CarahCast: Podcasts on Technology in the Public Sector

Fight Cybercrime with X-Ray Vision with Trustwave

Episode Summary

Trustwave Government Solutions Managed Security Services (MSS) is the combination of the industry’s best preventive and detective tools under a world-class managed services umbrella with unrivaled global threat intelligence.

Episode Transcription

Corey Baumgartner 

On behalf of Trustwave Government Solutions and Carahsoft, we would like to welcome you to today's podcast, Fight Cybercrime with X-Ray Vision, where Steve Baer, Americas CTO at Trustwave Government Solutions, will discuss the industry's best preventative and detective tools under a world-class managed services umbrella with unrivaled global threat intelligence.

Steven Baer 

Thanks very much. All right, it's a pleasure to be with you guys. Today we're going to spend some time, hopefully having an engaging dialogue, around visibility into cybercrime. X-ray vision really comes down to that fundamental notion that you've got to be able to see what's going on, right? See through walls, see around corners, and have some kind of superpower to really help you fight the adversaries, or at least have enough intelligence and enough of an ace in the hole to stop the bad guys, or at least stop the preemptive attack, so you know what's going on. And that really comes down to visibility. So we'll spend a lot of time talking about that, about the services that we offer, about cybercrime in general, and what's happening out there in the world. We'll give you a Trustwave overview, and we'll talk about the threat landscape. Then we're going to spend some time talking about what you're doing about it, quite frankly, in terms of people, process, and technology, where to get your arms around it. We'll tell you about tools and technology, and then we'll talk about managed detection and response, or what we call MDR, and follow that up with two tools that will also help you get your arms back around that security, that situational awareness with cybercrime.

So let's begin with who Trustwave is. We're a globally recognized company; we've been in the business for over 25 years. We know cybercrime. We have incident responders on every continent. We have operations and security researchers around the globe that really do nothing but understand cybercrime. We probably do more digital forensics and incident response than about any other company out there. And because of that, that gives us the telemetry, that inside-baseball secret sauce, if you will: what's going on, the who and the what and the how of cybercrime activity.
And so that helps us respond when we're monitoring or managing the technology for an end client. That gives us a better ability to make sense of what those threats are and then, correspondingly, respond and kill them before they become an insult to the company. We see threats all the time, and threats change daily. The adversary changes as soon as a tactic becomes widespread: when the countermeasure starts to get built, the blocking and tackling for that given attack vector, the bad guys change their tactics. So there's just a smattering of some of the things we see out there in the wild. But the problem doesn't go away. And oftentimes the adversary begins from a country where it's technically not illegal to hit American institutions; it's probably encouraged. It's probably somebody's side hustle, quite frankly: you do this by day, and by night you do whatever else you want and make a little money for yourself. The tactics have been around for a long time, the tactics always get updated, and you see new, interesting ways to do bad things. But the problem is pervasive, and so on the defensive side, most organizations, and CISOs, InfoSec, IT risk, whatever we call ourselves these days, you've got to be right all the time to stop this stuff. And you've got to know where these threats are coming from and what to do about them. So we're going to take you through a little bit of that, and talk in detail about some of the problems that organizations have and, conversely, some of the things you can do about them.

Then we deal with what I simply call the Jimmy principle. And the Jimmy principle sort of works like this. Jimmy can be one guy, or Jimmy can be a team of people.
But when you think about the mature tasks that an organization needs to fulfill in order to have a good defense-in-depth strategy, you're dealing with a lot of things. There's a lot of things that need to happen. There's a lot of chores, and quite frankly, when you map out what those things are, whether it's antivirus updates, or who does all your administration, who does all your support, who does your incident response, these things are mission critical to every organization. And oftentimes what we find in organizations is that it's usually one guy, or one group of individuals, a small group of individuals. And so we start to think more about how focused our security teams are. And in the grand scheme of things, this becomes even more interesting. So if it's that one-guy scenario, in my example here, Jimmy is only going to work an eight-hour day. And quite frankly, he doesn't have the time to be an expert; he's a jack of all trades, probably master of none, probably spends a lot of time in the KB articles, or knowledge base articles, trying to figure stuff out, calling different support numbers, trying to get his arms around the problem. And it's just a lot of noise, quite frankly, an "I'll get to it when I get to it" kind of scenario, which is definitely not the way you want to live in the IT security world. And then, jokingly, Jimmy plays the lottery, or, we don't want to wish Jimmy bad by saying Jimmy gets hit by a bus, but Jimmy gets lured away really easily. In the vast majority of positions, as soon as your individual team members get certified in a technology, they get their credentials, either CISA, CISM, CISSP, it's really hard to keep them; they're often gone in the wind.
Now add to that that you still have a lot of increasing regulations; you have a lot of conditions that you need to meet and match. So the roll-up-your-sleeves, get-it-done world continues to grow exponentially. And then, conversely, you still have that skill shortage; there's almost negative unemployment in cybersecurity. I joke a lot of times that in a lot of institutions, if you work in cybersecurity, if you've got cybersecurity as part of your title, you could probably burn the building down and still not get fired. Sometime, for laughs, go out and look at cyberseek.org. It's a heat map of all of the cybersecurity jobs that are available across the United States. When you're hiring people in a given state, or municipality, or a large city, think about the competition for that as well. You're trying to get the best applicant you can for the package that you have, wages and benefits and so forth. How are you competing? How do you stack up in the marketplace to get the best talent that you can? Cyberseek.org is a free service, so it's worthwhile to spend a few minutes on it.

