Let's Talk SoC

Proactive Threat Hunters: Changing The Face of Managed Security

Episode Summary

Managed security services are evolving rapidly in response to radical changes in the cybersecurity landscape. In this episode, we talk to Ajay Bhardwaj, General Manager of the Secureworks® Managed Security Services Program. Ajay explains how the unprecedented pace of change has shaped a need for more innovative and proactive managed services, including managed detection and response. He takes us through the must-have tools and technologies that MSSPs need to deploy in order to reduce alert fatigue, increase intelligence, and proactively hunt down threats. Openness and collaboration are also key take-home messages, not just in technology but throughout the cybersecurity ecosystem. Join us to discover how new and improved managed security services can help customers safeguard their systems.

Episode Transcription

Secureworks Interview with Ajay Bhardwaj.

Sally : Hi everyone, and a very warm welcome to Let's Talk SoC, a special episode today on the future of efficient and effective SecOps for MSSPs. And to dive into this very important topic area, I'm delighted to be joined now by AJ Bhardwaj, General Manager for the Managed Security Services Program at Secureworks. Welcome, AJ.

Ajay : Thank you, Sally. Great to be here.

Sally : Oh, my absolute pleasure. And perhaps a great way to start off is just a little bit of an intro to yourself and your role. And then we can dive into kind of how the world has changed, particularly over the last five years in this particular area.

Ajay : Yeah, of course, I'd love to. So I've been with Secureworks now for the past eight and a half years. I started out actually in consulting. So I led our consulting practice across EMEA. And it was only in the last year that I took on the role of general manager for our MSSP practice. And the reason that it excited me was because it was a new path for Secureworks to really drive our channel program. And the opportunity with our new platform to really support and help other MSSPs was just fantastic. So that's why I took on the role and I'm now running the global MSSP practice.

Sally : Superb, I love that, and I love the fact you also brought that ecosystem support for one another out right at the start as well, I love that. Brilliant stuff! Because I'll tease that up with kind of how much has changed, and really I think five years is almost too hard a place to start given what's happened in the last 18 months or so, but perhaps we can do that kind of macro lens: what has been the biggest influence on managed security services for you? What's changed the most?

Ajay : Yeah, that's a great question, Sally. Thanks for asking. If we go back five years, the world was a very, very different place, as you just called out, right? We've had COVID since then, so things have just massively changed. Even the fact that we have Teams calls now, and I don't know whether you remember, but the Teams calls just a few years ago where you could have one or two people on them. Now you can have multiple people on those calls, right? And everyone's hybrid working, so a very, very different environment. So, a less complex world five years ago… So what we had our MSSPs working with, and Secureworks is absolutely in that domain too, we were using SIEM platforms, and we built our own SIEM platform called CTP. And that was the de facto standard. Now a SIEM platform, a security information and event management platform, is one that's hugely complex, but it's very reactive. And that was fine a few years ago. So, it was steeped in reactive monitoring. So, they've been called bell-ringing services, they've been called alert services. So, a huge amount of alerting, and you're working with the facts after they've happened, and when you talk about the numbers of alerts, one of the things that SOC analysts across the board would deal with was alert fatigue. You just get so much coming at you and you have to deal with this over and over again. The other thing that we noticed as well was that analysts would have to swivel seat to other environments. So that means that they weren't working in one tool, they're working in multiple tools and having to swivel seat between those different tools to be able to get to the right answer. Now that's a lot of manual intervention. So, that's prone to error too. Then the last thing is with these SIEM systems, there's a lot of configuration. So a huge amount of configuration. Now let's fast forward to today's world. We're in a much, much more complex environment. We've got a lot more things to think about, a much more complex world and therefore an IT environment that's much more complex as well to deal with. So, working from home, investment in the cloud, network connectivity paradigms, new endpoint devices, all of that has to be dealt with. So it's a very, very different environment. There are new threat vectors. As the threats become more widespread, the attacks come from a number of different threat vectors and we have to be knowledgeable about that. And then lastly, because of this more complex environment, our adversaries have become much, much smarter and we have to be able to deal with that. So, that's what I would say the main differences are between where we were five years ago and where we are today.

