Automated Transcript
Jason: Hello, and welcome to this edition of Gamma Secure, where we help you understand the evolving threats, and how our managed detection and response service helps you manage your cyber security posture. My name is Jason Simper, and I’m the Cyber Business Director at Gamma Communications, and I’m here today with Barnaby Noble, one of our pre-sales consultants.
Barney: Hello Jason, yeah, thank you. I’m Barney, I’m one of the security architects here at Gamma Secure. I’ve been with the company for over 10 years now, and I’m responsible for helping our customers with their MDR solutions, with their Microsoft solutions, with their Cisco solutions, and with their Palo Alto technologies.
Jason: Excellent, so you’ve got a lot of experience with cyber security and managing a broad range of our partners in terms of delivering customers cyber security protection.
Barney: Yeah, certainly. It’s been a long journey, with lots of twists and turns, and I like to think that the experiences that I’ve had with some customers have put me in a good position to help leverage that for our customers going forwards, and ultimately have culminated in us creating this MDR service.
Jason: Oh good, so I’m glad you mentioned that. So in our industry, we’re really bad at bringing up three and four-letter acronyms, people talk about endpoint protection, extended protection, desktop managed NDR with one of our other podcasts. Today, we want to talk about MDR, what does our managed detection response really look like and what benefits does it give customers when they work with us in a partnership to protect their business?
Barney: So, it gives a lot of benefits, an MDR service. But I think, if we take a step back first and look at how we actually got to an MDR service, and where MDR comes from, because historically, and ourselves included, we came from the space of managed SOC and SIEM and being an MSSP, and I think the problem with these services is that they ultimately result in very alert-centric services.
Jason: That’s the SOC and the SIEM piece, that’s the collecting the logs.
Barney: Exactly, you’re collecting logs, you’re creating passes for them, you’re storing them. You’re then using them to create rules, which you then make alerts from, and you then handle the alerts. The problem with that is it’s building a responsive service in nature. You’re not necessarily looking to find threats; you’re looking to be alerted that a threat that you predefined has happened and then find a response to it. The difficulty with this is that it tends to lead to, again, a very reactive service, and it tends to have a large number of alerts being generated that can overwhelm your own analysts.
Jason: So a huge volume of logs coming in from all different sources.
Barney: Huge volume of logs coming in from all different sources, and really the service then changes, right? You’re no longer spending your time trying to actually improve the security of your organisation, and you’re trying to spend your time figuring out how you’re going to get the number of alerts that you have to a manageable level. And this introduces other problems, right? You’re then going to find that you’re all of a sudden inundating your team, and they’re becoming fatigued, and they’re not responding to alerts. I mean, so many of the incidents we see in our customers where there’s been a breach, they’ve had an alert, they’ve just not responded to it, because it’s buried amongst 4,000 other alerts that they’ve got.
Jason: So, what you’re saying to me is there’s a complexity of all the different technologies that are being used. There’s a lot more logs, we can’t keep up with all the different signals and noise that they’re getting, and that’s why they come to an organisation like ourselves to help them decipher that noise when one of the terms that our friends at Vectra use is “finding a needle in a needle stack.” You know, are we the organisation that comes along and helps our partnerships with our customers to do that?
Barney: I mean, that’s always the objective, right? Ultimately, the transition from being a managed SOC provider to being an MDR provider can be a little daunting to customers, and that’s because it is a partnership, right? We do need to work with our customers and really embed ourselves in with them, and that can take the form of, you know, having actual staff in their offices, working with them day in, day out. Can take the form of, you know-
Jason: So, we really form part of their team by putting people on site.
