A Simplified 24/7 Cyber Security Approach, Managed Defense!

EB=Eleanor Barlow
CC=Chris Cheyne
FT=Feras Tappuni

EB: In SecurityHQ’s latest podcast, we are joined by Feras Tappuni, CEO of SecurityHQ, and Chris Cheyne, CTO of SecurityHQ to discuss Managed Defense, what it is, why it is needed, and how businesses can get the most out of the service to enhance their business, cyber security posture.

FT: You know, within our industry, things are nuts, right? I was going through this process where I was just thinking of the acronyms just around our space and you got SIEM, EDR, EPP, DOP SOAR, MDR, XDR, UBA, MSSP and I just stopped. I mean, it’s completely crazy. So if I wanted to ask right?

Take all that nonsense away, All the stuff that we hear constantly about zero day attacks and we’re going to be able to stop that where everybody knows that that’s not possible and AI and all that kind of stuff.

Let’s boil it down back to basics. What do our clients want?

CC: Yeah. Yeah. Well, it’s, I mean. What they, I don’t think they necessarily want an XDR product or an MDR, EPP.

A guy walks into his office Monday morning and he’s going to have to have Peace of Mind that his week going to go well. He’s not going to, nothing’s going to fall over. He’s not going to get compromised. His data is not going to wash up on the dark net. That his job is going to be intact. That’s what our customers probably or organisations are really interested in and they just want defence. They just want to know that someone is looking at their environment, they know what’s normal, what’s abnormal, they can reach in, they can block it, they can stop something, and they got Peace of Mind in and around that. And the problem is that the marketing teams have just gone wild by if I tag it with XDR, it will be better. It will taste better.

FT: Yeah, because everybody else is doing it right.

CC: Or I’ll say I’m delivering an MDR Service, but only for the endpoint and forget about the firewalls or the e-mail gateways or what’s happening on the Active Directory and think that because I’ve said it’s an MDR product, that it will actually do what it needs to do.

So I think there is a lot of confusion, it’s driven by, you know, the next buzzword in the market, and I mean, I feel sorry for these guys who are not necessarily security experts, but they need to be and they just they need a team that can just come along and help them do it and it’s not going to be dealt with an acronym.

FT: We certainly don’t do ourselves any favours as an industry when you start seeing banners as we stop zero-day attacks.

CC: Yeah. Yeah, exactly.

FT: Which is just more nonsense because how would you know? How would you know? But our clients are metamorphosizing. What I mean by that? Right, you’ve got. They’re all going through some form of transition. They’re either in the cloud, going to the cloud, changing the cloud. They’ve got remote workers, they’ve got on site workers. They’re acquiring companies. They’re selling companies. So their network is more dynamic in many ways than any other ways, but it’s still, you know, correct me if I’m wrong here. It’s still the basics.

By collecting your security tools, using their security tools, using their applications To ingest, to correlate, to create and alarm.

CC: Yeah. Exactly. Exactly.

For me, it doesn’t matter where you getting the data to security analytics. It could be in the cloud, It could be a Paas or SaaS system in in Azure or AWS great, could be infrastructure as a service, on premise data centre, that data and harvesting that data to put yourself into a defensive posture to be able to understand what’s normal, what’s abnormal, it doesn’t matter where it resides. So again, the idea that just because something is a past service in the cloud that you can’t use that data can’t get that data, that’s that’s a nonsense. Anything that’s enterprise grade will give you that data and you can use it for defence. You can use it for correlation defence. You can then, orchestrate playbooks to isolate and block and stop just the same as you can on Prem.

FT: At the same time, you can’t turn around to a customer, can you? and say all that security stuff you’ve bought, you don’t need that anymore. That’s because they’ve spent sometimes millions on this.

CC: Yeah, absolutely. I mean, I think in some respects. You go out and you invest in these really good tools, next generation XYZ, next generation endpoint system or e-mail gateway or file or whatever the case may be and there is nothing more dangerous than an unconfigured next generation something, where it comes back down to the whole concepts around security theatre.

“I’ve invested money. I’ve bought this really expensive tools, it cost me an arm and a leg, it’s bright and shiny, great branding and the marketing team behind it is wonderful” That’s really dangerous because we see it all of the time where there are amazing tools, endpoint tools that have been deployed in default configurations where they’re not really going to stop much at all. So they need they need to be configured, someone needs to look at it, someone needs to do something, be on-hand to attend to it and triage it. The tool itself does nothing, so you know, I think that’s one of the more dangerous aspects.

