A Nuanced Approach to MSSP and MDR Services

March 9, 2020 • Monica Todros

Many organizations find themselves puzzling through the countless security products and services on offer these days, decoding the buzzwords and acronyms, hoping to find clarity and understanding. MSSP and MDR services are among those offerings. MSSP stands for managed security service provider, and MDR is managed detection and response.

Our guest today will help sort out the sometimes subtle differences between the two. Sean Blenkhorn is chief product officer at eSentire, and he shares his insights on modern threat hunting and how threat intelligence can enhance those capabilities.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 149 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Many organizations find themselves puzzling through the countless security products and services on offer these days, decoding the buzzwords and acronyms, hoping to find clarity and understanding. MSSP and MDR services are among those offerings. MSSP stands for managed security service provider, and MDR is managed detection and response.

Our guest today will help sort out the sometimes subtle differences between the two. Sean Blenkhorn is chief product officer at eSentire, and he shares his insights on modern threat hunting and how threat intelligence can enhance those capabilities. Stay with us.

Sean Blenkhorn:

I’ve been in IT for over 20 years now. A little scary to say that, but started from a schooling perspective, went to school for software engineering. First part of my professional career was actually based in Canada and it was all surrounding more web-based application development, based on that background that I had in software engineering. About 17 years ago, I moved down to the U.S. And in that move, I moved more to consultancy roles and that’s where I got into a focus around security and compliance. And so I spent many years out there working with some of the largest firms globally, Home Depot, General Motors, Fidelity Investments, Walmart, you name them, working on large scale security deployments of technologies ranging from antivirus to SIEM, to data loss prevention or DLP, to encryption were some of my areas of specialty.

And then parlayed that experience on the consultancy side to move more onto the pre-sales engineering side. So spent some time working with Symantec and their global threat intelligence team and their managed security services team before joining eSentire a little over six and a half years ago now, to lead their sales engineering and build their sales engineering division. And then subsequently, moved from that into a field CTO role where I was more focused on helping to deliver entire solutions for customer sets at more of an abstract layer. So going beyond what we had as direct products and thinking about the bigger picture and how we could put things together to solve customer problems and to achieve their outcomes.

So that’s what I did as field CTO. Then I moved into the role of Chief Product Officer to fill a gap that we had there. And then just most recently in the last couple of weeks, I’ve moved over to lead the experience side, which is going to be focused on how do we take our market leading experience that we have with our customers from end to end, including things like our digital experience and so forth, our portal and our quarterly service reviews that we do with customers. But taking those and re-imagining those into a future model that will help drive tighter relationships between us and our customers and deliver more value from a risk perspective. So I’m pretty excited about the new role that I’m now undertaking.

Dave Bittner:

Yeah. I want to dig into your day-to-day there at eSentire. But before that, I have to ask you, back with your experience working with some of those large companies, when you talk about things like Home Depot and Walmart. I mean, when you’re operating at that scale, how do you come at these cybersecurity problems? Where do you begin when you’re dealing with an organization that is that large?

Sean Blenkhorn:

When I think about the projects that I worked with them on, they’re typically highly focused, meaning they are focused on specifically designing and defining an architecture for a particular product or product line. Now, that’s a component that fits into a broader security program. And so sometimes, the work within the scope of that arrangement would be to help them understand how it fits into the broader program. So it might be something like a PCI compliance initiative that’s ultimately driving the adoption of SIEM and DLP. So there was a large global company, ServiceMaster, that I had worked with and their initiative is around PCI compliance and driving the individual architectures and development of things like SIEM and DLP and encryption, and what do those mean in relation to the broader program and their achievement of being PCI compliant.

So many times, those projects, like I said, were tightly focused on a particular scope, but bled into the broader security program. And obviously, the implications can be far reaching, and you have to think about not only compliance, but you have to think about privacy and legal challenges. So when you think about something like DLP, as an example, those are incredibly complex deployments. Because not only do you have a complex technical architecture that you have to solve too, but you also have the complexity of geopolitical diversity, right? So you have compliance and privacy laws in Europe that are very different, at least at that time, than what we saw here in North America. We’ve definitely seen obviously lots of convergence of laws and regulations, but it made those projects very complex of how to think about those in the bigger picture as well.

Dave Bittner:

I would imagine there must be a lot of collaboration between the various organizations that are providers like yourself and the in-house teams, and there’s a lot of back and forth that must go on.

Sean Blenkhorn:

Yeah, absolutely. That’s a really critical component to how we think about it at eSentire, how we think about MDR. It is not just about providing a service that is focused on blocking threats, that is a natural outcome of what we do and how we do things. But we need to think, especially within our market, when we’re working with mid-market to small enterprise type of customers, we have to think about how this fits into the broader program and how do we help those customers mature over time.

Rather than just blindly delivering a service, we want to know more about the customer, help them mature in lots of different areas that are not directly related to services that we deliver, but are linked, intrinsically linked to providing a better security outcome for the company. And we have to understand that what a customer does in their broader security program has an impact on us, and what we do has an impact on that broader security program. So there needs to be a lot of back and forth and a lot of collaboration to make the best of the solution and the implementation.

Dave Bittner:

Well, let’s dig into some of the things that you’re doing there at eSentire. I’d love to start by just having you explain for us what some of these things mean. What is an MSSP? What is MDR? And how do those integrate into organizations that you provide services to?

Sean Blenkhorn:

Yeah. I think the best way to start too, is to think about what we feel are the differences between an MSSP and a managed detection response or MDR player. And I think my perspective comes from having worked for an MSSP in Symantec to now working with eSentire. And they each have similar objectives, but a very different path on how to achieve those objectives.

