:04:22] Lana: And the most common model is the Swiss cheese model. So that's the one used by experts. Personally, I prefer to think of it as a cheesecake or a layer cake, just 'cause I'm not in the trenches of figuring out the vulnerable code. But the way it works is there are four key layers to protecting a website.
[00:04:48] Lana: The first is obviously the physical layer, which is server protection. And unless you're hosting your servers yourself, there's not much you can do. But there are three layers where you as a host or as a user can actually take some action. So the first one is the network layer. This is usually the firewalls you have installed.
[00:05:09] Lana: This is the layer where you're gonna mitigate spam bots and that sort of thing. The second layer is the server layer, which our colleagues at BitNinja will discuss more in a second. And then the third layer is the application layer. All of these three layers have unique threat surfaces, unique threats that they can see, and things that they cannot see so well.
[00:05:34] Lana: So for example, network layer, if you had, firewall like CloudFlare, it's great for mitigating spam traffic, but it's not that great at seeing and understanding vulnerabilities. Server layer is perfect for mitigating DDoS, but again, maybe not quite as good at vulnerabilities. And finally, application layer, which is where you would mitigate vulnerabilities, but you would not tamper with file integrity or with other things.
[00:06:03] Lana: So it's essentially each of these layers, they have unique context and that context, that visibility into different aspects of security is what gives them the ability to mitigate specific threats. And that's what we're starting with today. That's why we're talking here with BitNinja, since from us, from Patchstack, we're handling application security and they're very well versed in server security. So with that in mind, I would let the BitNinja folks take it forward from here, but if there are any questions, just let me know.
[00:06:41] Ben: All right. Thank you Lana. And, first of all, welcome to the audience and second of all, thank you for organizing this and having us here today. I'm gonna start with giving a little bit of background info on what we are doing, where we're coming from, because I usually find it very useful, when it comes to server security, especially for hosts.
[00:07:12] Ben: So BitNinja was born in 2014. The short origin story is that we used to have a hosting company and we were well, struggling with like security issues, botnet attacks, malware, SQL injections, the usual stuff really. And then, we, how we tried dealing with them, firstly was, trying different kind of open source tools, mixing them, trying to keep them in sync. but that, it did do, a good job until a level. But after that, basically we realized that's not gonna be the way forward because the hosting company has been, it was growing fast. So we realized that we cannot, let room for security threats. So after that, we tried, enterprise solutions.
[00:08:04] Ben: They were really costly. Again, they did, they got the job done until a level, until they didn't. So we still had the security issues, but those were costly as well. The open source tools, on the other hand, were cheap, but they required a lot of maintenance and manpower. So that's when we realized that, okay, we have to do something with that.
[00:08:30] Ben: So we started developing our own cyber security solution, for our host, for our own hosting company. However, a bit later we realized that there might be a potential for this product on the market. So we started doing like different researches and realized there were other similar hosting companies in the same shoes.
[00:08:51] Ben: And that's when we started shifting from doing sec, from doing hosting to security. Firstly, we created the botnet module, then the malware scanner. So we added, module, by module, to the product. And, fortunately it has become, it became a, like a really, a success story really. So within two years our team of, 15, grew into a team of 45, and then later we grew, to an even larger number.
[00:09:28] Ben: So this is where we are at right now. We have sold the hosting company and now we are only doing server security specifically for hosting providers because we like to believe what hosting providers are struggling with because of our background, we are specifically developing BitNinja just to hosting providers.
[00:09:48] Ben: So what does make BitNinja unique? BitNinja is an agent that you install on the server. it's modular, so we have 14 modules for different kind of threats. We provide a centralized console. So if you are hosting provider with, let's say, hundreds of shared servers or managed VPS, then you can all handle their security on just one centralized console.
[00:10:12] Ben: We also have a defense network, which, I believe Mark would be happy to tell you about. But in the meantime, I'm gonna just jump to the next slide so you can see what I was talking about. So here we have like threats and we have the modules on the right side that are taking care of specific threats and this is what you see if you log in to your BitNinja console.
[00:10:38] Mark: Yes, absolutely. And just jumping onto the, the first network part of things, is. It's our fancy word for saying that, we protect not just your singular server, rather it's a herd immunity against multiple threats. Because how BitNinja is working is, one of the servers gets attacked and then if that attack happens quickly enough or, it's intensive enough, then it instantly gets broadcasted to the other servers of other BitNinja users.
[00:11:10] Mark: So you don't necessarily have to get attacked to know about a bad acting IP address, and then you are instantly blocked, you're instantly protected against those attacks that are, that want to come through.
[00:11:23] Ben: Yep. Thanks a lot.
[00:11:26] Mart: So it's basically just to ask a follow up question, it's like this is almost like an IP block list almost.
[00:11:31] Mark: Yes. so it's, part of it because, as, Ben mentioned, BitNinja is a modular system and as you can see, IP reputation is one of our core modules. Because we do have, information about millions of IP addresses, and just two weeks ago we have presented 110 million captures, for users.
[00:11:53] Mark: And these are not including just the outright blocked IPs because of course we differentiate between different actors, of course. So that, that's a pretty big part of our protection and that's why BitNinja is able to do, a big load reduction that then we will go into soon.
[00:12:10] Ben: Yeah. Also I think it's worth mentioning that all of these modules, the 14 modules, basically feed back data to the IP reputation module, which is like the first line of defense for our server security approach.
[00:12:23] Ben: But the reason we are here is that basically throughout the years we experienced that security is not just an investment, but it's not just a cost, sorry, but it's rather an investment because there are different points that basically back up the thesis that security can turn cost into profit.
