In this Spotlight Podcast, Pondurance Chief Information Security Officer Dustin Hutchison joins me to talk about the value that managed detection and response (MDR) technology plays in an environment of proliferating threats. Dustin also talks about how companies can operationalize MDR within their environment.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google Podcasts, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.
Enterprises today have a full plate of challenges when it comes to cyber security. In addition to doing the basic blocking and tackling like software updates and user management, organizations have cloud and third party risks to worry about. The rise of ransomware makes regular on- and off-site backups of key systems and data indispensable.
And, then there’s the prevalence of sophisticated criminal and nation state adversaries. Organizations today simply can’t count on their ability to keep the bad guys off of their network. That’s why incident response and threat hunting capabilities are in high demand – and low supply.
Proliferating Threats: Enter MDR!
Given the diversity of cybersecurity skills that are now required, it’s no surprise that managed detection and response (MDR) firms are becoming a staple of enterprise security, as companies look to outsource mission critical cyber security tasks to trained professionals.
But that begs the question of what kinds of firms are likely to benefit the most from contracting with an MDR firm. And, given that your organization can benefit from MDR, what do you need to do first to be in a position to bring one on? And what is involved in the process of integrating that MDR firm into your IT security operations?
Operationalizing MDR in the Enterprise
Those are all questions that we put to our guest this week: Dustin Hutchison is the CISO of the firm Pondurance. Dustin has over 20 years of experience in information security, risk management, and regulatory compliance. His past work involved helping companies conduct risk assessments for new technology acquisitions ranging from infrastructure solutions to patient care devices. He advised companies on questions related to HIPAA, PCI, and other government and industry regulations.
In this conversation, Dustin and I talk about the kinds of challenges that organizations are struggling to manage. While the media’s attention is often focused on ransomware and ransom payments, Dustin notes that there are many other, less glitzy threats that still plague enterprises – from business email compromises to run of the mill hacking and data theft. To start off our conversation, I asked Dustin to tell us a bit about Pondurance and the work he does there as the CISO.
Disclosure: This podcast and blog post were sponsored by Pondurance. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
[START OF RECORDING]
PAUL: This episode of The Security Ledger podcast is sponsored by Pondurance. Pondurance delivers world class managed detection and response services to industries facing today’s most pressing and dynamic cybersecurity challenges, including ransomware, complex compliance requirements and digital transformation accelerated by a distributed workforce. Pondurance experts include seasoned security operations analysts, digital forensics and incident response professionals, and compliance and security strategists who provide always on services to customers seeking broader visibility, faster response and containment, and more unified risk management for their organizations. To learn more, visit them at Pondurance.com, that’s P-O-N-D-U-R-A-N-C-E dot com.
PAUL: Hello, and welcome to the Spotlight edition of The Security Ledger Podcast. I’m your host, Paul Roberts, Editor in Chief at the Security Ledger. In this Spotlight podcast sponsored by Pondurance…
DUSTIN: It’s more than just the ransomware payment. It’s the cost of an IR firm. It’s the cost of maybe outside legal counsel. It’s the cost of downtime and lost revenue, the opportunity cost of internal resources, the potential downstream cost of cyber insurance increases and then also the reputation damage.
PAUL: Enterprises today have a full plate of challenges when it comes to cyber security. In addition to the basic blocking and tackling like endpoint security software updates and user management, organizations have to contend with cloud and third party risks. The rise of ransomware has made regular on and off site backups of key systems and data indispensable. And given the prevalence of sophisticated criminal and nation state adversaries, organizations can’t count on their ability to keep the bad guys off their network. That’s why incident response and threat hunting capabilities are in high demand. Given the diversity of cybersecurity skills that are now required of organizations, it’s no surprise that managed detection and response firms are becoming a staple of enterprise security as companies look to outsource mission critical cybersecurity tasks to trained professionals. But that begs a question of whether your firm is one that is likely to benefit from managed detection and response. And given that your organization would benefit from MDR, what do you need to do first to lay the groundwork for a successful MDR deployment? What is involved in the process of integrating managed detection and response into your current IT security operations? Those are all questions that we put to our guest this week. Dustin Hutchison is the chief information security officer at the firm Pondurance, which does managed detection and response. Dustin has over 20 years of experience in information security, risk management and regulatory compliance. His past work has involved helping companies conduct risk assessments of new technology acquisitions ranging from infrastructure solutions to patient care devices. He’s also advised companies on questions related to HIPAA, PCI and other government and industry regulations. To start off our conversation, I asked Dustin to tell us a bit about Pondurance and the work he does there as the CISO.
