A new era for managed detection and response: Accenture MxDR powered by Google Chronicle

00:00

foreign

00:02

[Music]

00:13

hey

00:15

coming through okay all right great hey

00:17

good afternoon and welcome everyone uh

00:20

really uh appreciate you being here I um

00:22

I hope you're having a good time here at

00:24

next and uh this is going to be a good

00:26

session

00:27

um whether it is you know you have this

00:29

penciled in to your agenda when you

00:31

download the app or whether this is the

00:33

consolation prize for the mandian event

00:35

filling up I'm glad that you're here and

00:37

I hope to make good use of your time so

00:38

we're gonna have a good conversation

00:39

about cyber security

00:41

um I will hopefully have enough time for

00:43

questions at the end we'll see how

00:44

quickly we get through it and um

00:46

definitely appreciate any any engagement

00:47

that you have uh or questions you have

00:49

please be thinking of them happy to

00:50

answer them at the end

00:52

um so my name is Brent Hambly

00:55

um I am the leader of our North America

00:57

detection and response practice so I

00:58

have the privilege of working with

00:59

clients every day helping them design

01:01

build run their security operations and

01:03

choosing the best Solutions and the

01:05

partners to do that with I'm really

01:06

happy today to be talking about our

01:08

partnership with Google it's going to be

01:09

a wonderful time just by way of

01:11

background I spent the first 10 years of

01:13

my career in Aerospace and defense so

01:15

learning for first hand what a

01:16

well-resourced and a very determined

01:18

adversary can do and can make your life

01:20

very miserable learning a lot of lessons

01:23

through that and helping our helping

01:25

secure clients for that I then spent

01:27

time as employee number seven at a

01:29

startup I was a wonderful Adventure in

01:31

my career being able to kind of share

01:33

all those lessons that we had learned in

01:35

a very difficult and uh and environment

01:37

to defend in Aerospace and defense and

01:40

then I have the approach for the last

01:41

four years of being a part of Accenture

01:42

and leading our North American detection

01:44

and response practice so I'm happy to be

01:46

representing the team here I stand on

01:48

the shoulders of a lot of great people

01:49

some people are here who have helped

01:52

build the solution and really work

01:53

together on this partnership that we

01:54

have with Google so

01:57

um

01:59

so we're gonna move fast and cover a lot

02:00

of ground

02:01

um I I know our time is going to go

02:03

quickly if you have one thing that you

02:05

take away from the session understand

02:07

that Accenture and Google recently

02:09

launched a new service to be able to

02:10

secure our clients it's a managed

02:12

service that allows us to provide that

02:15

the Best in Class technology and

02:17

advanced security capabilities of Google

02:18

and the years and years of delivery

02:21

experience that Accenture has in

02:22

security operations and bring those two

02:24

things together and deliver the value to

02:26

our clients and it's a very adaptable

02:28

solution so whatever your environment

02:30

your constraints your budget usually we

02:31

can find a way to make that work for

02:33

your environment and have you Leverage

02:35

The Best of Google's technology and

02:36

Accenture services but before we get

02:38

started I want to share a little bit of

02:39

perspective or maybe just ground us a

02:41

little bit in terms of where we're at so

02:43

if you're looking at this image I hope

02:45

it's it's peaceful it's a relief

02:47

it could be Friday you know this could

02:50

be you on Friday you're energized from

02:52

the sessions at Google next you came you

02:54

you know you have great plans for Labor

02:56

Day weekend and you you have your

02:59

calendar clear your out of office is set

03:01

and just before you get out of cell

03:03

range you get a call and it's your CIO

03:05

and they're frantic so this is not a

03:08

good start to the conversation

03:10

and they tell you that your company's

03:12

Cloud environment has been compromised

03:14

and the digital platform that helps you

03:16

generate 80 of your revenue is down and

03:19

as a head of security they need you back

03:21

at the office as soon as possible

03:23

immediately for as long as it takes to

03:25

respond and recover from that event

03:27

and so obviously this is not a situation

03:29

that we never want to find ourselves or

03:31

our colleagues or a loved one in having

03:33

to sacrifice their PTO to go in and

03:35

handle a catastrophe in the office I

03:37

think a lot of what we're trying to do

03:38

with this partnership between Accenture

03:40

and Google is help save our clients the

03:42

pain of that and really help them

03:43

leverage some of the best practices here

03:45

so we're here to talk about those

03:46

challenges the decisions you can make

03:48

today and some of the uh some of the

03:50

recommendations that we have for you to

03:52

have a resilient approach to cyber

