Webinar Replay: Security Unlocked (MDR)

Security Unlocked: The Case for MDR

Today’s security threats are burdening more than IT departments – they are disrupting operations, exacerbating compliance needs and creating significant business risks. In this virtual fireside chat, we explore:

  • The security risks keeping experts up at night;
  • Where business & IT challenges collide on increasing compliance, decreasing budgets & operational resiliency; and
  • Why businesses should consider managed detection & response (MDR) to help solve these challenges.

VIDEO TRANSCRIPT

Kaleigh Alessandro (KA): All right, everyone, good afternoon and welcome. Thank you for joining us today. My name is Kaleigh Alessandro. I’m the Director of Marketing for Omega Systems. If you are new to the Omega webinar circuit or new to Omega as a whole, I’ll give you a quick little background. We have more than 20 years of experience supporting customers with their managed IT, cybersecurity risk management, regulatory compliance, and cloud services needs.

So, today’s topic of conversation for our webinar is “Security Unlocked: Emerging Threats, Business Risks, and the Case for MDR.” We’re going to be discussing the evolution of the cybersecurity landscape, and how businesses today are aligning their security priorities with their business needs. And of course, we’re going to discuss managed detection and response (MDR), which is a tool we all believe that businesses should have in their security stack today.

Joining me for today’s conversation are three individuals with no shortage of knowledge and expertise in the cybersecurity field. So, we’ll go around the horn here quickly. And if you will all introduce yourselves and share a little bit about your background, I’m going to go clockwise from who I’ve got here on my screen.

Let’s start with Mark Sangster, Chief of Strategy at Adlumin. Mark.

Mark Sangster (MS): Thanks, Kaleigh. And thank you for having me here. I’m Mark Sangster. I’m a cybersecurity author and Chief of Strategy with Adlumin. We are an MDR provider, but of course, you’ll hear more about that soon. I’ve been in the industry for nearly 30 years now not just as a practitioner, but also as a researcher.

So I spend a lot of time talking to even criminals in Russia and the Ukraine, just to get a feel for what’s going on, why are they motivated and how are they motivated and then bringing that back to have the business conversation with leaders, right? So, this is not about an IT problem to solve, this is about a business risk to manage.

KA: Great. Troels Rasmussen, General Manager of Security Products at N-able.

Troels Rasmussen (TR): Yeah. Thanks for having me, Kaleigh. I’m excited to have this debate with both Rick and Mark. I’m from N-able. I run our security business here and work very closely with Rick, Kaleigh, and Mark, both the Adlumin and the Omega teams to help MSPs, main service providers, SMEs, stay protected, grow, be resilient, and so forth.

Always love these debates. It’s a good opportunity to learn and then kind of expand your horizons. So, I’m excited to be here. Thank you.

KA: And lastly, my colleague at Omega, our head of security and technology, Rick Mutzel.

Rick Mutzel (RM): Afternoon, everyone. Rick Mutzel. I’m the manager of security and technology here at Omega Systems, a managed service provider where we’re providing security and managed services to a vast number of clientele and have partnered with Adlumin and N-able to have the offerings for a lot of the services that we provide here.

KA: Great, thank you all for being here and participating. Before we kick off our discussion, a couple of quick logistics. You may have noticed we are not presenting a slide deck. We’re going with the fireside chat approach today. So, just a really thoughtful interactive discussion amongst our panelists here. We will as always have the recording available after the event. We’ll also have a full transcript you can review because I’m certain there’s going to be a lot of great insight and knowledge that we’re going to throw around today. As a reminder, all of those materials, recording transcript, and other resources will be made available to all of our attendees 24 hours post-event. So, right around this time tomorrow afternoon.

Okay, with that, let’s kick things off by talking about the threat landscape today and really how it compares with threats of the past week. Mark, you’ve had a pulse on the industry for a long time now. How would you describe the shift in sophistication that we’ve seen from hackers and threats over the last, you know, five, 10, 15+ years?

MS: Yeah, absolutely. So, I think what we’ve seen is the industrialization, right, the industrial revolution of cybercrime. And often we talk about ransomware gangs. And I really dislike that term, because “gangs” reminds you of this kind of amateur thugs and some kind of turf war in their neighborhood. But these groups operate more like well-funded intelligence agencies. They are associated with governments in many cases. In some cases, they are sponsored, funded, or part of their organization. In other cases, they just sort of turn a blind eye and let them do what they want to do as long as they’re not creating havoc at home.

We’ve also seen the development of sort of software as a service (SaaS) across these organizations, right? So, ransomware organization, offering RaaS or ransomware as a service. So, if you are a smaller group and you can’t build the software yourself, you can use their toolkit and they have some kind of revenue sharing model between the intermediary or their channel and of course the groups that have built it. That’s why I call these guys the Misfortune 500 because they are like Fortune 500 organizations. They have C structures, they have compensation models, they know what they’re doing, they are not amateurs.

We’ve seen the shift in what they’re capable of doing. It has gone from small time kind of crime into massive operational shutdowns, data exfiltrations that we’ve seen and multi-extortion kind of tactics. They’re extorting you to pay the ransom to get your systems up and running. They’re extorting you to keep the event and the data private and to not leak it to say your customer base to your vendors or the government because they also realize in some cases you’re highly regulated and in those cases they know you’re gonna be in trouble with those compliance arms. So, they’re gonna, they threaten to leak it to that.

And they’ve expanded across all sorts of different industries. So, you know, we started with the Willie Sutton, I Rob Banks, because that’s where the money is, or the misquote, I should say. But they’ve expanded into other things like business services, law firms, marketing firms, municipalities, utilities, and K-12 educational districts have now certainly become one of the top targets that these groups go after.

