AI for Business with BCN
AI for Business is the essential podcast for business leaders who want to stay ahead of the artificial intelligence curve. Hosted by BCN, each episode invites guests to share stories on how they’re using AI in their field and industry, with the goal to inspire you to bring this to your business.
We break down the biggest AI news, like major model releases, industry-wide shifts, and regulatory changes, translating them into practical strategies for the C-suite and business leaders. You’ll hear from guests, sector specialists, and our own AI consultants, all focused on helping you navigate disruption, seize new opportunities, and future-proof your organisation.
Make “AI for Business” your go-to source for staying informed, inspired, and ready to lead in a rapidly changing world.
BCN Podcast: Cyber Security Series, Episode 3
In this episode, experts Emma Portlock and Matt Lovell join Peter Filitz to discuss the constantly evolving landscape of cyber security, particularly in light of Cybersecurity Month.
They address common myths about security, the advancements in Microsoft security services, and the importance of a multi-layered approach to cyber security.
The discussion also highlights the role of Security Operations Centres (SOCs), incident response strategies, and the challenges posed by supply chain attacks.
The experts emphasise the need for businesses to assess their security posture and leverage tools like Microsoft Sentinel for effective security management.
Find out more about BCN here - https://bcn.co.uk/
Thanks for listening!
Peter: Hello and welcome to the BCN Podcast. Today we have the pleasure of Matt Lovell and Emma Portlock joining us to discuss all things security, with it being security month in October. So without further ado, Emma, why don't you introduce yourself to our audience?
Emma: Hi, yeah, thanks so much, Pete. Um, appreciate that. So my name's Emma Portlock. I've been at BCN just over a month now. Great to be talking with Matt today around all things security and cyber and what we're seeing with our customers, and really having a focus on it for the month of October. My speciality is really with the full kind of Microsoft suite across the whole of cloud. And I have a particular interest in security because I am seeing it appear so prevalently throughout our customer set. So if I just hand over to you, Matt, to introduce yourself, that would be great.
Matt: Thanks, Emma. Thanks, Pete. So every month is Cybersecurity Month as far as I'm concerned. So I'm Matt Lovell from CloudGuard. As we go into October, you know, I'm even more energized to help customers protect themselves and to help customers understand where those threats are evolving, where they're moving through within an organization, and more importantly, how you can mitigate and minimize the risk posed by those threats. So really looking forward to this conversation and really reaching out and engaging with BCN customers.
Peter: Excellent. Thanks so much, Emma. Thanks, Matt. Great to have you guys on today's session. So I guess, as we know, as with most technologies and services, it is very much a journey that businesses embark on. The landscape is always changing, and therefore you need to be proactive in terms of how you approach that. Maybe one for you, Matt. You know, a lot of customers have this sort of conception or perception that they're always protected, but they're not really. Do you want to elaborate a little more around that?
Matt: I think one of the biggest challenges I'm repeatedly seeing is that we've taken quite a traditional approach to cybersecurity. We've got endpoint solutions in the vast majority of businesses now. We have a pretty healthy understanding of cybersecurity in terms of the key risks. So phishing, business email compromise, probably being top of mind for a lot of smaller businesses. For larger businesses, the threats can be obviously much more focused, much more targeted, and looking at business process and how obviously areas of risk can, you know, obviously be materialized into those from more sophisticated attacks and impersonation. But there is a fundamental shift, I would say, in terms of identity and impersonation. And now we're seeing obviously the rise of synthetic AI-generated content and obviously AI-driven creation of that content from a deep, you know, fake point of view, and actually validating the authenticity of data sources and obviously content that we are receiving or that we're consuming being top of mind for organizations. So for me, as we go into October, this is helping customers understand the policy tuning with the tools that they've got and the gaps that may exist within their approach, within their tool sets, or within their cyber security posture, such that you can actually start to do something about those. Now, some of those actions are definitely to close those gaps and integrate those policies. One of the things I advocate to a lot of customers is you've got to understand the correlation of security points in your organization. It's great that you think you've got good endpoint security and that you know the capability of whatever tool you've invested in is high. But actually, it doesn't necessarily correlate with the way in which a lot of cyber attacks will work. They will be multi-level attacks within the organization. They will be focused not just on the endpoint, not just on the external surface, but they'll be looking at identity.