[00:12:46] Ben: It's a good investment. So I'm going to go into four points, three, sorry, as you can see here. First of all, the first one is the most obvious one, reputation damage. Because basically security is a must. You can't let any threats reach your servers, reach your customers, because data breaches, for example, or hacks, will result in reputation damage and in the end game.
[00:13:13] Ben: I will go also in dimension load drop topic or, we have a graph on that. Operation cost. I will not go into this specific one, but basically we have seen that investing into the securities solution will reduce the workload on support, for example. And because of that, those, support agents, we have the time to do something more useful.
[00:13:38] Ben: For example, instead of just dealing with, I'm sorry, pissed off customers. And then of course, the reseller partnership, options, security, providers provide, most of the server security companies offer reseller partnerships, which can be used to upsell security to, for example, unmanaged VPS, customers or even managed VPS customers.
[00:14:09] Ben: So the first one, as mentioned, the most obvious one, reputation loss prevention. Here I got a couple of examples how hosting companies were hacked in the past. As you can see, there's GoDaddy, there's hosting.co.uk. There's, Hostinger, for example, that was hacked a couple years ago. And these are large companies, right? So well. That, that helped them to stay afloat after a big security incident. By the way, kudos to Hostinger because they were really transparent, on the damage that was done, and also on the steps they took after the breach. Basically they had a lot of, like press releases and stuff like that to ensure their customers that something similar won't be happening again.
[00:15:07] Ben: But the only reason these companies could stay afloat, they didn't have, had to shut down the business, is that they are large organizations. But for example, if we look into another hosting example, they had a very serious data breach in 2021. I remember when it was published and, they had to shut down the business because basically all their customers data were leaked.
[00:15:38] Ben: What I'm trying to say is that if you're not a huge company, even then, if you're a huge company, but if you are a smaller one, especially if you're a smaller one, you can just not let a security breach happening to your servers or to your customers because first you will have damaging your reputation that will lead to churn.
[00:16:05] Ben: Or in extreme situations, you might even have to shut down the business. By the way, it's an interesting thing that most of our registrations come from hosting providers that are having heavy security issues. So they are not, they were not, having like proactive security, but after something hit the fan and things went sideways, they were only looking up security solutions after.
[00:16:35] Ben: So what my recommendation is to look up different server security solutions and try to avoid having hacked.
[00:16:47] Ben: The second part is load drop. So that's, that might not be the most obvious way of how security can boost your profits. But for example, on a shared server, having a server security solution, the load drop can be easily up to 30%. So by having 30% decrease in load, server load, you can either basically have more customers on the same servers, which obviously mean more revenue, or you can just allocate more resources to your customers, which means happier customers.
[00:17:26] Ben: So to illustrate this, I got here one of our customer's feedback, I think from a year ago. Basically they sent us the CPUs, be like, on the load of the, sorry, the screenshot of the CPUs here, you can see, I'm gonna show on this one, here you can see the load before installing BitNinja, the load goes down significantly.
[00:17:52] Ben: And then there are two spikes, which are, were the result of running a mobile scan, but, oops, sorry. But right after the malware scan ends, basically the loads go down even further. So basically the load drop is the result of blocking a lot of junk traffic, which is the result of having for example, the IP reputation module Mark was mentioning because using an IP reputation module and all the other modules, basically we can filter out a lot of junk traffic and there are measures in place to make sure that we only, we are only blocking like junk traffic.
[00:18:40] Mart: Yep. and yeah, I'll, ask a quick question because, I, do have a couple of questions in the chat, so I'm thinking maybe this is a good time to answer them rather than just in the, at the very end. But I'll, because they are mostly to BitNinja, so I'll ask them right now, before we, go on to Lana, so, first one is, "Could you expand on what is sent for herd like immunity?
[00:19:06] Mart: Does this open any possible exploits using this modular system?"
[00:19:10] Mark: Oh yeah. Okay. I think that's for probably, yeah. that's for you? Yes. Okay. So with the herd immunity system, basically what we send is just IP data. And what I mean by that is, let's say an IP address is coming to your server, it tries to do something, suspicious, right?
[00:19:32] Mark: It's tried to access a file, it shouldn't, whatever, that IP gets flagged. And by flagged, I mean it's got put on a challenge list, what we call it. A challenge listed IP address will not be able to reach the server. It'll only see a capture page hosted by the server. So basically it can only reach the capture page on the server that's hosting, and then it can either resolve the capture or just continue on their way and, move on with their lives.
[00:20:00] Mark: And we get this information. So this is what is getting broadcasted: "Hey, your server is sending out this info. Hey, this IP just tried to do this. It resulted in this, it's still on a challenge list." And then other servers are receiving this same information like, "Hey, you should put this IP address on your challenge list and present it a captcha if it reaches your server."
[00:20:25] Mark: Because what we don't want to do is let hackers or bad actors just go on, try to hack a different server and then just move on to the next one and the next one and the next one without, any, sort of defense mechanism. So this way we ensure that, it's getting broadcasted to all of the servers and all of the servers know exactly why that IP should be on the challenge list.
[00:20:48] Mark: And you can see this information by just going onto our dashboard and then searching for an IP address. So I hope that answered the question.
[00:20:57] Mart: The other question we had, and it's, I think it might also be for Mark, is "Hi, are there any limitations when using BitNinja with Enhance or any other control pattern?"
[00:21:07] Mark: Yes, that's the age old question. Thankfully no. So what, why BitNinja differs is that we are not reliant on any control panel, rather we support the control panels. So we serve our own, firewalls and our own reverse proxy. And, everything is built in house. So all packages we maintain, we keep, and we install.
