Why deepwatch Chose Splunk to Secure Customer Networks - Patrick Orzechowski - BSW #202

Captions
This week we welcome Patrick Orzechowski, Vice President of Research and Development at deepwatch, to discuss why deepwatch chose Splunk to secure customer networks. In the Leadership and Communications section: how CISOs bridge the gap between corporate boards and cyber security, five questions CISOs should ask prospective corporate lawyers, good leadership is about asking good questions, and more. Business Security Weekly starts now.

This is Security Weekly, for security professionals, by security professionals, broadcasting live from G-Unit Studios in Rhode Island. It's the show where we explore the business of security to improve the security of business, your trusted source for actionable insights on leadership, communication and innovation. Get ready for Business Security Weekly.

Stopping advanced threats requires knowing exactly what you're up against. ExtraHop Reveal(x) is the only solution that shows you not just where intruders are going but where they've been. 90-day lookback and complete network visibility across the data center, cloud and device edge help security teams respond 84% faster with ExtraHop Reveal(x) network detection and response. Explore the interactive demo at securityweekly.com/extrahop.

As a security leader, Cybrary for Teams was built to make your job easier. Are you struggling to measure your team's skills proficiency, provide critical or relevant role-based training, or translate training investments into meaningful business outcomes? Cybrary for Teams is the industry's number one NIST-aligned, DoD 8140 and 8570 compliance certification and skills training platform. Ninety-six percent of the Fortune 500 have employees training on Cybrary. Cybrary for Teams: skills development, solved. Visit cybrary.it/solved to solve your training problems.

Welcome to Business Security Weekly. This is episode number 202, recorded January 11, 2021. I am your host, Matt Alderman, here in Colorado. Joining me from G-Unit Studios are the birthday boys, Mr. Paul Asadoorian and Mr. Jason Albuquerque. Happy birthday, Paul. Happy birthday, Jason.

It's been a strange, such a strange year, for so many reasons.

Did the Browns win a playoff game? Is that what they did?

Wow. First they made it, then they won one. It was a wild card, but still, anything can happen.

That's right, anything can happen. Do you have a specific guest or topic that you want us to cover on one of the shows, not including the Browns? Submit your suggestions for a guest by visiting securityweekly.com/guest and completing the form. We will review those suggestions monthly and we'll reach out to you once reviewed. Also, learn how to conquer cloud complexity in our first Security Weekly webcast of 2021 on January 28th. Register at securityweekly.com/webcasts. If you've missed any of our previously recorded 2020 webcasts or technical trainings, they are available at securityweekly.com/ondemand.

Matt, I thought you could say also the Steelers turned the ball over like six times in the first half as well, but, you know...

Yeah, yeah, we'll talk about that in the next segment. [Laughter]

This segment is sponsored by deepwatch. To learn more, please visit securityweekly.com/deepwatch. Patrick Orzechowski is a seasoned cyber security leader and technologist, building analytics-driven solutions for the past 15-plus years, and one of the founding members of deepwatch. He's worked in many industries, including telecom, healthcare and the US intelligence community, on both blue and red teams. He holds a Bachelor of Science in computer science from Stockton University and a Master's in computer science from James Madison University. Patrick, welcome to Business Security Weekly.

Thank you. Thanks for having me. Sorry to start the whole thing with Browns trivia. I know we were talking about Philly; they just hired, that's fired, their head coach, so he gets a start over, I guess.

Yeah, yeah, we're not as excited in Philly as you are in Cleveland, but, you know, we'll get there.

We'll get there. Every team goes through it. It's a turn, right? It just took Cleveland like 18 or so years.

I don't know, 50 and counting, actually, if we think Super Bowl-wise.

Yes. Patrick, we're going to talk about your decisions and kind of your process of how you chose Splunk for your customer base, but before we jump in there I wanted to kind of back up a second. I mean, when we think about organizations and their cyber security program and building out security operations, some organizations are going to build it themselves, some people are going to outsource it, but what are some of the big challenges people have around building out a security operations program?

