Blog | Oct 01, 2020

The Untold History of Managed Detection and Response Part II: Nerds at Work

Where humans are weak, machines excel; where machines are weak, humans excel. —loose summary of Moravec’s Paradox

Note: This post is part two of The Untold History of MDR; if you haven’t done so yet, be sure to check out Part I: “Collaborative Threat Management” and “Embedded Incident Response.”

People plus technology

By early 2002 it was clear we were onto something with our approach to cybersecurity: our clients valued the peace of mind that came with knowing we were protecting them with our “Collaborative Threat Management” and “Embedded Incident Response.”

Through existing networks and word-of-mouth in the financial and legal services sectors, eSentire added more customers and brought on more team members to keep pace with the increasing demands.

It wasn’t long before we needed some real office space and in mid-2002 we moved into a unit in Cambridge, Ontario. That first office was nothing fancy: we had a server under the table, which kept the place warm in the winter but necessitated having a good A/C unit for the summer months. This setup worked really well: we were a collection of nerds at work and we didn’t need anything fancy.

This minimalist approach could occasionally create some funny scenarios. I recall one time we had signed a new customer and they had a policy of doing a walk-through of every supplier’s or partner’s office. Their rep landed in Toronto; I picked him up and drove us the hour to Cambridge to our headquarters. He walked up the stairs, strolled around the office—which must have taken all of a few minutes—and, satisfied that we were a real company with a real team and real technology, he went downstairs to the car that was waiting for him.

From that time until we packed up and moved to our new Waterloo offices, we incrementally took over the additional units in the office complex until, eventually, we occupied all available space. It worked out to five office expansions in four years and in that time we’d gone from three people to well over three hundred.

Of course, growing the “human” part of the business was only part of the story. From our inception, we’ve always strived to pair people and technology to optimally leverage and enable both.

Keeping up with the data—and getting ahead of threats

Even in the early 2000s, security was a data problem: we always wanted more telemetry, which increased the likelihood that we would observe direct or indirect evidence of a threat; but we also needed to continually improve our ability to analyze that telemetry to spot the needle in the haystack.

Beyond the network IDS component we introduced, and the new modules we built to acquire and analyze telemetry (either automatically or to make our analysts more efficient), one of the first pieces of technology we built was a website to aggregate the ever-growing volume of signals we collected.

While the primary short-term intent of this utility was to make us more efficient—and it did—centralizing the signals from our customer base provided important benefits that enabled the next stage in our evolution: getting proactive.

By efficiently analyzing signals, we—and our customers—were able to benefit from a network effect: if we spotted a threat against one customer, then we could learn how to look for that threat against any and all of our other customers.

Across our ever-growing customer base—and, it should be noted, a customer base disproportionately made up of high-value targets including hedge funds, lawyers, and critical infrastructure providers—we were able to see the state of the art when it comes to cyberattacks.

Plus, it was a little bit like seeing into the future: attackers often try out particular Tactics, Techniques and Procedures (TTPs) on a smaller scale before rolling them out widely. We would see these experiments play out against one or two customers, and then we knew what we would be facing on a larger scale.

To operationalize our intelligence and apply it toward proactive defense, we developed something we came to call AMP (for “Asset Manager Protection”), which we introduced in November 2012.

AMP—which is still active today—is a threat intelligence feed that draws upon our vast network of clients and sensors. Because of our expansive visibility, AMP surfaces indicators that third-party threat intelligence feeds either publish later or never publish at all:

  • Of malicious IPs identified by eSentire in 2020, 35% were identified in advance of third-party (including commercial and open source) threat feeds
  • Of those malicious IPs identified before they appeared in third-party threat feeds, 39% had been uniquely witnessed by eSentire

One of the most important factors behind AMP’s success is that it is manually curated by our security experts. Unlike auto-generated lists which are prone to error, this human curation practically eliminates false positives and unnecessary alerts by ensuring only active threats are included.
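The two ideas above, the network effect (an indicator observed at one customer becomes a hunt across every other customer) and the first-seen comparison behind the AMP percentages, are easy to show concretely. The following Python is an added illustration, not eSentire code or data: the sightings and third-party publication times are constructed, the IP addresses are documentation ranges, and the interpretation of “uniquely witnessed” as “never published by any third-party feed in the comparison window” is my assumption, since the post does not define the metric.

```python
from datetime import datetime

# Constructed sample (not eSentire data): per-customer sensor sightings of an
# IP, as (customer, ip, iso_timestamp). A single sighting at any customer is
# enough to put the indicator into the shared pool -- the network effect.
SIGHTINGS = [
    ("hedge-fund-a", "203.0.113.7",   "2020-03-01T08:15:00"),
    ("law-firm-b",   "203.0.113.7",   "2020-03-03T11:40:00"),
    ("utility-c",    "198.51.100.22", "2020-03-02T02:05:00"),
    ("hedge-fund-a", "198.51.100.9",  "2020-03-04T19:30:00"),
    ("law-firm-b",   "192.0.2.33",    "2020-03-05T07:00:00"),
    ("utility-c",    "192.0.2.250",   "2020-03-06T13:25:00"),
]
ALL_CUSTOMERS = ["hedge-fund-a", "law-firm-b", "utility-c"]

# Constructed third-party publication times: ip -> earliest time any external
# (commercial or open-source) feed listed it. IPs absent here were never listed.
THIRD_PARTY_FIRST_SEEN = {
    "203.0.113.7":   "2020-03-05T00:00:00",  # we saw it days earlier
    "198.51.100.22": "2020-03-01T00:00:00",  # feeds had it before us
    "198.51.100.9":  "2020-03-04T19:30:00",  # same instant: no lead
    "192.0.2.33":    "2020-03-20T00:00:00",  # we saw it weeks earlier
    # "192.0.2.250" never appears in any external feed
}


def parse(ts):
    return datetime.fromisoformat(ts)


def internal_first_seen(sightings):
    """Collapse per-customer sightings into one first-seen time per IP and
    record which customers have already reported it."""
    first, where = {}, {}
    for customer, ip, ts in sightings:
        t = parse(ts)
        if ip not in first or t < first[ip]:
            first[ip] = t
        where.setdefault(ip, set()).add(customer)
    return first, where


def customers_to_hunt(ip, where, all_customers):
    """Network effect: once an indicator is seen at one customer, it becomes
    a retrospective hunt at every customer that has not yet reported it."""
    return sorted(set(all_customers) - where.get(ip, set()))


def lead_metrics(first, third_party):
    """Compute the two feed-comparison figures the post reports.

    Returns (share_ahead, share_unique_among_ahead, ahead) where `ahead` maps
    each IP we saw before any third-party feed to our lead as a timedelta, or
    None when no third-party feed ever listed it (assumed meaning of 'unique').
    """
    ahead = {}
    for ip, t_internal in first.items():
        ext = third_party.get(ip)
        if ext is None:
            ahead[ip] = None
        elif t_internal < parse(ext):
            ahead[ip] = parse(ext) - t_internal
    share_ahead = len(ahead) / len(first)
    unique = sum(1 for lead in ahead.values() if lead is None)
    share_unique = unique / len(ahead) if ahead else 0.0
    return share_ahead, share_unique, ahead


if __name__ == "__main__":
    first, where = internal_first_seen(SIGHTINGS)
    ip = "203.0.113.7"
    print(f"{ip} first seen {first[ip]}; hunt at {customers_to_hunt(ip, where, ALL_CUSTOMERS)}")
    share_ahead, share_unique, ahead = lead_metrics(first, THIRD_PARTY_FIRST_SEEN)
    print(f"identified ahead of third-party feeds: {share_ahead:.0%}")
    print(f"of those, never seen in a third-party feed: {share_unique:.0%}")
    for ip, lead in ahead.items():
        print(f"  {ip}: {'unique' if lead is None else f'lead {lead}'}")
```

Two caveats the percentages hide: an indicator that third-party feeds publish at the same instant counts as no lead, and an indicator that no feed ever publishes can be a genuine early sighting or simply a false positive nobody else corroborated, which is exactly why the curation step matters.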

Building and operating a world-class SOC

Of course, building a system which allowed us to truly operationalize the intelligence we gathered—that is, to collect, analyze and action at scale—was an engineering challenge and ties back to the “people plus technology” ethos I mentioned above.

Perhaps nowhere is that approach more important than building and operating a world-class Security Operations Center. Through years of diligence and discipline, we have built a robust, resilient SOC capability. In good times, our SOCs are our secret sauce. In the changing and unpredictable world of 2020, our ability to continue to operate a world-class SOC when our analysts are remote is even more critical.

Essentially, MDR is a combination of advanced threat detection technologies, extensive processes to monitor and react to those technologies and, most importantly, cybersecurity experts who decide if/when a response is needed to attacks on customers.

While we employ countless technologies to automatically locate that “needle in the haystack” of potential threats, we cannot make a response decision with full confidence without relying on some “grey matter” correlation.

The SOC analysts are indispensable to the MDR delivery model. We are in our nineteenth year of delivering this mode of cybersecurity, and one truism we have come to learn is that threat actors are always changing their game to evade state-of-the-art cybersecurity protective controls.

Because the human analyst has always been (and will always be) key to effective MDR service delivery, we designed our SOC and supporting business processes to enable our team while protecting them from the burn-out that plagues the industry and contributes to the well-documented global shortage in cybersecurity experts.

I won’t go too deep into the details here, because we’ve done so elsewhere, but I will briefly explore one particular example that illustrates the people plus technology model.

Our threat pooling model is core to how we manage threats. This model utilizes the equivalent of an automatic call distributor, as found in call centers, to implement a first-in, first-out model for threat investigations. What makes it through our vast array of filtering, correlation and analytics models—which leverage proprietary machine learning technologies built and acquired over two decades—is on average one threat signal to be investigated per 1,000 raw event signals.

The threat pooling model allows us to always assign the next available analyst to the next threat to be investigated in the queue. If we have a surge of threats, we modulate the number of analysts analyzing threats versus “off board” duties. Typically, this hovers around 25 percent, but we have capacity to handle substantially more. We strive to triage threat signals within a couple of minutes against a service level objective of 20 minutes. Year over year, our average threat investigation is closed in about 10 minutes; today, even with a distributed SOC due to the pandemic, we are averaging 8.7 minutes.
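The dispatch rule described above (a FIFO queue, next available analyst, extra analysts pulled in from off-board duties during a surge, and triage wait measured against a 20-minute objective) can be modelled in a few dozen lines. The Python below is an added illustration written for this post, not eSentire's system: the threat arrivals and investigation times are constructed, and the surge policy (pull one off-board analyst whenever the next threat would otherwise wait more than a threshold) is an assumption, since the post says only that the on-threats/off-board split is modulated, not how. The 1-in-1,000 filtering stage is assumed to have already happened; the input is the signals that survived it.

```python
import heapq
from collections import deque

SLO_TRIAGE_MIN = 20  # triage service level objective quoted in the post

# Constructed sample (not eSentire data): threat signals that survived the
# filtering stage, as (arrival_minute, threat_id, investigation_minutes).
# A burst of five in five minutes, then a quieter period.
THREATS = [
    (0, "T1", 10), (1, "T2", 8), (2, "T3", 12), (3, "T4", 6), (4, "T5", 9),
    (30, "T6", 7), (31, "T7", 11), (32, "T8", 5),
]


def run_pool(threats, on_threats, off_board, surge_wait_min=5):
    """Dispatch a FIFO threat queue to the next available analyst.

    on_threats:     analysts working the queue when the run starts.
    off_board:      analysts on other duties who can be pulled into the pool.
    surge_wait_min: assumed surge policy -- if the oldest queued threat would
                    wait longer than this for an analyst, move one off-board
                    analyst into the pool (treated as available immediately;
                    returning them to off-board work afterwards is not modelled).
    Returns per-threat records plus wait, SLO and investigation-time summaries.
    """
    # min-heap of (minute the analyst becomes free, analyst name)
    free = [(0, f"a{i}") for i in range(on_threats)]
    heapq.heapify(free)
    bench = deque(f"b{i}" for i in range(off_board))
    pulled, records = [], []

    for arrival, tid, dur in sorted(threats):  # FIFO: oldest signal first
        free_at, _ = free[0]
        if free_at - arrival > surge_wait_min and bench:
            name = bench.popleft()  # surge: add capacity to the pool
            heapq.heappush(free, (arrival, name))
            pulled.append(name)
        free_at, name = heapq.heappop(free)  # next available analyst
        start = max(arrival, free_at)  # triage begins when both are ready
        end = start + dur
        heapq.heappush(free, (end, name))
        records.append({"id": tid, "analyst": name, "wait": start - arrival,
                        "investigation": end - start, "closed_at": end})

    waits = [r["wait"] for r in records]
    return {
        "records": records,
        "pulled": pulled,
        "avg_wait": sum(waits) / len(waits),
        "max_wait": max(waits),
        "within_slo": sum(w <= SLO_TRIAGE_MIN for w in waits) / len(waits),
        "avg_investigation": sum(r["investigation"] for r in records) / len(records),
    }


if __name__ == "__main__":
    for off in (0, 2):
        s = run_pool(THREATS, on_threats=2, off_board=off)
        print(f"off-board={off}: avg wait {s['avg_wait']:.2f} min, "
              f"max wait {s['max_wait']} min, within SLO {s['within_slo']:.0%}, "
              f"avg investigation {s['avg_investigation']:.1f} min, pulled {s['pulled']}")
```

Running it with two analysts and nobody to pull in, the five-signal burst backs up to a 12-minute wait for the fifth signal; with two off-board analysts available under the assumed policy, the worst wait drops to 5 minutes and the queue never comes near the 20-minute objective. The point of measuring wait (queue time) separately from investigation time is that the SLO is about how long a real threat sits unexamined, which is the number a burst actually threatens.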

Plus, by taking care of our people, we—and our customers—benefit from extremely low turnover. It’s one of those hidden differentiators that really matters over the long run.

Throughout our almost two-decade history, the spirit of innovation and the philosophy of people plus technology has allowed eSentire to be a pioneer in the cybersecurity space. In the future, these approaches will be just as important—but that’s a story for Part III.

And if you want to read more about MDR, I highly recommend Gartner’s 2020 Market Guide to Managed Detection and Response Services.

Eldon Sprickerhoff

Founder and Chief Innovation Officer

In founding eSentire, Eldon Sprickerhoff responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over twenty years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.