How Managed Services Providers Can Exceed Evolving SecOps Expectations - Christopher Fielder - CFH #30
Cyber For Hire (Audio) | September 26, 2023 | 49:20 | 112.88 MB

The days of an MSSP or MSP being a security device babysitter are over. Clients expect more from your SOC, SIEM and SecOps offerings, and evolving attacks will demand more of you. It's time to level up -- but how does one upgrade from basic to top-tier services? According to our featured speaker, there are several key steps: more comprehensive, cross-industry threat data collection; more refined, contextual and meaningful analysis of threat telemetry data; and ample use of threat intelligence, data science and security research. This interview will examine the key challenges and opportunities associated with these critical objectives.

Endpoints are everywhere and come in many forms, and especially in today's BYOD environment, it's becoming increasingly difficult to maintain visibility and control over all of them. Unfortunately, rogue endpoints represent an enticing attack vector for adversaries who are always looking for a way inside your network. But according to an August 2023 Cybersecurity Buyer Intelligence survey of 200 security and IT leaders and executives, security professionals are hopeful that newer, more advanced tools such as AI and XDR could help minimize endpoint compromises going forward. This session will analyze this and other key findings from CRA's Endpoint Security research, and what the results mean from a managed services provider perspective.

Show Notes: https://securityweekly.com/cfh-30

[00:00:00] Level up how managed services providers can exceed evolving SecOps expectations and endpoint security entering the era of AI and XDR.

[00:00:30] This is Cyber For Hire.

[00:01:00] This is Cyber For Hire Audio.

[00:02:30] I am one of those Disneyphiles that just seems to always find my way back there over and over again.

[00:02:37] It will be nice to be there.

[00:02:41] Of course, I had to make sure that I gave myself an extra day on my own dime while I'm down there because there's nothing worse than being down in Disney World.

[00:02:50] And then the entire time you're there, you're just doing work and everybody else around you is having fun.

[00:02:56] So well listen, we've got a jam-packed show for you as always, but some news just can't wait, which is why we want to begin by sharing what's top of mind today.

[00:03:06] So here's your headline.

[00:03:07] The cyber criminal threat actor Scattered Spider, an affiliate of the BlackCat ransomware group ALPHV, attacked Vegas hospitality giant MGM Resorts,

[00:03:19] exfiltrating their data, encrypting their ESXi hypervisors and forcing the shutdown of systems at multiple hotels, affecting everything from slot machines to reservations to payments to even electronic door locks.

[00:03:32] The culprits pulled off the cyber assault apparently by impersonating an MGM employee whom they looked up via LinkedIn and then called up an IT help desk purportedly as that individual as part of an orchestrated plan to take over key accounts

[00:03:48] and reset their multi-factor authentication credentials. At some point, the perpetrators gained super admin privileges to MGM's Okta identity and access systems and even configured a second fraudulent source identity provider that, according to Okta, acted as an impersonation app allowing malicious actors to access targeted systems and applications via federation and single sign-on. Also, Caesars Entertainment revealed shortly after that they had also been previously breached by

[00:04:17] the same actors. In their case only data was stolen, no major shutdown, because they had apparently paid the ransom. So, Bill, big story obviously. Why should this be top of mind for MSPs and MSSPs?

[00:04:31] Well, I mean first off the thing that really astounds me about this whole incident is just how easy it was to pull off and you know using LinkedIn and to do the gateminders the way it happened.

[00:04:52] And I think if you're an MSSP the question is how do you thwart that kind of tactic and there wasn't an easy answer for it.

[00:05:06] So, but it just it definitely showed how one tiny social engineering trick can cascade into something so huge.

[00:05:21] And I think we've seen attacks like that but we haven't seen one like this in a long time and certainly not affecting the gaming industry as it has.

[00:05:36] So, yeah I looked at this with the same sense of wow that I looked at the Colonial Pipeline attack two years ago where it was okay we've talked about this in theory as a danger but oh here it is happening in real time.

[00:05:57] Yeah we've arrived at this place and I think that for MSPs and MSSPs the message there is this is here this is now.

[00:06:12] And if you are managing IT security for big clients this is something that you need to be paying super sharp attention to.

