
Customer Conversation – Cimpress deputy CISO on SOCs, SIEM, and Working with Hunters

John Fung is the former deputy CISO of Cimpress. Cimpress is the parent company of 13 separate printing and marketing businesses, including National Pen, VistaPrint, and PixArt Technologies. Their security team encompasses 30 people spanning four continents, and operates 24 hours a day to monitor over 15,000 end users.

John sat down with Yael Macias, Hunters Head of Corporate & Customer Marketing, for a one-on-one interview to discuss how Hunters has impacted his organization. The following is an extract of that conversation.

YAEL: Thank you so much for chatting with me today, John. Can you tell me a bit about what your security team looks like, in terms of analysts and threat hunters? Are you using outsourced or managed services for any functions within the security organization?

JOHN: The security monitoring group, which handles traditional level one through three monitoring and incident response, is a collection of 13 analysts spread across two different locations. As a relatively small organization, what would typically be called a level one analyst might be doing level one, level two, and incident response work at Cimpress. In our team, we have individuals doing vulnerability management, incident response, pentesting, red teaming, and application security.

YAEL: Let’s talk about the IT security architecture and the different tools the security organization within Cimpress is using. What does it look like in terms of cloud based applications, number of vendors you're dealing with, and number of security tools? Are you using a SIEM for log collection?

JOHN: We currently use a lot of different vendors. Traditionally, we tend to use very short contracts, with one- or two-year engagements, which allows us to be extremely flexible, and to introduce a high amount of accountability into the vendors that we do business with. We do use one of the big three cloud providers, and of course we do a lot of business with traditional large SaaS vendors as well. Before we actually started exploring what ‘XDR’ (Extended Detection and Response) could offer us, our SIEM was a traditional, on-premises vendor that recently had started to migrate to the cloud. However, the way that they were architected didn't really work for our business model.

YAEL: Before we get into your experience with Hunters, I’d like to ask you more generally about your predictions for the future of the SOC. What are the main challenges that CISOs and security managers are increasingly facing, and how will they need to be overcome in the near future? 

JOHN: What we're going to start finding is that a lot of the technologies that are trying to move to the cloud are going to start seeing their limitations laid out very, very publicly. You can't simply take an on-premises technology or strategy and move it to the cloud, because you're bringing with you all of the problems and inefficiencies it already has. It’s simply not going to scale properly. Not only that, but with the speed at which things are taking place now, traditional technologies can't keep up. There are more custom applications and short-lived applications being used, as businesses surge in the way that traditional SIEMs can’t handle. 

YAEL: Interesting. So when you started deploying Hunters, how was the integration with your existing tools? Were there any challenges with integrating your cloud based applications or anything else you're using in the security organization that is now streamed into the Hunters platform?

JOHN: Originally, the deployment process involved quite a bit of work on our side. This wasn't because of the way Hunters needed to ingest our data, but because of the proprietary nature of how we had to get data into our last SIEM. We actually re-architected all of our data pipelines internally, so that all of our data landed in an S3 bucket, from which Hunters pulled the data into its platform. So the deployment of Hunters was remarkably simple, but making our environment agnostic of our previous SIEM vendor was where the work really came into play. Hunters now integrates with our tools and it scales its detection seamlessly with us. Hunters probably doesn't even notice the change in the environment because it's happening constantly and smoothly.

YAEL: What's your opinion on centralizing security operations into one platform in terms of security collaboration and having a single source of truth? 

JOHN: From a maturity standpoint, the fewer clicks and the fewer screens that an analyst has to look at during the course of their day, the more effective they are. If you find yourself having to pivot between platforms and different technologies, that's where things get dropped, things get overseen, and you don't see the connection between your data. Whereas if everything's brought into one central location, all the data is right there. The analyst doesn't have to worry about remembering a number or machine name as they pivot between screens. It's fast, it's accessible.

YAEL: From a detection & response perspective, what was the immediate value you saw when you deployed the platform?

JOHN: While we were doing our POC with Hunters, we still had our current SIEM running with their “best of breed” logic. When we had a security incident across three of our business units, our traditional SIEM didn't alert and contextualize the event. Hunters, on the other hand, actually reached out directly and said: “You have a problem. This is what is going on in your environment. Here is a report detailing what took place and all the adversarial actions.” It was impressive, and it was humbling: we had just started, my team wasn't even fully acclimated to the environment yet, and it was already showing more value than a tool we had had for years.

With our traditional SIEM, we would have canned searches that we would have to run to manually contextualize IP addresses, machines, and events. We would have to put all this manual effort into actually telling the narrative of what took place. Contrast this to Hunters, where it was laid out in a chronological time frame that was human readable. It wasn't simply epoch timestamps going from earliest to latest, it was designed for a human to consume that report, which was incredibly helpful, because I could take it and give it to my leadership team. And they now had something they could immediately understand and make informed decisions with.

YAEL: All things considered, would you recommend Hunters to other peers?

JOHN: I would 100%. If you don't have an extremely large organization, with unlimited human resources to throw at your SIEM, then Hunters is easily the best solution for you. And the reason I say that is not simply because we found success with it, but because it enables our team to do more with less. And now we're no longer managing our SIEM in the way that we had to. We're no longer babysitting alerts, babysitting logic. We're now allowed to be security practitioners, look at events, and make meaningful strides to improve maturity, efficiency, and cost optimization.