BizTech Next Level BizTech Podcast

56. Why the "R" in MDR I so Important Now. With guest Elia Cohen of AT&T

February 15, 2023

Subscribe to the Next Level BizTech podcast, so you don’t miss an episode!
Amazon Music | Apple Podcasts | Listen on Spotify | Watch on YouTube

Listen in today as one of the top experts in the security industry, Elia Cohen, Cybersecurity Director at AT&T, weighs in. Elia discusses where he got his start and how he got an early interest in security. Also, Elia opens up about the amazing toolset AT&T Security has to offer with everything from MDR & Security Framework build-outs to prem and web application firewalls along with Compliance checks throughout. Prepare for a wealth of knowledge!

Transcript of episode can be found below.

Josh Lupresto (00:01):
Welcome to the podcast that is designed to fuel your success in selling technology solutions. I’m your host, Josh Lupresto, SVP of Sales Engineering at Telarus. And this is Next Level BizTech, everybody. Welcome back to another episode. We are on the security track, and today we’re talking about the r and that R is the R in managed detection and response, or you might know of it as MDR. And today we got on a special guest, dear friend a, a peer in the space that’s helped us be extremely successful in the security space. Mr. Elia Cohen, director over cybersecurity at AT&T. Elia, welcome on, man.

Elia Cohen (00:44):
Hey, thanks for having me, Josh. Really excited to be here and talk about this really popular solution out in the industry today.

Josh Lupresto (00:52):
I’m excited you know, for the sake of time, we could go on forever with all the great stuff that you guys have over there that I don’t think a lot of people know about. But we’ll dive into a little bit of that here as we get going. I, I wanna kick us off though first about you. You know, personally, we know right now you were the cybersecurity director at AT&T and we can talk about what that means in a second. But where did you start? What, what’s your path? Has it always been tech? Has it always been security? Has it been something completely unrelated? Where did it begin and how did you get here?

Elia Cohen (01:21):
Yeah, I mean, so in terms of where, where I’ve come from and where I am now I think I kind of fell into this for the lack of a better term. a as a little kid, I always worked with my mom helped her with her small business selling our supplies, and we would go off and do trade shows and, and that’s, I started doing sales at the age of probably about five in collaboration with her. A little bit of child labor there, but don’t tell anybody . And so over, over the course of time, I eventually started to move into it. And when I was at the university getting my bachelor’s, I started working for the IT team. And a lot of the cases that I had to work on were malware remediation. So a lot of, a lot of kids, a lot of students, a lot of faculty and staff would come in with their laptops compromised, and somebody had to go figure out what was on going on, eradicate it, protect their documents, and also tell ’em what not to do. And I won’t get into what not to do here because

Josh Lupresto (02:24):
Family show, family show haha.

Elia Cohen (02:26):
Exactly. That, that that’ll keep, keep PG. Yeah. But ultimately education is really where it, it helped people get to a better spot. And so as I did that, I started to move into I got my first job outta college for security company more on the engineering side, and eventually started to move back towards sales probably four or five years into that. And then I’ve been doing technical sales and cybersecurity sales ever since. And it’s been probably a good 15 plus years now.

Josh Lupresto (02:59):
Love it. Love the journey. Talk to me about, you know, at t’s a big name. You know, I, I, I don’t think, and, and, you know, when we learned early on, I, I don’t think we knew the depth of the practice as it has with security. And then it’s certainly even expanded since we started. But we’re gonna get into products here, some more depth in products in a little bit, but maybe gimme a little you know, your segment of AT&T and your security side. What is that all about? What does that practice entail?

Elia Cohen (03:28):
Sure thing. So, yeah, I mean, I’ll, I’ll, I’ll, I’ll echo your sentiment that yes, AT&T does have a cybersecurity practice. , there’s an entire organization dedicated to cybersecurity. And the, the little known fact is that it’s actually separate from the core business. So everything that we do in terms of cybersecurity is very different from the rest of the AT&T services that, that our partners here may have experience with. So when it comes to the sales, but also operations, product management, delivery, everything’s completely independent. So that gives us a pretty unique ability to solve for customers problems in a, a pretty powerful way. And really following the industry best practices for cybersecurity versus core AT&T and transport and all that other stuff. So in terms of the cybersecurity practice, we’re ranked consistently in the top five globally MSSP. So pretty powerful there. And our focus is really managed services which is also very relevant to this conversation. But we also have a great cybersecurity consulting practice. And so when we start to look at MDR and the, the different related components that customers need to have in place in order to be successful with that, that’s where having a blend of both managed services and consulting services come together. And we’ll, we’ll touch on that a little bit in this conversation.