So what companies really do when they're going uphill in these battles is they buy a tool. I like to call this the IT security clown car: there are tools and tools and tools and tools. Tools will come and go, and you use the right tool for the job. But just because you bought a tool doesn't mean it's working. I like to say just because you bought a car doesn't mean you know how to drive, which is words to live by; just because you can doesn't mean you should. And so what we find organizations oftentimes doing is trying to solve a problem with a piece of technology. They're making a capital investment, and capital investments are great, don't get me wrong. But at the end of the day, it's an investment.
And not only that tool and technology: you put your people and your process around it. And that's where things start to go a little funky. So how do you make sure that you're spending money effectively and that you're doing the things that you should? You've got to spend that money effectively; you buy the right tool. And so I always come back to: is it a Swiss Army knife or multi-tool, or is it a purpose-built tool? We're going to spend some time talking about managed detection and response in a moment, which I think is a really worthwhile tool that combines things like that EDR tool. Usually the better ones have built-in antivirus, for you to get more return on investment, and give you the ability to do things creatively, like kill processes and quarantine hosts, honing in on that network firewall aspect as well. There are smart spends in there. But again, it's tooling and technology at the end of the day. And so the only way you really know that the technology and tools are working effectively is if you spend the time to test them effectively. So I always advocate, no matter what tooling, what technology you're putting in place, and you're adding the people and the process around it: how do you look for cracks in the armor? We see people all the time that were running a good solution, but didn't have it quite implemented correctly, or they were missing features and functionality that they should have had turned on, or that should have been protecting the rest of the organization. And so part of the security resiliency, and part of security maturity, is really getting back to the basics on making sure the organization, the infrastructure, is covered appropriately.
And that can start with a good vulnerability management program to make sure that we are up to date, following that up with the right security testing. Now, me personally, I think that pentesting, penetration testing, is an overused term in our space. I am more of a believer in assumed breach. When we start to talk about things like Zero Trust and Zero Trust initiatives, how do we get better about protecting our assets? The way we do that is through the right security testing, and then practicing those simulations, like opposing force. Run those simulations, red teaming, purple teaming; you don't know until you live through those exercises how you're going to respond. And it's always got to be a timely response as well. So most organizations are practicing that incident response, that full dress rehearsal, red teaming kind of exercise, once a year. But the reality is they should be doing it probably more like four to six times a year. People move; there's the Great Resignation movement going on. Who's responsible for the moving pieces and parts? Technology changes. Security testing, those types of things that are happening: if you're doing all your testing in January, probably by July, if you've changed your environment, you've added updates and fixes at least 12 times. So how do you know? You've got to keep up on these types of testing. We try to make it as easy as possible; we created some diagnostic programs that really help you get your arms around where those threats are, where those risks are. If you just don't know where you want to get started, there's a maturity diagnostic. You want to do more of the EDR type stuff, we do threat detection and response. How prepared are you for that ransomware type of supply chain risk?
What are your business partners doing? How much of a risk am I inviting by doing business with certain business partners? And then, of course, the offload to the cloud: just because you went into a cloud environment does not mean that you are secure. You are still responsible for your data and your assets, whether they're in the cloud or not. And so our idea was to make it easy for an organization to say, I need help. And these are the avenues that they oftentimes need help with.