[00:21:34] Mark: We don't need anything else, but we support the control panels of course. So you can run cPanel, Plesk, Enhance, whatever you like, then it'll work just fine with BitNinja installed.
[00:21:47] Ben: As a side note, I would also add that we have a specific pricing, especially for Enhance users, that basically aligns with, the Enhance pricing just a commercial standpoint.
[00:22:00] Ben: Yeah. Thank you.
[00:22:03] Mart: And I'll ask, one more question and I think if there's any others we can also ask them like at different points and then, we'll give Lana a little chance as well. But I think last one that sticks one in is, "Do you plan to have any integrations, one-click installers, hosting providers, or control panels like RunCloud, cPanel, et cetera, et cetera?"
[00:22:22] Mark: Yeah. Okay. So that's also a fantastic question because, in fact we do offer this to our hosting providers. So I will talk about our APIs a bit later in the presentation. But the thing is that we do support this and some of our hosting providers, partners are doing this to their customers.
[00:22:39] Mark: So in some cases where you select BitNinja with let's say a VPS package or or whatever, you can just click install BitNinja and it'll automatically install it for you and you will receive your own dashboard and everything else with it. So yes, we do have this, it's just dependent on the hosting provider, how they want to implement this.
[00:23:01] Mart: Got it. Yeah, let's, run with Lana
[00:23:08] Lana: So now that BitNinja. I almost called you by Server Ninja just now, but that's, on me.
[00:23:15] Mark: That's also a cool name to be honest.
[00:23:17] Lana: I I like BitNinja though. I like your tattoos. So that's, that was why we're doing this. But basically with BitNinja, having taken care of all the server sort of threats, it's time to move on to the application layer because even though BitNinja has great and unique insights into the server aspect, there is also the application aspect.
[00:23:42] Lana: And in cybersecurity it's typically thought that the application level security deals more with the business logic of your site. So I think the most classic example is WordPress. Basically, it has user roles, it has prerequisites, so some vulnerabilities you can only exploit if you are an admin.
[00:24:01] Lana: Others you can exploit even if you don't have any user roles. And so this is where the application security really comes into play. And interestingly, it's also one of the reasons why we recently performed a case study. So what our team did was we hosted five sites with five different hosts, and we selected them in a way so that every host has a different security environment.
[00:24:28] Lana: So for example, first host, had only Patchstack installed and their regular sort of tools. The second host we also installed CloudFlare on top of it. Provider B had Monarx installed. Provider C had Imunify360. Provider D just had the basic config server firewall, and provider E was this, I don't wanna say low quality, but a very light host, so to say, in terms of security measures.
[00:25:02] Lana: And our goal here was trying to test how many vulnerabilities would actually get blocked in a real scenario and in a real environment. So we try to exploit 11 vulnerabilities based on the plugins of the sites hosted with different hosting providers. In the end, what we found was that two of the providers didn't block a single vulnerability because they didn't have an appli..., they didn't have a solution, the server or the network layer that could effectively address that vulnerability.
[00:25:37] Lana: And again, this is not a comment on the quality of server and network solutions. It's simply the fact that these layers couldn't properly see those vulnerabilities. And this is why I keep saying context like a broken record. Then provider A, we installed CloudFlare on top of it, and CloudFlare was able to identify four of the vulnerabilities.
[00:26:01] Lana: But again, it could not identify the exploits of more WordPress specific vulnerabilities. When we started talking about prerequisites, it was completely blind to them. And provider E, actually managed using their in-house firewall to block, I believe it was two vulnerabilities. All the rest of them actually ended up reaching Patchstack at the application layer.
[00:26:26] Lana: And that really is the key finding that we're trying to emphasize here, is that some threats are best addressed at server layer, others best addressed at the application layer. But either way, you really want a solution that has the right sort of context and framework to address these threats. Otherwise you won't be able to do much.
[00:26:49] Lana: So the age old saying that, we hear from hosts all the time, and even users sometimes, we go to a lot of conferences and usually what we'll hear is, "We already have security, we're fine." But if you already have security as a host, what you really wanna look at is what sort of security you have.
[00:27:11] Lana: If you only have a firewall, that's not enough for protecting your users. You also need server solutions. You also need application solutions. And so this was, what the case study found. I'm happy to link it in the chat or if anyone's interested it's, right there all over our socials, but it made a really good point.
[00:27:33] Lana: And so that brings me to the next aspect that I've briefly touched upon is the nature of vulnerabilities. So with spend traffic, we understand what it is. With DDoS attacks, we understand what it is, but what are actually vulnerabilities? And the truth is it's very simple. It's logic flaws in the code and attackers are very good at exploiting them.
[00:28:01] Lana: And so they use those logic flaws to convince sites and, hosting providers, those sites are hosted on to convince them that the request is legitimate. So essentially it could be, and I'm gonna make a very simple analogy here, it could be something like trying to use vulnerability to convince the site, to give it permission to adjust the files on it.
[00:28:26] Lana: And unless you have an application solution that can recognize that request, the site is gonna let them do it. And that's how sites usually get compromised. Because if you look at the total number of security bugs in the last two or three years, 93 to 97% of them are actually WordPress vulnerabilities.
[00:28:47] Lana: And so what happens is if you try to mitigate this application layer issue, for example, an SQL injection at the server layer, the server won't recognize that malicious query is bad. It will just process it as normal traffic. So there are very sneaky vulnerabilities. And again, not, absolutely not saying that server solutions aren't good.
[00:29:12] Lana: They're just good for a specific purpose. Just like Patchstack and other application solutions wouldn't be able to mitigate DDoS attacks. So it's a matter of employing the right tools in the right positions. And here we also see some examples, so vulnerabilities are nonstop and they are constantly on the rise.
