What our customers have taught us
It’s launch day! Again!
Well, today we’ve reached another milestone with general availability of our full Expel 24x7 transparent managed security service. And rather than repeat everything I said in my previous launch post, I thought I’d use this opportunity to talk about some of the things that we’ve learned from working with our early customers.
When we set out to build Expel, we made a few core assumptions:
- First, we said that customers wanted transparency. We thought they were tired of the black-box approach managed security service providers (MSSPs) have been operating with for the better part of 15 years. We believed customers wanted to understand what’s being done with their data and that they’d want to be able to see for themselves how their MSSP was making decisions on their behalf.
- Second, we thought that one size no longer fits all. In fact, it never really did. But, in our opinion, it was time to do something about it. Change is constant in security and every organization is different. Organizations care about different things, they make different investments and they’ve got their own way of doing things. We thought customers would gravitate towards a managed security service that paid attention to the things they care about (not just an SLA).
- And finally, we believed strongly that customers really just want to get better. We didn’t think that it was enough for an MSSP to just find bad things. That seemed like table stakes. We thought companies were looking for a service that – in addition to finding the nasty stuff in their network – would make them measurably better over time by helping them keep bad things from happening again (and again) or tell them how to make changes that would prevent them from happening in the first place.
So, did we nail it? In short: sort of.
Here’s my scorecard on how our assumptions held up… plus a few that I’d rewrite with the benefit of hindsight.
Conclusion #1: transparency breeds teamwork
At Expel, transparency permeates everything that we do.
We built the Expel Workbench to deliver an experience for our customers that was 180-degrees different than what they get from other managed security service providers. Customers can see and work with the same data and tools our analysts use, in real time. We thought it would build trust with our customers. So how has it panned out?
So far…better than we could have hoped. It has created a level of teamwork between our team and our customers’ teams that I haven’t seen in the last 13 years of doing this. In fact, one of our customers recently told us, “The insight that we get into the work you’re doing – not just the output – is fantastic. It feels like we’re working as one team, which is new for us when it comes to managed services.”
One thing I didn’t expect (but probably should have) is how transparency has allowed us and our customers to work as a single team. Our analysts aren’t just the “people behind the curtain.” We use Slack to communicate with our customers. Our team is in these chats all the time, and it has allowed us to fit into our customers’ business processes (and vice versa). When questions arise (on either side), it’s easy to get quick answers – whether we’re discussing an ongoing incident or just sharing sweet memes with each other. Also, when we begin an investigation, we’re able to alert our customers and immediately begin passing important details back and forth. It also allows our customers to provide us with critical information as the investigation unfolds. In one case, our customer was able to fully remediate a security incident before we’d actually finished our full investigation because of the details we shared with them quickly via Slack.
So, in short, it seems transparency has tapped into a need… and then some. Expect to see more of it… including when we screw some things up (which is certain to happen).
Conclusion #2: one size doesn’t fit all – and everyone’s sense of style is different
This one seems obvious, and we knew it to a certain extent.
The seemingly unrelenting (and unending) onslaught of security technologies to address each new threatey threat means every customer’s environment can look a little different. Each of these technologies needs a plan and resources to be used effectively. And one reason customers choose to work with MSSPs is because they want help getting the most out of the security tech they already own. We knew new tech was a pain in the neck (heck, some of us at Expel created a few of those products). We also knew it would be challenging to make the pain go away. It turns out we were right. We started by building a handful of initial integrations with the big network, SIEM and endpoint security products. That list has unsurprisingly grown as we work with customers. Some of the newest integrations we’ve added over the last few months based on customer feedback include: Darktrace, Attivo Networks and (very soon) ProtectWise.
On the other side of the coin, though, we’ve developed a really good understanding of how to distinguish between behavior that’s distracting noise to one customer and business-impacting-important to another. To help deal with that, we’ve engineered our own tech in a way that allows us to flex with our customers. That means one customer doesn’t have to miss out on knowing about something that’s important to them even if it’s a distraction for the other 99% of our customers.
For example, a few months ago, one of our analysts, Evan, was investigating an alert for a customer. It started simply as communication with a known tor relay. After completing his investigation, Evan had identified the specific user responsible for the traffic that had triggered the alert. He confirmed that a BitTorrent application was generating the traffic and that a user was downloading pirated copies of TV shows. Many organizations would probably want to know about this type of activity, but few would consider it a big problem. However, this particular customer makes the vast majority of its money by licensing media. For them, having an employee pirating TV shows was a really big deal. It was a high priority alert.
We’re looking closely at how we can capture more customer-specific context in our system so we can get better and better at this. I’m especially curious to see how it will evolve as we get more familiar with our customers. It’ll also be interesting to see what customers ask us to do as they understand how we can tailor our service to their environment.
Conclusion #3: getting better is hard work
When we set out to build Expel we knew that customers ultimately just wanted to get better. Who wouldn’t? They told us they were sick of every day being groundhog day – responding to the same incidents over and over again, re-imaging machines and resetting user account passwords only to have the same machine and the account compromised again the next week.
MSSPs did a fine job tossing alerts over the wall… but we heard a frequent complaint: “they can’t tell me how to prevent it from happening again tomorrow.” Oh… and “when they’re not firing alerts at us how do we know they’re providing value?”
We came up with the concept of resilience recommendations to help address this problem. Here are a couple examples of what that can look like in practice:
In one case…
during the course of investigating a security incident, we learned that a customer had inadvertently exposed RDP to the Internet (which had been brute forced to cause the incident in the first place) – not something you want to do, but the type of thing that we see regularly. Naturally, we recommended that they close that exposure to avoid future compromise.
In another example…
while hunting in a customer’s environment, we identified a local administrator account and privileged domain accounts that would have been relatively easy for an attacker to access because they were recoverable via the Microsoft Group Policy Preferences vulnerability. We were able to identify the issue (in this case the credentials were stored in %systemroot%\sysvol\Groups.xml and though they were encrypted, the AES private key was well-known and documented) and provide clear recommendations to the customer so they could prevent attackers from exploiting it in the future.
One thing that we’ve learned as we work with customers on these resilience recommendations is how hard it can be to act on them. It’s easier said than done – even when the recommendations seem obvious. A lot of the resilience recommendations are strategic in nature (aka they often require our customers to work with some of their peer teams internally to implement them). We’ve realized that helping our customers make the case to implement a change is as important as the recommendation itself. We do that by providing them with data from their environment (as well as anonymized data from other customer environments) so they can print out a single piece of paper and walk it over to IT (or whoever’s help they need).
The last 18 months have taught us a lot. So what’s ahead?
As you’d suspect, we’ve got a whole bunch of new things on the to-do list for the upcoming year. Here are just a couple of things you’ll see us working on:
- First, now that we have unique working relationships with our customers, we’ll be working hard to optimize our shared workflows. Our customers will guide the direction we take, but it could mean helping them adapt their incident response processes to make Expel Workbench their new IR workflow system. Or, you might see us integrating with our customers’ existing ticketing systems and building tighter integration with Slack.
- Second, it’ll come as no surprise that all of our customers are trying to figure out how to secure customer cloud infrastructures. There’s no one-size-fits-all approach to cloud security. So, we’re working to understand how our customers are going to the cloud and what risks they care about most when they’re making that transition.
I’m really excited to continue working with our customers to learn more and more about how we can help them get back to doing what they love about security. We’re always interested in talking with people to get feedback or additional insights, so if you think what we’re up to is interesting, please spread the word by sharing this with a friend (or on LinkedIn or the Twitters).