Scott Williamson [00:00:04] We're definitely not facing the same landscape that we faced, you know, even a year ago. So we'll talk about the landscape, we'll talk about the stakes.
Scott Williamson [00:00:15] We'll look at traditional security and where those gaps exist in traditional security and then we'll look at the True MDR service.
Scott Williamson [00:00:28] So as I mentioned, you know, the threat landscape has changed, where we're seeing, you know, we've been dealing with ransomware for years. But even ransomware is changing nowadays.
Scott Williamson [00:00:41] You used to have to worry about somebody clicking on a bad attachment and locking up their computer, and then, you know, it started moving to WannaCry and things of that nature.
Scott Williamson [00:00:53] Uh, threats of that nature came out where it could impact, you know, a network or a wide area network or things like that.
Scott Williamson [00:01:03] You know, over the years, ransomware's been very successful. Companies have started partnering, hardening their infrastructures.
Scott Williamson [00:01:12] Having better disaster recovery plans for things of this, that nature, you know, happening to them, being able to recover quickly.
Scott Williamson [00:01:21] And basically, you have good backups, and, you know, the bad guys, they realize this, they see this.
Scott Williamson [00:01:30] And so, now we're dealing with newer threats where, you know, you still get the encryption piece of it, but, you know, they also pull out data. Use that data, you know, as extortionware against you.
Scott Williamson [00:01:44] We're seeing this right now, big rise in the Maze group.
Scott Williamson [00:01:48] And NetWalker, some of the, you know, malware as a service or ransomware as a service.
Scott Williamson [00:01:56] Malware that's actually going out and exfiltrating data, and, you know, if a company looks at a ransomware attack and says, Hey, we're OK. We've got backups.
Scott Williamson [00:02:07] These attackers will still say, Well, yeah, you've got backups, but I'll dump everything that we've exfiltrated out on the Internet, and then you're going to have to deal with that.
Scott Williamson [00:02:18] You know, and I mean, they're brazen. As, you know, they've got public websites that host this information.
Scott Williamson [00:02:23] You don't even have to get on the dark web, you can log in to their websites and take a look at, you know, what companies have been hit, what data was exfiltrated.
Scott Williamson [00:02:34] So, it's definitely changing.
Scott Williamson [00:02:37] Now, with users sitting at home, VPN, again, we're seeing more and more threats because a lot of companies, you know, they're implementing split tunneling or they're losing visibility with their security infrastructure that they've got on their corporate environment.
Scott Williamson [00:02:54] Business e-mail compromise is, you know, we've seen a huge uptick in this. You know, you have to be concerned with wire fraud, vendor fraud, things of that nature.
Scott Williamson [00:03:07] As more and more companies move to an O365 or a Gmail type solution, they're losing visibility into those environments to see if they've been breached, or see if they've been brute forced, things of that nature. So we're seeing a huge uptick in the business e-mail compromise. And then, as I mentioned earlier, just the data exfiltration and IP theft.
Scott Williamson [00:03:31] That's happening.
Scott Williamson [00:03:33] Again, you know, we have really built up this castle, this scheme, these walls to protect ourselves from, you know, the ransomware or, you know, the extortionware, but we haven't really looked at the exfiltration. We're not keeping an eye on that.
Scott Williamson [00:03:54] And so, that's kind of where we're at nowadays. You know, it used to be, when somebody got hit with an infection, it was just a matter of blowing the computer away and reinstalling. Yet now,
Scott Williamson [00:04:06] we're seeing these guys on the networks actively running through the networks, being on the networks for 30, 60, 90 days to understand what the network is, where everything is ****, what backups are being run, what endpoint security they have. So that they can actually execute against those.
Scott Williamson [00:04:27] You know, what does that mean? Well, you know, the stakes are higher. I mean, just the ransom alone, you know, two years ago when we were doing incident responses, if we had a ransom of over $100,000, that was a big deal. Now we're dealing with companies that have ransoms in excess of $3 million to get their data back.
Scott Williamson [00:04:49] So, you know, that alone is a huge uptick and companies are having, some companies are having to pay this, the financial impact of downtime and recovery.
Scott Williamson [00:05:01] Yeah.
Scott Williamson [00:05:01] How long does it take for a company to recover, if they're ever able to recover during this, you know, outages of weeks?
Scott Williamson [00:05:11] You know, months aren't unheard of as companies try to get back on their feet after a, a malware outbreak, ransomware attack.
Scott Williamson [00:05:21] The financial impact of the data and IP theft, right, what's that data worth? How does that hinder a company? How does it affect the company?
Scott Williamson [00:05:28] And then, you know, at the end of the day, you had the reputational impact of having to do breach notifications of being in the news.
Scott Williamson [00:05:36] So, you know, not only is it ransomware that you have to worry about, but it's also all these other factors that you have to consider.
Scott Williamson [00:05:47] So, you know, what we've learned is traditional security.
Scott Williamson [00:05:51] It's really not enough anymore, you know?
Scott Williamson [00:05:55] When we talk about traditional pillars of security, you know, firewall, spam filters, antivirus policies, those are no longer sufficient.
Scott Williamson [00:06:04] You're, these attackers.
Scott Williamson [00:06:08] Yeah, and I'll get to this in a minute, are a lot smarter. I mean, we're not talking about people brute forcing their way in anymore, we're talking social engineering and phishing.