KA: Yeah, there’s certainly a lot to keep our eyes on these days. Certainly, even as security companies, it feels like we’re getting pulled in a thousand different directions. Rick, I know the answer to this question is constantly evolving for you, sometimes day by day, but what threats or tactics are keeping you up right now?

RM: Well, it always has been, and it probably always will be, your company’s weakest link is your end users, right? And so social engineering has become so incredibly good and hard to tell from, you know, valid content versus malicious content, and I’m sure we’ll talk about in a little bit how that has come to be, but end users and just getting awareness, end users not knowing what is good, bad, sometimes, you know, not speaking up when they think they’ve done something because they feel like I’m going to, you know, get in trouble for clicking this link or doing this thing, and just not leveraging the security side after an event. That is where a lot of the low-hanging fruit comes from. So, it’s never going to change. But end users is what keeps me up the most at night.

KA: Troels, anything on the threat side that’s got you waking up in a panic every morning?

TR: Yeah, I pull pretty much anything related to security and how it’s evolving. One thing I’d just like to comment on, Mark, is what you mentioned earlier. One thing that really surprised me is just the ingenuity amongst threat actors. Like them using regulatory reporting requirements against organizations, right? So, we’ve seen examples of where malicious actors are actually using reporting timelines and requirements against companies.

So, when you’ve had a breach, you have a certain amount of time to notify authorities and so forth, and they actually use that as a way to extort further. So this just adds to the level of complexity there and so forth. But yeah, what keeps me up at night is one of the things Mark mentioned as well: that cybercrime is becoming like an industry, right? And the barrier to get started, the barrier to get involved, and the barrier to get going is so much lower, and that just creates a lot of tax. That means that the width of people trying to extort you or trying to get access to whatever you’re protecting, it’s gotten so much greater.

Back in the day, it was like, hey, you could target a DDoS attack at a company or whatever. But now you can do pretty sophisticated attacks without having much knowledge because you can just buy it as a service and deploy it then. Then it only happens to the neighbor mentality. I’m sure Rick knows this as well, but we work with managed service providers, and they service a wide range of customers. Some small, medium-sized businesses will have this mindset of is we’re too small, people don’t care, it only happens to bigger companies, and so forth. And what we’ve really seen is it happens to pretty much anyone because people, a malicious actor will be testing malware, they’ll be doing drive-bys, just testing your environment, and then you’re in, right? And then you don’t have the right procedures and protocols.

So kind of the same with insurance, right? Only happens to the neighbor. It keeps me up at night. And then that security’s seen as a tax, right? Rather than as a necessity to have a resilient business, right? We look at how you build your company, you have the right legal structure in place, you have the right financial structure in place to make sure you’re sound. You should view security as the same, right? It’s not a software you install and then you’re secure, right? It’s a range and how much security are you willing to pay for and how much protection are you willing to pay for? And a good way of really sizing that out is, like, what does it cost for you to be out of business? Rather than view like, hey, what does it cost for me to deploy a piece of software? Like, what did it cost for me to be out of business for an hour, a day, a week, and so forth? And as we go through the discussion, I’m sure we’ll lean into it.

But the focus on I can save $10 today versus it costs me three customers or potentially my business because I’m out of operations for a week, as I didn’t want it. I didn’t look at it as a way to structure my business, to be resilient. I saw it as an IT project that I had to do because compliance framework or something like that told me to. Just that and then having the calls, we engage with a lot of companies where when you get a call from a customer and say, they’re in my system, what do we do? Then helping them backtrack and say, well, this is so much harder now because we didn’t have the right layer, so the right procedures in place, and then see how the cost racks up and so forth.

So, a bit of everything, but I’d say probably the concern or lack of urgency in treating this as a, it’s not everyone’s problem, and you need to take it seriously, because it will probably happen to everyone at some point in time, so do you have the right layers in place?

KA: So, you’re not getting a lot of sleep is what you’re saying.

TR: That’s just how it goes, I also have two small kids, so it doesn’t help, right?

MS: Troels, if I can build on your industry comment too, I think that’s another issue. You talked about regulatory there, but they’re also really good at socially engineering that industry. They know it may not be a financial regulator, but it could be things like a bar association or a medical board for licensing. We’ve seen a lot of that.

I think one of the biggest, the best fishing lures I’ve seen to date was a document or an email, I should say, and conversation that looked like it came from a law student at Harvard and they were looking for, you know, a mentor, you know, this is kind of that look I’m in the final stages of my law degree and I just want to find out what’s it actually going to be like to practice. And so after two or a couple of weeks back and forth with these individuals, they then sent them an email and said, thanks so much. Would you mind, you know, completing the survey? There’s a link below so that I get my academic credit. And of course it was a stolen document. It was legit. It had been weaponized and they got senior judges, uh, managing partners. They almost shut down a state supreme court. They really, really understood the inside. Maybe that was somebody who left law school and was not so happy.

But then I think there are more generic things too, the living off the land, exploiting vulnerabilities, unpatched systems, things that aren’t up to date. And of course, some of the trickier tools we’ve seen too late, MFA or multi-factor authentication bypass tools like Evilginx and others, which do a great job of tricking individuals into thinking that they are authenticating their identity. And of course, they’re not. Not only do they pick up their credentials in the token, but they get the session token, which means then remotely, any device, any browser that they use is automatically trusted by that authentication service, be it Microsoft or Google.

RM: That’s a good point, Mark. We’re seeing a huge uptick in especially targeting online services like Azure for session token theft. Once they have that, if you’re not implementing, you think you’re safe because we have MFA. It’s pretty trivial to bypass those things, and we’re recommending in those situations, moving towards a more zero-trust model with trusted devices or known devices only authenticating. You know, it adds another level of friction to users, but, and similar to what Troels kind of was saying is how much money does it take to secure my environment properly and how much friction am I willing to experience to get to that secure point?

