Created in 1994, the J.W. Graham Medal in Computing & Innovation recognizes the leadership and innovative contributions to the University of Waterloo and the Canadian computer industry by J. Wesley Graham during his career as a professor and university administrator. The medal is awarded annually at spring convocation to a graduate of the Faculty of Mathematics currently in business, government or education who exemplifies the qualities shown by Wes Graham during his career.
Eldon graduated from the University of Waterloo with a BMath in 1991, majoring in computer science and minoring in economics. He is founder and Chief Innovation Officer of eSentire. Headquartered in Cambidge, Ontario, eSentire is a pioneer of managed detection and response — a new approach to security that provides clients with a round-the-clock embedded incident response.
Tell us a bit about yourself.
From a career path, it has been a bit of an offbeat journey. Since graduating, I have worked as a programmer, systems administrator and network administrator before eventually discovering that my personality was best suited within information security. I have some competence in seeing gaps in systems and processes; that is where vulnerabilities can be found and where improvements can be made.
I feel that I have been incredibly lucky to have had the opportunity to gain extremely broad experience in tech before focusing on information security. I started consulting as a sole practitioner in the field for five years before I co-founded eSentire, where I am now the Chief Innovation Officer.
What area of information security do you focus on?
Managed detection and response is a recently created and rapidly evolving description of a very specific subset of information security service offerings. One of the oldest definitions of information security services is that of a managed security services provider, which describes companies that manage hardware — for example, firewalls and VPN — and anti-virus software that sends alerts to a client.
My definition of managed detection and response turns this category on its head: we assume that every indicator of compromise or concern is evidence of a successful attack and requires investigation. This investigation requires a rapid response with deep data sources, usually including full-packet network traffic, endpoint and log data. In short, to give a remote security operations centre the mandate and ability to investigate potential security incidents with the tools that an on-site incident response team would have at their disposal, with the intent of reducing damage through rapid response.
We used to call it by several different terms, including collaborative threat management, embedded incident response, and micro-incident response. A few years ago, shortly after a Gartner industry analyst visited us and heard our story of how we differentiated from their classic definition of managed security services provider, they formulated the term MDR — managed detection and response.
Where do you see this field going next?
We continually work to improve methods to detect and respond to attacks. Ideally, I would like to continue our successes to increase our visibility into all attack vectors within our clients, and offering differential responses as appropriate, depending on the severity of the attack and the ultimate intent of the attacker. By this, I mean that our general mandate is to quickly expel an intruder when they are detected, regardless of their goal. However, there are cases I can foresee where we would want to discern intent and sophistication of the attacker and better match it with the effort of investigation. Attacks from script kiddies” — unsophisticated attackers — would automatically receive a different response than would attacks from sophisticated actors.
Tell us about your work with machine learning models.
For a few years, the eSentire staff had worked with machine learning models to help deal with the ongoing and ever-increasing deluge of data and to identify inappropriate behaviour that is difficult to assess at scale with static regular expression rules.
We have had significant successes with our current human-assisted machine-learning models to date and continue to push the envelope. Approximately a dozen employees work in a group called Advanced Threat Analytics within eSentire. They look at the most cost-effective methods to detect threats with our clients, including the extensive use of machine learning where appropriate.
As well, in late 2018 we acquired a firm from Seattle that focused on machine learning models using network traffic metadata that gives us better insight from an even broader perspective for use from data gleaned from both on-premise environments and AWS EC2 instances, as one example.
We have coined the phrase “human expertise at machine scale” to reflect this corporate philosophy.
What should every company know about information security analysis?
It is not easy. It was not easy 20 years ago, and it is even more difficult now.
Given the broad expanse of access vectors, including mobile devices, the ongoing disintegration of any perimeter, and the rapid consumerization of IT, there is a plethora of threat data to analyze and no single silver bullet to solve it. It is a challenging and ever-changing problem and it is a great honour to, in some part, represent the public face of a company that is working to combat it.