Scott Williamson [00:06:17] You know, attacking the weakest security feature of the corporate environment, which is the end users.
Scott Williamson [00:06:27] You know, security by obscurity, it's no longer valid. Everybody's a target.
Scott Williamson [00:06:33] If you turn on the server, and it's got RDP enabled, and it has no external access inbound, you're going to be scanned. Usually within, you know, hours.
Scott Williamson [00:06:46] People looking for that easy target. Everybody's a target. Nobody's too small for these guys.
Scott Williamson [00:06:56] It's definitely, you know, crime of opportunity. Is it there? Can we do something with it?
Scott Williamson [00:07:03] I've mentioned this earlier, work from home users have caused the loss of visibility and protection.
Scott Williamson [00:07:08] A lot of companies that that we've talked to that have brought us in, you know, they they've enabled split tunneling for their end users.
Scott Williamson [00:07:17] Because their corporate firewalls weren't big enough to handle the increased traffic from everybody working at home.
Scott Williamson [00:07:24] Or, you know, their internet pipes aren't big enough, so they've enabled split tunnel. Well, you know, you lose visibility as to what's going on on that machine when it happens, you know, without doing a large capital outlay or increasing your connectivity.
Scott Williamson [00:07:41] It's really hard to watch what's going on on that end user.
Scott Williamson [00:07:45] You know, a lot of clients that we talk to, people are using their own, you know, BYOD type thing, working from home, so again, that loss of visibility as to what's going on on that endpoint is definitely a concern.
Scott Williamson [00:07:59] Software as a service. Same thing, loss of visibility.
Scott Williamson [00:08:02] I hit on Office 365 a few minutes ago. You know, a lot of clients out there, a lot of companies out there, once they move, you know, their applications to the cloud.
Scott Williamson [00:08:15] And whether it be e-mail or line of business apps, they don't pay as close attention.
Scott Williamson [00:08:22] What's going on with those applications because they assume that the service provider is doing it for them?
Scott Williamson [00:08:28] Yeah, you know, with Office 365 and, and things of that nature, you still have to watch it. Especially if you're doing hybrid installs, where, you know, there's write back capabilities and things like that within your environment.
Scott Williamson [00:08:42] That visibility still needs to be there.
Scott Williamson [00:08:45] And, you know, long story short, today's attackers are better at this than you are, than we are in a lot of cases. These guys, they spend their time trying to figure out how to do it, how to get in.
Scott Williamson [00:09:04] Now, that could be state sponsorship, you know, on the back side. You know, it's their job to do this or, you know, it could be some of these, you know, ransomware as a service individuals. It's just looking for one big payday.
Scott Williamson [00:09:18] Um, you know, it doesn't take very many of these to allow an attacker to live a very nice life over in Eastern Europe. You know, a $3 million ransom pretty much sets these guys up for the rest of their lives, as well as a family.
Scott Williamson [00:09:34] So they're going to try everything they can to exploit and to get into an environment and offstage.
Scott Williamson [00:09:46] So, how do companies protect themselves in this landscape? Well, you know, it all starts off with the tools and we all have tools. We've got a bunch of tools, right? We've got endpoint protection, we've got next gen firewalls, we've got, you know, SIEM solutions, we've got tools.
Scott Williamson [00:10:03] But, you know, on top of tools, we need visibility. We need to understand what's going on on the endpoint. How our endpoint is reacting, what it's doing.
Scott Williamson [00:10:13] You know.
Scott Williamson [00:10:15] How it's communicating with other devices.
Scott Williamson [00:10:18] Automation and orchestration, and we'll go into this, but, you know, automation and orchestration is a huge piece of being able to respond in a quick amount of time.
Scott Williamson [00:10:33] You have to have knowledge. You have to have people who do understand the threats, people who understand the techniques.
Scott Williamson [00:10:39] People who understand what to look for.
Scott Williamson [00:10:43] You know, on a day-to-day basis.
Scott Williamson [00:10:45] Then you need proactive monitoring, 24 by 7 by 365.
Scott Williamson [00:10:53] There is a reason why these breaches occur over long holiday weekends or on a Saturday morning at two AM, right? These guys know how we work. They know how corporate IT works.
Scott Williamson [00:11:08] They know that people like to go out on the weekends and have a good time, and they're not monitoring things as they should be.
Scott Williamson [00:11:16] So you know, having that monitoring and response being active, 24 by 7 by 365 is a huge piece of any security solution.
Scott Williamson [00:11:31] So let's talk about True MDR. True MDR, as Lindsey alluded to, is True's managed detection and response capabilities.
Scott Williamson [00:11:39] It is a SOC driven service. And we'll talk about our SOC here in a little bit.
Scott Williamson [00:11:45] But we provide tools. We provide the visibility.
Scott Williamson [00:11:48] We provide the automation and orchestration. We provide the knowledge and we provide the monitoring capabilities.
Scott Williamson [00:11:55] The nice thing about True MDR is it is a co-managed solution.
Scott Williamson [00:11:59] Our clients have just as much access, visibility, insight into the solution as we do, but they don't have to dedicate staff or dedicate themselves to learning it or monitoring it. We've got your back on that, I guess, is the best way to put that.
Scott Williamson [00:12:15] So, we provide the same story, and I'm going to go into kind of what the solution is, and how we work through it.