Josh Lupresto (04:55):
Love it. Let’s talk about, let’s paint a picture of what it was like before maybe one of the early on deals that, that you sold. Walk me through, you know, whenever this was. I, I don’t care how long it, how old it is, how much it dates you, it doesn’t matter. Let’s make it more entertaining. But tell me about one of the first deals that you sold in this, and when, when did that really open your eyes to the idea of, of what we could do in security?

Elia Cohen (05:20):
Yes. I’ve been in the security space for quite a while now, and I, I’ve sold EDR before it even existed and sold kind of the traditional antivirus or endpoint protection solutions, and was with an endpoint company when EDR was becoming a thing. And so it was pretty interesting to see the evolution of the technology going from pretty static types of detections, very signature based detections to the evolution of moving towards machine learning and, and advanced algorithms for detection. And so, as you can imagine, back then, it wasn’t a perfect science probably still isn’t today , but it’s a lot better than what it was before. And when you look at the detections that are being made it accentuates the amount of resources that are needed to understand what’s taking place.

Elia Cohen (06:16):
So at the time I was working with a, a fairly large insurance company, and they needed to advance their, their, their, their game when it came to protecting their endpoints. And they had stuff all over the place and data centers that they own in the cloud and then all of their end user compute devices that they needed protected. And so pretty common, they had a ra rather small team of individuals that was mostly focused on it and then a couple of named security persons. And so clearly wasn’t enough when it came to being able to manage a solution and look at all the different detections that were taking place 24 by seven. But that was the model back then. The, the M part of MDR didn’t really exist then. So we were really selling the point solution.

Elia Cohen (07:06):
And just like the evolution of the endpoint in its technology to edr the market kind of realized that there’s a big gap when it comes to the overall 24 by seven monitoring and response capabilities. And so this MDR space started to come in. So at the time, we didn’t have an MDR solution with that company, so we really just focused on selling, selling them the end product. But over time they started to build up more staff and they had a hard time doing that. And fortunately, within a couple years, they ended up having a service to add the management on top of that.

Josh Lupresto (07:42):
Love it. You, you bring up a good a good point, which is one of my next questions, which is the evolution of this. And so, you know, I I, I think I would love to hear maybe from you a little bit about how this helps the customers see an roi. But, you know, maybe weave in, you mentioned, you know, this has evolved. It used to be called antivirus, and then it was edr, and now it’s MDR, and there’s these other ideas of XDR and, and kind of what’s, what’s coming up next around. But talk to me about a, how and why has some of this evolved from your perspective in the trenches, and how do you still, no matter what, help a customer see ROI around that?

Elia Cohen (08:21):
Well, I would say, when it comes to cybersecurity, ROI is a dirty term these days. , and I would say maybe three, four years ago, ROI was really what people were looking at when making any kind of a business investment. And these days, there’s been a, a pretty significant shift in the marketplace of fourth cybersecurity specifically. And instead of seeing it as as an investment, it’s being seen as an enabler. And so there’s less of a focus at the, the c and board level to look at the, the dollar gain from investing in an antivirus or other type of security solution. Instead, it, the, the, what they are focusing on is what can we now do as a business? What are we now protecting? How are we becoming more resilient as a business in a landscape where a tax and breaches and data loss is so significant.

Josh Lupresto (09:16):
Do you see, I mean, to to your point where it did used to be all about roi, do you see, though, when people come to you for a security need, is it about the ROI at all, or is it, I have this problem and it’s so important? Cost is the fourth thing on my list of priorities right now. What’s your trend?

Elia Cohen (09:36):
So there’s different types of customers out there, and it, and you really have to go back to the drivers that are leading this conversation. So anybody that’s had a reach will tell you outright that they will, that, that it’s probably the most awful experience that they’ve ever had, and they don’t ever want to have that again. And they’re ready to pay a good amount of money to reduce the likelihood of that occurring again. So if that takes place, they’re gonna buy everything in the kitchen sink to protect their business. So not really looking for an investment, they just don’t want to go through that again. Yeah. if you’re looking at a customer that has say some other driver cybersecurity insurance is a really common driver these days that will often not just say, you have to have a solution to protect your endpoint is to secure it, but they’ll actually dictate you need to have an EDR solution.