03:54

security

03:55

so you know why are we here uh you know

03:58

I think a lot of that question is baked

04:00

into uh the fact that we agree on the

04:02

principles of secure by Design secure by

04:04

default that would be great if that's

04:05

how everyone operated and that's how all

04:07

of our Solutions were I think hopefully

04:10

we all share an understanding of the

04:12

business value of cyber security that it

04:13

is the number one business risk and that

04:15

it is a consideration on the minds of

04:17

not only the practitioners in the field

04:19

but the board of directors right

04:22

um but like breaks on a car uh the

04:24

better we secure our assets the faster

04:26

our business can move and just to share

04:29

a little bit of perspective what it

04:30

means to be like insecurity if that's

04:31

not the hat that you wear it's a really

04:33

difficult time for Security leaders and

04:35

so

04:36

as businesses have grown rapidly and

04:39

we've recognized the value of digital

04:40

transformation which is undeniable it's

04:43

put our Security leaders in a really

04:44

tough spot because

04:46

in addition to managing all the things

04:48

that have not been modernized yet

04:49

they're also responsible for the things

04:51

that are being rapidly adopted across

04:54

the organization and sometimes they

04:56

weren't involved in the planning process

04:57

and sometimes they weren't afforded any

04:59

budget to be able to handle that and

05:01

whether it's you know securing your

05:03

container runtime environment or

05:05

managing the life cycle of a privileged

05:07

account or mapping your data workflows

05:10

across your SAS applications uh it's

05:12

really tough out there it's a lot to

05:14

keep track of as a security leader and

05:16

it's been particularly rough for

05:17

Security leaders because just as we were

05:19

kind of gaining traction and momentum

05:21

and being able to be properly resourced

05:23

and get our budget requests fulfilled

05:24

and get our projects activated the

05:26

threat of a global recession basically

05:27

froze our funding and our hiring so

05:30

instead of kicking off those projects

05:32

and growing our team as we always had

05:33

hopetoun we finally got the support top

05:35

to bottom for what we're doing we're

05:37

stuck in a freeze and we're starting to

05:38

emerge from that but it's been a really

05:40

tough time and I think that as security

05:42

teams we're always looking for every

05:44

advantage that we can get in that

05:45

situation to be efficient stewards of

05:47

our investment so you know to put it

05:49

simply we're solving for secure

05:51

modernization while also dealing with

05:53

our technical debt or we're Paving the

05:55

road ahead of us while we're also

05:56

filling the potholes behind

06:00

and to put a finer point on it uh and

06:02

very relevant to this talk digital

06:04

transformation has been really

06:05

disruptive to security operations so

06:07

security operations is kind of the heart

06:09

of the security program that's where the

06:10

rubber meets the road it's where we

06:11

determine are we going to be successful

06:13

or not in reducing risk to the

06:15

Enterprise uh very kinetically and the

06:17

Dilemma that we have is uh we're often

06:20

the last to find out about changes in

06:22

the Enterprise whether it's new assets

06:23

and new technologies that we're adopting

06:25

but we also

06:27

um don't you know always have the

06:29

business context for what these assets

06:30

mean and our job in detection and

06:32

response is all about prioritization

06:34

that's the only way we succeed we're not

06:35

going to get to the bottom of the stack

06:37

we'll never get to the bottom of the

06:38

inbox or the queue we really have to

06:40

prioritize our efforts and so the most

06:42

important thing that we have is insight

06:44

into what matters and what doesn't

06:45

relatively speaking and the pace of

06:48

digital change has not made that any

06:49

easier

06:52

so what are we to do about this

06:54

when I talk with clients about their

06:56

challenges and we talk about uh whether

07:00

it's their budget stagnation or the fact

07:02

that they can't hire or the fact of the

07:04

technological change in the enterprise

07:05

we have a discussion on you know what

07:08

would it take what would it take to see

07:09

across your Enterprise

07:11

what would it take to understand the

07:12

threat and accelerate the responsive

07:14

threats that we know about in our

07:15

environment what would it take to be

07:16

proactive in defending against

07:17

adversaries

07:19

and today I really want to share with

07:21

you the solution that Accenture and

07:22

Google have partnered on to be able to

07:24

help you achieve these goals

07:27

so simply put this is a breakthrough

07:29

moment for detection and response for

07:31

both Google and Accenture

07:33

um we are partnering on the capabilities

07:34

from uh from both of our firms to be

07:37

able to reimagine how security

07:39

operations can be and and really as a

07:42

partner in security operations how that