And one of the problems that we've got is that as there are more and more breaches, more and more credentials are harvested and are available to bad actors. And you know, we have tools and we show customers actually how we can very, very quickly mine those data sets and we can see the text of a password. And we've seen this week, you know, some organizations that absolutely store passwords have been storing them in plain text, and therefore they're the easiest to crack. But I come back to password policies with customers: you've got to be enforcing really strong password credentials there, looking at passwordless technologies, really looking at the gaps in your organization and saying, okay, these are the quick wins, and they're very easy for an organization to do. As I said, it's a very traditional mindset. We've thought about security in sort of compartments within an organization. We need to join this together.
Emma: Yeah, so I would agree with all of that, and I think it's incredibly frustrating, you know, as BCN being a managed services provider, you know, helping customers look after all their tech from, you know, sort of Power BI data reporting, to get someone's ear and budget around security. Um, it's that "it'll never happen to me" type attitude. And for us, we know, we see the threats, you know, hundreds and hundreds of attacks per week that we're helping to mitigate. And I think it's just that frustration, like you say, Pete, that myth that, oh, we're protected, we've got a tool running, we're protected. There is no tool that will 100% stop a threat coming through. It's a multi-layered approach of training people so you don't press on that link, and having layers in your tech to ensure that you're doing everything you can to protect.
Peter: Yeah, so true. It's forever changing and staying on top of it is the biggest challenge. I guess Emma, talking about Microsoft, obviously we're a Microsoft-first partner. Microsoft has invested a lot of money in their security services stack. How has it evolved and what have you seen? And I guess this also will tie into what you're doing, Matt, at CloudGuard, but maybe talk us through the fundamental security services that are now available with Microsoft.
Emma: Yeah, thanks. Yeah, really interesting observations actually on Microsoft. So just a little bit of background to me. So my core training life was 14 years at IBM. I then took a break and went and sold cricket for about five, six years, which was the best job I ever did, but I've come back into IT. And when I came back, it was at the point where customers were making that move to 365 and really around email. And I worked for an MSP at the time who were Microsoft's biggest hosted email provider. So we spent all our time moving customers to 365. And in those days, the strategy absolutely had to be: put layers on your email, antivirus, the Microsoft stack on its own will not give you enough protection, you need to bring in the debt. And we used the analogy of, you know, I'm at home, I've got a front door, I've got a burglar alarm, I've got a dog: layers before you can actually get to me in my house. Whilst we still have that approach now from an, you know, identity tooling point of view, we don't actually have that same technology need because Microsoft have completely transformed, and the amount of money and development they've put into their security suite: back six, seven years ago when I first came back, the Defender suite was in the bottom left of every quadrant. It's now in the top right. It doesn't mean there aren't scenarios where you do need to complement it with other tooling, but significant changes across the board. You know, hence why we have a partner in CloudGuard that uses Microsoft Sentinel. This is a choice that BCN decided to make, to put our technical people's expertise behind the Microsoft stack because it is the most seamlessly integrated, you know, set of security solutions. You're not having to manage multiple tools. It's a bit corny, but that kind of single pane of glass truly does exist within that Microsoft security suite. Not sure that Microsoft has done a great job of telling customers how, you know, fundamentally their security portfolio's changed.
So that's the job of people like Matt and myself, to actually make sure customers can see what they can now do with their current Microsoft licensing and build out to a true cyber solution with services.
Peter: Matt, I mean that leads us on nicely into what you guys are doing there at CloudGuard and how you've basically leveraged the investment Microsoft have made in their comprehensive set of tools and provided a managed service that helps bring those together. Do you want to talk us through what you and the team have done over the last few years in bringing that to market?