Scott Williamson [00:12:26] So, let's talk about the tools.
Scott Williamson [00:12:29] We're moving a lot of the capabilities down to the endpoint. Our EDR software is AI/ML based.
Scott Williamson [00:12:41] It looks at the way malware and attackers work, so I don't know how many people on this phone call are familiar with the MITRE ATT&CK framework.
Scott Williamson [00:12:49] But we have moved away from signatures and scanning and things of that nature. We're now looking at the processes, what's happening on the box, and mapping it to the MITRE ATT&CK framework, you know, is there persistence involved? Is there privilege escalation involved?
Scott Williamson [00:13:07] Is there a lateral movement?
Scott Williamson [00:13:09] So, this particular tool, we became quite involved with the manufacturer a couple of years ago as part of our incident response services, so as a company reaches out to us because they had an attack or they're undergoing an attack, we push this out step one.
Scott Williamson [00:13:31] This gives us visibility as to what's going on on the network, what looks suspicious, what isn't suspicious.
Scott Williamson [00:13:40] A few months ago we, we had a a telco.
Scott Williamson [00:13:46] Contact us, did an incident response on an issue they were having. We deployed the EDR software out there to them.
Scott Williamson [00:13:56] They thought they had got it taken care of.
Scott Williamson [00:14:00] You know, they were a week or two into their response, but they wanted to have another set of eyes. And so, we deployed the EDR solution that evening, and we actually caught lateral movement through their network.
Scott Williamson [00:14:16] The bad guys, and you know, when you talk about things like lateral movement and defense evasion, all these key concepts of the MITRE ATT&CK framework.
Scott Williamson [00:14:26] Traditional antiviruses aren't looking at that, you know, traditional antivirus, they're looking at signatures and some heuristics data.
Scott Williamson [00:14:34] But know that there's, there's flaws with that.
Scott Williamson [00:14:39] Having a tool that looks at and understands how bad guys work and how bad software works allows us to respond much quicker, see what's going on and, you know, understand what the real threat is.
Scott Williamson [00:14:57] The problem with signatures.
Scott Williamson [00:14:58] There's a, there's a bunch of signatures, require signatures.
Scott Williamson [00:15:03] It requires somebody discovering this out in the open, understanding, you know, how to identify something bad happening and then creating a signature for it, and then that signature has to get pushed to the endpoint.
Scott Williamson [00:15:15] And that endpoint has to run a scan to make sure that nothing has happened or that signature isn't live on it.
Scott Williamson [00:15:24] So there's a lot of issues, you know, if your signatures can't be updated or, you know, aren't up to date, then you're not protected against the latest threats.
Scott Williamson [00:15:35] zero day protection is almost impossible, based on signatures.
Scott Williamson [00:15:42] So there's a lot of issues around signatures, and that's why we like to look, you know, I like to use the term malware DNA, how does malware work, what does it look like, or how does it act.
Scott Williamson [00:15:55] And so anyways, our EDR platform is based around that. The other beautiful thing about not having signatures is it just works. It doesn't have to be on a corporate environment. It doesn't have to be connected to the internet to get those signature updates. That protection is always there.
Scott Williamson [00:16:12] So, that, you know, gives us a lot of flexibility. Endpoint deep visibility, we want to understand what's going on on that machine, not only from a network traffic perspective, but I want to know, you know, what processes are running, cross processes, right.
Scott Williamson [00:16:30] What powers are being touched on that machine right now?
Scott Williamson [00:16:34] You know, are there new scheduled tasks that have been applied to that machine?
Scott Williamson [00:16:41] Has PsExec ... been run on that machine? What has PsExec done?
Scott Williamson [00:16:47] All those things our EDR software provides us. Our EDR software also does
Scott Williamson [00:16:55] one other thing that no other EDR software does, and that is, it becomes the VSS shadow copy broker for the machines that it's installed on.
Scott Williamson [00:17:05] So, this is a patented software or patented process that when the EDR software is installed on the machine, it becomes the broker and nothing can touch the snapshots unless it knows that it's a known good process. And it's, you know, something that should be touching it.
Scott Williamson [00:17:29] You know, whether it's, you know, maintenance or, you know, you're cleaning up snapshots space, things like that. It's not going to allow any any additional access into that.
Scott Williamson [00:17:40] Why does it do that? Well? you know?
Scott Williamson [00:17:43] With ransomware, extortionware, you know, part of their initial process is to delete out the shadow copies of machines so that those machines can be encrypted and they can't be recovered.
Scott Williamson [00:17:57] This protects against that. It stops that from happening.
Scott Williamson [00:18:00] So, again, it's the only platform out there that does that, and then, with the EDR, you know, when we talk about EDR, MDR, the R is for response.
Scott Williamson [00:18:12] So once something happens, what can you do, what, what?
Scott Williamson [00:18:17] Yeah. What is your response?
Scott Williamson [00:18:20] You know, we're no longer telling people to go in and unplug it from the Internet or the network and run a scan on it.
Scott Williamson [00:18:29] All that stuff is done through the console, through the security operations center, your team, right? So we have several things we can do. We can.
Scott Williamson [00:18:37] Yeah, we can mitigate it. We can isolate.
Scott Williamson [00:18:42] It, yeah, we can tell it, you can't talk to anybody else on the network or the Internet, except through our console.
