Centralizing Managed Detection and Response



Good afternoon and welcome to our webinar. Today we’re going to be discussing the importance of centralizing your IT environment and reducing your IT footprint to help manage detection and response both from insider threats and external threats. Welcome. My name is Mike Abboud, and I’m the founder and CEO of Tetherview. We are the creators of the Digital Bunker. We’re excited to be here this afternoon. And we look forward to this presentation.

What Is Managed Detection and Response

So you know, insider threats have been a hot topic these days. Many different technologies have been breached internally through IoT. You look at varying hacks like the Verkada hack and the recent SolarWinds hack. We recently received a notice from the New Jersey Cyber Security Council that everyone should vigilantly look at their Microsoft environments to check for lateral movement. What is Managed Detection and Response? Well, detection and response means: can you detect a bad actor? Can you detect a threat within your organization, and then how do you respond to it? What are the challenges, and what are the solutions?

Challenges MDR Addresses

Unfortunately, the gaps and challenges are that every organization, except (self-serving statement here) our Digital Bunker clients, deals with a very fragmented, spread-out IT environment. So you’ve got SaaS applications hosted at AWS, Azure and Google, you have apps that are sitting on a user’s desktop and their laptop, and then you might be hosting something in a colocation facility someplace. So what you end up with is a very fragmented IT environment. It’s almost impossible to detect movement that’s unauthorized in that scenario because you have so many open doors, so many open windows you’re trying to protect. So when a fly comes in, how do you know it’s not part of the wind, and how do you tell if it’s a fly versus a leaf coming in the window that day? Hence, it’s important that as you think about how to protect your IT infrastructure, you need to think about reducing that IT infrastructure.

The other challenge with MDR is addressing the skills gap. Do you have the people, the tech, the team, the tools to detect what’s going on today and evolve and constantly stay ahead of the curve? Well, if you have fewer than 5,000 employees, you probably don’t have the budget; you probably don’t have the team, or if you have the team, they’re stretched very thin. We IT people tend to be thought of as responsible for everything plugged into a wall, including the coffee machine. We need to think about your IT environment and reducing that IT footprint. A recent survey kind of showed that 53 percent of organizations report a problematic shortage of cybersecurity skills. I can tell you that that number is probably much higher because many folks who claim to be cybersecurity experts aren’t. And then what ends up happening is you hire a cybersecurity expert. You take that person; you put them into a vacuum watching your environment, and they’re not able to evolve and see the different threats out there. So it’s important that we also make this process less manual. We automate this.

We make it so that we reduce the amount of human interaction, increase the number of positive alerts that we’re getting, and eliminate or get close to eliminating the false positives. So, common challenges managers face when handling their MDR strategies are, again, keeping up with the constantly changing landscape and staying ahead of attackers. Look, the threat landscape has changed.

You look at the Verkada hack, which I think will have huge implications down the road. This was a camera company that, unfortunately, major U.S. organizations said, hey, we’re going to let these cameras run on the same network as my ERP system. And you know they thought that they trusted Verkada, and they did, right. But they had a breach. What people were doing, and these are the types of hacks that we’ve been talking about for years, if not at least a decade already, is using a really silly password on that little IoT device, that Ring camera, whatever you put on there. So you have an administrator who’s accessing Ring or a Verkada system or any other system that’s an IoT in your environment and looks at that particular environment as a non-threat; it’s outside of the scope of compliance; maybe it’s outside of the scope of security.

Well, that’s where the hackers are looking. Right. They know that you’re going to use your Netflix password for that. So they go, and they buy your Netflix password for 10 cents on the Web, and they try it, and they get in, and they got it right. Because once they’re in now, they have your Wi-Fi password, and now they’re in your network.

And hopefully, if they’re doing their job right from their perspective, they’re undetected. What’s important here is, again, to reduce your IT footprint, you have to create hard segregation and physical segregation between all of the different systems that can access your control system. From the buildings and your camera systems to your ERP systems and your desktops, creating a physical separation between those systems is critical. That’s the first step of eliminating the stress on detection and response.

Optimizing Your MDR Strategy

How do you improve and optimize your MDR strategy? The first step is to reduce your IT footprint. Using technology like the Digital Bunker, we bring the users to the data instead of bringing the data to the users. So we’re eliminating the number of endpoints. We’re eliminating the number of open doors and open windows to secure for our clients’ teams.

What that gives us is an inordinate amount of visibility into your IT infrastructure. So once you’re inside a Digital Bunker, nothing can access it except something that’s authorized. At the core of the solution is a virtual desktop, and the benefit of a virtual desktop is that we can control who accesses it, what they access once they’re in, where they access it from, and when they access it. So without a virtual desktop, you probably have a VPN, which now creates yet another vulnerability point. Then you have an endpoint that someone logs into because it’s a physical endpoint that’s offline and off a network. Once they log into the network at that endpoint, there’s probably no MFA; 99.9% of physical laptops don’t have MFA to access it initially. Right there is the first sign of trouble for an organization. Well, with a virtual desktop, your corporate data is always inside the Digital Bunker that’s built for you.

So now the IoT devices that are physically in your offices and your employees’ homes become a threat to your corporate infrastructure because if you think about it, how can you tell if someone’s sitting at home using no security on their local network because security is tough for most non-IT practitioners? How can you know that their local network isn’t compromised and that their local instance of Chrome isn’t compromised? It’s impossible, especially if it’s a BYOD scenario. So what we tell our users is to create this Digital Bunker. Regardless of whether the local devices are compromised or not, hackers can’t get into the Digital Bunker without MFA. And when we say MFA, we mean we’re geo-tracking physical location, their MFA code, and that they should be coming in at the right time. Multiple points of authentication are present.
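The access controls just described (who is logging in, where from, when, and whether MFA was completed) can be written down as a single policy check that runs in front of the virtual desktop and logs every decision. The following is an added illustration written for this page, not Tetherview’s or Digital Bunker’s code; the policy fields, the event format, and the sample logins are all constructed assumptions. It evaluates each login against the user’s policy and records the reasons for every denial, so a blocked attempt becomes an auditable event rather than a silent failure.

```python
"""
Illustrative access-policy check for a centralized virtual-desktop gateway.
Added example, not Tetherview/Digital Bunker code. The policy fields, the
event format, and the sample events are constructed assumptions used to show
how "who, where, when, and MFA" can be evaluated together before a session is
granted, and how every decision (allow or deny) is recorded for audit.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessPolicy:
    user: str
    allowed_countries: frozenset   # "where": countries the user may log in from
    window_start: time             # "when": allowed login window (UTC, same-day)
    window_end: time
    require_mfa: bool = True       # second factor must have been verified


@dataclass(frozen=True)
class LoginEvent:
    user: str
    country: str                   # resolved from the source IP by a geo lookup (assumed)
    when: datetime                 # UTC timestamp of the attempt
    mfa_verified: bool
    src_ip: str


# Assumed per-user policies; a real deployment would load these from a directory.
POLICIES: Dict[str, AccessPolicy] = {
    "alice": AccessPolicy("alice", frozenset({"US"}), time(7, 0), time(19, 0)),
}

# Constructed sample events (not real logins): a normal login, a login with no
# second factor, a login from an unexpected country at an odd hour, and a user
# that has no policy at all.
SAMPLE_EVENTS: List[LoginEvent] = [
    LoginEvent("alice", "US", datetime(2024, 3, 1, 9, 15), True, "203.0.113.10"),
    LoginEvent("alice", "US", datetime(2024, 3, 1, 9, 20), False, "203.0.113.10"),
    LoginEvent("alice", "RO", datetime(2024, 3, 1, 3, 40), True, "198.51.100.7"),
    LoginEvent("bob", "US", datetime(2024, 3, 1, 10, 0), True, "203.0.113.44"),
]


def evaluate(event: LoginEvent) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed check is reported, not just the first,
    so the audit record explains the whole picture of a denied attempt."""
    policy = POLICIES.get(event.user)
    if policy is None:
        # Unknown identity: deny by default rather than fall through to "allow".
        return False, [f"no_policy_for_user:{event.user}"]

    reasons: List[str] = []
    if policy.require_mfa and not event.mfa_verified:
        reasons.append("mfa_missing")
    if event.country not in policy.allowed_countries:
        reasons.append(f"geo_outside_policy:{event.country}")
    t = event.when.time()
    if not (policy.window_start <= t <= policy.window_end):
        reasons.append(f"outside_login_window:{t.isoformat()}")
    return len(reasons) == 0, reasons


def audit(events: List[LoginEvent]) -> List[dict]:
    """Evaluate a batch of events and produce one audit record per attempt."""
    records = []
    for ev in events:
        allowed, reasons = evaluate(ev)
        records.append({
            "ts": ev.when.isoformat(),
            "user": ev.user,
            "src_ip": ev.src_ip,
            "country": ev.country,
            "allowed": allowed,
            "reasons": reasons,
        })
    return records


if __name__ == "__main__":
    for rec in audit(SAMPLE_EVENTS):
        verdict = "ALLOW" if rec["allowed"] else "DENY "
        print(f"{verdict} {rec['ts']} user={rec['user']} ip={rec['src_ip']} "
              f"country={rec['country']} reasons={rec['reasons']}")
```

The check deliberately collects every failed condition instead of stopping at the first one, because a login that is both geographically unexpected and outside the user’s normal hours tells a responder more than either signal alone. The same-day login window is a simplification; a shift that crosses midnight would need the comparison split in two.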

Zero-Trust Environment

What that does is create a near zero-trust environment, essentially as close to a zero-trust environment as possible. So we’re going to take away all of your users’ passwords and prevent them from having to get into a desktop and then remember all of these other passwords. Or keep them from doing what most people do, which is starting to repeat passwords, and then you end up with a terrible situation where, you know, they love the Yankees, so they use Yankees1234 as their password everywhere, and now they’re toast. Again, getting back to the topic of managed response and detection, you know the concept here is that once they’re in, we can see everything. Right.

So once they’re in, we’re tracking what they’re touching, what they’re doing, and if somehow or another something was able to get in there, we can quickly turn it off. Now the VDI, the network, the data that’s being hosted, and the access to the Internet act essentially like an old school office setting, except you’re all sitting telepresent inside the Digital Bunker.

We can granularly see one way in and one way out, even from the Internet, and see what’s going on. So we capture and log and audit every action: network-level, Active Directory, file servers, desktops, applications, your URL access, and when you have SaaS applications, hey, let’s prevent that and let’s turn on SSO. But make it convenient for the users so that they’re not accessing those SaaS applications from any old device everywhere, creating yet another vulnerability. The fact of the matter is that most people want to work and they want to be productive. So when your organization doesn’t give your team the tools to be productive from anywhere, anytime, they’re going to find ways around it. COVID accelerated that. With BYOD, everybody wants to work from their Mac or other personal devices. You gave them access to ERP software hosted on the Web and available through a web browser, and now they can log in from everywhere. So again, we want to eliminate that. But if you eliminate that and don’t give them the functionality to work effectively, you’re never going to be able to detect a breach.

You’re never going to be able to stop people from accessing things where they shouldn’t be. And it’s going to be hard to control the IT experience.

So if you want to learn more about how we handle detection and response, please schedule a demo. We’re happy to do a deeper dive showing you some of the tools. This is a public-facing document, so we don’t get into the specific tools we use, but we can show you some of the audit tools and the granularity we can see. We’d love to schedule a demo and are happy to do a one-on-one and get into that.

Sapphire Huie