Yeah, I think number one is the diversity of data right now out there from a security perspective. Being an enterprise nowadays, in the post-COVID era, you're moving a lot of your traditional data center stuff to the cloud, you're in a hybrid situation, you're using SaaS products, you're building things on serverless platforms. So, you know, the old traditional "syslog everything to your SIEM" and get that data in there is a little more complicated, and when you're building it yourself there's a whole slew of requirements that you have to look at when you're building the brain of your sensor network, right?

And when we had Corey Watson on, I think Enterprise Security Weekly, last year, we were talking about data and what data should you collect and not collect, and that's the sensor side of the conversation, right? So you just kind of gave us a quick overview of all the different types of data, but now I've got to take all the sensor data and I need to bring it together so I can analyze it to really understand where are potential issues in my network to fix it, and that's the brain part of the conversation. And so there's a lot of potential brains out there. What are some of those kind of key capabilities or criteria you should be looking for in your brain?

Yeah, for sure. So, you know, as evidenced by all the startups and cloud-native providers building SIEMs and data aggregation platforms, we have a lot of different requirements and criteria for choosing that brain, right? For me, when it came to building out deepwatch, time to value and flexibility was the real key there. We went down the path of looking at traditional SIEMs, looking at cloud-native, building our own, and we landed on Splunk because of its flexibility and its time to value. We knew we could onboard customers very quickly, and we can also onboard analysts quickly because of things like free text search and the GUI interface, and allow analysts to really ramp up quickly to find cyber security outcomes versus, you know, having to learn a query language or really having a long time to ramp up on a new SIEM.

Hey Patrick, this is Paul. Thanks for coming on the show. I wanted to ask you, how was your evaluation process, and ultimately, like, results, different from an MSSP perspective versus an enterprise perspective? Was there some overlap there, you think, or, like, different requirements?

Yeah, absolutely. So there's a lot of overlap from a service provider perspective, but for us the flexibility of having different deployment capabilities from a service provider perspective was important, right? Splunk has Splunk Cloud, which is their cloud-native SaaS platform. You can also deploy on-prem for customers who have to keep their data in their traditional data centers, and we also have our own cloud that we've built out for customers who want that out-of-the-box, turnkey SecOps platform that doesn't just include Splunk but is, you know, from a raw alert all the way to a ServiceNow ticket.

Now, are you seeing shifts now, with the pandemic from last year, of these different deployment models? Are more people now moving away from on-prem and moving into a cloud or a hosted service?

Yeah, we've definitely seen a shift, even from traditional industries like healthcare, who have compliance requirements to keep things on-prem, looking at the cloud and looking at SaaS platforms as an easier way to deliver those outcomes to their customers. Authentication is a perfect example. When we started deepwatch it was mostly Active Directory data from on-prem domain controllers. Now you have Azure AD, you have products like Okta and Duo, where you're bringing in data from cloud-native into your SIEM platform, and the easiest way to do that is if the platform sits in the cloud as well, via API.

Yeah, I mean, API integrations with other SaaS providers, it makes it easier when it's in the cloud. It's great. Otherwise you're punching a bunch of holes through the firewall to make that communication happen.

Yeah, yeah. I was gonna say, Patrick, I think you hit the nail on the head too. I mean, you're building an ecosystem now where you can onboard talent quickly, right? You can onboard your analysts very quickly with the technologies that you're using, the best-of-breed technologies, and then bringing your own differentiators to the table, right, building your ecosystem out. You know, one of the biggest struggles that organizations have with thinking about whether you buy or build is, I'm going to tell you, the biggest expense is the people, right? I mean, at the end of the day the human capital is going to be the most expensive asset that you bring to the table. So, you know, the innovation is taking the technology, streamlining your processes, building context, your ability to onboard analysts quickly and get them up to speed quickly, and then, hey, by the way, the innovative squad model that we've talked about in the past, which I think is absolutely outstanding. Those are the differentiators. I think it's a full gamut of differentiators you're bringing to the table, and the technologies to help support that.

Absolutely, yeah. So onboarding of new folks coming in, we wanted to make sure we chose a product that wasn't a heavy lift from a training and ramp-up perspective. You know, I use the example of searching for an IP address. If you know an IP address is doing some badness on your network, you don't want to need to have to teach people SQL or another query language. You just want them to be able to go in and search the IP address, get some context, and then provide a ticket to the customer.

