
Is an adversary lurking in your midst?

Discussion on proactive threat monitoring to help identify cyber adversaries and stop them in their tracks.

MDR, XDR, and ITDR are just a few of the buzzwords driving innovation and product development across the cyber landscape; they are also driving confusion and “analysis paralysis.”

Listen as executives from KPMG and Microsoft discuss how you can gain a clear understanding of what to detect and how to respond.

Peter Dorrington (ELN) (00:00:10): Hello, everybody, my name is Peter, and I am delighted to be the host for this webinar today. I’m joined by experts from KPMG and Microsoft. Now, we started a few moments early, but that gives us enough opportunity for people to continue to log on. But I'm particularly excited about taking part in today's webinar because not only are we living in a world which is very volatile and uncertain and complex, and goodness knows, we've got challenges coming at us from every direction, and that's in the normal world. But when we're looking at things that are going on in the field of cybersecurity, and different threat vectors from every direction, this is a really interesting time to be in the field. Anyway, enough from me for the moment. I'm going to do the housekeeping in a second, but before I do, what I would love to do is to ask our experts to introduce themselves. So, I'm going to start with Tarun. So, Tarun, if you wouldn't mind a brief introduction, please.

Tarun Sondhi (KPMG) (00:01:12): Hi, Peter. Thanks for that introduction. Hi everyone. I am Tarun Sondhi. I serve as a partner at KPMG, and I lead our global cyber managed services capabilities for the firm.

Peter Dorrington (ELN) (00:01:25): Lovely. Thanks very much. Tarun. And now Kelly, would you mind doing the same? Please.

C. Kelly Bissell (Microsoft) (00:01:30): Hi, everybody. Look, I'm pretty excited about being with Tarun and Charlie here because we've known each other in this space for so long. But I've been in this cyber space for 28 years and seen all kinds of things. At Microsoft, what I do is run their incident response team, the threat intelligence function of services, and then really helping our clients be safe with our products.

Peter Dorrington (ELN) (00:01:56): Perfect. Thank you, Kelly. And now I'd like to ask Charlie to introduce himself. Now I'm going to say Charlie is going to be the leader for our conversation today. So, Charlie, if you wouldn't mind, brief introduction, please.

Charlie Jacco (KPMG) (00:02:08): Thanks, Peter, it’s good to be here. So, like Tarun, I am a partner in KPMG's cyber practice. I lead our cyber threat management capabilities, which is really all of our services around defense, response and recovery. So, like Kelly and Tarun here, I'm excited, and we've got a lot of fun stuff to talk about here. Thanks, Peter.

Peter Dorrington (ELN) (00:02:28): Great. I'm looking forward to it. Now, let me get the housekeeping out of the way. So firstly, it's a webinar. You don't need to worry about your camera or your microphones, but that doesn't mean we don't want to hear from you. So, there are a couple of ways that you can do that. At any point during our webinar, if you're watching live, you can make a comment or a suggestion or an observation in chat. So, find the chat speech bubble. At any point, I say, you can make an observation or make a comment, but if you have a question, then use the Q&A tab, if you wouldn't mind. Now, I'm going to be paying attention to both of those, and what we'll try and do is leave some time at the end to answer as many of your questions as we possibly can.

I'm going to suggest we don't try and do those in the middle of the conversation because we may well answer it in the course of the conversation. So, let's save a couple of them up until the end, and I'll say we'll try and answer as many as we possibly can. So, use chat, use Q&A, ask questions, and share some observations, because when we all share as experts, it's a better experience. Now, you won't see me because I'll be off camera in a moment, but I'll be taking furious notes about this. But we are of course recording the webinar, so we'll send you details on how you can watch that on demand once the webinar has closed. So, if you don't catch everything, you will have another opportunity to go back over the material and then read that. So, the agenda for today: well, in a moment, as I said, I'm going to hand over to Charlie to lead the conversation with Tarun and Kelly. And whilst he does, I will go off screen. You don't want to hear from me, but then I will come back at the end of that and we'll deal with your questions. So, I'm going to be here, I say I'm going to be reading the comments and the questions, and we'll put those to our panel once I come back. Then we will have a very brief summary after the Q&A, just some of the key points that have come out of the conversation. Charlie will lead with a couple, I'll lead with some things that I heard, before I tell you what happens next, and we get you all away, and I promise we will not overrun the hour. So, we will get you all away on time. So, then it's my great pleasure to hand over to Charlie to lead our discussion. And whilst he does, as I say, I'm going to be offstage, but I will be back in a little while. Charlie, over to you.

Charlie Jacco (KPMG) (00:05:00): Thanks, Peter. So, thanks for being here all. Like Peter said, if you have questions, please do put them in the chat and I'll be monitoring those as well. So, you know, interesting topic today. There's been, really in my mind, an evolution in how we think about detection and response. And you go back, you know, in time, 5, 6, 7, 8 years. We started with the EDR concept, and that quickly evolved into managing, you know, more things. And now we've spun out MDR, that's evolved. We've got XDR, we've got identity popping into things now with ITDR. And now you kind of combine them all together and you're getting MXDR. We’ll start with you, Tarun. I mean, how are you feeling that our cyber practitioners are really navigating this concept? Do you feel that it's a lot of buzzwords? Is it an evolution? And how do you feel, and how are your clients navigating it, and are they equipped to kind of go with the trends, if you will?