So let's spend a little bit of time talking about managed detection and response; we call it Project Tarantula here. We'll dive right in. The idea here for all of us is that we get our arms around incident response as quickly as possible; you want to be able to kill those threats quickly. Expand your team's capability. Jimmy is great at doing some of the things that he can put his hands on, but he is no expert when it comes to full-on digital forensics, or perhaps incident response. So use services like ours to augment those team members. And then you can move slowly from monitored to managed, from a managed services perspective, and strengthening that position allows us to become that extension of your team. We have 250 people that do it 24/7, 365, around the globe, versus the three, four, or five people that you might have. And we do that with our Fusion platform, and that allows us to detect faster than everybody else, and then be able to respond and remediate. And that's across all of those interesting facets of your business, from endpoint to cloud and network, whether or not you have some. So we want to move quickly, we want to add as much value as we can, and we want to add all that threat intelligence and that telemetry.
So that we make sure that we're diagnosing that security event as quickly as possible, and then turning on or enabling the right countermeasures, or killing that threat outright. And we're able to do that because that Fusion platform of ours ingests trillions of events; we probably see more than anybody else out there. And we're also able to turn those into findings, and our global threat operations teams really hone in on those findings, really hone in on the adversarial activity, again the who and the what and the how. We've done some fantastic work; you guys can Google Trustwave and GoldenSpy as some of our previous work that we can talk about, but it really translates into finding those right security incidents and being able to put them in the corners where they belong, and dump them so they're not harming your infrastructure. We do it in a couple of different flavors for organizations: we have MDR and MDR Plus. For organizations that are technically new to EDR and to managed services, MDR is the way to go. Organizations that require a little bit more touch can utilize our Plus scenario, and I'll take you through both of them. But in a nutshell, what you get is 7 by 24 threat detection, investigation, and response. And what we will be advocating is a traffic light protocol, which gives us the ability to contain a threat, like I said earlier, quarantine a host, kill a process, do those things that will really be a big impact to your organization. That's the difference between spreading, going native and really destroying an organization, versus building that low-and-slow, and we kill those processes right off the bat. We do malware reverse engineering. The main feature of this really is to help organizations think smartly about cybercrime. And so, is that a targeted event?
Is that actually mission-specific malware? Is that something that was designed to compromise your customer, your exact client base, or was that run down the hall and twisting doorknobs? We do data retention; most organizations don't need more than 90 days, but if you did, we can work on building that out, or we can offload that to the proper storage vehicle for an organization. We also include our Security Colony subscription, which is probably one of the best tools out there for organizations that need to get smarter about their security, about the maturity process, and growing a real security practice within their institutions. You get a client success manager, which is our guy that holds you by the arm, holds you by the hand, and makes sure you're getting everything you need. Plus, our MDR Plus package has a few other things that are really impactful to an organization. Number two, the named Trustwave SpiderLabs threat expert: you get a guy. It's great to say I've got a guy, but that person is the individual that really gives you a better handle on what's happening out there in the threat landscape and the things that are happening particularly to your institution. We talked about the incident response capability, but that mean time to detection, mean time to response, for critical alerts goes up as well. And so that helps you get smarter, faster about a mature security practice. The sweet spots are really, for Plus, when you're moving into a larger institution, or those organizations that don't have that security thought leadership, or the right boots on the ground to really respond to things. So Security Colony is a fantastic resource for both organizations to get there and get smarter about resources and educating the team and vendor risk assessments and so forth.
They're great places to start, and they're priced very effectively. What I often find is organizations might have an EDR, but more often than not, they haven't quite got there. And that's where these packages add a lot more momentum to getting an organization up and running in terms of being security resilient. But it's not just EDR and MDR at the end of the day. That Fusion platform allows us to ingest a lot of different security telemetry from a lot of different technologies and infrastructure inside an organization. But then we need to add the right corresponding services, because, as I said earlier, there are no silver bullets; there are no one-size-fits-all scenarios that really are going to save you all the time. We need to get smarter about dealing with adversarial activity, or when an adversary is inside that environment and doing things like going native or living off the land. How do you know that you're stopping them at every turn of the game? How do you know that you're evicting them when they are doing bad things, and when they're changing their tactics and doing things to avoid detection? We also look at the crown jewels, things like your database and your underlying data: where is it, where is it housed, and how do we keep good threat intelligence around it? We look at things like your mail system. That inbound mail still represents 90% of the risk scenario to organizations for things like spear phishing, whaling, you name it, and so people still click on things. The technology isn't as bulletproof as we would like to make it. So we find things where adversaries get in, because sometimes that safety net is not covering that technology as appropriately as it should.
And so we always talk about: tools are one thing, but adding people and adding process could be the differentiator for a lot of the tooling that you already have. And so we talk about doing things like threat hunting, continuously. If we're waiting for a signature update, or waiting for a security patch, or whatever, that's risk. So why do that when we're going to have people actively go and look for an exploit? We're going to take the threat intelligence from the field and go hone in on whether or not it's a problem for an organization before it explodes. And then digital forensics and incident response: customers come to us and say, I just don't know where to start. At least get someone in your back pocket. We see organizations all the time do digital forensics and incident response retainers, and I always advocate getting multiples. So operate on the theory that one is none, two is really one, but three is ideal. Not every institution can afford to have three incident response retainers. But the scenario that we see more often than not is when the next big thing comes, and all of us are heads down working with our biggest clients on an incident response for whatever that major outbreak is: how do you know you're going to get service? Have a backup. It makes good sense; it's common sense to have backups of things, and the same goes for services. Maybe you have one guy do the incident response service, and you have another one check their work. Security advisory services: I need help, I need people that are experts, I need people that know what to do and how to do it, I need someone to augment my team and give them the right guidance and push them in the right directions to make sure that our bases are covered. We talked about security testing there in the middle.
But consulting and professional services are sort of the backbone of the security industry. Like I said, tools and technologies are fine, but having the right people, having the right expertise around: are they implemented correctly? Should I be making that investment into a tool and technology? Is that really the best use of my time? Is that really going to defend my infrastructure, my organization? Incident response: I can't talk about this enough. We probably do about 1,900 breach investigations. We teach digital forensics and incident response to a number of law enforcement agencies. So we see it all, whether it's that rogue insider, or that insider that's being propositioned by an outside firm to sell out for a number of Bitcoins. We always have a really good sense of the who and the what and the how, so you don't have to go at it alone in figuring out how an organization is getting compromised. But being able to do that quickly, being able to do that remotely to save an organization money, is key. Being able to kill that threat, and then have that wherewithal to move past it, is important. And, knock on wood, if you get through 12 months and you're not having an issue, let's use that money more proactively. So the retainer doesn't just go away; you're able to do some really interesting activities around your security infrastructure, around your tabletop exercises, around your executive team, so they're getting smarter about a security maturity program.