[00:06:28] Yeah absolutely you know we actually even have a colleague at CRA who was there in Vegas while the attack was going down and according to her account she said it was just pretty wild to see how you know people basically had to wait online to make change in person and it just created all sorts of chaos and inconvenience.

[00:06:53] And like you said the social engineering element of it is very simple but it was a mix of simple and complex because what they also were able to do with creating this second source identity provider is something also to watch out for, especially for those specializing in IAM, because that's certainly a tactic worth further investigation as well.

[00:07:20] So interesting going on there and we're still continuing to see what the full repercussions are going to be.

[00:07:28] All right well that's our top of mind headline for the day but now it's time to move on to our MSP and MSSP business strategy topic of the week.

[00:07:37] This one really is an equal mix of both business and security strategy but with that said presenting our big idea in business level up how managed services providers can exceed

[00:07:49] evolving SecOps expectations.

[00:07:53] The days of an MSSP or MSP being a security device babysitter are over. Clients expect more from your SOC, SIEM and SecOps offerings and evolving attacks will demand more of you. It's time to level up, but how does one upgrade from basic to top tier services? According to our featured speaker today there are several key steps including more

[00:08:18] comprehensive cross industry threat data collection more refined contextual and meaningful analysis of threat telemetry data and ample use of threat intelligence data science and security research.

[00:08:32] This interview will examine the key challenges and opportunities associated with these critical objectives. Our guest for this segment is Christopher Fielder, Field CTO at Arctic Wolf. Christopher has been in the cyber security world

[00:08:47] for almost 20 years with experience ranging from military, government and corporate environments. He holds 18 security industry certifications along with a master's degree in information security.

[00:09:01] As I mentioned he is currently Field CTO and director of product marketing for Arctic Wolf where he enjoys researching emerging security trends and highlighting the expertise of the Arctic Wolf team.

[00:09:16] So Christopher thanks very much for being here today really glad you could join us and as always we're going to jump right into things so we open with the premise of the days being a security device babysitter are over what does that mean really to just be a security device babysitter if we're doing sort of a before picture in an after picture and before is really prior to leveling up and evolving along with needs

[00:09:45] and expectations what does that look like and then compare to really what you need to look like today in order to both meet constantly evolving threats and constantly evolving expectations of increasingly demanding clients and customers.

[00:10:01] Thank you yeah so I really like that metaphor for a device babysitter right because when we think about like a traditional babysitter or nanny or whatever it's a job function that it's going to evolve and then

[00:10:14] there's kind of a limited amount of time that you can do that job right because you're babysitting kids that are going to turn into teenagers and then they're eventually going to grow up and they're going to be gone.

[00:10:25] In the same way that these environments are going to evolve and they're going to change and they're going to have new equipment and if you are static and you are providing you know support for a certain set of equipment that's it well

[00:10:39] you're really limiting what you're able to provide because these you know environments are going to change so they're going to have new equipment come in they're going to have new devices come in they're going to get rid of legacy stuff.

[00:10:48] And they're really going to outgrow you if you're stuck in that one area of we're taking the alerts out of these few devices and we're repackaging them sending them out to you and that's it that's all we're really providing.

[00:10:59] And that's kind of the traditional way that it operated you know in my career I've worked with amazing service providers and I worked for some service providers that weren't as amazing unfortunately.

[00:11:10] And you know the really good ones were able to do more than just again you know pull the data out of those devices and sometimes they would just pull the alerts out of the devices throw them into an email and then shoot them to me and then I'm stuck going okay.

[00:11:24] So the device can send me an email with the alert and you're sending me an email with the alert so I've got double the amount of emails I've got double the amount of alerts and I have no additional context and no additional help

[00:11:36] and I'm paying twice as much what am I actually getting here right so then the good service providers were the ones that were saying okay what we're going to do now is we're going to actually eliminate the amount of alerts that you get we're only going to send you the alerts that actually matter

[00:11:51] and we're going to add context to that as well and we're going to move beyond the idea of okay we're going to base our service around a set of technology.

[00:11:59] And I think that is the heart of this right the traditional concept of being a device babysitter is rooted in the idea of it's technology over people when your service needs

[00:12:11] to be about the people not the technology so what are you providing beyond just you know yeah we can manage that device okay what if that device goes away do they still need you what can you provide beyond that device so start planning your service for okay it's not about that device or series of devices

[00:12:29] it's about what we can do with that and what we can do without it as well so adding context to the information that's coming from the device and then you know being able to plan for if that device goes away we can still provide these capabilities.

