Innovation is an essential part of an effective response to constantly evolving cyber threats.
We asked Paul Sutton, Head of Research & Development at Redscan Labs, to tell us about the work he and his team are doing to ensure Redscan remains at the forefront of detection and response.
How does Redscan Labs support Redscan’s activities?
As a team, we support the company in diverse ways. Our work is mainly focused around analysing and acting on threats and developing our solutions to better prevent, detect and respond to them.
A big part of our work is the development of tools to help enhance the delivery of our services and support improved outcomes to our clients. A recent example of this is a detection tool we created to help organisations determine whether they have been compromised by attackers exploiting the critical Zerologon vulnerability.
We’re doing a lot of work with the developers of CyberOps™. This is the threat management platform we’ve established to help improve automation and ensure our teams have the telemetry needed to make swifter, more accurate decisions.
Given my offensive security background, another area we’re heavily involved in is the testing of SIEM and EDR use case rules. We work closely alongside our offensive security team to test that the detection mechanisms we implement are effective and optimised to identify the latest adversarial behaviours.
How important is CyberOps in helping Redscan deliver its services?
CyberOps is essential to how we deliver our ThreatDetect™ Managed Detection and Response service to clients. CyberOps enables us to achieve comprehensive visibility across our client environments. Being technology-agnostic, it enables us to integrate with the latest threat detection technologies and intelligence, providing all the information our analysts need to analyse, triage and respond to incidents via a single pane of glass.
Detecting and responding to security threats can demand a range of security tools. Our CyberOps platform integrates these and, via a process of enrichment and correlation, intelligently groups together the disparate alerts they generate to enhance contextual awareness and reduce alert fatigue.
As well as improving the speed and accuracy of detection, CyberOps is also vital in helping us to accelerate the speed of response. This is achieved not only through triggered manual response actions that are safe to execute, but also through automated response actions for defined use cases. In other words, we can automate responses that fire when a particular activity is observed. The overall benefit of this is that we can significantly reduce the mean time to respond to attacks, minimising the risk of damage and disruption.
This allows us to mitigate the progression of an attacker before an analyst begins their investigation, reducing the time pressures involved in live incidents.
What are the biggest security technology trends you’re seeing now?
Endpoint Detection and Response is the technology area that has grown massively in recent years. EDR definitely offers many benefits beyond traditional antivirus, enabling security teams to obtain deep threat visibility and improve coverage. Response capabilities tend to be much more targeted and effective.
However, using endpoint data alongside telemetry collected across networks and the cloud is the real trick to improving threat detection and response. This is what extended detection and response (XDR) brings, and it’s the reason that Redscan is investing a lot in our CyberOps platform to provide more comprehensive visibility across all types of detection technologies.
What do you find most rewarding about leading Redscan Labs?
I really appreciate the diversity of what we do. It’s great to be able to drive the projects we’re involved in and how far we go with them. I’m a technical person so being able to see something through and get into the depth and detail of matters is always a good thing. Every project teaches us something and gives us insight and experience that we take into the future.
Our ethos is very much about sharing and supporting each other in working towards a common goal as we’re a small team of specialists. Looking ahead, our team needs to stay focused on offensive security and what real-world attackers are doing. We also need to stay on top of our own specialist skills across the many technical fields we work in. Diversity in skillset, approach, ideas and thought processes is vital in a function like ours.
Tell us about your career path
I studied Computer Security at De Montfort University and went straight into penetration testing at a cyber security consultancy where I gained valuable experience in many different areas, both technical and client facing. I worked there for three years before moving to a boutique consultancy working with a close friend. After about six months there, I moved to Redscan first as a security consultant before moving to my current position as I got more and more involved in the defensive side of what we do.
Do you have any advice for people interested in working within security R&D?
I’d encourage anyone who is interested in this area to first obtain experience in pen testing and offensive security. You gain an incredible level of insight across all kinds of businesses and industries and their inner workings.
Working in offensive security gives you experience in many technical areas, from standard web applications to infrastructure and things like vehicle tracking systems. You also get exposure to the diverse ways in which businesses handle security. It’s a nice diverse skillset. Plus, ultimately as a consultant, you end up being able to talk to people, which is always nice! Red teaming and scenario-based testing come in later, and that’s where the real fun begins, as you use all your experience to simulate real-world attacks that lead to full compromise. It’s all excellent prior experience for this kind of role.
If anyone reading has a good technical niche and is interested in working with us in R&D, please feel free to contact me or another member of the team through our Contact Us page.