I'm very pleased to say that today I'm joined by a representative from eSentire. So I'd like to invite Andy Lalaguna, who's the Senior Solutions Architect at eSentire, to join me up here on stage, grab a mic, and we can discuss the innovation available on the market. And so please give a warm welcome to Andy Lalaguna.
So thank you so much for joining me today. And as I said in the introduction, there's a wide range of flavors of MDR. So for you, what is MDR and what is your take on the MDR market?
MDR is an interesting one. Every vendor talks about it in a very different way.
What we'd like to speak about at eSentire is outcomes. What does MDR mean to you? You define what MDR means. It's the vendor's responsibility to fulfill that. If you understand what those outcomes are, you can then qualify what the vendors are saying. Everyone's using the term. But Managed Detection & Response is about delivering an outcome.
For us, it's providing an ability to withstand the fact that an incident is going to happen and you have to get through it with a minimum impact to your business so that you can continue. And that's functionally what MDR means to us, but we hope that's one of the outcomes that you would like to have.
So what do customers typically look for when they come to you and say, well, yeah, we're thinking about this? What is it that they want? Are they wanting the all-singing, all-dancing, or are they just wanting the skill gap fill?
It's a combination of all of those things.
For us, our customers range from 12, 15 seats to 30,000 seats and everything in between. A common denominator amongst them all is that they're approaching a point where a SOC, a security operations center, is now becoming a necessity for them. And they're evaluating whether they invest themselves, build the skill capability and resource in-house, or they go outside to try and get that as a service. And that tends to be the cusp where we will operate, where the businesses are starting to ask those sort of questions.
Yeah. Well, that's pretty much what I found. And I think that's why I made the point that people need to kind of understand what it is that they're trying to fulfill. One of the things I forgot to mention is that for those of you who weren't here yesterday, you are able to ask questions, which hopefully we'll get to at the end. You just have to go into the session in the KuppingerCole, well, into the KuppingerCole app and find the session today. And then you have to, it's a bit tricky, I confess, you have to then add the session.
But at the bottom, then it'll enable you to ask questions, which Carsten will pick up and we can discuss that later. I'd like to just have a look at some of the kind of innovation areas that we saw in this report. The first two, obviously, are around AI and Gen AI. What is your approach to it?
Well, Gen AI for us is a recent addition, obviously. For us, it's always been machine learning. We've been feeding and nurturing and watering a data lake for 22 years in various formats. In its current format, it's about eight to 10 years old. It's predominantly machine learning driven AI for us. And Gen AI is specifically used internally to speed the tools to the analysts. We will use it for summaries. We will use it for summarizing activities taken and predicting what might be taken. But it's predominantly on how it's analyzing how the analysts themselves are actually working.
And then speeding that as a suggestion for the next analyst on the next challenge.
Yeah, that's definitely what I found is that organizations are using AI in two sort of different ways. One is to improve their ability to deliver an MDR service. And then the other way is kind of more customer facing. And so those are the two different kind of aspects, I think. And I think we're going to see more of that.
Also, I see there's a heightened focus on securing cloud environments. Is that something that you're kind of spending special time on, or is it just part of the general range?
I think it, well, for us, it's predominantly SOC as a service is the broad stroke that covers everything.
So for us, it's about getting experienced, qualified, and encouraged analysts to the task as quickly as possible. It's always been about the people, and the tooling is just to facilitate that.
For us, customers' environments will likely include some cloud provision of some description. It may be the usual suspects, it may be unusual suspects, but they're going to have a blend of.
For us, we're not looking at sort of an immediate fix for any of those problems, because customer's going to change their mind. Customer's prerogative, right? So they can move, and they can ebb and flow in and out of the cloud. And we have to have tooling and capabilities that allow us to facilitate, to grow with the customer, and follow their journey to where they're trying to get to.
So I asked some very specific questions around support for cloud, and you can see that in the spider diagram.
So once again, if you are particularly interested in MDR service to support your cloud side of things, just look for the providers that have the strongest capabilities in that area. Now what about support for IoT? Because some of the vendors that I spoke to were, yes, definitely that's something we're investing heavily in, or that's something that we see as being a really strong potential market and others are going, oh no, we're just not, we're not getting, you know. So what's your kind of approach at eSentire?
You're picking on the sore subjects. IoT and OT is an interesting challenge.
We can address those from a network perspective. So once those things approach an IP network, we can start to touch them. The challenge for all of the vendors is that OT is so unique and specific to that platform that if you're developing a model for it or an engine for it, good luck. If you're good at it, please let me know because we'll bring you on board. The challenge is OT and IoT is becoming more internet connected. It's getting onto an IP network. At that point, it presents the risk. What can we do to change that?
