He’s on to Something.

Dedicated Threat Hunting Investigations

I always enjoy reading an article from someone who truly gets it. This particular article was a preview of a forthcoming ebook from SC Media titled “All about MDR: What it is and how to optimize it.” The article describes managed detection and response (MDR) services as when a “vendor performs dedicated threat hunting investigations and incident response on behalf of a customer.” [The analysts at Gartner would properly add that the vendor needs to bring their own technology to the table as part of the service as well.] The article emphasizes the following key prerequisites for anything called “MDR”:
  • Access to real human threat hunters – a truly rare breed.
  • Specific focus on threat detection and threat response.
  • Continuous monitoring and scanning.
  • Guided remediation and prioritization.
  • Working partnership built on shared and non-shared responsibilities.

Proactively Fight the Fire

The article goes on to distance MDR from (M)EDR, XDR, MSSP and SIEM/SOC services. Providers of these services often say they are performing “MDR Services” when they are just slapping a new label on their old MSSP services or selling products. MSSPs are more focused on the administration of alerts (reactive) than on (proactive) threat hunting, threat intelligence and incident response. The latter three skills define what you should look for in an MDR provider. When an MSSP, EDR, XDR or SIEM/SOC provider calls themselves an MDR provider, it’s akin to a Fire Department radio dispatcher saying they put out fires. A bit of a stretch. You want the people that actually fight the fire on scene with your team.


A Passion for Eliminating Threats

MDR is when a…

“vendor performs dedicated threat hunting investigations and incident response on behalf of a customer.”

– Daniel Thomas, SC Media

At PacketWatch, we employ dedicated threat hunters whose passion and sole occupation is to hunt and eliminate threats. That’s it – nothing else. Their vernacular is formed by the incidents they respond to each week. Our PacketWatch platform is the ultimate threat-hunting tool because it is designed by and for threat hunters. It provides the additional detailed visibility into the network and context that EDR, XDR, and SIEM lack. Our threat hunting team knows what to prioritize and how to kill it. That’s what hunters do.

So, good for the folks at SC Media! I look forward to reading the rest of their ebook. In speaking recently with the Gartner analysts, we expect they will be reinforcing many of the same points in their upcoming revised MDR Market Guide too. The reason you want an MDR provider is for the quality and experience of the people you will be working with, not just another technology. So, if you are considering Managed Detection and Response services (or want to upgrade from your current provider), please give us a call today at 1.800.864.4667. We’ll be happy to show you what outcomes a real MDR provider can provide your firm.

Cybersecurity Law Report Includes PacketWatch Expertise


Ten Cybersecurity Resolutions

Michael McAndrews, PacketWatch Chief Technology and Security Officer, was interviewed by Jill Abitbol from Cybersecurity Law Report for her annual “Ten Cybersecurity Resolutions for Financial Services Firms” article.

The article talks about how companies in the financial services sector are a natural target for hackers given the value and nature of the data they manage. It then dives into a number of steps firms can take to mitigate risk supported by interviews with prominent cybersecurity and law experts.

The other firms represented in the article are:

  • ACA Group
  • Debevoise & Plimpton
  • Drawbridge Partners
  • Proskauer
  • Sidley Austin LLP

“When an incident occurs, if a plan has not been practiced, it can be chaos.”

– Michael McAndrews

The “Ten Cybersecurity Resolutions for Financial Services Firms in 2023” article offers ten resolutions for financial services firms, which also apply to many other companies, to help improve their cyber defenses in 2023.

The article is available to Cybersecurity Law Report subscribers. New subscribers may request a 2-issue free trial subscription.

About CSLR

The Cybersecurity Law Report is an information service that provides business analysis of critical legal issues related to the cybersecurity, data protection and data privacy challenges facing entities across industries.

Each Report contains practical, plain-English guidance on compliance strategies and best business practices to assist outside and in-house counsel and compliance professionals with the dynamic issues unfolding in this area.

There’s Your Sign.


Tools don’t Save the Day, People Do.

Swinging Pendulum

I think you’d agree with me that the pendulum swings too far in one direction sometimes. Over the past decade, we’ve watched the security pendulum swing from one tool to the next: Next-Gen Firewalls to Next-Gen AV to SIEM to EDR to Cloud to AI and now to XDR. While all these tools have been helpful in some regard (some more than others), you may have noticed the security problem has only worsened. A tool is meant to empower a human being to perform at a higher or more efficient level, but only if it is properly configured and monitored.

Here’s What I Mean

“On 31 March 2021, the HSE’s antivirus software detected the execution of two software tools commonly used by ransomware groups: Cobalt Strike and Mimikatz, on the patient zero’s workstation. The antivirus software was set to monitor mode, so it did not block the malicious commands.”

– Excerpt from Conti Cyberattack on the HSE Independent Post Incident Review

Consider this stunning example found in the Independent Post Incident Report covering the 2021 Conti Ransomware attack on the Irish Health Service Executive (or “HSE”). [Hats off to the HSE for releasing it to the public.] The massive breach at the HSE disrupted the operations of some 4,000 locations, 54 acute hospitals and over 70,000 devices. Turns out patient zero was infected by a simple phishing email with an infected Microsoft Office Excel document.

Any good antivirus should have stopped it at that point. Two weeks later the antivirus tool alerted that Cobalt Strike and Mimikatz had been executed. Yikes. The execution of two well-known penetration testing tools should have been stopped by the antivirus and set off the equivalent of a ‘Mariachi Band’ in the SOC.

They didn’t have one. However, the report goes on to say that the antivirus tool was deployed in an ad-hoc fashion (i.e., not thoughtfully) and was configured only to monitor, not block. Plus no one was monitoring it. Ouch. There’s your sign! Their tools were useless without the proper people to architect, configure and monitor them. The event cost the HSE an estimated $600 million.
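A defender-side check for the two failures this passage describes, added here as an illustrative example rather than anything from the HSE report or PacketWatch: it audits antivirus alert records for known attack tooling that was only logged (monitor mode, not blocked) and for alerts nobody acknowledged. The alert records, field names and the one-hour acknowledgement window are constructed assumptions.

```python
"""Audit endpoint-protection alerts for the two failures the HSE review
describes: detections that changed nothing because the tool sat in monitor
mode, and detections of known attack tooling that nobody looked at.
The alert records below are constructed samples, not HSE data."""
from datetime import datetime, timedelta

# Tool names cited in the post; a real deployment keeps a fuller watchlist.
HIGH_RISK_TOOLS = {"cobalt strike", "mimikatz"}


def parse_ts(value):
    return datetime.fromisoformat(value)


def audit_alerts(alerts, now, max_unacked=timedelta(hours=1)):
    """Return {'not_blocked': [...], 'unwatched': [...]} of alert ids.

    not_blocked: a high-risk tool was seen but the action was not 'block'
                 (monitor mode), so the detection changed nothing on the host.
    unwatched:   a high-risk alert was acknowledged later than max_unacked
                 after it fired, or never acknowledged as of `now`.
    """
    findings = {"not_blocked": [], "unwatched": []}
    for a in alerts:
        if a["threat"].lower() not in HIGH_RISK_TOOLS:
            continue
        if a["action"] != "block":
            findings["not_blocked"].append(a["id"])
        seen = parse_ts(a["acknowledged_at"]) if a["acknowledged_at"] else now
        if seen - parse_ts(a["ts"]) > max_unacked:
            findings["unwatched"].append(a["id"])
    return findings


# Constructed sample alerts in a hypothetical flat export format.
SAMPLE_ALERTS = [
    {"id": 1, "ts": "2021-03-31T09:12:00", "host": "ws-patient0",
     "threat": "Cobalt Strike", "action": "monitor", "acknowledged_at": None},
    {"id": 2, "ts": "2021-03-31T09:12:05", "host": "ws-patient0",
     "threat": "Mimikatz", "action": "monitor", "acknowledged_at": None},
    {"id": 3, "ts": "2021-03-31T11:40:00", "host": "ws-0042",
     "threat": "Mimikatz", "action": "block",
     "acknowledged_at": "2021-03-31T11:55:00"},
    {"id": 4, "ts": "2021-03-31T12:00:00", "host": "ws-0077",
     "threat": "Adware.Generic", "action": "monitor", "acknowledged_at": None},
]

if __name__ == "__main__":
    # Audit run two weeks after the alerts fired; ids 1 and 2 are flagged twice.
    print(audit_alerts(SAMPLE_ALERTS, now=parse_ts("2021-04-14T09:00:00")))
```

Alert 3 shows the healthy path (blocked and acknowledged within fifteen minutes), while alert 4 is ignored by this check because it is not on the tooling watchlist.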

Experienced People

I like the first recommendation listed in the report: “Appoint an interim senior leader for cybersecurity (a CISO) who has experience rapidly reducing an organisation’s vulnerability to threats and designing cyber security transformation programmes.” I read that as a polite way of saying: Get someone in here who knows what the hell they are doing!

In other words, the security pendulum needs to swing back towards experienced human beings. We need to focus more on making more experienced people! Tools can never replace them. If you need some experienced human threat hunters to help you ensure this doesn’t happen to your organization, give us a call at 1-800-864-4667, or reach out via our Contact Us form.


PacketWatch Article Published on Law.com


So Where Did the Leak Come From?

PacketWatch CEO Chuck Matthews collaborated with Jeffrey Dennis, a privacy and data security expert from the law firm Buchalter, to write an article that explains why it is more important than ever to address data security in detail from the start of new vendor relationships.

The article describes a recent client case where sensitive information was leaked to a dark website, but no data breach was found. A vendor was likely the target of a cyberattack, but they refused to cooperate.

The article shares several components that should be included in a vendor agreement data security addendum. These representations, warranties, and covenants could have prevented many of the headaches the client experienced.

If you would like to learn how to protect your organization from a similar fate, read “So Where Did the Leak Come From? Settle Key Data Protection Issues With Vendors Before a Crisis” on Buchalter.com or Law.com (requires registration for a free account).

If you need assistance with any of the recommendations in the article, please contact us for assistance.

“Common sense provisions should be ironed out when starting a relationship with a vendor, not in the midst of crisis.”


Lawyers for Civil Justice | 2022 Fall Meeting


Who’s Discovering Your Discovery?

Our Chief Technology and Security Officer, Michael McAndrews, is a principal speaker this week at the prestigious Lawyers for Civil Justice 2022 Fall Meeting in New York City. Other scheduled speakers include federal judges Robert Dow, Jr., and Robin Rosenberg, and former U.S. House Ethics Committee Chairman Charlie Dent. The meeting runs from November 30th to December 2nd. Twice a year LCJ assembles nationally recognized policymakers and practitioners, including members of Congress, distinguished judges, and other opinion leaders, to discuss the latest developments in civil justice reform.

Michael’s session is “Who’s Discovering Your Discovery?” He’ll provide a tour of the Dark Web and show the audience what they need to know about how it exposes confidential information exchanged in civil litigation. There are a few other sessions throughout the day discussing the importance of cybersecurity and privacy during the civil discovery process.

The organization’s membership includes over 60 law firms and 25 corporate members. Corporate attendees this year include Google, Microsoft, AstraZeneca, CVS Health, Johnson & Johnson, Walgreen Co., Bayer, Campbell Soup Company, Chubb, Comcast, ExxonMobil, Toyota, Walmart, and many others.

“Law firms and healthcare providers are enticing targets at the moment because they hold so much confidential information.”

– Michael McAndrews

The audience was introduced to the way the Dark Web works—it can be eye-opening and a little scary for most law-abiding citizens. Michael walked them through:

  • How Tor and the Tor Browser work
  • How people remain anonymous on the Internet
  • How ransomware groups extort victims
  • How confidential information gets posted on the Dark Web
  • How contraband is sold through Dark Net Markets

The primary takeaway was seeing how quickly and easily criminals can capitalize on stolen information. Securing data is hard work. Enterprises invest heavily in people, processes, and technology to keep their trade secrets, proprietary information, and employment records safe and out of the hands of criminals. But once a judge requires that it must be shared as part of Discovery, the security of that data is now in the hands of multiple, smaller organizations (i.e., law firms). Criminals know their job just got easier—the defenses likely won’t be enterprise-grade, and there are more people to target (phish).

If you are in New York City for the conference, be sure to stop by the session on Thursday or reach out to Michael on LinkedIn if you want to connect in person.