KA: Good point. I want to touch quickly on AI since it feels like we can’t possibly escape all the discourse on artificial intelligence today. Troels, for all of the productivity and time-saving applications there are, are we seeing, or are you seeing the negative side of AI emerge? Is it helping hackers to be more effective or deceptive at this stage?

TR: Following up on where Mark and Rick kind of were going, some of the social engineering, right? Like most of us probably heard of the MGM hack and how that was compromised. Like that’s a level of AI, right? Like deepfakes, you can’t trust the phone call any longer because you don’t know whether or not it’s actually the person you’re, you’re engaging with.

So having the right layers of validation, that was where Rick was going with zero trust and so forth. Like what are your procedures when you don’t know who’s actually calling? If a video is a video, if a picture is a picture, and so forth, right? So, that’s what it’s really just up-leveled the game and AI or machine learning or language models, however, you wanna put it, has really enabled security professionals to be more effective and efficient, but it’s also allowed threat actors to be more creative, to go out of band and create unknown practices, right?

A common thing is you pick up the phone, you call someone, and then you trust it, right, because I hear it’s Troels. That statement is no longer true, so that’s definitely made it a lot harder. And then like efficiency, for sure. These are usually very smart people who are very good at what they do, for the most part, like threat actors. So, all the techniques that we’re using as IT professionals for companies to get more efficient and more operationally sound, they can deploy those same strategies just as a counter to what we’re doing and kind of how we’re looking at it.

So assessing massive amounts of data and so forth. And that’s one of the things that has allowed them to be, has a leg of greater width in their attacks and say like, hey, they’re moving down market because the resources it takes to engineer an attack is so much less because technology allows you to scale so much better. So, kind of like what we’re saying, where we’re saying software allows you to be better. It works in all industries, also crime, sadly.

RM: I think we were kind of having a conversation, pre-webinar about what a threat actor looks like in the movies or what the perception is, right? They’ve got a hoodie, they’ve got the white mask, right? AI has totally lowered the barrier and the knowledge needed to become a threat actor, right? And so there are large language models out there that I can plug into a company’s website or their domain. And it’s going to output, here’s all the ports that are open. Here’s the IP addresses associated with. Here’s all the social media user accounts associated with that. And then I can take that information and plug in a CVE (common vulnerabilities and exposures) article that’s associated with that external scan. And it outputs the actual vulnerabilities associated with the CVE and an operationalized tactic to exploit that vulnerability.

There’s no team involved in this. It can be a high school kid with no knowledge and they just know how to type things into a prompting engine and output an operationalized attack on an environment, knowing nothing about the environment, doing no reconnaissance whatsoever. It’s just, here’s the information, and here’s how to operationalize it. The efficiency is fantastic, I suppose. But it’s very scary at the same time. Yeah. It’s crazy.

And as you were kind of talking about the impersonation, was it HSBC? The CFO was impersonated to an internal employee. That was a $25 million transfer of money just in one oops of not, and I always go analog. If there’s a question about am I talking to this person, like hang up the phone and actually dial the phone number you know that person is going to be at, right? Because you can spoof a SIM card, you can spoof a phone number, you can spoof an email address. Like hang up, don’t reply to the email, start a new one, pick up the phone and call a known good phone number for that person to verify before you transfer get up $25 million.

MS: Yeah, you know, that’s an important issue, right? It’s from an insurance claim perspective as well. That’s one of the things they’re looking for is did you take that secondary control, right? Think about it as MFA before you do fund transfers and it can’t be inbound, it’s got to be outbound. In particular, if you like to amplify what both of you were saying, if you just Google Microsoft’s research project called VASA-1. It is a face video generation tool that can generate high quality video with about 170 milliseconds of lag. That’s not something we’re gonna pick up on as a human, or maybe if we do, we’re gonna attribute that to, maybe the latency in our online conferencing service, right? But from just one picture and a short audio clip, they can control everything and you get lifelike video.

So that’s pretty easy for a bad guy to go to LinkedIn, they pull your headshot, probably somewhere on social media you’ve spoken or at a conference or something along those lines, they take that and they can auto-generate things like delays, installs in speech patterns, eye movement, hair movement, and not just hair movement, things like hair flicking. For example, if you had longer hair, things like that, there’s a whole, I think it’s about 20 different examples there on their page.

When you look at that, you realize just how easy it will be or how easy it is for criminals today to be able to fake being that individual. You can imagine that. You get the email that says, as Rick’s saying, we need to transfer this funds. Five seconds later, your team goes off or your Zoom or whatever, and there’s your boss saying, hey, I just sent you an email about such and such. I need you to execute this now. And they’re giving you all this context in the background. Becomes harder and harder to distinguish between legitimate and illegitimate activity these guys want you to enact.

KA: Okay. Well, now that we’re all sufficiently terrified of what’s to come, I feel like we’ve laid some good groundwork for what’s happening and what’s possible. I do want to shift gears slightly and talk about what’s happening on the business side of things.

We’re going to dig into some of the specific business challenges that we’re seeing impacted by these growing security risks. But at the highest level, I want to talk about the business leaders’ perspective on IT security. So, we’ve all heard and said this before, but security isn’t an IT problem, it’s a business problem.

And so, my question is, if I’m a C-level executive, with no IT background, no understanding of the nuances of these security threats, why does this conversation matter to me? So, I’m gonna put each of you on the spot for sort of your 30-second elevator pitch. Why should security matter to me? Who wants to go first, Mark?

MS: Sure. So, why does it matter to me? Because like I said earlier, cybersecurity is not an IT problem to solve, it’s a business risk to manage, right? And the excuses for not looking at this as any other risk that a company might face, any other fiduciary form of that, so whether that’s a natural disaster, economic headwinds, or whatever it might be are really, really dwindling. And as I like to say, ignorance is not bliss in the case of cyber risk. In fact, it’s a potential liability. And it’s one of the large law firms that I work with likes to add to that and your liability is only really gonna be limited by the creativity of the plaintiff’s lawyer or the aggressiveness of the regulator’s auditor.