Matt: Yeah, thanks, Pete. So I think over the last five years, Microsoft has been rapidly developing its security strategy, and one of the foundational pillars within that is their product Sentinel, right? So Sentinel is a tool that enables us, from a SIEM, security incident and event management platform, to then begin to automate more of the findings, more of the analytics, and to integrate and correlate that information to help accelerate both detection of issues and resolution of those issues through increased automation. And that is a journey. We're progressing from a SIEM to a SOAR, security orchestration and automation response, strategy. And as organizations do that, they can then integrate more of the applications, more of the cloud services, more of the security processes within their business. So they've got organizational enterprise-wide visibility in real time of security in their business. Because I was just reflecting upon this with a customer last week because they were raising the concern about the number of browser security updates they're being forced to do very recently. And this was an organization, and not uncommon, that actually allowed their users to have a choice between the Microsoft browser and a Google Chrome-based browser. Other browsers clearly are available. But what we have to think about there is how attacks are evolving. And I said, if you go back to, you know, Cybersecurity Month in October 2023, there was an awful lot of focus. And I said, what was the key theme that you remember from that? And they were like, well, it was all about MFA. We've got to have MFA, whatever your security posture standard that you're working towards in your business is. And I said, right, so what's happened is the bad actors have recognized that it's actually really quite complicated with MFA now to do those sorts of attacks. What they're doing is session jacking.
And actually, one of the key vulnerabilities, because they don't have to come across your network now, is to do it from public-facing services, and they're focused on your identity. So session jacking is about taking that identity, taking those credentials and using those to formulate an attack. So 12 months on, there is an increasing focus, you know, from the attackers in terms of interrupting those live sessions, because that enables them to bypass multifactor authentication, whatever your choice of technology is. And actually, it's so much harder to identify the behaviors of people being not expected, and therefore even two identities existing in an organization, which is why we need to bring this together in terms of correlation and aggregated behavioral analytics. And Microsoft's Sentinel platform at the core of it has what's referred to as end-user behavioral analytics. What that is doing is enabling us to then build that real-time picture across Microsoft and non-Microsoft connected sources to understand what is going on at a user behavioral level.
Peter: I think that's so key to understand that. But I think for our audience and those that are laymen, do we want to maybe just elaborate in terms of what a SOC service is and how it works, just at a high level?
Emma: From my perspective, a SOC is there to provide that proactive monitoring support to a business 24/7, so that, you know, you're not having to get out of bed on Christmas Day, on your birthday, weekends, etc. But it supports: if you have an IT or a security team in place, great, we work alongside them. If you don't, great, you can outsource, you hand it across to us and we can manage it. And at the heart of what we're then doing is the technology that CloudGuard provide on top of the Sentinel solution, that is really, really quite extraordinary, and the AI that they've got embedded within that solution. So you've got people that really care, you've got people at the end of the phone, end of email, but you've also got really superior tech running on top of Microsoft tooling that's giving this picture that Matt was sort of trying to explain, that's working out the behaviors. If I'm sat here now, you know, near Winchester where I am down in the south, and then in a minute's time I'm in Nigeria all of a sudden, the tech picks up on that, and then the people proactively alert. So it's that support as a partner to a customer to provide real-time proactive monitoring and assistance, as well as then expertise and ongoing, you know, how do we optimize that? How do we always make it run best? What are the new threats we're seeing from other customers or from working closely with Microsoft? So I don't know if you would agree with that, Matt, or if you'd like to add anything.
Matt: I totally would agree with that. What I would say is that where we've come from in a lot of organizations is we've got security in certain silos or pillars within an organization. That might be a technical pillar or it might be a business process pillar. So, you know, we've got endpoint protection, whether it's a mobile device, a laptop or a virtual desktop. We've got server-based security, we've got network-based security. And what a SOC is doing is actually bringing together data from those different technology stacks and aggregating and analyzing that data. Lots of customers don't have the luxury of that focus where they can focus solely on security and they can see how threats are evolving across multiple different environments. And you need constant focus on tuning your environment and having the best response, because we want to stop a threat as quickly as possible. If you have a phishing email that is unfortunately not stopped by your email security solution, the next point of reference is going to be the user's browser session or the client device itself. And we are reliant upon the speed of response if it detects a particular threat or it's requesting information or trying to redirect us to a known bad website. A SOC knows how to deal with that, if the threat gets down to a device or it picks up a particular concern that it has a link that it's being sent to, a bad IP that it's going to, or interactivity. But the time to respond is absolutely critical. And if it's not your sole focus or you miss it, the user may share that information and it may go on to obviously lead to data exfiltration or a breach. What I'd say is actually, if it does get to that stage with a SOC, actually managing a data exfiltration or a ransomware attack is one of the key things that users get benefits from a SOC for.