07:43

can be an extension of your security

07:45

team within your Enterprise

07:47

and also how that can be used to improve

07:49

not only not only just deliver the

07:51

service that you signed up for but

07:53

actually improve your security

07:54

operations how are you remediating

07:56

vulnerabilities faster how are you

07:58

reducing risk faster what do you

07:59

understand about the threat environment

08:01

we're bringing those capabilities

08:02

together

08:07

and so this is where I think a lot of

08:10

the important details are this is where

08:12

you'll get the first sense of well what

08:14

is he really talking about what is the

08:15

solution that Accenture and Google have

08:17

partnered with and so we now start

08:19

partnership back in April it was RSA

08:21

right here

08:22

um and it was based on a shared vision

08:24

for making our clients a more secure

08:27

overall and a more secure future for

08:28

them but it's also a recognition of the

08:30

unique value that we both bring to the

08:32

table and the synergies that our clients

08:33

are going to get out of the partnership

08:35

Accenture is the largest Security

08:36

Services firm in the world we're also

08:39

the leader in managed detection and

08:40

response so this is what we do and this

08:42

is our specialty one of our many

08:44

Specialties across the environment

08:47

um and it's we're serving thousands of

08:49

clients globally and we've done this for

08:51

over 25 years and so Accenture mxdr is a

08:54

platform that we use to deliver that

08:55

service 24x7 for our clients it's our

08:58

people it's our platform working around

09:00

the clock for them never sleeping always

09:02

having always being available to them

09:04

and really being proactive and scaling

09:06

out what we know about the threat

09:07

landscape and being able to apply that

09:09

across our entire client base

09:11

and mxdr is now powered by Google's

09:13

technology which is really exciting for

09:15

us this is a huge turn of the page for

09:17

us because what Google has done with

09:19

their security business the Acquisitions

09:21

they've made the integration that's

09:23

happened between the Acquisitions the

09:25

way that they're offering that up in

09:26

their go to market I hope a lot of you

09:27

are excited by what you heard in the

09:28

keynote about duet Ai and vertex Ai and

09:32

a lot of the different capabilities that

09:33

they're bringing to the table and

09:34

certainly Kevin mandia's talk there's a

09:36

lot of excitement around those

09:37

capabilities and so whether you look at

09:39

Chronicle security operations or you

09:41

look at mandan's threat intelligence of

09:43

breach analytics where you look at

09:44

virustotal or you look at some of the

09:46

capabilities coming in security AI

09:48

workbench where some of the foundational

09:49

capabilities we can use to build a

09:51

really good service in bigquery how do

09:53

we search our data at scale and our

09:55

dashboards and looker right these are

09:56

the capabilities that we're going to be

09:57

building that we're building this

09:59

service on and offering this to our

10:00

clients because it's going to be a

10:02

superior solution for them and

10:04

it really allow us to take a different

10:06

approach to detection and response and

10:08

really to bring this all together this

10:10

is busy and I know and I'm going to

10:11

spend a little bit of time on it but

10:12

this is really what looks what great

10:14

looks like in manage detection and

10:15

response this is what you hope to hope

10:18

to see and feel and experience from a

10:20

service provider and transparency and

10:22

how they kind of put together their

10:24

service and what what works in that

10:26

environment so as you move left to right

10:27

we're going from identifying threat

10:29

activity to determining a plan of action

10:31

to acting on that and we're doing that

10:33

through Google's technology so we're

10:35

using the chronicle Sim capability to

10:38

ingest all of your security relevant

10:39

data bring that all to the Forefront be

10:42

able to correlate that data against not

10:43

only our intelligence but also what

10:45

we're seeing across the broader threat

10:46

landscape

10:47

we are keeping 12 months of hot data

10:50

searchable at sub second intervals so

10:53

really fast and responsive times no more

10:54

10 15 minute queries that run and hang

10:57

this is an extremely responsive platform

11:00

um it's brilliant it works great for

11:01

whether you're a service provider like

11:03

Accenture or whether you're in the

11:04

practitioner chair it's a great

11:05

experience

11:07

um and we're also uh exposing that

11:10

capability to our clients so they can

11:12

hunt at Google speed in their

11:13

environment they can explore their own

11:15

data they can make their own conclusions

11:16

and they can collaborate in the service

11:18

with us and that's not true of many

11:20

managed services for those of you who

11:21

have delivered that it's not a very

11:22

collaborative process so I'm really

11:24

excited about that in addition we're

