KPMG Managed Detection and Response

Critical capabilities to deliver effective MDR

Microsoft and KPMG Managed Detection & Response Webinar

Live date: April 12, 2022

Emmanuel Bernal, Microsoft

thank you so much for introduction so my name is Emmanuel Bernal I'm a global cloud solution architect within the partnership system organization with focusing security and today also I want to introduce the Charles Jacco Principal KPMG Cyber Security and Services and Tarun Sondhi Principal KPMG Managed Services from campaign video that will be delivering together this webinar and on today's Microsoft webcast delivered jointly with KPMG, we will provide insights

into the critical components of an effective manage detection and response

MDR solution with emphasizing on mitigating dual time managing

data sovereignty utilities utilizing managed services and the value in this case of a Microsoft platform and I want to highlight this because together with KPMG we are accelerating digital transformation across industries by bringing the latest advances in cloud AI and security to highly regulated workloads in tax audit and advisory qual from KPMG LLC of Microsoft bringing a very important message on how jointly this technology is helping us on security in a specific world as mentioning of tax audit and advisory so in in this case I want to start with kind of Charlie to explain more about KPMG.

Charlie Jacco, KPMG

Yeah thanks Emmanuel um so it's probably good to start out with you know what you know what is cape of KPMG from an advisory perspective and what do we really do globally right now and you know it we are we're growing like a lot of uh the cyber security practices out in the uh industry right now and uh we do uh have over six thousand going on seven thousand professionals globally uh but we are truly global you know well we've got you know a large practice in uh the U.S. North America and Latin America we also operate uh in Europe uh in in Asia pack in Australia um so we really are bringing that global like 24x7 support uh for really all of our engagements and we really are trying to think through a different model um that is both human-centric but more in an automated fashion and approach to cyber security and that's really why we've partnered with Microsoft on this endeavor here and we'll certainly get into our managed detection and response capabilities and how that ties to our core uh cyber capabilities but um you know as we think about this it really is a partnership with Microsoft that we are leveraging globally uh that we are bringing to our customers now um you know we think about this by you know organizing the human touch right around managing text and response and while it's important to understand that um you know yeah there's a global team we wanted to do something that was more than just the traditional MSSP approach which we felt was um very focused on really level one alerting uh triage and that takes well a lot of humans to do and you know together with Microsoft we've really been able to think about how to get that human touch together but bring technology and automation to it so that we can provide something beyond just alerting support and really think about that 24x7 monitoring think about threat hunting and think about incident response and again it's all about reducing dwell time and um it's important to tie together that human touch with the technology um so Emmanuel maybe you want to talk a little bit about you know how we thought about that from a Microsoft perspective and how you guys think about the technology side of all of that

Emmanuel Bernal, Microsoft

Thanks Charlie and I totally agree with you we're still being in the phase where we need to enable human factor human actions with machine learning with automation right so it's on security is part of this whole platform what makes things easier to the operations team to the IT team based on integration of different technologies threat intelligence when I talk in specific about the value of the cloud in this nowadays it's about threat intelligence it's only going to the cloud to make things easier it's how we can leverage the threat intelligence on these cases and unify with these methods that you're developing the security orchestration everything it's all together and their last but not least is the visibility that we need to have in all the areas right so that's why we're  saying our quotes enabling human action and result right because we are giving the tools we are giving everything to facilitate things and resolve right based on different frameworks and totally language KPMG is doing about thread counting monitoring is really connected what we can leverage in high amount in the cloud basically these three points thanks Charlie.

Tarun Sondhi, KPMG

Thanks Emmanuel when we think about the uh the capabilities that we want to bring to market there is a set of discipline and a structure that we want to bring in from implementation to how do you operationalize and provide 24x7 support and then through that optimization how do you leverage the right technology this discipline and structure are things that you want to continue to make sure that you evolve as the threat landscape changes as your technicians and your core analysts want to work a little bit differently to face off with threats that are being discovered in a client's environment so this constant maturing contracting and expanding of your operational team uh cannot be done just by sure you know sheer strength of those people you want to be able to layer in the right tools and using those tools to be able to continue to bring operational efficiency lower the amount of time our practitioners and our technicians are taking using the tools let the tools do the work and inform those analysts uh so that they can take but you know use their cyber IQ in order to respond to it so Emmanuel you want to talk a little bit about the technology that's available through Microsoft Sentinel.

