Let's Talk SoC

In Your Corner 24/7: The Right Expert for Every Problem

Episode Summary

In managed detection and response (MDR), not all solutions are created equal. Alongside different scope and technology, the quality of support can vary greatly. In this episode, we take a look at what sets Secureworks apart, guided by Security Operations Lead Matt Mills. Matt explains what makes our approach so unique — namely, fast and direct round-the-clock access to the right Secureworks expert. Whether it’s a SOC analyst, threat hunter, or a multidisciplinary team, customers can be sure they’ll always have access to the right expertise. Find out how this works in practice and what difference it makes to our customers. And learn why Secureworks was named an MDR leader in a recent Forrester Wave.

Episode Transcription

Secureworks Interview with Matt Mills

Sally: Hi everyone, and a very warm welcome to Let's Talk SoC. I'm your host, Sally Eaves. And today we're diving into all things threat detection and engineering, notably around MDR and in particular the importance of trusted support. And I'm delighted to be joined now by Matt Mills to discuss exactly this. Matt is security operations team lead at Secureworks. Welcome Matt.

Matt: Hi, thank you. I'm happy to be here.

Sally: Oh, fantastic to join you today, Matt. Really appreciate it. And perhaps a great place to start. Perhaps just share a little bit more about yourself and your role at Secureworks!

Matt: So, as you said before, my name is Matt Mills and I'm the team lead for the Taegis Security Operations team. So as a team lead, my job is first and foremost to be a technical leader for my team. That typically starts with being a mentor for the analysts underneath me who serve on the service teams, but also is a part of being like an escalation point for other teams into the SOC as well.

I've been in this role for about three years now, and it allows me to see and contribute to solving many different types of problems, from creating new analysis methods and techniques to be used by my team to help me solve complex customer challenges.

Sally: Love that, love the different kind of interdisciplinary skills you brought to the fore there as well, plus that focus on mentoring I think so important, love that. I think as part of this as well I'd love to get kind of the experience of what it's like kind of working with Secureworks, you know from the customer perspective what to expect, so what's that like in terms of your experience of kind of interacting, you know how frequent is that, and what's it like in terms of the process of reaching a SOC analyst for example, I'd love to bring that to life.

Matt: A lot of different other MDR providers, they oftentimes have issues with their customers being able to speak with the analyst directly. So, that's a problem we did not want our customers to have at all. So, with Secureworks, we give our customers direct access to the SOC analyst. So, there's an onscreen chat functionality, which usually gets a response in about 90 seconds directly through the Taegis console.

We also have a phone line and email support available as well. So, interactions between the customers can be anything from a customer maybe asking for help on how to do something with the Taegis platform, or even they may even need some help analyzing some activity or behavior they've seen in the platform itself. So, we pride ourselves on our ability to be able to interact directly with our customers to help address any issues or answer any problems they may have.

Sally: Love that Matt, thank you so much. Love the fact your work bringing to the fore there, that personalization of experience, not limiting the time spent with analysts. And when we see over and over again, issues around complexity and overload around threat noise and constraints on teams, etc. Working with people directly with your customers like this and not limiting the time spent, I think it's absolutely key and really giving that one-to-one support. So, I love that, such a great focus on that experience and really spending the time that matters.

And also, I think what you said there was it 90 seconds in terms of a response time? When we look at what we're seeing about the lengths of threat attacks lasting and how long they can be invisible for before they're actioned upon, getting that support faster and faster, again, massively important to negate risks like that. So, love to see that, brilliant stuff!

I'd also love to bring to the fore, again about this experience and what these interactions are like. Who else are customers reacting? It's not just one person, it's not just the SOC analyst, it really does take a village. So, who else would the customer be engaged in? I'd love to bring that experience to the fore too.

Matt: There's a variety of different teams that oftentimes have to interact or engage with customers directly at different points. So, for starters, it's going to be the CSMs or the customer success managers. They are tasked with helping customers ensure they are getting the full value from the service that oftentimes requires them to meet directly with the customers so they can understand what their security challenges are and direct them to how we can solve those for them.