DUSTIN: Dustin Hutchison, I’m the VP of Services and the CISO at Pondurance.
PAUL: Dustin, welcome to Security Ledger Podcast.
DUSTIN: Thanks for having me Paul.
PAUL: So for our listeners who don’t know about Pondurance. Tell us a little bit about what Pondurance does.
DUSTIN: So Pondurance is a managed detection and response company, also referred to as MDR, and it goes a little bit further than only MDR. So we also offer digital forensics and incident response, and then also have a full suite of professional services, including application security testing, penetration testing, and then it runs the gamut with the alphabet soup in compliance. So we’re a PCI QSA, which is a payment card industry qualified security assessor. We do a lot of program readiness and maturity consulting also for our clients.
PAUL: When we’re talking about things like data breach and compromises, what are we talking about? And what are you seeing out there just across your customer base in terms of the types of breaches and incidents that are most commonly occurring, most likely to get companies in trouble?
DUSTIN: It’s a great question, and it’s shifted over the years with the influx of ransomware. That additional caveat of the blackmail factor, which has been added more recently, has grown. Business email compromise is one that’s been pretty consistent, and one thing to think about is, one may lead to the other. So you may have a business email compromise issue where the attacker’s endgame is actually more than that initial step. So we’re seeing a lot of both of those scenarios.
PAUL: For the audience Dustin, kind of explain what business email compromise is and how that attack works.
DUSTIN: Yeah, so business email compromise, a lot of times you’ll think about this, where it can come from credential harvesting, where someone’s user ID and password has been made available, and there’s an impersonation factor. It can occur through phishing, where someone receives a message, they click on a link or take some activity to where they expose their credentials. And then a lot of times what will happen once an attacker has access to someone’s email, not only can they monitor everything that person is doing from a communication standpoint, they can very easily impersonate that person, too. So you see a lot of the wire fraud happening through business email compromise initially.
PAUL: Yeah, sometimes it seems like ransomware looms so large in everybody’s vision that I think other types of attacks are kind of getting overlooked in some ways, at least from the media perspective and the coverage perspective. Everybody’s writing about ransomware because it’s so dramatic. But there are so many other attacks that go on, and I think many of them are kind of interrelated, right. It’s kind of an all hands on deck approach once they’ve got access to your network and your sensitive data.
DUSTIN: Yeah. Exactly. And ransomware, it brings everything to a screeching halt. It’s very noticeable. So if people are working and suddenly it says their workstations are encrypted or they can’t access things on the network, it’s a lot more obvious than business email compromise or some of these other attack vectors. And so that’s definitely one of the reasons it gets more noticeable from the press standpoint, but also the pure cost of the actual ransom is usually shocking to people. So it makes for a great byline, right?
PAUL: Yeah, it does. One of the things that you’re in the MDR space. I think there’s a perception that the companies who can afford to hire people to kind of help them with incident response are either affluent companies, large companies, Fortune 500 firms, or they’re just like their pants are on fire, and they really have no choice but to hire them because everything’s going to hell. What is kind of the profile of the Pondurance customer? How are businesses in that small, medium enterprise space addressing some of the challenges that we’re talking about?
DUSTIN: You know, it’s a great question, and it’s something that organizations obviously often think about too late. Right. You want to be engaged with a provider before it happens. One of the things that Pondurance has done to enable that is created incident response retainers where it’s more than just put us on paper and we’ll be there for you when you need us. We actually are more proactive than that, where we try to get integrated into their incident response plan, or if they don’t have an incident response plan, help them develop that, walk them through a tabletop exercise again before anything bad actually happens, to where leadership and the subject matter experts are geared up and ready, and they know what to do next. And so that’s a low cost offering. And it’s really on the proactive side to get people ready. And you are going to have varying levels of readiness and expectations dependent on industry and organization size. So unfortunately, smaller organizations, they do think that they can’t afford this, and they may not be targets, when in all reality they can afford it, it’s inexpensive to prepare for, and they are also targets. It’s an opportunistic attack. And if they have anything that’s on the Internet or they’ve got email, then a threat actor could leverage that and take control. Or, like we said, with the business email compromise, wreak havoc in a different way.
PAUL: Okay, so what’s the basic blocking and tackling here? What are the practices that organizations should be adopting, just because they’re best practices or to prepare for working with an MDR firm like Pondurance?