11:28

really integrating soar as a fun as a

11:32

fundamental and integral part of how we

11:33

deliver our service so soar security

11:35

automate excuse me security

11:36

orchestration Automation and response

11:38

that capability has been around for a

11:40

few years some of you may have haven't

11:42

up and running and are loving it within

11:43

your environment some of you may have

11:45

tried it and didn't find much success

11:47

with it and some of you may have yet to

11:48

explore it but this capability has

11:50

finally come to maturity and the way

11:52

that Google has integrated their Sim and

11:54

their sort capability makes it a value

11:56

add from the perspective of response and

11:59

the speed that we can generate from it

12:00

so not only is it did the products fit

12:03

together and work well together we're

12:04

actually delivering the service together

12:05

on it we're basing our success on the

12:07

efficiency of working together with both

12:09

of those Solutions so this is the way

12:11

that we deliver that service and not

12:12

only is it a tool that's going to help

12:14

us enrich what we're seeing coming in

12:16

respond to threat activities and really

12:18

work with our clients on how we want

12:19

that to flow in their environment but

12:21

we're also able to use it for case

12:23

management so how we actually go through

12:25

the workflow in a sock which having both

12:27

of those capabilities together is

12:29

fantastic and you know for those of you

12:31

who have experienced the pain of

12:33

multiple panes of glass and having to

12:35

swivel seat from one tool to another

12:36

this makes it extremely simple to be

12:38

able to understand your environment and

12:40

so we're really excited about bringing

12:41

Chronicle Sim Chronicle sword together

12:43

and we're also leveraging a lot of the

12:46

other great capable abilities from uh

12:48

from Google so when we talk about

12:50

mandian threat intelligence having that

12:51

incorporated into our platform along

12:53

with Accenture threat intelligence is a

12:55

really strong capability you're getting

12:56

two of the world's leading providers of

12:58

threat intelligence in one platform and

13:01

I think that that's such an important

13:03

value proposition because when you say

13:04

the name mandian out in the field and

13:06

for the uninitiated you know there's

13:07

very few who don't recognize the value

13:09

and if you do recognize it you know it's

13:10

top tier you know that's going to be an

13:12

exceptional capability we're able to

13:13

bring that together in the platform

13:15

we also want to hit on a couple of

13:18

points here one is that this isn't all

13:20

you can ingest all you can consume kind

13:22

of model and so you're not penalized for

13:24

learning more about your environment and

13:25

ingesting more logs that's very exciting

13:27

if you've ever been have to pay by the

13:29

terabyte you know that can get very

13:30

expensive very quickly and you know

13:32

there are different kinds of pricing

13:34

models that are that can be applied our

13:36

fully managed solution is all you can

13:37

ingest and so it's based on the number

13:39

of nodes in your environment as your

13:41

environment grows you know we will grow

13:43

with you but you're not penalized for

13:45

learning more for ingesting more for

13:46

understanding more security-rich context

13:48

about your environment that's more that

13:49

we can use to help keep you secure we

13:52

also have a centralized web portal that

13:53

we're building that's a common you know

13:55

way to interface with our service and

13:56

there's nothing really revolutionary

13:58

about that other than you're able to

13:59

consume our service interact with our

14:01

analyst see your dashboard understand

14:03

your environment what are our relatively

14:04

high risks what do we need to be

14:06

concerned about it's a good uh and it's

14:08

also based on your persona so you could

14:10

have your CSO login and be able to see

14:12

all the relevant dashboards for he or

14:14

she you can also have your analyst login

14:16

and kind of find out where do we leave

14:17

off in the investigation and what is the

14:19

first thing I need to be doing now so

14:21

that web portal is going to be that

14:22

single source of Truth for that

14:24

um maybe the thing that I'm most proud

14:25

of is an Accenture Security employee we

14:28

have a unified Content Library that is

14:30

both tailored for industry and it's also

14:33

contributed to actively by hundreds of

14:35

professionals globally and what this

14:37

means is we have pre-built use cases

14:39

automation playbooks reporting

14:41

dashboards threat hunt data models Etc

14:44

so these are things that we can scale

14:45

immediately in your environment so if

14:47

you if you know the experience as a new

14:49

Accenture client would be we understand

14:50

a little bit about your in environment

14:52

we activate your instance of Chronicle

14:54

Sim and soar and that is a really quite

14:57

frankly pretty quick and straightforward

14:58

