In this Spotlight Podcast, Pondurance Chief Strategy Officer Lyndon Brown joins me to talk about how changes in both the threat landscape and the workplace are driving demand for managed detection and response services, in which companies hire outside security talent to help keep sophisticated cyber adversaries at bay.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google Podcasts, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.
Change is the one constant in the information security field, where the bad guys set the tone and whose hunger for profits drive rapid evolution in both threats and attacks.
These days, the plague du jour is ransomware, in which cyber criminal gangs infiltrate companies, encrypt sensitive information and systems and – increasingly – offer threaten to leak stolen data to increase the leverage on their victims.
Unfortunately, the “fix” for the ransomware problem isn’t straight forward. Enterprise perimeters had already deteriorated well before the COVID pandemic and the rapid shift to remote work battered down what was left of them. Phishing attacks, credential stuffing and application layer attacks like SQL injection reliably provide access to corporate environments. Perimeter based detections and blocking offer little in the way of protection against these risks.
Increasingly the solution for organizations is to bring in security experts to help keep hackers at bay. But that runs up against another urgent problem: a severe shortage of cyber security workers, especially in sectors like healthcare and government. In July, for example, the Department of Homeland Security announced that it had completed its most successful cybersecurity hiring drive ever and that it still had more than 1,800 vacancies for cyber security workers.
One answer to the cybersecurity talent shortage is Managed Detection and Response (or “MDR”), a fast-growing segment of the information security space in which companies hire third party security experts not just to monitor their networks, but to get hands on in “response” – detecting, pursuing and removing threats.
What is MDR? How and why are organizations adopting MDR as a response to the changing threat landscape? In this podcast, we invited Lyndon Brown of the firm Pondurance in to the Security Ledger studio to answer those questions.
Lyndon is the Chief Strategy Officer at Pondurance. In this podcast he talks about the changing threat landscape and how shifts in threats and attacks have driven more firms in sectors like Healthcare, banking and financial services to seek expert help in responding to cyber threats.
To start off, I asked Lyndon to talk a bit about what Pondurance does and his role at the firm. You can listen to our conversation above, or use the button below to download the MP3 recording.
Disclosure: This podcast and blog post were sponsored by Pondurance. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
[START OF RECORDING]
PAUL: This episode of the Security Ledger podcast is sponsored by Pondurance. Pondurance delivers world class managed detection and response services to industries facing today’s most pressing and dynamic cybersecurity challenges, including ransomware, complex compliance requirements, and digital transformation accelerated by a distributed workforce. Pondurance experts include seasoned security operations analysts, digital forensics and incident response professionals, and compliance and security strategists who provide always on services to customers seeking broader visibility, faster response and containment, and more unified risk management for their organizations. To learn more, visit them at pondurance.com, that’s pondurance.com.
PAUL: Hello, and welcome to the Security Ledger Podcast. I’m your host, Paul Roberts, Editor in Chief at the Security Ledger. In this spotlight edition of the podcast…
LYNDON: Security threats aren’t like the weather that they don’t just kind of just happen right? There’s somebody at a keyboard somewhere in the world trying to figure out how to gain access to an organization’s assets and either monetize it or further their nation stay goals, etc. And as long as you have that someone on the other end, you need humans on this side, right? Machines just simply can’t.
PAUL: Change is the one constant in the information security field. The bad guys set the tone, and their hunger for profits drives rapid evolution in both threats and attacks. These days, the plague du jour is ransomware, in which cyber criminal gangs infiltrate companies, encrypt sensitive information and systems and increasingly threatened to leak stolen data to increase the leverage on their victims to pay up. Unfortunately, the fix for the ransomware problem isn’t straightforward. Enterprise perimeters had already deteriorated well before the COVID pandemic and the rapid shift to work from home battered down what was left of them. Phishing, tax, credential stuffing and application layer attacks like sequel injection reliably provide access to corporate environments today, as they did five or even ten years ago, and perimeter-based detections and block offer little in the way of protection against these risks. Increasingly, the solution for organizations is to bring in security experts to help keep hackers at bay. So-called manage detection and response, or MDR solutions are a fast growing segment of the information security space as companies turn to security experts not just to monitor their networks, but to get hands on in both detecting and removing threats from their environment. What is MDR and why are organizations adopting it now as a response to the changing threat landscape? In this podcast, we invited Lyndon Brown of the firm Pondurance into the Security Ledger Studios to answer some of those questions. Lyndon is the chief strategy officer at Pondurance. In this podcast, he talks about the changing threat landscape and how shifts in threats and attacks have driven more firms in sectors like healthcare, banking, and financial services to seek expert help in responding to cyber threats. To start off, I asked Lyndon to talk a little bit about what Pondurance does and his role at the firm.