DUSTIN: Yeah, I think one of the most important things that sounds so elementary that a lot of organizations get wrong is an asset inventory, knowing what is under their control and where their data is. It is one of those first steps that you have to continually work on. So you’ve got to know what’s underneath the umbrella of your control and what you need to be focusing on, and then also some of the standard hygiene things, where it’s more than just user IDs and strong passwords. It’s user IDs, strong passwords and implementing multi factor authentication. It’s also understanding the threat profile of your third party vendors and knowing that they are living up to what you request of them from a security standpoint, and managing vulnerability management from the perspective of knowing those assets, understanding that you’re keeping them up to date, you’re patching appropriately. But then being ready for that continuous 24 by seven monitoring. And that’s one of the great things about Pondurance’s managed detection and response, it’s you’ve got highly trained threat hunters watching your network for things that are outside of the norm, so you do the standard blocking, tackling things from the system security and the build out, but then having that eye on it all the time, and then also using a third party where you’ve got hundreds of organizations being monitored, to where if there’s something happening, there’s an indicator of compromise that’s happening in some industry, it may not have hit your organization yet. Having a security operations center that sees that from a cyber threat intel standpoint and can apply some protective activities, or at least an early warning, is something that organizations need to think about for that continuous security monitoring idea.
PAUL: Yeah. I mean, that’s the type of thing that historically you’ve gotten from ISACs and so on. But of course, ISACs cost money, too, to belong to them and participate in them. And if that’s not in your budget, then you’re not privy to those types of sector related warnings that might come down, right?
DUSTIN: Yeah. Exactly. And then also having the people to actually respond to it and do something about it. Having the information is great. But knowing what to do next is really key.
PAUL: So if you work with an MDR company, is it a restart or are you keeping pretty much what you’ve deployed and building from that? I think probably a concern that companies have is we’re going to engage with this company, and their first recommendation is going to be for us to buy a whole bunch of new software and services from them or from their partners, and there are going to be all these kind of add on costs that we didn’t anticipate.
DUSTIN: Yeah. I mean, Pondurance makes it very easy from a cost and implementation standpoint. We obviously have endpoint clients, network monitoring and log agents that are the preferred Pondurance tech stack, but it’s not ever a rip and replace. That’s the great thing about the way that we monitor networks, where it’s you come as you are, same way with security program build, you start where you start, and our ability to be able to connect and parse what you already have deployed to give that full visibility across the organization is one of the things that our clients have definitely appreciated over the years, where it’s not all net new and coming in where, of course, green fields are always nice, but it’s never like that. And so yeah, it’s not a huge lift to deploy what we need for that visibility.
PAUL: And generally what’s getting them to make the switch to a managed detection and response company? Is this an initiative from the board or the C suite, or is it more just a recommendation from the IT and security teams, or is it a consequence of basically an incident? Something bad happened and now we’re, now we’re really getting serious because we’ve been caught out.
DUSTIN: Yeah. No, it’s a great question. And it’s a mix, because you’ve got organizations that are trying to be proactive. They are learning from the issues of their peers and other organizations and saying, all right, I need someone monitoring my network before something bad happens to me. There’s also the regulatory compliance spin, where having that visibility, being able to respond to security alerts and issues in a reasonable amount of time, it is leading down that path. There are also clients that are introduced to us because they had a breach or an incident. And we can deploy the MDR service so rapidly and get through that response cycle, a lot of the clients are saying, no, you can’t take this out. I need this. This is the visibility we should have had before this thing happened. So it’s definitely a mix from the proactive and the reactive.
PAUL: You’re listening to a Spotlight edition of the Security Ledger podcast sponsored by Pondurance.
PAUL: Can we talk about zero trust security?
PAUL: So as I’m sure you’ve noticed, it’s a big buzzword these days. Everyone from the Biden administration on down is promoting zero trust for the public sector or the private sector. From your perspective, is it useful to talk about zero trust? I mean, are the companies Pondurance encounters and works with, are they really ready for implementing zero trust, at least as it’s understood? Or is it kind of a crawl, walk, run thing, and zero trust is running and companies are maybe crawling or maybe toddling a little bit?
DUSTIN: Yeah. I think it’s the far end of the spectrum when you think about zero trust, what it really means when people talk about it from the buzzword standpoint versus what can actually be implemented within an organization. You’re going to get varying shades of implementation. So it’s that concept of, are you segmenting the right way? Do the right people have access to the right stuff? And can you verify that it’s the right people, and then continually, is it the right stuff? So theoretically, from a concept standpoint, it’s great. It sounds great from a security perspective. But when you start trying to work through the ability to actually enable people to work, that’s the same, we’re going to run into the same issue that we have now with any of these other security controls that are great. So even the adoption of multi factor authentication, for example, it’s not pervasive yet because it sometimes slows down people’s ability to work. Or the change in the network infrastructure is very difficult. And maybe leadership or the board of the business says, yes, that’s great. And that’s important, I get it, but is there something less that we can do?