process your data stays where it belongs

15:01

in your own tenant environment

15:02

segregated from all other data but we

15:04

also apply all the indicators that we're

15:06

extracting so we can better defend you

15:08

and our other clients but that whole

15:10

process end to end it can be activated

15:13

very very quickly through this Content

15:14

Library and when you think about managed

15:17

security operations for those of you who

15:19

have gone really deep into it and you

15:20

know it from the inside out you

15:22

understand there's you know fully

15:23

managed Solutions and then there might

15:25

be a one-off you know maybe a client you

15:27

have as a client you have a special

15:28

environment you have special

15:29

requirements so the provider is going to

15:31

build a custom environment for you and

15:33

what that looks like is

15:36

um maybe your own instance of technology

15:38

and then we come as a service provider

15:39

on top of it a lot of those teams

15:42

operate independently they're really not

15:44

connected they're doing the service for

15:46

the client and they're not really

15:47

working together and scaling across this

15:50

announcement with Google and not only

15:52

platforming our mxdr Solution on Google

15:54

technology it also gave us the

15:56

opportunity to pull together our Global

15:58

Content Library from across our many

16:00

delivery centers globally we have 20

16:02

Global socks and cyber fusion centers

16:04

pull all that together and allow us to

16:06

bring that to bear for clients so that's

16:08

really exciting that's practical value

16:09

for you as a client you're going to get

16:11

that immediately from the solution

16:14

and to take it one step further I don't

16:16

know if how familiar you are with the

16:18

architecture behind Chronicle maybe

16:20

you've tried it you know a few years

16:22

back or you know relatively recently or

16:24

maybe you've never seen it before

16:26

um but I think you know the most

16:28

important thing about Chronicle is the

16:30

the speed that we can get the value from

16:31

it and it's flexible integration model

16:32

so when our clients ask us why Chronicle

16:35

certainly we we work with other

16:37

providers and platforms but why

16:38

Chronicle right we we share a point of

16:41

view because of a number of very

16:43

specific capabilities one it's got a

16:46

rich integration ecosystem over 400

16:48

Integrations are available meaning odds

16:50

are in your environment Chronicle is

16:52

going to natively support it if not

16:53

we'll build parsers with Chronicle

16:55

Engineers to be able to support that

16:57

environment that's one point

16:59

you look at the performance and the

17:00

scalability of the environment it's hard

17:02

to argue with the responsiveness of the

17:03

search and how fast it can horizontally

17:04

scale we're also looking at the human

17:06

factors how do you interact with the

17:08

platform is that a good experience is

17:10

that a you know an experience that you'd

17:12

rather not have but you'll live with it

17:13

right we want our clients to be

17:15

delighted by that experience and really

17:16

see that responsiveness

17:18

um but really above all

17:20

with Google's vision for how they're

17:23

growing their security practice and

17:24

their security technology

17:26

um the vision that they have on making

17:28

their clients more secure all their

17:29

products are security first right we

17:32

really have great confidence and their

17:33

solution is going to grow as our needs

17:35

grow for our client and working with

17:37

directly with Chronicle Engineers on

17:39

building the solution out and helping

17:40

that scale to accentuate size we have

17:43

hundreds of clients globally we do many

17:46

many engagements across all of our uh

17:48

across all of our delivery centers this

17:51

is going to scale with us and so that's

17:53

a really exciting part to know with

17:54

confidence that as a client you're going

17:56

to get a great experience and you're

17:57

going to get a solution that scales um

17:58

with your experience

18:01

so for um kind of to to put a a little

18:05

bit of reality on it right we fully

18:08

recognize that clients have Investments

18:10

that they've already made and platforms

18:12

that they may already be very happy with

18:14

and so maybe you if you're one of those

18:16

clients you don't see the value in

18:18

necessarily what we're doing here

18:19

because this is a chronicle-based

18:22

solution you've already chosen what you

18:24

want to do or maybe you are one of the

18:26

clients that has very specific

18:27

requirements on what you need to do

18:29

whether your data needs to stay in a

18:30

certain region of the world or you have

18:32

some regulatory restrictions on who can

18:34

touch the platform and things like that

18:36

right there's solutions for each client

18:39

and that's what I think one of the key

18:40

messages that I want to address is

18:42

whether you are more aligned to one of

18:46

the two models and the two models are on

18:47

the left it's our full stack model

18:49

