Well, I'd like to invite Andy Lalaguna to the stage from eSentire, and we will talk about this. So, Andy, feel free to introduce yourself and what you do at eSentire.
Absolutely. Hi, I'm Andy. I'm a Senior Solution Architect at eSentire and support the international region.
So, yeah, eSentire participated in both MDR and XDR, and thank you for that. I guess start off with a few questions about, you know, I was really interested in going through and talking to the vendors and customers about how do they go about what's driving them to move to XDR.
So, I was curious, what have been some of your experiences with customers, you know, why are they looking for an XDR product in the first place?
I don't think necessarily they are looking for a new XDR product. It's just a new label for what we've always been doing. The fact is, as a company, having an IT organization that supports it, my tools have to work gracefully together. If they're not, I have challenges.
So, I should be choosing tools that work together. XDR, as an extended detection response, is more, I would say, an approach to delivering the outcome. That they work gracefully together, and therefore, I should get closer to understanding what's going on in my environment sooner. Time being of the essence in allowing that.
Obviously, everyone is trying to reinvent their language, and for the audience, the challenge is one of them must be lying. So, you know, they're just making up language, and the taxonomy obviously becomes a problem, particularly if predominantly most of these companies are North American. English isn't the first language for the majority of the audience. There's a challenge, right?
So, we've got to bring all those things together. We want the tools to work gracefully together. The references you've made, John, are all about companies that are trying to retain their existing customer base and extend their reach into them.
Obviously, the devil is always in the detail. You've got to focus very closely on service descriptions, what they're actually offering contractually, what they're actually offering to deliver for you as a consumer of those services, and if we look at that at the surface level, we're covering, yeah, we're going to get good coverage, but the detail being underneath, well, what does that actually mean to me? Is it actually delivering what I want to consume as a consumer of those services? And I think we have to be very careful there. We do consolidate tooling.
We do work with what customers have already got. We choose to take that approach because we're trying to deliver an XDR experience and outcome. I should stop talking with my hands.
So, you sell managed detection and response services, and you offer XDR. So, obviously, your own XDR backend is what's providing your MDR services.
If we understand XDR to be a consolidation of the majority of the tools that you've mentioned, yes, that's what we offer.
Okay. So, when you say you work with customers with what they have, I suppose they come in with lots of different kinds of use cases and bits and pieces of an architecture that then you kind of help fill in the gaps and bridge that then.
A hundred percent.
Again, for us, we will drive from an outcome perspective. What are you trying to achieve? Where are you trying to achieve that? Where's your principal risk? Where are the other risks? What's the priority to those risks in you addressing them? Do you want to start simple? Do you want to start complicated? We have customers ranging from a whole variety. I'm morbidly fascinated with endpoint. We want to get that sorted. The tool we've got isn't working, or the service provider we've got isn't delivering to our expectations.
Maybe their maturity has changed during the period they've been consuming that, and they want to get something better. They feel there's something missing.
So, for us, it's, well, where are the gaps? How do we address those? How do we make that more complete?
Again, our approach, as we highlighted yesterday with Warwick Session, was about addressing those gaps and bringing those outcomes as a partner. We're not here just to sell you stuff.
In fact, actually, if it isn't going to fit, we won't. We're quite open about that. We try to get to that discovery point very, very quickly. This is a very delicate area. It's a very sensitive area for the audience and for us as well. We've got to work well together to deliver the outcomes that we're promising.
Do you find that most customers come with an endpoint product that they're happy with, and they're just looking for additional network and cloud observability? Where do you think their gaps are mostly?
Well, it's difficult because every customer is different. Every customer has a different focus. Ransomware, the last 18 months, everyone's been talking about ransomware.
Again, as we said yesterday, reaching that outcome, whatever tools you've got, they're not working. You shouldn't get to that point because you should have been able to stop it prior to that point.
Obviously, there's gaps, need to address the gaps. Customers, and the audience particularly, don't allow yourself to get complacent. There are likely still gaps in your architecture. You still need to address them in one way or another. That constant re-evaluation of, is what I'm doing effective, still effective? Could I do better?