Tarun Sondhi (KPMG) (00:06:04): Yeah, I think, just getting feedback from our clients, I think the questions that they ask really tell us a lot about how much they're getting caught up in the buzzwords. ITDR, MXDR, XDR, and EDR, you know, PDR, there are just so many acronyms out there. And I think, you know, one of the recent conversations, Charlie, you and I had, we were with one of the largest financial services clients, who asked us a really interesting question. It's like, what outcome are you delivering? And I thought that was a fantastic way of saying, cut through all the acronyms, tell me what is the outcome you're delivering. So, I think there is a little bit of a fog in the marketplace, and especially with the fact that, based on which year's hype cycle we're in, there's a new acronym that is born and then that has its own narrative. And so ultimately, I think practitioners are asking the simple question that that CISO at that financial services client asked us: what is the outcome? I think getting to that, and getting to that question early, getting ahead of that acronym, is probably the most important part. So there is a little bit of confusion in the market. I think the second part that I will share is that, you know, often when we start talking about those outcomes, what we end up realizing is that there is yet again another tool, another product, another capability that you glue code into it, and then all of a sudden you have this new acronym alive and it creates an enormous amount of pain for our clients, because now they have to deal with 70 different products to solve for a problem, where theoretically that problem is just another use case. And so I think, you know, back to your question about acronyms and how our practitioners, professionals, are navigating those, they're asking those tough questions. What is the outcome that we're delivering? What are the problems we're solving for? 
How is this going to help me protect the crown jewels and lower the risk in my environment? So, I'll pass it back to you, Charlie.

Charlie Jacco (KPMG) (00:08:16): No, that makes sense. Kelly, any initial thoughts on that?

C. Kelly Bissell (Microsoft) (00:08:20): Well, I think Tarun is right, spot on. I mean, we do need to get away from the acronyms and get to outcomes like he suggested. I'd also say that industries are very different. I mean, the way we look at risks to a pharmaceutical company is very different from a retail company or oil and gas or government. And so really mapping those outcomes and those risks across the value chain of the business, or a customer's business, so they can know what to protect, what crown jewels, as Tarun said, to protect across that value chain, is critical. And I think we're in this new era for the CISOs where they need not more complexity, more tools, like Tarun said, but simplicity. So how do we move from that yet another tool to a platform? So, XDR, MXDR, you know, whatever you want to call it, it really gets to those outcomes of how do you simplify my organization? How do you protect the value chain of my business, and how do you reduce the cost of securing my company? That's it.

Charlie Jacco (KPMG) (00:09:25): Yeah, that makes sense. And just to follow up with that, you mentioned the business context of all this, and you know, for me, at the end of the day, it's about accessing the right data and the telemetry that's out there. So, all of these acronyms that we're talking about are really about layering in more and more of the detections and finding the right things. Well, Kelly, I guess we'll keep it with you. Do you find that there's too much data out there? Are we able to contextualize this the right way? And how are we getting the right data to find the right things into the hands of, say, the security analysts and that escalation tree?

C. Kelly Bissell (Microsoft) (00:10:03): So Charlie, what you said is exactly right. It's the right data. And I do think that we have too much data in the sense that companies can't manually process it. I mean, we're talking about billions, trillions of data points. So, we need better technology to process that insight. But I wouldn't say we want to reduce the data. We actually want to expand the data. Because the more we have, the more we can reduce the blindness of that access, and we can determine or correlate some maybe bad behaviors that are happening on the insider, or even the external attacker that's got on the inside. And so I just think that we need to provide the market with better tools so they can process vast amounts of data and make, or derive, insights from that data. That's the key.

Charlie Jacco (KPMG) (00:10:57): Tarun, what do you think?

Tarun Sondhi (KPMG) (00:11:00): I couldn't agree more. You know, I think Kelly and I have been working together for almost a decade and a half, so we kind of know where this industry is shaping. He and I had the privilege of shaping some of the solutions in the market in the past as well. He's spot on. I think, you know, if you kind of crack through this veneer of, oh, I don't want to bring in that data because I don't think it's meaningful to cyber, because it's about some type of a transaction. It is about other parts of the organization that aren't necessarily within the cyber domain. I think we have that narrative wrong. That data and that input that Kelly has been talking about, we need those insights to be able to provide contextualization to this entire stream of information that we're getting, whether it's an end user, a customer, and/or its internal processes that our practitioners are following and our employees are following, because it's not always about an external adversary. Oftentimes it's an internal insider threat that's taking that precious IP. So, if you think about that supply chain that Kelly had talked about earlier, that IP is in that supply chain. So, if that insider is taking that information and slowly taking that data out, how are we going to catch that? You know, often practitioners think, well, we don't need that data because it doesn't have any cybersecurity, it doesn't have source port, destination IP. So why do we need that? And I think Kelly's point is spot on: in order to maximize insight, to maximize the utility of the products that you have, you need these contexts in order to inform the analyst, and also the automation tools that you build into it that process all that information and provide you a more contextualized view of the threats that are occurring around your business.

Charlie Jacco (KPMG) (00:13:01): You made a comment earlier, Tarun, when you were just talking about the idea of finding and contextualizing, right? And I find that most, you know, traditional MSSPs are very focused on how fast they're reacting to incidents or tickets, and it's very focused on typical KPIs, right? I think we need to be shifting towards reducing dwell time and finding the more meaningful things more quickly. So, you know, as you think about that, I mean, how do we get, you know, leveraging these other layers of context and detections and bringing things together. You know, how are you finding that we're reducing dwell time, if you will?

Tarun Sondhi (KPMG) (00:13:50): Well, you poked on a note there about dwell time and detection and response KPIs. You know, my position on that, I may be in the minority here, but I strongly believe the mean time to detection and the traditional mean time to respond are dead. Those don't matter anymore. They are operational metrics for us to make sure that we have enough practitioners looking at the data. What really, really matters at the end of the day is the dwell time that you talked about. How long has an adversary been in the environment before they were caught? So, that talks about the defenses in your environment, how effective they are. And then there's a detection piece that, if they are able to permeate through the environment, which we know applications and networks are all porous, you need to continuously assess those vulnerabilities that exist in the applications and those networks and make sure you're staying on top of it. But dwell time is, once the adversary gets in, are you able to eradicate and detect that? Well, first detect it and then eradicate that adversary. That is dwell time. It is, in my view, the most important metric that we are measuring today for our clients. It's really informing them and answering the tough questions that the boards ask of our CISOs and CIOs. Are we doing better today than yesterday? Are we doing better than our peers? Because they want to know; they don't understand the nuances of use cases. They don't understand the bits and bytes and the bad IPs and bad URLs. What they understand is the board has given an approval for a budget to go out and secure these products that the CIO and CISO want, and did that happen? Are they getting ROI? Are they better off today than yesterday? How do they answer to the investors to say, we're doing all the right things to protect the IP that everyone is investing in, serving our clients? So you're absolutely right. It is a functional equation. 
At the end of the day, we need to understand the time and the detection and make sure that we marry those two things up as part of the dwell time.