Emmanuel Bernal, Microsoft

Yes Tarun so as you know security is a continuous integration development so we work on that on that spectrum that we were talking before about trade intelligence and in the previous slides so it's connected the frameworks that we have worldwide everything that you're working from the implementation perspective in the Microsoft cloud it's a continuous integration and development so it's  if you develop the solution you need to continue uh with the updates with a specific framework that will help you to be updated in security areas nowadays the second one is automation right for in a specific we need help from automation as well so these are patterns that we already know behaviors that it's already established in organization and we can leverage automation so automation so we will have a lot of savings on time and costs based on that so that will help us we don't need to rely as you mentioned everything on automation but it's really 50 percent of the job that we can leverage and continue based on all these four areas in specific for operationalization that keep KPMG is doing rely on automation for this task the other is machine learning right based on those topics that we can leverage those types of scenarios that will help us to understand be updated with the CBS everything on that perspective and at the end artificial intelligence will be connected with your source well right a lot of that is connected to this based on the cloud that will help you to optimize processes detect and respond immediately right in less time than other areas that we can leverage the security on this type of scenarios so in this case I want to talk about the modern security operations so it has been a really a good topic about I want to show you a specific how we're moving on that connection that we were talking before with modern security all operations of Secops right the modern Secops that we were talking so this is a framework that it really connected with what KPMG is doing about detection and response right bringing together all the benefits of Microsoft and the MDR solution that you have it's really connected to this so you're moving through the modern security operations that's the reason I want to highlight this slide and this architecture because it's really important how you can have a broad enterprise view from that specific task talking about the cm thread intelligence so everything that we were talking before you can connect this with the framework modern security operations so you are doing current modern security operation at this point and you will have your deep insights as you were mentioning raw data that will help you in different perspectives and be more agnostic and holistic on security as you can see on detail who are bringing the network the IT identity everything together so we can extend the detection and respond not only in one area not only one product so we will have this connectivity as we were highlighting before about the single platform and single integration about this case and then it's connected to the message Charlie and a room based on the automations or incident responses everything here so everything that I want that you mentioned is connected here in a framework that you want to align the mission and continue to improve base on responsiveness and effectiveness that we talk and again connecting with the human operators as expert assistants that we have and this is a this is something also connected to me to the privileges they converting tools and data based on these security modern operations because it gives you a single portal experience that's really good so it's a feedback from the field that we need to work more on that and now you can have this single portal experiences with Microsoft 365 defender with incidents investigation on trade analytics and then creating this connection with sentinel so that's really cool what you were mentioning about the solution connecting that that's the reason you will see that from that perspective playbook for automation so you can orchestrate remedy that have your specific silos of areas that you can map and have organized based on security and the semantics and meaning right what is an event what is an alert what is an incident an incident can have many alerts so that's something that also we are working from the security operations it's to create the semantics and meaning from different perspective you have been looking at our roadmaps where updates on the product and all most of the solutions are converging and are having a correlation and property or orchestration from the defender perspective and at the end you will have different signals right different signals from different points of view different blocks of agnostic and holistic security points of views on the organization that its identity employee email applications and others that you can have these unified identity definitions based on different patterns like machines emails and you can correlate at the end so that's the reason I want to highlight these slides because it's how modern security operations is converging in different tools and data and how we can you are bringing together this with MDR solution as well