[00:29:33] Lana: Every year we create a big state of WordPress security report. And what we're finding is there's a significant increase year on year in vulnerabilities, especially in the past few years where AI usage has really run rampant. And the way we're all talking to ChatGPT, hackers are also using their own custom GPTs to launch attacks, to scan plugin code.
[00:30:00] Lana: And that's becoming an issue for everyone who wants to protect their users. So what we actually do at Patchstack is firstly there's the intelligence aspect, the data aspect. BitNinja, they have a list of, I think you called them, challenged IP addresses, right? Exactly. So we have something similar, but for vulnerabilities, we have a big database that this year was, pronounced to be bigger even than Microsoft's.
[00:30:31] Ben: I'm sorry, I didn't want to interrupt you, but, the terminology used to be, like graylist and blacklist, but as, time moved forward, we decided to, change it to, challenge list and block list. But some people might be more of, familiar with the, with the graylist and blacklist
[00:30:52] Lana: Makes sense.
[00:30:54] Lana: Yeah. So thank you for filling in there. But yeah, the way Patchstack does mitigation is we first created a really big database of all known vulnerabilities, and we even have in-house and external researchers who get paid bug bounty in order to find vulnerabilities before they're exploitable. And so the way that works is because we're the first to know and find out about these vulnerabilities, we can be the first to mitigate them.
[00:31:28] Lana: So when, let's say a hacker tries to access the site with the intention of exploiting it, what happens is Patchstack's connector plugin will recognize the nature of that request and apply a mitigation rule. This mitigation rule is operating on a firewall method, so it's not constantly active in the background.
[00:31:52] Lana: It's only deployed on demand. And it uses the software composition analysis to recognize when a specific website has a plugin that has a specific vulnerability, and only then when someone tries to exploit it, will that protection be deployed. Similarly, going back to the database, we are also able to identify something that would have become a zero day or a one day even.
[00:32:23] Lana: Even one day vulnerabilities are dangerous enough to be exploited and prevent them. Issue immediately our virtual patching rule, a mitigation rule that without changing code, without changing website or plugin code is able to protect you from these attackers that are trying to gain access to your site. So the way we see it, it's based on data, it's based on speedy mitigation, and it's based on minimally invasive mitigation.
[00:32:55] Lana: Because in some cases there are solutions that will completely bloat your site performance, and at that point it doesn't make sense to keep using them. And obviously there is also the aspect of whether you have enough time to update the plugin. Most people aren't aware that exploits of vulnerabilities happen in a matter of hours, so it's, from the moment it's disclosed, or in some cases it's not even disclosed, hackers will have launched attacks. And there is no way for someone to update the plugin in time. In many cases, it's not enough for the plugin developer to issue a fix in time. So all of that is really where Patchstack tries to mitigate in the simplest way possible and in the fastest way possible.
[00:33:45] Lana: And then finally, I will just deliver this and then let's talk business. But I wanted to touch upon a very common question that we get from hosts is, "Aren't vulnerabilities the user's fault?" So typically it's perceived that the hosting responsibility for security stops at the server layer.
[00:34:08] Lana: But when you have a big number of hacked websites, even though the user was supposed to update those plugins, it will actually end up reflecting upon you. It doesn't matter what it is, the user will naturally feel that there was something you could have done to protect them and you failed to do it. Again, the user themselves, they don't have to know, they're not always very security conscious, which is fine.
[00:34:33] Lana: They don't have to be experts, but it's in our hands and in host's hands to educate them and to give them very practical tools for protecting themselves against vulnerabilities, which are an extremely common cause for hacks. Yeah, I think that's, the key point I wanted to make. But if there are any questions, I would love to answer them and then we can head to BitNinja again.
[00:35:00] Ben: Uh, actually I do have one. But as I can see, there's also one in the chat. Mike, ask, "What's the Patchstack set up time, need any DNS changes?"
[00:35:13] Lana: Okay. So the Patchstack setup time for hosts basically depends on your resources, but we've seen an implementation times from three days with two developers, five days with one developer.
[00:35:26] Lana: So it's very simple because there's an API, there's an iFrame widget that you can also include in your hosting panel. So it's only up to you to add it as a ticket in Jira and get it done, so you'll also have our team at disposal. No DNS changes, nothing needed, just pure API connection.
[00:35:48] Ben: Awesome. Thank you.
[00:35:49] Ben: Mike, do let us know if that answered your question or feel free to follow up. In the meantime, however, I have a question for you, Lana, does Patchstack conflict with any other security tools?
[00:36:03] Lana: No. No. So it doesn't, I would say that if you have dedicated security tools for different layers, then it naturally won't.
[00:36:12] Lana: But even if you have some overlap between CloudFlare and Patchstack, there won't be an issue because Patchstack's mitigation rules are very specific. You're pretty good. Yeah.
[00:36:24] Mark: Awesome. Yeah, and to be honest, I also have a question because, we also get this question a lot and I think it's, it'll also ring a bell for you.
[00:36:33] Mark: Do you guys overwrite like existing website plugins or website code itself?
[00:36:40] Lana: No.
[00:36:41] Mark: Or how do you deal with the mitigation? Yeah.
[00:36:42] Lana: No. So we don't overwrite anything because again, the mitigation rules are deployed on a firewall, with a firewall deployment method. So it basically comes in front of the site, not within the site.
[00:36:56] Lana: We won't change code. We'll just recognize malicious traffic coming in, trying to exploit it, and will block that attacker from ever accessing the site. And that's the way it happens. Yeah. Does that make sense?
[00:37:11] Mark: Absolutely. Absolutely.