Obviously, that's the challenge. Building the business case to establish whether you can secure budget for that or not, again, that's part of the challenge. A lot of customers will come to us with one product, and they've been happy with it for a while, but suddenly, there's a nagging feeling in the back of their head that perhaps they need to do something else. Network becomes an issue. Boundary defenses become an issue. Perhaps they've not tuned their firewalls accurately. Perhaps they're not re-tuning their firewalls on a regular basis. There are gaps in addresses.
The company may be particularly acquisitive. What's the security like in your acquisition? How do you evaluate that before you connect it to your existing infrastructure? All of these sort of challenges, and we find that customers come from all particular areas. What we are starting to see is that certainly, for example, in the PE space, we're finding that we get these governing companies that are sponsoring their investments are recommending practices. You should be addressing these gaps. If you haven't, you need to have a discussion about it.
Here are some options for you to consider, and there seems to be more sharing in this space as well. Obviously, these types of events as well help because the audience wants to know, am I missing something? Is there something I can do better than I'm currently doing?
You mentioned ransomware. Do you have a customer prospects approach? You would say, hey, we just had a big ransomware event. Maybe if we were using XDR and what you have to offer, could we have detected it? Is that kind of another driver for business?
I have a very funny example. It's not funny. It isn't funny.
The guy was absolutely pulling his hair out, but he was driving home at the end of the week, and he was conducting two calls on his mobile, one to us, one to his insurance company. He was in the middle of a breach. We have a separate digital forensics and incident response team that are seasoned veterans due to an acquisition we made four years ago now. He negotiated with his board on the call on his drive home to secure the team. By the time he got home, the team were online with his team in the office. They were installing agents, deploying and containing live.
By the time he had his 15th cup of coffee that evening, the incident was contained to a point that they could look at what are they going to do to remediate and get out of the mess. We have calls like that a lot. Customers are in that situation a lot.
Obviously, we would rather, as we mentioned yesterday, catch at the beginning of the cyber kill chain rather than at the resulting action that's going to take place if ransomware is what's happening. As you mentioned, it's often just collecting material. Data is the real value here for those attackers, and they're going to build that and collate that. Ransomware is a service now. You can go out and pitch for that. You don't even need to be involved. Someone will provide you the malware. Someone will run it. Someone will manage and operationalize it.
Someone will do the data collection, do the analysis and sell on the data, and you just take your margin off the top. You don't even need to do anything. Plenty of adverts out on the dark web for that stuff now. The reality is that's probably why it's becoming more popular, because it's ridiculously easy to do.
Obviously, in the meantime, we have to work with our customers to make better choices to try and resolve those issues so that they get the desired outcome, which is little or no interaction with these bad guys.
Yeah, I think it's important to note this isn't something that's going to go away.
I mean, we're predicting it's going to get worse because of exactly that. I mean, it's a business model. It's a well-developed business model with lots of labor specialization. The people that steal the accounts, the people that produce the malware, I mean, they have tech support for operating the malware even.
So yeah, it's not going away anytime soon.
But this is the value of XDR's approach. My tools need to work gracefully together if I'm to move towards the beginning of the kill chain rather than the end of it.
And again, that's why these things need to happen. So if there are gaps in your coverage, you need to think about how you're going to address those or perhaps better architecture infrastructure to mitigate some or most of those risks.
And again, your architecture that may have been appropriate three, four, five years ago, it's well overdue for a refresh. And again, the approach, how you address that, how you cover and support that, those are all issues. Can these XDR vendors support that? Can they partner with you to deliver that? That's a question you need to be asking. What's that going to look like? What is the experience going to look like with those choices that the audience is going to make?
A couple of minutes ago, you mentioned insurance.
And I know in Orick's section yesterday, and we sort of talked about it separately too, cybersecurity insurance I think can be driving positive change in the industry now because I know a few years ago it was said that cyber insurance is sort of exacerbating the ransomware situation because, oh, it's just you get a ransom note, you pay the ransom and get reimbursed for it.
