eSentire MDR and the Role of Digital Forensics

John Irvine of eSentire on Enhancing Investigations, Response and Detection

The threats have multiplied, tools have maxed out and the staff lacks capacity for real-time detection, investigation and response. Enter: MDR. John Irvine of eSentire discusses the power of MDR and the role of digital forensics.

In this exclusive video interview with Information Security Media Group, Irvine, Vice President, Digital Forensics at eSentire, discusses:

Irvine is a multidisciplinary executive with skills in digital forensics, cyber profiling, intrusion investigations, program management and enterprise software product management. He has extensive cross-domain experience, having worked in federal law enforcement and intelligence as well as Fortune 500 companies and small businesses. Throughout his career, he has led multisite divisions of digital forensic examiners, incident responders, network intrusion specialists, forensic application developers and malicious code reverse engineers in support of the nation’s most critical law enforcement and intelligence organizations and commercial enterprises.

The MDR Provider's Role

TOM FIELD: So, MDR versus IR versus digital forensics – what role does an MDR provider play today?

JOHN IRVINE: MDR providers try to stop an attack as fast as they can so that you can get back to business as normal. Farther down the chain, in terms of what damage was done or how far somebody got in the system, an incident response and a full IR investigation may come in. With eSentire, we try to offer that entire spectrum end to end.

Levels of Investigation

FIELD: You’re focused on detecting and stopping threats. What level of investigation is part of these efforts?

IRVINE: The level is largely determined by the kind of threat and the organization where it appeared. Our Atlas XDR technology can disrupt 3 million attacks against our customer base in a day. But occasionally we have to do human-led investigation. We handle about 6,000 of those a day across our 24/7 SOC. From there, we might have 700 escalations and then 400 actual containments of something novel, and this is all happening in a day. Usually, our mean time to respond and terminate a threat is within 15 minutes of first detection. So the amount of investigation that happens depends on how easily or quickly we detect the threat all the way through what kind of compromise might have happened and if the company needs to understand whether there was potential data loss or some kind of threat to the organization.

Unique Capabilities

FIELD: What is unique about your investigation capability in comparison to other MDR providers?

IRVINE: Our Atlas XDR Platform uses multiple sources of signals to correlate events, so we get extremely high-quality data across these multiple signals, including endpoint logs, network sensors and general log data. We put all those signals together into one system where we can find strong correlations. And we have a 24/7 active threat-hunting service from our SOC. As an eSentire customer, you don’t wait around for a response to happen. By the time we’ve called you to let you know something’s happening, we’re already well into the response or have completed it.

Our threat response unit does active threat hunting with a focus on your particular industry and what’s happening in current trends to make sure that anything that might be starting to bubble to the surface is stopped as early as possible. We pull together about 40 different threat sources. About one-third of those signals aren’t found in any other commercial feeds, and 10% of those signals are never discovered in those commercial feeds and never published. We have very robust up-front detection and response capabilities, and we also offer a full incident response shop on the other side, doing digital forensic examinations that get down to a low level to determine if something’s happened inside your network.

Variety of Threats

FIELD: When many people think about MDR, they think about investigations related to threats that come from outside the organization. But your team sees a broad range of investigations, including insider threats, HR investigations, M&A activity, corporate and security. How do you account for these types of threats and risks?

IRVINE: Many MDR companies feel that threats stop at malware code. But there are a number of threats to an organization, including cyberthreats that can happen internally and that have nothing to do with malware code or external bad actors. We recognized this a long time ago, and eSentire acquired my former company, CyFIR LLC, and gained its forensic technology so that it could expand the concept of a threat to an organization.

A threat is something that’s going to affect an organization’s bottom line. That can be an internal investigation – for example, a harassment case that needs to be investigated. It could be corporate security issues or intellectual property theft. It could be a rogue employee who decides that they’re going to take all of the intellectual property from the company before they leave or an overworked systems administrator who has a passwords.text file on his desktop just to make cutting and pasting into the 20 systems he has to get into in a day easier. Those are all threats.

It could even be a merger and acquisition. If your company is purchasing another company, you have big concerns. Before you integrate that other network into yours, is it potentially already compromised? Do you have any idea if that network’s been owned by somebody before you link it into yours and potentially open up your network to attack? Also, you might want to get an assurance before you purchase this other company that the intellectual property that you’re about to spend a lot of money on isn’t already out there on the street. Has it already been stolen and exfiltrated, and you don’t even know that? These are huge threats to a company’s bottom line that are cyberthreats but are not typically considered by a standard MDR platform.

Prioritizing Speed

FIELD: What you’re describing sounds very time-intensive. How do you prioritize speed of response and speed of investigation?

IRVINE: With our Atlas XDR Platform disrupting 3 million signals automatically every day, much of that is done on the front, so that’s how we can get the speed. Beyond that, we have purposeful threat hunts that are hypothesis-driven. We assume that there’s badness in the network, and we are going to find it and find what might apply to a particular customer sector or a particular new attack. We proactively look for that, and our response is always on so that when a sensor trips, we are already responding with 24/7 SOC personnel who are fantastic threat hunters and professionals. They’re not just people sitting at a scope and sending an email. They’re actively digging into it with the benefit of our threat response unit, and that really shortens the time cycle.

