
Magic. Thanks, folks, for attending at 4pm on a conference day, which has probably been quite a lot of time on your feet. First thing I'm going to say is: if anybody's expecting us to get into deep technical detail on any of the things that are here, you are in the wrong talk. Bail for another one right now, because this isn't about the technical side pretty much at all.

So, starting with who am I. I typically have to look at the back of my hand to remember in the morning, but my background covers an absolute multitude of sins. At the moment I'm working as Director of Security Services for BSS. Originally this was going to be both myself and Major Chris Wilkinson, but unfortunately Chris, due to reserve commitments, can't be here today, so it's me doing this on my tod. This is me feeding in from a whole bunch of things that I've seen roaming around all of those industries, all kinds of really interesting and spicy environments, and typically ending up being the person that's looking around for the grown-up in the room and realizing that actually it's me. Hopefully this is quite useful. I'm really hoping to reach a bunch of people through this; if you've got questions, come up to me at the end. I'm already looking at the timer and going "oh God, that's moving quickly", so we'll move on.

So the first thing we'll start with is what's incident management versus what's incident response, because we're going to delve right down into this and get into some of why we're seeing the sort of problem that you might see if you're working for an MSSP or a SOC team when someone says "just sack the SOC". Who's heard those words? Wave. There we go. I don't think that's typically a SOC problem; I think that's something else.

What you'll typically see in all the frameworks (my personal favorite is SANS PICERL, but we're not going to look at that today) is a big set of stuff around preparation, then a set of stuff in a core response phase, then a set of stuff in close-down, with a lovely learning loop. That typically doesn't happen, or if it does, it typically happens in a very light way. But if we zoom into this a little bit, you'll see this split between incident management and incident response. So the hands-on stuff that people might have been expecting with a title like the one we've got, around MSSP, MDR and MFA, typically a lot of that is sitting in that incident response space. We've got the incident management thing happening as the management layer over the top, where you've got the people in the organization, typically on the customer side, who are largely running that. That's becoming a bit of a problem space, because when you do this bit up here, the incident management, without the connections and knowledge that need to go down into this bit where we're going around that cycle, potentially late at night, potentially under immense pressure, potentially not having met the people that we're dealing with, that's where we're seeing things going wrong.

Part of the reason for this is when people are doing business and enterprise architecture. How many architects in the room? Any architects? Yeah, a few. Brilliant. OK, so if you try to do things at a super detailed level... I've seen banks with an application landscape diagram which is 72 pages if you print out the detailed version. Even holding that in your head is pretty difficult. So what's happening a lot is the architects have to take the Duplo-brick-level abstraction of what's going on, and they're having to make trade-offs. A really good example might be someone saying: is deepfake detection a data quality control, or is it a detective control for security? Now the challenge, I guess, is that we're dealing with adversaries who don't tend to follow a nice neat model, and this gets a bit worse when you lay on some of the history and some of the organizational context that go with it.

So if you wind back probably 20 years, on how we got here, essentially what you would have had is a bunch of starter roles in the help desk and the service desk. You'd have had people that would typically gravitate into the business side: service management, business relationship management, all that good stuff. They were the people-y ones,
and then you had the technical ones that would have gone into other areas, and so you would have had a natural flow there, but it would have been all in the same organization. So typically what you would have had there would have been a bunch of people who, if push came to shove, could come together and talk, and they could glue things together if they needed to.

Now what's interesting here as well is if you look at what's coming next (we'll talk about that in a minute): when I talk to both of my daughters, who are in their late and early teens, they're not being taught anything that would lead them towards any of that, so we think this problem could actually be a longer-term one.

We've then had the situation where some organizations have tried to sustain their incident response and their IT security in-house, but if they've outsourced their IT to an outsourced service provider, the feeder streams that would have drawn people upwards and downwards towards this technical security side, which lends itself to the incident response side, there's a barrier there. It's no longer the same company; somebody has to pay typically 5 to 7% of that person's salary to transfer them, so that tends not to happen. Similarly, the people that would have had the organizational knowledge from this side, who maybe operated in this side, may have been offshored or outsourced, so you had a knowledge death there, and this gets a bit more challenging.