KA: Good point. Rick, why should security matter to me?

RM: Well, unfortunately, if you read any of the news today, it’s not really a matter of, you know, if an incident’s going to occur for your business, it’s going to be when an incident’s going to occur, and you need to be prepared for the inevitable aftermath of what that’s going to look like. And so do you have the tools in place? I’ll say I refer to it as the “ostrich execution”. You can’t just stick your head in a hole in the ground and pretend this isn’t happening, right? It’s going to be a fact. It’s going to happen at some point. And do you have policies and procedures in place? Do you have business continuity? Do you have incident response plans? Do you have a team to execute those? Do you have individuals appointed to man those teams?

That all has to be done and should be done and in place and tested before an incident actually occurs. And so getting all your ducks in a row needs to be done now so that you can manage that risk and the execution of that when a cyber incident occurs.

KA: Troels, I’m a business leader. Why should security matter to me?

TR: Yeah, I’ll probably repeat a little of what Mark and Rick have said, one of those new smart people, right? And then kind of do what they say, but overall, it’s kind of sending on it. It’s the responsibility of the business owner, CEO, director, whoever drives the business and runs it, and his leadership team.

You need to view this as how you’ve insured your financials, all those bits and pieces, and really say that it’s more than Charles’ and IT’s problem. And then probably see security is not an outcome. It’s a thing you do to drive a resilient business. You’re building a, like setting up a security posture, you’re putting policies in place, procedures, as Rick mentioned, right? But that is for you to do what your business is supposed to do, whether it’s producing cars or serving customers at a restaurant and so forth. That’s the outcome of what you’re doing as a business. And you need to put things in place that allow you to operate that efficiently, right? And security is one of those things.

It’s like, you need internet, you need to make sure your device works and it’s only doing as it’s supposed to and nobody’s having access to it, or you’re not exposing your customers to risk. That’s one of the responsibilities, depending on the industry or vertical you’re in, right? If you’re in healthcare, finance, and so forth, you’re carrying a lot of very sensitive information. That means you have to be even more diligent around protecting and auditing and showing you care, right? Around their data and how you handle their information because that’s a privilege you’ve gotten from that customer and kind of like a responsibility you’ve taken on through your business.

So I just think of it as a way like, hey, this is resilience, you shouldn’t see it as IT spend. If you live in an area with lots of hurricanes, right? You have hurricane policies; you have procedures you take if a storm heads. This is the same, it’s just virtual versus physical, but it has the same implications for you as a business.

KA: Yeah, that’s a great point. So, I wanna talk about some of the specific business challenges that we see routinely come up as part of cyber risk conversations. The first being resources and budgeting. So, you know, I don’t have the money, expertise, or bandwidth to stay ahead of today’s threats. We’ve touched on this a little bit, but Mark, maybe you can kind of go deeper. What’s your response to that perspective and how do you coach both C-level executives and IT leaders who are trying to make the case internally for more investments in proactive security?

MS: Yeah, it’s an interesting challenge because the technical practitioners, or the technical leaders have the information that the business leaders need to make critical decisions. The problem is, often they speak a different language, right? So, I sort of jokingly say we need that Rosetta Stone to translate the ones and zeros of tech into the dollars and the cents of business. And some of the ways that I do this are things like looking at the costs and outcomes of peer incidents in their industry. So, a lot of times we get sort of wrapped up in these major events that occur and we say, oh, that major breach of some global carrier cost millions and millions of dollars and a small healthcare firm in West Texas goes, yeah, okay, that’s not gonna happen to us and we’re not worth that.

So you have to make it relevant, right? It’s a bit like, as I always say, when you’re dealing with a business leader if I start throwing statistics at them, they’re going to glaze over. If I tell them about crime statistics on the rise, they’re going to go, yeah, that’s terrible. And then they’re going to move on to the next meeting because it doesn’t matter to them. If I tell them that their neighbor got robbed at gunpoint, now they’re thinking about, you know, getting an alarm system, a big barky dog, a security guard, or moving altogether and finding a safer neighborhood.

Why? Because it matters to them, and it’s context relevant. So, you have to do the same thing for them. So, talk about what’s in the air industry. What are the things best practices? No one is to lead the pack, but they sure as heck don’t want to follow it and business leaders will try to find that balance of not spending too much but at the same time not leaving themselves with too much unmitigated risk. And one of the best ways I see of doing this is tabletop exercises and simulations.

The reason I do that is now let’s get to the point where the proverbial stuff has hit the fan and let’s look at this in a business context, because what they suddenly and very quickly recognize is most of the decisions that get made are not IT decisions. The execution might be on the IT side, but it is a business decision.

So simple example would be a very prominent one of the top global law firms years ago was hit by now an aging version of ransomware, but at the time it was a zero-day. And one of their clever IT people put up a whiteboard in their lobby that said, don’t connect to the network, you know, don’t connect to guest Wi-Fi, do not, you know, dock your laptop, all that kind of stuff. And they did it with the right sentiment. But of course, a rather perturbed client came in, saw this, took a screenshot of it, stuck it on their then Twitter account and complained about the lack of service. It blew up and by 4:30 that day, one of the big news agencies was calling them saying, we believe you’ve been shut down with ransomware or cyberattack and we’d like you to comment because we’re running the story at six. And of course, it went downhill from there. And what was worse was one of the major practices of this law firm was, as you can imagine, breach litigation and incident response. So, that probably didn’t help their business at least not in the short term.