There are some great things that are happening at the moment, you know that, I think the simplification of some of the cloud service providers, you know, I think Microsoft are doing some good work there. IBM is doing some good work there, If you look at one of the great things that come out of it, Azure Sentinel, is that it’s  pushing people to look at doing something that they weren’t doing before. You know, let’s log that data, let’s see whether we can correlate and find patterns of behaviour that are unusual.

But then it becomes the the next challenge is, well, what are you gonna do about that at 2:00 in the morning! So there are, there are definitely some really good stuff that’s that’s happening in terms of simplification of security or making it more accessible, that’s for sure. There are tools that none of us would have dreamed of having years ago. An endpoint solution, a basic endpoint solution, a commodity endpoint solution that’s got machine learning baked into it and some degree of AI if you believe.

FT: Going back to the basics, right, so you’ve got all these new tools coming out, you’ve got some incredible features, a lot of features that our customers are not actually using quite often. But it’s not their day job, is it? You want to still simplify as much as possible with managed defense, well, what we call managed defense.

So you go through an onboarding process, you know, let’s say you take on Managed defense, that takes you to a certain level, then you get the monitoring piece. Talk to me after we go live. What happens then? So you’ve used a combination of our tools and our cloud or our on-Prem. You’ve got it up and running. But that’s just Day One right?

CC: Yeah, so Managed Defense. We always start with events. we wanna orchestrate the event collection, as you said we on boarded it, we’ve got all of the events coming in from various different systems, which is great. It needs to be normalised. You need to understand what is a normal pattern of behaviour. You know, who normally logs in at what times and what geolocations, what’s a normal traffic, inbound, outbound… Understanding also some of the weaknesses that you have. So the great thing about log data and this comes into baselining is it’s going to identify where you’re using maybe out of date protocols and where you have certain traffic routes and misconfigurations, so you’ve got to go through that baseline period.

Now this sounds difficult. It is a bit of a tradecraft. It’s why you don’t try. It’s why you get a provider to do it. But our Managed Defense services is really focused first around getting that baselining in so that we understand what is normal, advise the customer in terms of weaknesses and posture issues that need to be improved because obviously we’d much rather be in preventative mode, proactive, closing down back doors and weaknesses rather than having to deal with 1,000 incidents.

FT: So what do I get as a SecurityHQ customer? That’s, you know, for the argument. We started the onboarding, the fine-tuning never really stops. You’re using some of my tools. We’re utilising SecurityHQ’s tools as well, and now I’m being covered 24×7 right through my SOC.

CC:So we’re up and running with baseline, so you know, we want to be hardening our instant response, so something’s gonna happen and you know whether it is something that is minor in nature or whether it’s major if it’s a major incident.

FT: How many tickets do I get? And you know which part are you doing and which part am I doing?

CC: Well, it’s a funnel, right? So we might be collecting. 500 log events a second for example, we’re going to funnel that down to the different alarms and correlated activity. In the end, we have those notifiable security problems that we’ve qualified and we said this is a problem and all the analysis around that, we don’t just chuck the problem over the fence and if we have that major incident, then the first thing that we potentially would be doing would be to open up a bridge call with the customer, you know, we’ve got a suspected around somewhere situation here, we need to take action.

FT: OK.

CC: And that’s instantaneous it it’s it’s not a question of right, we’ll deal with the alarm, we’ll do an investigation, we’ll raise a ticket and then some time a call. You know, it’s immediate.

FT: OK. A couple of questions here. So being the customer or the client, I’ve only got three people on my team. I can’t be dealing with 55,000 alarms a day. I need to be really focused on. I need you as my cybersecurity provider to tell me what I’ve got to do. So can you talk me through? How do you clear? You know, I don’t want to drink from the fire hose. I don’t want all the false positives. I just want to deal with what I gotta do, because I just haven’t got the bandwidth.

CC: Those prioritise major problems that are high risk that they could impact confidentiality, data, availability, systems… those things that we say are major and critical, I would say we’ve gotta be playbook in those, and we’ve got to be saying what action do we want to take? isolate the user, the host, the network and that needs to be done in an automated way. We’re only going to automate our way out of this problem, because our adversaries, they’re also automating, you know, they’re scripting jobs. If you get compromised, most of the actions are fairly automated, so you need to fight fire with fire here.