Scott Williamson [00:18:50] And our console allows us the ability to shell into that machine, to start doing some of the initial forensics or cleanup work.
Scott Williamson [00:19:00] Because I do have control of the VSS snapshots, I can revert that machine back to a known good state. So the default is we take a snap every four hours of that machine.
Scott Williamson [00:19:12] And, if something happens to that machine, if it gets infected or there's some kind of issue, we can revert back to a known good state prior to that happening.
Scott Williamson [00:19:21] Which allows remediation time to, you know, be much better than having to go and wipe machines and start over.
Scott Williamson [00:19:31] Integrated orchestration and automation.
Scott Williamson [00:19:34] Our security operations center uses a SOAR platform that allows us to do a lot of things automatically on the back end that the standard EDR software doesn't do. So I'll talk about this more in detail, but, you know, enhanced telemetry data: as something happens, and we get indicators of compromise, or we get file hashes.
Scott Williamson [00:19:58] The SOAR is automatically going out to our threat intel feeds, pulling that information on those specific IOCs and providing that information to our analysts as the alert comes in.
Scott Williamson [00:20:11] You know, our SOAR platform has the ability to reach out to endpoints that have suspicious files on them and grab those files and pull them in and detonate them in our sandboxes, you know, to give us more telemetry, automated triage. You know, we can go through and pull those things and pull those affected endpoints offline.
Scott Williamson [00:20:33] We can start the auto remediation processes automatically without having to spend a lot of dwell time on it.
Scott Williamson [00:20:42] Then enhanced communications, right, so as we're working through the processes, as we're working with the client. Our SOAR platform is able to integrate with our communications platforms, clients' ticketing systems, things like that to let them know what's going on.
Scott Williamson [00:21:01] The visibility. So, I hit on this a little bit, you know, endpoint visibility. What is that machine doing, right? What processes are running?
Scott Williamson [00:21:10] What processes were run, cross processes, registry changes, network connectivity, DNS, URL traffic, file activity.
Scott Williamson [00:21:20] What files are being touched, what files have been deleted, what files have been created? What has changed in the files, right?
Scott Williamson [00:21:28] Then, scheduled tasks. So this is all what we call deep visibility that's happening on the endpoint, and all that information is being kept and sent to us, sent to the cloud, for us to do some additional threat hunting, and we'll get into that here in a little bit.
Scott Williamson [00:21:46] The automation and orchestration: again, the name of the game is reduced dwell time, right?
Scott Williamson [00:21:54] So, identifying those threats, pulling in the information, making conclusions and being able to react on it sooner than what you could without the automation and orchestration. Right. So, with standard EDR, it's going to flag when something's suspicious.
Scott Williamson [00:22:12] And it's up to you or your security operations center or us to make a determination on, is this really something bad?
Scott Williamson [00:22:22] Is this something that, you know, is a false positive that we can let go?
Scott Williamson [00:22:29] But that is very much a manual process in most cases.
Scott Williamson [00:22:33] An EDR, and I don't care what the EDR is, an EDR is going to say, this is what I saw, and then it's up to you to make that determination. With automation and orchestration,
Scott Williamson [00:22:45] we're actually able to go, as I said earlier, and start pulling in some additional threat intel.
Scott Williamson [00:22:51] And that threat intel can be from many of our different sources, you know, that we pull from, so are they known bad, have we seen them?
Scott Williamson [00:23:00] Have other people seen them, is it something new, and then how it maps out to that MITRE ATT&CK framework. Automation gives us the ability to do customized playbooks for our clients. So every client's different, notifications and reactions and, you know, remediation are different with every client.
Scott Williamson [00:23:22] So we have the ability to sit down with our clients and say, you know, when something like this happens?
Scott Williamson [00:23:28] How do you want us to handle it?
Scott Williamson [00:23:31] We then plug that into our SOAR, and it can go through and actually create those runbooks as playbooks for us, and ensure that we're meeting your requirements without leaving anything out.
Scott Williamson [00:23:43] Uh, our SOAR platform also has integration capabilities with other security infrastructure. So, you know, some of our clients that we work with, we have integrations with their firewalls.
Scott Williamson [00:23:55] If we notice something bad on the inside, you know, a phishing e-mail or something like that, our automation platform can automatically reach out to the client firewalls and say, Hey, let's not allow anybody to click on this link, or allow traffic to go to this link. Because we know it's a known phishing site that we just got spear-phished from.
Scott Williamson [00:24:21] We can hook into their Office 365, have playbooks for when people, you know, do get phished or we see logins from other countries.
Scott Williamson [00:24:33] The SOAR platform can go either automatically disable that account, reset the password.
Scott Williamson [00:24:38] Generate e-mails and send those out to the people who need to know within the client environment.
Scott Williamson [00:24:46] And then automated threat hunting. This is the big piece.
Scott Williamson [00:24:48] So, you know, I talked about the deep visibility, everything that we're looking at on machines, everything that we're keeping in the cloud.
Scott Williamson [00:24:56] We keep 90 days' worth of logs in the cloud for every endpoint that has the MDR software on it.
Scott Williamson [00:25:04] And, you know, we belong to a lot of threat intel
Scott Williamson [00:25:11] feeds, you know, some of them are private.
Scott Williamson [00:25:14] Some of them are, you know, um, pay for, some of them are government based, but every day, we, you know, on a good day.