Elia Cohen (10:27):
And by the way, you also need that to be managed. So now the customer doesn’t really have a choice. If they want to have cybersecurity insurance, they have to go buy a managed EDR service somewhere, somehow come up with that, they can’t check that box, then they’re gonna put their policy at risk. And sometimes they may start to wonder, do I really want cybersecurity insurance? And then they start to realize, well, that contract that we have with this, with one of our customers is dictating that we have to protect their data by X. And the only way that we can have money tied up to allow for that is just by having an insurance policy. So then they’re pretty much being forced down that path. And for, for us, it’s great in sales to be able to have customers that have those, those strong requirements, but it’s also really good for customers because having a solution in place is, is really key. And this is one of the, the, the most important elements of protecting endpoints.

Josh Lupresto (11:24):
You know, you bring up a good point. I mean, sometimes I think when we get in, we uncover the situation of what they really need. We just ask that we just want ’em to do something. I, I think that’s the overall idea with part of a security strategy is that, yeah, you can’t, you know, you, you could spend 80 of your 80% of your time covering 20%, or you’re gonna spend 20% covering 80%, right? E e either way. And I think when you have to look at it, we just want them to walk away and do something and make some progress to that point. So, yeah, I, I, I think we’re just happy now that their hands are forced to some extent, but it really just, it requires them to take a long look at it. And I think we’ve found the same thing, you know, 70% of the it’s responsibility has been it, and then they’ve maybe done, you know, security 30% of the time, and they still just need help even before all this craziness. You know, there was, there was a massive shortage in security when, when employment and all those things were normalized. So, good points.

Elia Cohen (12:19):
Yep.

Josh Lupresto (12:20):
So, all right, let, let’s spend a little bit of time here unpacking the AT&T product set. If, if this podcast for a three hour podcast, we could probably do it cuz you guys have so much good stuff in there. But if, if, if I, if we try to make a decision here for the sake of time we could talk framework building. We, to your point, more services, cmmc compliance readiness, you know, the MDR products that you guys have, pen test, there’s security awareness training. Maybe boil this down for me. Let’s, let’s start with the top three, maybe the top four. What’s the first product that you want to talk about so that we can make sure that everybody understands it from your side?

Elia Cohen (13:01):
Yeah, so as I mentioned before, the there’s really two focuses in the portfolio. One is managed security services, the second is security consulting. And and, and we, we have a number of solutions in both of those areas. So when it comes to protecting assets whether it’s your users, your endpoint or your applications and data, we have solutions that span across all of that. When you start to look at consulting, it’s kind of a weaving fabric for the managed services. So even though we might be providing a, a managed firewall or a managed endpoint solution there’s usually some thought that has to go through in how to do that effectively. And is that enough? Do we need more? Are there other things that we should be doing or could be doing? And what are the pros and cons of doing thAT&The risk that we’re managing with that? And that’s really where consulting comes into play. Getting a good sense of kind of the assessment, the framework that you mentioned of what we could do should do, and how does this align to industry best practices. And when you start to look at the different regulations that are out there this could be just a self initiative that the, a business could have, or it could be a regulated and mandated like PCI or CMMC or any one of the other regulations out there.

Josh Lupresto (14:24):
So, so if we, if we go over what you just mentioned again, and we do a little bit of kind of vendor soup, OEM soup I think that’s where sometimes the, the asks come from the customer side. So if we think about, I’m just going to, we’ll speed date this for a second, but if we talk about obviously frameworks, if we talk about what frameworks we’re building out, I mean, it, it doesn’t matter if it’s NIST, it doesn’t matter if it’s CIS. You guys have expertise to build out any of those and any others that I missed in there that you wanna cover?

Elia Cohen (14:54):
Yeah. HIPAA, I trust, pretty much the, the ISO, SOC2, pretty much all of the different types of initiatives for security that you can think of, we can support and provide the assessment services as well as some of the remediation and fill in some of the gaps, whether it’s with more consulting services or with with the managed security services.