Barney: This is my firm belief that you have to, because the difference… the difference between an MDR service, or what an MDR service should be, and what a managed SOC and SIEM service is, is that you’re trying… you’re ultimately trying to find threats and respond to them before they’re alerts in your dashboard. Right now, in order to do that, you need to understand the customer, you need to understand their network, understand the nuances, know who the teams are, be able to seamlessly escalate incidents between them and know who you’re talking to. You need to be able to understand, you know, maybe there are some quirks in their environment that have to be that way because they’ve got a legacy application. Maybe they’ve got some sort of compliance requirements that mean they have to set things up a certain way, and if you don’t understand those, then you’re not really in a position to be able to respond properly. So yeah, I think… obviously I’m going to say we are that organisation because we actively try to do that within our customers, but I think it would be almost remiss of me not to highlight the sort of change, and maybe that’s daunting to a lot of customers, and maybe that’s why you find that a lot of customers haven’t adopted MDR services yet, and they’re still quite happy with their existing SOC services because they’re box-ticking exercises, right? A lot of customers, they’ll buy these services just to make sure that when they complete a tender for one of their business opportunities, or for their compliance requirements-
Jason: It’s a tick box exercise.
Barney: They have an existing service, “yeah, we can take that, we’re happy with it and they’re not being burnt”, and no one’s necessarily driving that evolution because typically, it’s when you get breached.
Jason: So what you’re saying is we don’t have a one-size-fits-all approach to this. This is very much a partnership in terms of the way we work with our customers to give them the managed detection and response service that fits their business requirement. It dovetails with the employees that they have, and we augment that skill set by allowing us to become a seamless part of the overall service offering.
Barney: Entirely, and I go one further and say that’s how an MDR service needs, should be. You can’t realistically… you’re not really going to be getting an MDR service if you’ve just got a third party provider who’s selling you an MDR service, but in reality they’re just giving you the exact same service. They’re not embedding, they’re not understanding you, they’re not tailoring anything to your particular organisation’s nuances. You’re just buying a SOC SIEM service wrapped up.
Jason: Okay, this is really good. I think I’m really clear on that, hopefully the listeners are too. So, if we just take the next step, I want to go through what we consider is part of an MDR service in terms of the technologies. So one of the things that this podcast series is looking at is looking at our different partners and the services that they provide with us in partnership to deliver that value. MDR is like the umbrella term that we use, but if you break it down, we’ve got EDR, we’ve got XDR. Can you just tell me about those different types, instead of just the SOC SIEM pieces, but what else is included in that? And what constitutes our MDR service at Gamma Secure?
Barney: So it’s interesting, because at Gamma Secure, we have tried to create tiers of SOC service that – oh sorry, tiers of MDR service that fit all the sizes and shapes that our customers may come in, and I don’t necessarily think that there is one, as you said earlier, there’s not one size that fits all. Part of the problem here is that some customers may be financial services with very stringent regulations and huge investment within their cyber stack, and so the technologies that they employ will be considerably more advanced than some of our other customers who could be in, you know, public sector, local government with more restrictive compliance – sorry, financial motivations, right? So, I think at the core, an MDR service really needs to include not just the SOC SIEM piece and the capability to overlay more on top of it, of being able to automate some sort of response actions, even if it’s automated through some form of human-
Jason: Orchestration and automation.
Barney: Orchestration, automation entirely, yeah. And in responses and in reporting and in being able to integrate with different platforms like Teams to really keep people up to date with what’s going on within the service, but also EDR. Now, EDR really is a cornerstone for a lot of the response capabilities within MDR services, so having a very strong and preferably native connection between EDR services and whatever your SIEM or your alerting platform is a major benefit. I think another real core part here is identity. Unfortunately, identity is the new perimeter. There’s no way to… we’re long past the days where you could lock everyone down at your corporate firewall and be able to sleep easy in your bed. It’s not like that anymore.
Jason: So that’s where we’re seeing, the sort of terms like zero trust network and, you know, SASE, a framework that allows anybody to get access to their data and do their day-to-day role at any point, at any time in the world.
Barney: Yeah, exactly. So, and I mean… look, zero trust is not really a new concept. It’s something that’s been around for almost as long as I have, but it really got forced, and maybe the recent pandemic really highlighted that, that as soon as your users are outside of those secure silos that you’ve set up for them, you can’t trust them. I mean, you shouldn’t really trust them when they’re inside your silos anyway. But you especially can’t trust them when they’re outside.