Scott Williamson [00:25:23] We may get 25,000 IOC updates or alerts, on a bad day maybe 150, but what we have is an automation software that can pull that information in.
Scott Williamson [00:25:36] And understand what those IOCs are, whether they're URLs or IP addresses or file hashes.
Scott Williamson [00:25:43] Take that information, and then proactively go back and look on our clients' infrastructures over the past 90 days to see if something bad or something matches that new threat intel that's coming out, right.
Scott Williamson [00:25:57] So, that's automated, we can run that, you know, through the automation program, it'll look for that and let us know, hey, yeah, you know.
Scott Williamson [00:26:10] The, you know, the world just found out about Zerologon, but, Hey, look, we saw indicators of that two months ago on this client.
Scott Williamson [00:26:17] Hey, we need to, you know, sit down and talk with them and understand what we need to do to mitigate what may be happening in their network.
Scott Williamson [00:26:30] Knowledge.
Scott Williamson [00:26:31] So, our Security Operations Center provides security monitoring services, whether it's MDR, whether it's SIEM as a service, network security monitoring, vulnerability scanning. Those are all SOC services.
Scott Williamson [00:26:47] We provide for a large portfolio of clients, right?
Scott Williamson [00:26:53] Enterprise, energy, critical infrastructure, healthcare, municipality, legal, and more, right. So we get to see a lot, especially when we start talking about the energy sector, critical infrastructure.
Scott Williamson [00:27:07] You know, those are clients that are heavily targeted and have been for years, right? So we get to see those threats as they are coming through.
Scott Williamson [00:27:18] That allows our SOC to build those playbooks, build that IOC data, all of those things, as Lindsey had mentioned earlier.
Scott Williamson [00:27:28] We also do frontline incident response, right?
Scott Williamson [00:27:30] So I've got teams that are out in the weeds, you know, looking at the latest Maze ransomware attack on clients or looking at the NetWalker stuff, you know, capturing the phishing, business e-mail compromise data.
Scott Williamson [00:27:48] So, we're seeing the techniques and the tools that are out there being effective.
Scott Williamson [00:27:54] Yeah, right now, and so that allows us to build our own IOC data, our own understanding, and build that into our MDR practice.
Scott Williamson [00:28:06] True Digital Security also has, you know, we've got a team of pen testers that, this is what they do, right? So, there's communications between the blue team and the red team, understanding, you know, how the red team is being successful.
Scott Williamson [00:28:23] What we need to do to kind of shore up the blue team's ability to monitor and catch things that the red team is finding as being effective.
Scott Williamson [00:28:38] So, let's talk about our Security Operations Center. We are somewhat unique in that we have our own US
Scott Williamson [00:28:45] based Security Operations Center. It's True owned and operated there.
Scott Williamson [00:28:50] My security analysts are my employees, they go through our training, they understand our processes, our tools. It is a 24 by 7 by 365 butts-in-seats security operations center.
Scott Williamson [00:29:08] It's not outsourced in any way.
Scott Williamson [00:29:12] As part of, you know, their job, as part of the monitoring of some of the infrastructures we have to do, they have to pass some pretty serious background screenings, background checks, things of that nature, because of a lot of the critical infrastructure work that we do.
Scott Williamson [00:29:29] Again, they're trained in our tools, our procedures. You know, they're well documented.
Scott Williamson [00:29:34] The use of the SOAR platform actually helps quite a bit in that to ensure that, you know, everything is being done as it should be.
Scott Williamson [00:29:46] Um, manual threat hunting, so we have our ... platform doing the automated threat hunting.
Scott Williamson [00:29:52] My analysts are trained to manually threat hunt through environments. So as new things come up, as new techniques come up.
Scott Williamson [00:30:03] My guys are trained to go in and understand how that affects client A versus client B, and then how to look through that.
Scott Williamson [00:30:11] So, manual threat hunting is a big part of what we do on a day-to-day basis here, and then also, you know, just to mention, we are SOC 2 Type 2 certified, you know, our security operations center is, as well as True, you know, as a whole.
Scott Williamson [00:30:27] So, everything that we say we do is audited and confirmed.
Scott Williamson [00:30:36] So, yeah.
Scott Williamson [00:30:38] True in general, you know, this is some information in regards to, you know, some of our collaborations, you know, our partners with CyberCorps.
Scott Williamson [00:30:51] We've got our own SOC.
Scott Williamson [00:30:53] We have collaborations with University of Tulsa, Oklahoma State University. ... is what we like to call it. At DHS, we're part of several DHS programs.
Scott Williamson [00:31:06] And so I won't read all of these, but, you know, these are some of the collaborations.
Scott Williamson [00:31:09] Some of the, the information sharing that we work with.
Scott Williamson [00:31:23] That's it. So we can go ahead and open it up to Q&A.
Lindsey Watts [00:31:29] So we have had a couple of questions submitted already, but want to make sure that you all have plenty of time to submit those in and be able to ask all of the things that have come to mind throughout Scott's presentation.
Lindsey Watts [00:31:45] The first question, Scott, that we have for you is, do you do VSS on workstations or on individual user PCs?
Scott Williamson [00:31:56] So we can do VSS on servers and workstations. All of that is really based upon the client and how they want it deployed.