Sally : Oh, superb overview there, AJ, honestly that's great. I love the fact you took it from different areas as well. So, from a technical standpoint, for example, what you mentioned there about that swivel seat thing, it's so, so interesting, cause you've kind of got two ends of the spectrum, haven't we, with that, but also like sprawl, you know, when it comes to certain tools and techniques as well. So, really interesting areas like that, but also some of the training needs, to centralise working, different forms of convergence, so from a technology perspective, but also things like IT and OT convergence, and…

Ajay : Yeah.

Sally : …quite frankly, the scale, the scope, the sophistication of threats, and their endpoints aren't yours anymore, so to speak, isn't it? So really, really interesting…

Ajay : Absolutely.

Sally : …plus bad actor collaboration as well. I always like to mention that,

Ajay : Yes.

Sally : …because I think sometimes that's overlooked,

Ajay : That's a great point.

Sally : …but actually it's helped bring a lot of old threats back, you know, like SS7, for example, in telecoms. So, really, really interesting examples, and it sets the stage, I think, about why we need support in this particular area. So, focusing on that, kind of what good outcomes look like for customers, why do you think it is important today for MSSPs to really look at transforming their tech stack, to really better support and enable their SecOps teams?

Ajay : I sort of call out five categories for this, and I'll just call them out first, and then I'll summarize, and then I'll go back and get into more detail. So the five things that I call out are having an open platform; the second one is reduction of alert fatigue that we talked about earlier for our analysts themselves; world-class threat intelligence, so actually having a platform that has that intelligence built in; the ability to threat hunt, so proactively hunt all of the time; and then lastly, understanding what the tools, techniques, and procedures are that our threat actors are working with so that we can map to those and understand how to best manage them. So, let's go back. So, firstly, an open platform. Again, we've talked about the pace of change. We've talked about how much more complex the environment has become. Well, as a result, what we're having to do is build a platform that is as open as possible so we can work and build that ecosystem, as you called out earlier, Sally. It's a great point. Having a broader ecosystem that can integrate other like-minded partners to drive a broader, much deeper understanding of that threat and then, you know, work against it is absolutely key. So having an open XDR platform is key. Secondly, reduction of alert fatigue. As I mentioned earlier, MSSPs in the past have suffered from masses of alerts coming in. So, having a high-fidelity platform that they can work with, really where they're only working with what the true positives are, right? Where we really, really need to focus, rather than having these massive things that they have to talk through. So that's important too. Thirdly, I talked about world-class threat intelligence, and that is absolutely key. Having context for what you're doing and how you're building and understanding the threat is really, really key. It's not just about the specifics of the threat that's coming in, but it's what context that is positioned in, and that becomes key too.

Hunting, I talked about threat hunting, and this is a new phrase I've just brought in, so I just want to make sure that we're clear on it. Think about hunting as a proactive engagement. We talked about MSSPs and SIEM platforms previously having a very reactive approach to threat. So, it's almost after the deed is done, and then you're having to go backwards and then have a look at what's happened. Threat hunting is about really taking that detective capability and driving a much more forward-looking, proactive investigative approach. So, looking at clues, hunting for those clues around the system and having a system that provides clues that are connected so that you can actually get to the right outcome at the right time, before perhaps the breach has taken place, and that's really, really key. And then lastly, I also mentioned tools, techniques and procedures. Well, these are changing all of the time and it's really, really important that we keep on top of them. So, making sure that there's a mapping to things like the MITRE ATT&CK framework that really draws these out, describes them and is therefore something that you can use to map against what tools are being used, what techniques are being used, what procedures should be used, and then working through the threat in that way.