You mean a "select IP from table where..." isn't intuitive? Well, there's so many different query languages now.

Yeah, and I think those solutions work well when you've got the right team that has the right fit with that technology, and Patrick, it sounds like you just want a much quicker time to value, because you've got a lot of people working for a lot of different companies, and that makes total sense.

Yeah, absolutely, and it's another reason why we don't support any other analytics platforms or aggregation platforms. We want to make sure that our analysts and engineers are experts in that Splunk platform and don't have to worry about any of the other products out there. Not that there aren't other fantastic products in the market; we just wanted to make sure we stayed focused and we give the outcomes to our customers that they want. Oftentimes they don't want to know how the sausage is made; they just want to know that we're giving them good cyber security outcomes.

And that's time to value right there, right? Standard process means you're streamlined, and at the end of the day they want a result, they want an outcome. I think it also creates some very interesting flexibility in the model. By standardizing on the brain, the sensors are now where you get flexibility, because there are lots of sensors out there, right? You don't have to say, well, I've got to be this type of endpoint customer to get value out of this, because you're standardizing the analytics really at the brain, not at the sensor level.

Yeah, absolutely. We make sure that we normalize the data as it comes in as well. So, you know, one of the advantages of Splunk is schema on the fly: you can send it raw data all day and do free text search. But we also want to make sure that those fields that are important, like IP address, like username, those types of things, are normalized, so, as you mentioned, we can take in any product and really focus on what the user or the host is doing and not the specific feature of the product or how the logs come in or any of that.

Yeah, definitely, for sure. Now, when we think about what's the value to the customer side, right, we've talked about aspects of flexibility. I've standardized the brain; we're going to allow the customer to have a little more flexibility on the sensor side. That's great, but what other advantages do you get as a customer with this kind of standardized brain process, especially from a managed service provider?

Yeah, so again, we allow the flexibility of bringing in any product, and really economies of scale, right? So when we write an analytic for a product or for a customer, we can take that analytic, run it through our content management process and distribute it to all of our customers automatically. So it really allows us to scale. When an analyst is doing great work for one customer, we can take those queries and those analytics and distribute them to all of our customers, so all of our customers get the advantage of the work that's being done with one. And we're starting to focus on industries now, so healthcare customers, we're making sure that we know exactly what to look for in their environments, manufacturing, et cetera, et cetera.

Yeah, yeah. And, you know, I took a quick look at the ecosystem, right, the differentiators, and part of it is your ecosystem. I mean, you have best-of-breed with Splunk, but you're also teaming that with best-of-breed other products like ServiceNow, right? So that allows you to create things like knowledge bases, internal and external knowledge bases, so you could have verticals looking up certain items that are related to them and then publish that out to your customers too. So I think having that information that you're gathering internally, but then having the ability to use a powerful platform like ServiceNow to help enable that information sharing, is massive.

Yeah, absolutely, and that's the advantage of choosing a flexible brain, as Matt's putting it: making sure that you can integrate with APIs for outcomes like ServiceNow, and you can integrate for active response capabilities if that's what you need, right? If you want to shut down an endpoint, you need to be able to have an end-to-end identification of what that original raw event was that will eventually become that active response capability.

The other interesting thing, we talked a little bit about the economies of scale, you were talking about leveraging an analytic, but that also means you're sharing data between these squads, right? And we can't forget about the human element that the managed service provider brings in. You guys have a unique model, but the ability to share across squads I think is also a very interesting angle when you think about it, because you might have some focus in a specific area and that focus can be leveraged by other squads, maybe in other industries. Talk a little bit about the human element here.

Yeah, absolutely. So, I mean, that really is where the rubber meets the road when it comes to incident response, right? Making sure that a human puts a set of eyes on things before it gets to the customer. We started deepwatch knowing that we didn't want to be just another reflective alerting platform, right? We didn't want to take an alert from an EDR platform, for example, and just ship it to the customer. It doesn't really provide a lot of value. So we wanted to make sure that our squads and our analysts look at these things and make sure that there's context there, right? The squad model allows us to really have that good knowledge of a customer's environment, right? I've seen this before, it's their vuln scanner, for example; let's go ahead and make sure we don't alert on that. And that knowledge snowballs into the point where we integrate really, really well with our customers via Slack, and making sure that we have that human communication mechanism that's not just a canned alert or a canned report, right?