Scott Williamson [00:32:06] Now, of course, you know, the operating system has to support VSS snapshots.
Scott Williamson [00:32:11] So, with the EDR platform, we have agents for Macs and Linux and, you know, your Windows variants.
Scott Williamson [00:32:19] We even have, you know, agents for Windows 7 and Windows 2003, because there's still, believe it or not, a lot of that out there. So, as long as the core OS supports VSS snapshots, we can enable that.
Scott Williamson [00:32:34] And, typically, in a, you know, normal MDR rollout, we do enable that across the board.
Lindsey Watts [00:32:44] OK. The next question we have here: we are evaluating Sentinel One as a standalone that we would manage.
Lindsey Watts [00:32:55] How does True MDR compare?
Scott Williamson [00:32:59] So, um, so, it compares really well to Sentinel One, considering that is the EDR platform that we started everything on, right.
Scott Williamson [00:33:08] So, I've talked about the VSS snapshotting, and that that is based off of Sentinel One.
Scott Williamson [00:33:13] It is based off Sentinel One Complete, that gives the full deep visibility into the machines. So, Sentinel One is a great product. You know, it's kind of taken the industry by storm.
Scott Williamson [00:33:26] We're seeing a lot of a lot of companies work. Lifting it out.
Scott Williamson [00:33:31] I want to understand that, everybody.
Scott Williamson [00:33:34] I want everybody to understand that MDR is more than an EDR piece, right?
Scott Williamson [00:33:39] So, you know, If you have a stand alone out there, that's great.
Scott Williamson [00:33:43] Do you have the ability to manage it?
Scott Williamson [00:33:45] Do you have the ability to threat, do you have the automation piece, right?
Scott Williamson [00:33:50] Because Sentinel One is trying to tell you, hey, you need to look at this, but from there, that that's where it pretty much leaves you, right.
Scott Williamson [00:33:58] You got all these great large. Got all this great visibility. But how does that all get together, right? So you have to have the knowledge you have to have.
Scott Williamson [00:34:06] In my opinion, you have to have the automation to reduce your dwell time to make a good decision.
Scott Williamson [00:34:11] You have to have eyes on.
Scott Williamson [00:34:13] You know, again, these guys are not attacking you between the hours of 8 to 5 a day, Monday through Friday, right? So, you have to have that additional piece. The automated threat hunting, the ability to go back in time and look at IOCs that may have occurred, is another big piece of it.
Scott Williamson [00:34:32] You know, a lot of companies that we've talked to that have Sentinel One that converted over to MDR. You know. It was the time, the knowledge gap, the automation piece that they were missing.
Scott Williamson [00:34:44] So, to answer the question, it maps out, the EDR piece maps out really well as Sentinel One, because that is it.
Lindsey Watts [00:34:56] OK, something kind of along those lines. If this replaces Symantec endpoint, why would I have a subsequent issue that needs mitigation?
Lindsey Watts [00:35:06] Wouldn't that be prevented?
Lindsey Watts [00:35:08] And then as part of that, what resource impact is the agent and the main rule mitigation?
Scott Williamson [00:35:16] OK, so very good questions. So why would you need it? Well, again, zero days, right?
Scott Williamson [00:35:24] So we have worked on several very interesting cases with Sentinel One in the past around the Maze group.
Scott Williamson [00:35:36] And the Maze group there, there's a big write-up within Sentinel One around the techniques that Maze was using to infect different clients. We were involved in that.
Scott Williamson [00:35:49] Some of those were incidents that we were working on.
Scott Williamson [00:35:52] Those weren't known, right? There were, McAfee had no signatures for them.
Scott Williamson [00:35:58] The way they were jumping around a network was totally a legitimate way of doing it, right, I mean, so McAfee and people like that are going to look at, you know, execution at, you know, how WhatsApp that software doing doesn't match signature?
Scott Williamson [00:36:15] Maze was using, you know, RDP and Alsace and things like that to jump around the network. So your standard antiviruses are going to see that as, oh, that's legitimate software, right?
Scott Williamson [00:36:27] Um, so, will it, you know, prevent yes, it will prevent a lot more than that could be. Just because of the way it works.
Scott Williamson [00:36:37] But, you know, there's always that possibility.
Scott Williamson [00:36:40] There's always that, you know, has somebody got some kind of persistent foothold in my network and created an account in our network, and we don't see it, and it's a legitimate account that you jump around.
Scott Williamson [00:36:53] That's where something like Sentinel One or some of the EDRs would be able to give you visibility into that.
Scott Williamson [00:36:59] What was the second part of that one Lindsey?
Lindsey Watts [00:37:02] So, here, what we saw, yeah?
Scott Williamson [00:37:07] So, um, so, before we went with Sentinel One we based off several different EDR platforms. Sentinel One by far was the lowest footprint.
Scott Williamson [00:37:20] Now, of course, you know, you're a lot of, it's going to depend on the age of the machine, and, you know, the speed of that drive and things of that nature.
Scott Williamson [00:37:32] But the nice thing about Sentinel One, which, again, as you know, is what we're using, is that we can go in and customize policies and the visibility on endpoints based on what they are.
Scott Williamson [00:37:46] So if you've got, you know, if you've got some, some Windows seven machines out there with, you know, four gig of RAM and, you know, an old 5400 RPM drive, we can go in and say, You know what?