Charlie Jacco (KPMG) (00:16:01): Yeah, I mean, Kelly, any additional thoughts on that? I mean, you guys are obviously building platforms to bring all this data together, hoping, you know, to solve much of that. But how do we get even our CISOs, you know, as clients, to think about reacting, that reacting to stuff isn't necessarily the right approach here anymore? How are you helping contextualize this problem so we can reduce that dwell time?

C. Kelly Bissell (Microsoft) (00:16:27): Charlie, this is good. Look, you know, the old saying is it takes a village, and this is where, you know, partners with you guys, which I love to work with on problems, but also with customers directly. This is where we've gotta reduce that dwell time, or TTD, you know, that time to detection, because the longer they're in, obviously the more exposure the attacker has to your environment and the more damage they can cause. And so what's Microsoft's role? I think in our role, with our 685,000 customers around the world and all the telemetry, 65 trillion daily signals, I think it is our job to make sense of that data, and how do we give that back to customers and to partners. And I think, you know, partners like KPMG are going to be so much closer to the end customer problem than even a software vendor like Microsoft will be. So how do we work together to solve this problem so we can detect early that attacker or that anomalous behavior, because maybe it's an insider <laugh>, and how do we sort of put guardrails around it and then expel them, but then get back to normal operations? I mean, that's what we have to do. And I think Microsoft's role in this is how do we make sense of those 65 trillion signals, or if we see an attack for one customer, how can we inoculate, if you will, the rest of the customers around the world? That's our play.

Charlie Jacco (KPMG) (00:18:00): Yeah, that makes sense. Let's stick with that for a minute, because there are a lot of signals, right? And finding, you know, we use this finding a needle in a haystack, right? And I think, you know, finding the right data, leveraging the right telemetry is important. You know, so Tarun, what do you feel are the right pieces of data and how do you tie them together? In my head, somewhere along the lines, there's tying together some level of threat intelligence, you know, pick the feeds that you have. You've got vulnerability scanning data out there. You've got your SIEM throwing log data over the fence, you've got, you know, some detections on it, right? You've got firewall information, you've got stuff coming from various cloud providers. How do you bring this together and make something meaningful out of it to find and correlate the right things together?

Tarun Sondhi (KPMG) (00:18:55): Well, you just uttered the most important term in there, which is correlation of that data, right? We need to stop aggregating information. So traditional SIEMs, they're going to be around. I think there was a narrative a while back, SIEM is dead, we need to move on. The reality is SIEM is always going to be here because it does an important function on top of aggregating that information, which is to correlate that based on use cases. So, if we take a simple use case like a temporal attack, right? You have five failed logins followed by a successful login within a second. How is that humanly possible, right? So, it's not enough just to ask that question to say, well, this seems like an anomaly. Well, that anomaly will then go to an analyst or be processed by an AI engine, and it's going to take some time for them to make the right decision. At the end of the day, we're trying to practice the Cyber IQ of a practitioner and the analyst; that Cyber IQ, we want to reserve it for the most important things. And so that data that you talked about, correlation of events that are occurring at the endpoint, firewall, whether it's identity data, vulnerability data, they're all insights, they're all inputs. And the most important input is also the data that Kelly had talked about, those trillions of insights. You know, they are telemetry data, but at the end of the day, they're all important information that informs our analyst that this is what's occurring. This is what occurred before, this is what's occurring now, and this is what occurred after the adversary got into the environment. And by the way, this has the markers and the DNA of this adversary out in the marketplace that's wreaking havoc. So that insight, that intelligence that Microsoft has that Kelly's been talking about is absolutely critical. 
There's no other sensor out there, there's no other honeypot that I know of that's out there that's bigger than Microsoft, because you have trillions of sensors. Every device is a sensor of insight that provides us that intelligence back. So, intelligence correlated with all those data points, Charlie, is exactly what we're looking for.

Charlie Jacco (KPMG) (00:21:10): Yeah. I mean, Kelly, with all those signals out there, you mentioned, you know, kind of simplifying and getting everything out there contained. And if you see it for one, kind of isolate, contain, and remediate for others. Maybe talk a little bit about how Microsoft is doing that and how you are taking some of that data and leveraging correlation and helping others, where when you see it here, you help over there.

C. Kelly Bissell (Microsoft) (00:21:37): Yeah, and in the simplest approach we have, we have engineers, or hunters, that actually track attacker groups. They know their signature. We actually have a China desk, a Russia desk, an Iran desk and so forth throughout the world. And they track the attackers. They understand what code they're writing, actually, what their targets are, maybe Active Directory or maybe some OT device or, you know, some other software programs. So, we know what they're targeting, and then we can correlate, oh gosh, they're after Johnson Controls or Schneider Electric or Microsoft or somebody else. Then we can correlate that to, well, what customers use that product? What industries are they in, what geographies? And then we can learn, so that as the attack is forming, then we can build protective controls in place. And, you know, all that will flow either directly to national security agencies that we work with, or it will fold right into the Defender family of products so that we can make companies big and small safe. And so, this is really important, to understand that industry, that geography, that asset that is being targeted. Charlie, you mentioned all that signal; we can reduce signal to noise. So, if I don't have a Johnson Controls, or if I don't have a particular Microsoft product or some other software product, then don't send me that data <laugh>. And this is where we can be very surgical about what customers need to know about some intelligence that only applies to them in that context of their business. And that's where we're going with all this. So, we can secure the world and make it a little bit safer. But, you know, it's important that we need, you know, partners like KPMG, because you actually know more about industry regulation and even the operations that happen at our customers, sometimes better than Microsoft. 
So this is, again, back to that village thing: it takes us working together to be able to solve this problem.

