Interview: Why Businesses Still Need Human Intelligence In The Fight Against Cybercrime

Mark MacDonald, Manager of Product Marketing at eSentire, discusses the importance of human intelligence in threat detection and response, the benefits of managed services vs upskilling and cross-training internally, and the future of adversarial AI in cybersecurity.

Expert Insights Interviews Mark MacDonald Of eSentire

Mark MacDonald is Manager of Product Marketing at eSentire, a market-leading managed detection and response (MDR) platform. At eSentire, MacDonald drives multiple go-to-market strategies, leading new product launches and maintaining ongoing competitive intelligence and market research programs to ensure that eSentire is consistently ahead of the game when it comes to addressing their customers’ needs.

At RSAC 2022, we spoke to MacDonald to discuss the importance of human intelligence when it comes to threat detection and response, the benefits of managed services vs upskilling and cross-training internally, and the future of adversarial AI in cybersecurity.

eSentire is a leader in managed detection and response. What sets you apart from your competitors in the MDR space?

Back when I first came to RSA like five years ago, it was still a very undefined space; very few MDR providers were actually on the trade floor. Now, you see MDR and XDR everywhere. 

To answer your question, I would say the biggest thing that defines us as a company is the fact that we respond, contain, and remediate threats on the customer’s behalf. That’s important because it cuts down the time needed to detect and contain threats. That said, a lot of companies are completing investigation cycles on behalf of customers more and more, but still, I would say we were one of the first ones to do it and our customers still call that out. And it’s important, especially for SMBs—and especially with the skills shortage—because, unless you’re a Fortune 500 or Fortune 1000 company, chances are you’re not going to have the people with the skills and experience necessary to complete full investigation cycles.

Then I would say our technology approach is fairly differentiated as well. So, we have our Atlas XDR platform that’s able to ingest data from multiple telemetry sources, so endpoint, network, cloud, traditional logs, vulnerabilities, assets, data. It’s built to deliver MDR at scale. These are differentiators that I’m seeing a little bit more of with XDR—but there are different approaches to it. There are a lot of vendors out there that have an XDR platform, but ours is purpose built to deliver outcomes for customers at scale. 

Could you tell us a bit more about some of the different approaches to XDR, and how organizations can make sure they’re choosing the right one?

The terminology that we’re using now—we’ve been using it internally, and I’ve seen it a few times from vendors that I hadn’t heard of on the RSA show floor—is open XDR versus closed XDR. At eSentire, we’re more on the open side, in the sense that we want to have a platform that can leverage as much of the customer’s existing security investments as possible. There are a bunch of other vendors on that side.

Then there’s closed XDR. That’s like Cisco, Microsoft, Trend Micro—usually the giant, legacy security technology companies. And to get XDR, you basically have to be living in their ecosystem only. So, if you’ve got a customer that’s all in on Palo Alto solutions, it’s probably a really logical choice to use their XDR, too.

But the strategy there for those companies is honestly more like a stickiness thing: “You’ve already got this list of stuff with us, you might as well tack on XDR, and we can deliver that for you.” There’s merit to that strategy for sure, but then you beg the question of whether you really want to have all your eggs completely in one basket.

So, those are the two buckets that XDR is falling under. And it’s important to consider that, because I think a lot of buyers, even SMB buyers, would be in a situation where they need XDR, but they might not even know there’s still quite a bit of nuance between XDR vendors. And that’s probably the most helpful way to at least split them into two camps and figure out what the best decision is for their company.

You mentioned that one of your key differentiators is the managed service part of your platform. How do your Threat Response Unit, Elite Threat Hunters and 24/7 SOC team help businesses overcome some of the challenges they’re facing, and what are the benefits of investing in threat detection and response as a managed service?

So, thinking of the cybersecurity skills shortage, there’s threat researchers and the folks that are more focused on trying to keep account of the threat landscape and find out what attackers might be doing tomorrow, versus analysts that are responding to threats in real time. Those are two different skill sets and it’s hard to create a solid team of both without the budget.

Our threat researchers are a unicorn within a unicorn in terms of the skills there, and our threat response unit really is world class. Like, punching above our weight. Our teams are right up there with the best threat research and response teams in the world. They’ve got a long list of uncovering zero days and different vulnerabilities. I think the biggest one was that they identified two critical vulnerabilities in Kaseya’s IT management software. It’s hugely important to us that we’re an active participant in the overall threat community. So, as part of our solution, our customers have that whole team backing them, on top of our security operations.