Not much, but we can isolate them from a network perspective. So if you wanted a solution now, we can deliver that now. We do deliver that now. But obviously the challenge is how is that going to get standardized? How is that going to control? And NISA have been doing a lot of work for the last 10 years to try and bring in a program of how they're going to address standardized security practices in those platforms. The market hasn't followed suit, and I know they've been fighting with it for a long time. I've been involved in those discussions, but it becomes an interesting challenge.
Yeah. So that's perhaps, if that's an area of concern, that's something that when you're engaging with an MDR provider is kind of to find out exactly what their plans are. I don't know, Chris Carsten, at this point, are there any questions?
So far, you are very clear. Otherwise, we'll just continue talking about the potential innovations. But I just wondered, you know, had there been any questions in the app, or does anybody want to field a question now for either of us? The wackier, the better, please. Andy's up for it. Okay.
Well, think about that, and do it through the app if you don't want to pull up your hand and speak. So the other thing that I saw as a trend in innovation is kind of deeper integration with other security tools. I think before it was like, okay, this is the stack we support.
You know, these are the tools that we think is a good set to have. This is what we're supporting. But I'm seeing that from last year to this year, the MDR providers are going, oh, well, okay, we want to try and be a bit more inclusive.
Yeah, and I think it's something the vendors have to do. And I'm not saying we're going to do it any different to any of the others. The reality is our customers have made decisions along the way to where they are now, and they're going to have other tools in their environment. If I was sitting customer side of the table, this would be the question I would be asking. But it would also be, for my own sake, if it were my responsibility, do all my tools behave well and play gracefully together? That becomes a critical piece of the puzzle. And that should always be a decision criteria.
I had a previous conversation with one of my directors at UBS. And he said, treat everything like it's an investment. You've got to look at deploying that solution into and decommissioning the previous. You've got to look at running that for its useful length and then decommissioning that. What is the cost of that investment? As an investment, do we put money into this ourselves, even if we're going to consume that technology to deliver a service?
And I think it's something that the market should also take a serious approach with because this is going to add the real value, understanding what those investments are. And if that tool is no longer fit for purpose, go through an evaluation process and choose one that is. And that isn't one that perhaps your peer is using or your neighbor is using. It's what's right for you.
Again, back to those outcomes. Where do you want to get to? Choose the tools appropriately. And that continual improvement that everyone has been saying, you have to keep going through that process. Is this tool still fit for purpose?
So would you generally agree with me in the point that I made, though, about it being a partnership? It's not kind of a one-way street. And is that kind of generally your approach, is to try and engage the end-user organizations as partners rather than just...
I think it is. I think we're not going to tell you how to do your business.
Why would we even dream of doing that? We're not going to do that with your tooling. We're here to work with you to deliver you to whatever your future might be. We have to partner with our customers to help deliver them. We're going to bring 150 SOC analysts, we're going to bring our organization to that company to support them in the areas that they can't support themselves. We have to partner with the customers. We can't just say, this is the way it's going to be and like it or lump it.
And worse, this is the way it's going to be at the beginning of the contract, and it's going to stay like that until the end of the contract. And that could be years down the line. Your business has moved on. Your infrastructure has moved on. Your approach has moved on. Perhaps your outcomes have moved on. We have to adapt to the customer, and we have to continually do that.
Okay. And now, what about enhanced capabilities for regulatory compliance and data privacy? Because as I mentioned in my presentation, this is something that's continually evolving and is continually sort of increasing almost. Every other day, you read a notice that this part of the world, they've brought in a new piece of legislation.
So, is this something that you can help customers with?
The regulatory environment still remains the customer's responsibility. We will work with them to support that. For the tooling and areas that we're responsible, we have to. But as you say, the space is changing very, very quickly. It's to DORA. It's upon us. If you haven't been preparing for the last two years, I wish you every success. It's going to be painful. They keep changing their minds. They keep changing how they're going to audit and measure this. And this becomes a challenge.
Then you get the unique differences within each member state in Europe. UK is still undecided on what they're going to do at some point, rather than the NCSC continuing to threaten customers and audiences. Perhaps they'll contribute to actually building a regulation that's of value. But we're seeing emerging markets as well come out with very interesting policies. One of the more recent, Saudi Arabia, ECC1. It's a really good read. Give it a go. The English translation is exceptional. But they've blended ISO 27001 and PCI-4 in one document. Best of both worlds, yeah. Good luck.
