Join Stefan Oancea, Principal Security Engineer at Secureworks, to find out more about our partnership with Microsoft. We’ll offer insights on the latest MS security offerings and help you evaluate which option suits your business best. You’ll hear how Secureworks and Microsoft work together and how this collaboration adds value to our customers. Learn how Secureworks integrates with your MS environment – and beyond – to plug the growing gaps in your cybersecurity defenses.
Sally: Hello and welcome to Let's Talk SOC, a podcast series brought to you by Secureworks, a leader in cybersecurity focused on empowering security and IT teams worldwide to better prevent, detect, and respond to cyber threats. I'm Professor Sally, your host. A warm welcome to the show to Stefan Oancea, Principal Security Engineer at Secureworks. Welcome!
Stefan: Thanks Sally, really happy to be here.
Sally: Fantastic subject area today, particularly drilling into your relationship with Microsoft. I've been at the RSA conference over the last week and it seemed to me that Microsoft is continuing to expand its portfolio.
So, for those who may not be familiar with this approach, can you give us a high-level overview of the types of security offerings they're providing, particularly Defender.
Stefan: Yes, of course, and you're absolutely right. For the past few years, Microsoft has definitely been ramping up their security portfolio. And Defender is probably the most well-known and the most relevant.
Defender has four different capabilities: Defender for Endpoint, Defender for Cloud, Defender for Identity, and Defender for Office 365. Let’s look at the first, Defender for Endpoint, the EDR offering from Microsoft. We can hardly imagine a relevant security monitoring service or integration without EDR at work. So, this is what Microsoft proposes in terms of EDR and also comes with the E5 License. Then we have Defender for Office 365, which is their email security proposal for Office 365, and that takes away the need for any additional email security solution.
We have Defender for Identity which, even though it's a cloud-based solution, actually monitors the on-premises Active Directory environment and looks for specific tactics and techniques that threat actors might leverage against this.
And then we have the Defender for Cloud Apps. Defender for Cloud is the CASB. CASB stands for Cloud Access Security Broker. It's able to govern and monitor the interaction between your users and cloud service providers, or cloud applications they use in both the Microsoft and Azure environments, as well as third parties. So, in a nutshell, those are the four main components that are provided with the Defender Suite.
Now having said all of that, we need to remember that in the end a tool is only a tool. And something that I always like to highlight is the fact that a tool is never the problem nor the answer. The real question is how are you able to leverage that tool and how can you make it really relevant, actionable, and meaningful for your environment?
That’s where Secureworks Taegis Managed XDR comes into play. We’re able to integrate raw telemetry and alerts from various Microsoft Azure and Defender components, bring them into Taegis and apply a layer of advanced detections and intelligence on top of that. Not only do we do that from a technology perspective, but we also do that from a services perspective as well.
So, basically having this open managed detection response service and an open XDR platform at its core, we’re able to bring added value to your existing Microsoft investment.
Sally: Love that on so many different levels. A: the holism – you've got four different pillars of coverage you're describing there. I think you're also drilling into the fact that we've got convergence, particularly around threats and vulnerability.
So again, looking at those different areas all this week, when we are looking at the scope, scale, and sophistication of these threats increasing and converging – plus bad actor activity – that suite of coverage is absolutely essential, but also the power of partnership you're describing here with Secureworks. It’s not just the technology, but also that facilitation piece, isn't it? And that trusted partnership.
Stefan: Definitely.
Sally: It helps to navigate all of this and the ever-changing landscape we're dealing with. Brilliant, thank you, Stefan. You really brought that to life. What about Microsoft Sentinel? Could you explain a bit more about where that fits into this landscape as well?
Stefan: Indeed, that's a very good question. While Defender really suits all sorts of organizations and all sorts of different sizes, Sentinel is actually a completely different story. Sentinel is a different product, a SIEM solution, Security Information and Event Management. Indeed, it's one of the most modern cloud-based SIEM solutions and perhaps one of the top offerings in the market. But if there's one thing we've learned from the past related to SIEM solutions, it's the fact that they are complex and costly to deploy and difficult to fine-tune and manage. And you literally need a small army of experts to really bring the added value that they can bring.