that's our platform our people 24x7

18:52

support globally delivered

18:55

based on the scale we can offer that a

18:57

really great price point right so that's

18:58

that allows us to achieve the most value

19:00

for clients it's typically what we want

19:02

to leave with what we want to lead with

19:04

in our discussions unless there are some

19:06

driving requirements that would cause

19:07

you to need or want your own platform in

19:09

which case we're happy to work with you

19:11

on that and that's the solution on the

19:12

right which is hybrid and you know for

19:15

the sake of being at the conference and

19:16

presenting this material right you can

19:18

insert your own vendor names into the

19:20

other SIM and soar products but these

19:22

are the reality of the environment that

19:24

we're in and we're never going to go

19:25

into a client environment and require

19:27

them to replace what they already have

19:28

that might be working well for them but

19:30

we do want them to benefit from the

19:31

managed service that we can deliver for

19:33

them and we do want to make this as easy

19:35

as possible for them so really that kind

19:38

of middle slice of that soar integration

19:39

layer that is what is really special

19:41

about the service because that is a

19:43

layer that allows us to bring our

19:44

Content Library our service delivery all

19:47

everything that we know about the threat

19:48

landscape directly to a client without

19:50

them having to re-architect their

19:51

environment and so this is an

19:53

approachable solution it's

19:55

straightforward to onboard it's

19:56

straightforward to utilize and we can

19:58

configure the solution for our clients

20:00

and really work with whatever the tech

20:01

stack is in the environment many clients

20:04

have multiple Sims for different reasons

20:05

that's fine right we can use that sore

20:08

integration layer to cut across all of

20:09

that I think that that might be a

20:11

value-added capability that you either

20:12

have to build yourself or it's tough to

20:14

find in the market because I don't know

20:16

too many you know of the source

20:17

solutions that can really do a good job

20:19

of centralized security monitoring with

20:21

multiple security platforms that you

20:23

have to pay attention to

20:26

so

20:27

thinking ahead I think I've shared

20:29

enough about what the you know the

20:31

overall solution is and maybe the

20:32

flexible ways that we can deliver it I

20:34

want to leave you with hopefully a

20:35

little bit of value in terms of what

20:37

good looks like in security operations

20:39

and ways that you can advance your sock

20:40

regardless of your Tech stack right

20:43

so

20:44

when we look at what success looks like

20:47

in security operations all roads point

20:49

back to intelligence this is what we

20:51

understand about our own environment

20:52

this is what the experts at Mandy and

20:55

Accenture and other threat intelligence

20:56

providers tell you about your

20:58

environment in terms of whether or not

21:00

you're secure whether or not you're at

21:01

risk but really if you can align on

21:04

business value and you know from the top

21:07

down what are the valuable assets what

21:09

are the valuable business processes what

21:10

are the aspects of the network that are

21:12

particularly sensitive what are our what

21:13

are our really sensitive subnet ranges

21:15

when you can understand all of those

21:16

things together you have a good

21:18

perspective on the threat landscape

21:19

because you know your business and you

21:21

understand your industry and you

21:22

understand the adversaries that

21:23

typically Target your business in your

21:25

industry

21:25

and you understand the vulnerability

21:27

posture of your organization and all of

21:29

that is able to be integrated into the

21:30

platform and you understand through your

21:33

own analytics what you're experiencing

21:34

and seeing on your network today you can

21:37

bring all that together that's true

21:39

leverage intelligence that's applied

21:40

intelligence

21:41

and when we have the conversation with

21:43

our clients about what does Intel mean

21:45

to you and they may have a very prolific

21:47

answer to that or they may be struggling

21:48

to respond to I don't know that we've

21:50

really figured it out it's a feed that

21:52

we have it when it you know dings we we

21:55

pay attention but we don't get much more

21:57

out of that right whether you know

21:58

whether you're you're in either of those

22:00

camps

22:01

um where we start with our clients is a

22:03

structured conversation on helping them

22:05

understand that understand their threat

22:07

landscape and so left to right in the

22:09

bottom of this graphic are really how we

22:11

have those conversations and so we take

22:13

a threat actor and we understand their

22:15

way of operating their their tactics

22:17

techniques and procedures or ttps we

22:19

understand we help them understand that

22:20

right based on their industry based on

22:22

their environment we if they can name an

22:24