Trying to operate in that market is now really difficult. But again, the reality is we have to make a concerted effort together with our customers to meet those regulatory requirements and their changes. So we have to be in front of that as well. And that GRC for us becomes a big part of the puzzle to try and contribute towards the customers' pain.
Okay, yes. So yet another reason why MDR can be part of the... I remember a slide from Martin yesterday where MDR was part of the puzzle. So you need to decide how big a part that is. I don't see any questions in the app. Are there any questions in the room before we carry on? We'll fill the time talking about the innovation, if that's what you're interested in. But if there's anything that we've mentioned that you go, yeah, I'd like to hear a little bit more about that. Or you'd like to come up with a wacky question for Andy. Here's a chance.
Going, going. Anyone? Okay.
Yes, we have over here. Do you want to... Do you need to speak up a bit?
So I'm not a technical person. I'm more knowledgeable in financial services. And I would like to know, since you mentioned, yeah, also compliance. And this MDR, it's about response. And lately there have been some regulations in finance that demand a quick response in a specific amount of time. And since this MDR, it's about response, I was curious, yeah, if this adds more burden, this specificity of responding in a certain amount of time. And what's challenging about, yeah, having this limited amount of time to respond? And how do you cope with this challenge?
Response times are also very important. And we need to be very careful.
Again, the language in the industry is poor. MDR means different things to different people. Response means different things to different vendors.
For us, I haven't got eSentire written on me, have I? For us, eSentire, our mean time to contain is a key metric for us. So that's stopping whatever it is that's happening moving any further. In automated responses, agreed with the customer, we have not exceeded 15 minutes in the last five years now. We hit 15 minutes as an average Q1 last year. We've been sub-15 minutes before and after. The response times are important. The targets are targets. But obviously, what do I automate? What do I not automate? What do I do in conversation with the customer? It's about delivering those outcomes.
If you are meant to deliver an average time over a period of time response, how much of that can be automated? It means eyes on glass. It means analysts on glass. It means responsive customer, whoever's responsible for those platforms to agree a course of action. For that to happen within that time frame, it's about human beings and immediate response from those human beings. Those responses can then happen to that time frame. It's a challenge, 100%, absolutely.
Have a look at the report again. Because all the leading vendors have got, or most of them have got, mean time to respond, mean time to contain. Obviously, eSentire is one of the leading vendors there because that's what helped boost their score. The other areas were ransomware and customization to meet a different organization. Have you got any comments on the ransomware bit?
Ransomware is still a fairly popular word in certain markets. It tends to focus people's minds.
Again, if we place that as an outcome of a cyber kill chain, for us, we're trying to get to the point of being a left hand. If it's traveling left or right, we want to be at the left hand edge. Indicator of concern becoming indicator of compromise. If ransomware has realized this now for us, our language becomes an incident response. Incident handling whilst an incident is developing. If ransomware is the outcome, you're right at the other end of the kill chain.
We want to catch it early, which is why we prefer to blend with tooling the customer may already have or recommend tooling that they don't have to fill those gaps to be earlier in the detection cycle. Ransomware is a real thing. We have an incident response team dedicated for that practice. They can deliver a containment within two hours from a dead start. They've been at it for a little while. They're a spectacular bunch, actually. I've been on a couple of calls with them. They're outstanding. They've been doing 16, 17 years average experience in the digital forensic space.
They're mature veteran incident handlers. It becomes a challenge. If it's got to that point, again, for all of us, I think the challenge is gaining budget to deploy these tools. It's not whether it's the right thing or not the right thing to do or the right area to focus on or not the right area to focus on. It's does the business want to invest in delivering that protection? That becomes the challenge. NCSC's comment yesterday, notwithstanding, yeah, you've got to do something.
Yeah, we knew that. We do have to do something. Getting money out of the CFO is like getting blood out of a stone. It's just not going to happen. I'm sure you're well aware.
I think we'll draw a line under it there with all that standing between you and coffee. Thank you very much for your attention. Please go to the report. You'll get the slides. There will be a link. You can also use the QR code. We're closing that morning session with that. Coffee break, what we've already mentioned.
I'll leave you with a thought around the kill chain that you just mentioned because at the end of the day, you're absolutely right. Hit them on the left. If you stop them there, then a ransomware attack is nothing more than a usual phishing attack. As a thought for your discussions over coffee, thanks for joining us this morning. Have fun for the rest of the day. We'll see you tomorrow.