Established in 1999 Secon Cyber have a long standing experience of providing class leading cyber security solutions to customers ranging from small to large enterprises. We continuously strive to innovate and develop solutions to enable our customers and partners to work, play and live safely in the connected world. As part of this commitment we have developed our own Managed Detection and Response Service. In this session David King will discuss the benefits of an MDR service over a traditional MSSP or SIEM solution.

1. MANAGED DETECTION AND RESPONSE
APRIL 2018

2. RISK
SECURITY
SIM, SEM & SO ON
MSP & MSSP’s
GARTNER
Why MDR?
EXAMPLE
WRAP UP

3. David King
Head of Research & Innovation
D A T A C L A S S I F I C A T I O N & G D P R

8. PREVENT DETECT RESPONDPROTECT
4 PILLARS.

9. SEMSIM
I N C I D E N T S D A T A E V E N T S
SIEM
Combination and
correlation of events and
incidents, displayed in
textual or graphical form
Concerned with real-
time monitoring of logs
and correlation of events
Data retention and the
later analysis and
reporting on log data and
security records
TRADITIONAL
APPROACH.

10. M A N A G E D S E R V I C E
P R O V I D E R S
M A N A G E D S E C U R I T Y S E R V I C E
P R O V I D E R S
MSP & MSSP.
‘Pay as you go’
infrastructure &
service
Assistance &
consulting
Remote
monitoring &
reporting
Monitoring of
security devices
Consultancy &
advice
Security
operations centre

11. … u s e M D R s e r v i c e s t o a u g m e n t
e x i s t i n g s e c u r i t y m o n i t o r i n g
c a p a b i l i t i e s t o a d d r e s s g a p s
[ … ] b e f o r e i n v e s t i n g i n m o r e
s e c u r i t y m o n i t o r i n g t o o l s ( e . g .
s e c u r i t y i n f o r m a t i o n a n d e v e n t
m a n a g e m e n t [ S I E M ] , a n d h o s t
t h r e a t d e t e c t i o n ) , a n d
a s s o c i a t e d s t a f f a n d e x p e r t i s e .
“
“
Market Guide for Managed Detection and Response, Gartner, May 2016

12. WHY
MDR?
SERVICE
Managed 24 X 7 via the security operations
centre.
STAFFING
Highly skilled, highly trained.
Allows your staff to focus on business issues.
COST
Typically much lower cost solution than SIEM.
Delivered as an operating expense allowing for easier
budgeting.
COMPLEXITY
Networks are complicated.
Tools are complicated and require a lot of
maintenance.

13. STATE OF
THE ART
CUTTING EDGE
APPROPRIATE
TECHNICAL AND
ORGANISATIONAL
ME ASURE
Phrase appears 18 times.
‘Technical’ and ‘technical
measures’ appears 40
times!
BREACH
NOTIFICATION
You must tell the
supervisory authority
within 72 hours of
detection or finding out.
You must tell the affected
data subjects (if their
rights and freedoms may
be at risk) within 72
hours.
PENALTIES
€20M or 4% of global
annual turnover.
€10m or 2% of global
annual turnover.
When developing and
designing […] and, with
due regard to the state of
the art, to make sure that
controllers and
processors are able to
fulfil their data protection
obligations.
CONTROLS TIME SENSITIVE FINES

14. WHY
SECON CYBER?
ALWAYS-ON SECURITY
Managed 24 X 7 via our Security-as-a-Service.
EXPERTISE
RESPONSE
Fast and human.
Relationships with vendors.
VALUE
SIEM is expensive to deploy & manage.
Low cost per device per month.
Minimal additional hardware/software investment.
Easy to deploy.
Highly skilled, trained and motivated engineers.
High retention rates.
Excellent communication skills.

15. OUR
PLATFORM.
o Hardened CentOS appliance (local)
o Minimal hardware requirements
o Secure communications using TLS
o Load balanced with multiple ingestion engines
o Uses AWS ElasticCloud and Databases-as-a-Service
o Portal accessible only over secure channels

16. WANNACRY.
WannaCry
FIRST LOG RECEIVED
13:31pm – Logs indicate an unknown
threat taking advantage of a known
exploit
FIRST RESPONSE
13:34pm – Engineer notifiesTrust of problems
and requests they prepare their incident
response teams.
Engineers continue to investigate.

17. 17
SUBSEQUENT CONTACT
13:45pm - Method of propagation identified.
Policy change communicated to trust prior to
implementation.
ACTION
13:45pm - Policy changed to prevent further
propagation.
Approximately 300 machines infected.
NEXT ACTION
Engineers continue investigation based on
several logs.
Logs shared with vendors.
First real-time example received by vendor from
Secon Cyber

18. REVIEW
Post incident review.
Recommendation to deploy vulnerability
protection.
Regular health checks & maintenance.
Review of incident response plans.
REPORT
15:30pm - Reports produced identifying all
impacted machines, including IP address, last user
logged on, location (if known)
120 MINUTES
All machines identified and isolated.
Local recovery plans implemented.
Environment review scheduled.

19. Established in 1999 we have long standing experience of providing class leading cyber security solutions to
customers ranging from small to large enterprises. Our expertise lies in our deep understanding of the cyber
security market and unique position in bringing some of the best of breed products and services to provide
a fit for purpose and value for money security solution. This is evidenced by our high customer retention
rate.
US
ABOUT

20. Over 3 billion
logs processed to date
30,000+
endpoints monitored
Installed in a day!*

21. David King
Head of Research & Innovation
@TechSecDAK
STAND - R502

22. WORK
PLAY
LIVE