Charlie Jacco (KPMG) (00:23:50): Well, that's a good point on the industries, right? My head went immediately to the ISACs that are out there and, you know, how do we take and contribute this type of intel back to the ISACs so that they can disseminate it across their membership as well. And I think that that's the village concept in my head. Kind of all for one, if you will.

C. Kelly Bissell (Microsoft) (00:24:11): Charlie, one thing on that, the ISACs, just from my point of view, I think the ISACs are a really important part of this equation, but they're one step away from the operations inside the company, and this is where, yeah, Defender, if I can push it directly to Defender or Sentinel, you know, back to the SIEM, then I can actually, again, reduce that exposure and get to protection faster, as opposed to having to wait for a feed that now I have to correlate and now I have to process. So I just think that, although the ISACs are really critical, I think we have to rethink this: how do we protect customers faster? All sizes, not just the big ones, but even the SMBs, because they don't join the ISAC, they don't know, they don't have the resources. So, we gotta fix that across the ISAC problem.

Charlie Jacco (KPMG) (00:25:03): Well, it's a good point. I mean, you mentioned, you know, detect faster, you know, use some level of automation to detect breaches more quickly. I mean, how are you finding, you know, customers leveraging automation to really change their control environment, you know, in a more real-time way, to kind of protect and detect more quickly? What types of automation are you seeing there?

C. Kelly Bissell (Microsoft) (00:25:26): So, look, we learned this in 2017 when we had this really major ransomware that spread through one company, 43,000 servers in two minutes. Look, this is not humanly possible to detect and then act on. So, this is the bad guys bringing a gun to a knife fight <laugh>. So, what we have to do as good guys is step up our automated capabilities. To your point, Charlie, this is where we've been working on this AI, this Security Copilot, for a long time. And this is not a commercial about Microsoft, but this is where us and Google and others are really building artificial intelligence to put it in the hands of the good guys so that we can really automate the protection, the detection, and the protection against these attackers. And that is what we have to do. So we can be not only on par with the attackers, but how can we be ahead of the attackers? And if we can do that, then we can actually make a big difference in this market.

Charlie Jacco (KPMG) (00:26:36): Tarun, how are you thinking, so AI, right? That's obviously become a super hot topic in the last, say, month, six weeks, eight weeks. How are you thinking about leveraging AI even in our own solutions so that we can kind of get more force multiplication, if you will, on the security analyst help desk?

Tarun Sondhi (KPMG) (00:26:58): Well, you know, Kelly is being a little humble about not doing too much advertisement for Microsoft, but I'll do one for him. Two years ago we set out to look for some new apparatus that we wanted to bring to solve for security monitoring for our clients. And we looked at a bunch of different things. All roads for us led back to Microsoft. And I'll share why, because I think it's going to tell the story about automation for us. You know, I think Kelly said something earlier about there being 63 different tools that the clients have to fight through and figure out how to glue code together or connect them together, and then one gets an update and everything else breaks. You know, that problem exists in the marketplace, and it's a really big problem. So, I think this is where Microsoft has created that gravitational force: this entire ecosystem of products that they have, as Kelly calls it, sits on a platform. Whether you have endpoints using Microsoft Defender, IT/OT, or you have Exchange data, O365, all that instrumentation that happens within Microsoft all centers down into Microsoft Sentinel. And that becomes our apparatus that we look into and try to decipher what's going on. Now, one of the functions of a cyber managed services organization, a service provider like us, is to make sure that we're reserving our most important asset, which is our analysts' Cyber IQ, to solve top problems. I've mentioned this once before, we can't possibly look at a hundred alerts per second. And as Kelly pointed out, within two minutes, be able to go after 63, you know, servers or whatever that number was, Kelly. It's just not possible. It's not humanly possible. 
And so, to augment that with the AI tools that are natively available, I don't need to go buy another sort of technology; they are natively available within Microsoft and just connect effortlessly across all the Microsoft products, which is what we were looking for. And since the birth of Microsoft Sentinel, we have been super excited about its ability to go directly into Exchange, that temporal attack that I had mentioned earlier, to go in and quickly reset my password. Within a microsecond, that automation kicks off to say, hey, anomalous behavior, we're not really sure, but let's, you know, err on the side of caution and go out and reset the password of this user that went through that process. So, you know, automation is at the core. Without it, we can't survive, because we need to get rid of all of that work and go from, you called it a needle in the haystack, I think it's a needle in the needle stack that we're looking for, and to go from there into a needle in the haystack, and from there to really the most important signals that we want our practitioners to focus on. So, AI, automation, automated response: the more native connection you have, the more autonomic behavior we create. So as soon as we see issues that, you know, Kelly was mentioning earlier, by region, by country, by client, as those things are starting to unpack in each layer to say, in this region, in this country, we're seeing these types of attacks, and in this client and these sets of clients in this industry, we're seeing these types of attacks. What if we could get ahead of that and say, you know what, we will go automatically into the defenses that are available and put in these blocks and stop it as much as we can. And that autonomic behavior is what we're trying to build together with Kelly's team into the solution.