Emma: One thing that the SOC is reliant on, though, for the SOC to work well, is that at that very first layer, the policies are the best they possibly can be. So that initial piece of work that we always do with customers is: what have you got currently? So that scenario I just gave before is impossible travel. It's a policy that you can light up within M365. If you don't have that, the SOC's not going to pick up that, because that alert isn't coming through, right? So we are totally reliant on customers working with us to look at what is currently implemented and how could we make that better? How can we make it more robust to give that kind of true baseline? Of course, Copilot has been everywhere, right? So, you know, you go in and take a look at Copilot: every single workshop I've done with every single customer, their data is not in a place that they would want to roll out Copilot, because they don't have that security layer around it. So that's just kind of an example of one of the areas that often gets forgotten, because as Matt said, if it's not what you live, breathe, do all day, day in, day out, you may not be aware of all the additional capabilities that you have within the whole governance set within Microsoft now.
Peter: Absolutely. No, and I think it comes back to what I know you always say, you know, security does underpin absolutely everything. And, you know, it makes sense to have a security operations center which plugs in all your security measures to be able to monitor it centrally, because as you said earlier, Matt, it's typically a multi-pronged approach that these attackers will take. And the only way for you to really be able to identify that is having a high-level overview to see what's happening across all those pillars, which is what a SOC really does bring. That's super exciting. So, in terms of this month, I guess, what are you pushing? I know you said last year it was obviously MFA. This year, what is the big topic that everyone's focusing on in terms of messaging to the wider audiences?
Matt: I think obviously we've had a year, a really exciting year of Copilot and AI and OpenAI and other AI tools really accelerating into businesses. That creates a new set of challenges, you know, around managing and protecting data within businesses. So, again, whilst we still want to be continually improving cybersecurity posture for every customer, actually extending that and understanding the threats that are coming from those new tools, but to use those tools safely and securely, is definitely going to be the focus for Cybersecurity Month in 2024.
Emma: As well as that, from my perspective, a key thing that's come out this year, you know, we've had a couple of major cyber breaches, cyber incidents, you know, hit headlines as you turned on the news first thing in the morning. It has actually made people think and look. And one of the key things that I'm helping customers with, unfortunately, I'm a really, you know, expert in the Microsoft licensing, is looking at the tools that they've got, rationalizing them down, saving a huge amount of cost on those, like, annualized revenues that they're spending on multiple tools, and then reinvesting that money into having a true SOC service that gives them that security protection of not just tools, software, but the kind of people around it. So I think that's also one of the key themes that I'm seeing as well.
Matt: So a lot of customers come to us and they say, yeah, Sentinel's really, or the database within Sentinel, something called Log Analytics, is really expensive. They've been faced with challenges. Either they've looked at deploying Sentinel themselves and haven't quite got the experience in how to manage and optimize Sentinel, or they've wanted to collect a large amount of insight and information across their organization. So they've got a lot of connectors, and all of those connectors are ingesting a large amount of input and of data, and that's driven cost up. So a big part of what we do, and I do want to emphasize in this Cybersecurity Month, is how to optimize your performance, not just in detection, but cost management as well. And typically we take half of the standard cost out of most Sentinel deployments that we see and keep it at an optimal level for customers. So again, we're trying to reduce the barriers to entry. Yes, you've got great signaling of security issues from the Microsoft products and other third parties if you want to integrate those, but we can do it much more cost effectively for you.
Emma: And by the way, because of our relationship with Microsoft and the specializations that we now have with them, which is how they rate partners these days, we have pots of funding as well. So if we possibly can, let's spend Microsoft's money for you to help you look at that journey as well.
Peter: Yeah, that sort of brings me on to the next question. And it might be one for you, Emma. So for businesses out there that are a little unsure in terms of whether or not their security posture is where it needs to be, what can BCN in partnership with CloudGuard offer those businesses who want to sort of review where they are on that security journey and really work out what they need going forward?
Emma: Yeah, so the initial step would be, you know, to contact us. We can have an initial kind of whiteboarding security strategy session. There is no tool that will fix this. This is about mapping out where you currently are, where you're trying to get to, who are the people in your organization, what are their identities, you know, how do you want to manage that? And then we'd map out a roadmap for you. And I'm not talking months and months. I'm then talking, you know, within the space of a week we could have carried out a couple of assessments, like an overall cyber assessment, an M365 security assessment, to really home in on what we know from our experience of having done this numerous times, the key areas that you need to get right. We can then help fix them alongside IT teams, as I've said before, or we can do them ourselves, and then we can map out what are the rules of that SOC, what do you need from that SOC? How will you do your alerting? How do you want us to do the remediation? And we map out that whole journey. And as I just kind of flippantly mentioned, there is significant Microsoft funding for this. You know, if you fit the criteria, and that's something that between Matt and I and our teams we can look and see if we can get you funding. So that's how we kickstart it, and as I say, this is not months and months of consulting effort. These are predetermined workshops; we know what we need to get from them to move the customers quickly and on that journey.