Some other teams that oftentimes directly engage with customers as well are going to be the threat hunters that are a part of our elite managed service. So, for customers who choose to subscribe to a higher level of service, they can have a threat hunter assigned directly to their team. That threat hunter then meets regularly with the customer again so that they can understand what their security focuses and challenges are and then design threat hunts specifically around that customer's needs.

Some other teams that frequently interact with customers are going to be things like our incident responders. So, whenever we identify some activity and it's determined that it needs a full-on incident response engagement, that engagement will be assigned an incident response consultant, and that consultant will be in regular contact with that customer as well as they're dealing with the incident.

Sometimes, depending on the scope of the incident, you could also be assigned an incident commander, and that would be another individual who would be interacting with the customer frequently. And I think finally, we also have our product support team.

So, there are times where customers may be experiencing issues or having some sort of problem with the platform and that product support team is designed to work with the customer to identify and troubleshoot any issues they may be having. And so that requires pretty frequent communications as well. For product support, they can use the exact same method they would contact my team with, the in-console chat application, as well as phone, emails and tickets.

Sally: Brilliant stuff. I love that. Again, such a range of roles and resources available here too. I’m impressed with say your threat intelligence unit, really superb there as well. Great access to support there, and again, how that's working also with the ecosystem to give this knowledge and freely make that available I think is superb too. So, I love that. Also, anecdotally too, you mentioned there about your product team. I've also heard some great feedback, for example, when consumers have kind of given feedback about something they like to see, you know, extra additions to the platform too, but that's been listened to. So, it's part of the product development too. So that active listening to consumers is so, so important. And I've heard a lot of feedback on that personally as well. So again, all those aspects together, it really does support that holistic support around cybersecurity postures, doesn't it? So brilliant. And you mentioned there in terms of different kind of levels of service. So, I'd love to bring that to the fore as well, because I think so much is given kind of as a baseline for everyone. And then obviously there's those premium options you said there around dedicated support as well. Wonder if we could kind of just give that a little bit more information as well for the audience too, just to unpack that further.

Matt: Happy to! So, for starters, there's a base level of service that you get by just being on the platform. So, whether you are using the platform as a stand-alone or you are part of MXDR service, that allows you to get access to my team as far as like asking questions, submitting tickets and stuff like that as well. So, you get that just as a benefit of being on the platform.

Now you get some more increased support by being an MXDR customer. And so that's where you're going to get things like us triaging your alerts, investigations escalated by my team, et cetera, et cetera. Now there's several service levels above that as well. So, one of the first ones I'm going to mention is going to be our MXDR Elite Service. So, as a part of that Elite Service, as I mentioned a little earlier, you get assigned a threat hunter that is dedicated to your team, that allows that threat hunter to help create some bespoke threat hunts that are particular to your environment. And a service that we have above even that is what we call our MXDR Enhanced Service. So oftentimes some of our customers may not have the in-house security personnel to be able to support the service. So as an MXDR customer, my team is triaging and escalating activity, but it sort of requires the customer to have the infrastructure and support to be able to action those investigations and things like that. And not every organization has those people. So, what our enhanced support team does is actually reassign those individuals to be that in-house security personnel. So those individuals get access to your in-house security tools and applications.

They have direct interface with my team and other teams at Secureworks as well. So, like I said, it's designed to enhance whatever existing security personnel service you already have on site to give you that service that you need.

Sally: Love that. I love the fact that it's working with what you have. And also, with those different levels of support as well, it can grow as you do. And it can really personalize and tailor to your exact needs. And you're not getting something you don't need, you know, it really is kind of working with you. And again, today, I think that's so, so important as well to do more with what you have, you know, so again, that facilitation and mutual support, I think is absolutely vital. So, I love that. And I'd love to hear a bit more feedback as well about what you're hearing from your MDR customers around kind of the benefits of this as well, whether that's a customer story or just some other areas of appreciation too. Because again, I think that helps to build that contagion of change of what can be done. We see so much in the news, don't we, in terms of how threat vectors are escalating. And it can be very scary and people can kind of know, where do you start? And it can be quite overwhelming. So, seeing what can be done, the support that is available to organizations of all sizes, I think is a really powerful story to share. So, I'd love to touch a little bit more about that and I'll share some things I've been hearing too, but I'd love to pass that back to you, Matt.