So the next step over that was to say, OK, if it's hard to sustain this bit, and if you're looking at that big Lego block or big Duplo block level, and you're an enterprise architect or an enterprise security architect, you will start there saying, OK, how do I solve this problem? And the natural solution to that has been to say, OK, let's move that incident response out to a managed security service provider whose day job is to provide those super-technical people and the platforms that go with it and the engineering that goes with it, and that will be great. Now, to an extent those people do have scale and depth, but what we've also just done is we've now put a commercial boundary in, which is not just between the incident management team and the incident response team, but also has this dimension where you may have to go through that to the outsourced service provider; it may not be that you're actually going through this. And this is engineering in a bunch of problems for incident response.

What do I mean by a bunch of problems? We end up with this situation where security management is having to translate to the MSSP, the MSSP is having to go back to security management, and there may be limits in understanding. Security management is also having to go back to all of these people, and we may have the situation where business architecture and enterprise security architecture sit over on the customer side, and actually anything that would lead to anything up here being integrated with is being done out here at a managed service provider, which is probably not your managed security service provider. Contracting to get those to join up together, engineering to get those to really join up together, is not easy.

And so what we end up with is this situation where somebody in the MSSP, in the middle of the night, picks up that there's a dropper or a downloader in the environment, and they would really like to nip an attack in the bud. Unfortunately, the person over this side has probably come up through the route of: great, they've done the service management stuff, they've done the business relationship management stuff, they've got into security. The way for them to access a better role and more salary is to go into management, and they will typically have done that through a GRC thing, which is essential, but which is also inherently limiting. So when this person phones up at 3:30 in the morning, when your mouth is dry and everything tastes like cotton wool, quite often the person that's receiving that on that side is just saying: I don't know, I'm not authorized to run business risk, I'm not authorized to cause disruption, I don't know what this does. This is actually the very best thing that could happen, because it's the least impactful way of achieving containment; it's leveraging that investment in the MSSP, it's leveraging the investment in the MDR. But because they don't know, quite often they'll say, right, well, I'm deferring that till the morning. So it's not that we're dealing with a dropper or a downloader by the time that it actually gets to somebody that can make
that call; that's [unclear]. Similarly, another one here, and this is a really good example: Bob in Accounts, their account's behaving strangely, can you fix it? Now, over this side we've got this problem, which is that the MSSP has not got the context here. Bob is now deputizing for the CFO. Bob is using the CFO's business SaaS credentials to do it. The business SaaS hasn't been onboarded. This is problematic, because what we end up with is a situation where the MSSP is going, well, they're not in AD as a finance admin, they're not in AD as a domain admin.

And you can also run into the scenario here, which somebody else mentioned, which is if somebody hasn't thought of this bit and said, OK, through this whole layer we can access priorities that would get us to the top end of incident response. So if that's stuck at Sev 5 for a weekend while somebody has to go through a mechanistic scoring process to get it up there, to get it escalated, it's actually going to largely sit there, and by the time that we get to here, where someone's saying, well, this business-critical SaaS service is being really weird and documents seem to be disappearing and we've got people saying what's going on, actually it's too late, and this just drives dissatisfaction on both sides.

So what you've got is a reduction in psychological safety. You've got an increased workload in terms of trying to think about things; they can't explain the decisions to their business. On the SOC side, on the MSSP side, we end up with this classic problem. So on this side we're hearing "sack the SOC", "replace the MSSP". There are bad MSSPs out there, there are bad SOCs out there; they are rare. Actually, this is typically not that problem, and these guys burn out or rust out because the stuff that they're trying to do just doesn't seem to be valued or understood.

This talk title came literally from a conversation, which I will take the swearing out of, but it was watching a CTO say to a CISO: you've spent the millions on the MDR, the MFA and the MSSP, and you still can't flipping stop this. That is not a problem with any of the technologies involved; actually, it's how you've gone out, engineered and integrated them. But at this point, it's absolutely plausible that we're on a sack-the-CISO path if, after that kind of money that we've spent from InfoSec collectively across these two areas, we haven't actually gone out and brought that together.

A few ways that we can see to potentially address this. First one: great, let's insource it. I'd highlight that if you're in this problem space, you probably don't have (a) the money, (b) the technical skills or (c) the organizational skills to do it. Where we've seen "great, we're insourcing it", it's typically been a two-year journey towards partial capability, and so that's not ideal.