[00:12:43] One thing I tell you know service providers that are out there is let's say your client has a reduction of cost and they have to cut their technology stack down to a quarter of what it was can you still provide the same value

[00:12:58] can you still provide the same outcomes what can you provide beyond just I'm managing all these devices that are out there for you and then that way you know it doesn't matter if they add more tech if they have less tech whatever you are still the root of their security and you are still essential no matter what it doesn't matter what their tech stack looks like.

[00:13:18] Yeah absolutely and I think that serves as a perfect introduction to now looking at the three pillars of what you could consider to be next level services in this regard and I had mentioned them a little bit in my intro but let's take a look at each one individually and the first one that I mentioned was more comprehensive

[00:13:47] cross industry threat data collection so basically meaning you're not just collecting information off of the various endpoints of one individual siloed client but rather you're collecting scores of data points from across multiple clients corporations businesses

[00:14:11] and then taking all of that information together to even get a bigger picture sense as to what's going on so just talk a little bit about some of the challenges and opportunities associated with that and then I may follow up with some questions. Sure so this is something I can't preach enough to you know just across industry is to bust out of silos right because when you're working in an individual silo you have just a small set of data that you're really working with if you are working with you know multiple clients

[00:14:41] and then you can use your vast amount of clients think of those as individual components that you can use as a larger connection point right so essentially if you see something malicious occurring in one environment you can use that data you can use those indicators of compromise you can use whatever you've identified to further inoculate all the rest of your clients you should absolutely be doing that you know you have this wealth of information

[00:15:05] that you can be threat hunting through that you can be searching through that you can use to again further support your clients and further secure them in the same way that you shouldn't have a single point of failure you know you shouldn't have individuals that are only assigned to maybe one piece of technology or one device you shouldn't look at your data in only one area as well right because that's going to be again that single point of failure

[00:15:28] it's about building that larger data set to work from and building that you know that amazing lab almost right it's almost like a real world lab that you're living in and you're working in that data lake that you are experimenting with and searching through and again I said threat hunting

[00:15:46] but there's everything that you can do with that information and then you also find that you know across verticals you mentioned verticals

[00:15:53] and maybe you have one individual that's like you know I work in a very small area of you know one unique set of information why do I care about what happens in somebody else's environment well because that could then bleed over into your environment you never know right because you're using the same technology in a lot of situations a lot of cases

[00:16:14] something like you know it was mentioned the Colonial Pipeline but there's also like the SolarWinds incident and there was the Microsoft Exchange incident not terribly long ago remember these are built off the same technologies so yeah you may be working in different verticals you may be working with different you know different customers or whatever

[00:16:31] but a lot of times you're using the same base technology so we need to understand you know is there an exploit against that technology is there a weakness in that technology is there someone who is targeting that

[00:16:41] and then using that information to again help secure you and inoculate you from those threats.

[00:16:49] Yeah you read my mind because that was going to be the follow-up question I was going to ask which is somebody might say hey I work in retail I have point of sale systems you know what do I care what might be going on in a healthcare environment where they're using connected medical devices

[00:17:07] but even though there might be some disparity in some devices that they're using there's also a lot of universal technologies that apply across a multitude of industries and beyond that even if the devices are a little different sometimes an attack or a campaign or set of campaigns against one industry vertical is a precursor to those same threat actors starting to delve into other

[00:17:36] sectors as well that somebody that attacks healthcare might move on to hospitality next or something like that so it's always good to know what's what's going on in the bigger picture as well isn't that right yeah or let's think of it like this right excuse me but let's think of it like this what is that healthcare industry doing they're helping patients and at least in the United States they're not doing it for free right

[00:18:01] so they're getting paid they're maintaining customer data and they're processing credit cards they're processing financial information in the same way that that retail company is that retail company is processing credit cards and maintaining financial

[00:18:14] information and working with large amounts of money and that attacker might be going after that right they may be looking for PCI they may be looking for credit card information whatever it is