[00:37:13] Mart: Yeah. Thank you. Welcome. I guess we, we'll do one more question since we got into the spirit of taking questions.
[00:37:21] Mart: But then, yes, we gotta jump onto the business side of things as well. But this question, I think it's, I think it's about, I guess Patchstack, I'm assuming. How does Patchstack look for, if you mean ways? Yes. Okay. Yeah. So how is, how does Patchstack look for SQL queries if it's trying to mitigate SQL injection?
[00:37:42] Lana: So it looks at the nature of the log. I'm not in the technical side of things in the team, so I can follow up with you later with detailed explanations. But it looks at the nature of the request and the way the request is trying to gain access to the site. But because of the software composition analysis, it also knows which vulnerability the plugin has at the moment.
[00:38:06] Lana: So if the plugin is vulnerable to SQLI, then it's natural to be monitoring for traffic to it and blocking anything that will want to exploit it. It's not looking for SQL queries per se. It's blocking the traffic that otherwise would make use of weak SQL queries and blocks them before it's too late.
[00:38:28] Mart: Let's carry on because I think the, we also wanna talk about a little bit about the business side of how do you actually sell, or package security as a service, right?
[00:38:38] Ben: So basically we have addressed like the traditional, untraditional ways of boosting your revenue with having a server security solution.
[00:38:46] Ben: Now, we would, with Mark, we would like to address the more traditional ways - reselling security or upselling security to your customers. So I, we broke this down into two sections, basically selling, upselling to unmanaged customers if you are an unmanaged VPS hosting provider that, I think, might be relevant, to you.
[00:39:08] Ben: And then the second part, we are being managed, which is like a bit more specific, but kick this off with the unmanaged part. So why should you consider upselling a security solution if you are having unmanaged VPS customers? First of all, with this, you will give them the option of enhanced protection.
[00:39:28] Ben: Even if you have a level of security in place for them in the package, they can decide whether they would like to increase the level of security and have their own security measures taken care by themselves. The second part is risk mitigation. It might be not self-explanatory and we have different use cases, but for example, one is that, your customers with higher security can basically better avoid damage in your IP reputation.
[00:40:05] Ben: So for example, there, there's a hosting company where unmanaged customers were not aware that their VPSs were like doing a lot of nasty stuff, sending out attacks towards, protected servers. So we gave them a thing like, "Hey, do you know that your customers are attacking other customers, other companies' customers?"
[00:40:26] Ben: And they didn't know it, their customers didn't know it because it was a sneaky, like I dunno more about, what was it, Mark? It's, you are the expert on that from, so that can help with, like avoiding damage in your, IP reputation. And there's another use case which, Mark will be able to talk about.
[00:40:52] Ben: But basically the, we have a large, hosting partner where they wanted to know what, which customers were harming other servers deliberately, but I'll let Mark do the talking here.
[00:41:06] Mark: Yes. This, kind of joins onto the question that Mart had at the very beginning about our IP reputation. So we actually have, one of them is a large hosting provider.
[00:41:16] Mark: I don't want to name names, and the other one is a large VPN provider. And for them, knowing that their IPs are misbehaving is crucial. So what we have set up with, with them is that basically we have an API based alerting system that instantly lets them know if one of their IP addresses have been caught for doing something bad.
[00:41:40] Mark: So in reality how it works is - let's take the VPN provider for example, and so they, they lent an IP address to somebody, and somebody is using that VPN to try and hack a website, for example. That, let's say that server is protected by BitNinja, right? So we, block the attack and we find the IP address, then we can instantly let the VPN provider know that, hey, that IP is bad and they can cut the connection and they can basically block that user from accessing their VPN solutions again, for usually what they have is the, is a grace period.
[00:42:18] Mark: So they block it for five minutes at the beginning, and then they see if the attack continues and then go on, of course, because they don't want to block based on false positive for example. So that's what they use. And this is very similar to what the hosting provider does, but in their case, it's not like a VPN's IP address, rather it is a server's IP address that they are, is just unmanaged VPSs, right?
[00:42:44] Mark: They have like hundreds of thousands of them. So they, want to know if somebody is misbehaving or doing something they shouldn't be doing.
[00:42:55] Ben: Yep, exactly. Thank you Mark. Also other, aspects on why you should consider adding security or upselling security. First of all, it brings added value, to the customer.
[00:43:08] Ben: So usually unmanaged VPS providers as we see, how our partners would, they add like different backup solutions. They add one or several security solutions. And, that basically helps the customer. So when they go through the shopping process, they just click whatever they need. They act kind of like a marketplace, and they just grab anything they need for their service so they don't have to get it from somewhere else.
[00:43:38] Ben: it also helps with differentiation. Basically you can, get ahead of your competition in case they are not selling security yet. That can easily move one customer, one customer to another hosting company if they are selling security. And of course, the, one of the main points is that why you have all this, it'll bring you extra revenue in.
[00:44:07] Ben: Also, it might, sound tricky to integrate, for example, having a, offering a server security solution into your shopping process. But fortunately, Mark and the team has made sure that it's only a few clicks. it might be a bit more than a few clicks, but it's not a hassle. Mark, would you like to talk about this?
[00:44:29] Mark: Yeah, absolutely. we are really proud our API, so anytime! We have spent a lot of work, developing it and we wanted to make it as user friendly as possible. I know it's hard to save with API, but trust me on this one. What you have for API is basically, whatever you see on our dashboard is as accessible via API.
[00:44:52] Mark: So if you want, you can basically develop your own dashboards for your customers, or if you just want something simpler, you can create email reports that you want to send out to customers and anything that you can imagine you can make with the APIs. You can also automate installations.