Matt: Sure, so for starters, customers really love and appreciate how easy and quick they are to be able to get in contact with my team. Sometimes that quick response can make all the difference for a pending incident. As an example of this, we actually recently had a situation with a customer where they saw some activity that made them suspect a ransomware attack may have been in progress.

They wanted a second opinion before they began their full incident response processes and so, they reached out to my team. Because of how quickly they were able to get in contact with us, we were able to take a quick look at the activity and confirm that it actually was not ransomware and was just benign activity. And so, we were able to save that customer a lot of time and money. If they had gone ahead and started their full-on incident response process, began pulling hosts off of the network and things like that, that could have had a noticeable business impact on that customer. Since they were able to reach out to us and allow us to confirm what was going on, we were able to save them a lot of time and money. Additionally, on the flip side of that, one of the more recently talked about vulnerabilities is the Citrix bleed vulnerability, right? So, there's a lot of talk and scare regarding this vulnerability. And so, customers, and rightfully so, are pretty paranoid around activity around that. So, just the other day, we were able to see activity that suggested Citrix bleed was being exploited and the customer was able to call in and contact us again immediately to figure out what next steps they were able to do.

We were able to quickly talk them through some things that they can do to curtail this activity early before it spreads. And so, we were actually able to contain this incident before the threat actors were even able to get access to anything. And this is really important because the most common end result of exploitation of Citrix bleed so far has been ransomware or essentially these smash and grab situations where they get access, rapidly steal some data and threaten to ransom it back to the customer.

We were able to get involved in this and prevent this before it even got that far. And so again, we were able to save the customer a lot of time and pain just from being able to see it, interact and respond so quickly.

Sally: That's brilliant. Such a tangible example. I love that, Matt. That's brilliant. And there's literally a report just came out from UK government and ransomware was coming up again, obviously, as a perennial challenge, but looking at some of the other impacts and changes, for example, around extortion techniques and things like that. So, what a timely example of getting in before that situation occurs, if you see what I mean. But also, you're saying that saving in terms of time, resources, etc. It's such a powerful example of changing the narrative of investment in securities around the cost of insecurity and in this case that time saved by working through in that way and that type of investigation so it always rounds such a great example but I love that and in terms of feedback too I was only looking at this morning, Forrester, obviously great, great example of a kind of third party and a trusted within us in terms of assessment of these types of things. Their MDR report that came out very recently too, again, great feedback there and leader status again for Secureworks. And I love the fact this time of year is the end of school report type of things, but very much top marks around things like time to value really come across in our conversation today, Matt, but also things around like your dashboard reporting, price transparency, which I think is absolutely important for everyone, but also around the managed investigations. And again, I love the fact you've brought so many examples of that to the fore in such a short period of time today. So, congratulations on that as well. I thought it might be a nice way to end the feedback on what you're doing. Cause again, literally just out, I think the last week.

Matt: Yes, that's really awesome. So, we really do appreciate when organizations like Forrester try and highlight things like that. For us, we try not to rely on reporting like that, and we like to show proof in our work itself. While we love seeing accolades from customers, the true win for us is just being able to provide value to our customers, and that's what we value.

Sally: I love that. I love that. And that's part of the reason I mentioned it, Matt, because I really appreciate the approach that you take towards that. And I hadn't seen that much shared about it. And I thought, you know what? I'll bring that in as a way to end it. Cause I think that's really, really well merited. And again, you let, you get the stories, do the talking and the examples. Like I say, ones I've shared myself, that really is the best demonstration by action, isn't it? It really is. So brilliant stuff. I know we're out of time, but Matt, thank you so much for dropping by today. It's been a fantastic episode of Let's Talk SoC, and thanks so much for all you're doing with your team. And it really does take that village, that complementary strengths, those skills, and obviously the technology we're brought to the fore today, all coming together to make a difference. So, thanks for all you're doing!

Matt: Hey, thanks for inviting me! I'm happy to talk about Taegis. Thanks so much!