[00:18:25] and so they do have that common ground and they could be you know that may be an area right there where we need to look out for attacks against maybe particular PCI equipment or whatever it may be or there's probably you know you mentioned point of sale I guarantee in that healthcare industry

[00:18:41] there's probably point of sale equipment in there as well you know you go into a hospital and they have cafes they have gift shops whatever and the attacker may see okay well I know there's an exploit against this POS device

[00:18:55] and then use that as a hopping point to get somewhere else in the environment again there is a lot more common ground than we think just because we think we're in completely separate industries

[00:19:04] it's not the case whatsoever like it is built on a very strong you know similar foundation of technology and we do a lot of the same things

[00:19:12] and then a common ground between the two you're like you know well healthcare over here is very different than retail

[00:19:18] well you say that but what about pharmacies which is a perfect blend of the two and is a perfect bridge between the two environments

[00:19:25] and then it's very easy to go from one to the other.

[00:19:27] Yeah that is an excellent point.

[00:19:31] All right well now let's look at another one of the pillars and this would be something else that can help provide more data,

[00:19:40] more overall context to the threat landscape that's going on that ultimately can help you do your analysis and make your recommendations later

[00:19:51] which is ample use of threat intelligence data science and security research.

[00:19:56] So how do you use some of those various feeds and reports to also then help provide a little bit more color to the data that you're collecting from the various endpoints?

[00:20:09] Threat intelligence, especially for service providers, is so important because you're trying to provide value beyond what just the tool is doing.

[00:20:16] I'm going to go back to that concept you mentioned before which is busting beyond being a tool babysitter right.

[00:20:21] Every one of those tools has built-in learning capabilities which is they probably have threat intelligence,

[00:20:26] they probably have detection mechanisms indicators of compromise artificial intelligence whatever they're learning off of right.

[00:20:33] What can you provide on top of that and one of the best things you can do is use the telemetry from those devices

[00:20:40] and then add your own additional threat intelligence on top of it because you're adding something that they don't have.

[00:20:47] You're detecting things that they're not already detecting so utilizing additional threat feeds and also developing your own threat intelligence providing your own threat research is an amazing value to the customer right.

[00:20:59] It's something they can't get just from that device itself.

[00:21:03] They can potentially hire somebody else to babysit that device internally for them but whoever they're hiring to babysit that device is not bringing in years of threat research and threat intelligence

[00:21:14] and indicators of compromise and detection logic that you can provide to the customer in the same way.

[00:21:19] So you want to find as much threat intelligence as you can again developing it yourself internally and looking for those external feeds as well.

[00:21:27] What I'm not recommending though however is just going out there and grabbing every threat intelligence feed and every social threat intelligence and loading it into the environment because then you're facing the potential of alert fatigue right which is something we want to get rid of.

[00:21:42] So it's about then analyzing okay let me match up what the devices in the customer environment look like the architecture their mission or the vertical that they're in with threat intelligence

[00:21:55] it's based around that as well right and try to marry the two and find the best fit that something that not every customer is going to be able to do as well they're not going to first know that there's external threat intelligence.

[00:22:05] And if they do they're not going to know which one's the best fit so it's also acting as a subject matter expert and kind of a mentor of hey we can provide threat intelligence

[00:22:15] and we could also provide recommendations on the best threat intelligence for your environment that we can use to apply to really get high fidelity alerting rather than just more alerting.

[00:22:25] Yeah well again you read my mind because as you were starting to give the answer to my first question I was going to say are there cases where you want to narrow down the scope of all of the feeds into something that might be most relevant to your client

[00:22:43] and then you went on to actually very perceptively answer that question before I actually even asked it so I think that gives us a really good sense of that second pillar of threat intelligence.

[00:22:57] Now let's combine the telemetry data that basically you are collecting across multiple sources and also the threat intelligence that you've been collecting and filtering

[00:23:12] and now let's take the third pillar which is just the actual analysis so getting that more refined contextual relevant meaningful analysis of threat telemetry data is really the third element of this.

[00:23:29] So I'd love to hear more about that including and this kind of almost a little bit combines all three pillars this thing I'm about to ask which is just what in your mind right now is the most important threat related telemetry data

[00:23:50] to be sure that you're collecting for your clients these days if there's anything that's sort of trending in that area I'd be curious to hear your thoughts on that.

