LW: Welcome. Thanks for joining everyone, my name is Lee Waskevich, vice president of security and networking strategy here with ePlus. Today, I’m joined by Randy Watkins with CRITICALSTART.
RW: Hey! Thanks for having me on.
LW: Absolutely, absolutely. Appreciate you joining us.
LW: So, we’re going to run through a few different questions today, mainly regarding managed detection and response. We’re seeing a ton of activity in speaking with our clients around the subject, customers that are dealing with attack vectors, moving workloads into the cloud. They’re struggling with retaining talent or training talent, being able to provide a strong sense of security operations. From your vantage point with CRITICALSTART, why do you see MDR gaining so much attention?
RW: There’s a lot of traction in the space and there’s multiple reasons for it. Something that we come across, pretty generally when customers are looking at MDR, is the ability to provide 24×7 monitoring.
RW: So, that’s something that is kind of being amplified in terms of importance because of nation-state sponsored attacks or crime-based attacks that are overseas. And they operate on much the opposite schedule than a typical eight to five security team does. So, just that availability of 24×7 response is driving the overall MDR market.
RW: Another thing that we see pushing us forward in terms of MDR momentum is operationalizing technology. I’m sure everybody’s seen it or been there, done that. But you look at the technology that a customer has or that an organization has, and they’re not using any of it. It’s kind of there but it’s not plugged in, or it’s plugged in and nobody is looking at it. And what that results in is kind of wasted resources. And as resources are so limited, organizations really have to take advantage of everything that they have and that means fully operationalizing their technology.
RW: Well, you kind of talk about the lack of resources in the space and how hard it is to attract and retain those resources and, you know, kind of transferring that risk of the resource is a good choice for organizations that want to be able to operationalize their technology.
LW: Ok, great. Yeah, we see that as well. You know, consulting with clients and their security program, relooking at their architecture, we see a lot of shelfware out there. You know, they’ve made good, strong choices, but I think they get drawn into the day to day type stuff and they never go back and optimize, they never go back and integrate those technologies. So, a service like MDR helps to put a lot of that operational piece together.
LW: How about from the size of organizations that are good candidates for MDR. Can you comment on what you see in terms of who makes a good customer for Managed Detection and Response?
RW: Yeah. So, when we started the MDR business about five years ago, we really thought that our average customer size was going to be between 500 and 1,000 users. We figured that was a sweet spot and we really looked at it like that because we figured the larger organizations, the enterprises, people with 5,000, 10,000, 50,000 users. They were going to have a more mature security program. And we started to really market towards the SMB space, that 500 – 1,000 users.
RW: Well, what we found after the first year was our average customer size is about 1,500 and growing. And it was because, although we’d love to assume that large organizations have much more secure environments, that wasn’t necessarily the case.
RW: So, now what we see is kind of broad adoption of MDR from the 10-person dentist office, all the way up to, you know, we have customers that are 100,000 users. And it’s because of what you just talked about.
RW: They’re continuously going from implementation to implementation to implementation. They never really get to operationalize the technology. So, they install a SIEM, they install IDS, they install an EDR, but they’re not really getting anything out of it, because when they get done installing it, they move on to the next project. They never get to resolving those alerts. So, even the larger organizations are having a difficult time getting the resources to both implement and operationalize the technology.
RW: So, right now our average customer size is probably somewhere in the 8,000 users range, but we have customers that are 100,000 endpoints, we have customers that go through MSPs that are 10 endpoints. There seems to be no bounds as to what a good market for managed detection and response is.
LW: Ok. So, it really can cover any size and scope of an organization as long as they have the guidance to see, “Hey, we really need to spend some, some focus on operationalizing things.”
LW: You know when you, when you look at managed detection and response, you know, the detection and response piece was, you know, kind of came along for the ride with endpoint detection and response. We saw technology providers, software, around that endpoint shift over the past 18, 24, 36 months. Why do MDRs focus so much on the endpoint and how does CRITICALSTART use that in relation to their service?