So in the end, if we’ve got that high severity threat, maybe we’ve got a non malware related threat, some anomalous use of PowerShell or something like that’s gone wild. Then we need to be suspending that user account immediately, in an automated way based on rules of engagement with playbook. So see bad and take action immediately.

In under certain circumstances, obviously you can’t do that. You know the action you take may cause more damage than it’s itself. So that’s not carte blanche. But that’s the approach that you need to take, and then that buys you time to run a proper investigation. So you got a team of a couple of guys and they’re not security experts. That’s why you leverage the SOC team to detect, to support containment and then come back in to do the investigation to see what happened, what went wrong, what were the lessons learned.

FT: If you start getting these alarms middle of the night. And you can’t reach us (customer). Or how do you reach us? What is your normal standard? Is there some form of agreement we have when you call when you don’t call? How does that work so?

CC: We have a mobile app (SHQ Response Mobile App) because the reality is that it feels like you’re working from your laptop all the time, but the reality is weekends, evenings, nights. So we have a mobile app and yeah, we can reach out to you, we can call you, we’ll get you on the phone if the house is on fire but at the same time you have the mobile app, you can look at what the SOC is working on, what instance that we think are interesting prioritised issues, connect through to the security analyst with the click of a button, just push the button will connect you through to the SOC, who can support you to deal with things. So, we we’re trying to remove that friction and really sort of put the power of SecurityHQ’s SOC into the hands of the customer on the mobile phone because that is that’s how we do our lives. Right. We’re going to train and something happens. You’re not going to flip your laptop.

FT: Yeah, of course you not.

CC: So you know that’s the key way.

FT: SecurityHQ runs 6 Global Security Operations Centres around the world. How are you leveraging that globalisation of those SOCs to really enhance the value of the customers? Is it a case from threat intelligence? Is it a case from just fall back capabilities or is it just because you see everything, just visibility?

CC: First of all, it’s process of continuous service improvement. I mean you learn something new from some incident in some location, 1 industry every day and then you gotta cross-populate that across so you know there’ll be a team in one of those regions in Australia or India or US doesn’t matter where it is.

They’re going to see something. It will be interesting. We’ll have a new use case out of it. We’ll have a new attack methodology identified and a new correlation rule, a new way of handling something, some IOCs, whatever the case may be. And that gets populated across. So you’re not completely tunnel visioned.

Also, some of the demands of our customers, You know there are and they have different demands in different regions and they push us to improve the service in subtly different ways in different regions and everyone gets a benefit.

FT: Just before I move on, I wanted to talk as well about because you mentioned earlier about the playbooks and the use cases. Are those customs, have you got them out-of-the-box? How do you handle that and how do you develop them going forward?

CC: So they’re scenario based, they’re they’re almost always linked to an use case, so a playbook would link to let’s say that there’s a a particular phishing type of attack, impersonation, phishing impersonation event for example. What do we want to do about that versus a user’s clicked on a phishing embedded link for credential harvesting? Two different sorts of phishing problems that have two different responses, so the second one where if the user clicks on a link that is directed to a creditor harvesting, then we want to be insisting that the passwords are reset for those particular users, so the action, the containment action is password reset.

So we we have a list of use cases where there’s the common responses and those common responses are agnostic to the end technology. So if we want to block a firewall, an IP on a firewall, I don’t care whether it’s checkpoint, Palo Alto, Fortinet or Cisco, we’ve got the integrations with all of those common firewalls and more. What we need is the logic to say when do we block an IP and a firewall so and the common thing would be, let’s say that we see a known C2 communication.

FT: OK

CC: We don’t want to hang around here, let’s block the IP. We need to be able to execute that on whatever technology the customer has. So we have a whole bunch of playbooks, we customise them as well because every customer is a little bit different, some customers will say “go ahead and isolate and use workstations”, you know, that’s fair game. Others might have a different opinion, they might want to say. Yeah, isolate, but call first so that playbook is subtly different, so we can configure that, that’s not the issue.

The use cases that we have that are triggering these these scenarios, I mean, we’ve got something like 2,000 use cases now and growing almost on a daily basis with new technologies, new threat attack methodologies or ways of detecting. No one has a monopoly on these ideas, some come from our customers, some come from our own content team.