Tarun Sondhi, KPMG

Yeah thank you Emmanuel for walking through the technology you know at the end of the day we wanted to listen to  our clients to understand when there is so much technology available capabilities available what are some of the challenges that they're facing and how do we bring those two things together if you will and solve for those problems and I think the first one that you see on the left-hand side on the top left-hand side is really that speed of business being able to work at the speed of the organization meet the demands from their increased cloud adoption to how they want to interact with their customers and at the same time they want to make sure that they're securing and managing their data their IP and their customers data as well to things like high value threat intelligence we've heard the term threat intelligence for so long for almost two decades we've talked about threat intelligence but how do you take that threat intelligence and convert it into actions what does that actually mean for me as an organization as a technician as a practitioner of from an analyst perspective how can I use that context to drive better decision and find the adversary I want to read through the rest of the kind of things that you see under the capabilities but at the end of the day our clients are looking for ways to make sure the data isn't leaving and in particular with new regulatory requirements around the world that require data sovereignty for the data or any data that's originated in that country to stay within that country and not leave the boundaries of that or that our country itself we're going to continue to see more and more uh countries out there are going to require that that the data must remain in there especially that they want to safeguard PII information and so on getting better security visibility to be able to understand what end to end really means and what is too much data and what is sufficient data to be able to drive the right contextual behavior uh of an adversary and kind of optically bring that to the forefront so our practitioners can take action on it or the tools can take action on it at the end of the day you know where we find our clients kind of raising their hand and saying look we have a problem we want to solve for that the issue really comes down to the lack of resources I think there are a number of different numbers out there that talk about we are in deficit of 24 percent 36 percent uh deficit of security practitioners to available jobs that are out there you know that problem isn't going to go away so how do you optimally use the technologies manual that you talked about a capabilities the instrumentation of those threads at its optimal state using the right technology and you use your security practitioners for the things that we need them for which is to really analyze the information that's been presented to them and make that judgment if this is an adversary that is uh causing harm or are these insider threat types of malicious activities that need to be brought up and taken action against so Charlie if we can go to the next slide when we listen to our clients looked at the capabilities that are available by Microsoft particularly with the Microsoft sentinel product we thought the best way to be able to solve for all those problems of climb problems that are being presented and also leveraging a leading technology like Microsoft sentinel the things that you see on the left-hand side are methods and in order to power those methods we leverage the technology to again instrument those threats bring them up to the analysts almost have furnished information so that the analysts can take do what they do best which is to exercise their cyber IQ to be able to go on this kind of quest of discovery um and be able to go out and listen to the information that's being provided to them so they can take action on it and make that judgment uh if this is a malicious activity that requires attention you know the things that you see on the left-hand side reduce mean time to acknowledgement reduce mean time to remediation or detection these are all operational metrics what KPMG has done is really thought of these metrics a little bit differently and said look these metrics help us drive how much staff do we need how much more automation do we want to create and how quickly can we find threads but the ultimate unit of measure to us is dwell time this is how long has an adversary been in the environment before they are eradicated or caught and that is a something that we have an obsession over that everything that we look at whether we want to look at how to optimize our practitioners or optimize the tools and the instruments or the apparatuses that are being provided to them to use how do we optimize that to reduce that adversary dwell time ultimately we believe that that's the single unit of measure that allows an organization to demonstrate that all the investments that they have made is paying off because they're able to find the adversary kind of this concept of shift left has been a hard problem to go after and we're working together with Microsoft sentinel technology to be able to move our organizations to shift left go before bang as much as we can find those secondary and tertiary indicators those early signs that something is goofy something is going wrong that deserves an attention and for us to be able to block that particular adversary from causing harm if we can go to the next slide Charlie so we took the capabilities as we talked about uh earlier which is how do we deliver those types of services all those are methods right we talked about cyber hunting being able to instrument and using the threat intelligence to curate uh unique indicators of compromise or unique context but in order to be able to deliver that to our clients we came up with a unique model that allows us to be able to work with our clients using their Microsoft Tenant Microsoft Sentinel tenant without any data ever leaving their organization and coming to us so you heard earlier I talked about how countries different countries out there are restricting data or they're putting a particular challenge for organizations to make sure that any data that's created there stays in that

 country and never leaves and so the idea around this architecture which is very unique to the way that KPMG and Microsoft work together on it allows for that data to stay in the client's uh tenant in the Microsoft tenant and we are able to synthetically log into our clients environment multiple client environments and manage and detect different threats that are occurring now one question that you may have is this all about Microsoft technologies no we are we obviously have some really neat ways that we can leverage the core capabilities of Microsoft native applications and native tools such as Microsoft defender uh and defender for identity o365 uh atp and so on there are some very unique capabilities that are available for that but we don't discriminate against any log source whether you're using a different technology a firewall or another sim we're able to connect those together but bring all of that into a single view so that we can instrument that thread in a very unique way and be able to uh respond to those activities very quickly uh a lot of a lot of our quest when we went out looking for capability to deliver MDR we looked at different technologies but ultimately we settled on Microsoft sentinel particularly because it was one tool that all the capabilities all the ways for us to automate to create efficiencies to bring a single kind of view of activities that are occurring in a client's environment this was one tool that had all of those natively uh and that to me was great because I can spend less time in engineering and maintaining APIs and connections to different tools and I can really force my investment in the people that matter most to our clients where our clients see the value is really around the analysis of the uh of the threats that we're seeing in a client's environment so that's why we chose Microsoft sentinel it gave us a unique way to deliver uh to our clients and Charlie if we can go to the next slide please so Emmanuel I think you're going to walk us through uh the threat intelligence