RW: There’s two main reasons that we focus on EDR. One, it’s a definitive source for information. And what I mean by that is, if you think from an analyst perspective what you’re going to do when you get a firewall alert or an IDS alert or a, I mean, most types of alerts. If I get for instance a blocked outbound C2 communication, the first thing that goes through my head is, “what’s happening on that endpoint that is causing it to communicate outbound to a C2”, right?
RW: So I’ll want to identify the process that’s trying to communicate, the user context, how did that process get there. I really want to dig in and figure out, not the nature of the network request, but what’s making that network request.
RW: So, that’s the first reason. The second reason is because the endpoint is the best place for response. I mean, there’s really two places you really want to be able to respond and that’s on the endpoint and via Active Directory with disabling user accounts.
RW: We really look at the endpoint as a way for us to, you know, we have managed detection and response, we look at the endpoint as a great way for us to respond.
RW: We did, for a while, block things at the firewall and what we found was users are mobile. They would take their laptop home and all of a sudden they’re beaconing out again. So, that’s why we have a focus on endpoint.
RW: Now at CRITICALSTART, we make very, very deep technical integrations. What we do is, we’ll use API’s to pull in the alerts that are created by these different endpoint products, and then we use the API’s to go back and get additional information, as well as performing those response actions.
RW: So really, we’re making our integration so tight that our analysts and our customers can work through our platform to do just about everything they can do inside of that endpoint. And what that does is it breeds efficiencies.
RW: The endpoint is really a strong place for us to kind of leverage the technology to not only create the service but also gain that efficiency of keeping all of our analysts in a single queue, in a single platform.
LW: Okay. All right great. That makes a ton of sense. I think another unique aspect is your model for resolving alerts, right? Many SOCs and MSSPs and customers that try to do it on their own, they deal with alert fatigue because there’s so many events and things like that coming in. Can you talk about how you accept risk and the models that you have around resolving alerts?
RW: Yeah. So, in terms of risk acceptance, we don’t, right? Because that’s on the customer to do. When you look at, I think it’s important that you called out MSSPs, MDRs, as well as internal SOCs. They all suffer from the same issues, which is we’ve looked at security products, we’ve looked at manufacturers to be extremely effective at detecting attacks.
RW: The problem is, when you’re effective at detecting attacks, you’re typically over detecting as well, right? It’s always better to err on the side of a false positive.
RW: So looking at how MDRs, MSSPs, and in-house SOCs, looking at how they respond to these alerts that are coming in and the false positives. There’s really two ways that we’ve seen organizations deal with this. The first was what we call input-oriented, where you’re essentially shutting off speeds and feeds that are maybe lower fidelity or that garner too many alerts. And the problem with that approach is, you’re accepting unquantified risk. I mean, you’re accepting risk that you don’t quite know you have because you turned off the product’s ability to detect that risk.
RW: So that kind of makes the product less effective and what ends up happening is, you get breached and you go, “Why didn’t we pick this up?” Well, because you had to turn off the rule.
RW: The second way that we see is called prioritized or priority oriented. This one is extremely common. We see it in SOCs, we see it in different MDRs and MSSPs. And this is where you kind of start at the top of criticality and you work your way down the stack until you run out of resources.
RW: So, “Hey, we’re going to look at criticals. If we have enough time, we’ll look at highs.”
RW: Most organizations never get to the mediums and lows. The problem with that is you’re accepting quantified risk. So now you know that it’s risky, you have it up on the board in your SOC but you say, “Oh, it’s a medium. We don’t have the resources for the organization that the business is going to accept that risk.”
RW: And that one’s kind of dangerous because we have pretty well-documented cases of multiple times when an alert has shown up in a SOC, but it was a medium or low and it got kind of brushed off, and then it resulted in significant breaches, executive-level turnover, massive disclosure, billions of dollars in loss.
RW: So, when we started the MDR, the goal was to not do any of that. Hot tip for anybody watching, if you want to accept risk, you don’t have to pay anybody to do that. You can just do that by yourself.
RW: So our model seeks to accept no risk. So what we do is, we look at every single alert that a product generates, that a security product generates, and we resolve every single alert that comes in, so we’re not accepting risk and we’re not limiting the effectiveness of the product.
LW: Ok. Yeah, makes a ton of sense. You’re taking it all in. You’re the ones making the determination on that through your technology, through your skills and training. Alright. Excellent. Yeah, that makes a ton of sense.
