In this ConversingLabs episode, host Paul Roberts speaks with Devin Byrd, Director of Threat Intelligence at Kandji. Byrd explains how Kandji has grown into a major security provider for macOS users, and how the attack vector for macOS and iOS users has increased in recent years. 

EPISODE TRANSCRIPT

PAUL ROBERTS
Welcome back everybody to another episode of ConversingLabs. I'm your host, Paul Roberts. I'm the Cyber Content Lead here at ReversingLabs, and we are here with another ConversingLabs Cafe edition. Last time we were talking to you from the RSA conference. This time we're at Black Hat here in Las Vegas, Nevada.
And we're here with Devin Byrd, who's the Director of Threat Intelligence at Kandji, Devin, welcome to ConversingLabs podcast.

DEVIN BYRD
Thanks, Paul. Great to be here with you guys.

PAUL ROBERTS
It's your first time having you on, thrilled to have you.
Obviously, we're here at Black Hat. We're in the ReversingLabs booth. Over there is the Kandji booth. Also pretty crowded. What are you seeing at the show? And what's interesting to you?

DEVIN BYRD
It's been great. There's been a huge turnout. There's been a, at least from our side, we're definitely an Apple house.
So it's been great seeing a big influx in Apple people and Apple talks and stuff that's been going through this year. So seeing that grow and keep getting bigger. It's been a great thing for us.

PAUL ROBERTS
For the folks who don't know Kandji talk just a little bit about what Kandji does.

DEVIN BYRD
Sure, so Kandji is a MDM and EDR provider. So we secure and do mobile device management for iOS devices, Apple TV, iPadOS, and macOS devices. And then we also have an additional EDR product that ties into our macOS product.

PAUL ROBERTS
Okay, and your customers are enterprise, small business?

DEVIN BYRD
We have everything from small business all the way up to bigger enterprises. It's more of just people who like really want to have their Apple devices secured and maintained and managed. So we have customers with as little as 50 devices and we have thousands of devices on other ones.

PAUL ROBERTS
So much of the whole InfoSec sector is predicated on Windows, right?

DEVIN BYRD
Oh, yes.

PAUL ROBERTS
It was, 95% market share for so long. It's really less true today, particularly in verticals like tech, right? Where Mac and non-Windows OS is actually really common. Talk about some of the challenges that presents for companies, in terms of doing endpoint protection.

DEVIN BYRD
Sure, so one of the biggest things and some of the things that I've seen across my career and kind of path has been that there's a huge influx of people who are very big into Windows security. It's always been the cash cow. It's the one everybody goes to. It's the one everybody knows. 
But as the enterprises are growing and you see a lot more with the millennial generation, the Gen Z generation that they really like their Apple devices. They want to have the seamless connectivity between iOS and macOS and have that kind of build to expand on.
More and more malware writers are attacking iOS and macOS devices. The problem that we've run into in the past is that because it's been such a niche field and it's so small, finding the people with those expertise has been really difficult and hard.
So that's one of the things that we try to pride ourselves on is we've built out a really great team of people who really specialize in that. But for the longest time, we were the black sheep. People were like, why are you studying macOS security? Nobody cares.

PAUL ROBERTS
You're doing endpoint protection. Is there a meaningful difference between the types of things, types of threats and attacks you're seeing on iOS, macOS, endpoints and what we're used to seeing in the Windows world? Is it pretty much the same threat actors, same types of attacks?

DEVIN BYRD
It's a very similar kind of attack field that's there. What we're seeing more and more is 10 years ago, a Mac malware may only be adware. And maybe just be something that's just potentially unwanted, like a kind of junkware. With the move to see more people, especially, specifically, developers and executive teams that are really big around having their macOS devices, we're starting to see a lot more things of backdoors.
Things like the 3CX that you had mentioned a moment ago, where it can attack that same kind of vector and expand that out to the people that normally would feel completely safe. If we look back, it wasn't too long ago, Apple made the claim that Mac doesn't get viruses. 
And as we continue to grow, we're seeing that not only do we get them, they're becoming more and more complex and more difficult to detect.

PAUL ROBERTS
And again, we talked about Patrick Wardle, who's one of the renowned experts in macOS, doing a whole thing just on the role that attacks on macOS endpoints had in the 3CX supply chain compromise.

DEVIN BYRD
Absolutely.

PAUL ROBERTS
Yeah, it's really true. And I think even back when you were having those conversations, Mac as a security issue, I think everybody recognized there's nothing inherent with macOS, that makes it not a security risk. It's just that there aren't as many of those endpoints as there are Windows endpoints. So fish where the fish are.

DEVIN BYRD
For the longest time, it was just one of those things was like, why would I create malware that only affects 3% of the population where I can create something that's going to hit 97% and have that bigger net to cast.

PAUL ROBERTS
Right. Okay, so you guys are in EDR space like what obviously with the shift to remote work, hybrid work... really big changes in the way that companies are managing their IT infrastructure what that looks like. You know the whole notion of a perimeter is long since dead.... what are you seeing right now in the EDR space? What are the big trends and what are you hearing from your customers in terms of what they're looking for in terms of protection?

DEVIN BYRD
Yeah the biggest thing is, the shift to remote work, it took out a lot of security measures that a lot of places had in place. People were used to going into the office and they had firewalls and they had all these different kind of layers of security that was put in place.
The shift to being remote, it changed all of that because you may have a Meraki router or Palo Alto firewalls or something in your office that the normal home user doesn't have. And then the normal home user, they're like, Oh, I want, remote light bulbs that came from China for $5. You don't know that may have a backdoor in it.
So you're just opening up a lot more security vulnerabilities, a lot more risk. So it's been something where you really have to maintain and monitor, not only the stuff that you know are going to happen, but watching for processes, watching for things that are going to be completely different or off key from what people are used to doing.

PAUL ROBERTS
Okay, final question. You brought it up, which is the supply chain threat, right? The MoveIT hack, the Office 365 compromise, like we are seeing threat actors targeting suppliers, major suppliers to major organizations as a way to circumvent security protections.
As an EDR vendor what's your take on that? Does that change the requirements for a company like Kandji or is it just, keep doing what you're doing?

DEVIN BYRD
It changes things, but it doesn't. We always know that those kind of things happen. It's not the first time we've seen the supply chain kind of attack happen, but it's getting more prevalent.
What it makes us do is become more aware that even though traditionally this software may be safe, we still only let our guard down. We can't just trust and not verify. We need to trust and verify everything that we're going through and looking at. So being able to not only validate, hey, this software is good, but what is that software doing? Monitoring its behavior, it's gonna still see things regardless.

PAUL ROBERTS
Okay, if our listeners, our viewers, who want to find you online, where can they find you?

DEVIN BYRD
So I'm on LinkedIn. And then if you ever need to get in contact with me as far as anything else, I'm also available through Kandji stuff. You can email us through there. And our threat team's happy to answer any kind of questions or do anything from that side too.

PAUL ROBERTS
Hey man, thanks so much for coming in.

DEVIN BYRD
Yeah, absolutely, Paul. Thank you.