Charlie Jacco (KPMG) (00:30:45): I want to stick with automation and AI here for a minute, because this is, you know, a topic for me that, and even tying it back to a comment you made earlier about trying to elevate the Cyber IQ, I mean, I have a stance personally that there aren't enough level one security analysts on the planet to keep up with all the triage, right? So just kind of an open question here for you both. Maybe, Kelly, we'll start with you. I mean, what do you feel like security and the SOC look like in five years? Right now I feel like it's kind of like this pyramid; it almost feels like it needs to reverse in my head. I mean, how do you feel about that concept, leveraging automation and AI, more threat hunters and fewer triage analysts? Right.

C. Kelly Bissell (Microsoft) (00:31:31): Look, I think the SOC of not even five years, I think the SOC of two years from now is going to look totally different from the SOC today. And I'll tell you what most SOCs look like today. Whether you're an MSSP or you have your own built-in SOC at your company, it is made up of, like Tarun talked about, all these tools cobbled together in a Frankenstein platform. And each product has a cost associated with it, not only the acquisition cost of the software, but also all the integration cost that Tarun was talking about. And so that cost of service is gigantic. So here's what the SOC looks like just two years from now. It is where we remove all L1 and L2; all we have is L3, or maybe even just L4. The practitioners in the SOC are less the super deep cyber developers, which is what it takes to run a bunch of scripts and so forth to find anomalies, and more of a business risk manager using AI tools to correlate vast amounts of data super fast. So, what would take me in the SOC a couple of days, to build it, write a program, test it, make sure it works, and then gather some data or find it a few times and then take action on it, I can do in 30 minutes. I actually do that today with 11 customers that I have in a sort of internal private preview of our Security Copilot. So, really the SOC of tomorrow is a platform with a reduced number of tools, and on top of that an AI copilot, and we chose that term on purpose, meaning human plus machine working together: the copilot; the human is the pilot, AI is the copilot. And so, working together actually to derive those risks so we can see those adversaries lurking inside, if you will, faster, so we can reduce the risk to the company. And that is the SOC of tomorrow. So, we've probably reduced the SOC by 30%, and we reduce the exposure by probably 60, 70, 80%, and we reduce the time it takes to learn things by probably 90%. 
So really, we're talking about a much better security operations center than we've ever seen before. That is what really makes me excited about being in this market for 28 years. This is the first time I've seen something that's really truly going to transform the marketplace.

Charlie Jacco (KPMG) (00:34:26): Well, I think, you know, boards of directors will hear that and say, sounds cheaper, right? So, from a cost perspective, I think that's the, you know, the other side of it. From a business perspective, you get a lot of, well, we're giving the CISO all this money, right? When, when are we done? I mean, the answer is never, right. We gotta get more and more mature, you know, alongside of our, the malicious attackers. But you, you made a comment earlier on all the tools that are out there. You know, I, I feel like cyber defense and the SOC is probably the last piece that's really been pulled together into a platform, right? It started with identity 20 years ago. Yeah, yeah, right. With all of these spoke things getting gobbled up and painted specific colors, and now we're bringing that to the cloud. I mean, how far away are we, do you think, where we've gotten mass adoption on a platform with kind of AI as a copilot that CISOs will trust, the cyber gnomes, if you will, right? Yeah, that's right. I guess we'll start with you, Tarun.

Tarun Sondhi (KPMG) (00:35:32): Wow. I think, I think we're going to continue to see some of that pushback in the marketplace because they really don't understand, they have a tough time understanding all these defenses that they're putting in place. Is that really working? Because we know that adversaries are using similar tools, they're using far more advanced tools. Guess what? They don't have a project management group. They don't have a board that they have to go tell, like Kelly has to go to the board, goes, goes to Satya and talks about a vision of a new product he wants to build, and then several months later he's, he'll get funding and then he has to put a team together, a committee together. Adversaries don't have any of that. They just dream something up. They have all these tools available to them, and within seconds they've launched a new attack. That is a speed that we're trying to combat against. Right? Think about that, like that two-minute example that Kelly used that really stuck in my head, because that, that is super fast. I, I, I feel like it's, it comes back to a composite of different things. It can't just be about security monitoring, right? And detection and response. It has to be cobbled together with other things to secure the most important risky assets, or assets that, that, that have the highest risk in an organization. And those are techniques such as the ambition we have to get to an RTO of zero. Imagine finding an anomaly and within a micro millisecond booting up to an image that's safe, right? Insulating that adversary. Getting to that RTO of zero is, I think, where I believe, just adding on to what Kelly said earlier about the SOC of the future, I think the SOC of the future also controls the RTO-to-zero plan. They, they're the ones who are going to bring IT and cyber together in a much more meaningful way, in my opinion. I don't know, Kelly, if you have any thoughts on that?

Charlie Jacco (KPMG) (00:37:37): Yeah, I mean, it sounds, Kelly, I mean, Microsoft feels like the natural player to start bringing all this together into a platform, and it feels like you're starting to do that. I mean, what's your vision for the, for all of these things together in one spot?

C. Kelly Bissell (Microsoft) (00:37:52): Look, we, I mean guys, we, we worked together for a long time. The reason I joined Microsoft, and not just me, but people who have been here for a long time and, and newcomers like Charlie Bell and Vasu and, and all these folks, Andy Elder, we, we came because I actually think Microsoft has a responsibility even to build a platform and to reduce this cost of security around the world. And I, I think that we have all the right capabilities of doing it. Are we there? I, I think we're pretty close, but then maybe I'm never satisfied. Maybe there's always more we can do, but, but I just think that Microsoft, from a, from a platform standpoint, is well on its way. And, but I also think that there are other players in the marketplace that have an important play in this game. I mean, so the, the last thing I'll say is this is sort of standard market dynamics. I mean, you can look at hotel companies or oil and gas or retailers or whatever. There are standard market dynamics of, of thousands and thousands of players. Then it moved down to maybe the big four, which you guys are part of. And, and I just think that Microsoft's one of those big four platform providers within the security world. And I think there's a lot of good that we can do and, and we have, but there's more for us to work on. But it's also where we gotta work with you, with KPMG and others, so that we can secure the world better. And so, you know, we're on a journey. One thing you said, Charlie, you said the board's asking when is cyber, when are we done with security? Security shouldn't, should be thought of as almost like R&D; it is actually never done. It is a journey. And I think we gotta make sure that we partner with you and customers so we can help them on that journey so they can reduce cost over time while they increase that capability of as security of their organizations. That's our mission.

