The Transformation of Managed Security Services

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 171 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Our guest today is Jim Aull. He’s a solutions architect specializing in security at Verizon.

We’ll hear about Jim’s career path, and then we’ll learn about his role in guiding customers through the technical and organizational challenges of selecting and configuring managed security services. He shares insights of common misperceptions he finds companies may have when starting out on their security journey, his suggestions for managing the broad array of available services, as well as the changes he’s been tracking in the industry over the years.

Jim Aull:

A bachelor's of science in electrical engineering, spent time in the military in guided missile systems and radar, so I always had a liking for security and just got into the communication space originally, wide area networking, things of that nature. From there, some of the major carriers. From there, got into hosting, which became very prominent and within hosting, VPNs and firewalls were really critical.

If you look at most people who got into security, there's a couple of ways in — they spent time as a firewall admin or maybe they were doing some help desk work, or maybe even from the accounting side like compliance-oriented, but then spent a lot of time dealing with hardware, designing hardware, building hardware systems. But then for about the last 15 years, I have been pretty much dedicated to cybersecurity, very focused in managed security services, but other practices around the technology as well.

Dave Bittner:

What is your day-to-day like today at Verizon? What sort of things take up your time?

Jim Aull:

Yeah. I'm very much pre-sales solution development. So I spend most of my time working with customers doing discovery, understanding their network or their business challenges, and their network or security requirements. Then looking into our array of offerings and putting a solution in place that will help them move forward and ease their pain, if you will, so that they can go about their regular business.

Dave Bittner:

Can you give us some insights as to what that process is like? I mean, for folks who may not be familiar with it or aren't used to operating at that level, I mean, is there a situation where you have folks who are on a sales team, but then also folks like yourself who have the technical expertise who are supporting that and making sure that the people are getting the services they need?

Jim Aull:

Yeah, exactly. The salesperson is typically responsible for the relationship and identifying opportunities, and once they see that a customer has said that they do need some help in a specific area, at that point, they would identify a subject matter expert, if you will. That subject matter expert will come in and assess the opportunity and, at that point, drive for requirements, develop a solution, help the customer understand the value and the merits of the solution and maybe even scoping around pricing, something like that may also be involved.

Dave Bittner:

Can you walk us through what a typical engagement might be like as you're out there working with your clients to put together the systems that fit their needs? What sort of questions are you asking them? What sort of things are you assembling?

Jim Aull:

Yeah, great question. The first thing I like to talk about is what applications do they have in place today because that's really why the network's in place, and then what's most critical to them and then behind that is the network to get an understanding of what their network topology looks like. Are they in the cloud? Is it AWS? Is it Azure? Is it a private infrastructure? So I'll go through that after I've understood their applications.

Then I'll start asking them about key technologies, vulnerability management, log management, event detection, security tools, EDRs, unified threat management, things of that nature. Then I'll go through operationally, how are they set up? Is anything outsourced? How do you do monitoring? How do you do ticketing? I really like to understand from a broad perspective. I'll even talk about, hey, what are you looking to do short term, long term, things like that. So I get as broad a picture as I can, before I start making a recommendation.

I've come to find out that if I ask enough questions, to me, the solution becomes very obvious. Early on in my career, I would jump too soon to the solution when I thought I understood it. So in making mistakes over time, I've come to realize that I need to really do ... I view myself as Colombo there. Hey, can I just ask you one more question, you know?

Dave Bittner:

Yeah, yeah. Now does that process itself often uncover things, too, to the customers? I mean, as you're going through and polling them on the types of stuff that they're using, does that often unearth things that maybe they haven't thought of themselves?

Jim Aull:

Yeah, that's a great point. It does. The other thing I was going to add to that as I was thinking, after I finished the question, is I won't just ask them questions, like I'm trying to sell them insurance or something, like all these closed ended questions. They're very open ended. As the customer responds back, what I'll do to establish credibility is I will, at that point, try to just turn it into a discussion, a value-added discussion. Most of the time what I'll say is I've seen that before and I agree with that. Let me tell you what I've seen work and what I've seen not work, and just offer it up as just a value-add to the discussion.