Yeah, canned reports don't provide a lot of value, as we know from our days in the vulnerability management space. So where should a customer start, right? When you think about going down this path of evaluating a managed service provider, where should they start? What should they look for in their provider? We've talked about some of the highlights around deepwatch's offerings, but what should customers that are looking to engage these types of services, you know, one, what should they look for, and number two, where should they start? Because this can become a very large engagement over time.

Yeah, it's a massive partnership when you do partner with an MSSP or MDR, right? We call it a marriage. You get married for a year or three years or however long the contract is, and you want to make sure that it's the right fit, right? So first I would start with: do they support the products and platforms that are already in place, right? If I'm an Azure shop and your MSSP doesn't support Azure, then it's a non-starter. And the next thing I would look at is making sure that the MSSP focuses on keeping the minutiae of maintaining a platform, a complex platform like a SecOps platform, away from my security team, right? If I was a CISO, I would want to make sure that my security team is focused solely on my business security and not keeping the lights on with Splunk or keeping the lights on with any other products, because it's a full-time job just to manage and maintain these platforms, right? And then you have a team doing that, and who's looking at the actual incidents and alerts coming from this platform?

Yeah, and that's the key, right? I mean, that's a huge value add right there, because the talent pool is so slim these days that if your staff is busy in the weeds, busy on the run... I look at organizations, I've said it before on these shows, I look at organizations in really three modes: you can be in run mode, which is just keep the lights on, or you can be focused on growth and transformation of your organization. And the value of having a partner, and I consider it a business partner at the end of the day, your MSSP and your organization need to be tied at the hip, and it's all about knowing who owns what, right? And at what time who owns what. So the value that you bring is you now allow the teams to be able to focus on the growth and transformation of the program.

Absolutely. The security program takes a back seat a lot of times to troubleshooting, especially those inline things like firewalls and EDRs and things that can cause outages and introduce risk into the business. So, yeah, we want to make sure that we're a good partner and we're allowing those teams to sleep at night when it comes to keeping the lights on, as well as providing our inherent cyber security expertise and giving that partnership value to the customer, and giving them the warm and fuzzy that someone's watching the wall, you know?

Yeah. One of the questions that came in from Discord: one of the complaints about Splunk sometimes is cost. It could get pretty costly to run Splunk, right? The more data you bring in, the more costs you incur. How do you balance that in the different offerings from deepwatch? And I think this ties a little bit into that second part of the question, which is where should organizations start, and where do they go, and how do you manage costs as you're maturing through that model?

Yeah, absolutely. So, you mentioned it, we have a maturity model that we roll out for all of our customers that prioritizes the data sources. In a perfect world you bring in every piece of raw data from your organization, terabytes and terabytes and terabytes a day, without any added cost, but that's just not how it works, right? It doesn't matter what platform it is. Splunk gets a bad rap for being expensive, but other platforms are expensive as well, and at the end of the day you need humans to look at that data, right? So we help our customers prioritize the data that's coming in to make sure that we're looking at the things that the attackers are looking at, right? So we don't want to bring in on day one DHCP logs, for example. We want to make sure that we're getting those authentication logs, DNS logs, firewall logs, to make sure that we're catching the things that are the low-hanging fruit. Now, that's not to say that other log sources aren't important; it's just we prioritize them to make sure that we get the most bang for our buck from the Splunk license that the customers have.

And that's the key. It's the economies of scale, right? I mean, we used to do that internally all the time, where we'd have that shared business model, right? And now, as things over the decades have progressed, now you're looking at that shared model now becoming a partner. It has to be, right? And you're realizing economies of scale on your side, where now you can basically bring that value now to the customer.

Yeah, absolutely, and we can take all of the lessons learned over years of ingesting data and tell a customer, hey, you have this license, let's make sure that we get the right data in first, right? Some of these nice-to-haves are great, but at the end of the day you want to catch the bad guys in your network.

