Vancord CyberSound

087 - Presenting: Vantage Managed Detection & Response (MDR)

October 10, 2023 Vancord Season 1 Episode 87

Endpoint protection is a popular space in the market for businesses right now, whether it be to meet cyber liability insurance requirements or to boost an organization's comprehensive approach against threats.

Today, Jason Pufahl, Michael Grande, Matt Fusaro, and Mike Lang, all of the Vancord team, are proud to present Vantage MDR: a cutting-edge managed endpoint detection and response solution powered by industry-leader Microsoft, fully delivered by Vancord's security experts. 

00:02

This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.


Jason Pufahl  00:12

Welcome to CyberSound. I'm your host, Jason Pufahl, joined today by Michael Grande, Mike Lang, and Matt Fusaro. Thanks for joining everybody. So, we are, we're going to discuss something probably, probably a little bit more Vancord service specific than probably a lot of our podcasts. But I think, you know, we really, it's intended to touch on those things that are important in the industry today, and a little bit about how we're trying to solve that. And, frankly, some of the, some of the rationale behind our decision making. So I want to introduce the idea of Vantage MDR, which is a service that we have sort of conceptualized and built over the last, probably last six months, we've been working on this. And I think it really meets a need in the industry to address sort of the word soup a little bit around that traditional antivirus, EDR, MDR. You've probably heard some terms called XDR, we're not gonna spend much time on that. But, you know, maybe you know, Matt, would you mind spending a minute on kind of what is, what is the endpoint protection space look like today? And maybe how has it evolved a little bit?


Matt Fusaro  01:30

Yeah, sure. So, you know, we're coming, we're at, I'd say we're pretty far out of the days now, where your traditional antivirus is what you would deploy on your endpoints or your servers. In a traditional line, the antivirus typically only provided you signature-based detection. So if a file showed up, that was known malicious, we had a signature for it, we catch it, alert you, quarantine the file, the usuals. It's kind of evolved now to where we need a lot more data because attacks are a lot more sophisticated now. Exfiltrating data is, can be accomplished in quite a few different manners now. Web applications run everything, when it comes to business functions now. So a lot of these attacks can be fileless, a lot of these attacks can be much more, there might be a very long dwell time for these things to actually occur. And we want to see these behaviors taking place and detect them. So now what we have is what's called EDR software or endpoint detection response. And that drives a lot of what you would see for endpoint protection. EDR can be either separated from your typical virus type of scanning that you'd see traditionally, or all packaged together, which is probably more common, especially these days. So you'll get the best of both worlds. So you'll be able to detect all known attacks, and you'll also be able to detect behavior based or things that would take some type of correlation between lots of different endpoints, right? So now you have all your endpoints sending all their data up to a central place, where not only can we detect what's going on locally, but we can also detect on what's going on between all the assets that you're concerned about, and get a better situational awareness between all of that.


Michael Grande  03:21

So you spend a great, great summary of, of, of the MDR space and understanding the practical application of it. Why did we launch this service? What was our primary objective in doing that?


Matt Fusaro  03:35

Right. So I think, really, what we were trying to focus on is the MDR piece of it, right? So when we say MDR, we mean managed endpoint detection response. We have an innate knowledge of a lot of the clients that we deal with, we're really close to them, we, we know that we're good at doing it. We've proven that over 15, 16 years now, where when we engage with the client, we know, we know how to document, we know how to take alerts and information from them, documented very well so that we know how to deal with alerts, how to deal with their production systems. That was the thing that we found lacking in a lot of the other tools and a lot of the other services that we explored was that there was just not enough context, right? When you basically outsource that type of work to another company, they don't necessarily know much about what's going on inside. They don't really know what's important to you. We tried to fill that gap by being that provider that gets to know you a little bit better.


Jason Pufahl  04:42

So a core component of what we settled on was Microsoft technologies, right? Really specifically, you know, Microsoft Defender for Endpoint. But, you know, understanding that the Microsoft space is really improving from a security standpoint. Mike, can you give me, just give me a sense of what, what type of qualities really led to us selecting Microsoft and sort of making that the underpinning of this, of this offering?