Sentinel is no exception from that point of view. SIEM solutions are mostly difficult to license and even more difficult to predict in terms of costs. And that's because they're licensed based on data volume ingestion and/or events per second. Now, don't get me wrong, there are definitely companies and organizations out there that can benefit from a modern SIEM solution such as Sentinel. If you have a significant security budget and your own 24/7 SOC, staffed with experts that can deal with security engineering, security analysis, threat investigation, threat response, threat intelligence, and forensics – to just name a few – then maybe Sentinel, or a similar solution, might be the answer for you. But if we look into the market, if we look at the organizations that we encounter on a daily basis, those sorts of organizations are the exceptions rather than the norm.
Sally: Interesting. You mentioned earlier when you went back to Defender, the idea of doing more with what you have. I think that's really a key theme as well. So, thank you for bringing that to life. I think it's so important right now, too. You already talked a little bit around licensing, but I'd like to drill into that in a bit more detail too, if we can. So, looking at Microsoft licensing right now, what are you seeing as the advantages there, but also some of the disadvantages, drawing on what you unpacked a little bit earlier?
Stefan: If we look at the Defender Suite, acquiring a bundled license such as E3 Security or E5 will give you access to all the relevant Defender features and capabilities that we briefly mentioned in the beginning. Moreover, E5 is a per-user license, which makes it quite easy to scope, as well as to predict.
We actually see more and more organizations of different sizes and verticals considering or already moving towards E5. On the other hand, Sentinel comes with additional costs on top of E5 and those costs are significant – and many times also difficult to predict, taking into account the specific way in which you size a SIEM solution.
So, the moment you start looking into integrating third-party log sources into Sentinel, not only Defender, as well as other specific Microsoft and Azure components, then you get yourself in the situation where your bill just keeps going up. Furthermore, with Sentinel you have different variable costs for different types of logs, and this is actually something new that many organizations are not aware of.
Today, you can license Sentinel based on analytics logs, which are logs that are being actively used in the security monitoring process, but also basic logs that are only used for context. And those two types of logs produce different costs. At the same time, with Sentinel there will be certain features and certain things that will add pay-per-use costs.
For example, if you want to search through basic logs, you're going to pay each time you run a query on top of basic logs. It's the same thing with playbooks. If you're going to integrate with Azure Logic apps and run playbooks from within Sentinel to achieve automation, each time a playbook runs, you're going to pay an additional cost.
And last but not least, if we look at data retention, the timeframe that you get with standard deployment is not that big. You get only 90 days for analytics logs and eight days for basic logs. So, when you put all of these things together, you realize, as we were mentioning in the beginning, that it’s complex to scope and predict – and most likely you’re going to end up with quite an expensive product.
Sally: That's really interesting. We often talk about the different layers of security, don't we? But drilling through that into the different levels of licensing, and unpacking what that's about, is really valuable from an awareness piece, so people know what to consider, what works right for them and the size, resources, and talent etc. of their organization.
I think it just brings to the fore the power of partnership. I mentioned this earlier – the facilitation, guidance, and trusted advice. It's not just technology, it's the people, culture, process, and skills etc. that support that, which I think is key as well.
Could you tell us a little bit more about the combination of Microsoft and Secureworks and how you are working together? Then we can go on to look at why complementary strengths might be the best fit.
Stefan: Yes, that's really interesting. So first of all, let me say right from the beginning that we recognize Microsoft as an important player in infrastructure, operating systems, business applications, collaboration, productivity, and the cloud of course, and security as well. That's why we have a strategic partnership with Microsoft. And that's why we keep on enhancing and building on top of the integrations we have with them. Let me just give you a few examples to try and flesh that out a bit more. We integrate with Azure AD on a tenant level, but we also integrate on a subscription level in order to gather what we call, and they call, activity logs.