So walking them through that, helping them understand that it’s a kind of, I call it a VUCA environment, volatility, uncertainty, chaos, and ambiguity, but you can turn that back on itself. So, you’re never gonna have all the answers you need, but gather the right people and be able to determine what you have to do. So, let me go back to that whiteboard example. In that case, making that incident public is going to be a business decision. That may go up to the board.

I’ve worked with a manufacturer where it costs $7 million to shut down their assembly line. They decided or elected for a period of time to suffer the attacks because it was cheaper to do that than it was to shut down in terms of restart overhaul costs and in terms of lost business. Another executive that I worked for in a different industry told me that they were losing $650,000 a day while shut down. So, they were willing to pay a ransom to this gang because they thought that would speed up or somehow accelerate their recovery. Now, whether that’s true or not is another question.

The point is these all become business decisions. So, I think that’s one of the best ways. And when they start to recognize that, and as you walk through the scenarios where you’re tapping some of the kind of critical security tools that you need. So, things like multi-factor authentication, segmentation, data backups, etc. That’s where they start to realize these things are important. And you shift the conversation from, okay, IT just wants more budget, they wanna hire more people, they want the latest and greatest to them, the shiny toy or whatever it might be. So, they recognize why these pieces are critical in their security defense and why they should invest in them.

KA: Yeah, that’s a great point. Here is another challenge we see, right? There’s a wide swath of industries and locations grappling with increasingly stringent regulatory compliance standards relative to security and risk management. Where once it might have been some best practices and nice-to-haves, there are more and more expectations demanding businesses have everything from multi-factor authentication to SIEM logging to proactive threat hunting. Rick, can you talk a little bit about how you’re seeing regulatory requirements evolve with respect to security standards?

RM: Yeah, I could talk about this all day. This is kind of near and dear to my heart, and I think a lot of the regulatory bodies are realigning their standards, and they’re becoming much more in-depth, and they’re becoming much more granular. And so before, you know, there was this list of, you know, 40 controls, you know. Now, all of a sudden, it’s 178 controls. They’re becoming more granular, and there’s a need for that, because these controls were written a decade ago, and technology has changed so much. What we’re seeing is a lot of them now just overlap, which is awesome from an audit perspective, because you can complete one audit and be 75-80% there to another framework, but they’re converging a lot. And I think that’s great, but then also the industries that they’re applicable to are also expanding, right?

And so one of the things like the FTC did was they started expanding these standards out. And so like your car dealership, think of all the information you give to a car dealer. You know, when you’re financing a car, it’s kind of like the wild, wild west if you’re an IT person looking at a car dealership. I mean, you could see anything from Windows 2000 machines, you know, shared passwords and credentials, you know, it’s all over the place. And then you can see very good implementations at a car dealership, but there really wasn’t a good standard out there. And the FTC is doing what I think is a good job of putting like the GLBA safeguard standards out into those environments. And there’s a lot of security controls that go along with that, which what I’ll say is, you know, basic cyber hygiene.

You’ve got the SEC with all of the new standards that they’re putting out, which again, I think is a great thing. And it’s adapting to some of the new standards. And with that, there’s more accountability, which I also think is a great thing. Traditionally speaking, from the regulatory and compliance perspective, that’s an IT thing, right? And your CISO is, for lack of a better term, the scapegoat, right? If something happens, that poor guy takes all of the heat when there’s an incident. Well, maybe he didn’t have the budget, he didn’t have the backing, he didn’t have the resources needed to implement the strategy that he would like, and wasn’t enabled to be as effective a CISO as he would like for the company.

And so specifically like with the SEC, they’re moving that up the food chain, which I think is great. And so now there is a requirement for somebody on the board to be responsible. The board takes a larger stake in the overall cybersecurity posture of public companies, which I think is, again, great. You can’t just say, oh, Bob, the CISO, he didn’t do a great job, we let him go, we’re gonna do better now moving forward. That responsibility is much higher now. And the board has some stake in the game when it comes to the overall company cybersecurity posture.

There’s always the legal term materiality, right? And I think as the frameworks standardize more, that term, while it has a definition, and I am by no means counsel, there are some precedents and legal definitions for materiality. And that is now becoming the new term when there is inevitably a breach: was that, or is that going to cause a material impact on my company or my customers? So, keep that in mind from a compliance perspective. What does materiality mean to me or my clients?

And then the last part is, there are some interesting disclosures for incidents as far as timelines being put out there, which I don’t necessarily agree with totally. Again, with SEC, like four days to disclose. From an incident response perspective, four days, you may not know in a large company a lot of the information. And again, going back to materiality, what is that gonna look like for my company if I report prematurely? And what is the impact of that gonna have to sales, my company, you know, all of that put together, I think kept people from disclosing for extended periods of time, which I don’t think is a great practice, but then also now we’re moving the ball the whole way to the other side of the court and is four days going to be enough time to actually dig in and find was this actually a material incident? Was this just a business email compromise and they didn’t actually have access to anything? You know, in a large company, four days may not be enough.

Or you don’t have tools like an MDR platform, which is capturing the logs to make a determination of materiality. And so now you’re poring through, or you’re going back in time, and you don’t have logs. So, maybe you have to say, I don’t know what they had access to. So, I’m just gonna have to say they had access to everything. And that’s how I’ll leave that.

KA: There’s a lot happening. There is a lot for folks to keep their eyes on. Absolutely, a lot of changing regulations. When we talk about alignment between IT and business, one area that we all know doesn’t get enough attention is the operational resiliency and the very real potential for your business to be impacted by a security event. So, maybe Troels, you can go a little bit deeper on here because we touched on it a bit, but for the CTOs and the IT directors and IT leaders who are listening in today, how can they effectively make the case to leadership, to their boards that frankly, ignorance isn’t a risk management strategy?