LYNDON: Lyndon Brown, chief strategy officer at Pondurance.
PAUL: Lyndon, for our listeners who may not know about Pondurance, could you tell us a little bit about the company and what you guys do?
LYNDON: So Pondurance is a very fast growing, manage detection and response company focused on helping organizations really address their biggest security challenges. This spans ransomware, compliance regulations and other threats, and we do this by offering 24/7 personalized protection.
PAUL: Pondurance is in a space mostly referred to as MDR: managed detection and response. It’s really easy. Gartner creates all these categories and people kind of scramble around trying to figure out which one they’re in, but it’s always better to sort of back up and talk about the underlying problems that organizations are facing these days and the kind of threats and attacks and also just the kind of management challenges that exist within the information security space. So with that in mind, what are the types of problems that generally bring companies to Pondurance’s doorstep?
LYNDON: Sure. So when we talk to organizations, there are really a number of kind of really cascading challenges that they’re faced with. The first probably gets the most headlines as it relates to threats we’ve all seen in recent months, recent years, et cetera, just the number of threats that organizations have been facing. There’ve been some high, very high profile breaches, such as ransomware affecting oil and gas organizations on the Eastern Seaborg, but also government agencies and even food supply organizations, a large scale beef supplier, was impacted by a ransomware event, but no industry has really been immune. We’ve seen municipal transportation, hospitals, universities all impacted by really this scourge of ransomware. And ransomware is not a new threat, but it’s a threat that’s gained a lot more attention and interest from attackers based on some key factors, cryptocurrency continues to be an attractive and harder to trace monetary and currency that allows attackers to both execute an attack but also receive payment. And it’s really been challenging from any organizations.
PAUL: To sort of dig a little bit deeper on that, what is the challenge that ransomware poses? Why is it so challenging or hard for companies to address in a way that other threats that have come along over the years maybe have not been as challenging.
LYNDON: Sure, so I would say ransomware specifically has got a lot of attention, a lot of interest. There’s a lot of money in it. And there’s an old adage when someone was asking, why do they rob a bank, they say that’s where the money is. And ransomware is simply where the money is. Organizations, whether it’s their insurance company or the organization directly, have shown and proven that when remember meets the road, they’ll pay a ransom. And so it becomes very lucrative. But what’s similar to other threat types and tactics is that it really only takes a few mistakes by an organization to be susceptible and vulnerable to an attack. Right? As far as it’s been well documented by now that the large colonial pipeline hack was really caused by one single compromised password. So we live in a world where a dollar of offense absolutely beats a dollar of defense and actually beats $1 offense beats a couple of million dollars of defense. Right?
PAUL: Six bitcoins worth of defense. Yeah.
LYNDON: Exactly. So it really creates a really tough situation where a lot of new threat actors are rushing into the pool to be able to get rich and really go beyond kind of the hactivism or other threat vectors that previously existed.
PAUL: It’s the first just kind of wildly successful cybercrime business model. I mean, maybe not the first, but it’s certainly the most successful we’ve seen today. I guess maybe there will be more in the future.