Josh Lupresto (15:17):
Okay. How about from an awareness training? Is there a specific software specific manufacturer that you guys have had a lot of success with? Or ones that, that you tout?

Elia Cohen (15:27):
Yeah, so we have a couple of tools that we have in place. One from health systems, one from Orion. So those are kind of our two leading solutions. Yeah, I, I’d say that there’s a lot of folks out there that that already have security awareness training but what they’re doing with it, how that weaves into maybe some of the other services that they could be or should be doing. So typically if you have training, that’s great, but you should also be doing some phishing simulations. If you have phishing simulation, you should sometimes start thinking about getting social engineering and getting an actual human to your locations. So thinking about AT&, then starting to then test the environment with penetration testing to then test the defenses that are in place, which could also potentially indirectly test in the users. All of that kind of in concert is how we can start to look at solutioning for a customer versus just give them that one widget of say the, the security awareness training.

Josh Lupresto (16:27):
And from a, from a pen testing perspective, let, let’s, let’s lump in here pin testing and vulnerability assessments for a second. Is it safe to say that whether we need external ips just scanned to see if we have any open vulnerabilities versus even inside application level we, we could carve out a program for you to come in and, and, and scope out all of those, right. Internal, external, everything, everything adjacent.

Elia Cohen (16:53):
Absolutely. And I can’t stress this enough that our partners here don’t have to understand all this stuff, when it comes to penetration testing and all the different nuances to it and different types. But yes, we do have the internal external application API. We can even do source code reviews if we’re built doing the building blocks. So really kind of anything that, that a customer may need to test their, their resiliency we can support with.

Josh Lupresto (17:22):
Okay. One of the last couple here, maybe talk about MDR and then you know, firewalls both web app and, and prem and, and cloud, things like that. So from an MDR perspective, that, that important, you know, that that important technology to isolate whatever happens at the edge, at the endpoint server device. What, what are some of the MDR tool sets that you guys like that you’ve seen good results out of?

Elia Cohen (17:48):
Yeah, so there’s only one that we really lead with here within our portfolio, and that’s with Sentinel One. And so we have a very large partnership with Sentinel One. They’re a leading EDR solution in the industry. And so, so that’s what we focus on for edr on the network side. Again, alphabet soup, like you mentioned mm-hmm. for all of the different providers that are out there from Fortinet, Cisco, Palo Alto checkpoint Meraki, pretty much you name it, we have it, and then we offer it in a managed service fashion. And so as we start to look at this problem, though, the, the thing to keep in mind for both the endpoint and the network is that it’s evolved significantly the last few years where there, there really is no border there, there’s no edge anymore.

Elia Cohen (18:38):
The edge is kind of the internet mm-hmm. . And so, and the users are on the internet when they’re at home, they’re at a, at, at a customer’s office. If they’re at our at, at a, you know, using resources, a data center, SaaS their endpoints are kind of everywhere. Their endpoint types can also differ from your typical laptop workstation to now we can do so much with our mobile devices and tablets. So you have to start thinking, how do I protect from an anti-malware perspective, all of these different endpoints wherever they are? And then how do I also protect the internet and web traffic for all of these endpoints, whatever they are, wherever they are. It’s a, it’s a, it’s a new evolution and there’s a lot of businesses out there that that are making shifts. Both the initial first phase shift that we maybe saw with some customers a few years back moving to traditional SD WAN solutions. And now we have customers that, that had SD WAN that are moving to Southie. And we have some that are just moving straight there that maybe didn’t have that intermediary step of SD wan. So there’s a lot of a lot of projects out there, and a lot of ways to make some good money on this

Josh Lupresto (19:53):
Great stuff. All right. Speed dating round over. And I know we just, we, we, we probably skipped over a whole bunch of good stuff, but I, I think it, it shows people the depth of what you have. It’s not just about, to your point, the, the point solution. It’s about what you do with those results, what you take action on, what best practices we recommend after. Cuz anybody can sell a point solution. So this isn’t about that. And I think that’s why you guys have had such good success, cuz you see that it’s in the services, it’s in the results, it’s in the, it’s in the skills and the people. So, great stuff. Okay. Let’s, let’s talk about you know, rather than roses and rainbows, let’s talk about the difficult parts. Let’s talk about the sales process. Help me walk through, if you have a hurdle.

