Krome Cast: Tech-IT-Out

Managed SOC Service: Augmenting Technology with a Human Cyber Response

July 05, 2022 Krome Technologies Season 2

In this episode of Krome Cast: Tech-IT-Out, we discuss the importance of having a human cyber response team as part of your security operations centre (SOC) to provide a proactive, real-time threat response to cyber breaches. We also review the key differences between a managed SOC vs an MDR service.

This tech panel podcast features Krome's Commercial Director, Sam Mager, Krome's MD, Rupert Mills, our Security Specialist, Paul Edwards, and Technical Director, Ben Randall, discussing the fundamentals of a SOC (Security Operations Centre), along with their insights into the human factors in cybersecurity.

ABOUT KROME: Krome Technologies is a technically strong, people-centric technology consultancy, focused on delivering end-to-end infrastructure and security solutions that solve business challenges and protect critical data. We work collaboratively with clients, forming long-term business partnerships, applying knowledge, experience and the resources our clients need to solve problems, design solutions and co-create agile, efficient and scalable IT services.

► KROME WEBSITE: https://www.krome.co.uk/

► SOCIAL MEDIA
• YouTube: https://www.youtube.com/@krometechnologies
• Linkedin: https://www.linkedin.com/company/krome-technologies-ltd
• Instagram: https://www.instagram.com/krometechnologies/
• Twitter: https://twitter.com/KromeTech
• Facebook: https://www.facebook.com/KromeTechnologies/

► CONTACT
• Telephone: 01932 232345
• Email: info@krome.co.uk

Welcome to Krome Cast, Tech-it-Out. I'm Sam Mager, Commercial Director for Krome Technologies. On this episode, we talk about managed SOC services, advancements in cyber threats and how to mitigate those threats and protect your organisation. I'm fortunate enough to be joined by my business partner, Rupert Mills. Hi Sam. Our Technical Director, the one and only Ben Randall. Hi Sam. And Security Expert, Paul Edwards. Hi, Sam. So, I'll start with you Rupert, I'll direct this to you. We've obviously been offering managed services to our clients since, 2017? Yep. So I believe that makes 5 years. 5 years now, yep. Offering a range of, you know, patching, security updates, etc, etc, etc. But in the face of this increase that we've seen in cyber threat, and people's threat landscapes expanding as we move to more remote working, etc, etc, you know, we've kind of galvanised our offering, with Paul's help in developing it, and brought to the fore a more mature SOC offering. Yeah. So before we dive into, I guess, the products we're working with and how we're doing that, just for our audience it'd be great to kind of cover off first, I guess, one of the buzzwords we're hearing: what's the difference between a managed SOC, and then the buzzword piece, MDR? Okay. So a managed SOC, security operations centre, and MDR, managed detection and response, they're very, very similar in terms of what they do. A managed SOC will tend to monitor, alert on, check performance of your environment, and then the security of your environment. MDR is then adding a response layer to that; often you find that's included in a SOC. So the line between the two is very, very blurred. But the managed detection and response piece is basically that whole detection piece that you do in a SOC, and then providing a response. The challenge with that, really, is the response, and what that response is.
Some products will provide an AI-based automated response; some vendors will notify your IT team that there is a threat taking place or something has happened. And it's a question of timelines for those to happen, what's the best way to react to a threat? And actually, are those people going to be able to do anything within your environment in the event of a threat taking place? That's a pretty interesting point, because we've talked, and we've talked off camera about this many times, about constructing a SOC and having that human involvement in the cyber threat and cyber threat response. And we know that, we won't name names, there are offerings out there that are MDR, which you've just alluded to, that if they find anomalous behaviours going on in your environment, you might get an email at 3 in the morning or a phone call to say there's a problem, which is better than not knowing, but doesn't necessarily give you everything you'd expect at a point in time if something bad is happening. Yeah, absolutely. I mean, Ben and I had one with a particular vendor, which one of our clients worked with, I won't mention the client or the vendor, but they were genius, because they'd phone up and say, yeah, we've seen some behaviour in your environment, this is happening, this is happening, and they'd send through the logs. That was three weeks ago. Okay, marvellous, what are we going to do with that now? Because it's a bit late. But yeah, there's all sorts of things like that happening. Yeah, the timing of the response has to, it has to be a timely response, if you're trying to stay there. And also, it needs to depend on what you've, you know, as you say, there's a whole range of, what are you buying, and obviously, what you need to pay for. Yeah. Whether, you know, the extent of that human involvement.
Because I think we're all looking now at kind of Cloud-based Software-as-a-Service platforms for this type of work, so that you can put the computing to work breaking down those millions of logs that you receive every day. There's no way a human is going to do that part. They'll just get overloaded completely. Yeah, and then it's filtering that down using other technologies, which we'll go into, and then providing that human response to it, and then at the final stage, you know, to what extent, what is the response to the client? You know, is it going to be a phone call? Is it going to be an email? Or is it going to be actually stepping in and working on the system to try and resolve the issue? Yeah, and I think the important thing is actually, it can be a blend of all of those. It can be threshold based, so say okay, if it's something like this, then no one wants to be woken up at 2 o'clock in the morning; if it's hitting this level, then you can let the AI deal with it. If it's hitting this level, then you need to be waking yourself up and dealing with it, or waking the client up or whatever it might be, and those sorts of things need to be dealt with immediately. And so you've got differing levels of threat and different levels of protection there. The tooling is one thing, but actually having the business process in place to deal with it is just as important. Okay. Just kind of, I guess, going back to your point there, and we can get into some of the deeper level, but what I hear from this is the level of alerting that some of these tools kick out, and the fact that some people, very successfully, have built their own SOC, some people have invested in tools, kind of partly taken that step, and then get a barrage of alerts. And you get that, we've talked about monitoring tools, warning, that red light fatigue; it was almost too much to deal with.
So it just doesn't get dealt with. There's obviously an obvious danger there, and clearly as an MSSP, we're talking about outsourcing that and leaning on someone like us to take that pressure off. But it's a real pressure, right? These tools can kick out a hell of a lot of noise. Yeah. Yeah, that thresholding point that we were talking about just a minute ago is, okay, if you get 100,000 alerts in a day, how are you going to deal with that? If actually, of those 100,000 alerts, most have got a severity of, let's say, 2 out of 100, and 2 of them are 98 out of 100, you need to be able to pick those out of the noise and say, those are the two I need to respond to. So the tooling and the correct automation within the tooling is vitally important to deal with that. But then having the people dealing with that bit at the very top, because often the tooling will point something out, but you need to be able to say, now someone needs to deal with that. And quite often looking at the threats and saying that one ties to this one over here. So we're seeing the same activity in two locations, or we're seeing two pieces of activity in two different areas of our environment that tie together, and that's where the AI helps, but the human interaction with that, and then the decision-making ability of a human to work out what to do about it, is where it comes in, and that's the difference. And this is kind of the threshold-limited piece. We've obviously looked at a few different tools, we can go into what we've settled on in a moment, but it's the intelligence, and let's not call it AI, it's more Machine Learning, to actually help you filter that out. There's obviously differences in the abilities of certain tools compared to others. But then we have to step in as the owner of the tool and actually, let's say, put two and two together, because otherwise we'll get anomalous results a fair amount of the time, right? Yep.
And that's the MDR piece, back to what you were saying earlier. The R in MDR, managed detection and response, is: what actually is that response? Because if your response is to tell the customer they need to look at something, then actually you can be far less selective about that, and you say to them, okay, there's five things you need to look at today. Whereas if your response is, let's go and deal with the cyber threats properly, you need to work out, is it a real cyber threat, what's happening here? And be very, very precise about how you deal with that action, because you're taking responsibility for the security of someone's environment. Yeah, it's important. Okay, so I'm going to drag you into this now, Paul. It's probably worth us talking a little bit about some of the work we went through in building out our own SOC, some of the thought process that we've had, and the tools that we're working with, touching on, obviously, some of the red light fatigue and the capability of some of the tools, and I guess why we settled on the tooling we've settled on, why we're willing to put our flag in the sand and stand by that? Yes, so you want to make sure you're focusing the human element in the response in the right places. If you're getting hundreds of thousands of logs a day, a week, whatever it may be, there's no way you're going to be able to deal with that. So using Machine Learning tools, Azure Sentinel, Darktrace, allows you to filter out some of those alerts that can be dealt with automatically, or alerts that are just part of normal day-to-day business activity, false positives. So if you can use tools like that to take some of that workload off the SOC team, they can focus their resource in the right place and deal with the alerts that genuinely do need a human response to investigate. Okay.
You know, it's very important, as you're saying, with that Machine Learning, it's not just a generic, one-size-fits-all for all companies on detecting those kinds of threats, because every company is different. You find that some companies might visit some really unusual websites for, you know, design-type stuff, with real minority sites, which other companies would never touch. So when that comes along, there's a certain time you need to let those systems run and learn what's normal for that company, and then what we want to know is when that changes, when something else happens that just doesn't fit in with that. You know, every company has their own ways, and every industry has their own different patterns, and so that is absolutely essential. You can't really just make a cookie cutter which will work for that out of the box; it relies on that AI or Machine Learning technology that we're seeing now. Yeah, the user behaviour and analytics piece in there, that's vitally important: actually, this person normally logs on from here, and normally logs on at this time of day, and now they're logging in from a completely different continent, at a time that's impossible for them to have travelled from here to there, downloading lots of data, all those sorts of things. Those are, as you say, the Machine Learning stroke AI that - Equally, that kind of behaviour, the user appearing somewhere else rapidly, can actually be benign, because they've logged on via VPN or something like that, and they've appeared somewhere else, and that's where a little bit of the human element comes in, because we get that alert, say, well, that's unusual, and they look at it. Oh, yeah, but they're on holiday in the Maldives, and they'd VPN'd in earlier. So they travelled across the globe - Yeah. in a moment, but that's okay.
Or actually, as we saw in testing and building the SOC, we saw some alerting from people using, and again, bad security practice, but it's good to observe these things, someone using their security credentials in some Azure services which were located in the US, so they're showing up as logging on in the UK and in the US at the same time, and you think, okay, that's a valid alert, and then you look at what's going on, and actually, you know, don't shut the entire company down, because what they've done is put their credentials into Power BI in the States somewhere, and we need to fix that and say, no, let's use a service account. But, those sorts of things. And that's where the human element of it can come in. I mean, we had one a little while ago, where we had a client with a particular one of their users, and all of a sudden there was a lot of noise from various different security services within different parts of their organisation saying, you need to deal with this, you're under attack from Switzerland. And going through the details of those logs, it transpired that basically what they seemed to have all picked up was that some malicious IPs were being used, coming into their network. When we went and looked at the detail of that, it was actually one malicious IP, theoretically, from Swisscom, who's the home ISP in Switzerland, the equivalent of BT Internet or whatever.
And that was one user who had logged in once successfully via VPN through the firewall, using multi-factor authentication, etc. Then we checked, and that user was in Switzerland at the time, and what had happened is that IP had appeared on a blacklist from a few weeks previous, where someone else in Switzerland who'd got it as their home internet IP address had been using that IP maliciously, but the blacklist was old and stale, and there were a lot of red flags raised all of a sudden. But actually, when you dig into the behaviour, you find it's not multiple attacks or multiple attempts to authenticate, it's one successful authentication, using multi-factor authentication as well, and then going back and finding out that that user is in Switzerland, in that location, at the moment. Right, let's not shut down the global network, let's do that. It's interesting, the level of information that we can now get out of this, and obviously you can quickly pinpoint that, essentially, it's a non-event. It's good to know, because it could have been something. Yeah. It'd be good if we could peel the onion slightly, and you'll find this very difficult, but talk to me as if I'm an idiot. (Laughter) Looking at the technologies we use, what does what in the stack that we've put together? So we're talking about being able to spot different things, where, you've mentioned, you know, we use Darktrace as the Machine Learning element of our solution, and Sentinel, etc, etc. It'd be good just to talk about how we use that, what each part is doing, and then how do we take feeds from our clients and make sense of that for them? Sure.
I think, before we dive into that, it's important to say, so the SOC service is going to use Darktrace as an investigatory tool or an analysis tool, and as a protection tool as well, then with Azure Sentinel sat on top of that, but we're also taking feeds from all of the other managed security services we provide for a client, or services they have if we're not providing those. So, for example, we provide most of our clients with Palo Alto firewalls, and we will take feeds from those firewalls. So you're looking at the various different threat vectors: what's the endpoint protection on the workstations, take a feed from that. So the Sentinel piece that Paul's been working on takes feeds from all of those different sources, but actually, the applications specific to the SOC service are Darktrace and Sentinel. Yeah. So, but we can, yeah. Yeah, and that's kind of what I'm talking about. As we know, there's almost a core element that we have to have. Obviously, we can take feeds from, let's say, our preferred vendors, the likes of Palo and whatnot, but for Check Point, Fortinet, whatever it might be, we can obviously take data and information and logs from all of those, but it'd just be good to understand, from the tools that we've selected, I guess, what is each one bringing to the table? So Darktrace is sitting on the network looking at the network traffic, so unusual patterns of behaviour. It might also spot things like a file called passwords.xls sitting on the network, Never! that's being used. This may have happened. (Laughter) Yeah, we've seen that in quite a few places, people bypassing company process and storing their own passwords where they shouldn't be. But yeah, unusual patterns of behaviour. So for example, if a user typically doesn't have much internet traffic, and then suddenly there's a lot of internet traffic emerging from their machine, it'll flag that as unusual behaviour, and you can investigate it.
It might turn out to be completely benign. OneDrive, for example: new laptop, setting up OneDrive, it's syncing files. Or it might turn out to be something else that actually does need a response, that they're uploading to their personal Dropbox or something like that. So that will be looking at network-level traffic, but as Rupert said, we're also taking logs into Sentinel from Palo, from other platforms, antivirus software, other firewalls, and we're able to run some logic and correlation on those. So in the example that Rupert gave, we can see that the user has logged in to the VPN on the Palo, but they also used MFA through Azure, so we can provide some context around, not just receiving the alert that they've logged in from a malicious IP, or an IP that has been associated with malicious activity in the past; we can actually get some more information around that alert, and based on that, we can then say, actually, no, this is genuine, or this is malicious. It's interesting, obviously it helps give context to the decisions that we're making there. For the benefit of the audience, can you talk more about, I guess, our deployments, so how we have to deploy this out to a client's network to give us some of the benefits that we're talking about? Yep, so it's a physical appliance that will be deployed within a customer's office or data centre. There'll be a port configured on the switch to essentially mirror all the traffic that goes through it. And from that, it gets visibility into the entire network. So we're not just talking, you know, corporate devices that have an agent installed on them; it's any traffic, any device. So, you know, someone external comes in, finds a free network port that they can patch into, it will see that. It's not dependent on you having to install anything.
So it will find anything that gets plugged in. Anything with an IP address, it will find it and report back, essentially. Yeah, it will see that traffic; whether it reports back will depend on what that device is doing. If it's malicious, yeah, it will spot it and it will alert you, depending on what thresholds you set. So with Darktrace, each threat or event is scored, each model breach is scored between zero and one hundred, one hundred being the most severe. And you can choose when you want to be notified, or when you want Darktrace to actually automate a response. So it can send TCP reset packets, it can stop, or certainly block that temporarily, until you have a chance to investigate and actually make a decision on what you want to do with it. But yeah, it can take that first step at 3am in the morning and actually just stop that traffic dead. Okay, so when you couple that with, I guess, what we do with that tool. So something like that, it will see an anomalous behaviour, it can eclipse a threshold, it will then stop it, and then our guys will be looking at it going, okay, threat or no threat type decision, and then we can manage that, and then there'll be the reporting we provide to our customers, I guess, the incident report, or all the stuff we can publish in Power BI so they can see what's happened whilst they've been calmly tucked up in their beds overnight. Absolutely, I mean, Darktrace will feed into Sentinel, and via that we can produce Power BI reports, so you can get the numbers. It's not just like, oh, everything's okay, don't worry about it. Yeah. It'll actually say, it stopped this many things automatically, we did this many things manually, you know, that got escalated, and we had this many P1 issues or potential P1 issues. So yeah, we can pull that whole business intelligence into part of the service.
Pulling the reporting at a Sentinel level gives you the reporting from all the products you're feeding into it as well, not just the Darktrace piece. So you get the full reporting across your entire estate of, this is what we're seeing from a security threat landscape. Yeah, so essentially, with Sentinel, it's basically a slightly more clever version of a SIEM, so we can actually feed data from the switches, from the firewalls, from Darktrace, from other security - Active Directory, Azure AD. Exactly. All those sorts of things, so you can correlate, as Paul said, the events earlier. Yeah, pretty much anything you can export logs from, commonly Syslog. But anything you can integrate with, or get logs from, you can feed into the SIEM product. It's the work that they've done at the backend that then tells you whether or not you need to pay attention to those logs. Indeed, indeed. So briefly I want to cover, and I know we're getting on for time on this one, actually how we're structuring our team. Clearly this is a 24-by-7 operation, as it has to be. Yeah, so there is a 24/7 aspect to this. Obviously, we would work on an automated response in the middle of the night, an automated response for really serious items, but also that would be escalated to a person who would then respond and, if deemed necessary, now, obviously on the terms of the rules of engagement with the client, they may be waking someone up, but it depends how much autonomy will be given to that, depending on the scale of the client and - What level of threat. Yeah exactly, how serious it is, and what technical level your contact actually is. You know, with some smaller clients, they may not be very technical, so, yeah, they might want to know, but it's probably not going to influence many decisions. But, you know, on the more technically able ones, they may want to be involved. So this depends on the agreement with the client.
It's an onboarding process with each client. Okay, what are the thresholds? Where do you want to be involved? Where do you want us to deal with it? And part of the security services that we provide at the moment, if we're already managing that asset, say the firewalls for example, and there's a response needed in the firewalls, we'll deal with it and then report to the client later, later being, do you want to be woken up at two in the morning, Exactly, yeah. Or do you want to be told at nine? And that's generally, when we've been talking to clients, generally threshold based: if the entirety of my network's being attacked and I need to do something about it, please let me know, please let me know now; if there's something you've dealt with, and it was a relatively low issue, then tell me at nine o'clock when I'm in the office. Absolutely, okay. So I guess, not in summary, but at least one last interesting one to hit you all with. We spent an awful lot of time, and people can't see, but there's a large whiteboard over there, we spent a lot of time writing a lot of stuff down about how we're going to do this, and how we make it different, etc. I personally think we've got a service which goes over and above what's available from other vendors, other resellers out there, etc. It would be good, rather than the salesperson in the room telling everyone that, to get from your positions, your opinions, what are we doing that is that bit extra? So we can respond, essentially. If we manage the firewalls, we can log on to them, we can interpret the logs, we can change the policies if the client allows us to, to remediate whatever the threat is. It's not just a call, it's not just an email at 3am in the morning saying you've got a problem. It might be, if they want that, but it might also be a call at 9am saying, hey, this happened, and in the night we dealt with it, it's resolved.
It's that human response beyond just an automated machine learning system responding to something, stopping something; it's the escalation to an actual qualified senior tech who understands what that means, and is able to filter that, just that final human element, and then to actually remediate rather than just respond in terms of notification. Yeah, the remediation piece is the key differentiator for us. There are a bunch of people out there who will do the manual response as well; they'll go and triage it and look at it and come back to the customer and say, you have something to deal with here. We have a number of customers who have that sort of service who are getting fatigued with it and saying, actually, I get this, and there's one of me and I had to deal with it, whatever hour of the night it is, or there's three people in my team, and we don't have the capacity to deal with this. And the remediation piece is being able to say something happened, and either by AI we remediated it or dealt with it and shut it down immediately, so your people coming in to attack you with some sort of ransomware attack, it was shut down straight away, or alternatively, yeah, actually, this was something that needed a bit more analysis, such as the people in Switzerland, but we did that analysis for you, and we were able to make an educated decision based on the agreed thresholds of response with you guys. And, as you said, by someone qualified and experienced enough to make these decisions. The idea being, really, I think, that an IT Manager who's buying this service will be able to actually sleep at night. Yeah. That's the end game, really. Yeah, absolutely. There we go. And the bit we touch on now, I think, is the most important piece, as all the cyber threats get more sophisticated, intelligent, etc. It's that time piece.
It's how quickly, if something happens, we respond to that and actually deal with it, right then, not a few hours later, because an awful lot of damage can happen. Not on Monday after it's been attacking you all weekend. Yeah, or three weeks. Yeah. Yeah, absolutely. Perfect. Well, thank you guys, really appreciate it, it's very interesting. You're welcome. Thank you for having me. And thank you for joining us on this episode of Krome Cast, Tech-it-Out. If there's anything you'd like us to cover in future episodes, please do leave that in the comment section below, and like, subscribe and share, and join us again on Krome Cast, Tech-it-Out.
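The panel describes two things a SIEM layer has to do before a human is paged: correlate a "malicious IP" VPN alert with MFA and user-location context (the Switzerland case), and route the result by severity threshold (let the automation act, wake an analyst, or report at nine). The following is an added example written for this page, not Krome's, Darktrace's or Sentinel's code, and not a real Sentinel analytics rule. Every log line, IP address (RFC 5737 documentation space), user name, blacklist date, scoring weight and threshold in it is constructed for illustration; the key=value log layout is an assumption, not any vendor's format.

```python
"""Toy SOC triage: enrich VPN-login alerts with MFA and location context, then
route by severity threshold.  Added example; all inputs below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address

# --- constructed inputs ------------------------------------------------------
# Threat-intel feed: IP -> date it was listed.  Entries age; a listing from weeks
# ago on a home-ISP address is weak evidence (the Switzerland case).
BLACKLIST = {
    "203.0.113.17": datetime(2022, 6, 3),   # listed 26 days before NOW: stale
    "203.0.113.99": datetime(2022, 6, 27),  # listed 2 days before NOW: fresh
}
STALE_AFTER = timedelta(days=14)
NOW = datetime(2022, 6, 29, 3, 20)

# Firewall VPN log (constructed key=value lines, not a real Palo Alto format).
FIREWALL_LOG = """\
ts=2022-06-29T03:12:41Z user=alice src=203.0.113.17 event=vpn-login result=success
ts=2022-06-29T03:15:02Z user=bob src=203.0.113.99 event=vpn-login result=fail
ts=2022-06-29T03:15:09Z user=bob src=203.0.113.99 event=vpn-login result=fail
ts=2022-06-29T03:15:15Z user=bob src=203.0.113.99 event=vpn-login result=fail
ts=2022-06-29T03:15:21Z user=bob src=203.0.113.99 event=vpn-login result=fail
"""
# Identity-provider MFA log (constructed): who completed MFA, when, from where.
MFA_LOG = "ts=2022-06-29T03:12:39Z user=alice src=203.0.113.17 mfa=success\n"

# Context an analyst would otherwise look up by hand (constructed).
GEOIP = {"203.0.113.17": "CH", "203.0.113.99": "CH"}
USER_LOCATION = {"alice": "CH", "bob": "GB"}  # alice is travelling in Switzerland

@dataclass
class Verdict:
    user: str
    src: str
    score: int          # 0..100, 100 most severe (same scale the panel describes)
    action: str
    reasons: list = field(default_factory=list)

def parse_kv_log(text):
    """Parse 'k=v k=v' lines; reject malformed IPs rather than scoring garbage."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(tok.split("=", 1) for tok in line.split())
        ip_address(rec["src"])                       # raises ValueError on junk
        rec["ts"] = datetime.fromisoformat(rec["ts"].rstrip("Z"))
        records.append(rec)
    return records

def route(score):
    """Threshold routing agreed at onboarding (constructed thresholds)."""
    if score >= 80:
        return "auto_block_and_wake_analyst"   # stop it now, then a human looks
    if score >= 50:
        return "wake_analyst"                  # needs a human decision tonight
    if score > 0:
        return "morning_report"                # good to know, tell them at 09:00
    return "auto_close"

def score_vpn_activity(user, src, events, mfa_events):
    """Combine reputation, auth pattern, MFA and location into one score."""
    score, reasons = 0, []
    listed = BLACKLIST.get(src)
    if listed:
        age = NOW - listed
        if age > STALE_AFTER:
            score += 20; reasons.append(f"src blacklisted but entry is {age.days} days old (stale)")
        else:
            score += 50; reasons.append(f"src blacklisted {age.days} days ago")
    fails = [e for e in events if e["result"] == "fail"]
    successes = [e for e in events if e["result"] == "success"]
    if len(fails) >= 3:
        score += 40; reasons.append(f"{len(fails)} failed logins in window (brute-force pattern)")
    for s in successes:
        mfa_ok = any(m["user"] == user and m["src"] == src and m["mfa"] == "success"
                     and abs(m["ts"] - s["ts"]) <= timedelta(minutes=5) for m in mfa_events)
        if mfa_ok:
            score -= 10; reasons.append("successful login completed MFA from the same IP")
        else:
            score += 30; reasons.append("successful login with no matching MFA event")
        if GEOIP.get(src) == USER_LOCATION.get(user):
            score -= 5; reasons.append(f"IP geolocates to {GEOIP[src]}, where the user is known to be")
        else:
            score += 20; reasons.append("IP country does not match the user's known location")
    return max(0, min(100, score)), reasons

def triage(firewall_log=FIREWALL_LOG, mfa_log=MFA_LOG):
    """Group firewall events per (user, src) and return a Verdict for each."""
    groups = {}
    for e in parse_kv_log(firewall_log):
        groups.setdefault((e["user"], e["src"]), []).append(e)
    mfa = parse_kv_log(mfa_log)
    verdicts = {}
    for (user, src), events in groups.items():
        score, reasons = score_vpn_activity(user, src, events, mfa)
        verdicts[(user, src)] = Verdict(user, src, score, route(score), reasons)
    return verdicts

if __name__ == "__main__":
    for v in triage().values():
        print(f"{v.user}@{v.src}: score={v.score} -> {v.action}")
        for r in v.reasons:
            print("   -", r)
```

With the constructed inputs, alice's single MFA-backed login from a stale-listed Swiss IP scores 5 and lands in the morning report (a non-event worth knowing about), while bob's four failures from a freshly listed IP score 90 and would be blocked and escalated immediately. The weights are deliberately simple; the point is the shape: raw reputation hits are downweighted by age and by corroborating identity context before any threshold is applied.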