[00:45:10] Mark: You can also automate licensing, cancellation of licenses and everything. So it's an old, everything is covered basically with our APIs and we also have some use cases that we can provide to you that explain what you can do and how to achieve that.
[00:45:30] Ben: Yeah, and even I could do a couple of things with our API, which is a big thing because I'm not that technical, so kudos Mark.
[00:45:40] Ben: Okay, so this was for unmanaged VPS providers, in case you are interested how this can be done.
[00:45:49] Lana: Yeah. I just had a question while we're speaking about, unmanaged. So do hosters who usually resell to unmanaged customers, do they require more help from BitNinja? Like what's,
[00:46:07] Ben: Less and less as we go forward.
[00:46:09] Ben: Okay. So basically we have collected all the main questions coming up and all the challenges for hosting providers and we've made endless materials helping the hosting providers. That means white labeling options, for example, or partial white labeling options or, I don't know, API integration manual and a lot of different materials to help the providers.
[00:46:39] Ben: From time to time, we do get a request for help with the shopping cart integration, but it's more like a, okay, we are handling it, but can you guys still take a look to make sure everything's gonna be all right this way. Also, it's not 'how', but, some of our provider partners reach out to me, asking whether we can run campaigns like, temporary campaigns saying that you can buy, buy one, get one free, for example, during let's say, cybersecurity month or Black Friday, and we are happy to do that usually. And that's usually a big boost in their numbers. So the managed, which the managed VPS customers, or managed hosting providers, which is there's one difference in our standpoint from the unmanaged VPS providers. Basically here, the hosting provider will upsell BitNinja or upsells BitNinja to the managed VPS customers and they will be managing BitNinja for the customers. So basically, here I brought, or we brought, two or three use cases how different managed hosting providers handle security for their clients. Because the challenge here, unlike, at the unmanaged VPS customers, is that you manage security for your customers and good security is invisible.
[00:48:16] Ben: Therefore, somehow you have to deliver the value to the VPS owner. So because they don't get to log in to their BitNinja console because the provider manages, manages security for them, at some level, you will have to deliver the value what that extra security solution does for their server. So for example, we have a partner who prefers to send out our monthly reports on this.
[00:48:48] Ben: Okay, we handle, you paid extra for the security service. This is what it's done for you in the last four weeks. It got, I don't know, 387 malware. It blocked 2,000 incidents and different kind of attacks and, this is what it, why you are paying. We also have another partner called Nimbus Hosting, and they decided to go on a different route.
[00:49:17] Ben: So they decided to put a more effort and they actually build their own security dashboard. So Mark actually worked on that project with them so that way, each managed VPS owner can, could, can log in to their security dashboard so they can see in realtime what, for example, BitNinja does for them. The one thing we usually don't advise is, providing access, especially if the provider handles all managed servers on one BitNinja console, because obviously that would be a disaster.
[00:49:56] Ben: But yeah, this is it. I think.
[00:49:59] Lana: One thing I wanted to ask is just going back, back to configuration a bit. Do hosts need to configure the BitNinja Modules or is that pre-configured?
[00:50:11] Ben: I think it's, well BitNinja does come out of the box, right? So we have most of our modules enabled by default.
[00:50:19] Ben: They have like different, like the most convenient rules set, engaged on the modules that provides the lowest force, force positive rates and stuff like that. But in case hosting providers have like specific needs or they are working with a really specific stack, they get the chance to like fine tune the modules and they can get all their settings how they want it because, while we believe a security solution should be coming out of the box, ready to deal with anything, we also believe that we should provide configuration options for like specific needs. So it's, we are trying to balance.
[00:51:04] Lana: Yeah, no, I get it. it's, it's a fine line between just giving hosts everything they need to get started real fast, and then allowing them to customize that journey later on.
[00:51:16] Ben: Exactly.
[00:51:17] Lana: Yeah. Makes sense. Okie doke. And then I think...
[00:51:21] Ben: great question though.
[00:51:22] Lana: Oh, I try! The business side of things like, that's the one I get more than the hacking side of things.
[00:51:31] Lana: But yeah, speaking of business, so I'm gonna, I'm gonna keep this short so we have more time for questions and chatting, but when we're talking about security, we started this off by saying that there is a strong business case for it. So as you mentioned in the reselling aspect for BitNinja, so we also have some examples from the Patchstack side where we've really built to the product for hosts keeping that monetization in mind.
[00:51:59] Lana: in one example, Rapyd Cloud has included Patchstack by default and that allows them to differentiate. In other cases, we've also seen Patchstack being included in higher tiers where, for example, there's more bandwidth, there's more security features, more performance features. And we also have companies who have included Patchstack as an add-on.
[00:52:25] Lana: So there is, there's quite a few ways to start monetizing your security. Obviously your mileage will vary and you know your users best, but one of the examples we like to exemplify is WP Umbrella. So the challenge there, which I think also speaks to hosts, is getting ROI from security investments. The truth is you don't have to wait months for something to pay off.
[00:52:51] Lana: In WP Umbrella's case, they saw ROI within four weeks and it only took them one developer and five days to implement. The way they've integrated it into their product, which is a management platform, was as a security add-on priced at a fixed fee per month, which also compensated for their fee for Patchstack protection, but also allowed them to create a new revenue stream.
[00:53:20] Lana: So there is a way to make security profitable and open up new channels for your revenue. Additionally there's a very intuitive upsell mechanism. So if you remember what I mentioned about threat intelligence and a database of vulnerabilities, you can also get that as a separate API and then start slowly telling your customers what sort of vulnerable plugins they have on their sites.