Sally : Superb. Honestly, that's excellent. Honestly, such a level of detail, of course, on all those five elements you mentioned there. I'm just thinking about what I'd like to pick up on, and probably what you said about context in two different areas. So one leads me onto another question, but the other one is just about what you said about the knowledge sharing and the level of research that you're helping to support, and again, it links into ecosystem as well, I think, doesn't it, with the power of that knowledge sharing, again getting more active intelligence to people to get ahead of some of these threats rather than looking at things retrospectively. I think that is so important, but also there's maybe another aspect to context there as well that I find interesting, which is kind of like the storytelling and getting buy-in…

Ajay : Hmm.

Sally : …about why investment in security matters, and we need to change the narrative, you know, it's the investment in insecurity that's more of a concern, if you see what I mean. So just as one example of that, one research study I was involved in recently. We put some imagery and things around this to bring it to life, but also compared it to everyday activities. We were trying to show how the cost of entry has gone down for security attacks. So as one example…

Ajay : Yeah.

Sally : …of this, we were able to drill down into all the different elements. And so, as an example, say kind of five times your cup of coffee at whatever, whatever your coffee shop preference might be, kind of five of those in a week, you've kind of got your entry level to combine your own ransomware kit, for example. So again, I think that knowledge sharing, even at that level, has another benefit too, because it builds that awareness and makes it relatable for people, whether they're directly involved in the security industry or a member of the public or somewhere in between. I think that powerful kind of narrative storytelling is also important too. So, I love what you said about all those different areas. And also that power of context leads me into the other area I wanted to go into next, which is kind of the benefits of extended detection and response and kind of that granular contextuality and the holism that brings to the fore. I think that could be very relevant there, but I will hand that back to you, Ajay, if I can.

Ajay : No, thank you, Sally. It's a great point. I think you make some really, really good points about that entry point, that price of entry into that hacker world. So yes, it's getting cheaper and cheaper to be able to do that. Five times a cup of coffee? Yeah, that's pretty scary. Yeah, no, I think, thanks for the question again. Think about now where we are in terms of that paradigm. There is so much coming at us, right? There are so many new threat vectors. There are so many new threat actors. The cost of entry, as you mentioned, has just gone down. So what we're looking for right now in new platforms is a platform that allows for an always-on hunting paradigm. So remember that paradigm that I talked about earlier, which is how do you get ahead of it? How are we looking forward, as opposed to looking rearward and seeing what happened previously? We wanna look forward to see what's coming and get ahead of the problem or the attack. So having that always-on hunting paradigm becomes really, really important. But we also talked about this complexity of the new environment. So, cloud, network, endpoints, there's so much that's proliferated over the last few years, especially because of COVID, right? So those COVID years have kind of driven a lot of cloud engagements, a lot more in the cloud. We've got a lot more endpoints out there. There are a lot of us working in hybrid environments. That means a very, very much larger, more complex endpoint environment too. So, you have to be able to manage all of those threat vectors too. You need a high-fidelity platform as well. An XDR platform has to be high-fidelity. And again, this goes back to that issue that we've got around alert fatigue. We want as much good context as we can get so that we're really focused on the problem at hand, as opposed to everything that's out there, because it's just too complex for analysts to look at all of the time. So, that becomes really important too. We talked about open architecture, and you also talked about this. And I think this is really, it's a really good point that you raised, Sally. Having an open architecture and having a collaborative environment where you're working with other like-minded vendors, that becomes really, really important too, because the adversary is getting smarter and they're starting to work together. There are bigger groups going after institutions, and we need to make sure that we're working well together as a group of companies that can come together and really provide a richer approach to threat detection and response. And then lastly…

Sally : Absolutely.

Ajay : …as I mentioned, threat intelligence. Having a really strong threat intelligence source and backing becomes really important. So, again those are the things that I would talk about that I think are really critical in today's world.

Sally : Love that, and that point of kind of coming together. I was at RSA recently and again, you know, literally that kind of metaphor of the event there, really, their key messaging was "stronger together," and some of the most powerful sessions there that we had on knowledge sharing were when you had organizations, some of which may have traditionally competed, but now it's more of a co-opetition, if you know what I mean, and coming…

Ajay : Yes.