[00:23:58] Sure so when we talk about the escalation of alerts first, that is something that you can really provide to your client that is unique and is really necessary is going through and paring down the alerts

[00:24:11] and only escalating the alerts that are truly high and critical right your customer doesn't want to be overwhelmed your customer doesn't want to just be inundated with the alerts they can again they can turn on every detection source on those tools and be inundated with alerts themselves very easily.

[00:24:26] They're hiring you because they want to pare down the alerts and they want to know okay no you have looked at this and you have verified and vetted this is a high fidelity true alert that I need to move on.

[00:24:37] So being able to do that and that's just going to take time and practice and expertise and understanding the customer's environment this is something I can't explain and you know can't really push hard enough is don't treat every customer environment the same something that makes the company I work for unique is we go in there and we learn the customer's environment as if it were our own.

[00:24:57] And then that allows us to add the context to then say you know is this truly a critical alert is this truly a high alert or is this something that would be high in another environment but not particularly this one right and we want to get it down to as few alerts as we actually can.

[00:25:14] Then going to that second part of that question which is is there a source of telemetry or an area where I would recommend people really look in the research that we've done we don't think that there's enough individuals that are really.

[00:25:25] You know looking at cloud and cloud in context as well I talk a lot you know when I'm talking to individuals out there about when it comes to cloud the entire industry is taking the approach of can we not should we right they've adopted cloud so quickly and just integrated cloud into their environment but they've not taken the necessary security precautions that they really needed to.

[00:25:52] Some research that came out of Arctic Wolf about a year ago was you know there was a statistic that said a little over 99% I know it's weird when I say that over 99% of organizations are using some form of public or private cloud right there's like 99.3 something in there but only 18% of those that we found were using some form of CSPM or active cloud monitoring and management that's about 81% of environments they're not really.

[00:26:22] They're not actually actively monitoring and prepared to respond to their cloud incidents that's a vast amount if you think about it okay so that is a huge gap that attackers are probably either infiltrating right so they're coming in through cloud or worse they're exfiltrating data through cloud you know the top of the show talked about a certain group of

[00:26:42] Casinos that had a big data exfiltration I would assume that's probably exfiltrated through cloud through some mechanism or not they're not putting it out of us being not walking it out the front door right and they're probably not just throwing it out through email they're probably slowly leaking it out through a cloud source that's not being monitored and it's not being properly secured so.

[00:27:02] It's important that we monitor our cloud very closely but we want to monitor it in context and in balance with all the other telemetry that's out there.

[00:27:11] I look at it as a balancing act if we want to look at the network we want to look at the imports we want to look at the exfilt endpoints the log sources the cloud we want to look at identity right and authentication we want to look at all of it together in one big picture

[00:27:27] and then actually allows us to identify our again goes back to my previous point allows us to identify those high fidelity alerts or is this truly an alert that we need to move on.

[00:27:39] And it's not just managing the security alerts and knowing when to escalate to a client it might even be a situation at times as critical as do we need to move fast and respond to a budding incident by taking some kind of a.

[00:27:57] Remediation action like a quarantine or something where you really want to make sure that you have the proper justification and grounds for doing so or if you at least have to quickly escalate to get permission or act immediately.

[00:28:15] Do you think that again as things continue to evolve will there be an increasing reliance on artificial intelligence and machine learning to help with making some of this analysis and decisions for what action to take or is it going to continue to be a hybrid mix of human decision making and AI based decision making?

[00:28:40] I think there's going to be increased reliance on AI but just as much reliance on a hybrid approach right you're not going to be able to take humans out of the loop because personally.

[00:28:50] I would never trust an automated response to do those containment actions or to do any kind of you know response capability on its own without a human as a check in a balance for that.

[00:29:02] Because the moment you do is the moment that an attacker could come in and actually utilize that against you and essentially DoS your environment right.

[00:29:09] I mean if you have the artificial intelligence going through and isolating the systems based off of okay this looks suspicious well then you can have suspicious activity on multiple devices and suddenly they're all locked down and those could be the same devices that are doing very important things throughout your environment so yes an increase in artificial intelligence as a tool to assist

[00:29:31] the individuals, the humans, so we need to remember that AI needs to be a tool that is utilized to empower and increase the individuals not to replace them. In no situation should we see, okay well I just purchased this you know this tool so I can get rid of some of my analysts or I don't have to hire some

[00:29:50] analysts. Absolutely not the case, you're probably with that AI going to get even more noise now and you're going to have to have individuals that monitor it and work with it 24/7 which is fine because you're going to get more alerts and you're going to get more capabilities but you're also going to have to use it correctly.

