Enhancing Cybersecurity: Unpacking SOC Services for Resilient Threat Management


September 10, 2024

On September 19, Mindsight and High Wire Networks will host an event called “Enhancing Your Cybersecurity with SOC Services” that will provide valuable insights into the following:

  • The financial, reputational, and operational impacts of cyber risks.
  • Real-world examples showcasing the effectiveness of SOC services in threat detection and mitigation, especially in cases where EDR tools were bypassed.
  • Tips on creating a rock-solid cybersecurity plan with regular assessments, training, and best practices.
  • Why 24/7 monitoring and expert intervention are must-haves for effective threat management.
  • Why human expertise in cybersecurity is irreplaceable and how SOC teams can outsmart even the trickiest threats.

The discussion will be led by Mindsight CIO Tad Gralewski and Overwatch Managed Cybersecurity’s Travis Ray. We spoke with Ray recently about the CrowdStrike outage, the lessons learned from it, and what it all means from a strategy and planning standpoint. Here’s what he had to say.

Q: The recent CrowdStrike outage negatively impacted so many sectors. What weaknesses did it uncover, and what more should companies be doing when it comes to cybersecurity to be better prepared?

A: A lot of IT and security leaders have been reevaluating their own tools and ecosystem since that incident. It was a unique situation. It has only happened once or twice in the industry in the last 10 years. One thing in particular that’s important for customers is: Who’s managing the console and testing updates before they happen? The CrowdStrike update had an error in the code that caused CrowdStrike to shut down the systems that it was using and basically take endpoints and servers offline. The reason why it was such a widespread outage was that most self-managed security operations centers and, in truth, many MSSPs who help manage CrowdStrike for their customers or rely on CrowdStrike, weren’t testing updates before they pushed them out. But you would need a unique configuration to do that. One differentiator with SentinelOne, which is the technology Overwatch leverages to power endpoint detection and response services, is that before we push something out to a customer’s endpoint that we’re managing, our security analysts will test that update and make sure that it’s not going to break anything. If it does, then we don’t push it, and reassess.

If you’ve ever used a Microsoft tool, you know that sometimes updates break things. So we test that—especially because we have EDR [endpoint detection and response] on more complex systems like Citrix and VDI, and those systems can break very easily. SentinelOne gives us the ability to test all updates. It gives us a lot more flexibility. And it’s built more for managed security service providers than CrowdStrike tools. Only a very few users had the capability to test the problematic CrowdStrike update before it got pushed out. CrowdStrike forced it. That’s part of the value that a managed security service provider brings to the table: security expertise and a constantly vetted process to prevent situations like the tech outage from happening. I will say that I was pretty impressed with how CrowdStrike handled it. They owned it and have made efforts to ensure it doesn’t happen again. But technology isn’t infallible (in fact, it often complicates cybersecurity and becomes the root of the problem), which is why any cybersecurity strategy should consist of the right people, processes, and products.

Q: How should companies approach cybersecurity more holistically versus just focusing on tools? What’s involved in developing a holistic strategy?

A: You need to be looking at all the areas of cyber risk to your business. And it needs to be a continuous strategy. High Wire has a broad portfolio of offerings, so that as customers’ continuous risk mitigation strategies evolve, we can evolve with them. Not every business can throw the whole kitchen sink at their cyber risk strategy; you usually have to build that up over time and try to make it a holistic approach, where you have as much data consolidated in one place in order to get as much visibility as possible across your attack surface.

A: Overwatch, together with Mindsight, can help customers grow into their cyber defense strategy by providing more than just managed detection and response (MDR) or more than just the traditional foundational services. Our security expertise allows us to talk to a variety of customers and meet them where they’re at in their cyber risk mitigation journey. Some are just starting. Some have been doing it for just a while. Some have been ahead of the curve and have been doing it for years, and they’re looking at implementing a more sophisticated strategy. If you went to business school 15 years ago, cyber risk wasn’t even something that was talked about when it came to managing the risk to your business. For a lot of companies now, it’s become the number one thing. But what that means is now you’ve got a lot of companies trying to figure out what to do. And it’s not easy. Mindsight does a great job of helping to build a strategy and understanding where a customer is and how they can start deploying managed security services that are going to have the most impact, while also building a risk-mitigation roadmap.

Q: Why did Mindsight and High Wire partner—and what does High Wire bring to the table?

A: Mindsight really appreciates that we’re able to bring enterprise-level technology to mid-size businesses at an affordable price point. Plus, High Wire takes a vendor-agnostic approach. If, at some point, SentinelOne stops being the right solution for a given company, we’ll find the right solution to power the service. It helps future-proof cyber risk mitigation strategies for our clients and their customers.

Acronyms to Know

SIEM

What it stands for: Security Information and Event Management.

Travis’s take: Four years ago, SIEM was the new magic bullet. And that’s something that our industry has gotten better at doing—not positioning certain things as the only security tool that you need. SIEM is a crucial part of your risk mitigation strategy and defense in depth because it’s going to give you the ability to correlate things that are going on across different parts of your attack surface. The struggle is being able to leverage that data and do something about it. Some companies are great at collecting all the data and some are not that great, and it’s very difficult to build the detections and all the rules and everything that goes around that. A lot of times it makes sense for companies to collect the logs, whether that’s because they understand the value of it from a security perspective or because of compliance. Overwatch takes SIEM to the next level with a next-gen XDR platform. See below.

SOAR

What it stands for: Security Orchestration, Automation, and Response.

Travis’s take: One of the foundational things with compliance is log collection and analysis, which is what SIEM does. The struggle they’ve run into is, “Now we’ve got all this data. What do we do with it?” And that’s where an MSSP, like Overwatch, can come in and take it a step further with security orchestration and automated response, or SOAR. SOAR is an enterprise-grade tool that, for a long time, hasn’t been very vendor agnostic. We implemented a SOAR tool that delivered fast and scalable outcomes, and was truly vendor agnostic. Most SOAR platforms were proprietary and only really worked with their own set of tools. Overwatch SOAR allows Mindsight and their clients to bring in their customized technology stack because we know not every customer has the same firewalls and solutions deployed. With the vendor-agnostic Overwatch SOAR, we can build thousands of detections quickly, customized to the clients’ requirements, and push that out across all the data that we’re ingesting, which allows us to take advantage of and leverage the information that we’re getting and correlate it much faster.

SOC

What it stands for: Security Operations Center

Travis’s take: The other challenge that we hear a lot about when we’re talking to partners…say a customer is using a partner for managed services but not the security side, and often there’s no customization or flexibility from their third-party MSSP. They need some specific things to work, but their provider essentially says, “You’ve got to live in our box. We can’t do anything outside of this.” The SOAR platform we have allows us to create customizable rules of engagement and responses, so a partner like Mindsight can say, “We’re co-managing with a customer that has an IT team that wants guidance from us about what to do during the day,” and after hours, when there’s no one in the office watching those systems, that’s where Overwatch’s U.S.-based SOC steps in to take over. In fact, the SOC works 24 hours a day, 365 days a year. We respond to events for them, so they don’t come back Monday morning and find out they got breached over the weekend and now it’s too late. Bad actors will get into your network and your environment and observe to understand how to monetize their access. That so-called “dwell time” is one of the hardest things to detect, because bad actors usually aren’t doing enough to trigger most security alerts. But when you’re collecting logs from across the entire attack surface, and you have a SOC with analysts who are experts and know how to look for those subtle indicators of compromise, we can go find those bad actors who have gotten through prevention defenses. The average industry-wide mean dwell time before a catastrophic cyber incident is around 90 days. Our average mean dwell time from when the first log is collected that would indicate compromise to us responding and kicking that bad guy out of the environment is under 15 minutes. So even though that bad actor got through your prevention defenses, which is going to happen, we were able to get them out of there before they could harm the business. This is important because it gives our customers the peace of mind that even when they’re sleeping, Overwatch is watching their environments.
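The three ideas in the SIEM, SOAR and SOC entries above (correlating low-signal events from different log sources into one incident, driving an automated response from that correlation, and letting a rules-of-engagement policy decide whether the SOC acts on its own after hours or hands off to the customer's IT team during the day) fit together in a single worked example. The code below is an added illustration written for this post; it is not Overwatch's, High Wire's or Mindsight's code and does not reflect their actual detection content or policies. The log events, the indicator weights, the known-VPN-IP list and the business-hours window are all constructed assumptions.

```python
"""Toy SIEM correlation + SOAR response with rules of engagement (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry from three sources (firewall, identity provider,
# EDR). None of these lines come from a real environment.
SAMPLE_EVENTS = [
    {"source": "firewall", "ts": "2024-09-07T02:01:05Z", "host": "ws-114",
     "user": "jdoe", "action": "vpn_login", "src_ip": "203.0.113.7"},
    {"source": "idp", "ts": "2024-09-07T02:01:40Z", "host": "ws-114",
     "user": "jdoe", "action": "mfa_failed"},
    {"source": "idp", "ts": "2024-09-07T02:02:10Z", "host": "ws-114",
     "user": "jdoe", "action": "mfa_failed"},
    {"source": "idp", "ts": "2024-09-07T02:02:30Z", "host": "ws-114",
     "user": "jdoe", "action": "mfa_success"},
    {"source": "edr", "ts": "2024-09-07T02:06:12Z", "host": "ws-114",
     "user": "jdoe", "action": "process_start",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    # Benign noise on another host: one failed MFA prompt, nothing else.
    {"source": "idp", "ts": "2024-09-09T14:30:00Z", "host": "ws-201",
     "user": "asmith", "action": "mfa_failed"},
]

# Each indicator on its own is too weak to alert on; together they add up.
INDICATOR_WEIGHTS = {
    "vpn_login_from_new_ip": 2,
    "mfa_failures_then_success": 3,
    "encoded_powershell": 4,
}
KNOWN_VPN_IPS = {"198.51.100.10", "198.51.100.11"}   # assumed baseline
BUSINESS_HOURS = (8, 18)                             # assumed, local time
CUSTOMER_TZ = timezone(timedelta(hours=-5))          # assumed customer zone


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def indicators_in(events):
    """Return the indicator names present in one host's time-ordered events."""
    found, mfa_failures = set(), 0
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] == "firewall" and ev["action"] == "vpn_login" \
                and ev.get("src_ip") not in KNOWN_VPN_IPS:
            found.add("vpn_login_from_new_ip")
        elif ev["source"] == "idp" and ev["action"] == "mfa_failed":
            mfa_failures += 1
        elif ev["source"] == "idp" and ev["action"] == "mfa_success" and mfa_failures >= 2:
            found.add("mfa_failures_then_success")   # MFA fatigue pattern
        elif ev["source"] == "edr" and ev["action"] == "process_start":
            cmd = ev.get("cmdline", "").lower()
            if "powershell" in cmd and ("-enc" in cmd or "-encodedcommand" in cmd):
                found.add("encoded_powershell")
    return found


def correlate(events, window=timedelta(minutes=15), threshold=5):
    """Group events per host, score every window starting at each event, and
    emit one incident per host whose best window reaches the threshold."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, first in enumerate(evs):
            t0 = parse_ts(first["ts"])
            in_window = [e for e in evs[i:] if parse_ts(e["ts"]) - t0 <= window]
            found = indicators_in(in_window)
            score = sum(INDICATOR_WEIGHTS[name] for name in found)
            if best is None or score > best["score"]:
                best = {"host": host, "score": score, "indicators": sorted(found),
                        "first_seen": in_window[0]["ts"], "last_seen": in_window[-1]["ts"]}
        if best["score"] >= threshold:
            best["severity"] = "high" if best["score"] >= 8 else "medium"
            incidents.append(best)
    return incidents


def choose_response(incident, now):
    """Rules of engagement (assumed policy, not any vendor's): during the
    customer's business hours a high-severity incident is handed to their IT
    team with a recommendation; after hours the SOC isolates the host itself.
    Medium severity only opens a ticket for analyst review."""
    local = now.astimezone(CUSTOMER_TZ)
    in_hours = local.weekday() < 5 and BUSINESS_HOURS[0] <= local.hour < BUSINESS_HOURS[1]
    if incident["severity"] == "high":
        return "notify_customer_it" if in_hours else "isolate_host"
    return "open_ticket"


def run(events, now):
    """Full pipeline: correlate, then pick one action per incident."""
    return [(inc["host"], choose_response(inc, now)) for inc in correlate(events)]


if __name__ == "__main__":
    for host, action in run(SAMPLE_EVENTS, datetime(2024, 9, 7, 2, 6, tzinfo=timezone.utc)):
        print(host, action)
```

The point of the scoring is the one Travis makes about dwell time: a VPN login from a new address, a couple of MFA failures, and one encoded PowerShell launch each look like ordinary noise in their own console, and only the correlated window on ws-114 crosses the threshold. The same incident produces a different action depending on when it fires, which is what a customizable rule of engagement buys you over a fixed "live in our box" playbook. In a real deployment the isolation step would call the EDR vendor's API rather than return a string, and the known-IP baseline and weights would come from the customer's own data.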

NOC

What it stands for: Network Operations Center

Travis’s take: A lot of our partners, like Mindsight, act as NOCs for their customers. For us, then, it’s about having a symbiotic relationship with them and being able to interact with the NOC—because a NOC might have information on those systems that we don’t have, and we might have information they need. A lot of times when bad actors launch an attack, a NOC would see a spike in the CPU. They would start seeing things on the machine or on the network that we’re not really looking for or monitoring. But that’s information that can help us reduce mean dwell time. We need to have a symbiotic relationship to be able to cohesively work together.

EDR

What it stands for: Endpoint Detection and Response

Travis’s take: When you have remote users on your network, whether they’re traveling or working from home, there’s risk that comes with that. You have less visibility into their devices because they’re connecting through SaaS and cloud and they’re not on your network. Having an endpoint detection and response tool on an employee’s machine that is constantly monitoring everything that’s happening on that machine—what’s coming in and out, indicators of compromise and malicious activity—is super crucial. Without it, that remote user is a blind spot. And if their device gets compromised, it can compromise the whole network. Bad actors can move laterally through remote users into the core network and find that pot of gold. But whatever EDR tool you’re using is going to give you much more visibility into that remote tool and the ability to respond to it. Instead of having to be physically on site with it, we can use SentinelOne to roll a compromised machine back to its previous state before the compromise happened. We can also allow downloads of unfamiliar files by running them through threat intelligence to make sure they’re not malicious.

XDR

What it stands for: Extended Detection and Response.

Travis’s take: While EDR is focused on endpoints, like laptops and servers, XDR is gathering information from across the entire attack surface, whether it’s a company’s cloud, their identity access management, their email, their devices, their firewall, servers, network—whatever it may be. If a bad actor gets in through a firewall, outside the endpoints, and a customer only has EDR deployed and managed, you won’t be able to see threats moving across the rest of the attack surface. It’s critical to be able to see the forest (big picture) and the trees. Overwatch ingests all the data, correlates it, and watches in real-time for any anomalies—and of course, takes swift responses as needed. So, really, XDR is the evolution of SIEM, because it adds response capability on top of data detection.

Cybersecurity is a complicated topic, as this post shows. That’s where Mindsight comes in to simplify it for you, through its partnership with Overwatch. Join us on September 19 at Gibsons in Oak Brook to learn how to create a rock-solid cybersecurity plan. Space is limited, so register for Enhancing Your Cybersecurity with SOC Services today!


About Mindsight

Headquartered in the Chicago suburb of Downers Grove, Mindsight offers fully managed IT services for organizations in a variety of industries. From cybersecurity to cloud, infrastructure to unified communications, our expert-only solution architects and engineers become an extension of your team, committed to your success. Located in Downers Grove, IL, we proudly serve customers across the area including Naperville, Oak Brook, Northbrook, and surrounding counties (Cook, Lake, DuPage, Will, Kane, and Grundy). Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our highly certified engineers and process-oriented excellence have certainly been key to our success. But what really sets us apart is our straightforward and honest approach to every conversation, whether it is for an emerging business or a global enterprise. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.