LW: I think another important piece, outside of you mentioned how you do so much around technology integration, you’re leveraging the technology stacks that a customer has, but there’s also a people component to this, right? Because when a customer interfaces with their service provider, especially as security service provider, many times it’s over email, or they’re picking up the phone and calling someone. Can you talk a little bit about CRITICALSTART’s culture and the analyst retention rate that you guys have?
RW: Yeah. So, we consider ourselves a technology-enabled service. And when you look at the spectrum there’s kind of two sides and then the middle. So the two sides, you have MSSP on one side. They view this as a people problem. We’ll throw more people at it, throw more people at it, throw more people at it. That usually results in high turnover, because you’re not solving the underlying problem.
RW: But then there’s a SaaS model. The SaaS model says this is purely a technology problem and we’re going to create a platform that does all this automatically.
RW: And then there’s kind of tech-enabled services that sit in the middle and that’s where we are.
RW: So what we did was we created the platform first that helps us resolve every alert. And then we found a way to kind of avoid analyst burnout. If you look at the number one reason of analyst turnover, it’s because they’re all looking at the same alerts over and over and over and over every day, and there’s no resolve. So, we built a platform that allows us to get rid of that problem by resolving every alert, and then once we see it once, we’ll automatically resolve it in the future.
RW: Well, what that has led to is a 99% employee retention across all of our SOC analysts. We’ve lost one analyst in the last five years. And what that means is, we can spend a tremendous amount of time, energy, resources, money training these analysts to be fantastic, world-class analysts. There’s an old adage I love to refer to: would you rather train an employee and risk them leaving, or not train an employee and risk them staying? Well, if we solve the problem of them leaving then we can sink the resources into training them and making them world-class analysts.
RW: So, all of our analysts go through about 160 hours of training before they ever touch or see customer data. After that when they become an official tier-one analyst, they know how to get to become a tier two and that involves x86 and 64-bit programming classes so they can start to reverse malware. Now that’s just at tier-two. There’s tier-three and four as well. They get into threat intelligence and campaign identification, as well as different leadership roles.
RW: So really what we did was, we created the technology that really encourages people to stay and it kind of gets rid of the mundane, so every alert they open up has the potential of being a new APT, a new piece of ransomware, a new piece of malware. And then we train them to really dive into every single one of those alerts and what the result is, is a fantastic service for customers where they feel like they have a world-class SOC at their fingertips because they actually do.
LW: Gotcha. No, that makes total sense and it does provide, I think from putting myself in the customer’s shoes, a higher level of confidence in the resources that are helping me to operate my security and to help detect and respond against those threats. So that’s great. Thanks.
RW: To add on there, what we see is customers being able to elevate their resources, because of our resources. So we go into a lot of organizations especially these ones that have 10, 15, 50,000 users. They already have a security team. It’s not enough to provide full 24×7, but there is a security team there.
RW: And a lot of times when we come in, the analysts on the team they’ll start to have this whole “are you outsourcing my job” type mentality. No, no, no, no. We’re taking the tier-one and two. We’re gonna escalate things to you to be responded to. You get to elevate your position to incident responder to pentester to threat hunter. You get to get rid of this, “Hey, I’m looking at all of these alerts today,” and you get to really move into, “I’m going to find something unique, interesting, truly different inside of my environment.”
RW: So, our resources and the training that we put into that really kind of allow the customer to elevate their limited resources to positions that are more valuable to the company.
LW: Right. Yeah, that’s especially true right now. Especially as budgets are tightening and others want to make sure the resources are being used for what they were hired to do or what they had the capabilities to do.
LW: That’s where the strength’s going to be. Very much agree.
LW: Last question, we’ve been having this conversation a lot around, you know, this is being recorded in Fall of 2020, so you know since the March time frame, since everything that’s gone on globally this year. What has changed in your world since that time and what you’re seeing from both, you know, the CRITICALSTART standpoint of the security spectrum, if you will, of all of these threats and alerts, as well as your dealings with clients? Any insights you could provide there?