But now cybersecurity insurance providers are doing, I think, a lot of good by forcing people who are applying for policies to have certain kinds of tools in place, either if you're going to do this yourself or use an MDR service. And I know a few cases, at least in the US, where cybersecurity insurance providers are actually running MDR services with XDR backend. So I think, I mean, what's your experience with that? Or have you had any?
We do get a lot of experience and exposure to that.
Obviously, North America has a particular way of running cyber insurance. They're particularly more open to paying ransomware. There are more regulatory controls in Europe and beyond on how that happens. Cyber insurance companies, certainly in the European space and in the UK space, are getting a lot more wise to that. If you are insured, that insurance is to help you recover, not to pay the ransom. NCSC will strongly recommend you do not negotiate and pay the ransom. And in certain cases, and I'll bring you back to that example I gave, they actually threatened the customer.
He's like, hang on a minute, you're supposed to be helping me. And he goes, if you pass this on, we'll come after you. Unquote. I was mortified. That's not the response we should expect. So there are regulatory controls in how you behave with that. His situation, that particular customer's situation, was bad in that the attackers didn't just steal his data. If they had done just that, that would have been fine. They actively destroyed the platforms that were hosting his services to the point that he had to refresh all his hardware.
The engineers, it was a VMware-hosted infrastructure they'd built, the engineers who went to evaluate what the damage was had never seen that before. And I'd never heard of anything like that before to that point. This is two years ago. They had done so much damage to the hypervisors themselves that the chassis on which they were hosted were trash. They had to throw them away and start all over again. So obviously cyber insurance at that level is to help you reestablish your hardware, reestablish your platforms, reestablish your services, so you can get back operational quickly.
Again, architecture that would support that rapid recovery, manpower to support that rapid recovery is typically where we're seeing insurance being paid for, paid out for, certainly within the European space.
You mentioned regulatory compliance, and I was saying that at least on the XDR product side, I don't see a lot of the other vendors are really trying to exploit that by giving out tons of really good regulatory compliance features.
What do you see in terms of maybe customers coming to you asking, can you help us with an MDR or an XDR service that will help us with NIS2 or DORA or SEC in the US?
We're contributing for the components we're supporting. So if we have to help factor and format reporting for those platforms against those regulatory requirements, yes, we'll do that. The challenge, particularly if we're looking at, say, NIS2 or DORA here in Europe, is that you'll have the European governing regulation, and then you'll have the local regionalized version of what that regulation is. That becomes a minefield.
That's 42 different flavors of regulatory reporting anywhere across Europe, plus the European Union level reporting as well that's required, should an incident be of sufficient severity to report. So it becomes a nightmare, which is probably why the vendors aren't doing it. There isn't enough market for each of the regional member states in the EU to create a product for them. And it is a minefield.
Yeah, certainly sounds like it. Does anybody have any questions? Anything online? Okay. Are there any particular features that your customers have been asking for that maybe you've either already rolled into the product or have slated for future roadmap?
I think a lot of what we're seeing is customers having made choices, because obviously no field is a greenfield when it comes to customers and trying to support their security efforts.
What we're seeing is customers are coming to us with very extended contracts in solutions that they may have applied to components of an XDR approach, and then we are looking to how we're going to integrate with those and offer a number of ways. Looking forward, everyone's picking up on AI. I've got to be doing AI. Really? Okay.
Well, yeah, we do AI. Again, this is more, as a security service, this is more about people with experience and skill sets and people who actively want to do the job a particular way and deliver an outcome in a way that the customer wants to consume it.
Again, this has to be a partnering effort. It's about human beings. What we're seeing is customers want to understand more of what's going on underneath the covers. They don't want a black box solution anymore. Some of these solutions out there are offering a very pretty front end. There's very little substance underneath. What we're seeing is the customers actually want to see that. They want to start to learn to do it better. They want to understand it better.
Anything that helps that, again, European space focus, for me and for us, is about providing a better understanding because the customers want to understand how and why because that's going to drive them towards their outcome, and they want to participate. Certainly, that's what we're seeing in Europe.
Okay. Well, great. Thanks, Andy. Thanks for participating.
Thanks, Paul.