LYNDON: Yeah. And you mentioned a cybercrime industry specifically. And if you actually charted cybercrime in 2020, cybercrime would be the 6th largest economy if it was a country. So I think you’re actually spot on right after California. So I think you’re actually spot on in saying that’s the big shift, right. Monetization, you always had nation state actors. You always had hactivists who wanted to deface a website and get their name out of there. You always had kind of script kitties who had their own motivations for doing things. And then you always had credit card scammers and things like that. But this is an interesting monetization strategy where pretty much any information is now monetizable, right. The beef supplier or a government agency might have a file somewhere that matters to them matters to nobody else in the world. But if you’re able to encrypt it and then deny access to it, it’s instantly become something of value that you can potentially get paid on. So that’s really I think the big shift and cryptocurrency providing a new avenue for organizations, malicious organizations and their partners to be able to monetize is just a compost events that makes it really tough for the average organization to protect against.
PAUL: So the manage detection response space. Let’s talk about that a little bit. Again, that’s part of the information security industry or market that Pondurance operates in. Folks are probably familiar with sort of managed security service providers, MSSP’s, could you kind of walk us through that managed detection response offering and maybe how it compares to more traditional managed security services?
LYNDON: Sure. Managed security service providers really popped up early in the Internet age, where all of a sudden organizations were being connected to the Internet. And I always like to say and I’ll quote a famous philosopher at this point, the invention of the ship was the invention of the shipwreck, right? There was no hackers, and there were no, really Internet threats until the Internet became available. Right. But once that Internet Super Highway, if you will, using a throwback term, there was established, really you saw opportunist, you saw nation states trying to leverage that to further their motives. And managed security service providers really started off as an offshoot of Internet service providers, recognizing that they can provide seatbelt if you will, for the highway that they had just created. But what quickly emerged and it continues to tap in today, is that managed service providers were really focused on device management. So configuring a firewall, configuring an antivirus product, and under the assumption that if you can block it, you’ll stop it. Right. So this is the equivalent of building a large wall around your house and saying, we got the wall up and we’ll be okay. But, you know, things have happened that have put dents into that strategy of many organizations. Most of their infrastructure no longer sits behind a physical perimeter or even a real kind of logical perimeters. It’s in the cloud. It’s shared and federated across partner organizations. Data is being shared, connections are being established. The average organization is leveraging tons of SAS applications, et cetera. So the dissolving of the perimeter, the evolution of the kinds of threats that’s sophisticated threats that can launch really created tremendous gaps. And the value that managed security service providers could provide in today’s age, MDR really emerged as an answer to that. To be able to really go beyond just trying to do a prevention only strategy to actually bringing the detection and response capabilities to bear. And detection and response specifically focuses on and is based on the realization that if you don’t stop it at the front door, you surely want to have a chance to stop it when it’s kind of in the perimeter, because being able to stop something urgent immediately can absolutely reduce the impact and the loss associated with waiting a lot longer. So that’s really the detection and response aspect and the kind of tools and the techniques that need to be involved to be able to do that effectively really distinguishes MDR from MSSP’s.
PAUL: Okay. What are those tools and techniques? What’s in the tool belt?
LYNDON: Yeah. So I would say the first piece is really deep visibility and that visibility can be narrow. Like some providers in the market, focus on just maybe an endpoint doing visibility, or it could be broad where you’re providing broader coverage across a variety of different dimensions. Endpoint log network visibility. And this is where Pondurance plays being able to provide 360 degree visibility across an organization’s infrastructure. The next piece really relates to how you do detection. Right. So going back in a time machine to the early Internet days, detection was really defined as threat researchers identifying a threat or seeing a threat alive in the wild. Finding a way to catalog that so effectively tagging it, if you will. But really identifying and developing signatures related to those threats and in trying to distribute those signatures as quickly as possible. So maybe patient zero isn’t protected, but the next set of patients would be protected. And that was largely what the security industry did for a very long time. CBAD, right, signatures, distributed quickly and hopefully be able to block it if it shows up at somebody’s front door. But attackers got really nifty and really good at creating using techniques to actually be able to manipulate their malware to make the same threat look 1000 different ways just by pressing a button. So that really broke the strategy around using a signature based approach to be able to detect the threat. So the modern MDR provider needs to be able to detect threats in the absence of a known signature. This often means leveraging advanced techniques, such as AI, ML, et cetera. But it also means doing threat hunting, assuming that there’s an attacker in the building and really walking the digital hallways, if you will, and doing it in a way to identify if there’s a threat in the midst.
