Cyberattacks are a crime scene, and to get to their root cause and prevent them in the future -- much like law enforcement -- you need skilled forensics investigators.
MSSPs know that forensic cybersecurity can provide clues as to who was behind a cyberattack and how your security was breached, point to the corrective measures to take and, most importantly, help prevent a future attack from succeeding.
Deepwatch, an MSSP Alert Top 250 MSSP and MDR Top 40 company for 2023, has been carefully watching the forensic science behind threat hunting and recently introduced Threat Signal, its standalone forensic-focused operations service.
Why Forensics Are Important to MSSPs
MSSP Alert recently spoke with Deepwatch company leaders, who explained their ideas around cybersecurity forensics and described how Threat Signal can proactively identify attack vectors and keep customers safe.
Threat Signal is a managed detection and response (MDR) capability that provides protection “beyond traditional security measures” — pinpointing advanced cyber threats that may have bypassed existing controls. To accomplish that mission, Threat Signal uses an “outside-in” methodology by evaluating an organization’s externally accessible presence — from an attacker’s perspective — to investigate risky systems and services before they disrupt an organization.
“It’s critical that we look beyond a company’s existing security controls to ensure they are identifying and proactively protecting the business from external threats,” said Jerrod Barton, vice president of Cyber Operations & Intelligence for Deepwatch. “With Threat Signal, we’re able to help our customers view their security readiness through the lens of the attackers, ensuring that they can rapidly respond to any incoming threats.”
A Deep Dive Into Forensics
Just how deep into the attack vectors can forensic science go? Neil Humphrey, vice president of Market Strategy, explained what Deepwatch means by a forensic “dive.”
“This is where we're utilizing a piece of software, as an agent that allows us to get forensic-level information directly off of the boxes, to start digging through additional information, boot records and other pieces of data,” he said. “That's information you're not really going to see from an alert or from a log perspective, which allows us to do a lot deeper and longer-term piece of a dive.”
Humphrey said that threat hunting is first and foremost an automated capability his company brings to all its customers. The human element is important too, he said: Deepwatch will conduct a “manual style hunt” using its own threat hunters on staff to probe the various cyber vulnerabilities.
Humphrey said the forensic Threat Signal capability is available on an annualized basis, with additional time-based check-ins for exposures. He likened the way Threat Signal's forensic capability is licensed to a spotlight sweeping a fence line: it doesn't stay in the same place all the time, it is constantly moving around.
Barton noted that any CISO who has lived through an incident knows the value of threat signals and would welcome an opportunity for a tailored operation on their environment, validating certain behaviors that could have occurred in that network.
“We’re proactively looking for attacks or threats or signals or anything that may have bypassed the controls that are in your environment,” Barton said. “How we do that is what I feel makes us unique, whether that's hypothesis-based, intel-based or forensic-focus-based. We're looking for behaviors and indications that have bypassed what you had purchased to protect your organization.”
Detailed Reports and Analysis Delivered
Deepwatch sells an annualized package as part of its Threat Hunter offering, which is delivered entirely in-house and is mostly included in its base MDR service. The offering includes detailed reports and reviews on a variety of security assessments and subjects:
- Weekly intelligence briefs on analyzed open-source intelligence with Deepwatch recommendations
- Summary presentations on the solution engagement status, including, but not limited to, hunting reports
- Up to two executive reviews of the solution and observables per year
- Ad-hoc awareness briefs of security advisories based on Deepwatch threat criteria
- Malware analysis from the Deepwatch Adversary Tactics and Intelligence (ATI) team
- Attack surface profiles that provide customers with an actionable report detailing external opportunity areas that an attacker could leverage against an organization, including high-risk areas, mitigation recommendations and threat hunting leads
Deepwatch’s Channel-First Strategy
Deepwatch is 100% channel driven, with partnerships in place with Lacework and other technology and cybersecurity companies.
In September 2023, Deepwatch unveiled a new tiering framework for its Xcelerate Channel Partner Program. The framework consists of Silver, Gold and Platinum tiers based on revenue and specialization requirements.
The Deepwatch Academy platform launched in April 2023, providing sales training, resources and certification programs to Xcelerate partners. With Deepwatch Academy, Xcelerate partners can access case studies and webinars and schedule cybersecurity training sessions.
Resources and Further Reading
Forrester: How to Make Threat Intelligence Actionable
Forrester: Threat Hunting 101
Department of Homeland Security: Cybersecurity Forensics Support for Law Enforcement Fact Sheet