TR: Yeah, I actually think a thing Mark touched on is like something we do at N-able. So, we’re a publicly listed software company and so forth. We do tabletops at least twice a year. We do it with all executives. We’ve even had our board in because you really need to understand like, hey, who’s doing what when? Who’s making what decisions and how are you kind of operationalizing that? And a tabletop is obviously fictional and it’s like a kind of experiment you’re running with your company. How do you react in a given situation?

And it’s surprising how fast people lose their heads. Like security has to be muscle memory, right? And when, oh, let’s say Kaleigh, like the CEO is out on vacation, okay, who makes the call? When do you go to your board, as an example? When do you go to the press? When do you respond to press? How do you respond to threat actors? When do you involve third parties? When do you go to the agencies? There’s all these questions and things. In addition to what Rick highlighted as well, like how you operationalize it, how you actually treat the incident, there’s a lot of business decisions you need to make when you’re going through this. And that goes back to like the operational resiliency.

Think of this as you have an existential event with your company, potentially. Not all events, security events, are of this proportion, but it could be. It could lead there. How are you going to operate? How are you going to mitigate? And what do you think the cost is to your business? That’s where a lot of the policies come in and understanding the, like, what does it actually cost for me to be out of business for a day, for an hour, for a week? And what are the implications? And again, reading the news, you can very, very, like, get a pretty good overview of what it costs these massive enterprises.

So I’ve been impacted by multiple breaches by these like significant franchises. I was on a business trip, I was staying at a Marriott or a Sheraton actually in Edinburgh. As I was staying there, I got an email saying, yep, yep, your information is on the internet. We got breached, sorry. I worked at Microsoft when Maersk, one of the biggest shipping companies in the world, got taken out of business for nine days. That cost them upwards of $300 million. They had to reboot their whole IT environment from an offline server in Nigeria. They communicated via WhatsApp because they were just down. They couldn’t operate their ships, their ports, and so forth.

I know these are very big companies, and it might feel like, well, they’re obvious targets because they’re so big, but what they went through and what they learned is what is the cost of not doing it and what is the cost of being out of business or not being able to operate, facilitate. Mark, your example of the manufacturer that cost about $7 million to shut down operations. And that is probably like a decent sized manufacturer, but not one of like a massive enterprise in how they operate. Doctor’s office, or lawyer’s office, as it was mentioned, do your customers trust you if you can’t keep their information safe? Because it becomes like, you start to question your business practices.

So I think that’s very important as an IT practitioner and professional, you bring that lens to it. Like, hey, let’s talk what it actually means if we’re not doing this the right way. Because going back to like the scale, security is a scale, like how much am I willing to pay for a certain level of protection? And that’s why you need to understand what it costs me to be out of business or not operational for a period of time, and then what are the repercussions I have to go through, whether it’s reporting, it’s restarting a production line, and so forth. You really have to understand bits and pieces because that starts to inform how you’re investing in IT, but especially cybersecurity, because now it’s relative. I’m paying $10 an endpoint, $100 an endpoint, whatever number, a month, but that is to prevent me shutting down my production line, which I know cost me $7 million. And there’s no take backs. Like once you get into that situation.

So I think that’s very important. Have them understand, like make it tangible, make it real. I should have the discussion, but also you as an IT practitioner and an IT or security leader, IT leader, information leader, whatever position you’re in, you need to understand what impact you’re having on the company and kind of how this has changed over the past five to 10 years. And it’s becoming ever more so prevalent. And this is small and big companies. So, obviously, hey, you invest a little less if you’re a five-man shop than if you’re like Target or Microsoft, it’s been a lot more. But relative, like the importance and impact to you as a business and then see like you have from inconvenience to existential events. Let’s understand and let’s try to map that out. And that’s why I always, so I’ll extend a little here if that’s okay, Kaleigh.

One of the things that I see a lot in the field is understanding what it takes to do this efficiently and how I view it. I always look at things mean times, right? So, like how long does it take for you to detect, to investigate and then to respond to a thing? Because when you’re talking about security, you’re operating in minutes and hours, not days and weeks. I’m detecting something I can take action to limit the impact of this. If you don’t have a good understanding of the mean times, that probably means you need to talk to someone that can provide you guidance or help you map this out.

Then going back to some of the best practices, like tabletops, try to run through it. Work with an outside counsel or coach, however you want to position it, just run through it. Spend an hour, spend two hours, have them run through a scenario where you go through it. Bring in your other leaders, your other executives, and so forth, and have them feel what it’s like. And how their decision-making is through this, and then who can you call. So, that means like, hey, do you have a service provider you’re working with that helps and supports you? Do you understand your insurance limitations and implications? That’s a big one as well.

It’s expensive to go through these things. So, that’s why I invest upfront, but when something happens, who do you call? Because you most likely have to call someone at some point in time, whether it’s a company that helps do forensics, whether it’s an agency, because you have to report something. But there’s always someone you need to call or inform. And then understand what’s covered by who and when. So, those are important things and that’s how you can bring it up from a, I need this type of technology deployed, to, here’s the problem we’re solving, here’s the cost of not solving the problem, okay, here’s the cost of solving the problem.

If you start with, here’s the cost of solving the problem, you will now have a potential like a CFO or a CEO or whoever is trying to rationalize the dollars spent versus the impact of not spending the dollars, right? So, have them understand like what they’re protecting and the outcome that they’re looking to achieve. And then you can say, okay, well, here’s your scale, from doing it best of breed, best ability, to a “this would probably give us the checkbox on whatever compliance questionnaire, insurance questionnaire we’re trying to go through.”

KA: Great. So, I’ll sort of quickly recap. Thus far, we’ve got more sophisticated threats and threat actors, we’ve got less time, money, and resources for IT, we’ve got more regulatory requirements, and also kind of a lingering, it’s not going to happen to me attitude. So, you know, put all that together and you’ve got a little bit of a recipe for disaster.