With the eSentire Investigator, which used to be the CyFIR Enterprise Platform, we’re able to forensically investigate an organization across all of its computers simultaneously. The traditional model of traveling on a plane and taking over a conference room for two weeks to help a customer is too slow in today’s environment. We deploy remotely and can have immediate physical-like access and do forensic analysis to a box within minutes.

Responding at Scale

FIELD: How do you deliver this response at scale?

IRVINE: Again, the Atlas XDR Platform comes into play. With its automated disruption technology, we can hit a hidden attack quickly and stop it fast, before it has a chance to take hold. And with that 24/7/365 SOC, we are always looking. We’re always able to get in and quickly handle an attack. At eSentire, when we find something that’s affecting one customer, we can quickly scan across our entire customer base. That way, every eSentire customer can benefit from what unfortunately happened to one customer, or the results of research done by our threat unit, and we can immediately apply that across the board.

Helping Businesses Large and Small

FIELD: An investigation like this at this scale is hard to do. What are the different levels that you can deliver this to? And how is it consumed by different organizations?

IRVINE: A small to medium-sized business might not have an IT security department. It might just have one or two overworked IT people who are trying to pull cable and set up computers, as well as protect everything. We understand that. We can essentially provide a SOC for those customers. We can provide the managed detection and response that the company needs to stay safe. And should something happen, we have our investigative staff right there at the ready to help out.

A larger company may have a fully established SOC or even a worldwide SOC, but we can augment that with our tools and our people to assist them. We can take off some of that load and help them immediately respond to something. And our investigative platform, eSentire Investigator, is available to purchase. A SOC with qualified forensic personnel, investigative personnel, or even corporate security personnel could use that platform to enhance its own internal abilities.

Digital Forensics

FIELD: How should we think about digital forensics in the scope of an investigation? Is it looked at as always required or as an add-on?

IRVINE: Digital forensics often isn’t required if all you’re trying to do is stop an attack and you’ve stopped it quickly and are convinced that there’s nothing left over. But maybe the attack was custom-crafted or had been in there low and slow and going for a while, or maybe you suspect that the attack was a misdirection or a cover for another attack that’s much more sinister. Then you might want a greater degree of assurance that you haven’t lost intellectual property or been damaged in some way, and a forensic investigation can help you with that.

How eSentire Can Help

FIELD: Enterprises need a combination of tools, methodologies and hands-on personnel so they can discover, react and minimize the potential impact of any digital security threat. If they have their own SOC, IR teams or investigations teams, can they still leverage your capabilities in-house?

IRVINE: We can do that as a service, so we might be called to assist in an incident response, an e-discovery collection or a human resources investigation. Often, a company that has its own capability and staff wants a third-party evaluation done – either because the incident is going to court or just as an assurance. Cybersecurity staff are in strong demand these days, and sometimes there’s just not enough bandwidth to do everything. We can absolutely help with that on a services basis.

We also can provide our eSentire Investigator Platform to allow a company to do its own work. For example, companies often have to go through e-discovery collection exercises because one company is suing another company or the government is asking for data about something. The traditional model there is oppressive. One of the big four accounting firms sends five to 10 people on-site at your company for anywhere from two weeks to six months to gather up information. They take people off the computers and make forensic copies of every computer, so every employee has four to six hours of downtime. That adds up to a huge bill at the end. But with eSentire Investigator, one examiner can sit down, address all of the computers in the organization simultaneously and collect everything in response to a request. It’s a huge time and cost savings.

'15 Minutes'

FIELD: Can you offer any real use cases?

IRVINE: In one case, a customer was using a software package, which cost them quite a bit of money, to eliminate any kind of personal identifiable information inside their networks. They asked us to come in to a location across the country to check it and said, “How fast can you get here?” We said, “Fifteen minutes. Here’s our agent. Let us install, and we can begin forensic examination immediately.” And they said, “Sure. Sign the paperwork.” And in 15 minutes, we were on that box.

Another company had quoted three days to get somebody on-site and start doing the work. By about seven minutes after we had deployed, we had already found 2 gigs of personal identifiable information on one of the boxes. And that very quickly ended the investigation. The speed of our response using our remote technology allows us to react faster than many competitors can even begin to get on a plane to handle the response.

Plan Before the 'Worst Day'

FIELD: What are the key takeaways you want to leave with us today?

IRVINE: You want to have a relationship with your MDR provider before an emergency happens. That way, you already have the policies documented and the procedures in hand. You know who to call, and everything can flow much smoother, because attackers today are skilled. You have to have a healthy respect for who is on the other side of the fence. When you don’t, things tend to fall apart. And we don’t want that to happen. We want you to concentrate on what you’re good at, your business. There’s no shame in having a cybersecurity company that has expertise in this area to help protect you.

I love meeting new customers, but far too often, I’m meeting them on the worst day of their professional lives. And that’s not the best time to start that kind of planning. So start early. Get to know the people and the providers, and have that relationship. Then when the inevitable does happen, know that your provider is there, has your back and can begin an immediate response for you.

About eSentire

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services.

For more information, visit www.esentire.com and follow @eSentire.

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security and risk management. Each of our 28 media properties provides education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Our annual global summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.