Mike Lang  05:11

Sure. Um, so first and foremost, I mean, we really do see, Microsoft as one of the leaders in this space. So this helps out a lot because, you know, they have a proven track record of supporting really big customers, they have a lot of insight into their own technologies, so they glue right into their own Microsoft operating systems really well. They're also trying to expand the other security spaces for the future, so it leads into XDR in the future, when we want to get to that. So they really have the ability to sort of do all this SIEM and automated aggregation of logs and events, and really correlate it all together for the EDR space. So for us, it's, it's a good place to be in where we can pick a market leader like Microsoft, get most of the technology trusted upfront, and focus on our personal expertise of being able to monitor the system. And like Matt was saying, we know our customers, we understand the alerts, we're trying to couple this together with all of our SLAs and ensure that we're monitoring and notifying customers in a reasonable timeframe to ensure that they don't reach severe cyber attacks.


Matt Fusaro  06:22

And Microsoft's been doing this for a long time too, right, they've got some of the biggest databases out there of activity, behavior, machine learning modules. They put all that together. But also, I think the key here really is they built the operating system. And they're the ones that can see what goes on inside of it. No other vendor can really do that, they have partners that are certainly privy to certain things. But you can't really get better than the company owning the code base when it comes to those. 


Jason Pufahl  06:53

Right, yeah, that's fair.


Mike Lang  06:54

We're very impressed with their false positive rate. I mean, they seem to analyze things extremely accurately, they get it right the first time. So it's not really sending us on a wild goose chase at all, most of the time. Most of the time when they get something and it looks actionable, there's a lot of telemetry there, it's boiled down correctly, we look at it, we approve their assertion and sort of respond to the way the customer wants us to respond, whether that's to automatically do host containment or notify them after hours. Quick question, you touched on it briefly there regarding sort of licensing, what, are their other platform options available?


Matt Fusaro  07:35

Yeah, so they cover everything that you would see in your typical business at this point. So if you're, if you're running Windows, obviously, that's, that's covered end-to-end there. But, you know, a lot of, a lot of end users, they like using Macs, you know, some of your more tech guys or special application guys will be using Linux, especially in the server space, right. We see Linux all the time. All of that is covered under the Defender suite.


Jason Pufahl  08:01

So similar to that, that licensing question. You know, I think people think of Microsoft licensing is complex, I'd say it's pretty flexible. You know, we've got, we obviously have a huge client base that has pretty much purely centered on the Microsoft ecosystem. But you know, there's, there's clients out there that use Google infrastructure for a variety of things. Does it matter if you're a Microsoft customer, can you license this if you aren't already? You know, can you talk about some of the licensing options, I think that might make this compelling for certain for certain businesses.


Matt Fusaro  08:36

Yeah, for sure. So you don't necessarily need to be a Microsoft customer out of the gate, we help you navigate that. You don't need to be invested in all their other services in order to utilize Defender for Endpoint. And like you said, they provide a lot of flexibility. But I think it'd be hard, hard to argue that it's not complex, sometimes it really depends on your situation, where you currently have licensed. But to that point, whether you're in the enterprise licensing space, so the Microsoft 365 licensing space, or if you're just kind of getting à la carte type licenses, we can support all that. There's also the Business Premium and Defender for Business options that are out there as well. We're focusing mostly on the enterprise licensing, educational licensing, nonprofit licensing, and the à la cartes right now.


Michael Grande  09:28

Could you just touch on briefly, maybe the summary of what a typical SLA might look like for a client here?


Jason Pufahl  09:28

So, I want to actually go back really quickly to the beginning of the conversation, right, where we talked about that distinction between EDR and MDR. From a licensing standpoint, right, anybody can go out and purchase Microsoft product and get an EDR. What we're really, what we're really talking about here is the ability to manage that for them and provide that visibility, the containment and the alerting, right, the managed part of the service. I think that in a lot of ways is where the value that we bring, but we really look to tie this into a partner like Microsoft, where we know they bring that sort of quality of alert and quality of data that's really important to us.