Matt: The greatest area of unknown unknowns with many customers is the configuration management. Okay, so these MCI assessments that we can do for customers with Microsoft support are absolutely crucial to unearthing, you know, it could be conflicts. So when we do the security health check reviews as an example, we often find organizations have conflicting security policies and they weren't even aware that there was a conflict, or there could be a large number of applications in use in the organization and they have default security which may not be as secure as it needs to be, or it could be other elements of policy or configuration best practice in organizations. Or it could be that they're not leveraging all the capabilities in their current investment in the Microsoft licenses. So again, it's just making customers aware of that, which is why this is such a quick and powerful route for customers to really explore it at low risk to themselves, to very quickly identify and resolve those security gaps that exist which they may not be aware are in existence.
Peter: Yeah, so true. I know we've talked a lot about Microsoft today and obviously Microsoft tooling. Can you tell me a bit about how Sentinel can also integrate or report on third party applications as well, because obviously more and more businesses have got mixed environments, multiple vendors in play. How does Sentinel provide cover on those platforms as well?
Matt: Great question. So one of the reasons Java myself selected Sentinel right at the beginning of the journey when Microsoft launched it was the capability to integrate to the widest security ecosystem. So what that means is that you can connect to third party applications. So a huge number of our customers are hybrid. Lots and lots of customers are in other cloud services as well, or they have a multi-cloud architecture. We can ingest logs from AWS and Google just as easily as Azure. We can also help customers integrate and write to applications with a supporting API. So we can develop a custom connector for that customer from Sentinel to ingest those logs. We work with the vendors, we work with the customers to then build analytics and longer term build, you know, analytical rules and automations that give us greater insight and greater capabilities to automate alerts from that ingested data and to correlate it to other data points that we've already got within Sentinel. And Sentinel is the fastest developing security ecosystem in terms of those connectors and those analytical rules. You can cover, you can protect your complete organization, and that includes operational technology, OT, environments; it includes threat intelligence ingestion. So those are external data sources that we can bring in which enrich the incident that we have already received automatically, to give us greater context and move it through incident management and hopefully into automated resolution. So we're actually continually taking the number of incidents, even though we're absorbing more data from more points within the organization, we're actually automating and delivering faster both response and resolution to an incident.
Peter: Should we talk a bit about supply chain attacks? Do you think it's worthwhile mentioning?
Matt: I do. I think with supply chain attacks, they are still incredibly prevalent despite some really good progress being made in organizations. So where are the risks evolving in terms of supply chain attacks? An awful lot of supply chain attacks were done on basic reconnaissance and they involved a lot of change of payment details, etc. As security and security processes in most sized businesses in supply chain has massively improved, right, the authentication and the governance to actually change, you know, supply details or payment details, etc. has kept up with the threat vectors, but new threat vectors have appeared in supply chain. So impersonation is a really big challenge in supply chain right now, particularly if you have a very diverse supply chain or a supply chain that changes very frequently or is very seasonal, et cetera, or global for that matter. So those are the key risks that are being introduced. Now, you know, when supply chains have to diversify very quickly, you go into new products, or products might be in short supply, or seasonality or poor weather, you know, or exceptional events might drive your organization to extend your supply chain because of supply chain challenges, those are the areas where they are being rapidly exploited. So again, we've got to look at impersonation. Obviously there's supplier onboarding processes and looking at where change is taking place, you know, where you are taking those on, how are you validating that supplier and the authenticity of the data that they're sending to you. So it's not just payment details: what data is transferring, how are you security checking that information, so it's not ransomware, it's not malware, it's not macro viruses that are coming into the organization.
And again, changing the mindset. So people have established relationships with suppliers; is their mindset still zero trust even though they're working with that supplier, you know, many times a day or many times a week? We've still got to treat every interaction exactly the same way. Is it secure? Is it genuine? How am I going to prove this?