So an MSSP is generally, by definition, a little more focused on device management. So managing the technology that customers already have within their environment. And through managing those and managing the data that comes off of those, the alerts or the events that come off of those, correlating and making decisions based on those, you achieve better security outcomes is the theory behind that within an MSSP. But it’s highly focused on, “I will manage your firewalls and I will manage the event feed off of those.”

MDR takes a different approach to try to achieve a greater level of security, and in the end, better outcomes, I feel, for customers. And that is more centered around the fact that while device management is still an important piece, you still have to manage firewalls and ensure you have the right rule sets in place. MDR for us has always been, when we help define the MDR market, it was really around recognizing that inevitably, those third-party technologies will fail. Attackers will find a way around the technical controls that you put in place and we need to be able to find a way to identify the attackers when they have done that, when they’ve circumvented the technical controls that you’ve put in place.

So it’s about getting technology and visibility into a customer’s environment to be able to look for those anomalies, those activities that would indicate that someone has circumvented those technical controls that you might have in place. Identify those patterns, then investigate them, and then ultimately respond to them. And generally, there’s a little more of a mixture. Now, most MSSPs are working towards MDR-like services. Some MDR providers have begun to offer some MSSP-like capabilities of management of third-party technologies. But my general principle has always been, as an MSSP, you have to have a broad ability to support many, many, many different technologies. And there’s some inherent weakness in that it’s very difficult to be good at all these technologies. And then it also means that, as a service provider, my ability to provide a service that has high efficacy from a security standpoint is somewhat dependent on the third-party technologies that you’ve decided to put in place.

So if you’re coming to me and you already have a firewall vendor or an endpoint vendor and you’re just simply looking for me to manage those, my ability to manage them might be quite high, but the efficacy from a security standpoint will be partly dependent upon those technologies themselves versus our approach is, we bring in our technologies that we have perfected over time and we know that it gives us the right visibility at the different layers. And we think about our layers as network, endpoint, log, and cloud. So those four critical layers give us the visibility that we need, and we need to make sure we have the right tools with the right fidelity of information. So it’s nuanced between an MSSP and an MDR provider, how they operate. Their goal is, like I said, ultimately the same as to provide security and security services. How they go about them is quite a bit different between the two.

Dave Bittner:

Now, are they complementary to each other or are they in tension with each other? Is it a defense in depth kind of thing, belt and suspenders sort of thing? How do they play off of each other or can they exist in the same universe?

Sean Blenkhorn:

They can. It is not entirely common to co-exist, but we have certainly, over the years, seen customers of our own look to MSSPs to essentially do things like the firewall management and for us to deliver MDR. Now, there’s complexities in that obviously for customers having two different vendor relationships. And I think we’re seeing the market ultimately converge a little bit in terms of, do we continue to see a separation between MSSP and MDR? Do we get into next gen MSSP where there’s maybe a little more convergence? But we have seen customers separate those. And some have taken the path, or many I would say in our case, for our customer base, have taken the path that they can control and support the management of things like firewalls and so forth.

And really where their struggle has been is the operations behind that. The detection response capabilities. The investigative process of taking a signal, determining whether that signal is identified as weird, but is that weird good or weird bad? And that’s where MDR providers have come in. And that’s where I think, from our perspective in the mid-market, the customers have really struggled. It has been less about, “Hey, I don’t really want to manage my firewalls.” But more so about, “How do I make sure I’m getting the most out of those technical controls? And what do I do about the gap of things that ultimately get around them? If I have a privileged attacker with credentials, they’ll likely walk right through that firewall or VPN connection. How do I detect and respond to that activity?”

Dave Bittner:

I want to get your take on threat intelligence and the role that plays in these types of scenarios. Where do you think it fits in?

Sean Blenkhorn:

Threat intelligence is obviously a critical component overall. You cannot deliver a security service without having threat intelligence be an important part of that. Because at the end of the day, threat intel plays an important role in a number of aspects. But one of them, for example, being the more we know, the more we can share as an industry, the more we can leverage threat intelligence as platforms and integrate it into what we do, that will help us with speed, efficacy and even automation. So if I know about a threat, if I’ve seen it before or I’ve seen the patterns, the TTPs of an attacker and I can more quickly identify that within an environment, then it saves … You can imagine if we stop an attack early in the stage of an attack, how much downstream work that helps eliminate. And so threat intelligence is an important aspect to that.

Not to mention all of the other aspects. So yes, automation and stopping threats early on before they ever happen and leveraging threat intelligence to do that, but also to be able to support the broader research that has to be done when you’re delivering a service like ours, understanding as new vulnerabilities and the activities that are happening within the industry. Because for security and for us, it’s all about prioritization. A company, and then customer, will always have more work than they can manage whether it be as simple as patch management. The customer will always have more vulnerabilities than they can ever patch in any given day. And so then the goal becomes a prioritization of that effort. And that same philosophy or mentality can be applied to many things across the organization. Not just vulnerability, but it’s a great simple example.

If we can leverage threat intelligence in a pragmatic way to help us understand and prioritize what to patch first, then that is a great application of threat intelligence. So leveraging a source like Recorded Future to be able to understand what is happening out there, what activity is going on to help us prioritize the efforts that we are doing on the backend, then that is another great example of the use of threat intelligence. The one thing I will say about threat intelligence is, we have to operate in a world of unknown. And we have to protect against the known threats. We also have to protect against the unknown threats and the never before seen threats.

And so that’s an important promise of MDR and what we do at eSentire. So threat intelligence is critical to that. We have threat intelligence teams that leverage and utilize tools like Recorded Future, but it is important to not rely solely on threat intelligence, meaning it’s a continuous cycle and you have to be able to detect the unknown, and then feed that back into the broader community so that we can together provide better services across the industry and protecting our companies and our industry and our countries.

Dave Bittner:

Our thanks to Sean Blenkhorn from eSentire for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