Emmanuel Bernal, Microsoft

Yeah, thanks to connecting the message for our credit intelligence and it has been a good topic about security so everything that we can bring to the

 solutions that you were mentioning right on the right side of the slide a lot of solutions that really focus with different areas of security but here it's how we can leverage in all our solutions the threat intelligence of Microsoft right so it's not only about your you were mentioning ask about different customers that hey I have my own patterns my own behaviors training intelligence and also we can connect that with ours but here is the detail about how we can leverage the Microsoft intelligence in all time right and most of our solutions are gathering these different sign ups thread fits an original research that you will see on the on the detailed light and with a lot of sign-ups right you will see millions trillions right now that we are bringing it to the cloud every day I can set every single second a minute so we're bringing whatever it's happening around the world not only in your area and only on the on your industry so you need to feel secure that we are bringing 24 trillion signals daily and that will increase the next month the next week so that is connected with all our machine learning everything that we were talking before is there right so how we are bringing the product and we call it in the technical world the telemetry that we are giving to all the customers in Microsoft cloud services and products and it's what is now the telemetry in the past but basically it's a the thread intelligence that we're bringing based on that and one important thing to highlight here based on your previous comments around the customer intelligence that we can also bring together and put together on sentinel that you will mention different signals different sources that we have everything together so this creates more effectiveness when responding to specific a thread or beam also to prevent or having more certainty what is happening if it's good or not I will have more data that it's helping inside Microsoft and with this uh we have all the telemetry in that and we start doing predictions actions and that's where all the machine learning ai is working here it is right it's more in detail that I was previously talking about so all the data collection analysis things Charlie that it's connected to every single product and then we're stand doing this behavior these parents and this will help you all the time to realize new discoveries and you were mentioning about uh focusing on other tasks from the security perspective not only responding not only being aware of threats you can start using to the develop new solutions that will help you new discoveries in your organization that products that you are working on that make data available and also with the great use of apps to access these results and have this correlation and then it will generate that with fits back into system for example right so it's a cycle that really helps us to understand better and again as you will see on the live humans right thread contents engineered data scientists are more it's not only or machines working behind third intelligence we have a lot of areas inside Microsoft that are working and a lot of engineers a lot of prepared people jedi teams as we call it that are really focused on any specific world to develop the threat intelligence and bring it to you with the best behaviors with the best collection normalization analytics so it's connecting again human and machine factor right based on these benefits that you will have from the inside view of thread intelligence thanks Charlie and I want to connect to that message I want to talk about the this I know we have been running in in a really tough year about ram somewhere in around the world and we have this pattern called the human operating ransomware right so right now it's really a putting organizations in high alert if they don't have specific solutions but it's more assisted by scripts and malware but they are human operators at the end so imagine attacking through a big technology like a solution they develop on the cloud specific malware they develop on a big system so now we want to put this a how is connected to our defender solutions and how KPMG is doing that based on the framework so it's connecting the these this specific ransomware that people are doing and how will be the at the end the human attack operators right so as I was mentioning right now is not doing only attacks from a machine right from my own computer I’m creating the attacks coming from a data center as an examples and they will try to go with the organization and buy access who did like a kidnapping the servers right and say okay you need to give money I can put this data so right now we need to make awareness about how big it is right and then when these attackers gain access to the organization how they traverse and spread not only the specific server to specific credentials specific email they will go with all the data right they start traversing based on all the specific solutions that we have because this is the combination of human attackers with high level technology that they are using big servers big amounts of queries dos so we need to make sure we are aligned with these based on signals and not everything can be an attack but maybe we start to see something and we were trying to explain before about the discoveries the new discoveries that came maybe from a dos and that can be the point that we need to discover or make sure that we are aware what is coming right and at the end they will execute objectives right based on the framework that a Charlie show in traverse and spread execute objectives and then the end they will do the extortion right as I was mentioning before right so give me money and we need to make sure we don't get to this point so it's a very good point because it's really our telemetry intelligence is working really on this on this type of human operating ranger that we want to want to have and with this MDR solution you can have everything from that perspective and have this detection prevention and response from this specific and then be prepared prevent that and in case we don't want to react as Tarun and Charlie were mentioning at the beginning these are um some examples that have been from the human operated rams somewhere but really heavy nowadays right