[00:30:07] So I think AI is something that's very beneficial but again I can't stress enough it is a tool it is not a replacement for people.

[00:30:15] Alright Christopher well thanks I appreciate all of your perspectives and analysis on this and hopefully it helps our managed services audience today in terms of building up from that ground floor and adding additional tiers of services and expertise to their offerings to help in that always evolving race with the bad guys so thanks again for your time here before we go I do want to do

[00:30:44] one last bit with you that we always do at the end of our first half of our show and it's a little segment that we like to call We Speak Geek. Now, We Speak Geek is basically a celebration of the geek and nerd culture that is so often associated with the cybersecurity community after all we're all a little bit geeky about something and so I'd like to ask you today

[00:31:12] Christopher how do you speak geek?

[00:31:15] Yeah so my I would say geekiest or nerdiest thing is I am a huge Batman fan.

[00:31:22] I have an entire tattoo sleeve dedicated to Batman it was the first movie I ever went to in 1989 was 89's Batman.

[00:31:31] It was a sold out theater I went with my stepfather they had one seat left my stepfather bought it snuck me in and I actually sat on his lap at about five or six years ago.

[00:31:41] I was about five or six years old and watched the very first Batman and it's been my favorite favorite thing ever since.

[00:31:50] All right now you said that you were going to actually share with us who you think the best Batman is so this is going to this is going to cause a little controversy here I have a feeling

[00:32:00] who was the best Batman on screen okay so that's here.

[00:32:04] That's a thing so this separates real Batman fans from you know artificial Batman fans but I believe the best the single best Batman of all time is Kevin Conroy

[00:32:14] and if you don't know who that is then you're not a real Batman fan.

[00:32:18] So Kevin Conroy I was actually wondering yeah so Kevin Conroy is to me Batman he embodies Batman

[00:32:29] everything in fact if you've heard him and behind like the scenes or interviews he almost he has an understanding of the character that almost no other actor has.

[00:32:38] And on screen I believe that he is the best Batman because he's done you know animated movies and if you're a fan of the CW shows he actually played a kind of Kingdom Come version of Bruce Wayne Batman in a couple of episodes.

[00:32:54] So, you know, rest in peace Kevin Conroy. To me he will always be the true Batman; he is who Batman actually is. Now if we're going to argue about somebody that's actually put the costume on in a legitimate movie, that's a little bit different. You know, when you say who is Batman, it's a very personal answer, like if you ask somebody who is Doctor Who, they say who their Doctor is, that's the first person they saw, right? To me my Batman is Michael Keaton

[00:33:23] like because he was the first Batman I saw I have a great affinity for agree with that yeah right but I have a great affinity for Adam West as well I think he was just so campy and so fun.

[00:33:34] If I had to put them in order, and this is really geeky, right, I would probably say that it would go Kevin Conroy 1, Michael Keaton 2, Adam West 3, and then we get into Christian Bale 4, controversially probably Robert Pattinson 5.

[00:33:52] And then I would probably Val Kilmer and then put what's his name Danny Ocean at the very bottom I forget his name right now.

[00:34:03] Oh, Ben Affleck. Oh no, George Clooney. And you forgot, and you forgot all about Ben Affleck, which I think says a little something about his part.

[00:34:16] I didn't forget him I pretend that one doesn't exist fair enough I think I actually pretty much almost exactly in line with you on this maybe Adam West gets a little further down from me because of the campiness but otherwise I think I mostly pretty much all agree with everything that you said.

[00:34:39] Yeah, Michael Keaton, Kevin Conroy, and of course Kevin Conroy matched up perfectly with Mark Hamill, the Skywalker, who voiced the Joker. So last question before we go: were you excited to finally see Michael Keaton step back into the cape and cowl for The Flash movie, and did it bring back all of your nostalgic memories there?

[00:35:06] I was so excited to see it and then I was so that movie was a freaking mess though so hurt I was so painfully hurt by how it actually turned out.