Peter: Matt, that's really interesting. So what we're talking about, yeah, is a mind shift, as you said as well, but it's not just the tooling, right? It's also the IT policies within these businesses that need to be reviewed, and security is bleeding into operational policies as well, because as you say, it all starts with the onboarding of those suppliers and making sure the necessary checks, so to speak, are carried out when looking to engage, so that you add that layer of security. So it is very much a multi-layered approach, and you touched earlier on the cyber incident response as well, because, you know, we've always said that there's no 100% guarantees, so you've got to plan for the worst and hope for the best, so to speak. But talk us a little bit through the incident response plans and consultancy that CloudGuard, in conjunction with BCN, provides to prepare businesses, shall we say, for these potential issues.
Emma: Yeah, and funnily enough, when you were just mentioning that, it's actually got to be embedded within policies and within operational process. That is absolutely a core part, you know, so it's what's your operational procedure if something was to go wrong, you know, what backup, DR, what testing have you tried, bringing your systems back up? And we've actually got, similar to the approach that I talk through with the SOC, we have similar assessments, workshops, that can get you, like, up and running quickly on what have you currently got, what are those gaps, and how can we help you get those policies documented, those procedures documented, so that everyone knows, if the worst is to happen, what happens at what stage. So it's that kind of parallel consulting operational piece of work that works alongside the tech and the security services that you'd work with us on. Don't know if you want to add anything to that, Matt.
Matt: Thanks, Emma. So we do four levels of incident response. So we will do a health check on an existing incident response. And when I say health check, this isn't, you know, we're just going to review your plan; we're actually going to get you to test the plan with us and we're gonna sit alongside you while you do it. One of the many things that we do as an example is, whatever process you're relying on, let's just say it's data restoration, we'll actually then say that's not an option to you, right? Okay, so you're in a double or a triple extortion led attack, and unfortunately the data's been compromised in backup, so you've got to recover your business in a different way. As an example, we've also got tabletop exercises, so we've got a catalogue of scenarios that we can take from your existing planning and actually test that at a more granular level for certain types of attack. We've got incident response management services, so you can do pay as you go. So you've got an issue or you've got a potential issue, you can pick the phone up to us through BCN, through CloudGuard, and we will help you manage that scenario. We have also, for some customers now, added the incident response retainer service. So you can pay for an SLA for the response, and that includes all of the previous services I mentioned. So there's lots of services available for customers; whatever your level, whatever the starting position for customers, you can come into any of those at any time.
Peter: That's great. And it's good to emphasize that it's not just the tooling and the tech that make up a decent security posture. It is the policies that go with it. It's the after-sales support that goes with maintaining those systems and those services, and it's the ongoing consultancy to make sure that as the landscape changes and evolves, so do their security measures, which I think is key. I guess just before we wrap up, any parting words of wisdom or advice? Let's start with you, Emma.
Emma: I'm not sure it's necessarily wisdom, but I guess we are here to help. We've painted a kind of scary landscape, you know, it is. It does seem to be getting more traction now; people do seem to be thinking about this more, as I say, because it's hit the headlines. So, you know, let us as an expert in this area work alongside you to help you see what gaps there may or may not be, and let's make sure that you're as secure as you possibly can be. I'm desperately trying not to scare or frighten people any more than I obviously have already, but it isn't about that.
Matt: It's about let's not be complacent, right? Because you don't know some of these risks, and some of these risks are evolving really quickly, and you may not be aware of that, or you may not be aware it's opened up gaps because your last business continuity plan was tested, you know, more than 12 months ago, because organizations have been under such pressure or the organization has changed rapidly in the last year or so and you haven't had chance to get plans to catch up and retest. Those are the things that we can help with. Make sure that you are as prepared as you can be, because I can guarantee to you, if you do prepare better and you do test, you will perform a lot better if the worst happens and minimise disruption to your business.
Peter: Absolutely, thank you so much, guys, for that great conversation, really interesting and informative. Just like to remind the audience, please like and subscribe to our podcast. Thank you so much for joining us this week. Feel free to visit our website for more information; we've got lots of information relating to the services we provide, that's www.bcn.co dot, and if you'd like to know more in terms of how BCN in partnership with CloudGuard can help you stay safe and secure, please don't hesitate to get in touch with us. Thanks for joining. Cheers.