apt group or an adversary that they want

22:26

to Target we can tell tell the client

22:28

what we know about that and help them

22:29

work through that what that helps with

22:31

is prioritizing the content that we have

22:33

and prioritizing the rule sets that we

22:35

configure for them again it's all about

22:36

prioritization so if we're building in

22:38

the right direction because we're

22:39

starting with the right content

22:40

foundation in our seminar Technologies

22:42

if we are aligning our capabilities in

22:45

order in in terms of our response

22:47

processes on the right order of

22:49

operation based on the threats that we

22:51

see we can be very successful and we

22:52

help our clients stratify on that so we

22:54

put that in a priority order and finally

22:56

we help advise our clients on the

22:58

benefit of a threat intelligence

22:59

platform because whether it's Accenture

23:01

is provided or it's another uh threat

23:03

and tell platform that's provided in the

23:05

market this is really where a lot of

23:07

that comes together and you start making

23:08

this real for your Enterprise and so I

23:11

like to think about it this way right

23:12

other organizations may know a lot about

23:14

you because they are you know scraping

23:17

the internet and they are scraping the

23:18

dark web and they are dredging up all of

23:20

all of that intelligence that's relevant

23:21

for your business the one thing they

23:23

can't see is inside of your Enterprise

23:24

and those are where some of the hardest

23:26

and most important Lessons Learned are

23:27

and you have to have a way to

23:29

memorialize that within your environment

23:30

and so when we think about threat

23:32

intelligence organic or original threat

23:35

intelligence is some of the most

23:36

valuable that we have and so we'd advise

23:38

you to certainly collect that use that

23:40

tell stories about that in your

23:41

environment I meant talk about why

23:42

that's important and why you never want

23:44

to experience that kind of incident

23:45

again and what you learn from it but

23:47

also if you can share that back with us

23:49

as a partner we can be more effective in

23:51

preventing you from experiencing that

23:53

and preventing our other clients from

23:54

experiencing that in a way that protects

23:56

your privacy and we can do when we can

23:57

do that across our hundreds of clients

23:59

globally that's a really powerful force

24:01

and so I'd like to share with you one

24:04

more thing which is maybe my favorite

24:05

metric in what it means to be successful

24:08

long term in detection and response

24:10

so for those of you who are familiar

24:12

with minor attacker but maybe you're not

24:13

this is a 12-step process of decomposing

24:16

what we know about a threat actor's

24:18

activity this is the attack life cycle

24:20

broken down into granular Bits And the

24:22

reason we do this is because we can be

24:24

more much more effective at defending

24:26

against this when we understand the

24:27

specific stages of an attack and how

24:29

that typically plays out

24:31

and when you look at the model and when

24:33

you understand left to right left is

24:34

we've done a really good job and we've

24:36

you know eliminated risk early on in the

24:38

cycle or you look right and it's a

24:40

disaster and you know these are you know

24:42

business impactful events

24:44

um you start to think about okay well

24:46

obviously how can we get as far left as

24:48

we possibly can be and so by gathering

24:51

your data and by organizing your data by

24:54

where where are we detecting this and

24:55

where are we remediating these threats

24:57

we can be really effective in telling a

24:59

message of are we getting any better I'm

25:01

sure you've all been asked the question

25:02

from your leadership are we secure and

25:04

it's an impossible question but you can

25:06

spin that slightly and say this is how

25:09

much more secure we were from last year

25:11

and this is how we do it right we we

25:13

break it down into the average time to

25:16

detect and the average time to remediate

25:17

we plot that out and we can show them

25:19

the growth over the time this is what

25:21

that looks like

25:22

so the y-axis is those 12 steps of the

25:25

miter attack framework

25:26

and as you see the plot lines what

25:28

you're looking for is a downward Trend

25:30

and in this case it's a good news story

25:32

and this is what we would tend to expect

25:33

over a year serving a client

25:36

and uh that green line at the bottom

25:39

that's the Baseline that's what we're

25:40

seeking that's our Target that's what

25:41

we're going for this is an organization

25:43

set priority but it's really what we're

25:45

striving for and so you see the first

25:48

chord this is a quarterly plot so the

25:50

first quarter you see we weren't doing

25:51

very good we were being heavily impacted

25:53

by uh the threat activity in our

25:56

environment these are things that are

25:57

causing big impacts to our business and

25:58

consequences probably costing us a

26:00

fortune maybe we're having to file