Tarun Sondhi, KPMG

yeah thank you for that Emmanuel I think you know you had some core points there particularly how do you bring in the right thread intelligence information the telemetry of different uh sources of insights that are being generated we believe that there is you know this this kind of road map that we're depicting here takes us for more uh where an analyst is starting to exercise its curiosity looking for information to there's  a journey a clear path that we see towards more predictive or autonomic uh security that kind of self-healing self-discovery and being able to resolve things as it's learning ai is at the center of it machine learning is at the center of it and through this composite of different data different telemetry different insights we're going to continue to see better uh behaviors being put together and being predicted by the analytics machine and for that we need a lot of cross-functional data and I think there's been different terms being thrown around for a number of years now such as fusion cross-functional and so on but there's a journey we know clients are across the spectrum somewhere they pick a particular path on where they want to be as part of this kind of security maturity if you will from a modern stock operations perspective because there's a balance that you want to be able to keep you want to be able to invest based on your particular risk profile your risk appetite and what we are able to do together with Microsoft is be able to traverse this entire spectrum and take our clients to either more of a predictive and autonomic side of security to uh maybe still staying within the inquiry mode the more discovery and looking for information uh and that kind of a maturity side of the business but wherever you are in this particular journey um KPMG is here to help particularly with our managed action and response capability and also our transformation to help you implement these different tools optimize those tools and we can run that on your behalf I think we're coming to a time where we want to take a quick pause and uh open it up for questions Charlie is that is that next

Charlie Jacco, KPMG

um I know there's a little bit more content to room but I think we're starting to see some good questions in the chat you know the first one I saw was around um non-Microsoft connections and um you know I think Richard you know posted some kind of standard you know connectivity’s that are you know that are available in the Microsoft store I think we talk about some of the stuff that we've created as well as additional ways to connect outside of but maybe some real examples the Splunk’s to follow out those of the world type discussion

Tarun Sondhi, KPMG

Sure no it's a great question we get that quite a bit ultimately like I said earlier we don't discriminate against any type of log source whether it's coming directly from a sim we're able to extract that data bring it into Microsoft sentinel process that information using other sources of data or other telemetry that we want to bring in where we can uh you know it's our recommendation that that we get the data uh the logs if you will or any other types of information that we want to bring in directly from the source into Microsoft sentinel so it's unadulterated there's no change made to that data uh that way we can look into that information a little bit deeper and get in uh get the optics that we're looking for from it um so that's  an example of a sim technology like Charlie mentioned whether you're using Splunk or anything like that I think a natural next question would be well if I already purchased a sim I've invested in that what can I do with that um you what we recommend one of the things that you could consider is to turn that more into a log management system where you store your logs based on any regulatory requirements that you may have or compliance that you want to be able to meet and we can we can leverage Microsoft sentinel for maybe up to 90 days of data we don't find that many use cases that fall outside of 90 days that you need to keep that data hot you can put it into warm or cold storage after that and we can always play that back if we need to go find patient zero but technically speaking these are all ways that we can bring in the information we can convert you existing tools into other tools other capabilities such as you want to do some dashboarding and bring in some information to drive more business types of behavior understanding and so on um and also the same thing goes for non-Microsoft technologies whether it's an endpoint uh or a firewall or an ids and ips sensors uh there is out there connectors I think uh somebody's already made the comment uh Richard diver's already made the comment that there are connectors that are already available and when there isn't a connector available we have an entire process and discipline by which we can build a custom connector and bring those that the data that we need in order to do our job or basically hydrate the use cases yeah that's good um we were spending time earlier talking about yeah

