A new era for managed detection and response: Accenture MxDR powered by Google Chronicle
Summary
TL;DR: In this informative session, Accenture's Brent Hambly introduces a new managed service partnership with Google, aimed at enhancing clients' cybersecurity. The service merges Google's advanced security technology with Accenture's extensive experience in security operations. Hambly emphasizes the solution's adaptability to various environments and budgets, highlighting its ability to help clients detect and respond to threats more effectively. The discussion also touches on the challenges faced by security leaders and the importance of a proactive, intelligence-driven approach to cybersecurity.
Takeaways
- 😀 Brent Hambly, leader of Accenture's North America detection and response practice, introduces a new managed service in partnership with Google to enhance clients' security operations.
- 🛡️ The service combines Google's advanced security technology with Accenture's extensive experience in security operations, aiming to provide a best-in-class solution.
- 🌐 The solution is adaptable to various environments, constraints, and budgets, ensuring clients can leverage Google's technology and Accenture's services effectively.
- 🚨 The service aims to help clients avoid costly and disruptive security breaches, emphasizing the importance of proactive and efficient security measures.
- 💡 Accenture and Google's partnership brings together various security capabilities, including Chronicle security operations, Mandiant threat intelligence, and security AI workbench, among others.
- 🔍 The managed detection and response (MDR) service is built on Google's technology, offering a scalable and efficient platform for security operations.
- 🔑 Security Orchestration, Automation, and Response (SOAR) is integrated into the service to enhance response capabilities and streamline security operations.
- 📈 The service includes a centralized web portal for clients to interact with the service, access dashboards, and gain insights into their security environment.
- 🌟 Accenture's unified Content Library, contributed to by hundreds of professionals globally, provides pre-built use cases, automation playbooks, and other resources to scale security operations quickly.
- 📊 The talk highlights the importance of tracking metrics such as average time to detect and remediate threats to demonstrate the effectiveness of security operations over time.
Q & A
Who is Brent Hambly and what is his role at Accenture?
- Brent Hambly is the leader of Accenture's North America Detection and Response practice. He works with clients to help design, build, and run their security operations and choose the best solutions and partners for their needs.
What is the main focus of the session that Brent Hambly is leading?
- The main focus of the session is on cybersecurity, specifically discussing Accenture's partnership with Google and the managed service they have launched to secure their clients with advanced security capabilities.
What is the significance of the partnership between Accenture and Google in the context of cybersecurity?
- The partnership between Accenture and Google combines Google's best-in-class technology and advanced security capabilities with Accenture's years of delivery experience in security operations, offering a managed service that is adaptable to various client environments, constraints, and budgets.
How does Brent describe the challenges faced by security leaders today?
- Brent describes the challenges faced by security leaders as managing both the modernization of security and dealing with technical debt. They are tasked with securing new assets and technologies rapidly adopted across the organization, often without being involved in the planning process or having the budget to handle it.
What is the role of Managed Detection and Response (MDR) in Accenture's security services?
- MDR is a key part of Accenture's security services, providing clients with a platform that delivers 24/7 service, utilizing people and technology to be proactive and scalable in understanding the threat landscape and applying that knowledge across their client base.
What does Brent emphasize as the most important aspect of a security leader's job in detection and response?
- Brent emphasizes that the most important aspect of a security leader's job in detection and response is prioritization. They need to understand what matters and what doesn't to effectively manage their efforts and resources.
What is the significance of the Chronicle Security Information and Event Management (SIEM) capability mentioned by Brent?
- The Chronicle SIEM capability is significant because it allows for the ingestion of all security-relevant data and makes it searchable at sub-second intervals, providing a fast and responsive platform for clients to hunt and explore their own data and collaborate with Accenture's service.
What is the role of Security Orchestration, Automation, and Response (SOAR) in Accenture's service delivery?
- SOAR is an integral part of Accenture's service delivery, helping to enrich the understanding of incoming threats, accelerate response, and improve case management workflows within a Security Operations Center (SOC).
How does Accenture's managed service differ from other managed services in terms of collaboration with clients?
- Accenture's managed service differs by offering a collaborative process with clients, allowing them to actively participate in the service and make their own conclusions, unlike many managed services where the process can be less collaborative.
What is the importance of the unified Content Library that Accenture has developed?
- The unified Content Library is important because it contains pre-built use cases, automation playbooks, reporting dashboards, threat hunt data models, etc., which can be immediately scaled in a client's environment, providing practical value and accelerating the activation process.
What are the two models Accenture offers for its managed detection and response service?
- Accenture offers a full stack model, which includes their platform and people providing 24/7 support globally, and a hybrid model, which allows clients to use their own platform while still benefiting from Accenture's managed service.
What is the significance of the generative AI capabilities that Accenture is leveraging?
- The generative AI capabilities are significant as they help Accenture scale their operations and improve the quality of their service delivery rapidly, providing an assistant to security operators to help them through investigations and reduce response times.
What is the purpose of the security AI assistant that Accenture is developing?
- The security AI assistant is being developed to help security operators be more effective and efficient in their work by providing prioritized actions, quick responses, and confidence in the actions taken during an investigation.
What are the key factors that Accenture considers when selecting a partner for detection and response services?
- Accenture considers factors such as the provider's ability to detect threats, the value they place on intelligence, their alignment with the client's industry, their understanding of the client's business, their ability to serve the entire enterprise, and their approach to keeping costs down year to year.
How does Accenture's approach to threat intelligence differ from other providers?
- Accenture's approach to threat intelligence involves a structured conversation with clients to understand their threat landscape, prioritizing content and rule sets based on the threats, and advising clients on the benefits of a threat intelligence platform, including the importance of organic or original threat intelligence.
What is the significance of the 12-step process of decomposing threat actor activity mentioned by Brent?
- The 12-step process, likely referring to the MITRE ATT&CK framework, is significant because it allows for a more effective defense by understanding the specific stages of an attack and how it typically plays out, enabling better detection and response strategies.
How does Accenture plan to leverage generative AI in its security operations?
- Accenture plans to leverage generative AI to scale its operations and improve the quality of service delivery rapidly. This includes building its own security AI assistant and utilizing models from the Vertex AI ecosystem to assist security operators in their investigations and decision-making processes.
Outlines
😀 Introduction to Cybersecurity Session
The speaker, Brent Hambly, leader of North America detection and response practice at Accenture, warmly welcomes the audience to a session on cybersecurity. He emphasizes the importance of making good use of the audience's time and hints at a Q&A session later. Brent shares his background in Aerospace and defense, a startup, and his current role at Accenture, highlighting the partnership with Google. The session aims to discuss challenges, decisions, and recommendations for a resilient cybersecurity approach, using a scenario of a breached cloud environment to illustrate the urgency and impact of cybersecurity incidents.
🛡️ The Challenges of Modern Security Leadership
This paragraph delves into the difficulties faced by security leaders, particularly in the context of rapid digital transformation and the pressures of a global recession. Brent discusses the struggle to secure and manage new and existing assets without adequate resources or involvement in the planning process. He touches on the complexity of tasks such as container management, privileged account lifecycles, and data workflow mapping across SaaS applications. The paragraph underscores the need for security teams to be efficient and adaptive, balancing the modernization of security with dealing with technical debt.
🤝 Accenture and Google's Partnership for Enhanced Security Operations
Brent introduces the partnership between Accenture and Google, which aims to revolutionize security operations through a managed service. This service combines Google's advanced security technology with Accenture's extensive experience in security operations. The goal is to act as an extension of a client's security team, improving their security operations by accelerating the remediation of vulnerabilities and reducing risk. The paragraph also highlights the integration of SOAR (Security Orchestration, Automation, and Response) as a fundamental part of the service delivery, emphasizing the maturity and effectiveness of this capability in response and case management.
🌐 Comprehensive Managed Detection and Response Service
The speaker provides an in-depth look at the managed detection and response service offered by Accenture and Google. The service utilizes Google's Chronicle technology for data ingestion and correlation against broad threat intelligence, maintaining a fast and responsive platform. It also includes a centralized web portal for service interaction and a unified Content Library with pre-built use cases and automation playbooks. The service is designed to scale with client environments, offering an all-you-can-ingest model without penalties for deeper learning and data ingestion.
📈 Advancing Security Operations with Intelligence and Adaptability
Brent discusses the importance of intelligence in security operations and how understanding the threat landscape is crucial for prioritization and effective defense. He outlines a structured approach to understanding the threat actor's tactics, techniques, and procedures (TTPs) and aligning them with the client's industry and environment. The paragraph emphasizes the value of original threat intelligence and the benefits of sharing internal lessons learned with partners like Accenture. It also introduces the concept of tracking improvement over time through the MITRE ATT&CK framework to demonstrate increased security effectiveness.
🚀 Leveraging Generative AI for Security Operations
In this paragraph, Brent introduces the integration of generative AI into Accenture's security operations, aiming to scale and improve the quality of service delivery. The company is developing a security AI assistant to support security operators in their tasks, focusing on prioritization, quick action, and ensuring the right measures are taken. Accenture is also working on modules for incident response reporting and language translation to cater to global clients, showcasing the application of generative AI in enhancing security operations.
🔧 The Importance of Adaptability and Partnership in Security
Brent concludes the talk with a focus on the necessity of adaptability in the ever-changing landscape of technology and business. He emphasizes the importance of having a partner that can adapt to changes such as acquisitions, divestitures, new business lines, or geographic expansions. The paragraph also serves as a guide for selecting a partner in detection and response, highlighting factors such as threat detection clarity, intelligence value, industry alignment, comprehensive enterprise service, and cost efficiency. The speaker invites challenges and questions, showcasing confidence in Accenture's approach and the benefits of the partnership with Google.
Keywords
💡cyber security
💡managed service
💡security operations
💡digital transformation
💡threat intelligence
💡Chronicle
💡MITRE ATT&CK framework
💡generative AI
💡Security Orchestration, Automation, and Response (SOAR)
💡hybrid model
Highlights
Introduction to the cybersecurity session with Brent Hambly, leader of North America detection and response practice at Accenture.
Accenture and Google's new managed service offering aimed at securing clients with best-in-class technology and advanced security capabilities.
Brent Hambly's background in Aerospace and defense, and his experience in a startup, shaping his approach to cybersecurity.
The importance of a secure-by-design approach and the challenges faced by security leaders in the rapidly evolving digital landscape.
The impact of a global recession on security funding and hiring, causing a freeze on projects and growth for security teams.
The need for security operations to be proactive, efficient, and adaptive in the face of technological change and budget constraints.
Accenture and Google's partnership to reimagine security operations as an extension of a client's security team, enhancing detection and response capabilities.
Integration of SOAR (Security Orchestration, Automation, and Response) as a fundamental part of Accenture's service delivery.
Chronicle's SIEM and SOAR capabilities combined to provide a superior and highly responsive managed detection and response service.
Benefits of the Chronicle platform, including its rich integration ecosystem, performance, scalability, and user experience.
Accenture's Global Content Library, offering pre-built use cases, automation playbooks, and reporting dashboards tailored for various industries.
The flexible integration model of Chronicle, supporting over 400 integrations and custom solutions for unique client environments.
Accenture's approach to security operations, emphasizing the importance of intelligence and adapting to the client's specific needs and tech stack.
The use of generative AI to improve the quality and efficiency of Accenture's security operations and response capabilities.
Upcoming launch of Accenture's security AI assistant modules for incident response reporting and language translation to support global clients.
The importance of tracking and improving detection and remediation times as key metrics for demonstrating the effectiveness of security operations.
Closing thoughts on the necessity for security providers to adapt and evolve with their clients, ensuring long-term success in cybersecurity.
Transcript
Hey, coming through okay? All right, great. Hey, good afternoon and welcome everyone. I really appreciate you being here. I hope you're having a good time here at Next, and this is going to be a good session. Whether you had this penciled in to your agenda when you downloaded the app, or whether this is the consolation prize for the Mandiant event filling up, I'm glad that you're here and I hope to make good use of your time. So we're going to have a good conversation about cyber security. I will hopefully have enough time for questions at the end; we'll see how quickly we get through it. I definitely appreciate any engagement that you have or questions you have. Please be thinking of them; happy to answer them at the end.
So my name is Brent Hambly. I am the leader of our North America detection and response practice, so I have the privilege of working with clients every day, helping them design, build, run their security operations and choosing the best solutions and the partners to do that with. I'm really happy today to be talking about our partnership with Google; it's going to be a wonderful time. Just by way of background, I spent the first 10 years of my career in aerospace and defense, so learning first hand what a well-resourced and a very determined adversary can do and how they can make your life very miserable, learning a lot of lessons through that and helping secure clients from that. I then spent time as employee number seven at a startup. It was a wonderful adventure in my career, being able to kind of share all those lessons that we had learned in a very difficult environment to defend in, aerospace and defense. And then I have the approach for the last four years of being a part of Accenture and leading our North American detection and response practice. So I'm happy to be representing the team here. I stand on the shoulders of a lot of great people; some people are here who have helped build the solution and really work together on this partnership that we have with Google.
So we're going to move fast and cover a lot of ground. I know our time is going to go quickly. If you have one thing that you take away from the session, understand that Accenture and Google recently launched a new service to be able to secure our clients. It's a managed service that allows us to provide the best-in-class technology and advanced security capabilities of Google and the years and years of delivery experience that Accenture has in security operations, and bring those two things together and deliver the value to our clients. And it's a very adaptable solution, so whatever your environment, your constraints, your budget, usually we can find a way to make that work for your environment and have you leverage the best of Google's technology and Accenture services.

But before we get started, I want to share a little bit of perspective, or maybe just ground us a little bit in terms of where we're at. So if you're looking at this image, I hope it's peaceful, it's a relief. It could be Friday. You know, this could be you on Friday: you're energized from the sessions at Google Next, you have great plans for Labor Day weekend, you have your calendar clear, your out of office is set, and just before you get out of cell range you get a call and it's your CIO, and they're frantic. So this is not a good start to the conversation. And they tell you that your company's cloud environment has been compromised and the digital platform that helps you generate 80% of your revenue is down, and as the head of security they need you back at the office as soon as possible, immediately, for as long as it takes to respond and recover from that event.

And so obviously this is not a situation that we ever want to find ourselves or our colleagues or a loved one in, having to sacrifice their PTO to go in and handle a catastrophe in the office. I think a lot of what we're trying to do with this partnership between Accenture and Google is help save our clients the pain of that and really help them leverage some of the best practices here. So we're here to talk about those challenges, the decisions you can make today, and some of the recommendations that we have for you to have a resilient approach to cyber security.
So, you know, why are we here? I think a lot of that question is baked into the fact that we agree on the principles of secure by design, secure by default. That would be great if that's how everyone operated and that's how all of our solutions were. I think hopefully we all share an understanding of the business value of cyber security: that it is the number one business risk and that it is a consideration on the minds of not only the practitioners in the field but the board of directors, right? But like brakes on a car, the better we secure our assets, the faster our business can move.

And just to share a little bit of perspective on what it means to be in security, if that's not the hat that you wear: it's a really difficult time for security leaders. As businesses have grown rapidly and we've recognized the value of digital transformation, which is undeniable, it's put our security leaders in a really tough spot, because in addition to managing all the things that have not been modernized yet, they're also responsible for the things that are being rapidly adopted across the organization, and sometimes they weren't involved in the planning process and sometimes they weren't afforded any budget to be able to handle that. And whether it's securing your container runtime environment or managing the life cycle of a privileged account or mapping your data workflows across your SaaS applications, it's really tough out there. It's a lot to keep track of as a security leader.

And it's been particularly rough for security leaders because just as we were kind of gaining traction and momentum and being able to be properly resourced and get our budget requests fulfilled and get our projects activated, the threat of a global recession basically froze our funding and our hiring. So instead of kicking off those projects and growing our team as we always had hoped to when we finally got the support top to bottom for what we're doing, we're stuck in a freeze. And we're starting to emerge from that, but it's been a really tough time, and I think that as security teams we're always looking for every advantage that we can get in that situation to be efficient stewards of our investment. So to put it simply, we're solving for secure modernization while also dealing with our technical debt, or we're paving the road ahead of us while we're also filling the potholes behind.
And to put a finer point on it, and very relevant to this talk, digital transformation has been really disruptive to security operations. Security operations is kind of the heart of the security program; that's where the rubber meets the road. It's where we determine whether we are going to be successful or not in reducing risk to the enterprise, very kinetically. And the dilemma that we have is we're often the last to find out about changes in the enterprise, whether it's new assets and new technologies that we're adopting, but we also don't always have the business context for what these assets mean. And our job in detection and response is all about prioritization; that's the only way we succeed. We're not going to get to the bottom of the stack, we'll never get to the bottom of the inbox or the queue, so we really have to prioritize our efforts. And so the most important thing that we have is insight into what matters and what doesn't, relatively speaking, and the pace of digital change has not made that any easier.
So what are we to do about this? When I talk with clients about their challenges, and we talk about whether it's their budget stagnation or the fact that they can't hire or the fact of the technological change in the enterprise, we have a discussion on: what would it take? What would it take to see across your enterprise? What would it take to understand the threat and accelerate the response to threats that we know about in our environment? What would it take to be proactive in defending against adversaries? And today I really want to share with you the solution that Accenture and Google have partnered on to be able to help you achieve these goals.

So simply put, this is a breakthrough moment for detection and response for both Google and Accenture. We are partnering on the capabilities from both of our firms to be able to reimagine how security operations can be, and really, as a partner in security operations, how that can be an extension of your security team within your enterprise, and also how that can be used to not only just deliver the service that you signed up for but actually improve your security operations: how are you remediating vulnerabilities faster, how are you reducing risk faster, what do you understand about the threat environment. We're bringing those capabilities together.
And so this is where I think a lot of the important details are. This is where you'll get the first sense of, well, what is he really talking about, what is the solution that Accenture and Google have partnered with? And so we started the partnership back in April; it was RSA, right here. And it was based on a shared vision for making our clients more secure overall and a more secure future for them, but it's also a recognition of the unique value that we both bring to the table and the synergies that our clients are going to get out of the partnership. Accenture is the largest security services firm in the world. We're also the leader in managed detection and response, so this is what we do and this is our specialty, one of our many specialties across the environment. And we're serving thousands of clients globally, and we've done this for over 25 years. And so Accenture MxDR is a platform that we use to deliver that service 24x7 for our clients. It's our people, it's our platform, working around the clock for them, never sleeping, always being available to them, and really being proactive and scaling out what we know about the threat landscape and being able to apply that across our entire client base.
And MxDR is now powered by Google's technology, which is really exciting for us. This is a huge turn of the page for us, because of what Google has done with their security business: the acquisitions they've made, the integration that's happened between the acquisitions, the way that they're offering that up in their go to market. I hope a lot of you are excited by what you heard in the keynote about Duet AI and Vertex AI and a lot of the different capabilities that they're bringing to the table, and certainly Kevin Mandia's talk; there's a lot of excitement around those capabilities. And so whether you look at Chronicle Security Operations, or you look at Mandiant's threat intelligence or breach analytics, or you look at VirusTotal, or you look at some of the capabilities coming in Security AI Workbench, or some of the foundational capabilities we can use to build a really good service in BigQuery, how do we search our data at scale, and our dashboards in Looker, right, these are the capabilities that we're building this service on and offering to our clients, because it's going to be a superior solution for them and it really allows us to take a different approach to detection and response.

And really to bring this all together: this is busy, I know, and I'm going to spend a little bit of time on it, but this is really what great looks like in managed detection and response. This is what you hope to see and feel and experience from a service provider, and transparency in how they kind of put together their service and what works in that environment. So as you move left to right, we're going from identifying threat activity to determining a plan of action to acting on that, and we're doing that through Google's technology. So we're using the Chronicle SIEM capability to ingest all of your security relevant data, bring that all to the forefront, be able to correlate that data against not only our intelligence but also what we're seeing across the broader threat landscape.
We are keeping 12 months of hot data searchable at sub-second intervals, so really fast and responsive times; no more 10, 15 minute queries that run and hang. This is an extremely responsive platform. It's brilliant, it works great, whether you're a service provider like Accenture or whether you're in the practitioner chair; it's a great experience. And we're also exposing that capability to our clients so they can hunt at Google speed in their environment. They can explore their own data, they can make their own conclusions, and they can collaborate in the service with us, and that's not true of many managed services. For those of you who have delivered that, it's not a very collaborative process, so I'm really excited about that.

In addition, we're really integrating SOAR as a fundamental and integral part of how we deliver our service. So SOAR, security orchestration, automation and response: that capability has been around for a few years. Some of you may have it up and running and are loving it within your environment, some of you may have tried it and didn't find much success with it, and some of you may have yet to explore it. But this capability has finally come to maturity, and the way that Google has integrated their SIEM and their SOAR capability makes it a value add from the perspective of response and the speed that we can generate from it. So not only do the products fit together and work well together, we're actually delivering the service together on it; we're basing our success on the efficiency of working together with both of those solutions. So this is the way that we deliver that service, and not only is it a tool that's going to help us enrich what we're seeing coming in, respond to threat activities, and really work with our clients on how we want that to flow in their environment, but we're also able to use it for case management, so how we actually go through the workflow in a SOC. Having both of those capabilities together is fantastic, and for those of you who have experienced the pain of multiple panes of glass and having to swivel seat from one tool to another, this makes it extremely simple to be able to understand your environment. And so we're really excited about bringing Chronicle SIEM and Chronicle SOAR together.

And we're also leveraging a lot of the other great capabilities from Google. So when we talk about Mandiant threat intelligence, having that incorporated into our platform along with Accenture threat intelligence is a really strong capability. You're getting two of the world's leading providers of threat intelligence in one platform, and I think that that's such an important value proposition, because when you say the name Mandiant out in the field, and for the uninitiated, you know, there's very few who don't recognize the value, and if you do recognize it you know it's top tier, you know that's going to be an exceptional capability. We're able to bring that together in the platform.
We also want to hit on a couple of points here. One is that this is an all-you-can-ingest, all-you-can-consume kind of model, so you're not penalized for learning more about your environment and ingesting more logs. That's very exciting if you've ever had to pay by the terabyte; you know that can get very expensive very quickly. There are different kinds of pricing models that can be applied; our fully managed solution is all-you-can-ingest, and it's based on the number of nodes in your environment. As your environment grows, we will grow with you, but you're not penalized for learning more, for ingesting more, for understanding more security-rich context about your environment. That's more that we can use to help keep you secure.

We also have a centralized web portal that we're building. That's a common way to interface with our service, and there's nothing really revolutionary about that other than you're able to consume our service, interact with our analysts, see your dashboard, understand your environment, what our relatively high risks are, and what we need to be concerned about. It's also based on your persona, so you could have your CSO log in and be able to see all the relevant dashboards for him or her, and you can also have your analyst log in and find out where we left off in the investigation and what the first thing I need to be doing now is. So that web portal is going to be that single source of truth.
Maybe the thing that I'm most proud of, as an Accenture Security employee, is that we have a unified content library that is tailored for industry and is also actively contributed to by hundreds of professionals globally. What this means is we have pre-built use cases, automation playbooks, reporting dashboards, threat hunt data models, etc., so these are things that we can scale immediately in your environment. So the experience as a new Accenture client would be: we understand a little bit about your environment, we activate your instance of Chronicle SIEM and SOAR, and that is, quite frankly, a pretty quick and straightforward process. Your data stays where it belongs, in your own tenant environment, segregated from all other data, but we also apply all the indicators that we're extracting so we can better defend you and our other clients. That whole process, end to end, can be activated very quickly through this content library.

When you think about managed security operations, for those of you who have gone really deep into it and know it from the inside out, you understand there are fully managed solutions, and then there might be a one-off: maybe a client has a special environment with special requirements, so the provider is going to build a custom environment for them, and what that looks like is maybe their own instance of technology, and then we come as a service provider on top of it. A lot of those teams operate independently; they're really not connected. They're doing the service for the client, but they're not really working together and scaling across. This announcement with Google, not only platforming our MxDR solution on Google technology, also gave us the opportunity to pull together our global content library from across our many delivery centers globally. We have 20 global SOCs and cyber fusion centers; pulling all that together allows us to bring that to bear for clients. So that's really exciting, that's practical value for you as a client, and you're going to get that immediately from the solution.
To take it one step further, I don't know how familiar you are with the architecture behind Chronicle. Maybe you've tried it a few years back, or relatively recently, or maybe you've never seen it before. But I think the most important thing about Chronicle is the speed at which we can get value from it and its flexible integration model. So when our clients ask us "why Chronicle?" (certainly we work with other providers and platforms, but why Chronicle?), we share a point of view because of a number of very specific capabilities. One, it's got a rich integration ecosystem: over 400 integrations are available, meaning odds are that whatever is in your environment, Chronicle is going to natively support it, and if not, we'll build parsers with Chronicle engineers to be able to support that environment. That's one point. Then you look at the performance and the scalability of the environment: it's hard to argue with the responsiveness of the search and how fast it can horizontally scale. We're also looking at the human factors: how do you interact with the platform, is that a good experience, or is it an experience that you'd rather not have but you'll live with it? We want our clients to be delighted by that experience and really see that responsiveness. But really, above all, with Google's vision for how they're growing their security practice and their security technology, and the vision that they have on making their clients more secure (all their products are security first), we really have great confidence that their solution is going to grow as our needs grow for our clients. Working directly with Chronicle engineers on building the solution out and helping that scale to Accenture size (we have hundreds of clients globally, and we do many, many engagements across all of our delivery centers), this is going to scale with us. So that's a really exciting part: to know with confidence that as a client you're going to get a great experience, and you're going to get a solution that scales with your experience.
To put a little bit of reality on it: we fully recognize that clients have investments that they've already made and platforms that they may already be very happy with. So maybe, if you're one of those clients, you don't necessarily see the value in what we're doing here, because this is a Chronicle-based solution and you've already chosen what you want to do. Or maybe you are one of the clients that has very specific requirements on what you need to do, whether your data needs to stay in a certain region of the world, or you have some regulatory restrictions on who can touch the platform, and things like that. There are solutions for each client, and that's one of the key messages that I want to address: whether you are more aligned to one of the two models. The two models are: on the left, our full-stack model. That's our platform, our people, 24x7 support, globally delivered. Based on the scale, we can offer that at a really great price point, so that allows us to achieve the most value for clients. It's typically what we want to lead with in our discussions, unless there are some driving requirements that would cause you to need or want your own platform, in which case we're happy to work with you on that. That's the solution on the right, which is hybrid. For the sake of being at the conference and presenting this material, you can insert your own vendor names into the other SIEM and SOAR products, but these are the reality of the environment that we're in, and we're never going to go into a client environment and require them to replace what they already have that might be working well for them. But we do want them to benefit from the managed service that we can deliver for them, and we do want to make this as easy as possible for them. So really, that middle slice, that SOAR integration layer, is what is really special about the service, because that is a layer that allows us to bring our content library, our service delivery, everything that we know about the threat landscape, directly to a client without them having to re-architect their environment. So this is an approachable solution: it's straightforward to onboard, it's straightforward to utilize, and we can configure the solution for our clients and really work with whatever the tech stack is in the environment. Many clients have multiple SIEMs for different reasons; that's fine, we can use that SOAR integration layer to cut across all of that. I think that might be a value-added capability that you either have to build yourself or is tough to find in the market, because I don't know too many of the SOAR solutions that can really do a good job of centralized security monitoring with multiple security platforms that you have to pay attention to.
Thinking ahead, I think I've shared enough about what the overall solution is and the flexible ways that we can deliver it. I want to leave you with, hopefully, a little bit of value in terms of what good looks like in security operations and ways that you can advance your SOC regardless of your tech stack.

When we look at what success looks like in security operations, all roads point back to intelligence. This is what we understand about our own environment; this is what the experts at Mandiant and Accenture and other threat intelligence providers tell you about your environment, in terms of whether or not you're secure, whether or not you're at risk. But really, if you can align on business value, and you know from the top down what the valuable assets are, what the valuable business processes are, what aspects of the network are particularly sensitive, what our really sensitive subnet ranges are; when you can understand all of those things together, you have a good perspective on the threat landscape, because you know your business, you understand your industry, and you understand the adversaries that typically target your business and your industry. You understand the vulnerability posture of your organization, and all of that is able to be integrated into the platform, and you understand through your own analytics what you're experiencing and seeing on your network today. When you can bring all that together, that's truly leveraged intelligence; that's applied intelligence.

When we have the conversation with our clients about what intel means to them, they may have a very prolific answer to that, or they may be struggling to respond: "I don't know that we've really figured it out; it's a feed that we have, and when it dings we pay attention, but we don't get much more out of that." Whether you're in either of those camps,
where we start with our clients is a structured conversation on helping them understand their threat landscape, and so, left to right on the bottom of this graphic, is really how we have those conversations. We take a threat actor and we understand their way of operating, their tactics, techniques, and procedures, or TTPs, and we help the client understand that based on their industry, based on their environment. If they can name an APT group or an adversary that they want to target, we can tell the client what we know about that and help them work through it. What that helps with is prioritizing the content that we have and prioritizing the rule sets that we configure for them. Again, it's all about prioritization. If we're building in the right direction, because we're starting with the right content foundation in our SIEM and SOAR technologies, and if we are aligning our capabilities, in terms of our response processes, in the right order of operation based on the threats that we see, we can be very successful, and we help our clients stratify on that, so we put that in a priority order. Finally, we help advise our clients on the benefit of a threat intelligence platform, because whether it's Accenture-provided or it's another threat intel platform that's provided in the market, this is really where a lot of that comes together and you start making this real for your enterprise.

I like to think about it this way: other organizations may know a lot about you because they are scraping the internet and scraping the dark web and dredging up all of that intelligence that's relevant for your business. The one thing they can't see is inside of your enterprise, and that is where some of the hardest and most important lessons learned are, and you have to have a way to memorialize that within your environment. So when we think about threat intelligence, organic or original threat intelligence is some of the most valuable that we have, and we'd advise you to certainly collect that, use that, tell stories about that in your environment; I mean, talk about why that's important and why you never want to experience that kind of incident again and what you learned from it. But also, if you can share that back with us as a partner, we can be more effective in preventing you from experiencing that and preventing our other clients from experiencing that, in a way that protects your privacy. When we can do that across our hundreds of clients globally, that's a really powerful force.

So I'd like to share with you one more thing, which is maybe my favorite metric in what it means to be successful long term in detection and response.
For those of you who are familiar with MITRE ATT&CK, and maybe you're not: this is a 12-step process of decomposing what we know about a threat actor's activity. This is the attack lifecycle broken down into granular bits, and the reason we do this is because we can be much more effective at defending against this when we understand the specific stages of an attack and how that typically plays out. When you look at the model and you understand left to right: left is we've done a really good job and we've eliminated risk early on in the cycle; you look right and it's a disaster; these are business-impactful events. You start to think about, okay, obviously, how can we get as far left as we possibly can? So by gathering your data and organizing your data by where we are detecting this and where we are remediating these threats, we can be really effective in telling a message of "are we getting any better?" I'm sure you've all been asked the question from your leadership, "are we secure?" It's an impossible question, but you can spin that slightly and say "this is how much more secure we are than last year." This is how we do it: we break it down into the average time to detect and the average time to remediate, we plot that out, and we can show them the growth over time. This is what that looks like.

The y-axis is those 12 steps of the MITRE ATT&CK framework, and as you look at the plot lines, what you're looking for is a downward trend. In this case it's a good news story, and this is what we would tend to expect over a year serving a client. That green line at the bottom is the baseline; that's what we're seeking, that's our target, that's what we're going for. This is an organization-set priority, but it's really what we're striving for. So you see the first quarter (this is a quarterly plot): in the first quarter, you see we weren't doing very well; we were being heavily impacted by the threat activity in our environment. These are things that are causing big impacts to our business and consequences, probably costing us a fortune; maybe we're having to file claims against our cyber insurance; maybe we're really having some painful conversations about lessons learned; maybe our leadership team looks different, I don't know. That's a really bad news story if that's where we're starting as a data point, and you see we're not being effective in detecting or responding to any threats. As we move to the second quarter, you can see we've had a significant, noticeable improvement in detection, but remediation really hasn't moved that much. Maybe that's because we pooled all of our resources and said "we're really in tough shape, let's at least try to find where these threats are targeting us and do a really good job up front at detection," but maybe we haven't had enough time or energy to devote to having the remediation conversations, or we're having trouble building a relationship with the people that actually remediate, because we really need that solid partnership with infrastructure, with endpoints, with applications, with network, with all the parts of our business to be effective in actually responding and remediating. So we're slightly improving, but we've got room to go. Then in quarter three we see a noticeable improvement in remediation; maybe we've been successful in negotiating what good looks like and enabling SOAR to do its job and do a really good job in protecting us from the threat activity. But our detections have actually gotten worse overall, because maybe we're getting targeted by a different group, or maybe we just didn't have the right detections in place for that, so maybe the situation looked worse before it got better because we just brought a new capability on board. Then finally we can tell a good news story in quarter four, because not only have we brought the detection and remediation statistics to the all-time low from our measurement, but we can tell a really good story about how much better off we are now that we've been on this journey. Whether you're doing this through a partner like Accenture, consuming a service like Accenture MxDR powered by Google, or using another solution, this is absolutely something that you should consider tracking, because we all have to tell the story about how much better we are. This is a really effective way, and it's a way to socialize some of the vernacular that we use in security with our executives.
Obviously, I'd be remiss if I did not mention generative AI and how we're leveraging generative AI. I'm happy to say that this is a real capability that we are using to not only scale but also help improve the quality of our delivery very rapidly. In addition to all of the great generative AI capabilities that we're leveraging, building on Vertex AI and the whole Google ecosystem, we are also building our own security AI assistant. This is for our security operators that are serving our clients, to be able to be most effective and efficient in what they do. I think some of the toughest challenges in the field are knowing what to prioritize, being able to act quickly, spending most of our time on value-added activities, and really being able to be confident about "yes, we took the right action and we did that correctly," and that whole closed-loop feedback process for the analyst. Those are some of the use cases that we're working on. As you look around the wheel of the use cases that we're working on, those are real things that we're powering with generative AI and the models that we're utilizing, both models directly in Vertex AI and our own models that we've trained on security data, to be able to say "this is how our operations team is doing," and this is going to be their assistant to be able to help them through an investigation and rapidly reduce... If you want to see a demo of this capability, we're in Booth 401; I'd love for you to stop by and see this capability and how our operators are going to be able to interact with it. In November we're launching two of the modules here. One is the incident response reporting for our clients, in other words making sense of this and being able to roll this up and communicate it clearly to executives; that's going to add a lot of value. As well, our ability to translate across the many languages that we have to work with: when we work with truly global clients that have operations in all kinds of countries, obviously it's best to communicate in the primary language that they're working in, and many times there can be things lost in translation; it's difficult to communicate across environments. So imagine logging into the portal and anybody on your team seeing the dashboard in their native language. It's a really powerful capability that, quite frankly, not many firms can offer.
I wanted to incorporate a quote that I think puts a really nice point on what we have to deal with in security. Darwin's theory of evolution, and his work in evolution, really helped us understand an accelerated path of life on Earth; he helped us explain a lot of what we're seeing in life on Earth, and the trait that was most highly correlated to the survival of species was the ability to adapt to change. That's what we have to do every day in security, in technology, in the fields that we're in, and that's really hard to keep up with. So that principle really sticks well with our industry: the technologies that power our businesses, the economic factors that prevail, and just how we interact with each other, our ability to adapt to change and move the business. Maybe your business is acquiring another firm, maybe it's divesting part of a business, maybe it's getting a new line of business, maybe it's moving into a different geography. As you grow and scale, you need a partner that can adapt to that change with you. That is at the core of our ethos, if you will; that's the heart of what we do.
When you're looking at a partner in detection and response, and when you're evaluating all of the different factors that go into a decision about selecting a partner, I really wanted to be able to give something back to you that I've experienced in many of the conversations that we have with clients: why Accenture, why your service, why the technology platform, why are you going to be the right partner for us? I'm happy to say that with some of these lessons learned, we'd have a confident response to all these questions. But our lessons learned are that not all providers are considered equal, and so, as you adapt to change, think about conversations with your provider. Can they explain to you, simply and transparently, how they're detecting threats in your environment? Can they tell you what they're going to do with a new piece of threat data or an indicator of compromise that they see? The right answer is: we're going to retro-hunt against all the logs that we have for you, and we're going to tell you if we've ever seen that threat in your environment; we're going to proactively protect you from that in the future; and if you have a SOAR capability, we're going to automatically block that, we're going to block that IP on the firewall, we're going to lock that user account, those kinds of things. You need a confident response on that from your partner. What is the value of intelligence? Do they prioritize it, and do they have capabilities coming in from other feeds that are able to be used in that environment? It's very important. Are they aligned to your industry? Do they understand your business and the industry that you operate in? Do they understand the difference between an oil and gas pipeline versus a medical device in a hospital versus an e-commerce platform in the cloud? Can they speak those languages? Can they understand where you are at as a client and really partner deeply with you? It's a very important decision. And then, can they serve your whole enterprise? And maybe most importantly these days: how are you going to keep costs down year to year? What are the things that you're doing to become more efficient? Because I don't want to see escalating costs every year; your service needs to be getting more efficient, and you need to prove to me how you're going to do that. Generative AI is one way to do that, and that's certainly one of the many things that we're doing, but this global model is super important to us for doing that.
So with that cheat sheet in mind: I started with how you are going to approach this, or what it would take to see across the enterprise, what it would take to understand the threat and accelerate a response, and to be able to adapt and keep ahead of threat actors. What you need is a great partner who has experience in delivering the service at scale; designing, building, and running, not just running but designing and building, security operations. That's very important: you get a lot of perspective by having to build things from the ground up, and then understanding the value of managed service and the integration of that is super important. We need to be able to understand the threat, and not only contextualize what you're seeing but add value to that through the threat intelligence that's being curated, all the way from the strategic level of what's going on geopolitically, what's going on in the threat actor communities, what's going on in the dark web forums, but also very tactical intelligence that we can use in your environment. How can we accelerate response? Is SOAR a core part of the strategy, or is it something that we do because a lot of clients ask for it, and we bolt it on and use it if clients ask for it, but it's really something on the side? Because for us it's a core part of our strategy, and we need to make sure that our clients see the value of that. They understand that there's a lot of flexibility in how we do that; it is a consultative process of "what action would you like us to take?" and "would you like to be involved in the response process?" One of the really interesting things that we can do with Chronicle SOAR, if you're not familiar, is we can put a human in the loop for specific steps in a playbook. So if there is a detection that fires on one of your critical assets: for an end-user workstation, we would contain it immediately; we don't want that anywhere near our network. But if this is a critical web server, serving up a critical application that runs our business, what do we do in that scenario? Well, I want my security administrator, or my lead security analyst in the SOC, our top-tier analyst, to be able to make sense of this and work with our application team to coordinate maybe the restoration of services, the takedown, or how we reconstitute the service and relaunch that new clean instance. So we can put that human in the loop to be able to take that action and really involve our clients in the response process. That's a really exciting capability. Then finally, from the proactive standpoint: how are we bringing together all of our operations data? How are we really leveraging the scale that we're operating at? If your provider serves hundreds and hundreds of clients every year, I would expect a service that also can leverage the benefits of the hundreds and hundreds of client engagements. I wouldn't want my engagement to only be in its separate box without the ability to really benefit from that, and that's really what we've tried to build here.

So hopefully you gained something from this. I'd love additional questions or anything that you might want to share; we'd love to be challenged on what we're doing here and to hear why you may doubt that this would work in your environment. I really thank you for the time. At Accenture we're really, really excited about the MxDR platform powered by Google technology. There are a lot of exciting announcements from Google here, and I encourage you to see those. We have great partners in total, and we really bring all those capabilities to bear. So thank you very much for the time, and I hope to see you around and answer your questions, maybe at Booth 401 or off to the side here later. Thank you.
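The quarterly metric described in the talk (average ATT&CK stage reached at detection and at remediation, plotted per quarter, lower is further left and therefore better) can be computed from a small incident register. The block below is an added example written for this page, not Accenture's or Google's code. It assumes the "12 steps" are the twelve pre-2020 ATT&CK Enterprise tactics in lifecycle order, and the incident records are constructed to follow the Q1 to Q4 narrative above (detection improves in Q2, remediation improves while detection slips in Q3, both at their lowest in Q4).

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the talk's "12 steps" are these twelve ATT&CK Enterprise tactics
# in lifecycle order. Index 1 is furthest left; index 12 (Impact) is furthest
# right, so a LOWER average stage is the desired "downward trend".
ATTACK_STAGES = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]


@dataclass(frozen=True)
class Incident:
    quarter: str           # reporting period label, e.g. "Q2"
    detected_stage: int    # stage index (1-12) the intrusion had reached at detection
    remediated_stage: int  # stage index reached by the time remediation completed


def stage_index(tactic: str) -> int:
    """1-based position of a tactic on the y-axis."""
    return ATTACK_STAGES.index(tactic) + 1


def quarterly_stage_averages(incidents):
    """Return {quarter: (avg detected stage, avg remediated stage)}, quarters sorted."""
    by_quarter = defaultdict(list)
    for inc in incidents:
        # Remediation cannot complete at an earlier stage than the detection fired.
        if not 1 <= inc.detected_stage <= inc.remediated_stage <= len(ATTACK_STAGES):
            raise ValueError(f"inconsistent stage indices: {inc}")
        by_quarter[inc.quarter].append(inc)
    return {
        q: (round(sum(i.detected_stage for i in incs) / len(incs), 2),
            round(sum(i.remediated_stage for i in incs) / len(incs), 2))
        for q, incs in sorted(by_quarter.items())
    }


def quarter_over_quarter(averages, flat_threshold=1.0):
    """Label each quarter's movement against the previous one, per series."""
    def verdict(prev, cur):
        delta = cur - prev
        if abs(delta) < flat_threshold:
            return "flat"
        return "improved" if delta < 0 else "regressed"

    quarters = list(averages)
    story = {}
    for prev_q, cur_q in zip(quarters, quarters[1:]):
        (pd, pr), (cd, cr) = averages[prev_q], averages[cur_q]
        story[cur_q] = {"detection": verdict(pd, cd), "remediation": verdict(pr, cr)}
    return story


def meets_baseline(averages, quarter, detect_target, remediate_target):
    """True when both averages sit at or left of the organization-set baseline."""
    det, rem = averages[quarter]
    return det <= detect_target and rem <= remediate_target


# Constructed sample register (not from the talk), shaped like its narrative.
SAMPLE_INCIDENTS = [
    Incident("Q1", stage_index("Command and Control"), stage_index("Impact")),
    Incident("Q1", stage_index("Collection"), stage_index("Exfiltration")),
    Incident("Q1", stage_index("Exfiltration"), stage_index("Impact")),
    Incident("Q2", stage_index("Privilege Escalation"), stage_index("Exfiltration")),
    Incident("Q2", stage_index("Defense Evasion"), stage_index("Impact")),
    Incident("Q2", stage_index("Credential Access"), stage_index("Command and Control")),
    Incident("Q3", stage_index("Credential Access"), stage_index("Lateral Movement")),
    Incident("Q3", stage_index("Lateral Movement"), stage_index("Collection")),
    Incident("Q3", stage_index("Discovery"), stage_index("Discovery")),
    Incident("Q4", stage_index("Execution"), stage_index("Privilege Escalation")),
    Incident("Q4", stage_index("Persistence"), stage_index("Credential Access")),
    Incident("Q4", stage_index("Privilege Escalation"), stage_index("Defense Evasion")),
]

if __name__ == "__main__":
    avgs = quarterly_stage_averages(SAMPLE_INCIDENTS)
    for q, (det, rem) in avgs.items():
        print(f"{q}: avg detected stage {det}, avg remediated stage {rem}")
    print(quarter_over_quarter(avgs))
    print("Q4 at baseline:", meets_baseline(avgs, "Q4", 4.0, 6.0))
```

The `flat_threshold` is the one judgement call: a movement of less than one stage is reported as flat so that a quarter like Q2 (remediation barely moved) reads the way the talk describes it rather than as a spurious improvement.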
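Two of the speaker's points, the "right answer" for a newly received indicator of compromise (retro-hunt historical logs, then protect proactively) and the human-in-the-loop playbook step that auto-contains a workstation but gates containment of a critical server behind a lead analyst, can be shown together as one small playbook planner. The following is an added example written for this page, not Chronicle SOAR's own API or Accenture's code: the log format, the host names, the asset inventory and the action vocabulary are all hypothetical, and the five log lines are constructed sample data using a documentation-range IP as the indicator.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample firewall logs (not from the page). Hosts are hypothetical;
# 203.0.113.45 is a documentation-range address standing in for a new IoC.
SAMPLE_LOGS = [
    "2024-02-11T08:14:02Z host=ws-0412 src=10.0.5.17 dst=203.0.113.45 action=allow",
    "2024-02-11T08:20:45Z host=ws-0777 src=10.0.5.31 dst=198.51.100.9 action=allow",
    "2024-02-12T23:51:10Z host=web-prod-01 src=10.1.0.8 dst=203.0.113.45 action=allow",
    "2024-02-13T02:03:19Z host=ws-0412 src=10.0.5.17 dst=203.0.113.45 action=allow",
    "2024-02-14T11:30:00Z host=db-core-02 src=10.1.0.40 dst=203.0.113.45 action=allow",
]

# Hypothetical asset inventory: criticality decides whether a step needs a human.
ASSET_INVENTORY = {
    "ws-0412": "workstation",
    "ws-0777": "workstation",
    "web-prod-01": "critical_server",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Action:
    kind: str               # block_ip | isolate_host | open_case
    target: str
    requires_approval: bool  # True = playbook pauses for a human before executing
    note: str


def retro_hunt(logs, ioc_ip):
    """Search historical logs for any connection to or from the new indicator."""
    ioc = ipaddress.ip_address(ioc_ip)  # rejects a malformed indicator up front
    hits = []
    for line in logs:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than silently match or fail
        if ioc in (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])):
            hits.append((m["ts"], m["host"]))
    return hits


def plan_response(ioc_ip, logs, inventory):
    """Build playbook steps for a new IoC, gating critical assets on a human."""
    # Proactive protection: block the indicator regardless of past sightings.
    actions = [Action("block_ip", ioc_ip, False, "perimeter firewall block; proactive")]
    seen = []
    for _, host in retro_hunt(logs, ioc_ip):
        if host in seen:
            continue  # one containment step per affected host
        seen.append(host)
        criticality = inventory.get(host)
        if criticality == "workstation":
            actions.append(Action("isolate_host", host, False,
                                  "end-user workstation: contain immediately"))
        elif criticality == "critical_server":
            actions.append(Action("isolate_host", host, True,
                                  "critical server: lead analyst approves and "
                                  "coordinates restoration with application owners"))
        else:
            actions.append(Action("open_case", host, True,
                                  "asset not in inventory: analyst triage before action"))
    return actions


if __name__ == "__main__":
    for a in plan_response("203.0.113.45", SAMPLE_LOGS, ASSET_INVENTORY):
        gate = "HUMAN GATE" if a.requires_approval else "auto"
        print(f"[{gate}] {a.kind} {a.target}: {a.note}")
```

An asset missing from the inventory is deliberately routed to a case rather than auto-isolated: an unknown host might be the critical server the speaker is worried about, so the safe default is the human gate, not the automatic action.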