PAUL: You’re listening to a Spotlight edition of the Security Ledger podcast sponsored by Pondurance.
PAUL: That sort of human in the loop piece is so important. I think there’s a lot to talk about applications of AI and Ml machine learning and artificial intelligence around threat detection, but it still is a thorny problem, and one that requires more than you can kind of get out of the box, right? Talk just a little bit about how Pondurance manages that piece of it. The walking the hallway as you put it and checking to see that nothing is a miss.
LYNDON: Yeah. So I think if you walk into an average organization, they’re typically sitting on one or the other end of the spectrum. Right? There’s some organizations that have no alerts, and that’s a problem in its own, right. But then 41% of organizations say that they’re seeing 10,000 alerts a day, which is a different problem, but also a problem.
PAUL: Ironically, a better problem than the organization with no alerts.
LYNDON: One could argue, but if you don’t have the talent, right. But if you don’t have the talent, look, those ten alerts to thousand alerts, it’s kind of the same as having it’s kind of the same as having no alerts. Right. So it’s actually where that human element, one way the element comes in being able to understand ascertain and determine what’s happening and what needs to be done in the threat landscape. Right. Leveraging processes and technologies as force multipliers. But ultimately we still haven’t both a machine that is sentient is autonomous can think the way a human thinks. And because the interesting thing about security and honestly, probably, part of the reason why I’m in it, is because it’s one of the few professions where it’s a two player game. It’s a two player sport. Security threats aren’t like the weather that they don’t just kind of just happen. There’s somebody at a keyboard somewhere in the world trying to figure out whether strategically or opportunistically, how to gain access to an organization’s assets and either monetize it or further their nation state goals, et cetera. And as long as you have that someone on the other end, you need humans on this side, right? Machines just simply can’t do it. And then also when it gets to doing a response in actually being able to push the button, whether that’s blocking or quarantining a network, removing the host, removing a threat or other things, those are still things that are best left in the hands of elite and trained security analyst, being able to weigh and take in all the different inputs about the business, the context, et cetera. And then go from there. So really having humans in the loop is not something that will go away. And organizations out there simply cannot find the talent that’s needed to further those goals.
PAUL: Yeah. I mean, you bring up a great point. And obviously that’s just the dearth of security talent and how much organizations across industries are struggling just to find people to fill those jobs and do the work. How does that impact you? Is that something that brings organizations to Pondurance, it’s just the challenge of finding those people? And then how does Pondurance or other MDR vendors, how do you kind of manage that relationship of parachuting into the customer’s environment and taking on a pretty active role in terms of threat detection and response?
LYNDON: Yeah. So one of the great things about us being able to focus on being the best at MDR is that one of our core capabilities is being able to attract, develop, retain, and advance security security talent. Whereas an organization, a regional bank, local health care provider, a grocery chain, they have a lot of other things to be focused on. So security just simply wouldn’t be on their top ten list as far as being world class. And we argue right, it doesn’t need to be that’s what partnerships are for, just like we’re not being trying to be experts in those different domains, allow us to be the experts and work closely with you to help drive your business goals forward is how we most effectively collaborate. And what that looks like is really understanding the business itself. So we have very deep expertise in a number of verticals. I’ll mention healthcare as just as an example. And healthcare is an area where we’ve worked for years. We understand the jargon, the acronyms. We understand the number of the business requirements, but we still want to hear exactly what the particular organization is facing, and then we can effectively implement the detection and response capabilities to help advance those goals and help reduce the risk that that organization is particularly facing. So as we onboard clients as we work with the clients on a 24/7 basis, we’re really focused on being an extension of their team and providing the collaboration, the transparency that they deserve, while also removing a lot of activities and needs from their plate specifically.