Sally : …together looking at different elements of this, and it was so, so powerful and it got the biggest response. And you also mentioned network as part of the different layers of complexity we have today. And I literally published it this afternoon, but I've got "security starts at the network." It's kind of a new piece that I've put together, but you're absolutely right. I couldn't agree with that more strongly. And it's not an either/or, it's embedded from design from the start. So, I've kind of called it "security is the network," and it just shows that we need to go into it. We're looking at architecture, we're going to process level. All of these things make a difference, plus interesting synergies between sustainability, security and these different areas as well, I would say. So, one for another day, I know, but love that subject area. And as a final kind of takeaway, and I'd love to come back to this as well, Ajay, because there's so much more we can dive into, I really appreciate that, but if somebody's looking at this now, so particularly from an MSSP perspective, but we could go wider as well, just again it's public awareness, but they're looking for, you know, qualities from providers to help them navigate this landscape we've been describing. What would kind of your gold, silver or bronze be, so to speak, of things to look out for that might support you and be a really good kind of personal fit for your organization?

Ajay : That's such a great question, Sally. And we talked a little bit about the kind of architecture of it and what you need to be looking at from a threat perspective. But I kind of would start with, above all, an MSSP is a business, right? So profitability is key. So one of the things that I would always ask any MSSP to look for is how can they ensure that they are sustained as a profitable business for the long term? And that's really, really important. So, I think that would be one thing that I would call out, because we are in the business of securing our customers and we wanna be there for the long term. So, profitability, how do we get to profitability? That's really important. I also believe that working with a platform built by an MSSP for MSSPs is really, really important because, again, understanding what the MSSP has to go through. Things like alert fatigue, things about how to run SOC shifts, how to inspect, how to do the best from shift to shift. Those things become really, really important. So making sure that you're building, or you're working with, a platform that is effectively good for you and good for your analyst, that becomes really important. So analyst efficiency, again, really, really key, really, really important. I've talked about world-class threat intelligence. I'll say it again, because it's really, really important: "context is everything." Making sure that you are going after the threat and understanding what that context might be becomes really, really key. So, it's not just about the specifics of what you're looking at, it's the greater context. Is there something else going on? Are there trends going on? Is there something at a macro level? Is there something at a national level that you should be aware of that helps drive and inform what decisions you're going to make? And then again, at the end, I would say this, and it goes back to your community conversation. It goes back to working together to help beat our adversary. An open XDR platform, something that will truly integrate with multiple different endpoints, but also multiple different environments from, as you mentioned, network to cloud to the endpoint itself. Those things become really, really key. So, that's what I would call out as the key things that you should be looking for if you're looking at how to progress your MSSP capability.

Sally : I love that. I think that's so, so important. One final thing that you said there as well, on that community theme. So, alongside all the aspects you talked about there that really support you, from that kind of agency to act and the active, proactive intelligence that you're bringing to the fore, I also think one other area is active listening. So I've spoken to quite a few Secureworks customers as part of some interviews I've been doing, but other activity as well that I do in this particular space. And I've heard stories about where something's been fed back, and they've seen that thought become part of the pipeline, in terms of the development of solutions. So looking at that, when you're looking at different providers and different people to work with and support you in that journey, I'd also say look for kind of indicators like that as well, speak to people, get involved in those conversations, because hearing things like that, for example, for me, that's a massive kind of barometer to, well, I want to be part of that, because you can really see that you've got a pipeline there to be heard, to be listened to, and you can actually be part of that growth process as well, to really be part of that solution development. So, I love that type of more anecdotal but soft feedback, but I actually think it can be really, really valuable and really important for trust too.

Ajay : I couldn't agree more. That's a great call out, Sally, great call out.

Sally : My pleasure, Ajay. I know we have to bring this to an end, but as I often say, let's come back for more soon because it is such a timely critical topic for everybody. But I just want to say thank you so much for joining us on Let's Talk SoC today. It's been a fantastic episode.

Ajay : Thank you, Sally. Thank you so much. Really appreciate it.

Sally : Thank you very much. And for everyone watching and listening, thanks so much for joining us again. We'll be back too for another episode very, very soon. Thank you.