PAUL: And by less we mean less expensive.
DUSTIN: Yes, less expensive. Is there something that’s good enough? So that’s the whole thing with zero trust, like getting people to understand what that would really mean and then how they would apply it to their organization, I think, is an important concept, but not setting expectations so high to where it’s binary. It’s either yes or no. It’s appropriate access that’s been analyzed based on what the business actually needs to do. That is kind of the key idea in the back of my mind with zero trust.
PAUL: But your average SME small, mid size enterprise that hopefully has a dedicated security person? Maybe, maybe not. Maybe has a small IT team. Is it really realistic for them to even be talking about zero trust given the resource and budget constraints they have?
DUSTIN: Well, I think it’s important to talk about in the same way it’s important to talk about ransomware, from that awareness standpoint, to make sure that the people that are hearing it, the people that are interested in it, are educated on how it’s applicable to the specific organization, and if it leads to funding for additional security projects, that’s great. And it’s that whole idea from a governance standpoint of where do you actually need to spend money to get where you want to go? And again, from the security program build perspective that Pondurance helps provide, it’s really understanding that criticality based on the current threat landscape and also helping educate leadership of organizations that it changes. So you have to constantly reevaluate. That’s one of the reasons regulatory compliance requirements put in at least an annual risk assessment or periodic security testing, because it’s not stagnant. And so having those conversations, especially when they’re in the news, the popular press, with leadership and saying, okay, here’s what this means, here’s what happened to our organization or this is how it could benefit us, is definitely a huge step in the right direction.
PAUL: I mean, obviously for organizations that are contemplating engaging with an MDR company, really, any information security company, there’s always a cost conversation. How much is the downside to us versus what we know the solution or the service is going to cost us? Data on cost of breach and cost of security incidents is all over the place, but what figures does Pondurance use, and kind of how do you explain this to your customers in terms of, hey, listen, the downside to your company of a cyber security incident and a data breach is X. And so you need to figure that into your, you know, calculations as we’re talking about what this service is going to cost or what the solution is going to cost.
DUSTIN: Yeah. So first, helping clients understand the true cost of a breach really has to do with, it’s more than just the ransomware payment, or it’s more than what was transferred via the wire funds transfer. It’s the cost of an IR firm, it’s the cost of maybe outside legal counsel, it’s the cost of downtime and lost revenue, the opportunity cost of internal resources, the potential downstream costs of cyber insurance increases, and then also the reputation damage. And then you also don’t know the scope of the incident. So will it be very isolated? Will it be across the entire organization? So that’s one of the benefits of a tabletop exercise, for example, where you walk through, here’s what could happen. You’ve got this initial incident and it expands and spreads this way. What happens next for you, dear client? And so the numbers, like you said, are all over the place. From business email compromise, one of the statistics of the top end price is $984,000. One of the top end costs for ransomware that we’re seeing, on average, is $1.1 million. And then the forensics and legal guidance, it’s bumping up against a top end of $400,000. So not using those numbers for the old fear, uncertainty and doubt, but just level setting and saying, look, getting in front of this from a cost standpoint has a lot more benefits than just the cost of that one incident. And then also, keep in mind one incident doesn’t mean you’re never going to have another one. And so doing what you can from that program build and the proactive operational security steps is getting easier and easier for people to understand the true benefit there.
PAUL: Yeah. Well, and in fact, I think there’s data that suggests that for companies that have been compromised, many of these attackers are coming back for a second bite of the apple, because why not? Right?
PAUL: And at the end of the day, I think one of the things that the companies need to realize, as well as particularly in the case of ransomware. While you can look at aggregate data about the average ransomware payment and so on and how it works out for most companies, at the end of the day, you’re in a negotiation with a bunch of criminals, right? There’s no guarantee that they’re not going to act like criminals act, and try and squeeze you for as much as they possibly can. Whether that’s the mean or not. And you just have to decide whether that’s the situation you want to find yourself in.
DUSTIN: It’s so interesting with the ransomware. We always joke that the bad guys have great customer service because they don’t all pay, right?
