Eldon Sprickerhoff is the Founder and an Advisor at eSentire, a leading global managed detection and response (MDR) provider. Since founding eSentire, Sprickerhoff has set up the company’s Threat Response Unit, also known as “TRU,” which delivers intelligence on the latest threats and devises new detection models to support the Security Operations Centres (SOCs). Those SOCs provide 24/7/365 services to monitor, contain and respond to threats for eSentire’s clients that don’t have the resources, talent or expertise to build their own SOC team in-house.
We spoke to Sprickerhoff to discuss the importance of MDR and why he set up eSentire’s TRU. We also discussed eSentire’s latest threat research, including the most successful attack methods they’re seeing today—and how organizations can protect themselves against those threats.
Could you please introduce eSentire? Who are your typical customers, what challenges are you helping them to solve, and what sets you apart from other solutions in the threat detection and response space?
We’re a two-decade-plus-old leader in cybersecurity services, and we’re the inspiration behind the managed detection and response piece. Typically, the size of our client base is from mid-size to enterprise. We started in mid-size financial services and moved to adjacent industries like legal, engineering, and healthcare. For the last seven years, there has been no single vertical that we don’t support.
Our clients understand that attackers are either interested in their data or want to disrupt access to financial support. And our clients could have regulatory concerns or many remote offices and not necessarily have full control or insight over what’s happening. One of the biggest things is realizing they can’t do it themselves.
As for what sets us apart—two pillars have been at the core of our existence from the beginning. First, we want access to as much useful signaling data as possible, even from a forensic level if available. So, if we need to investigate a potential incident, even from the network packet level, I want that data to be available so that we can be absolutely sure of what is happening in the environment. The second thing is if we discover some inappropriate activity, we want to actively block all bad behavior as soon as possible. And if we can do it proactively, that’s even better.
This is the big “R” in “MDR”: response. Unfortunately, there are so many companies out there that don’t provide what I would consider a response. They send an alert or an update but don’t engage with the attacker; they don’t engage in that head-to-head dogfight but rather leave the battle to the client.
Instead, that is at the core of what we do. No matter the detection source, we want to do that across the cloud, on premises, in hybrid environments, or wherever.
You say that the MDR space “exploded” around seven years ago—was there a particular catalyst for that?
I would say that ransomware was the specific catalyst. Suddenly, every single entity (person or institution) connected online was either hit or knew somebody who was hit with ransomware.
Back then, if one machine was hit, attackers asked for $500 worth of bitcoin as a ransom. If you had employed decent backup rigor, everything would have been fine. It might have been a bit annoying, but you could restore your data. Now, attackers try to get a foothold. Then they quietly install the software on as many machines as possible. Initially, they would start infecting immediately, but now they wait for a long weekend. Thanksgiving, Good Friday, Christmas, New Year’s, or any holiday weekend, because at these times, people are away with their family, they’re not on their phones, and that’s the perfect opportunity for attackers to light up and encrypt everything simultaneously.
And if you had good backups that were accessible, the restore process could bring the organization back to a state where attackers had already installed the dormant malicious code. It is difficult to go back to a clean state. And that’s how attackers have weaponized ransomware and introduced the seven-digit ransoms we hear about today.
Also: the people who were originally responsible for writing ransomware back in the day now have a business selling ransomware, so they don’t actually deal with specific ransomware campaigns. They just sell it to other people that don’t need to understand how to develop malicious code; they can simply buy ready-made and tested malware. This has definitely contributed to the broad spread of elevated attacks.
You mention managed response as one of your key differentiators in mitigating these attacks. How do your Threat Response Unit, Elite Threat Hunters, and 24/7 SOC team help businesses improve their incident response processes?
Let’s start with the SOC. Elite SOC analysts constantly monitor our clients’ networks and systems to detect and respond to the attacks coming in; they are the ones battling. I describe it as something similar to a combination of Air Traffic Control and Fortnite. They deal with that endless spew of possible indicators of compromise or concern, and they band together to proactively fight against the attackers (the opposing team) so that our clients can sleep easier at night.
But the SOC can’t do it all themselves, which is where TRU comes in. TRU has four legs: Security Architecture, Threat Intelligence, Tactical Threat Response, and Advanced Threat Analytics. Security Architecture determines the new tooling for improving efficacy. Threat Intelligence digs into attack data across our entire client base. Tactical Threat Response looks to build runbooks that make it easier for the SOC to respond when the threat data comes through. And Advanced Threat Analytics, as the name says, involves looking for new methods to detect unusual behavior. And they are the team that probably does more with machine learning than anyone else.
Each of those four groups within TRU supports the SOC when investigations are going on by providing tooling and assistance.
Some competing cybersecurity services just send an alert if they detect some inappropriate activity and don’t give backup support or evidence. I come from a technical incident response background, and from the very beginning, I didn’t want to build just another incident response team where you would send people on planes to investigate. That entire process could take over 24 hours for the team to get there. Having a remote incident response team saves both time and money. In addition, it helps us investigate every unusual activity that gets signaled as a true positive incident, so we can lock it down and stop the attacker earlier. At eSentire, our 4-hour threat suppression SLA is unmatched in the market.
This has been at the core of our raison d’être from the very beginning.
What made you want to set up TRU and deliver Managed Detection and Response as a fully managed service?
As part of our evolution, we had some terrific people in this group called “DSP,” or “Distinguished Security Professionals.” They are sort of the crème de la crème of security talent within the company. If we had to spin up a “tiger team” to deal with an unusual challenge quickly, we would call on them. But initially, they were in different subgroups throughout our organization, so we had to reach across the organization to try to get these people and steal some of their time. It was kind of ad hoc, and while it worked, nobody was really happy with it. It was not very efficient.
So, we decided to build a new team to address that mandate specifically. It started as Advanced Threat Analytics, but it made sense for us to construct the other legs that now make up the TRU. And it has been one of the best spin-offs in the last several years.
As well as helping businesses identify and respond to threats, your Threat Response Unit delivers research and threat intelligence to help companies stay ahead of attackers. What are some of the biggest trends they have uncovered this year?
The pandemic lockdown and work-from-home scenarios didn’t stop attackers; they just adapted. One of the bigger evolutions in behavior in the last year is that sophisticated attackers have sharpened their focus on supply chain attacks rather than attacking individual companies or individuals.
Take Okta and Kaseya, for example. These two tech companies serve many thousands of clients (ultimately with millions of endpoint reach). The effort it takes to break into either of them is more or less equivalent to attacking any single tech company. Still, you’ve got that multiplier effect in a payoff: you attack one, and you’ve access to literally hundreds of thousands, if not millions, of victims. So, it makes more sense to go upstream.
Ransomware also continues to evolve. Now, I look at ransomware as internally facing Denial of Service. We’ve seen that attackers are starting to blend external Denial of Service with internal Denial of Service. So not only do you have to worry about the attack happening inside your environment, but the external side as well. I expect attackers to start moving more into the cloud, attacking hosted SharePoint and other cloud-based data stores.
We have seen more attacks with multi-factor authentication, as well. It’s common to have authenticator apps on mobile phones, but this leads to notification bombing. If the authenticator prompts an end-user to click “yes” and they’re distracted at that moment, the risk is to let that threat actor in.
Recently, we found some very interesting information about how malicious code is making its way into the environment worldwide, with well-explained attribution to some Russian entities. We can do this partly because of the low-level data we have collected.
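The MFA notification-bombing pattern described above can be surfaced from authentication logs: a burst of denied or unanswered push prompts followed shortly by an approval. The following is an added illustration written for this article, not eSentire tooling; the log format, field names, sample entries and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA log lines (not real data): timestamp, user, prompt result.
SAMPLE_LOG = """\
2023-03-10T02:01:05Z user=alice result=denied
2023-03-10T02:01:40Z user=alice result=timeout
2023-03-10T02:02:10Z user=alice result=denied
2023-03-10T02:02:55Z user=alice result=timeout
2023-03-10T02:03:30Z user=alice result=approved
2023-03-10T09:15:00Z user=bob result=approved
2023-03-10T09:30:00Z user=bob result=approved
"""

# Assumed line layout: "<ISO timestamp> user=<name> result=<approved|denied|timeout>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse(log_text):
    """Parse log text into (timestamp, user, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"]))
    return events


def find_push_fatigue(events, window=timedelta(minutes=5), min_unanswered=3):
    """Return {user: count} for users whose approval was preceded, within
    `window`, by at least `min_unanswered` denied/timed-out prompts.
    That sequence is the signature of a prompt-bombing attempt that finally
    got a "yes" from a distracted user and warrants analyst follow-up."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    flagged = {}
    for user, items in by_user.items():
        for i, (ts, result) in enumerate(items):
            if result != "approved":
                continue
            # Prior prompts in the window that the user rejected or ignored.
            recent = [r for t, r in items[:i]
                      if ts - t <= window and r in ("denied", "timeout")]
            if len(recent) >= min_unanswered:
                flagged[user] = len(recent)
    return flagged
```

Running `find_push_fatigue(parse(SAMPLE_LOG))` flags alice (four rejected or ignored prompts before the approval) and leaves bob, whose approvals had no preceding burst, unflagged.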
One of the ways in which MDR solutions help businesses combat these threats is by combining both human and artificial intelligence. Why is it so important for organizations to utilize both of these when it comes to the fight against cybercrime?
From the very beginning, Marshall McLuhan’s balance concept of “high tech/high touch” was employed at the core of this company. I have always said I wanted to use technology as much as possible, where it’s appropriate, to do the heavy lifting when you’re doing analysis. There’s too much data for analysis to be done by hand. And when it comes to cybersecurity, if you’re not already using statistical methods and machine learning, you’re falling behind because too much data is coming at you too quickly.
Those models aren’t replacing people; people are still doing deep investigations, but supporting them with better tooling is necessary. And that’s where ML, when appropriately used—not just as a buzzword—comes of use.
What are your final words of advice to organizations struggling to protect themselves against today’s advanced cyberthreats?
Don’t feel bad if you can’t do it yourself. Every organization is currently struggling with it.
If you were trying to build a team that’s going to defend 24/7, I calculate that you’d need a group of 12 people. That’s 12 very expensive people with career aspirations, and you’d have to keep them trained and enthused, and you’d have to buy up the back-end technology to support all of that. It is expensive and difficult—especially these days—to find specialists that can do it well.
So, don’t feel bad. Even the largest enterprises need help with it. Find a specialized firm that can do this, understands your unique challenges, and can help you to defend yourself so you can sleep better at night.
And that’s us.
Thank you to Eldon Sprickerhoff for taking part in this interview. You can learn more about eSentire’s managed detection and response solution via their website.