Managed SOC Service Augmenting Technology with a Human Cyber Response


Kromecast. Check it out.

I'm Sam Mager, Managing Director for Krome Technologies. On this episode we're talking about managed SOC services, advancements in cyber threat, and how to mitigate that threat and protect your organization. I'm fortunate to be joined by my business partner Rupert Mills (Hi, Sam), our technical director, the one and only Ben Mandel (Hi, Sam), and security expert Paul Edwards (Hi, Sam).

So I'll start with you, Rupert, as director. We've been offering managed services to our clients since 2017, which I believe makes five years now.

Yep, yeah, offering a range of, you know, patching, security updates, et cetera, et cetera. But in the face of this increase that we've seen in cyber threat, and people's threat landscapes expanding as we move to more remote working, et cetera, we've galvanized our offering, with Paul's help in developing it, and brought to the fore a more mature SOC offering.

Yeah. So before we dive into the products we're working with and how we're doing that, just for our audience it'd be great to cover off first one of the buzzwords we're hearing: what's the difference between a managed SOC and then the buzzword piece, MDR?

Okay, so a managed SOC, security operations center, and MDR, managed detection and response, are very similar in terms of what they do. A managed SOC will tend to monitor, alert on, and check performance of your environment and then the security of your environment. MDR is then adding a response layer to that. Often you find that's included in a SOC, so the line between the two is very blurred, but the managed detection and response piece is basically that whole detection piece that you do in a SOC and then providing a response. The challenge with that, really, is the response and what that response is. Some products will provide an AI-based automated response; some vendors will notify your IT team that there is a threat taking place or something happens, and it's a question of timelines for those to happen. What's the best way to react to a threat, and actually are those people going to be able to do anything within your environment in the event of a threat taking place?

Yeah, that's a pretty interesting point, because we've talked off-camera about this many times. We've been constructing the SOC and having that human involvement in the cyber threat and threat response. As we know, and we might know names, there are offerings out there that are MDR, which you've just alluded to, that if they find anomalous behaviours going on in your environment you might get an email at three in the morning, or a phone call to say there's a problem, which is better than not knowing but doesn't necessarily give you everything you'd expect at a point in time where something bad is happening.

Yeah, absolutely. I mean, Ben and I had one with a particular vendor which one of our clients worked with, I won't mention the client or the vendor, but they were genius, because they'd phone up and say, yeah, we've seen some behaviour in your environment, this is happening, this is happening, and they sent me the logs, and oh, that was three weeks ago. Okay, marvelous, what are we going to do with that now? Because that's a bit late. So yeah, there are all sorts of things like that.

Yeah, the timing of the response has to be a timely response, is what I'm trying to say. And also, as you say, there's a whole range of what you are buying and obviously what you need to pay for, the extent of that human involvement.

Yeah, because I think we're all looking now at cloud-based, software-as-a-service kind of platforms for this type of work, so that you can put the computing to break down those millions of logs that you receive every day. Yeah, there's no way a human's going to do that part, they'd just get overloaded completely. And then it's filtering that down using other technologies, which we'll go into, and then providing that human response to it. And then the final thing: what is the response to the client? Is it going to be a phone call, is it going to be an email, or is it going to be actually stepping in and working on the system to try and resolve the issue?

Yeah, and I think the important thing is actually it can be a blend of all of those. It can be threshold-based, to say okay, if it's something like this then no one wants to be woken up at two o'clock in the morning; if it's hitting this level then you can let the AI deal with it; if it's hitting this level then you need to be waking yourself up and dealing with it, or waking the client up, or whatever it might be, and those sorts of things need to be dealt with immediately. So you've got differing levels of threat and different levels of protection there. The tooling is one thing, but actually having the business process in place to deal with it is just as important.

Okay, just going back to your point there, and we can get into some of the deeper level, but what I hear from this is the level of alerting that some of these tools kick out, and the fact that some people have very successfully built their own SOC, some people have invested in tools and partly taken that step and then get a barrage of alerts. We've talked about monitoring tools, where that red-light fatigue was almost too much to deal with, so it just doesn't get dealt with. There's an obvious danger there. Clearly, as an MSSP, we're talking about outsourcing that and leaning on something like us to take that pressure off, but it's a real pressure, right? These tools can kick out a hell of a lot of noise.

Yeah, that thresholding point that we were talking about just a minute ago is: okay, if you get 100,000 alerts in a day, how are you going to deal with that? If actually a hundred thousand of those alerts have got a severity of, let's say, two out of a hundred, and two of them are 98 out of 100, you need to be able to pick the noise out of that and say those are the two I need to respond to. So the tooling and the correct automation within the tooling is vitally important to deal with that. But then having the people dealing with that bit at the very top, because often the tooling will point something out but you need to be able to say, now someone needs to deal with that, and quite often looking at the threats and saying that one ties to this one over here. So we're seeing the same activity in two locations, or we're seeing two pieces of activity in two different areas of our environment that tie together, and that's where the AI helps with the human interaction, and then the decision-making ability of a human to work out what to do about it is where it comes in. That's the difference.

And there's the threshold limiting. We've obviously looked at a few different tools, and we can go into what we've settled on in a moment, but it's the intelligence, and it's not called AI, it's more machine learning, to actually help you filter that out. There's obviously differences in the abilities of certain tools and others, but then there is the point where we had to step in as the owner of the tool and actually put two and two together, because otherwise we'll get anomalous results in a fair amount of time, right?

Yep, and that's the MDR piece, back to what you were saying earlier. The R in MDR, managed detection and response, is: what actually is that response? Because if your response is to tell the customer they need to look at something, then actually you can be far less selective about that, because you say to them, okay, there's five things you need to look at today. Whereas actually, if your response is, let's go and deal with the cyber threats properly, you need to work out: is it a real cyber threat, what's happening here, and be very precise about how you deal with that action, because you're taking responsibility for the security of someone's environment.

Yeah, okay. So I'm going to drag you into this now. I think it's probably worth talking a little bit about some of the work we went through in building out our own SOC, some of the thought process that we've had, and the tools that we're working with, touching on obviously some of the red-light fatigue and the capability of some of the tools, and why we've settled on the tooling we've settled on, while we're willing to put our flag in the sand and stand by that.

Yes. So you want to make sure you're focusing the human element of the response in the right places. If you're getting hundreds of thousands of logs a day, a week, whatever it may be, there's no way you're going to be able to deal with that. So using machine learning tools like Azure Sentinel and Darktrace allows you to filter out some of those alerts that can be dealt with automatically, or alerts that are just part of normal day-to-day business activity, false positives. If you can use tools like that to take some of that workload off the SOC team, they can focus their resource in the right place and deal with the alerts that genuinely do need a human response to investigate.

Okay. You know, it's very important, as you're saying, that machine learning is not just a generic one-size-fits-all for all companies on detecting those kinds of threats, because every company is different. You find that some companies might visit some really unusual websites, for design-type stuff, real minority sites which other companies would never touch, and so when that comes along, there's a certain time you need to let those systems run and learn what's normal for that company, and then what we want to know is when that changes, when something else happens that just doesn't fit in with that. Every company has their own ways and every industry has their own different patterns, and so that is absolutely essential. You can't really just make a cookie cutter which will work for that out of the box; it relies on that AI or machine learning technology which is in there.

Yeah, the user behaviour analytics piece in there is vitally important: actually, this person normally logs on from here and normally logs on at this time of day, and now they're logging in from a completely different continent at a time that's impossible for them to have travelled from here to there, and downloading lots of data, all those sorts of things. Those are, as you say, the machine learning stroke AI. Equally, that kind of behaviour, the user appearing somewhere else rapidly, can actually be benign because they've logged on via VPN or something like that and they've appeared somewhere else, and that's where a little bit of the human element comes in, because we get that alert, so, well, that's unusual; when they look at it, oh yeah, but they're on holiday in the Maldives and they've been VPNing in earlier, so they travelled across the globe in a moment, but that's okay. Or actually, as we saw in testing and building the SOC, we saw some alerting from people using, and again, bad security practice, but it's good to observe these things, actually someone using their security credentials in some Azure services which were located in the US, so they were showing up as logging on in the UK and in the US at the same time, and you think, okay, that's a valid alert, and then you look at what's going on and actually, now, don't shut the entire company down, because what they've done is put their credentials into Power BI in the States somewhere, and we need to fix that and say, no, dude, let's use a service account. But those sorts of things, and that's where the human element of it can come in.

I mean, we had one a little while ago where we had a client with a particular one of their users. All of a sudden there was a lot of noise from various different security services within different parts of their organization saying, you need to deal with this, you're under attack from Switzerland. Going through the details of those logs, it transpired that basically what they seem to have picked up was that some malicious IPs were being used coming into their network. When we went and looked at the detail of that, it was actually one malicious IP, theoretically from Swisscom, who's the home ISP in Switzerland, like BT Internet or whatever, and that was one user who had logged in once, successfully, via VPN through the firewall, using multi-factor authentication, et cetera. Then we checked, and that user was in Switzerland at the time. What happened is that IP had appeared on a blacklist from a few weeks previous, where someone else in Switzerland who got it as their home internet IP address had been using that IP maliciously, but the blacklist was old and stale. There were a lot of red flags raised all of a sudden over this, but actually, when you dig into the behaviour, you find it's not multiple attacks or multiple attempts to authenticate, it's one successful authentication, using multi-factor authentication as well, and then going back and finding out that user is in Switzerland, in that location, at the moment. Right, let's not shut down the global network.

But it's interesting the level of information that we can now get out, so you can quickly pinpoint that that's essentially a non-event. It's good to know, because it could have been something. Yeah, it'd be good if we could peel the onion slightly, and you'll find it's very difficult, but talk to us, if I'm an idiot looking at the technologies we use, what does what in the stack that we've put together? So we're talking about being able to spot different things. You've mentioned we use Darktrace as the machine learning element of our solution, and Sentinel, et cetera. It'd be good just to talk about how we use that, what each part is doing, and then how do we take feeds from our clients and make sense of that for them.

Sure. I think before we dive into that, it's important to say the SOC service is going to use Darktrace as an investigatory tool or an analysis tool, and as a protection tool as well, with Azure Sentinel sat on top of that. But we're also taking feeds from all of the other managed security services we provide for a client, or services they have if we're not providing those. So for example, we provide most of our clients with Palo Alto firewalls and we will take feeds from those firewalls. You're looking at the various different threat vectors: what's the endpoint protection on the workstations, take a feed from that. So the Sentinel piece that Paul's been working on takes feeds from all of those different sources, but actually the two applications specific to the SOC service are Darktrace and Sentinel.

Yeah, that's kind of what I'm talking about. We know there's almost a core element that we have to have. Obviously we can take feeds from our preferred vendors, like Palo and whatnot, but Check Point, Fortinet, whatever it might be, we can obviously take data and information and logs from all of those. But it'd just be good to understand, from the tools that we've selected, what does each one bring to the table?

So Darktrace is sitting on the network looking at the network traffic, so unusual patterns of behaviour. It might also spot things like a file called passwords.xls sitting on the network. Yeah, we've seen that in quite a few places, people bypassing company process and storing their own passwords where they shouldn't be. But yeah, unusual patterns of behaviour. So for example, if a user typically doesn't have much internet traffic and then suddenly there's a lot of internet traffic emerging from their machine, it will flag that as unusual behaviour and you can investigate it. It might turn out to be completely benign, OneDrive for example, a new laptop setting up OneDrive and syncing files, or it might turn out to be something else that actually does need a response, that they're uploading to their personal Dropbox, something like that. So that will be looking at network-level traffic. But, as Rupert said, we're also taking logs into Sentinel from Palo, from other platforms, anti-virus software, other firewalls, and we're able to run some logic, some correlation, on those. So in the example that Rupert gave, we can see that the user has logged in to the VPN on the Palo, but they also used MFA through Azure, so we can provide some context around not just receiving an alert that they've logged in from a malicious IP, or an IP that has been associated with malicious activity in the past; we can actually get some more information around that alert, and based on that we can then say, actually, no, this is genuine, or this is malicious.

It's interesting. I think it helps give context to the decisions that we're making there. For the benefit of the audience, can you talk more about our deployment, so how we have to deploy this out to a client's network to give us some of the benefits we're talking about?

Yeah, so it's a physical appliance that will be deployed within a customer's office or data center. There'll be a port configured on the switch to essentially mirror all the traffic that goes through it, and from that it gets visibility into the entire network. So we're not just talking corporate devices having an agent installed on them; it's any traffic, any device. So if someone external comes in and finds a free network port that they can patch into, it will see that. It's not dependent on you having to install anything.

So it will find anything that gets plugged in; if it has an IP address, it will find it and report back, essentially?

Yeah, it will see that traffic. Whether it reports back would depend on what that device is doing. If it's malicious, yeah, it will spot it and it will alert you depending on what thresholds you set. So with Darktrace, each threat or event is scored, each model breach is scored between 0 and 100, 100 being the most severe, and you can choose when you want to be notified or when you want Darktrace to actually automate a response. So it can send TCP reset packets; it can stop, or certainly block, that temporarily until you have a chance to investigate and actually make a decision on what you want to do with it. But yeah, it can take that first step at 3am in the morning and actually just stop that traffic dead.

Okay, so we couple that with what we do with that tool. So something like that, it will see anomalous behaviour, it can eclipse a threshold, it will then stop it, and then our guys will be looking at it, going okay, threat or no threat type decision, and then we can manage that. And then there'll be the reporting we provide to our customers, I guess an incident report, or all the stuff we can publish in Power BI so they can see what's happened, whilst they've been calmly tucked up in their beds overnight.

Absolutely. I mean, the Darktrace will feed into Sentinel, and via that we can produce Power BI reports. So we can get the numbers; it's not just like, oh, everything's okay, don't worry about it. You will actually get: we stopped these many things automatically, we did these many things manually, you know, that escalated, and you had these many P1 issues or potential P1 issues. So yeah, we could pull that whole business intelligence into part of the service.

Pulling the reporting at a Sentinel level gives you the reporting from all the products you're feeding into it as well, not just the Darktrace piece, so you get the full reporting across your entire estate of this is what we're seeing from a security threat landscape.

Yeah, so essentially with Sentinel, it's basically a slightly more clever version of a SIEM. So we can actually feed data from the switches, from the firewalls, from Darktrace, from other security sources, Active Directory usually, those sorts of things, so you can correlate, as Paul's saying, the events. Yeah, pretty much anything you can export logs from, commonly syslog, but anything you can integrate with or get logs from, you can feed into a SIEM product.

Okay, and it's the work that they've done at the back end that then tells you whether or not you need to pay attention to those logs.

Yeah, indeed. So, briefly, to cover, and I know we're getting on time on this one, but actually how we're structuring our team. Clearly this is a 24x7 operation, as it has to be.

Yeah, so there's a 24/7 aspect to this. Obviously we would work on an automated response in the middle of the night, automated response for really serious items, but also that would be escalated to a person who would then respond, and, if deemed necessary, obviously under the terms of the rules of engagement with the client, that may be waking someone up. But it depends how much autonomy we were given. Yeah, depending on the scale of the client and what that was, right, exactly, how serious it is, and what technical level your contact actually is. Some smaller clients may not be very technical, so yeah, they might want to know but it's probably not going to influence many decisions. But on the more technically able ones, they may want to be involved. So yeah, this depends on the agreement with the client.

Yeah, it's an onboarding process with each client of: okay, what are the thresholds, where do you want to be involved, where do you want us to deal with it? And part of the security services that we provide at the moment, if we're already managing that asset, say the firewalls for example, and there's a response needed in the firewalls, we'll deal with it and then report to the client later.

Okay, later being: do you want to be woken up at two in the morning?

Exactly, and that's generally, when we've been talking to clients, generally threshold-based. If the entirety of my network's being attacked and I need to do something about it, then please let me know, please let me know now. If there's something that you've dealt with and it was a relatively low issue, then tell me at nine o'clock when I'm in the office.

Absolutely. Okay, so I guess not in summary, but at least one last one to hit you with. We spent an awful lot of time, and people can't see, there's a large whiteboard over there, we spent a lot of time writing a lot of stuff down about how we're going to do this and how we make it different, et cetera. I personally think we've got a service which goes over and above what's available from other vendors, other resellers out there, et cetera. It would be good, rather than the salesperson in the room telling everyone that, to get from your positions, your opinions: what are we doing that is that bit extra?

So we can respond, essentially. If we manage the firewalls, we can log on to those, we can interpret the logs, we can change the policies, if the client allows us to, to remediate whatever the threat is. It's not just a call, it's not just an email at 3am in the morning saying you've got a problem. It might be, if they want that, but it might also be a call at 9am saying, hey, this happened in the night, we dealt with it, it's resolved. It's that human response, beyond just an automated machine learning system responding to something, stopping something; it's the escalation to an actual qualified senior tech who understands what that means and is able to filter that, just that final human element.

Yeah, and then to actually remediate, rather than just respond in terms of notification.

Yeah, the remediation piece is the key differentiator for us. There are a bunch of people out there who will do the manual response as well; they'll go and triage it and look at it and come back to the customer and say, you have something to deal with here. But we have a number of customers who have that sort of service who are getting fatigued with it and saying, actually, I get this and there's one of me and I have to deal with it at whatever hour of the night it is, or there's three people in my team and we don't have the capacity to deal with this. And the remediation piece of being able to say something happened and either by AI we remediated it, or dealt with it and shut it down immediately, so your people coming in to attack you with some sort of ransomware attack, it was shut down straight away; or alternatively, yeah, actually this was something that needed a bit more analysis, such as the people in Switzerland, but we did that analysis for you and we were able to make an educated decision based on the agreed thresholds of response, and, as you said, by someone qualified and experienced enough to make these decisions.

The idea being, really, I think, that an IT manager who's buying this service will be able to actually sleep at night.

Yeah, yeah, that's the end game, really, isn't it? Yeah, absolutely. There you go.

And the time piece now, I think, is the most important piece. As all the cyber threats get more sophisticated, intelligent, et cetera, it's that time piece: it's how quickly, if something happens, we respond to that and actually deal with it right then, not a few hours later, because an awful lot of damage can happen.

Yeah, not on Monday after it's been attacking you all weekend. Or all three weeks. Yeah, absolutely.

Perfect. Well, thank you guys, really appreciate it. It's very interesting. You're welcome. Thank you for having me. And thank you for joining us on this episode of Kromecast. Take care now. If there's anything you'd like us to cover in future episodes, please leave that in the comment section below, and like, subscribe and share, and join us again on Kromecast. Check it out.
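The two ideas the conversation keeps returning to, banding alerts on a 0-100 score so that only the top band wakes anyone up, and using correlated logs to downgrade a "blacklisted IP" alert that turns out to be one successful MFA VPN login from a travelling user, are shown together below in a small Python triage routine. This is an added example, not code from the episode, from Krome Technologies or from any vendor's product: the band edges, alert kinds, IP addresses, user names, travel notices and the fifteen-minute correlation window are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Severity bands on a 0-100 score, like the model-breach score discussed in the episode.
# The band edges are assumptions chosen for illustration, not any vendor's default.
POLICY = [
    (90, "auto_block_and_page"),  # tooling may block now; page the on-call analyst
    (60, "analyst_queue"),        # a human reviews it in working hours
    (0, "log_only"),              # noise: keep for reporting only
]


def classify(score):
    """Map a 0-100 score to the response band it falls into."""
    for floor, action in POLICY:
        if score >= floor:
            return action
    raise ValueError(f"score out of range: {score}")


@dataclass
class Alert:
    id: str
    kind: str          # e.g. "blacklisted_ip", "smb_encryption_burst" (constructed labels)
    score: int
    src_ip: str
    ip_country: str
    ts: datetime
    notes: list = field(default_factory=list)


# Constructed VPN authentication records, standing in for the firewall feed
# that a SIEM would hold alongside the alert.
VPN_AUTH = [
    {"user": "alice", "src_ip": "203.0.113.45", "result": "success", "mfa": True,
     "ts": datetime(2022, 6, 30, 7, 12)},
    {"user": "bob", "src_ip": "198.51.100.9", "result": "failure", "mfa": False,
     "ts": datetime(2022, 6, 30, 7, 30)},
    {"user": "bob", "src_ip": "198.51.100.9", "result": "failure", "mfa": False,
     "ts": datetime(2022, 6, 30, 7, 31)},
]

# Constructed travel notices: user -> (country, from, to), as told to the SOC by the client.
TRAVEL = {"alice": ("CH", datetime(2022, 6, 27), datetime(2022, 7, 3))}


def enrich_blacklisted_ip(alert, vpn_auth=VPN_AUTH, travel=TRAVEL,
                          window=timedelta(minutes=15)):
    """Add context to a 'blacklisted source IP' alert.

    If the only activity from that IP near the alert time is a single successful
    MFA VPN login, and that user has told us they are in the IP's country, the
    alert is kept but re-scored as informational. Anything else is left alone.
    """
    hits = [a for a in vpn_auth
            if a["src_ip"] == alert.src_ip and abs(a["ts"] - alert.ts) <= window]
    if len(hits) == 1 and hits[0]["result"] == "success" and hits[0]["mfa"]:
        user = hits[0]["user"]
        trip = travel.get(user)
        if trip and trip[0] == alert.ip_country and trip[1] <= alert.ts <= trip[2]:
            alert.notes.append(
                f"single MFA VPN login by {user}; user notified travel to {trip[0]}")
            alert.score = min(alert.score, 20)
    if not alert.notes:
        alert.notes.append(f"{len(hits)} VPN auth events from {alert.src_ip} in window")
    return alert


def triage(alerts):
    """Enrich what can be enriched, then band every alert. Returns {alert id: action}."""
    decisions = {}
    for a in alerts:
        if a.kind == "blacklisted_ip":
            enrich_blacklisted_ip(a)
        decisions[a.id] = classify(a.score)
    return decisions


def summarise(decisions):
    """Counts per band, the kind of figure a nightly report would carry."""
    counts = {}
    for action in decisions.values():
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample of one night's alerts.
T0 = datetime(2022, 6, 30, 7, 15)
SAMPLE = [
    Alert("A1", "blacklisted_ip", 85, "203.0.113.45", "CH", T0),
    Alert("A2", "blacklisted_ip", 85, "198.51.100.9", "CH", T0 + timedelta(minutes=16)),
    Alert("A3", "smb_encryption_burst", 98, "10.0.5.23", "GB", T0 + timedelta(hours=1)),
] + [Alert(f"N{i}", "dns_unusual_domain", 2, "10.0.5.40", "GB", T0) for i in range(5)]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for a in SAMPLE:
        print(a.id, a.kind, a.score, result[a.id], "; ".join(a.notes))
    print(summarise(result))
```

Running it, A1 (alice's single MFA login from an IP on a stale blacklist while she is on notified travel in Switzerland) drops to the log-only band with the reason recorded in its notes; A2 keeps its score because the same IP shows two failed logins, so it waits for an analyst; A3 is the one alert that justifies both an automated block and a page. The notes travel with the alert so the 9am report can say why each decision was taken rather than only what it was.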

2022-07-01