Jason: It’s interesting you say that. We had a really long conversation with Martin Kramer from KnowBe4 in one of the other episodes, and he told us how they themselves had become the victim of a cyber attacker pretending to be a candidate for a role and they demonstrated, and you should go back and listen to it. It’s quite interesting how going through the validation and checks of that identity on that perimeter allowed them to stop the malicious intent, but even so an organisation as trusted as KnowBe4 can, if not, on their guard be caught out.
Barney: No one’s immune to being caught out in these ways, and that’s really why, in an MDR solution, it’s of vital importance to be able to have some sort of integration with whoever your identity provider is, a minimum to do things like locking accounts, like resetting passwords, resetting any session tokens, and being able to integrate with the identity provider to get signals where deviations from normal user behaviour has occurred. Things like impossible travel events.
Jason: So, you’ve talked about EDR so you know, endpoint protection, you’re talking about the users themselves. What about network detection and then that extended… what we hear about XDR. So where does that go from service offering?
Barney: So, network detection is really important, although obviously we’ve established that the user is no longer sitting quite comfortably in your offices. There’s still a lot of visibility that can be required within your network to catch especially east to west visibility, and it’s one of the reasons we strongly leverage our partners Vectra because they have a very competitive model when it comes to deploying sensors in your environment. And really, when we’re talking about network detection and response, we’re not just talking about, you know, your north to south, so “is Jason going to a certain website”, like beaconing behaviour, “is Jason going to a certain website every 3:33 in the morning for 10 seconds and then disappearing?” It’s not necessarily just searching for indicators of erroneous external behaviour, but it’s also looking to see, “well, okay, who is Jason talking to within the environment? What is he doing? What files is he sending? What usual communication patterns?”
Jason: So, building up a sort of profile of my activity.
Barney: Building up a profile of your activity, and although that’s not necessarily UEBA, in the sense that an identity provider-
Jason: UEBA?
Barney: User entity behaviour analytics.
Jason: Another one of those four-letter acronyms.
Barney: Another one of those four-letter acronyms which we’re incredibly good at making, and I dare say they’ll probably change it in a couple of years’ time to be a different four-letter acronym to mean the same thing. But yeah, it’s really extending that identity understanding, we’ll call it, that you really know “what does Jason do? What is Jason’s work pattern?” And it’s baselining that, and understanding your behaviour allows you to then be able to identify where those deviations occur, and what’s critically important here is making sure that you can get that east to west visibility across the entire estate. You don’t just want to find yourself purchasing a Rolls-Royce solution and sticking it in one egress point to the network, so you catch all the north to south. But you don’t see anything that’s going on with it. That’s not the objective of your NDRs, right? Although they’re great at doing that, you’ve got your firewalls, you’ve got lots of other security solutions. IDS, IPS, you’ve got your email gateways. They’re all focusing on north to south, but there’s very little looking at what’s exactly happening right now from one of your file servers to one of your customers, or one or two of your servers within a data centre are talking to each other.
Jason: Yeah, I’m glad you said that, because for me, you know, we’ve been providing, you know, firewall security, managed firewalls to our networking customers for years, and people will say, “well, if we’ve been doing that with some of the core partners, the chips you have, why do I need this new technology?” But you’ve just really well defined why that’s a different type of traffic profiling and activity as opposed to a firewall. It’s more that east to west traffic.
Barney: You need to cover every bit of traffic that you have ideally, and obviously some customers are not going to be in a position where they can do that, and they’ll focus on north to south. And I’m not trying to rubbish anyone’s efforts. We’re all trying to do our best here, but I think underestimating the visibility of what’s happening within your environment is a risk I personally wouldn’t want to take.
Jason: So, shifting gears then. So, we have a number of different technologies here. What would you say are the benefits of our MDR service at Gamma Secure?
Barney: I honestly think that the benefit of the Gamma Secure MDR service is that we are very much a partner-focused service. We don’t just want to come in and give you a, you know, we don’t want to deploy an MDR service. We don’t want to rip out your existing EDR and replace it with our preferred one. We don’t have certain, you know, we’re not technology restrictive. We try our hardest to be technology agnostic so that we can insert ourselves into your environment and then work with you as a partner to really improve your security posture and roadmap over the length of the contract. Be it five years, be it eight years.