So, yeah, that's an excellent point. We need to make sure that we, and you just said it, right, over time you've learned onboarding best practices: here are the log sources you want to start with, here are the next set of log sources as we mature and as we learn your organization, right, and your program matures, here's the next set of log sources you want to bring in. You've built those best practices. As a client, you don't have to repeat that; we're learning from you, right, and what you've done with your customers. So, yeah, again, economies of scale across the board.

Yeah, absolutely, and it's an iterative process, right? As we bring on more logs and more products, we leverage Splunkbase, obviously, but we do have lessons learned, and we tune our regex and we make sure that we're getting the absolute correct data on an iterative process. So the next time we have to do it, it makes it that much easier for the next customer.

Patrick, do you find customers are taking some of those chattier logs that maybe, for your analysts and other analysts, aren't as useful or critical pieces to the puzzle, like you mentioned DHCP logs, you could lump DNS logs in there as well, do you take that and send those off to somewhere else that's much cheaper to store, to have as a reference? Do you find these hybrid approaches being effective as well?

Yeah, absolutely. So those heavier log sources, the chattier logs, you can dump them to S3, you can dump them to a syslog server for forensics later, and we do see customers doing that. DNS, you know, internal DNS obviously is super chatty, but, as SolarWinds shows us, those DGA domains via DNS are critically important. We want to make sure we're catching those for our customers. So definitely we can differentiate the types of logs too: if it's external DNS, with external, internet-based domains, we prioritize those, but maybe your internal DNS is one of those more nice-to-haves, right?

Yeah, we were talking about that with database query logs going in that category as well, because you tend to turn those on and do some troubleshooting, then you're like, oh my god, I have to turn that off, right? But then there are specialized vendors that have some specialized use cases, depending on your team, where you may want to collect those logs. But, you know, looking at that every day for security, and use them when you need it...

Yeah, it's probably not the best way.

Yeah, absolutely, and we'll filter out the chattier stuff too, right? If it's a web database, some of those selects that happen a million times a day we might filter out, but a select from the user database might be something that we want to look at, right?

Right, right, right. Yeah, and then you can have a solution that stores all those and maybe you do go back and look. But I like your strategy, when we talked with Corey about this, of, like, you guys and folks know that these are the most valuable log sources and we know we can do great things with these sources. I would love to have that for our organization, set that up. That gives now the organization much more freedom to go, what do we want to specialize in? Like, maybe we do want to have a place we store all the query logs and we're doing performance analysis, maybe some of our own security and performance, you know, application profiling, right? But I know that I've got a team that's cherry-picking the most valuable and effective log sources and has a team whose talents and skills are tuned towards that as well. I think that's really, in my assessment from listening, that's the value.

Absolutely, yeah. And the other balance that has to be thought about here is it's not just the cost of the Splunk implementation. This is the cost of Splunk and all the resources to analyze the data, and hopefully, when you think about an MSSP, they've got that balance kind of in balance, right? I mean, to the point where whatever data you're bringing in, there are resources there to analyze, evaluate and extract value out of it, because the people cost, we already talked about at the beginning of this segment, they're expensive. They're even more expensive than these tools. So it's not just a Splunk cost either.

Yeah, absolutely, and you could evaluate any of the aggregation platforms out there and there's always pros and cons. One might be cheaper, but they only support a handful of log sources, right? One might be more flexible, but it takes a whole DevOps team to maintain and manage it, right? So you have to weigh all of that when you're making the choice to bring in logs and build an aggregation platform.

Yeah, definitely important. Patrick, thank you so much for joining us on Business Security Weekly.

Thank you so much.

To learn more about deepwatch's managed service offerings, please visit securityweekly.com/deepwatch. We'll take a quick break and then cover the Leadership and Communications articles for this week.
Info
Channel: Security Weekly
Views: 265
Rating: 5 out of 5
Keywords: application security, exploits, ransomware, security architecture, vulnerabilities, threats, breaches, firewall, network security, access control, data protection, encryption, endpoint detection, endpoint prevention, endpoint protection, forensics, incident response, information security, malware, privileged access, siem
Id: Q_y8Q-QXnoM
Length: 28min 7sec (1687 seconds)
Published: Tue Jan 12 2021