Charlie Jacco, KPMG

We spent some time talking about dwell time and we started to talk a little bit about the response side but you know as a true managed detection and firewall response offering maybe spend a little bit of time talking about the part um and how we maybe differentiate a little bit than you know maybe some of the more traditional MSSPS out there

Tarun Sondhi, KPMG

Yeah, it's a great question so um we have taken I think it's close to about 300 different use cases that are available uh natively within Microsoft Sentinel and then we added some more use cases to it as well so let's just call the number 350. not only do we take those native use cases that are available within the tool and added stuff to it but we've gone through every one of those use cases and written out play books and run books in addition to that we're able to now create a lot of automation using again the native capabilities one of the amazing things about Microsoft that we liked is that everything is needed I don't have to bring in another tool uh in order to do sore types of capabilities now uh dwell time a key unit of measure that we talked about earlier and the obsession that we have around it is to be able to reduce the dwell time so in order to reduce it you have to move at lightning speed to create those response actions now where we can um there's really kind of two channels or two modes that we think about one is a fully automated mode these are things and actions that we can automatically take on our clients behalf that we believe are benign activities such as um if let's just say there's an infection that's found in Tarun’s laptop can we force a restart or Microsoft defender can we force it to update its signature those are benign activities that won't really stop me um from doing my day-to-day job we recommend those things to be fully automated even things like if we have convicted a particular IP or URL as malicious go ahead and add those objects into your firewall to block that activity until we can manage any type of malware that's in a machine again that's a benign activity that really doesn't stop a user from doing day-to-day stuff now it may turn out that that IP isn't malicious uh we can always reverse course on it and again all of that is fully automating so now think about this um if we were depending on humans to take that action it will go from the security team that case would go from the security team to someone in it and I t will take an action on my particular machine in that example of the malware that exists on my on my laptop and that may take hours if not days could be weeks before they can get around to it depending on the size of the organization and also the criticality of that malware using uh automation and store capability we can get to it in seconds and especially those that we have pre-agreed with the clients these are fully automated actions that don't require uh permission from you because they're benign in nature and we both parties agree on it uh we'll go ahead and do that the second path or second mode is a semi-automated mode these are fairly invasive techniques such as dropping someone into a plan and putting them in a penalty box until someone can take action on that particular machine or do some more investigation or kicking them off and completely or forcing a password reset now you know some of us may think but that's really not that big of a deal but think about a clinician in a in a hospital that needs access to that to that to any machine if you will access to their ad to be able to do their job that's a fairly invasive maneuver it's warranted but we require a couple steps of approval to make sure that we do this they may not have access to their machine and it could be the right thing to do but those are again things that we will fully automate so it

doesn't require a human to make those changes or kick them off a d as an example uh and again after we get the approval it's within seconds that action is taken um there are other unique things that we do uh with the automation especially when you're bringing and fusing together different types of information to drive uh better decision making so hopefully uh Charlie that kind of covered some of the questions uh that was in the chat

Charlie Jacco, KPMG

It does I mean just one follow-on I mean all that's great but we kind of bringing it back to reducing dwell time like how we measure this right so maybe talk a little bit about some of the KPIs that we produce to make sure that we're holding ourselves accountable to exactly that that kind of time reduction

Tarun Sondhi, KPMG

Yeah one of the great things about the Microsoft sentinel platform is everything is transparent so everything that we do and actions that we take on our clients behalf from an MDR perspective are things that they can see behind the scenes so the KPIs we talked about earlier such as the operational KPIs of mean time to detection mean time to repair all that data is available and within the dashboard we actually built a custom bi tool uh that brings information about uh when was the source the first signal from that particular endpoint uh or you know any type of technology that we're detecting it on and so on uh any type of a signal that we receive from that endpoint that later we're able to convict as militias we're tracking all of that and presenting that in the bi tool so our clients can see um that data uh very clearly and make the appropriate decisions the other thing we've done is we've taken the moderate attack framework and the defend framework and wired in all our use cases all our content and our KPIs to start to show to our clients that not only is our detection effective and where there are gaps if they don't have sufficient coverages across a minor attack framework that will clearly get lit up on the board if you will and will show you as a green red yellow if you will that there are certain aspects of it that are missing that you should get coverage on and we're happy to demonstrate to uh any one of you that would reach out to us after this session we're happy to do a one-on-one demo to you and show you these uh these graphics that we have built up and the different KPIs that are available to start to show the dwell time the operational metrics and also threat metrics so these are things that you would take back to the board and say here's the effectiveness of our security spend here's the type of coverages that we're seeing again we're using minor attack framework as a core backdrop but it gives you a lot of information to tell you where you have gaps and where you need to improve on uh to protect your organization now does that help Charlie you think that's sufficient or cover some more