So let’s talk about then what we believe is the appropriate path forward, and that’s managed detection and response. The security stack, just like the threat landscape, has had to evolve to keep pace, and so now we’re seeing MDR as the shining star for security-conscious businesses. Mark, can you quickly give us the 50,000-foot overview of what MDR is and how it was born out of the security tools of the past like AV and EDR, etc.?

MS: Yeah, sure. I’ll do it quick. You think about it, over time we had anti-virus in the beginning and then anti-spam filters and firewalls and so on. We kept adding to our two-of-everything Noah’s Ark of cybersecurity and born out of that became the managed security service providers, MSSPs. Their job really was to pull all those things together, aggregate the information and provide reporting, make sure they were patched and updated and so on. But that still only went so far. The reality was while they managed devices, it was about shifting the mindset to managing threats. That’s where managed detection response came from.

About almost 10 years ago now, Gartner coined the phrase managed detection response as a turnkey service to provide 24-7 protection that includes detection and containment capabilities on behalf of the client. What they’re talking about there is that when one of those systems alerts that someone with the right expertise can go in, can investigate, determine whether there is malicious activity, and then can contain it, shut it down ultimately before it becomes business disrupting. That’s the part that I add onto it.

The challenge with MDRs is there’s a lot of confusion in the market. The vendors’ capabilities differ greatly in their ability to protect those clients. What can they detect, and what services or sources can they detect from? Can they contain across everything, or can they only contain across the endpoint, etc.? That’s really where customers, I think, have to identify what are real features that they’re bringing and ultimately, what benefits are they going to get from them?

KA: Awesome. That’s a perfect segue. I want to talk about some of those features and benefits and just a quick time check for everyone. We’ve got about 10 or 11 minutes left, so we’ll keep that in mind as we try to run through some of these.

Rick, when we’re talking about companies struggling with limited bandwidth, internal resources, one of the gaps we see as a result of this is with security monitoring, alerting, and response, right? Those operations have become a full-time job and businesses of varying sizes don’t have the means to train or keep SOC analysts on staff. So, can you talk a little bit about the benefits of the SOC component of MDR and how it can be a cost-effective alternative to building out and maintaining your own internal SOC?

RM: Yeah, I mean, this is a very similar situation to what we saw, you know, 10 or so years ago with kind of the move to the cloud, right? So, you make a business decision of, do I have the expertise, the staff, the wherewithal to keep this moving forward for the next however many years, to keep it in-house or on-premise, or do I go to the cloud and outsource it, and use a third-party provider to provide those services?

A lot of times, I mean, I know personally, it’s hard to find and maintain a security practice. Finding knowledgeable people, once you find them, keeping them trained, keeping them sharp, keeping them up to date, right? That’s a full-time job, I know, because that is my full-time job. That’s a whole other thing on its own, and managing that internally, building a 24-hour SOC, that’s at least five full-time positions with management staff and training and benefits to pay on top of it. It’s very expensive.

And so outsourcing, it makes a lot of sense. And a lot of times, a small to mid-sized business, you don’t even want to have to deal with that or manage that, or they don’t have the capacity, the budgetary resources to do that. It makes a lot of sense to outsource that to a provider. There needs to be a relationship there.

I had several meetings this week alone of, “I’m going to outsource this to you, this is my job because I’m company X, I’m referring my security to you”. And as like Troels and Mark were saying like, “This is huge for us. We can’t recover from an event in the news for my company. So, I’m trusting you with this”. It’s a big decision to make for a company to outsource security services. And so you need to find a trusted provider that you’re comfortable with making that relationship with to offset that liability and provide the level of services that your company’s going to need for security.

KA: Yeah, absolutely. Troels, I think the threat intelligence aspect of MDR is also a really compelling benefit. So, many security tools and solutions are reactive in nature inherently, but with MDR, you’re also getting that proactive hunting for known and emerging threats before they reach you.

So what’s your take on, you know, the importance of this proactive methodology and how do you see threat hunting and intelligence feeds evolving over time?

TR: It’s, the way I look at it is, right, you have left of boom and right of boom. And what you want to do is you want to have as much occur on the left side as possible. So, the more proactive you can be, the more proactive action or the faster you can take action as the boom or like incident happens, the better. And that’s where really, I think Rick and team are investing a lot of effort in how do we become as great as possible at protecting and ensuring that as much as possible stays left. That’s obviously applying a good level of protection, all the layers and so forth, but also looking at the data, looking at trends, looking across all customers and so forth.

That’s one of the things as well with partnering with a company in this space is suddenly you have expertise that extends beyond your scope. You can lean on their expertise, but also from a cost perspective. I’ll just lean a little on this because that’s one of the benefits I find at least is if you are to build these services out yourself, right, you’ve run a security operations center. Think of it this way. You need 24x7, that’s probably three people a day, right? You need holidays, you need weekends, and so forth. That means you’re, at a minimum, running a staff of 8-9 very expensive people, if you want 365 coverage. You want people looking proactively at this, and then that comes back to the intel, right? Looking at it, understanding it, being able to action it, and correlate things, so you can take the right level of action is really what it’s all about because you can collect all the information.

That doesn’t mean you know what to do with it. And that’s where expertise plays in. And then partnering with, so for example, the Adlumin team have a great amount of researchers that then partners with their response team, with their service providers and so forth, right? So, it becomes like a part of like an extension of your team and understanding, hey, like what’s going on in the threat landscape? What can we do to be preventive? So, we’re ready for them when they come. We’ve taken the action to make sure like the kind of the loophole is closed or whatever part of our posture has been strengthened and kind of repositioned to take advantage of or prevent whatever issue is about to occur.

I’ll go back to the Maersk thing. They needed to patch their Windows systems. They did that two months too late. That’s a simple one. Everyone knows you need to patch, right? A healthy device is usually a somewhat secure device, but it’s about having an understanding and having people look at the telemetry, knowing what to do with it, and doing it, taking the action before the damage occurs, or if it occurs, as close to point zero as possible, right, ground zero.