Josh Lupresto (20:34):
I mean, we’ve all been in those conversations with customers where they just don’t think that they need help. How do you, I guess what’s, what’s your strategy in the conversation or what do you recommend for the partners listening to this that, you know, I, I, I know we’re telling them they don’t need to be experts. We’ve got a, a plethora of amazing engineers and architects, our team, your team that can help them with this, that are there every single step of the way. But when you’re in a discussion and, and you’re, you’re being asked to come on this call, how do you help get through that, that customer that just doesn’t quite see that they need help? What’s your, what’s your go-to talk track there?

Elia Cohen (21:11):
So I would say that everybody needs help. Everybody out there needs help when it comes to cybersecurity. There’s not there, there’s no, no, there isn’t one single thing that you could be doing. And I, I’ve yet to find a customer that tells me that they have adequate tools and personnel 24 by seven to go solve all their needs. So that being said typically when I hear customers indicating that they don’t need help, that they have things under control or that they they, they don’t need a particular solution typically it’s, it’s more indicative of maturity. And so oftentimes, instead of maybe trying to push or, or recommend say MDR or, or a Simmons SOC solution that might just be too advanced for the customer, they haven’t done some of their table stake guidance. Like, no, what’s in their environment?

Elia Cohen (22:08):
Do you have an asset management solution? Do you know what all the devices are that are communicating on your network? Do you know where they are ? Do you know what kinds of vulnerabilities exist on your network? Do you have a tool that’s continually monitoring for that? Are you patching your devices? Do you have a tool that helps you patch or do you go off onesie, twosies to the different endpoints within the environment? And yes, people still do that. They, think that they’re very secure because they haven’t had a breach. But that’s indicative of their maturity and what maybe where we can help to not shift away what we know they need most, but to help them where it hurts the most right now, which is that day-to-day administration that prevents them from seeing all the other things that they could be or should be doing.

Josh Lupresto (22:56):
Love it. All right. I want to get into the last couple points here as we wrap this up. An example. So we talked about in the beginning, one of the examples that you saw, one of the deals that you worked, how you helped them through that. Give me through a, a situation here where, you know, maybe you got brought in, Hey, Elia, this situation and the environment looks like this. And you get in and find out it’s something completely different. Maybe you got in and, and it’s exactly what you said, but maybe just walk us through a situation that you were in where you guys were able to add a lot of value, but really what was the tech that you pulled out or what was the business problem and, and what kind of solutions did you end up putting in?

Elia Cohen (23:32):
Sure. So I’ll cover a a healthcare customer. They were doing and still are they’re doing clinical research using big data in the cloud. And they’re using multiple, multiple cloud platforms. Yes, they’re a startup, so , they’re running fast, very nimble not a lot of personnel that are running the business. Everybody’s focused on building the technology. Pretty, pretty typical for mm-hmm. a startup. So they were probably about two to three years in when we started talking. And it was pretty clear right from the get-go that they, they needed to do something more. And, and the good news is that they had hired a a security director to build out a practice and to hire some resources, but also assess and figure out what tools to bring in and how to, how to protect the business. So they, this, this individual started to look at the environment, saw that they needed they needed to consolidate on an endpoint solution. They had multiple anti-malware types of technologies in place, some that came free with the system, some that didn’t, because, you know, it’s a Mac, so it doesn’t need protection, right? Just kidding. For those that don’t know , .

Elia Cohen (24:48):
And so so he decided to start working with us on that. And then meanwhile, because of all their different environments, they started to realize they needed some help to get a better sense of what’s out there. And so we started to look at both the, some vulnerability management capabilities as well as more of the Simmons SOC as a service. And since we were talking about that, we started to ask them what would happen if an incident takes place? Who would actually be responsible for caring forward, not the response, but the remediation, the eradication of, of the malware that’s in place, and also making sure that things are forensically sound if, if a law enforcement type of agent investigation needs to take place. And of course, they didn’t really have anything like that in place. So the, what the solution turned into was an MDR with Sentinal one, Simmons, the service with alien Vault managed vulnerability with qualis.