Dave Bittner:

Then how does that mesh with the various offerings that you have at Verizon versus perhaps things that you might have to go to an outside provider for?

Jim Aull:

First of all, our portfolio is very broad. We don't offer, in security, we don't have a solution for everything, but it is quite broad. We do have a lot of technologies that we resell and a lot of partners. It's quite unusual that we wouldn't be able to work with a partner.

But then sometimes it just doesn't make sense. One of the things about Verizon is we get involved in very broad opportunities. It could have the networking, it could have security, it could have purchase of hardware, it could have ongoing support, it's global, et cetera. If that's the case, we'll bring in partners, for sure. If it's a little bit more of a focused opportunity, then we're going to stick to some things that we do really well.

Dave Bittner:

Well, I want to go through some of the specific types of technologies that you're familiar with and the parts that they play in defending an organization. Can you take us through some of those things? I mean, I know you often use things like machine learning or analytics and stuff like that.

Jim Aull:

I've been doing managed security services for years, and managed security service is going through a transformation. It's been around for probably 15 years, and there were some issues with managed security services. There's a lot of false positives. It was very much a set-it-and-forget-it type of approach where we got your logs, we're monitoring them, and the customer thought that those were all just being taken care of.

Really, if you look at security, you need much more of a programmatic approach. In my mind, I don't say this a lot, but it needs to be more of a security as a program. This thought of rinse, lather, repeat — the night watchmen walking around the perimeter. MDR is the one that I spend most time with, and the one that I see customers asking about the most.

Dave Bittner:

Well, can you give us some insights? What goes into that? What are the elements of it that contribute to it being a good solution?

Jim Aull:

Yeah, absolutely. There are a couple of staples to MDR if you look at the marketplace, I think and I talk about security as a program. What I mean by that is threat intel — everyone has threat intel, but how good is it? I mean, it has to be a program internal to Verizon. How do you gather data? How do you add context to it? How do you quantify it? How do you keep it relevant? Then when you take that threat intel, it needs to be ... You need to put it into content in a way that you can alert and filter. It's the same thing. You need to research, create, tune, plan, audit. Then it gets down to the real-time alerts, meaning, the alerts come in, you need to triage it, you investigate, you remediate, you help the customer reduce the attack surface area.

Then you also need to do regular threat hunting, and it's the same thing. Threat hunting is a program. You need to research what the threatscape looks like. You need to apply metrics to your threat hunting. This thought of threat hunting is just these real smart Zen warrior threat hunters just jumping around based on their gut and their feel, but it has to have a very programmatic approach to it. That's what we do really well, and that's our focus.

If you look at MDR from an industry perspective, everybody likes to talk about artificial intelligence and machine learning, and, of course, that's quite important. But less than 50 percent of the attacks today have malware because there's so many tools out there that can catch malware. But artificial intelligence, it has this ability to detect attacks in motion, like an adversary trying to access a registry key, or loading a fileless malware. It's really hard.

There's a lot written on data models and artificial intelligence, but basically these data models are trained to compare what it's observing in a way those attributes have observed anomalies against ones they have stored in their databases. Then they make a statistical verdict on the risk and the probability of that and then they escalate. That's how artificial intelligence works.

The other critical component to manage detection and response is EDR. EDR is this term that's been around for a long time or been popular here over the last couple of years. Most large organizations have an EDR deployment. You'll find that smaller organizations or mid-tier, if you will, not everyone has deployed EDR.