[00:35:16] And then, I don't want to give anything away, but if you, you know, listen to what I just said a few minutes ago and then watch the very end of The Flash movie, it's just like a punch in the gut. It's just awful.

[00:35:26] I want so much more for Michael Keaton. But you know what, I've heard that there is a Beetlejuice 2 coming out with Michael Keaton, so hopefully that's a redemption arc for him. And at the end of the day I just love Michael Keaton, I just think he's an amazing actor, just a really good Batman, really good funny actor all around. So we'll see, fingers crossed.

[00:35:47] Yep, agreed. Maybe there's still a chance he'll do that Batman Beyond project, so I recommend it for.

[00:35:54] Alright, well you know what, we could talk about this all day, but unfortunately we can't, we've run out of time. But that was a lot of fun, I appreciate it. For everybody else, please stick around because there's still another half of the show left to go. We're going to be discussing our Big Idea in Security coming up next, which will focus on some interesting research on endpoint

[00:36:16] security that was recently conducted by the CyberRisk Alliance. That and more coming right up, so we'll see you in a moment on the other side.

[00:36:30] Alright, welcome back everyone to Cyber For Hire, the managed security podcast. Once again I'm Bradley Barth with CyberRisk Alliance, and in the first half of our show we talked with Christopher Fielder at Arctic Wolf about leveling up your SecOps program.

[00:36:44] Right now I'd like to welcome back my co-host for the day, Bill Brenner, because it's time for us to examine our managed services infosec topic of the week, presenting our Big Idea in Security: Endpoint Security Entering the Era of AI and XDR.

[00:37:03] Endpoints are everywhere and come in many forms, and especially in today's BYOD environment it's becoming increasingly difficult to maintain visibility and control over all of them.

[00:37:14] Unfortunately, rogue endpoints represent an enticing attack vector for adversaries who are always looking for a way inside your network. But according to an August 2023 Cybersecurity Buyer Intelligence survey of 200 security and IT leaders and executives,

[00:37:30] security professionals are actively working to address such threats with a mix of MFA, strong password policies and training, and they're hopeful that newer, more advanced tools like AI and XDR could help minimize endpoint compromise.

[00:37:44] This session will analyze this and other key findings from CRA's endpoint security research and what the results mean from an MSP perspective.

[00:37:54] Bill, glad you're back with me, and as always we're going to jump right into things. So let's start by having you paint a picture for us, based on the responses from this survey, about how serious an issue this is in terms of overall endpoint sprawl and why it is important to you.

[00:38:13] And why it is important to be constantly building out your solution stack to protect these endpoints.

[00:38:20] Yes, so the interesting thing about this research is you have to squint to see it but you start to see a shift in focus for a lot of our respondents.

[00:38:37] So what I mean by that is for years now the central piece of an endpoint strategy has been we need to protect the end users from themselves.

[00:38:53] They cannot be trusted or relied upon to not fall for every hook that's out there.

[00:39:04] And what we see in this particular survey is security professionals moving on from I mean that's still very much the case but this report focuses more on the what to do about it.

[00:39:24] And what's interesting here is the priorities as a lot of these respondents are going into 2024.

[00:39:36] So for example artificial intelligence and machine learning is the most planned for 2024 endpoints security investment.

[00:39:49] That's followed by things like XDR and what you see here is respondents are moving beyond the basic EDR and reactionary tools.

[00:40:04] So they're trying to get ahead of threats by using technology that raises contextual awareness.

[00:40:13] So XDR is a great example of that and anticipates threats much more quickly which obviously that's where AI comes in.

[00:40:24] And in our last segment Chris had mentioned this where AI it's a tool not the be all end all but this puts into clearer focus with something like endpoint security where AI is seen as the tool.

[00:40:42] Some other things that were interesting to me was certainly not surprising but it just stood out as as an ongoing highlight where three out of five respondents admitted that they've had they've had to deal with one or more compromised endpoints in the last year.

[00:41:07] So that's not a sky-is-falling kind of thing, it's been there, but when you consider that 63% of respondents reported having 1000 or more endpoints on their network,

[00:41:25] So that translates into a lot of compromise and it's just it shows how difficult it is to stay ahead of the threats that come via the endpoints.