Elia Cohen (25:50):
And then also our incident response and forensics retainer. And before we even got a chance to stand up any of these services, we got, I got a phone call, personally, late on a Friday of, I think something’s going on. I need some help . And so fortunately we had had the incident response retainers established and, and transacted. So I immediately called our consulting team that runs incident response and got some resources over there. And they were right. They had their their APIs that were managing all of their big data of clinical data, including PII, was being targeted and was pretty loosened the way that it was open to the world. So we quickly helped them close that down, helped them with some source code analysis and application analysis to understand how to best resolve this longer term and and then get them back on track.

Elia Cohen (26:51):
And then, of course, in parallel, we started to, to work on getting the, the endpoints deployed, the SIMs deployed, and it wasn’t probably more than another couple months before they had another attack that we detected this time. Ooh, using our MDR services, targeting their oh 365 environment, all their users, it’s mostly their executive staff. But ultimately the investigations that we did came and surfaced that their office 365 policies were fairly lenient in allowing adversaries to just communicate with their employees a little bit too directly mm-hmm. . So really having things thought through around the different areas that, that are related to an MDR are pretty important. And having the right partners in there with you to have that conversation, whether it’s the Polaris team, an engineering team, or, or bringing us in to talk to the customer and making sure that we’re, we’re touching all the areas leading up to the, the MDR offering and beyond.

Josh Lupresto (27:55):
Love it. Boom. if I had a mic drop sound effect, I would play it right now. It’s a great example, but, but it’s really typical. I mean, that’s exactly why we do this. That’s exactly why we need the solutions that we have out there from our vendors like yourself, because without that, we would not be able to solve these problems. So, nice work excited to keep, keep doing more of those great stuff. All right. So as we get to the end of this here, I think we’ve established the point of what the title of this is, is, you know, why is the R so important, right? The remediation, the response, because it’s not, things are gonna happen, bad things are gonna happen. We’re not defined by the quantity of things that happen, just like in life. We’re defined by how we respond to those things and what we learn and how we get better.

Josh Lupresto (28:38):
And so definitely, I think we’ve, we’ve called out the fact that people still need help. There are gaps all over the place, no matter how mature the organization is. So we have to work to find those. So awesome stuff. I think you really put a bow on that. Final thoughts here. So if we, and this is a hard space to look out more than 12 months, more than 24 months, but if we grab our crystal ball and in, in Eli’s humble opinion, as we look out, I don’t know, let’s call it twelve, twenty four months, what do we think changes? Does, does the, does the agenda change? Do the strategies change as to how we help customers with this? What, what do the products change? What do you see happening or, you know, what do you want to caution partners or give advice to partners for over the next next little while?

Elia Cohen (29:25):
Yeah, I would say that in the next 12 to 24 months security’s still gonna be a focus. There’s still gonna be a lot of of folks that are going to be increasing their level of maturity. So understanding where your customers are, are where some of their gaps are understanding what drives their business is gonna be really important. So if, if there’s some, some final words that I can share around what partners could be doing with their customers, doing what they do best, have a business conversation. Talk to them about what their business is, what their core competencies are what makes them viable as a business how they’re utilizing technology to drive their business and start to uncover some of the risks of what if your technology went down, what if your data was compromised? What if your operations weren’t able to continue forward, and have you thought through how to mitigate some of those risks? So really the focus, I think, should be around risk management. And what you’ll uncover is that some customers have a risk management practice in place, some don’t. Some have varying levels of it. And talking to them in that type of a tone, we’ll start to get them to be more open-ended around the responses that you’re gonna get, which then will open you up to a lot more opportunities s versus just widget selling

Josh Lupresto (30:55):
Love. Okay. Good stuff. All right. Well, man, hey, kudos to you. What you’re doing, what you’re building on the security practice, we appreciate everything over there. You know, big kudos for for Kelly Owoseni, you know, making sure that we really got a good understanding of everything that AT&T has to offer. You know, we got a lot of big advocates of your guys internally. So I, I appreciate you coming on and doing this with me, man.

Elia Cohen (31:17):
Hey, thanks for having me. Great conversation and looking forward to some of the, the momentum that we get after this.

Josh Lupresto (31:23):
All right, good stuff. Okay, everybody that wraps us up for today. I’m your host, Josh Lupresto, SVP of Sales Engineering. Elia Cohen, cybersecurity director at AT&T. This is Next Level BizTech. Until next time.