KA: Great. I’m gonna do a quick lightning round in a minute and I’m gonna ask you all what your favorite MDR feature is, but I think mine is the way that it’s able to aggregate data from so many sources. Conventional SIEM tools, conversely, are sometimes only logging security events. Firewall level, some have connectors for endpoints, but with MDR, you’re able to integrate data from so many different sources.

Mark, how does this transparency change the game when it comes to delivering security insights and protection?

MS: Yeah. First thing is if you can’t see what’s going on in your environment, or there are a lot more shadows than there are light pockets, you’re in real trouble because criminals do a great job of getting in between those spotlights and in between the silos of different technologies that we have. So, you have to be able to look at all of it. It adds what I would call the Z or Zed axis. You’ve got the North-South, which is the in and out of the Internet through your firewalls, etc. The Cloud services, you have the East-West traffic or the Y-axis when it comes to things like endpoint, system-to-system, etc. within your environment and creating greater visibility.

Things like e-mail accounts, privileged access, looking at Azure, the endpoints, the Cloud services, the perimeter defenses, etc., gives you that third dimension, which starts to talk about the context and the relevance. Why is it that Mark’s system is no longer, Mark generally does this and his profile has a certain viewpoint to it or topographical mapping, and all of a sudden it’s going way out of hand. Likely that’s an account takeover. Something else has happened with one of my devices or my account itself.

And it’s also the ability, or I think really taking the agnostic philosophy to it. If you look at traditional MDR vendors, they were more about, I call it the fixed, you know, it’s like the wedding menu, the fixed menu, you know, pick one of two appetizers, one of three entrees, and pick a couple of desserts with the coffees on the house. And the problem with that is if you don’t fit that mold, it’s not going to work for you. It means they’re managing particular aspects, but there’s, as I said, there’s darked out areas in your environment.

So you really want that more open agnostic approach that N-able and Adlumin provide, that then allows you to see everything. Once you’ve got that capability, that allows you to make the informed decision. And at that point, it’s about the containment capabilities.

KA: Awesome. I know we’ve only got a couple of minutes here, so I’m conscious of time. I do want to give folks an opportunity in the audience if they have questions, please feel free. There is a questions panel in your GoToWebinar dashboard. We do have a couple of minutes left if you’re a fast typist and you want to send something in. And in the meantime, we’ll do a quick lightning round for our panelists here.

So I’m going to go around the horn. Mark, I’ll start with you, and then Troels, and then Rick. Favorite MDR feature?

MS: For me, beyond what we just talked about, live reporting! The ability to see what the security operations people see at any given time and not reliant on that other party to pull that information or correlate and curate that information for you.

TR: UEBA (user and entity behavior analytics). Kind of like extending on what Mark just said, but there’s a lot of sophistication in the tool, and that just allows you, your team, to be so effective when operationalizing and scaling.

RM: SOAR (security orchestration, automation, and response). I like automation as much as I possibly can. And so kind of what Mark was saying, the sooner that we can stop a dwell time of a threat actor or a potential incident, the better. And so SOAR really cuts down on the response time in an automated fashion using UEBA and all of the live reporting data points.

KA: Perfect tie-in. All right, I think what we’ll leave you all with is, if you can each chime in on maybe the biggest consideration for IT leaders evaluating MDR, and we’ll kind of go around the horn again as well, Mark, starting with you.

MS: Yeah, so for me, I think it’s identifying, so map vendor to your requirements, right? Just don’t look at carte blanche or compare them all by price or, you know, whatever fancy checklist they’re going to put in front of you, but really think about where your core competencies are, what matters to you? Is that regulatory issues? Is that, you know, confidentiality, whatever that might be, and then match it to the right vendor, the one that can complement the skill sets that you have internally, and make sure they understand your business. As I always joke, if somebody’s working in healthcare and they spell HIPAA with two P’s, you throw them out.

KA: Wonderful. Troels, biggest consideration for MDR?

TR: Yeah, like how are you solving the problem today if you don’t have an MDR vendor or like outsourcing, who’s doing the work? Who’s doing it when Mark’s on vacation? How are you going about it? Make sure you have your processes in place. Go through, understand what it takes, like, mean times, detection, investigation and response, and who does what when. And if you can’t articulate that clearly, you should probably talk to someone that could help you with those answers.

KA: Rick, biggest consideration for evaluating MDR?

RM: Know where your MDR provider is going to start and stop, and so the rules of engagement are usually clearly defined, make sure you’re aware of what those rules of engagement are because you may be surprised that you think you have full coverage and it’s going to stop at an email letting you know something bad is going on, but you still have to do the last bits to stop what’s bad going on. So, make sure that you’re aware of the rules of engagement that are defined in your MDR vendor that you’re looking for.

KA: That’s a great point.

Well, not surprisingly, we have eaten up every minute and a couple extra here that we allocated for today’s discussion. I want to quickly remind everyone that they’ll receive a link tomorrow with the full recording of our chat today, as well as the transcript so they can easily revisit any of the content we covered today. And again, those materials will be delivered to inboxes around noon Eastern tomorrow. Big thanks to our panelists today.

Mark Sangster from Adlumin, Troels Rasmussen from N-able, and my colleague Rick Mutzel from Omega Systems. Thank you all for your thoughts, your perspectives. Together, our three organizations are delivering a really impressive MDR solution, which our team at Omega is exceptionally excited to tell folks more about. So, please don’t hesitate to reach out when you’re ready to book a demo with Rick and his team to learn more.

So, lastly, thank you to everyone for attending today, and we hope to see you all again for another webinar soon. So, with that, I will say thank you and enjoy the rest of your day, folks. Thank you all.