At the same time, we will tap into Office 365. So, we monitor your email environment from Microsoft, as well as your on-premises Active Directory. We look into the cloud, but we also look on-premises. We leverage the Graph Security API in order to gather relevant alerts and security events from Microsoft.
And that's also one of the main mechanisms that we use in order to get pre-processed alerts from the Defender environment. Our most interesting and most in-depth integration is with Defender for Endpoint. Defender for Endpoint is what we were talking about in the beginning, the endpoint detection and response solution from Microsoft that comes with E5. From Defender for Endpoint, we achieve the pre-processed alerts, but also all the raw telemetry that Defender produces.
That gives us the opportunity to bring an additional layer of added value on top of Defender. And for all of what I've mentioned up to now, we provide our customers with a standard 365 days of data retention. That’s actually more than Microsoft provides with these separate components. And, from a scoping perspective, we basically only need to know the number of Defender for Endpoint licenses you have, because with Taegis and managed detection response, we don't really care about the number of integrations you have outside of the EDR space.
We’re only interested in the number of EDR licenses you run and the number of assets that can run an EDR in your environment. The rest of the integrations and data we store come free of charge. So, for an E5 customer, it's extremely easy to scope because you only need to tell us, we have this number of E5 licenses, and that's the scope for managed detection response.
But these are not the only ways in which we work with Microsoft. Within Secureworks, we have a number of departments that specialize in different key areas. One of them, for example, is our Secureworks Adversary Group, also known as SWAG, which delivers all sorts of adversary testing engagements. We have our own counter threat unit, numbering around 100 threat researchers who study the threat landscape 24/7, day in day out. They look at threat actors’ tactics and techniques and produce threat intelligence based on that.
And we also have our incident response team, a global team that delivers around 1,400 engagements per year. And all of those teams have deep Microsoft expertise, as well as collaborations with Microsoft. Also, just to give a few examples in this area, we have frequent interactions with Microsoft in order to disclose vulnerabilities our teams find within the on-premises Active Directory environment, as well as in Azure.
At the same time, we have various consulting engagements that we run with our customers, for example, ransomware simulations. And these heavily rely on us being able to exploit the Microsoft environments. One of the services that our customers really like best is called an Active Directory security assessment. That assessment helps you understand how hackers can exploit Active Directory misconfigurations and security gaps in order to achieve their objectives.
And last but not least, I want to mention just one more thing, Sally.
Sally: Go for it. No, I love it!
Stefan: I want to mention the fact that we actually have colleagues that are employed within Secureworks who are Microsoft MVPs (Most Valuable Professionals). And if you or anybody comes from the Microsoft space, you will know that MVP is one of the highest recognitions that you can get from a Microsoft perspective.
Now those colleagues play crucial roles in threat intelligence and in transforming that into countermeasures within Taegis with respect to the Microsoft landscape.
Sally: Love that! What you mentioned about simulation, in particular, really caught my eye. Because certainly in organizations I deal with, that's sometimes a missing link.
And I think going through that process is so incredibly helpful, that kind of learning by doing. But for all roles in the organization, simulating a threat and how you’re reacting and learning from that, I think is really powerful. But also, that auditing function again, knowing where you are and monitoring that, having that barometer and going forward helps you to develop that posture and improve it over time.
You've mentioned some of these areas already, but if you were going to say a top three reasons why this combination of Microsoft and Secureworks together might be the best fit for many organizations, how would you kind of gold, silver, and bronze that?
Stefan: Yes, so not only do we ingest telemetry, key alerts, and security events from Microsoft and Azure as I explained, but we also apply our own intelligence and detectors on top of that.
Taegis XDR benefits from multiple state-of-the-art detection mechanisms, as well as actionable threat intelligence, which is embedded in the form of countermeasures. And those really help us try and enhance alerts and telemetry coming from the Microsoft environment. So, on the one hand we will analyze and investigate Microsoft pre-processed alerts to make sure that we filter out noise and filter out false positives, which you should expect with any security solution and security feature. And you will see that the Microsoft and the Defender environment also produce false positives. And what we will do is take away the burden of going through those events and alerts. We’ll do an initial investigation and make sure we only highlight and raise the ones that are really a threat to your organization.