[00:53:45] Lana: And from there it's very simple to get them to transition to paying for protection because they are now aware. So you are completely overcoming that educational hurdle with actual practical examples. And then in another case we have the challenge of a rising reputation risk, Veebimajutus, which are an Estonian regional host.
[00:54:09] Lana: They saw a lot of websites with vulnerabilities. Their support team was constantly cleaning up sites. Users sometimes, doubted whether the host was supposed to protect them. They were not educated enough, which again, not a fault of the users, it's just something that happens. They were not educated enough to know how to mitigate vulnerabilities.
[00:54:32] Lana: And so maybe Veebimajutus, they decided to integrate Patchstack's, real-time protection into one of their higher tiers. So their reputation was completely restored and they also earned up to 100% additional revenue per user. So all of those are very strong signals that security no longer has to be something that's just a money suck for your hosting company. It's, it can also be quite lucrative. And then, as I mentioned, Rapyd Cloud, they started by integrating Patchstack completely. So if you want to be a host that's secure by default, if you want to be able to claim that, then you can do what Rapyd Cloud did because in their case, they're dealing with very complex sites.
[00:55:20] Lana: So these are e-commerce sites, learning sites. If you update a plugin and the update hasn't been tested previously, you risk your entire site going down. So in that case, it makes sense to use Patchstack protection, which gives you safety and security, and also time for you to test the updated piece and just breathe easy knowing you're protected.
[00:55:46] Lana: So those three are the main sort of partnership models that we see. And so far, so good. And I think the key aspect is really showing hosts that security can become profitable. And that's it for me guys. That's it from me, it's security can be profitable.
[00:56:09] Mart: Thanks for that. That's a, pro. Yeah. Thank you.
[00:56:12] Lana: That's now a such, yeah,
[00:56:16] Mart: I think, yeah, I think that's, that's a good point, Lana. It is not just like a money suck, right? It's not just something like, a cost you, basically comes with doing business, right? You can actually turn it very profitable. We don't have any questions actually in the chat right now.
[00:56:32] Mart: I have a couple of questions that I probably would wanna ask. One, one is I'll throw it just out there and this is like a random question I just thought of is but what do you guys think? Has it gotten easier to sell security or be in the security business? And if so, why?
[00:56:52] Ben: I think that the need is bigger.
[00:56:58] Ben: There's been so much security breaches in like the last couple of years. For example, at the start of COVID, we monitored like spikes, like never seen amounts of security threats targeting servers, for example. So I think when everyone went digital because of the quarantines and stuff like that, the, the number of threats just skyrocketed.
[00:57:26] Ben: And that obviously ended up in a demand in cybersecurity. And maybe that's the reason why we are seeing, new and new different security providers on the market, and stuff like that. In terms of, is it easier or not? I'm not sure. I dunno, what do you guys think?
[00:57:53] Mart: Good question. I think I'll answer 'cause I asked this question and I realize right now it's, a really complicated question. I don't know why I asked it, but I was thinking about like the business side of it. But I do feel there is a little bit of a change, at least in the WordPress space.
[00:58:08] Mart: I think security has become from something that people don't really wanna talk about, maybe plugin developers kind of wanted to brush security aside and, don't wanna talk about their breaches. But we've gone to this place where everybody's, more proactive, being more proactive about, disclosing their security issues and stuff.
[00:58:25] Mart: I think part partially it's linked to maybe the legislation that's coming. We have the Cyber Resilience Act. Basically in effect already in the EU in a couple of years, it's gonna be enforced, which is forcing software vendors to address security issues and not hide incidents. But in, in our case, we do see there's an awareness of people.
[00:58:46] Mart: Maybe it's just the, just like the amount of attacks maybe in the WordPress space. But we do see like an increase of people wanting to do, something, being proactive about security versus, reacting. 'cause it very much used to be like, oh, I got hacked. I guess I'll remove the malware and that's it.
[00:59:05] Mart: But there's something separately changing.
[00:59:07] Ben: I think they also, I'm sorry, just to quickly add in here. I think that the proactive approach also comes after, at least some of them had bad experience in the past or security acts. So they are like, okay, I didn't wanna do this.
[00:59:24] Ben: I don't wanna do this anymore. I'm just gonna switch my mentality into the proactive, Also Wayne, put a, like a comment in the chat section. He says, "The need for security first software has been much higher after COVID, at least with my small company." Thanks for backing me up, Wayne.
[00:59:49] Ben: Glad to hear, glad to read your, comment. Actually, I would be interested, if those, customers gave you a reason, like if they were trying to dodge something specifically or, they just wanted, or they just were more like security aware by default.
[01:00:13] Mark: Just, to chime in with my 2 cents as well, that I think time in this is a double-edged sword in a sense because on one hand, hosting providers who have lasted a long time without a proper security solution, will just say, oh, we lasted this long already, we don't need anything else.
[01:00:30] Mark: But on the other hand, time is helping hackers developing better type of attack, better types of attacks, more attacks, just more sophisticated ones. So it's like hard, how to decide, oh, am I safe, am I not?
[01:00:48] Ben: Oh, was it the director of MSA or CIA who said that it's not the question whether you are gonna be hacked.
[01:00:55] Ben: It's the question. The question is when, or something like that. Yep.
[01:00:59] Mart: Just to chime in on top, I was just thinking, because usually the regular WordPress site owners that I've talked to, it's, often you have two types of people, the ones that, haven't been hacked, the ones that have been hacked and that know the value of security.