Then to answer your question in terms of the managed side, again, it really just comes down to the fact that most customers don’t have the skills or haven’t been exposed to what following a threat investigation is like, and they need that. A lot of our customers acknowledge that they have a certain risk profile and they understand that they don’t have those skills internally, and they need to outsource them or partner with us to do that. And that’s probably the biggest reason why there’s a need for MDR and why it’s everywhere. 

We’ve heard some discourse this week over the best way to approach the cyber skills gap: via managed services, or upskilling and cross-training. As you’ve said, managed services have a lot of benefits, but how big a role do cross-training and upskilling play here?

It’s huge, and we’re very much behind that.

We have a partnership with local colleges and universities in southern Ontario that have cybersecurity programs. A lot of our executives sit on their boards and we have a pretty good feeder system, but it’s still a challenge. But it’s important to have relationships with local schools, and then also to have career paths internally.

And that’s one thing that we’ve done really well at eSentire. Somebody comes in and works, maybe for a couple of years in the SOC, and then has a change of mind and wants to expand their horizons. It happens. We’re at the size and standing now where we can offer really good career pathways, so these people can make a lateral move within the company to something that floats their interest a bit more. It’s important to offer, because if you have any background or skill in cybersecurity, the world really is your oyster.

If you’ve got a little bit of drive and ambition, you could probably land a pretty high-paying, well-credentialed job, and it’s important for our organization to understand that and help foster career paths for the folks that have the skills in security.

A lot of our conversation today has been people-focussed. Why is it so important for organizations to combine human intelligence with artificial intelligence when it comes to stopping today’s advanced cyberthreats?

The best way to describe it is that AI, automation, and SOAR are all very good at grouping data together. They’re very good at filtering out stuff that is, in all likelihood, not very useful in a security investigation. But it’s still not at the point where it can make the same informed decision that a skilled analyst can make. I’ve heard a similar analogy to it being like self-driving cars. It’s very good, it will likely improve over time, but it’s just not the same as a human behind the wheel. 

There still isn’t a substitute for a skilled analyst that has had the experience and understands what attack patterns look like. And then ultimately owns the decision to isolate a user or make a decision to contain a threat on a customer’s behalf, and then also be available to communicate that back to the customer. That’s something we always value and something we always get positive feedback on: the level of human interaction we have.

We’re available to do a full debrief of the incident and then also convey attempts or best practices to hopefully stop it from happening again. So, at the end of the day, I think there’s still not a substitute for good old-fashioned people-to-people service. Especially in something that’s as personal as security. A lot of our customers are stressed out. It’s a stressful job that they’re doing. But actually talking to a person and having that human interaction, which has been especially missing the last couple of years with COVID—there’s a lot of value to that.

Some experts predict that adversaries will increasingly begin to use offensive AI and machine learning in the coming years. How might that look in terms of its impact on the threat landscape, and how should we respond to it?

What these things really do is allow attackers to work at a higher scale, and it’s definitely a concern. Another interest is deep fake technology. I guess that’s probably in the realm of AI, but that’s something that could be a Pandora’s box, because that technology, in the hands of attackers, will make it even easier for them to do stuff like social engineering. You can imagine a perfect voice replication of a CEO or something like that, and that’s stepping it up to the next level of being creative with your attacks. Writing an email in the same tone as a CEO is something that happens a lot, but it’s nowhere near faking a CEO’s voice.

So, a lot of that is concerning and, at the end of the day, attackers are always going to have the advantage of first move in every scenario. I think from the perspective of MDR, it’s still going to be leveraging whatever the cutting-edge technologies are to detect them as fast as possible and then contain them as fast as possible. The time correlation is very obvious: the longer an attacker has to dwell in an environment, the more financial damage to a business they can do. If you can shrink that window, the damage shrinks with it.

Finally, what is your advice to organizations struggling to protect themselves against sophisticated attacks such as ransomware and zero-day malware?

I think MDR is absolutely table stakes for organizations now. Here at RSA, even I was pretty surprised about the sheer volume of MDR companies that are out there. It’s gone from a relatively upstart security category to a very well-established one. Your readers will have plenty of options, some of which are more SMB-focussed, and some that are built for larger enterprises. And I think, in terms of bang for your buck and addressing the skills gap, it’s clear that MDR is the solution for that.

Thank you to Mark MacDonald for taking part in this interview. You can find out more about eSentire’s managed detection and response solution via their website.