FT: I want to change the subject slightly because I want to talk about a subject that we that nobody in our industry ever really talks about. I mean, I watch and I see our competitors and and different experts talking about how to detect and resolve and things like that.

But very few people talk about what happens when there is an incident and what is the role of your MSSP or your SOC within that scenario? So if I was to give you a scenario where you (as SecurityHQ) have detected us, us being the customer or the client, that we are seeing malware being profited across some of our databases in a certain data centre that we run, talk to me about minute one. The alarm gets raised. it comes out as what you define as P1?

CC: Yeah. so what’s gonna happen here is, first of all, it’s going to be correlated. So we’ll have identified that that problem exists. A lot of the use cases that we have, have a fair amount of automation now in terms of building in intelligence.

So that host has been impacted. What do I want to know?

First of all, we want to know the users that have touched that host, who’ve accessed that particular host, what the host has communicated with, what the file is, is it on any other systems and that type of information we collect in a fairly automated way, we serve it up to the analyst so he knows. We’ve already created a ticket so this is within seconds. Alerts triggered within seconds, the customers got the incident, so it depends obviously on how complex these queries are, but seconds to minutes, so the incident is now in play, if it’s a major incident, we may have also a playbook associated with it, so we may have already called a containment action to isolate that host. So we may already have a situation where something’s happened, host is isolated.

FT: OK. But, I’m interrupting you here, so we see this, we’re shutting things down, we’re isolating it, at times you have to actually, in extreme circumstances,  network is down, right?

CC: Yeah, that’s a multi host situation. So we’ve got a critical incident here, multiple hosts are impacted, multiple user impacted, so now we’re on a bridge call with the customer.

FT:What is your processes though? I mean, are you using incident response processes? What kind of, you know, talk to me about the type of people on this kind of call? What’s the quality of those people?

CC: Yeah, it’s everything.

It’s structured. We use an NIST incident response procedures processes which talk about first identify and then we respond, eradicate and contain.

So on the bridge call, you’re going to have an IR specialist and that not all. We’ll be with you in for hours, that’s immediate, always manned, always in the SOC, 24X7, something happens, someone is on the call with you to support you and attend to it.

And I’ll come back to this in a moment. That one of the things that is so wrong right now with the cyber insurance situation.

But we’re on a bridge call with the customer and we take we take the place of the incident manager.

FT: OK,

CC: So we are the guys who are saying. We need you to do this…

FT: And is that included in the service?

CC: Yes! And it can’t happen without it, because in the end we are going to have an incident or two, they may be minor, they may be major, but we need to plan for the worst and we will be there to support into the management. We will tell the customer what to do, when to do it, you know, it becomes an A&E really type of environment, we are, you know, the doctors in the room, the customers are the patient, we are directing what we need to do.

FT: It’s not. Yeah, it’s not like in the movies, is it? It’s actually very quiet, very focused because we spent a lot of our time letting the engineers do their work, right? Because you have a lot of background noise. You’ve got the CEO calling, you’ve got legal calling. You’ve got everybody screaming and shouting and actually what you’ve got to do is make sure isolate the noise from the people doing work.

CC: Well, the customer’s full of emotion at this stage. You know, there’s a lot of emotion that’s going through the customers staff’s mind, you know, guilt, was this my fault? Or what am I gonna do? Am I gonna get the blame for this? And all that.

FT: Yeah, so stages of grief, isn’t it?

CC: Yeah, exactly. So really that’s where we come on. Unemotional, this is what we need to do. It’s a big call to shut down a firewall.

Let’s say you have ransomware, we say, right? We we want you to disable all your domain admins, we want you to isolate a file. Those are big calls to make, you know? So yes, have your playbooks ready documented, all that kind of stuff. Someone’s going to make the call.

FT: Yeah, but for me to make the call on these extreme circumstances, right, you gotta provide me the right information so I can, because you don’t in a corporation, you don’t make calls in isolation. I’ve gotta speak to my board. I’ve gotta explain to them. This is why we have to do it and they will ask.

Well, how long will it be? How long will it take?

Invariably, there’s in these extreme situations, right? I mean, correct me if I’m wrong, Chris, but there’s actually very limited choice. Sometimes you just have to do certain things.

CC: Inaction is the worst thing.

