Chris Cheyne, SOC Director and CTO, SecurityHQ
Chris Cheyne, SOC Director and CTO for SecurityHQ, is responsible for operating six global Security Operation Centres, and specialises in threat hunting and intelligence, EDR, SOC monitoring, behavioural analytics, SIEM and more.

As a Global MSSP that detects and responds to threats instantly, how is SecurityHQ making a difference in the Managed XDR Space?

There is a lot of confusion about what XDR, MDR & EDR imply. SecurityHQ’s approach, in terms of making a difference, is to not get pigeonholed between terms. At the end of the day, it is Managed Defence, meaning we are here to defend our customers, to provide a service that incorporates several different core components.

The first element is around visibility. When we talk about what goes towards Managed Defence, it’s really looking at gathering data from multiple sources. This includes events from your Cloud environment, on-prem environments, firewalls, endpoints, and enriching that with network analytics data. This is where we look at network flows, the application layer traffic, and decipher the anomalous nature of traffic, and enrich it with endpoint telemetry.

Our model allows us to bring our own flavour of those elements. If the customer has their own choice of next generation endpoint solution, they can bring their own licensing, which we can adopt. Otherwise, we bring our own.

In terms of responding to threats instantly, this problem is beyond human scale. We need to have humans orchestrate the machine, to allow rapid triage and response. When an event is detected as an anomaly that transpires to be an incident, we can quickly correlate it, contextually enrich it with additional data from threat intelligence, and within seconds determine if it is a true threat. With SOAR capability, response to stop, block and isolate accounts is instant.

In your interactions with leading companies, what sense do you get of the challenges they face in the Managed XDR Space?

Complexity is an issue. With a rise in the need for cyber security, there are less mature/experienced organisations coming into the market. Technical buzzwords and marketing campaigns make the latest silver bullet more confusing by the day. And while services may have similar names, few are the same. The most common mistake is going for a service that is either too vendor-led, or an alert management service that drowns you with issues that you have no capability to solve.

Please cite an example of how you have enabled clients to overcome hurdles.

The biggest move right now is cloud adoption. Customers think that by migrating all their services to Azure, AWS, any Cloud solution, that their security requirements are covered. That is not true.

With many services (SaaS or PaaS based), you need to understand how to get that data out of there, and what that data means in terms of correlation, analytics, and detection. Cloud adoption, and the use of highly containerized environments, is where we provide a lot of expertise. We design use cases around customers’ specific environments, and support them in understanding their cloud environment, what’s hosted, what’s published, and how it’s accessed.

What are the differentiating factors that give you a competitive edge?

We offer bespoke, customised, and tailored services. We are not just a big machine; the people behind the wheel help you build, tune and tailor to your requirements. Our SHQ Response App is accessible day and night, from any location, and most customers are on first-name terms with specialists, ready to answer the phone 24/7.