Tarun Sondhi (KPMG) (00:40:00): Right. You know, I want to pull on something there, Kelly, right? You mentioned the, I think the, one of the most key words there is partner. It is a, a three-way partnership here. The client partnering with a service provider like us, right, a big four. And also with a product vendor, together to solve these problems. This is not about pitting one against the other, right? At the end of the day, this partnership works. We, we're all focused on a single mission and, and jointly serving not just the firm itself, but also the community that we represent. Because we're all batting together to fight against these adversaries.

C. Kelly Bissell (Microsoft) (00:40:39): It's a team sport, right?

Tarun Sondhi (KPMG) (00:40:40): It is absolutely a team sport. Going back to your previous comment about it takes a village, the village has to be together. We absolutely must work together and be a little bit more open across industries. I know we're, we're kind of going off the point, Charlie, you talked about, about spending, but we do want the board to recognize and also encourage their organization leaders to be a lot more open with other industries, their peers too, or some other, even part of their supply chain. Anyone that's providing supplies to them, and, and products and tools to them so that they can service their customers. They really need to get into an information exchange. To me, we are obviously best positioned to do that, as Kelly talked about earlier, where we have the business context, we have the relationship with the product vendors, and we also have the obviously relationship with the, with the clients, or whether it's us, whether it's Microsoft, whether a client takes it on and says, Hey, we want to be the information exchange, we want this open sharing. I think that is really the next big thing that we need to solve for, Kelly. I don't know how you feel about that, but that is something I've been pushing really hard with our clients to say, let's get a lot more open.

C. Kelly Bissell (Microsoft) (00:41:56): I agree. I, I'm with you and I do think we're, we're almost at a tipping point where most of the CISOs know that they've gotta simplify their environment, that to rethink their strategy, it can't be best of breed because they, they, they actually unintentionally create seams of risk in their environments. I mean, they need you around that regulatory issue, that cyber strategy, the implementation, the managed service. You know, our role in this game is, is the software platform side plus the threat intel and some, maybe some other things. But this is where we have to think about this thing holistically. And then, gosh, everything's changing because the attackers changed. Regs change. As you guys know, the SEC's trying to push boards to have a cyber-aware person on the board, which I am all for. So, I mean, I think we just gotta help our customers, our clients, through this journey together.

Charlie Jacco (KPMG) (00:42:57): So on the journey, I mean, everything we are talking about is now, right? It's happening for the, for the security practitioners out there that are thinking this is great, would love it. But I've spent years, right, writing detections on my current SIEM and it's like open heart surgery to even consider a new security architecture around that. Like, how, what would you guys give as the pointers? Like how do I get to an ROI without completely deflating my entire SOC to make a swap? Because all this sounds great. Maybe. Yeah. Go, go ahead, Kelly.

C. Kelly Bissell (Microsoft) (00:43:38): You want to start or you want me to start?

Tarun Sondhi (KPMG) (00:43:40): It's okay. Go ahead and start. I'm, I actually, Kelly, I'm waiting. You don't, you don't get into a session without a dad joke. I'm just waiting for a dad joke from you.

C. Kelly Bissell (Microsoft) (00:43:49): It's coming. I've got wind of the back of my mind, so

Tarun Sondhi (KPMG) (00:43:53): I know it's coming.

C. Kelly Bissell (Microsoft) (00:43:54): But, look, I, I think as, as a recovering CISO, as I would say, there, there, there's always a balance right now with CapEx, OpEx cost and the risk of the organization. That's really the job of the CISO, balancing the cost and risk. And I think, if I think today, again, back to that simplicity, like if we're more simple, can we be more agile? Can we move faster? Can we be ahead of the attacker? The second thing they're asking themselves, gosh, if I had fewer than 83 on average software products, if I move to a platform, plus I'll call it, plus then can I actually reduce my CapEx and my OpEx and, and move forward? So, I think right now, and I've helped, gosh, in the last three months, I've probably helped 10 or 12 CSOs build that business plan that goes to the audit committee or to their CIO or to the full board that says, here's where I am today. Here's where I need to move to. And it's, and it's a three-year journey. I can't do it overnight and I might spend more in year one and year two, but over time my run rate is going to be far lower and I'm going to have improved security. That is actually what the board wants to hear. And they'll, management will spend more money if they know that they can lower the run rate and reduce risk over time. And I just think our customers, our clients, our joint clients here, we, they need our help to help them build that business case. That's the key. And if they can do that with a newer technology on a platform plus AI and where other things where, you know, Microsoft and maybe others are going, that's what we, that's our job to help them build that case.

Tarun Sondhi (KPMG) (00:45:45): And, you know, I'll, I'll add on to, to what Kelly talked about and, and maybe what I can give as more of a point of view from a, doer standpoint, right? So I, I saw a text message pop up or a message in the chat pop up about the endless exercise of creating some use cases. I feel like, you know, an important keyword that I'll, I'll borrow from Kelly is simplification. Yeah. So my advice to the practitioners that are on the ground, hands-on keyboard working through this process, is go back and rethink and, and reimagine your SOC as a tierless SOC. Reimagine your SOC as one that doesn't have six different divisions of engineers, developers; rather, you're all doing the function and you're doing it right up front, right? For instance, you don't want to get into a process which is highly inefficient, that you're developing a use case and through that use case, it's a separate QA process, a separate QC process, separate development process. Make sure your practitioners and engineers are well equipped to do this just in time. Develop these use cases. Let them go out there and start getting hydrated, start getting active in the, across the, you know, from, from the signals that they're getting, correlation and so on. And then tweak them. Remember what we said earlier, right? Which is the speed, the speed of innovation with the adversaries of quickly deploying an attack, taking two minutes to take down an entire universe of servers, if you will. You can't match that speed if you put in all these processes in place. Simplify it, get to a tierless SOC, get to on-the-field development of new use cases. As you imagine, as you're exercising that curiosity of your, you know, using your cyber icon and say, you know, I'm curious about this. Put in that rule, let it go out there, let it soak for a little bit and then you pull it back if you need to, or adjust it as you need to.