Jason: A flexible approach to take on what you have, manage that in tandem with the organisation, and then change over time to where appropriate. The kind of the best approach or the best of breed product that fits their specific requirements.
Barney: Yeah, entirely, and I think it really comes from our background, because the history of Gamma Secure is that it was a value-added reseller, so we resold lots of different security solutions, potentially hundreds, maybe thousands of them across the team. And over sort of 15 years, we really realised the benefit of being able to understand all the various, different solutions and how they fit different sized organisations and what are their concerns.
Jason: So a real consultative approach that’s not one size-fits-all.
Barney: Yeah, entirely. I mean, look, obviously we’re restrictive on our vendors for a scaling purpose. We can’t support thousands of vendors anymore, because we’re not able to guarantee the high level of service that we aspire to. But that doesn’t mean that the knowledge is lost. Like, the team here, they really understand all the different security solutions that are available and the different technologies, and many of them have deployed them in one form or another, and because of this it means that we can really understand what the environment our customers are in. What the capabilities are in, and use that to make the use cases, which are really the cornerstone of what our MDR service is right, yeah?
Jason: So, it’s more about the principles of the technology that we’re supporting in terms of whether it’s identity, whether it’s network traffic. The technology provider does change, but the principles are the same. So, if the skill set is there within our team, they’re able to adapt to newer technologies as they come along.
Barney: Entirely so, and to go one further, it doesn’t mean that if you’re not using one of our preferred suppliers that we then can’t help you, because we understand the underlying technology. There’s a very good chance someone in the team’s deployed it, there’s an even better chance that we’ve already integrated into an MDR customer of ours. So, we have that existing skill set and knowledge to really optimise and to sort of give you the lessons learned. We’ve done this before, we can talk to you about where it worked and where it didn’t work, and the rationale behind why we do some of the things or why we make the recommendations that we make.
Jason: Okay. So, using all those years of experience, going from, as we would describe it, a traditional value-added reseller into a service provider into a managed security service provider. It’s what really differentiates Gamma Secure in terms of our proposition today and the partnership that we’re able to offer to our customers.
Barney: Yep, that’s exactly where I think we’re coming from, and I think it’s the sort of journey that you need to take in order to really be an MDR provider. You need to have gone that full cycle and seen exactly how security has evolved over the last 15, 20 years to be able to find yourself in a position where you can offer the kind of service that we need to offer customers. I mean, threat actors are getting more and more advanced, and even the ones that aren’t advanced are able to purchase access to corporate networks and purchase ransomware kits and do immeasurable damage, which 15 years ago they wouldn’t have been able to so, because of this, you know, our customers need to be more proactive. It’s getting to the point where, if you’re not a pro… if you’re not looking for a proactive service, and you’re not being proactive in the security that you have-
Jason: You’re not really getting the protection that you need.
Barney: Yeah, you’re not securing yourself, and I understand why a lot of customers are still in the position where they’re looking at their existing managed SOC SIEM service, and the alerting they’re getting from it and because they’ve not –
Jason: And thinking they’re getting something that’s protecting them.
Barney: And thinking, and the thing is, like, a lot of people, it is an investment and maybe it is daunting to justify that initial spend and the extra engagement that is involved with taking a proactive MDR service, but it’s better to get ahead of the curve personally. I think, if you’re not doing it now, then the more expensive route of getting breached and then having to find one is the alternative.
Jason: Excellent. Well, thanks for that, it’s been a really interesting conversation. If you’d like to find out more, come to GX. Gamma GX is our customer experience on the 15th of May. We’re in the Queen Elizabeth Centre in London, and we have customers there. We’re doing a presentation around our capabilities across networking, network security and cyber security. Our core partners are going to be there, in terms of the discussions around NDR with Vectra, we’ve got Cisco there. We’ve got KnowBe4, we’ve got Tenable.
Barney: As well as a lot of the team, myself included. So, if you’ve heard anything on the podcast you want to ask me about, or you want to disagree with me, then come over and say hello. I’m always happy to have a conversation.
Jason: Excellent. Well, thank you for your time. Until next time on the next edition of Gamma Secure.