Charlie Jacco, KPMG

I know we're about out of time here there was a question around um you know how we think about pricing and scoping and uh just you know tying that back to an annual budget and how that kind of fails over time so we can kind of end with that one and then you know anything that comes in we can follow up offline

Tarun Sondhi, KPMG

Yeah that's a great question Keith thanks for asking that question so we have completely reframed the way that we deliver uh to our clients you know too often uh organizations go out there that provide this MDR service really come back to this idea of how many people do you need at what different levels what is the hourly rate what's the coverage that you need uh and I think those things have kind of they we've gone through the course of that uh and now we have we've brought in a new wave of thinking and original thinking around that that no longer really matters how we optimize our tools how many people that we need to be able to deliver the service should be the headache of the service provider in this case KPMG I take on that headache as a cyber managed services leader to make sure that there's enough staff available enough skilled resources available just having staff that are administrators isn't going to solve a cyber security problem and so you need core cyber security analysts that have the right mindset and they have the right cyber IQ in order to analyze information that's coming in so we take on that headache of staffing where we measure and work with our clients from a pricing perspective is really distill that down into very simple units of measure which is to think about the number of events that may get translated a number of alerts and ultimately a number of incidents per month and with and out of those incidents what is the probability of a p1 versus p2 and p3 we work with you on that and now a natural question will be let's just take for example you get about 100 incidents a month there's a value associated to that our clients are placing a value on that on the incidents because we're managing it through it well what happens in the next month that it becomes 120 or 110 or 90. you know we want to make this experience completely frictionless with our clients so we look at a 90-day trend historical trend to see are we trending in a pretty um in a kind of a flat way if you will one month it's a hundred another month it's 90 the next month is 120. look if the trend is flat and we don't see that much breaching against the uh the 100 incidents per month you won't hear from us again it's a flat monthly fee for the next three years that you pay as long as we kind of stay within those tolerances that we have established in our contract with you and that's it that's the only that's the only way that we charge our clients we don't break that down into uh worrying about how many people do you need what kind of shifts all that is our headache that we manage we believe that we have one of the best ways to be able to solve for that for our clients and make that experience extremely frictionless

Charlie Jacco, KPMG

Perfect appreciate that I think uh Paul where I think we're out of time here so I think we should probably wrap it up here and uh give me some people some opportunity to kind of follow up offline yep so I am showing the closing slide here um uh thank you everyone for joining in the survey link and the QR code is in the chat window I appreciate everyone submitting a short survey and any other final words from the speakers I'll let you say goodbye and thank you everybody and have a great day thanks everybody really appreciate it thank you thank you thanks everyone

Attendee Q&A

[4/12/2022 8:27 AM] Castro, Miguel

Will you be sharing a real example of the integration with non-Microsoft solutions with the KPMG MDR? Example Network/FW devices.

[4/12/2022 8:30 AM] Richard Diver (HE/HIM)

Castro, Miguel (External)

Will you be sharing a real example of the integration with non-Microsoft solutions with the KPMG MDR? Example Network/FW devices.

Hi Miguel, you can see details of non-Microsoft data collection here: Find your Microsoft Sentinel data connector | Microsoft Docs

Find your Microsoft Sentinel data connector

Learn about specific configuration steps for Microsoft Sentinel data connectors.

[4/12/2022 8:31 AM] Jacco, Charles

Castro, Miguel thank you for your question. I will bring this question up during Q&A and we can certainly share some examples

[4/12/2022 8:41 AM] Keith Brooks

How would a KPMG MDR - Sentinel be scope / priced for customers sensitive to yearly budget cycles?

• What are the key cost components – how does this scale within a planned budget?