FT: Yeah, No decision making.

CC: Yeah, exactly. So that’s where I say, of course we can’t make the decision for the customer. But what we can do is forcibly recommend. We recommend to do this because we know that’s what our experience says and that’s the right thing to do.

Going back on to the cyber insurance piece. We’ve worked on multiple major security incidents where the customers had cyber insurance and they’ll be here next Thursday, you know. Meanwhile, you’ve got a business to run. You’ve got stakeholders screaming, you’ve got regulator issues and all this kind of stuff, you gotta get it done. So, that’s why, what we include within our managed security services, is not just incident management but on all of our Managed Defense services, we include five days worth of digital forensics and investigation work, because you don’t want to be dithering around with paperwork and insurance companies and trying to get someone on the phone and they’ll be here next Tuesday. It needs to be that same moment that someone is there to, to actually support you and attend to it without having to get into give me a purchase order for this and the other.

FT: But ultimately, insurance, like any type of insurance, is after the event!

Ideally you don’t have the accident. Ideally you don’t have the incident. Yes, it happens,  Yes you should have people and processes and incident response capability at your core, that’s that is the best insurance.

But the best way it’s similar like a health, going to the gym regularly and do that, you’ve gotta have the capability to monitor and detect, right?

CC: Yeah and be proactive around it as well.

So your point around going to the gym? What we do every single week is we take our customers to the gym. Every week, we’re there on a on a weekly call. We go through their data, we’ll identify where there are policy issues, risks, misconfigurations, stuff that are just home goals, things that we can fix now that reduce your attack surface, reduce your risk, reduce the vulnerabilities exposure, and in doing that, obviously, hopefully none of that bad stuff is going to really happen, you know, so we have customers where we’ve really pushed that, we’ve created initiatives month or month or month to to improve their posture. And we’ve never had a serious major security incident.

FT: Because it is a journey, isn’t it?

CC: Yeah. Yeah, it is.

FT: When customers take on Managed Defense service. It really is a journey, and that’s just day one. When they say it’s not like a, you know, pay and forget that. Not at all. It’s a weekly. I mean, what do we get? Daily, weekly. what do we get from the SecurityHQ’s Managed Defense service?

CC: So we have big data analytics platforms that allow us to to create very interactive reporting where you can visually see where some of the problems are, the patterns, the normalised data and then every week with showed it to the guestbook. These are the problems. This is the analysis around it.

FT: We get a call? We’re on a structured call?

CC: Yes a structured call, with a cyber security manager and a Level 3 analyst analysis that’s going to be there guiding you through all this stuff, so the value of that consultancy services alone is huge. It’s one of the biggest positive feedback we get from our customers.

FT: Do I get to see everything, all the incidences, all the tools?

CC: We will go through, of course we’ll go through, what are the incidents created within the last X number of days? What’s open, what’s closed? What are the lessons learned? But then we move on to the data analytics and see where we can improve the policy and posture of the organisation as well. So you know, we would put in hours and hours of work prior to the call. So we turn up with meaningful information to actually guide the customer forward.

FT: Do I get a report as well?

CC:  Yes, you do. A very interactive report.

FT: And then at the end of that interaction that I have weekly, other actions generally that I have to do as well as a customer or the actions or is it just a we’re just checking in kind of thing?

CC: Those things that we think are risks, let’s say we’ve identified this week that your DNS is resolving to all sorts of risky locations and geolocations, we need to harden that up. It’s a risk. Yeah. So we document that risk on the risk register and we may decide that we open a ticket around an incident if we think there are specific risks associated with that more instant related and we live with that risk register, so it becomes your To-Do List.

FT: One of the things I’ve noticed and as we bring this to a close, is that, I’ve noticed this actually in the last 18 months, the way our clients have changed that it’s no longer and hasn’t been for a while the per view of the big enterprise, we’re seeing more and more smaller to medium sized businesses engaging with security for Managed Defense, because they have the same risk, right? If anything, they have more risk because they have less money, they have less, less capability.

CC: Yeah, exactly.

FT: So they’re actually way more exposed and I don’t think that’s gonna change.

CC: No, it’s not going to change. A small business would have all of the same tools, just less, less IPs, less users, whatever it is you know, and in a way, they have bigger risks because their capabilities to deal with those problems are less mature. So therefore the risks are larger.