And on the other hand, we apply, as I mentioned, our own detectors and threat intelligence on top of the telemetry coming from the Microsoft space. And that brings added value above and beyond the customer’s existing investment in Microsoft E5. So, all in all, our managed detection response service ensures customers are only alerted when they're dealing with a real threat.
And based on over 20 years of experience in this space, and 11 years in a row being named a Gartner Magic Quadrant leader in the managed security services space, we definitely know what bad looks like when we see it. And that's not all, because we not only look into your Microsoft environment with managed detection response, but being a truly open XDR platform and service, we correlate what we see in the Microsoft environment with the rest of your modern hybrid and potentially multi-cloud deployment.
We also look into network traffic, network security, identities, Google Cloud, anything that really runs in your environment and produces relevant telemetry will be correlated to what we see from Microsoft.
Sally: Again, so it's that holistic coverage, that visibility right across your estate. And I love what you said there about taking away the burden, because again, you see that so often. It's not just about the cost or talent constraints either. It's also just the sheer amount of noise signals, isn't it? So being able to drill through that and really get granular and bespoke about what actually is relevant and what isn't. Because otherwise you could have sprawl and issues where you actually increase risk rather than negate it.
I love how you brought that out there. Stefan, I could go on all day, but I know we've got limited time, so perhaps to close this off and bring things together – in terms of your customer base, how many people are taking advantage of this kind of combination right now?
Stefan: Yes, this is really one of those cases when numbers might actually speak for themselves. Over half of our customers, and we have thousands of them, are actually sending us telemetry coming from Azure, Office 365, and Defender. And we are currently monitoring around 1.2 million endpoints deployed with Defender for Endpoint for hundreds of customers that leverage E5 licensing.
It's very interesting to see that out of those customers around 60% actually run a multi-EDR environment. This means that, besides Defender for Endpoint, which runs on let's say the majority of their assets, they also have specific environments where deploying Defender or buying an E5 license perhaps doesn't make sense – even if only from a commercial standpoint, so from a cost perspective. And those environments we see are usually third-party cloud environments such as AWS, or testing environments and pre-production, where deploying solutions such as E5 would not necessarily make sense. And these are the places where customers can leverage our own Taegis EDR agent, which comes together with Taegis at no additional cost.
And this again highlights the power and flexibility of an open XDR platform. We look into your Defender environment, but if you don't have Defender everywhere, we also provide you with another EDR agent, which is on par from a capability perspective, to say the least.
As a conclusion, based on our deep Microsoft integrations, as well as being an open, managed, XDR platform and service, we are able to effectively leverage your existing investment in Microsoft and E5, while at the same time efficiently closing the gap between the E5 security bundle and the rest of your environment, in order to address the total cyber defense needs across your landscape.
Sally: There are so many areas covered in this. It's been a real pleasure, Stefan, to have you on Let's Talk SOC. It really has. We could go on for some time, but again, you've really brought to the fore the power of those complementary strengths, the visibility, and the integration. And again, going back to that point of reducing the burden and working with you and what you've got as well, and making the best of that. There are so many other themes you've interlinked together here that I think are really vitally important when it comes to making the most of optimizing your security posture. So, thanks so much for joining us today. It's been an absolute pleasure.
Stefan: Thank you, Sally.
Sally: And thank you all for watching and listening too. This has been Let's Talk SOC. We'll be back soon with a new episode.
Let's Talk SOC is a podcast series brought to you by Secureworks, a leader in cybersecurity, helping organizations reduce their risk, maximize their existing security investments, and fill their talent gaps with their cloud-native security analytics platform Taegis. They offer MDR and XDR solutions for better threat prevention, detection, and response. To learn more, visit secureworks.com.