PAUL: Is there a profile of the type or size of organization or even the industry in your experience, that where there’s just a lot of movement towards adopting MDR right now for whatever reason, and should listeners who might be considering this, I mean, is this a turn-key solution or is this a kind of a force multiplier like you’ve got a security team, but they’re overwhelmed and you need to kind of separate out the weak from the chafe, help them really just focus their energies on what matters and not get distracted by the noise. And we’re here to help you do that. Or is it like we hire Pondurance, they’re now our security team and we focus on other stuff?
LYNDON: Sure. There’s a couple of good cures. I want to try to touch on all of them. So I think the first answer your first question. I’ve worked at organizations I built really awesome security technology that was really focused on and could really be used by I’ll say the security one percenters of the world, the security organizations that can go out there and buy one of everything pretty much higher whoever they want. Right. So organizations in that group, Pondurance or another MDR not necessarily relevant, right. But for the other 99% of the world who can’t find the talent don’t necessarily know which tools to buy could keep the technologies effectively configured, even if they did select those and then also have to keep an eye on total cost of ownership. That’s really where Pondurance plays. Now to answer your other question around, and I’ll say this, how tall do you have to be to get a ride, a ride? There’s different configurations, and our policy is we meet customers where they are. So some of our customers absolutely come in. They have a CISO. They have some number of talented security personnel, but they also know they can’t scale that. Right. If you look at just do some back of the envelope calculations and you want it to start a 24/7 sock, it’ll take about 14 to 16 people, depending. If you want people to have any holidays off, to actually be able to staff that effectively. And most organizations just can’t find or couldn’t afford to budget for 15/16 people to actually be able to provide that level of monitoring.
PAUL: And these aren’t people, this isn’t like the kid running the fry later, either. These are like skilled, talented professionals who command decent salaries.
LYNDON: Exactly. Right. And then also just like all of us, right? They want to be challenged. They want to take on new projects and things like that. And that’s really where these things typically kind of break down when an organization is trying to go at it at their own. If you look at even there’s a space called the SIM space. Many people have familiarity with it. SIMs been around for 20 something years, but the vast majority of SIM deployments were unsuccessful. Why? Because technology alone is simply not enough to solve the problem. You need someone to configure it, monitor it, manage it, upgrade it, and just buying a skew off of a price list that doesn’t really give you all that. So that’s a big area. So our mission is really to be able to provide. We want to ensure that every organization, really, regardless of size, the industry is in a position and is able to protect their business from cyber risk. And that’s why we come to work every day.
PAUL: One of the really challenging and frustrating things about the information security industry is that when new approaches or popular approaches emerge, every existing legacy vendor immediately kind of wraps themselves in that wrapping paper, whether it’s going back data leak or SIM or threat intelligence or whatever the hot term is. And with MDR, you do see a lot of vendors kind of saying, oh, yeah, we’re MDR. And we’re also these five other things for listeners who are out there need to sort out these companies figure out who’s real and who’s not what is MDR and what is an MDR? Any advice on kind of obviously, you would recommend Pondurance, but any advice on what they should be looking for, what kind of core capabilities or features they should consider indispensable?
LYNDON: A couple of things definitely jump out to me as you ask that question, Paul. So I’ll break down the problem into a couple of different areas, and I’ll start with visibility, right. So somebody say you can’t protect what you can’t see. So let’s start with the visibility side. And I think, you know, organizations need to ask their current provider or prospective provider if if the provider is able to help that organization close visibility gaps across endpoint log, network and cloud. And simply put, if a provider can’t cover all four of those, you probably want to seek another provider who can really cover all and give you confidence that you’re protected across those dimensions. As it relates to detection and response, a combination of alert based detection, but also leveraging threat hunting is critical, and there are an MDR, manage detection response, really comes down to response. And surprisingly, we see a lot of both legacy providers and other players in the MDR space who don’t do full fledged incident response. The thing that comes to mind is when you see a dog kind of chasing a bus and it’s like, what are you going to do? When you actually chase, catch the bus. Right. So it’s the same exact thing in managed detection response is I was in the market for managed detection response provider, I would definitely want to make sure I have one that can do response and can really manage that end to end. Response means taking action, but it also means managing stakeholders and helping develop a comms plan and helping be able to really remove the threat as quickly as possible. And that’s what all comes down to that response piece. And I think having that is absolutely critical.
