Transcript
One of them might be controversial, but we'll see, but looking for your expert opinion and very objective opinion, if you will, it says my EDR vendor is offering threat hunting and they run queries based on their own discretion. So they have any of this. So this MSP of ours or a customer of ours has an EDR vendor and they run their own queries. How helpful would you think that is given we are an MSP and we, and, uh, our analysts truly know our clients and their industries while our EDR vendors much just sees it as a bunch of generic logs. So what if I could get you? Yeah, that's a really good question because like on the surface you can do it right. But it does require that really special understanding of a network a lot of times. So if you're just looking for is a specific windows process anomalous, like, yeah, you might be able to figure it out based on just how windows works. But a lot of times what I found, especially like, you know, being at a Lumen or enable where we, you serve like, you know, thousands of customers that serve thousands of customers. You'll see that there's tons of stuff that falls within the normal baseline, right? So I think that, um, I'm sorry, I don't remember where I was going with that. So this has to do with a very nice, yeah. So I think if they can do it well, it's great. But I have the problem that like they would be reaching out to you a lot to provide context. So a lot of this is going to require like context specific awareness to be able to solve and resolve, right? Like, cause you don't know, Jane should be accessing, you know, the share in the legal department or the HR department. Like only somebody at the organization would know that. So for it to be super effective, I would say, yeah. The benefit is like, if they have pre-canned, like we do this as well and I do this, right? I have specific queries that aren't detections because they're so noisy and they're so loud and they are common and can happen. But like they're canned queries that I can go into at Lumen, right? And copy and paste and see if I get any hits, which I always do, but I can quickly using my eyes, go through those 73 hits and like, see if something looks pinky, right? And then investigate it further. So I think if they can do that, that's, that's good. But a lot of times I feel like they'll have questions because I have questions. A lot of times I'm reaching out to the customers, that's why I don't sell it. Yeah. I think in general, I'd make a statement is the more eyes on your environment or your customer's environments, the better. Just as if there are services that are sort of generically doing it for all, then the what you're going to get are the things that it's going to impact everyone. And quite often, if your environment is being breached and you really do need a hunter cause you're worried about being breached, then someone who really knows your environment, the better off it's going to be, whether it's your environment, as in the type of threat actors that are going after your types of environments or knowing your environment specifically, what is anomalous or not anomalous in your behavior. So I think there, there is a, some common good for someone that does a generic service or generic queries. Cause I watch with our teams, like with Kevin, we'll have playbooks or certain things they always look for. And then there are things that are specific to an environment that they have to uniquely look for. So there's a combination of both. Yeah. Like I always, like one of the first things I always look for is have there been any processes that launched with the like the windows UAC prompt disabled? That's something that like a lot of environments are configured to not even use UAC, right? It's something that like users can legitimately do. Like if we enable that as a detection, we'd see like, you know, millions and millions of alerts a day across the environments. But if I'm looking at like a specific network or a specific host, that's maybe like high priority that I'm really trying to hunt on to make sure my database isn't compromised. You know, you can more targetively look for those things.