Mike Lang  09:37

Sure. So we're trying to split it up into three different categories, pretty typical, low, medium, high, high or critical, being the most severe. And what our goal is, is really to accurately identify when critical events are occurring, and respond to them in, let's say, like a two to four hour timeframe. So the idea is, we're always receiving alerts, when we receive the critical ones, we're acting among quickly to verify that they're actually true. And if so, we respond in the manner in which we figure out with the customer, where we do the onboarding and discover how much appetite they have for host containment, we understand that they have business needs, and certain systems might be critical for business and can't be interrupted at any time. Maybe systems are workstations out across the network, they can just be easily contained. So we figure all that out and we respond to their manner. For the medium and low SLAs, it, these are things that are either administrative behavior that may or may not be malicious, or they're possible false positives, or spyware type information that are not as critical, we wouldn't be aiming towards waking up customers or alerting over the weekend for those in order to respond in a day's worth of time or so.


Jason Pufahl  11:38

Okay. And that, you actually touched a little bit on I think an important part which is onboarding. So, how much work is this for a client to do? You know, in terms of getting software deployed, maybe or, you know, providing information that we need to make, make sure that there's a high quality of alerting that comes out of the system, give us a sense of what onboarding looks like.


Matt Fusaro  11:59

Yeah, sure. So, from a technical standpoint, as far as getting the technology up, we've got an application that gets registered in Azure, so that we can talk to the Defender system. So you, I guess that's one nice part about this is that you, you will own the deployment of Defender for Endpoint. So if at any given time you wish to go in there and either have someone else looking at it, manage it, just try to get data out of it, you own that whole piece. So we help you set it up, in terms of getting the account ready, making sure the licenses are applied, we'll get that application registered. And then for all intents and purposes, we're off and running. There's some other things that we definitely would do during onboarding, which would include, you know, marking certain assets as high value, marking certain assets as, never contain, or allowed to contain, so that when our analysts see a critical incident, then they can go in there and make a decision without, not necessarily needing to talk with a customer. So we kind of get a feel for that, on our onboarding calls to understand what's important, as far as host containment is concerned, and what are the rules of engagement.


Jason Pufahl  13:12

So, kind of in conclusion, it occurs to me as we're talking through this. You know, Matt, you and I have been doing a podcast for a while, we did security fundamentals as the very first one, we thought it was important enough that we re-recorded it, I think it was the 40/41st episode. One of the, one of the major things we talk about every time is the EDR/MDR space, it's required by cyber liability insurance, it's kind of that first level of protection for almost everybody, especially as people have a more remote workforce, right? It's really important to get visibility on these, these endpoints. And now we're kind of in position, we're actually bringing a solution forward that addresses all of this. So I'm thrilled that we're able to rely, frankly, in large part on ourselves to deliver this with our own analysts that are all in Connecticut, providing the alerting, providing all the email information, providing the, you know, after hours containment. I think it's the direction we've looked for a long time, and I'm excited to announce this.


Michael Grande  14:19

Absolutely. I'm really proud of the team, really proud of everyone who had a hand in putting this together. It's obviously it's been quite a Herculean lift, but very excited about what the future holds.


Jason Pufahl  14:30

So, as always, if anybody has questions, or if they want to talk a little bit more about Vantage MDR, you know, what it looks like today, where perhaps in the future, it might go, we'd love to chat more about it. We think we put something together that competes very strongly in the market with a partner in Microsoft that has extremely high efficacy in alerting. I think people would be thrilled. So yeah, happy to talk more about it. Mike, Matt, Mike, thanks for joining today, appreciate it.


Michael Grande  15:00

Thank you.


Matt Fusaro  15:01

Appreciate it, thank you.


15:03

We'd love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant, stay resilient. This has been CyberSound.