Scott Williamson [00:37:59] Deep visibility on this particular unit.
Scott Williamson [00:38:01] Isn't that big of a deal?
Scott Williamson [00:38:03] And so, we can uncheck that, I want to say.
Scott Williamson [00:38:08] And I want to say it takes 250 meg worth of RAM, Toronto Ont standard.
Scott Williamson [00:38:14] And depending on the logging and stuff, it can yeah, take anywhere between five and are vague and two gig for the logs to be on the machine. Again, all that's really customizable on a per policy per device basis.
Scott Williamson [00:38:31] Know, I wanted to other things that I didn't mention and here is that the EDR also has the ability can you control local firewalls on the machines, create policies and also control the USB and Bluetooth behavior on the endpoint, right.
Scott Williamson [00:38:47] So, we can lock down and say, you know, we were not allying USB mass storage out of this subset of machines, or we can say, yeah, we're allowing USB storage, but it has to be this maker, this model, which the company provided. Anything else doesn't get the ability to do that.
Scott Williamson [00:39:05] So, that's also part of the MDR package the EDR package,
Lindsey Watts [00:39:12] OK, and we've had a couple of a couple of questions similar to this one, so I think it would be fair to just say maybe clarify, is this just a managed deployment of Sentinel?
Scott Williamson [00:39:25] No. No. You're not getting the orchestration automation.
Scott Williamson [00:39:30] Know, the eyes on 24 by 7 by 365, this specific community, you're not getting that, if you just I said, Oh, one, right.
Scott Williamson [00:39:42] You deploy Sentinel one.
Scott Williamson [00:39:45] As with any EDR, they can be extremely noisy, especially if you have them tuned properly; you want them to be noisy.
Scott Williamson [00:39:53] You need that that additional information.
Scott Williamson [00:39:57] You know, all my analysts are trained and certified in Sentinel One.
Scott Williamson [00:40:02] To understand getting the full piece out of it.
Scott Williamson [00:40:07] So you take Sentinel One as your core, you build the automation, the orchestration, the automated threat hunting, the manual threat hunting.
Scott Williamson [00:40:17] That is the that is the package, and then it's eyes on.
Lindsey Watts [00:40:23] OK. We have a question also around logging. Logging is involved. Is ... osquery, syslog still involved?
Scott Williamson [00:40:34] So no, osquery is not involved. The logging is coming directly from the machine.
Scott Williamson [00:40:41] The Sentinel One agent, understand you're getting two different things. So with ...
Scott Williamson [00:40:46] osquery, and so on, versus this, osquery is going to give you visibility into the, the logs, the Active Directory logs, the, you know, what, what Windows event logs are being looked at. Sentinel One really doesn't care about those event logs. It's working on a layer lower than Windows, right?
Scott Williamson [00:41:08] So, it's looking at the actual processes that are running, and what they're doing, is looking at, yeah, Who is that machine talking to you, Whether it's internal or external. What, yeah, what ports is that talking to?
Scott Williamson [00:41:21] So, it's, it's looking at a layer that is a lot lower than, than the OS, or the Windows event logs so that there are differences. Do you have to have all of them now? Not necessarily.
Scott Williamson [00:41:35] osquery is going to give you a different set of logs, as opposed to, what, you know, EDR is giving you.
Lindsey Watts [00:41:44] OK, I love this question because I think it's something that we see a lot around definitions of what is MDR. And it seems like the industry, there's just a lot out there.
Scott Williamson [00:41:57] So, does MDR use AlienVault for SIEM, Which, I think, opens, opens the door for a comparison and contrast, maybe, between those two services.
Scott Williamson [00:42:10] So, so, MDR is not a SIEM. MDR is concerned about your Endpoint protection, right?
Scott Williamson [00:42:17] Your servers, your laptops, things of that nature. SIEM or SIEAM, depending on what part of the country you're in, is, is concerned about not only the endpoints, but it's also concerned about the infrastructure, right? So SIEM is concerned about your Office 365 logs. It's concerned about your SaaS logs. It's concerned about your Active Directory logs.
Scott Williamson [00:42:41] You know, an MDR solution is not going to tell you that somebody was added to the domain administrators group within Windows.
Scott Williamson [00:42:50] It's not going to tell you that because that's totally legitimate.
Scott Williamson [00:42:53] Know, now, if somebody did privilege escalation on an endpoint and used a vulnerability to do, you do that privilege escalation, then MDR is from the fire about that.
Scott Williamson [00:43:04] But if it is a compromised administrative account that has added something to your Active Directory, Domain Administrator Group in VR. So, I'm going to catch that because that, that's totally legit.
Scott Williamson [00:43:16] So, SIEM is really a holistic view of your entire infrastructure.
Scott Williamson [00:43:21] Firewall logs. What's your firewall blocking?
Scott Williamson [00:43:25] You know, your layer three logs, your Active Directory logs is Office 360 logs.
Scott Williamson [00:43:30] So, MDR plays a big role in SIEM, by providing more detailed, more telemetry.
Scott Williamson [00:43:41] As, you know, as to what's going on, on that machine, but it is not a replacement for, SIEM
Lindsey Watts [00:43:49] OK. Is there a demo available?
Scott Williamson [00:43:53] There is a demo available.