[01:01:12] Mart: And I feel like maybe over time just, the naturally the percentage of people that have suffered an incident, it has gone up because everybody I talk to that has had an incident, they are security first. So they think in terms of proactive. People that haven't or don't know that they've been compromised, so that, that's a whole other thing you, might not even know is, they're like, oh, you know what's, it's this.. how likely is this? What's gonna happen to me? There's no way I'm gonna, I'm gonna be a target, right? I'm nobody. Why would anybody attack me? So maybe it's just like the same accumulation of people. There's like a snowball effect, but, yeah. Thank you for entertaining that question, by the way.
[01:01:51] Mart: I do have another one that's, a bit more specific because it's obviously I'm more in the, the vulnerability space, more in the WordPress sort of security space. I'm quite, aware of the latest trends with what's going on with vulnerability exploits.
[01:02:08] Mart: But I did wanna ask, is there anything interesting, or is there an interesting trend of new, attack types that you guys see, like on the, server side of the business that's worth going into?
[01:02:24] Mark: Oh, yeah. Honestly, what I find fascinating as always is that for some reason we see spikes in people trying to attack very old, known Marva files, basically, like they try to come back to very old known vulnerabilities, or not just vulnerabilities, but exploited files or whatever, and I just try to come back to it and ping if it still exists on the server. And it's just this, these two months in the past, like we have seen, like I think 5, 10 times increase to the normal amount of just these types of attacks. And, I always find it interesting like, how, but this, there seems to be reason that they might be doing this because they see more success lately with it because I don't see why anyone would try to access these old files anymore.
[01:03:20] Mark: So I think that's, the most interesting one. Other than that is just the usual new types, new payload, still malware, but yeah, generally I, this is the one I find the most interesting,
[01:03:33] Ben: The regenerating malware.
[01:03:36] Mark: Oh, yeah. the Phoenix malware as you like to call it. Yes.
[01:03:40] Mart: What is that? This sounds, this sounds interesting.
[01:03:43] Mark: Yeah, so basically what it does is it somehow gets onto the server. That's not the interesting part. What's interesting is that it, there are two families of this. They act the same, but slightly different. One of them is basically like a torrent based marva that pings other servers for the infections on them, and then regenerates itself based on that.
[01:04:11] Mark: "Hey, am I missing a file from my malicious files?" And then it's basically just syncing multiple servers to each other. That was very clever. And of course it, I'm very much, explaining it in a very simple terms, but it was very complicated how it worked in reality and it was extremely complex.
[01:04:27] Mark: But, it was very like smart. And when you see something, you have to give kudos to the hackers sometimes.
[01:04:33] Ben: Yeah. I'm gonna give, them on because, they give like PTSD for you.
[01:04:41] Mark: But that was very interesting. And the other type of this is that this, but it only exists in memories of the servers rather than as files.
[01:04:51] Mark: So it's basically a running process, keeping everything in memory, and then it's just basically spawning new instances without the files to be found anywhere. So it's very hard to track down where it's coming from and then what it's doing exactly. Because of course, you don't see it in, in a file.
[01:05:08] Mart: Fileless, yeah. Fileless malware is another different beast. Yes. I will say, just to start wrapping this up, 'cause this has a risk of expanding into a two hour call. I think we should do a follow up webinar. We should do a follow up webinar and take a little bit deeper into these things. I will say, just to sum this up right now is, I think attackers are smart.
[01:05:31] Mart: They're really smart, they're getting smarter. And if you're a hosting provider or you, if you're a regular, website, user, administrator, whatever, I think the key is to just be smarter. So I think that's gotta be the challenge for you or trust those people that are smarter too, to take care of it.
[01:05:48] Mart: So I will say, I feel like I saw, there was a little comment about, I think from Wayne, on, on why clients are choosing proactive, but, and he said because reactive causes losses in revenue and reputation, which I think that's, something that everybody needs to particularly...
[01:06:09] Mart: Yeah. But with that, I do not believe I have any other questions. I would ask each of you to just say something. Is there, if anybody here wants to reach out to you ask for more information or if there's something interesting you want them to read, use this as your opportunity to pitch that or give them your shout out, your contacts, maybe starting with Ben.
[01:06:33] Ben: Yep. Happy to. So anyone can find me on LinkedIn, as Ben DOTH is the family name or just feel free to shoot me an email at ben@bitninja.io.
[01:06:49] Mart: Brilliant. Mark, how's your inbox? You ready for questions?
[01:06:54] Mark: Drop a question on LinkedIn or via my email. It's mark@bitninja.Io. Very simple to remember.
[01:07:00] Mark: Always happy to chat about anything, so feel free. And then maybe let's drop the ball to Lana.
[01:07:07] Lana: Thank you. Yeah, like you guys said, LinkedIn or email works best, lana.c@patchstack.com. And if you want some more required reading, I'll drop the case study Mart and I were referencing in the chat, so it's an interesting one, dives a bit deeper into what hosts are using, what they're not using.
[01:07:31] Lana: So just something to pass the time with and thank you. Thank you for the attention.
[01:07:39] Mart: Yeah. Brilliant. Thank you. And again, Mart, also LinkedIn. I'll accept any requests coming my way. And feel free to DM me if you want like a follow up webinar, if you have ideas, I think DM all of us, because I think there's a lot we didn't touch upon and we just open, we touched on some very interesting kind of themes at the very end.
[01:07:58] Mart: We might test sub to tease like another webinar to dive maybe more technically to some of this stuff, next time.
[01:08:05] Ben: Definitely. Mark will do a lot more talking than I, so I'm happy to do that. Also, maybe we should do this recurring.
[01:08:14] Ben: yeah. It was fun.
[01:08:16] Mart: Yeah. Thank you, to the speakers for speaking, to the audience for participating and, catch you next time.
[01:08:22] Mart: Alright, see you. Thank very much everybody, bye-bye.