26:02

claims against our in our cyber

26:05

Insurance maybe we're really having some

26:07

painful conversations about Lessons

26:08

Learned maybe our leadership team looks

26:11

different I don't know that that's a

26:12

really bad news story if that's where

26:13

we're starting as a data point and you

26:15

see we're not being effective in

26:16

detecting or responding to any threats

26:19

as we move to the second quarter you can

26:20

see we've had a significant noticeable

26:22

Improvement in detection

26:24

but remediation really hasn't moved that

26:26

much maybe that's because we pooled all

26:28

of our resources said we're really in

26:30

tough shape let's at least try to find

26:31

where these you know threats are

26:32

targeting us and do a really good job up

26:34

front at detection

26:35

then but maybe we haven't had enough

26:37

time or energy to devote to having the

26:39

remediation conversations or we're

26:41

having trouble building a relationship

26:42

with the people that actually remediate

26:44

because we really need that solid

26:46

partnership with infrastructure with

26:48

endpoints with applications with network

26:49

with all the parts of our business to be

26:51

effective in actually responding and

26:53

remediating and so you know we're we're

26:55

slightly improving but we've got a room

26:57

to go and then in quarter three we see a

26:59

noticeable Improvement in remediation

27:01

maybe we've been successful in

27:02

negotiating what good looks like and

27:04

maybe enabling sorta do its job and do a

27:07

really good job in protecting us from uh

27:09

the threat activity but our detections

27:11

have actually gotten worse overall

27:14

because maybe we're getting targeted by

27:16

a different group or maybe

27:18

um we just didn't have you know the

27:19

right detections in place for that so

27:21

maybe the situation looked worse before

27:23

it got better because we just brought a

27:25

new capability on board

27:26

and then finally we can tell a good news

27:28

story in quarter four because not only

27:30

have we you know brought the detection

27:32

and Remediation statistics to the you

27:34

know all-time low from our measurement

27:36

but we can tell a really good story

27:38

about how much better off we are now

27:40

that we've been on this journey and

27:41

whether you're doing this through a

27:43

partner like Accenture

27:45

um and and or consuming a service like

27:47

Accenture mxdr that's powered by Google

27:49

or you're using another solution this is

27:51

absolutely something that you should

27:52

consider tracking because we all have to

27:54

tell the story about how much better are

27:56

we this is a really effective way

27:58

um and and helping and it's a way to

28:00

socialize some of the vernacular that we

28:02

use in security

28:03

with our executives

28:06

so obviously I'd be remiss if I did not

28:09

mention generative Ai and how we're

28:10

leveraging generative AI but I'm happy

28:12

to say that this is a real capability

28:13

that we are using to not only scale but

28:16

also help improve the quality of our

28:18

delivery very very rapidly and so in

28:22

addition to all of the great generative

28:23

AI capabilities that we're leveraging

28:25

building on vertex Ai and and the whole

28:28

Google ecosystem we are also building

28:30

our own security AI assistant and this

28:32

is for our security operators that are

28:34

serving our clients to be able to be

28:36

most effective and efficient in what

28:38

they do and I think some of the toughest

28:40

challenges in the field are knowing what

28:42

to prioritize being able to act quickly

28:45

spending most of our time on value-added

28:47

activities and really being able to be

28:49

confident about yes we took the right

28:50

action and we we did that correctly and

28:53

that whole closed-loop feedback process

28:55

for the analyst and those are some of

28:57

the use cases that we're working on so

28:58

as you look around the the wheel of the

29:00

the use cases that we're working on

29:01

those are real things that we're

29:03

powering generative Ai and our models

29:06

that we're utilizing both you know

29:07

models directly in vertex Ai and our own

29:10

models that we've trained on security

29:11

data to be able to say this is how our

29:13

operations team is doing and this is

29:15

going to be their assistant to be able

29:16

to help them through an investigation

29:18

and rapidly reduce and if you want to

29:20

see a demo of this capability we're in

29:21

Booth 401 I'd love for you to stop by

29:23

and see this capability and kind of how

29:25

our operators are going to be able to

29:27

interact with that in November we're

29:29

launching two of the modules here one is

29:31

the incident response reporting for our

29:33

client so in other words making sense of

29:35

this and being able to roll this up and

29:36

communicate this clearly to Executives

29:38

that's going to add a lot of value as

29:40

well as our ability to translate across

29:42

the many languages that we have to work

29:44

with right when we work with truly