PAUL: That is a differentiator that response piece and the most consequential piece for the customer of course.
LYNDON: Exactly. And the other areas I would put here in the category of look for would definitely be every organization has made some level of security investment or IT investment. Finding a provider that can actually leverage some of that investment and not require you to completely turn off for the Apple Cart is something that’s key. Every organization has different sets of policies or compliance mandates or potentially just internal objectives and ensuring that the provider to your point about turn-key earlier. Ensuring that that provider can actually be somewhat customizable and fit within your particular policies is critical. If you keep getting an alert for something that is not a policy for you, but it’s a policy for someone else. It kind of creates that boy who cried wolf scenario. You definitely want to make sure that the policies are customizable. And then the last thing I’ll mention is really experience in your industry. It’s really tough and difficult to work with a provider who doesn’t have experience in your particular industry. That could be manufacturing. It could be healthcare. It could be oil and gas. Being on the other phone, other side of a phone from a provider who just doesn’t speak the jargon doesn’t understand your particular industry and doesn’t understand why something would be critical. Is really, I would say it was really an unfortunate scenario. So definitely, as the listeners look at MDR providers, encourage them to look across those dimensions.
PAUL: Final question. I mean, obviously the COVID pandemic has really just changed the way businesses function and operate forced probably the acceleration of certain technology trends. Digital transformation trends from your approach there at Pondurance, what do you think the biggest impacts of the pandemic have been in so far as security is concerned in the types of questions and demands you’re hearing from your customers?
LYNDON: Yeah, I think just for a pandemic point of view, obviously, the broader impact on society very damaging as relate.
PAUL: It’s been a wild ride man.
LYNDON: And pivoting into security, specifically, I would say, let me find a bright spot. Right. And I’ll say that this is probably the fastest acceleration of digital transformation that has occurred in our lifetimes. In a 18 month period, organizations were ripping off the Band Aid and figuring out how to do telepresence in health care, figuring out how to engage with clients and customers and more effectively digital enabling a whole class of workforce to be able to actually work from home, work remotely. So on the positive side, tremendous amount of progress in terms of just moving forward, perhaps even a decade pace in a very short period of time. The con is that a lot of that happened in the absence of the traditional maybe security reviews, analysis, risk adjusted analysis that would determine, is it time for us to actually do that or what should we be thinking about, et cetera? So that’s really kind of the Catch 22 huge transformation in terms of new services being offered. That cloud has absolutely seen a huge growth and adoption, but at the same time, security has generally lagged both in the ability of technology to be deployed, but also in terms of the expertise to be able to know how to secure the cloud. The number of cloud security experts in the world, it’s extremely, extremely small. So fortunately at Pondurance we have a team that focuses on that. But that’s really just kind of maybe illustrates the point there, rapid digitization really is requiring organizations to think extra hard about their security strategy, and MDR provides contributing solution to some of those challenges.
PAUL: Listeners want to learn more about Pondurance, where should they go?
LYNDON: Sure, Paul, they can find us at pondurance.com right from the home page. They can click “request a demo,” and it will give us an opportunity to show them how we work with a variety of organizations and also have a conversation about how we can help them.
PAUL: Lyndon Brown, chief strategy officer at Pondurance thank you so much for coming in and speaking to us on the Security Ledger Podcast.
LYNDON: I appreciate the opportunity to chat with you today Paul.
PAUL: You’ve been listening to a Spotlight edition of the Security Ledger Podcast, sponsored by Pondurance. Pondurance delivers world class managed detection and response services to industries facing today’s most pressing and dynamic cyber security challenges, including ransomware, complex compliance requirements and digital transformation accelerated by a distributed workforce. Pondurance experts include seasoned security operations analysts, digital forensics, and incident response professionals and compliance and security strategists who provide always-on services to customers seeking broader visibility, faster response and containment, and more unified risk management for their organizations. To learn more, visit them at pondurance.com, that’s P-O-N-D-U-R-A-N-C-E dot com.
[END OF RECORDING]