Don't get into this endless cycle. I think that's, that's one of the biggest things that I'm noticing, at least the things that we're doing to be a lot more efficient, because we can't possibly hire enough analysts in the market; they just don't exist, right? Right. We can't train them fast enough. And so those that we have, we're trying to maximize their utility and also keep them interested. You just cannot keep these really high cyber IQ, they're, there's just fantastic practitioners and they want to constantly exercise their curiosity. If you give them a mundane task, they're gone.

Charlie Jacco (KPMG) (00:48:29): I, just to pull on that a minute, you know, I'm seeing, do we, do you feel that the automation and the AI that's out there, the co-pilot if you will, is out there to suggest new use cases and add more layers of rules? Or is it to solve the calculus around the rules themselves? Because for me, at some point we have to get beyond third grade algebra, right? And move more towards freshman year calculus if you will. So, what are your thoughts on how just bringing it back to automation, we're going to add on these use cases and get to that level three and four, like you were saying earlier, Kelly.

C. Kelly Bissell (Microsoft) (00:49:06): Look, look Charlie, I still have bad dreams about geometry and calculus. So, you know, this is actually one of the reasons why I'm super excited, because it's not one or the other. It's not, can AI help me write scripts and code? Or can it help me learn new use cases? It can do both. And so early on, I, I was working on this since September, this AI copilot thing, and I polled, I don't know, 15 CISOs who I think are really hardcore, really, really good CISOs. And I said, if you could ask the security copilot anything, what would you ask? And I kind of compiled these 10 things and they were really good, because they were 10 things that are really correlating things that they can't do themselves, or they don't have the right programs for, that AI can do for them. And it was things like, hey, tell me about trends in the marketplace. Tell me about new things that I should be worried about that I maybe don't know. And they're asking all kinds of things on the external side that were making them smarter. And that's really what security copilots do. It is, is helping them on both sides and analyzing really complex things like an incident and even building a, a breach report for you fast. So there's all kinds of things that I think this, this AI is going to help the CISO's job be better, and not just their job, but the whole staff. So that's why I'm excited about this revolutionary change in the marketplace.

Tarun Sondhi (KPMG) (00:50:45): Agreed. Sorry about that. I lost my connection for some reason and my battery was at 1%, so I think

Charlie Jacco (KPMG) (00:50:53): Too All

Tarun Sondhi (KPMG) (00:50:53): Good. Yeah.

Charlie Jacco (KPMG) (00:50:56): , so, Peter, I know we're, we're about, you know, wrapping up here on time and then there were a few questions out there. I'm going to hit on one of them quickly because I, I didn't get to it earlier and they were asking about, just the ISACs in general. Yeah, I'll take that one. We guys can, can compile on. So, for those that aren't aware, the ISACs are information sharing in an analysis centers. And I believe the first one that was created about 20 years ago, or more actually at this point, was the FS ISAC for financial services. And each industry has created others. And the intent is that while those companies are competitive in nature, all for one, one for all on cybersecurity, and they are actually all share, threat intelligence together and a typical traffic light protocol, you know, red, amber, green if you will, where the reds are highly critical, what only members can see and others can contribute to it. So the, the mission is protect the industry hopefully that answers that question. 

C. Kelly Bissell (Microsoft) (00:51:59): Yeah, if I could add, Charlie, something on that. Look, they're really, really, really important because they do protect the industry and they have similar risks, but there are also other industries that they can learn from. So, I think there's inter-ISAC and intra-ISAC that's important. And I think their goal is a really good one in that, I mean, Microsoft has one view of the market. Google has a different view, Apple has a different view, Cisco has a different view, if we're thinking about the major players in the marketplace. So, their job is to bring all that together so they can share through the, through the industry. I just think we haven't done that last bit, which is really very good applied threat intelligence in the context of that particular business, of their assets. And that's what we gotta get to, and we gotta reduce the, the speed all at the same time.

Charlie Jacco (KPMG) (00:52:59): Back to the original point from the top of the hour, context matters, right? Yeah. So, Peter, welcome back.

Peter Dorrington (ELN) (00:53:07): Oh, my pleasure. Thank you very much. It's been really interesting and, although you couldn't see it, I've been taking loads of notes from here. I've also been watching the chat and the Q&A. Such an interesting topic. And as I say, it's one that's been of particular interest to me. As anybody involved in digital transformation right now will tell you, all businesses today are in the business of data, and that data is one of the most precious assets that they have. And so anything we can do to protect that as well as infrastructure. Now I'm going to, if you wouldn't mind guys, I'm just going to ask a couple of questions, and Charlie, why don't I, I start with you because I think you've been doing a great job of leading the conversation. Let me put you on the spot. Sure. This is clearly an area that needs a lot of corporate attention to move forward. Who would you say needs to be on the core team? It can't just be the CISO; you need a, a surely a wider church in order to make this a reality.