All right, let's take a few minutes and we'll talk about database security. Oftentimes, we see organizations try to do more with a tool, or do more with what you have, which is normally fine. However, you've got to use the right tool for the job.
And I'll pick on vulnerability management for just one second. There are some great tools out there, absolutely fantastic tools, at identifying vulnerabilities for the operating system, for your desktops and workstations. But when you put all that data into a database, how do you really get smarter around it? How do you look at other things, like what's happening with my user population, with my administrative controls? How do I know that someone's not selecting a table and then dumping that into a box under their desk and working off of it, using production-class sensitive data in a sub-dev environment just to make sure things work? So at the end of the day, most organizations really have to have a better plan for dealing with database security than just the off-the-shelf kind of vulnerability management tool, or the good-enough tool, hey, we've got some results in this environment, versus a tool that's purpose built to look for security issues within your database infrastructure. And DbProtect works on all the major flavors of database out there, works in all the different on-prem and cloud environments. So the idea there is to get smarter around protecting the crown jewels, and then move forward from there as part of that defense-in-depth strategy.

Now, we talked about mail still being an entry point. People still click on things; like 91% of cyber attacks start with a mail attack, whether that's phishing, spear phishing, whaling, you name it. And that includes things like credential compromise, business email compromise, all that stuff. I saw a statistic two weeks ago that the FBI thinks that's a $5 trillion business, hijacking mail systems and business email compromise. So financial loss is huge, and it's going to continue to grow.
So we have a product called MailMarshal that really looks at all that guts under the covers to make sure that you're making smarter, more informed decisions around mail. And even if you outsourced it, or you went with Office 365, or you're on a traditional on-prem Exchange infrastructure, the idea there is we put our arms around that infrastructure to make sure that we're dropping all that bad stuff. So it's a better inspection point, if you will, and a cheaper inspection point than some of the competition out there, but it still helps you get your arms around that entry point and kill threats as they arise. So, just a few things to think about, too, about strengthening that security posture. At the end of the day, we always want our clients to feel that they're getting quicker response time, they're killing the threats faster, they're getting better intelligence around those threats, and then our staff are augmenting your team so that you are more resilient when your people seem to leave your organization, or to weather that storm of the Great Resignation, and getting the right people at speed so your security programs and your security practices don't stop. So we like to call that future proof. Our business is to keep threats away from your business and keep your business moving. So that is the bulk of the presentation. I appreciate your time.

Corey Baumgartner 

Thanks for listening. If you'd like more information on how Carahsoft or Trustwave Government Solutions can assist your organization or agency, please visit www.carahsoft.com/trustwave or email us at Trustwave@carahsoft.com. Thanks again for listening and have a great day.