Scott Williamson [00:43:55] So, you can definitely reach out to your account manager, We can schedule an online demo to show you, you, know, in detail, what, what the logs are, what it's like, and how it works, all those good things. And then we can provide you some demo licenses to them.
Scott Williamson [00:44:13] Play around with it yourself.
Lindsey Watts [00:44:16] Please explain more about G Suite and other software in the Cloud Protection.
Scott Williamson [00:44:25] So, again, this is concerned about your endpoints, G suite, things like that.
Scott Williamson [00:44:32] You've got to have something that's pulling those logs down and correlating those logs against what your endpoints are done.
Scott Williamson [00:44:38] So that's where SIEM, would play a role, is, you know, giving you more of a holistic view.
Scott Williamson [00:44:45] Now, you know, MDR is going to give you some information. Like, you know, is this machine connecting to G Suite?
Scott Williamson [00:44:52] You know, what processes kicked off the connection to drink?
Scott Williamson [00:44:55] G Suite is legitimate. But, you know, again, if you're not looking at your logs, from, from G Suite, or from O 365, you got a pretty big gap.
Scott Williamson [00:45:07] And what's going on?
Scott Williamson [00:45:08] And, you know, one of the things that we've seen out in the field, is, you know, a lot of companies will move to two G Suite or Office 365, and they'll do a hybrid installation, and they won't be monitoring the logs of Office 365 or G Suite.
Scott Williamson [00:45:27] And those accounts will get hammered every, yeah, I mean, just constantly brute force, you know, and eventually, you know, depending on your, your password policies and your MFA deployment, things like that.
Scott Williamson [00:45:40] You know, eventually, these guys get, like, and get in there and if you don't have eyes on those logs, then, know, you're never gonna see it happen.
Scott Williamson [00:45:50] MDR In as an Endpoint Protection piece, it's a, you know, it's a next, you have ours.
Scott Williamson [00:45:59] But, again, if you want in G Suite, notice that you really need to have some kind of SIEM, some kind of log monitoring in place.
Lindsey Watts [00:46:11] And I think the answer's maybe, where would I start?
Lindsey Watts [00:46:15] MDR versus SIEM, right?
Scott Williamson [00:46:19] So, depending on, you know, the endpoint protections, the biggest deal right now, right? So SIEM is definitely something that that you could add on. We see a lot of clients. You know, once we pushy, MDR out there, they see what it's doing.
Scott Williamson [00:46:41] They want the correlation, they want the SaaS piece. They do move out to a CMO of MDR.
Scott Williamson [00:46:50] We've got other clients that don't have compliance reasons or don't have any outside motivators that say, Hey, you know, MDR is not for us.
Scott Williamson [00:46:57] We're getting, you know, the telemetry data we want to see out of MDR, so it's really on a case by case basis.
Scott Williamson [00:47:03] But you know there are definitely differences between the two.
Scott Williamson [00:47:08] Know that the two services.
Lindsey Watts [00:47:12] OK, and I like this question as well.
Lindsey Watts [00:47:15] Is there anything in between these two?
Lindsey Watts [00:47:20] SIEM versus MDR. True MDR
Scott Williamson [00:47:27] So the answer is yes. Uh, we are, we're getting ready to launch our XDR, which will bring in some logging.
Scott Williamson [00:47:36] Things are still finalizing some of those pieces.
Scott Williamson [00:47:39] But, yes, there, there will be Indian,
Lindsey Watts [00:47:44] OK, and this looks like our last question for now, though. We have a few more minutes left, if anybody else has something after this one. My company's end points are not always the same.
Lindsey Watts [00:47:55] Am I locked in if those change throughout the year?
Scott Williamson [00:48:00] So this is a managed service, which, you know, we gave you the ability to flex as you need to.
Scott Williamson [00:48:08] So, again, as you know, it's a it's a monthly, a monthly bill that comes in, so if you're flexing, you know, between 200, 250, you basically get billed for what you're consuming on that line.
Scott Williamson [00:48:22] So, to answer that question, Yeah, we're very flexible when it comes to that.
Lindsey Watts [00:48:34] OK, one more just came in. Our company's primary endpoints are macOS based. Does the MDR solution work with Apple?
Scott Williamson [00:48:44] Yes. yes.
Scott Williamson [00:48:45] So, like I was saying earlier, we have Windows, macOS, Linux clients. The Windows clients, you know, depending on what you're doing, we can go as far back as Windows seven, now, you know, to the latest and greatest. So yes, Macs, Macs work fine.
Scott Williamson [00:49:08] You don't get the VSS capability, because it's not built in, but as far as the logging and the prevention, you know, all the MITRE ATT&CK framework, you know, all that stuff is built into it.
Lindsey Watts [00:49:23] OK, that looks like our last question for today. Thank you everyone for joining us over what is probably your lunch hour? We appreciate having you with us, we always are welcoming your additional questions. So if you would like to get in touch with somebody, your contact at TRUE, feel free to send those over. This is not a one-time thing, Scott will answer questions till the cows come home. If you know. So thank you again and we appreciate your time.
Lindsey Watts [00:49:55] Thank you Scott for sharing with us about Endpoint protection and True MDR if you would like a copy of the presentation. Please feel free to submit your e-mail address, in the question section, or in the chat section. We've had a couple of people ask for that. And you will also get a link to the recording if you would like to go back and listen to anything, if you were missing one part, or want to hear it again. So, thank you again for joining us.