An Interview with Ben McGraw, Cybersecurity Manager at Digital Guardian Part I
In part one of our Q&A with Ben McGraw, we discuss his journey to Digital Guardian, insights from DG's Analytics & Reporting Cloud, and what makes a good threat hunter.
Thanks for sitting down with us today. To start, can you tell us a bit about your journey to DG?
My career started as a programmer/analyst for a government contractor in the Northern Virginia area working and supporting projects for various organizations. I did that for four and a half years, but eventually decided I wanted to travel less so, I moved back to central Florida and started working as an IT consultant/CIS admin for a pre-employment testing company. I wore many hats, but I was primarily responsible for managing the corporate network and supporting IT operations. Including everything from firewalls to end-user support.
After seven years there, I decided I wanted to move on and started working on the threat team for a large contract manufacturer out of St. Petersburg, Florida. This is where I was first exposed to Digital Guardian’s technology, as my team was the primary consumer of agent metadata. We had an incident there early on and Tim Bandos (DG's Chief Information Security Officer) said, “I'll fly out tomorrow to help with the investigation.” That was my first experience working with Tim. A very impressive first experience. We kind of hit it off and I thought I'd love to work for him and DG. As soon as an opportunity came up, I jumped at it. I've now been with DG for four-plus years.
When you were working at the contract manufacturer, did you have positive experiences with DG? Was DG on your radar?
I had not heard of DG prior to working on that threat team, but had a great experience working with DG. The threat team used the endpoint metadata for incident response and user investigations as well as reporting metrics to support various parts of the business. Once I saw the visibility of the agent and the insight it was providing, I couldn't stop learning about it. I thought it was an amazing technology.
To me, personally, when I see a customer leave, I ask myself, have they even compared the technology to the competitor? Because, yes, there are aspects of other tools that are similar, but do they have all encompassing, end-to-end visibility, from system and user activities to interactions with or movement of data? All together it provides context for a complete picture.
And the context the technology provides...
The context really helps tell a story. Was it a user that initiated the activity? Or was it IT operations or development related? Where did the data go? All of the extra context was at the time mind blowing to me. I'd seen other products that generate endpoint telemetry similar to Sysmon, but they’re not quite the same. All of the data makes its way into our analytics environment, where we can pivot across it really quickly. Digital Guardian’s Analytics & Reporting Cloud, ARC, has taken it to the next level, in my opinion.
On ARC, have you found that having a larger data set has led to new insights? Does that help you make decisions faster?
Absolutely. If you're seeing something that looks sort of suspicious in one environment, being able to search across the managed service for similar or events that follow that same pattern is so valuable because you're able to determine whether or not it's common practice elsewhere or if it’s actually an anomaly for that environment. Then you can focus your attention more on the activity and decide, at a more granular level, whether it's a threat, IT related activity, or a process that needs to be modified on the company side. All of that context helps.
Taking a step back, if someone didn't know much about security, how would you describe your role? On the most basic level, what do you do at DG, and why does it matter?
Great question. I wear a lot of hats, but my primary focus or responsibility is manager of the MDR (Managed Detection & Response) service. So, this is protecting customers from any threats in their environment where our agent is installed. We will generate telemetry from an agent, which triggers alarms, and then my team reviews it. I’ll often review data myself, triage alarms, lead incident response or threat hunting engagements as well as notify customers of threats.
I am also on customer calls quite a bit discussing incident details, policy deployment, or helping to solve use-cases. There are various aspects, but my primary focus is managing the MDR team and delivering our service to customers.
Ransomware has been in the news a lot recently. How can DG's product and solutions help mitigate the threat?
We have a variety of detections focusing on each stage of a ransomware, or malware attack chain, everything from the initial entrance or execution stage of an attack to lateral movement or data exfiltration.
Ransomware and malware in general are always evolving to avoid detection and by focusing our detections at each stage of an attack, it gives us a greater chance to catch known and unknown threats.
If we broaden the scope of detection across that entire attack chain, we have a higher chance of stopping or disrupting the attack and it’s possible it won't progress to the point of encrypting the data. We have a variety of detections and controls mapped to the MITRE ATT&CK framework, most of which focus on tactics or techniques of malware in addition to indicator-based detection fed by threat intel sources.
In your experience running a threat hunting team, what traits serve someone well as a threat hunter?
What makes a good analyst or a good threat hunter, from an analyst perspective, is being able to ask the next question. You may not know the answer or what exactly is going on when you're looking at some telemetry or a problem you're facing, but it's about being able to ask the right next question in a series of questions that ultimately get you closer to the answer.
You also have to be able to go through that data and have that analytical mindset. You’ll run up against what you think is the solution or you think you have found the threat or maybe you can't find it. You're pulling every single thread and you just want to give up. I mean, there's a time and a place for cutting bait but ultimately, it's being able to ask that question, pull that thread, and rule it out. Ask the next question, pull the thread, rule it out until you find one that keeps going. So that is, to me, one of the biggest skills I look for, but that's a difficult one to gauge. When you're hiring, you don't necessarily see that right?
What we typically do is we provide a challenge to the applicants, and we leave it open ended, because we want to see how they perform and what type of presentation they’ll provide back. And then their analytical abilities will show through that particular challenge. We'll send them a forensic artifact, tell them to parse and analyze the data for anomalies, send it back to us for review. The process really tells us a lot about a potential candidate. Ultimately, having a strong analytical ability and being able to ask that next question is huge.
Check out or blog next week for part two of our interview with Ben McGraw!
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business