EDR as a tool, if you can think about it, it's the next generation of antivirus. They tend to have over a thousand rules. These are CrowdStrike, Carbon Black, Cylance, Tanium — companies like this — and there's many, many more, and new ones starting up all the time. They are able to see what looks to be legitimate traffic, but if you have the right detection capabilities, you'll realize that an adversary is trying to do something. For example, some of the things that are legal or most workstations that can run netstat or PowerShell or FTP, and all of those are the typical tools of an adversary to try to basically compromise the system, move laterally, reach out to command and control, exfiltrate data, rinse, lather, repeat, remain stealth by getting rid of all their logs.

The other thing that the EDR tool does is it also gives you the ability to contain it. If we see an alert, you can actually process disrupt the end station where you see activities occurring, and it also can do or host isolate. Then from there, the EDR tool has investigation capability, so you can see how this occurred, the process tree on the end point, if the binary that was used as it changed its name, as it spread, and just continue to do investigation to identify where this compromise occurred and then what it is I need to do to remediate and make sure that it's not continuing to grow.

I think the other component that I mentioned was threat hunting. If you're really concerned about security, the best way to maintain security hygiene is to threat hunt. You can almost think about it as pen testing internally, if you will, usually with an EDR tool, but it could be other tools as well.

Dave Bittner:

When people come to you and when you're starting out with them, are there any common misperceptions that you run into regularly? When people are at the beginning of this journey, are there things that they don't have a clear understanding of?

Jim Aull:

Oh, yeah. Everybody has a different approach as to how they think is the best way to do it. One of the challenges is you need to have the appropriate log sources. They may not have a technology stack that is going to be the most efficient. You need endpoint, you need cloud, you need next-generation firewall, you need proxy, you need critical Microsoft infrastructure. So you need to have the ability to pull that in.

One of the misunderstandings is that they'll have other log sources that they want brought into the discussion, and a lot of times those aren't really needed. They add noise. It's really hard to talk to the customers with a real understanding that I know it's an important system to you, but it's really just adding noise and excess of cost to the situation. And I have a real hard time with that one.

Dave Bittner:

That's interesting. You have to, I guess, sort of make your case over time, show them that there are better ways to spend their time and resources?

Jim Aull:

Exactly. The other misperception that I get sometimes, too, or misunderstanding that I struggle with customers sometimes is that they want to see the interface. The security industry has been so inundated with tools — the Frankenstack, if you will. You buy another tool, there's diminishing security return associated with that tool, and that tool, it wasn't installed properly because you want to buy it, but did you spend the time to have someone install appropriately, and then you need to continue to update it and tune it. I think finance people believe that those tools are cheaper than hiring a security practitioner. But there's a point in time where you need someone to groom the network.

In that same vein, the point I'm getting at, is that when you're selling and talking about MDR, they are very interested in seeing the interface and the interface is important, but more than anything else is it's the services. It's the bulletproof processes wrapped around the services like the analyst and the customer service engineers and the threat-hunters and the ability to develop content or grab intel and develop relevant content, much more important than the interface. But they're used to looking at the interface because they're used to buying tools.

Dave Bittner:

Yeah, that's a really interesting insight. I mean, I think about how as a comparison as you acquire more property, as your estate grows and grows, at some point, there's going to be a time when it makes more sense for you to get a groundskeeper than, I don't know, getting yourself a fancier lawn mower, right?

Jim Aull:

Yes. I think a lot of customers are coming to understand that at this point.

Dave Bittner:

What tips do you have for folks who are starting down this pathway, who are beginning this journey and aren't sure how they should go about facing this reality? What words of wisdom do you have?

Jim Aull:

Yeah. I think the market has come from so many different providers. It's come from EDR providers, it's come from startups, it's come from managed services, providers becoming MDR providers, and it's even coming from some of the business consultants who are now getting into the space.

This is a process, rinse, lather, repeat programmatic approach. You could be a company that developed software and have a great tool, but you can't pick up that process overnight. So I would ask anyone looking at an MDR provider what their people process looks like? Do they have global operations? Have they been in this business for a long time or are they just getting into the business?

Dave Bittner:

Our thanks to Jim Aull from Verizon for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.