[00:41:43] So now that makes a lot of sense and is very a very clear indicator of that sprawl to which I was referring and yes the the increasing adoption rates that will see moving into 2024 and beyond of AI and XDR does seem to indicate an interest in having more of that contextual intelligence for endpoint security.

[00:42:11] Also in the interim while AI and XDR seems to be the future focus I know there was also a question about currently which endpoints security practices are most commonly implemented.

[00:42:28] Can you share with us a little bit about what are some of the most common technologies right now that are currently being implemented and maybe a couple that might be surprising that are less of a focus maybe that's an area where MSPs and MSSPs can step in if those particular projects aren't taking place on an in-house basis.

[00:42:50] So there's one good example to look at if you're an MSP or an MSSP and you're doing business with security vendors in the channel.

[00:43:04] You know that Sophos is an example of a company that's been heavily active with that as is Arctic Wolf and what you see in those areas is a lot of discussion around MDR, managed detection response as a way to deal with a lot of things but certainly endpoint is one of them.

[00:43:34] And I think what you see here is everybody is looking for this unified source of data that they can then see I hate to say things like single pane of glass everybody says that but it is true.

[00:43:57] It's where can we see everything on one screen and get the context, get where our priorities need to be in responding.

[00:44:11] And so you see that at play big time here.

[00:44:17] Yeah, for sure. And I know another focus of the research was asking some of the security professionals, some of the top challenges in implementing endpoint security.

[00:44:31] So what are some of the biggest barriers that you found there are currently to overcome for these implementations to become more successful?

[00:44:40] So nothing particularly new here. And I mentioned it at the beginning, it's the end users. The idea that you cannot possibly get all end users most end users for that reason to do all the things they need to not fall victim to things that compromise their endpoint that compromise their device.

[00:45:08] Not because not because people are stupid or they don't care, it's just when you're using multiple devices every day to do all of your work.

[00:45:22] You're focusing on that work and you're not thinking all day long about I shouldn't do this or I should do this because this could compromise my endpoint.

[00:45:37] You know, it's you're working. And so it's what can MSPs do to take that responsibility out of the hands of the users?

[00:45:50] You still need to educate. You still need to raise awareness. You still need to get as many end users as possible to do the right things and make the right decisions, but at the same time it's it wouldn't be fair to put the full burden on the user.

[00:46:07] We're just trying to get through life every day. And I think that is where MSPs can really make a difference and I think the way they can make the difference is through the use of, you know, XDR, MDR tools like that that bring every bring the picture together into better focus.

[00:46:30] Yeah. So before we wrap up this segment bill, I know that the report did have some final recommendations for readers. Can you summarize a couple of the key ones for us?

[00:46:47] Yeah, I mean, I think the big one and at risk of sounding like a broken record is you need we've spent years collectively as a community.

[00:47:04] Buying a lot of products to try and deal with every threat that comes zipping around the corner. But context is key. And so it's important to be looking at what you are, what you can do for your customers through use of AI and machine learning.

[00:47:28] If you're not using something in the realm of XDR, MDR, my personal opinion is you probably ought to be not probably you ought to be.

[00:47:43] So that's but that's pretty much a reflection of the takeaways and the report.

[00:47:52] So that's really important. Well, great. So yeah, for anybody that's interested bill just real quick you want to just let folks know where they can get their hands on this report?

[00:48:03] Yep. So you can get your hands on the report by going to

[00:48:11] the website where all of these reports are kept. And also you could visit the cyber risk alliance website where if you go under resources, you will see that we have a press release and link to the report landing pages for all of these.

[00:48:33] All right, so be sure to do that and check that out and read that report for additional insights and perspectives on endpoint security. And with that we've reached our endpoint.

[00:48:43] We are officially out of time but I'd like to once more thank Bill Brenner for joining me as my guest co-host today.

[00:48:50] Meanwhile, to everyone else watching, feel free to check out even more cybersecurity podcast content on the MSSP Alert, ChannelE2E and SC Media websites.

[00:49:00] Until next time I'm Bradley Barth, please reach out to us via our show page with your comments, questions and insights about the business of cyber security.

[00:49:08] We'll keep the conversation going on the next episode of Cyber For Hire, your insight source for cyber outsourcing.