RW: It’s been a rough couple of months, right? I mean, a lot of organizations trying to adapt and figure out how to keep their business operational during this time of COVID. We’re seeing a lot of users go into work remote, including the security team. And that’s what most organizations are, that we’re talking to, or dealing with, or that we’re exposed to, is “hey, how does my security scale across all these remote users?” Because when users go home, regardless of whether they’re using a corporate asset or a personal asset, they’re more likely to do things that maybe aren’t work-related that generate more and more alerts. So, what we’re seeing is a lot of users going to work from home or working remotely and then a spike in alerts, but because the security team is now all remote there’s an inherent efficiency loss. So, you have more alerts, you have less efficiency on the security team, and you have to deal with every one of them because hackers see this as a great opportunity.
LW: Yeah, exactly.
RW: From an attacker’s perspective, never let a crisis go to waste, right? So, we’re seeing massive email campaigns with a ton of COVID attachments, we’re seeing a lot of drive-by downloads, we’re seeing a lot of spear phishing, we’re seeing a lot of email compromise, we’re seeing a lot of whaling. I mean, kind of all the attacks are starting to bubble up, not just because COVID is a great excuse to send out an email, but also because it’s very difficult for me to kind of yell across the room and say, “Hey, are you sure you want me to transfer this money?”
RW: So, this whole remote worker issue combined with the hot topic of COVID for attackers to leverage, is really just spiking the alerts. From our perspective on the business side, we’re seeing a lot of customers come to us saying, “how do we remedy this.” And we have a pretty obvious answer, you know, Managed Detection and Response. Let us take the tier one or tier two and some of the response capabilities, use your limited resources to help deploy policy or provide user education, and let’s see if we can drive up the security posture of the organization although everybody is remote.
RW: So, it’s kind of this perfect storm that we’re trying to fight against and it’s a unique battle.
LW: Yeah, exactly. We see the same thing from the ePlus side and it’s about helping that customer to drive their program forward. So yes, this Managed Detection and Response becomes a very, very important piece of that. And dealing with, you know, preying on the curiosity of people, preying on the fact that everyone is so distributed, there’s a lot of weak areas of the chain, if you will, that can be exploited and without the proper controls and without proper emphasis and focus on it, it’s really difficult for organizations. And we see it every day in the news, something different on either a breach type attack, a lot of ransomware being hit. All those pieces can be mitigated to a degree with the proper precautions being taken. So awesome. I appreciate that.
RW: Yeah and that’s another reason why we focus on the endpoint. Gartner has their triad of logs, network, and endpoint, and nothing against network, but when all of your resources are distributed and once you have always-on VPN backhauling all the traffic, network kind of wanes in importance.
RW: But you’re going to have an agent, right? So, we focus on endpoint because it allows us to reach out and touch those remote resources and still maintain some level of visibility and protection even when the users are working from home using a SaaS-based application.
RW: We’ve had to find better ways to go out and work with those remote resources. A lot of customers that we’re talking to are reevaluating their endpoint solution to make sure that it’s the right one because now that’s growing in importance. We’ve done a lot of consultation with ePlus and customers saying, “Hey, let’s have ePlus work through all your different requirements and find the right solution, then we can sit on top of it and manage it”.
RW: One of the big perks for CRITICALSTART is, we don’t just tie into one solution. We support multiple endpoint products. So, ePlus can really go in, do some consulting with a customer and say, “Hey, based on your requirements your organization, this is probably the best solution for you,” and CRITICALSTART can then come on over top do that tier one and two to really not just promote the resources necessary, but also the correct solution.
LW: Right and bringing that full circle then they’re faster time to operation, right? And actually finding that efficiency with the purchase that’s being made, with the investment that’s being done, rather than trying to sit there, integrate slowly roll it out. With CRITICALSTART services on top right away, you’re immediately recognizing that value. Awesome.
LW: Well, thank you, Randy. Once again this has been Randy Watkins, CTO with CRITICALSTART. Don’t let the guitars and black t-shirt fool you. It’s not Dave Grohl even though a few times I thought it might have been. I’m sure Dave Grohl knows much about MDR, but again this is Lee Waskevich. I’m vice president of security at ePlus. Thanks for joining.
RW: Thanks, Lee.