One option that we've seen that works (and again, none of these are a magic bullet, but this one's really interesting; and when I'm saying MSSP, by the way, this applies equally to group SOCs, so if you've got a group SOC and you've got operating companies or franchises, you will end up with similar problems) is actually embedding people from the two organizations. That works; it's a bit more expensive.

Another one that's great: it's much, much better to die collectively round a table, have a laugh and go out for a beer afterwards on a tabletop exercise which is joint between the business side that's doing the incident management and the technical side that's doing the incident response. That is far, far better, although again we do get issues where people say, actually, we can't afford to do that. I always find it really interesting when people say "I can't afford to do a tabletop exercise", because that's really telling me that they really, really can't afford to have an incident, which is, I guess, a bit of a challenge.

And the other thing which we have seen, and is interesting, is that some organizations will augment. They will bring in a group of people, they'll bring in a degree of expertise, and they'll go out and do that, and that will try to bridge gaps. But that requires a lot of skills on both sides to go over and do it, so you end up talking about a rare resource pool of people. It requires commercial buy-in from both sides, and it can also end up with both sides effectively saying, look, because we haven't got psychological safety, because we haven't got the buy-in, we instead will blame the organization.

So none of these are a magic bullet, but any of them is much, much better than the situation where we're leaving it by saying we are purely looking at swapping an MSSP, swapping the SIEM and so on, swapping out whichever technical measures we've got, without actually addressing the organizational root cause. And similarly on this, as well as mentioning the stuff around group SOCs and mentioning it around MSSPs, other classic scenarios where you're seeing this problem emerging would be things like digital transformations. So, great, someone is adopting a SaaS for CRM and a DevSecOps model in another SaaS which is providing the pipeline; none of it's crossing the MSSP. Similarly, business adoption of AI/ML; again, quite often none of that is passing through.

So that was a canter through why is that not fixed, and, as I say, because that's leading towards the sack-the-CISO situation, it really is one that we wanted to share the awareness of. I don't have a magic bullet. Feel free to find me on LinkedIn, and that's it from me, other than
questions. Questions? Yes, over there.

So, just where you augment the MSSP and the internal team, I was just wondering what sort of tools you've seen to do that augmentation?

Yeah, so typically that's the case that you would need access to the MSSP's portal for their MDR, their SIEM, their SOC ticketing tools, and access into the client side. But you will typically need to also augment that with stuff which does open source intelligence or which has got threat intelligence feeds, because you end up with incidents which are outside that nice little MSSP bubble, and if you can't help solve some of those, again it doesn't really solve that full problem. Cool. Any other questions? I think we've probably got time for a couple more. We've got one back there from Liam.

Excellent talk, thank you very much. Doesn't digital forensics and incident response solve a lot of these problems?

OK, great question, absolutely great question. The challenge with digital forensics and incident response is, if you have not got this right, one of the things that you would see that would be a symptom of this would be people talking about "we have an MSSP project" or "we have an MFA project" or "an EDR project". Great, so we've thrown resources at it and declared it as done. Now the problem is, if you've done that and you call in DFIR, which is quite often through the top end of this (great, so we've escalated a thing), if you haven't put the foundations in place to do things like actually acquire the business thing that's sat outside, DFIR will rock up, they will look at the incident response process, they'll try to gather what evidence they can, but if the threat actor has slashed and burned to cover their tracks on the way out and there are no logs, there's not a lot they can do. OK, time for one more question.

It seems from what you're saying that the best answer is to have lots of incidents, in practice?

Well, I'd say the best answer is probably to have lots of practice, but yeah. Someone suggested earlier on in one of the other talks, well, great, let's train on a Sev 3, which is wonderful if it was a Sev 3, but if it's a Sev 0 and your business is stuffed, maybe not. But yeah, there does need to be that bit about spending the time to actually say, OK, we'll work at a lower level, we'll train a bit more, we'll practice things, but also making the people that are holding the pen on design aware that this is a problem, so that they account for it and they prove that the requirement's been met on the drawing board, not actually in practice.

Cool. Thanks again, Tim. Yeah, let's give him another big round of applause.