Charlie Jacco (KPMG) (00:54:01): I mean it all starts with the board, right? And Kelly mentioned it earlier that the SEC is pushing for, let's say, a cyber practitioner or someone with a cyber practice, you know, cyber background to be on the board. And at the end of the day, this needs to be important, right? KPMG's actually done annual CEO surveys and, you know, starting probably about four years ago, like cyber was, say, number two, number three; it's been consistently the number one risk that needs to be solved for, for the board, and we can't have this as reactionary to the latest news cycle or whatever. We're seeing the latest breach, you know, on the news, right? This needs to be a proactive measure. So with that comes investment, right? So, you also need, right, the CISO is not necessarily building everything, so you need the rest of the broader technology group. The CIO needs to be on board, right? But on the other side of it, and depending on the industry, right, the chief risk officer and that second line of defense around understanding where the key risks are. At the end of the day, you're not going to be able to solve and protect every endpoint. You're not going to be able to solve every cloud environment that is out there. You have to be able to have an informed decision based off the key risks and the inherent risk of your firm, and protect what really matters and get better at reactive, in detecting the rest. So for me, it's like we keep using, it's a village. It needs to be across the board, the chief risk officer, as well as the, the, the traditional CIO, you know, function.

Peter Dorrington (ELN) (00:55:36): Great, thanks very much for that, Charlie. And I'll ask you a very similar kind of question, if you wouldn't mind. This is an ever-evolving, changing landscape. It's deeply technical. You, we talked right at the beginning, alphabetti spaghetti out there, so many acronyms. And obviously most of the board are not experts in this field. They don't understand the technology, the threats or the risks. What level of education, Tarun, do you think you need to do to get to that point where they will be willing to reach in their pocket and fund this? Because I think you can't just hit them with a stick or would neither. You can baffle them with the science; you need to engage them. So I'd love some tips from you, if you wouldn't mind. How do you sell this to people who don't really understand it?

Tarun Sondhi (KPMG) (00:56:18): Yeah. So, you know, we, we've been very lucky to be invited by the, to speak on behalf, either by the CISO to speak on behalf of him and give some perspective around this. I, what we've found that resonates with the board in order to open up those purse strings to invest is really breaking this down into what it means to the business from a financial impact. How does it help enable business? And also how does it protect, like a shield, from the business being harmed? We know through the COVID process how important supply chain is, and when there's a disruption to that supply chain, it has downstream and upstream impact to the entire ecosystem. Similarly, cybersecurity has a similar effect. If there's a ransomware that shuts down the server, several important assets of an organization, they aren't able to communicate with their customers. They aren't able to produce whatever that product that they're producing or the services that they're providing. That translates into dollars lost, credibility lost, and also employees that are frankly, a lot, it's a lot easier to move from one business to another. And employees are becoming a lot more selective about who they want to work for and what is their ESG position. So this sustainability, this governance around data and the inside is, is absolutely resonates with the board. Those are some of the things that we've found, is that breaking it down into those dollars really, really helps the board understand and process that information in terms of an ROI.

Peter Dorrington (ELN) (00:58:02): Perfect. Thank you very much. Wow. Now I did promise we wouldn't overrun. So, Charlie, what I'm going to do is go to you for just a couple of bullet points. If you wouldn't mind, a couple of key things. What should we take away from today, if you wouldn't mind? Couple of bullet points.

Charlie Jacco (KPMG) (00:58:15): No, I appreciate it. Now my, my key takeaway here is, you know, just going back to the top, at the end of the day, all of this needs to come together and it's about correlation of more data in a more meaningful way. And getting that context is not easy. The correlation is not easy, but it's going to take, you know, more platformization, if you will, of all of the bespoke platform products that are out there to really come together to make it make sense. And at the end of the day, the end result is to find faster, right? It's not about, you know, responding to tickets more quickly. We need to eliminate that level one desk, if you will, and get more to a high cyber IQ talent, right? And, and get to folks really focusing on the level three and the threat hunt type activities and letting the automation do it, do its thing, right? And that, that we're there soon, right? It's not a 5, 6, 7, 8 year out thing. As Kelly mentioned, it's probably a two-ish year thing, and it's not about eliminating the tools that are out there, it's about bringing all that data together.

Peter Dorrington (ELN) (00:59:26): Perfect, thank you. A couple of points then I'll just add to that. So firstly, I think that obviously we're going to need technology to augment our staff. They're in short supply; it is a deeply technical field. Anything we can do so that they can focus on the most pressing use of their time where they're most valuable, rather than monitoring logs and so on, is incredibly important. The threat vectors keep changing a lot. I was going to come to you, Kelly, and try to get you to crystal ball gaze, but I thought, I realized that's so unfair. So, what I'm going to do is let me then just quickly wrap with the next steps and we'll see if we can get everybody on your way a few seconds early. So we are going to reach out to you after this webinar. We'll include instructions on how to watch it on demand, but we're also going to give you an opportunity to continue this conversation one to one so you can ask all of those tricky little questions you didn't feel you were able to today. And obviously within the context of your own organization, because for many of us, the threats are very similar, but our organizations and our response is very different. So look out for that. Also, I would really like to thank our speakers for today. So Kelly, Tarun, Charlie especially, thank you so much, great guys there. I took loads of notes, you've given me enough to think about and you're probably going to cause me a few sleepless nights as a result, but that's actually a good thing as far as I'm concerned. I also want to thank KPMG and Microsoft, without whose support this webinar would not have taken place. So thank you to them and indeed to Jadene and the team at the Executive Leaders Network for doing all the hard work in the background. By the way, thanks for the reactions, folks, enjoyed seeing the icons, but most of all, and last, but by no means least, I want to thank all of you for your attention.
I'm sure, like me, you have taken away a lot to think about from here. Still quite a lot to learn. It's a never-ending problem. But until the next time, take care now. Take care. Cheerio.

Charlie Jacco (KPMG) (01:01:26): Bye-bye. Thank you. Thanks Tarun. Thanks Kelly.

Meet our team

Tarun Sondhi
Principal, Advisory, Managed Services, KPMG US
Charles A. Jacco
Principal, Cyber Security, KPMG US