PAUL: Yeah. Right. Yeah. I know that with the Conti ransomware playbook that got leaked, I know that a lot of the security people were like, that’s really great documentation. I wish our security team had documentation like that. It’s very kind of thoughtful and detailed and kind of walks everybody through. It’s just like, yeah, they’re investing resources where it counts. Good affiliate documentation.
PAUL: Don’t skimp on that. What do you think? Obviously, we’ve got a lot of attention at the federal government level around improving, boiling the ocean, improving the level of cyber security, both at federal agencies as well as in the private sector. What is your advice to companies on things that they can do in the short term to really boost their cyber security posture and kind of eliminate some of those low hanging threats?
DUSTIN: You know, that’s a great question. And I think it’s an exercise that even an organization with an established program should do periodically. Just kind of take that step back, have fresh eyes on the organization and say, is our program shaped the right way? And so I think there are so many great resources you mentioned from the government standpoint. The NIST Cybersecurity Framework is such an outstanding document just to kind of understand the controls that a lot of the compliance requirements are focusing on. Just walking through that and kind of understanding, are these things that we’re doing? And then also the CMMC, the Cybersecurity Maturity Model Certification. Pondurance is a registered provider organization, or an RPO, so we’re going to help a lot of organizations align with that, which is also built off of this documentation. And I think just getting a better idea of not just the risks and the threats that are out there, but some of those baseline controls. And obviously this is something that Pondurance helps organizations with from a pure risk assessment standpoint. And then plus, we do a lot of plan of action and milestones, where we’ll look at the organization, map it out against a framework like the NIST CSF or any of the regulatory compliance frameworks, and then help build that plan, and then really setting realistic milestones to address the critical items. So looking at those and saying, okay, here are some of the low hanging fruit things that don’t cost us a lot of money, don’t cost us a lot of time. Can we make a deliberate effort to get this done by X date and then show evidence of it? I think it’s such a great first step, and then making sure that this doesn’t just live in the IT organization. Cyber security is a business problem, not just an IT problem. So getting the full support of the organization is more important now than ever.
PAUL: Okay. Final question, for organizations out there that might be contemplating, you know, some kind of MDR engagement. What questions should they be asking themselves about whether they’re ready for it, whether it’s a good fit for them as an organization? Allow our listeners to self screen, as it were.
DUSTIN: Yeah. I think an organization that wants more visibility into their network, and wants that safety net of experts that are doing this day in, day out, this is what they are solely focused on, and need that extension of their team is the perfect candidate for this. And so we service organizations of all sizes, different industries, and can really supplement the team with that visibility. And also, like I said, that safety net of knowing that you’ve got people watching your network for things that are outside of the norm that are going to come back with really strong recommendations on how to fix this. So it’s not just, here’s an alert, something bad is happening. It’s, something bad is potentially happening, here’s what you need to do next. I think that’s probably the best way for a company to self screen. If that’s a gap in their program right now, hunters can definitely help.
PAUL: And this way you’ll know those that cybersecurity talent is hard to come by these days.
DUSTIN: Definitely. And that’s why using a third party like Pondurance that can attract that talent is so key. For organizations that are trying to do this on their own, their analysts are focused on that type of network traffic that’s within their own walls. Once you expand that out to all these different industries, you get a lot more exposure, so that rapid response and ability to see how indicators are going to affect different companies and organizations is really important.
PAUL: So, Dustin, if our listeners want to learn more about Pondurance, where can they go?
DUSTIN: So the Pondurance website, you can go directly there and request the demo, and even above and beyond MDR, Pondurance being able to help the organization any way possible, from, like I mentioned before, the technical testing or professional services, would be great.
PAUL: Dustin Hutchison of Pondurance, thank you so much for coming in and speaking to us on the Security Ledger podcast.
DUSTIN: Thank you so much for having me.
PAUL: It’s been a pleasure.
PAUL: Dustin Hutchison is the Vice President of Services and Chief Information Security Officer at the firm Pondurance.
PAUL: You’ve been listening to a Spotlight edition of the Security Ledger podcast, sponsored by Pondurance. Pondurance delivers world class managed detection and response services to industries facing today’s most pressing and dynamic cyber security challenges, including ransomware, complex compliance requirements and digital transformation accelerated by a distributed workforce. Pondurance experts include seasoned security operations analysts, digital forensics, and incident response professionals and compliance and security strategists who provide always on services to customers seeking broader visibility, faster response and containment, and more unified risk management for their organizations. To learn more, visit them at pondurance.com, that’s P-O-N-D-U-R-A-N-C-E dot com.
[END OF RECORDING]