Cyber attacks are rising faster than ever, resulting in malicious threats infiltrating corporate networks and just about anything technology based. This reality has brought about a shift in the cybersecurity landscape and for good reason.
Traditional Managed Security Service Providers (MSSP) and Incident Response (IR) services are limited in how they can address the realities of today’s threats. Companies are realizing, albeit slowly, that traditional approaches are largely ineffective and proactive incident prevention is the next level of security maturity. This shift has led to the formal definition of Managed Detection and Response (MDR) services, and its growth has taken off.
Why Managed Detection and Response is Needed
Over the last few years, the cybersecurity industry has faced a number of challenges. However, four major challenges have been a driving force behind the creation of MDR.
- The Technical Challenge
The WannaCry ransomware attack, which quickly brought down computer systems from Russia to China to the UK and the US, highlighted the level of sophistication we continue to face. It was not the most advanced threat ever seen, but rather a visible reminder that threat actors continue to evolve, the landscape continues to change, and traditional methods don’t work. Combating these challenges requires a different approach.
- The Financial Challenge
Companies continue to invest in new technologies and products hoping they will fix their security problems. In fact, Kaspersky Labs found that nearly 80% of security spend goes toward traditional prevention technologies, while the remaining 20% are split across detection and response technologies. That approach, which put a lot of eggs in one basket, creates an issue that when the technology fails organizations don’t have the visibility and capability to detect and respond. The reality is no one product or technology is going to do it all—there is no “silver bullet” to cybersecurity. Ideally, organizations need to achieve a proper balance of prevention, detection, and response.
- The Talent Challenge
Tools and technology alone won’t keep a company safe. Talented, passionate people are needed to do the work. Unfortunately, finding qualified security professionals, developing them, and keeping them is a constant challenge for organizations. According to respondents to ISACA’s State of Cybersecurity 2017 survey, only 1 in 4 job candidates had the necessary skills, and 25% said it took 6 months or longer to fill a position.
- The Priority Challenge
Organizations are investing in a myriad of new technologies, but that approach tends to create more issues. Security Week found that on average, organizations deal with 16,937 cybersecurity alerts in a typical week. Of those alerts, only 19% are deemed reliable, and 4% are actually investigated. This statistic highlights that either an organization doesn’t have enough resources to properly investigate alerts or the amount of noise created by the various technologies is a challenge even for well-staffed organizations.
Why Traditional Services Fall Short
Traditional MSSP and IR providers offer some important services, but unfortunately, there are significant gaps between the two services. Traditional MSSPs largely focus on device management, alert management, and ticket management, while IR services provide incident forensics and remediation support once something “bad” has happened. Neither focus on addressing the threat or leveraging threat intelligence to address future prevention. This is where MDR was born.
MDR is not about waiting for an alert to respond to. Rather MDR provides a continuous end-to-end approach that detects malicious threats earlier, provides comprehensive analysis of the intrusion, and delivers actionable guidance for future prevention based on gained intelligence. The service gives client organizations access to experienced analysts, proven processes, and enabling technologies that detect and respond to both known and unknown threats. This type of “predictive prevention” is comprised of three elements.
- Visibility. Continuous end-to-end monitoring detects malicious threats earlier. Rather than look at a single activity, MDR looks at the full lifecycle of an intrusion. Doing this enables MDR to detect threats earlier in the lifecycle, prompting action to be taken sooner and intrusions to be stopped before something “bad” happens. This capability is aided by a robust technology stack that provides maximum visibility across network boundaries, as well as visibility into adversary actions.
- Human Analysis. While technology such as behavioral analysis and machining learning plays an important part in detection, experienced analysts are still needed to examine the big picture.
- Threat Intelligence. MDR improves an organization’s situational awareness and readiness to respond by gathering and analyzing threat intelligence. MDR reveals threat activity previously unknown and undetected by asking questions such as, “what have we seen this threat actor do in the past?” and “what other actors have used this approach?” These insights inform organizations of potential risks for future incidents. And finally, MDR seeks to identify and address gaps before cyber threat actors exploit them.
If you’re currently evaluating MDR providers, ask how their service is built and delivered and what makes it effective. Listen for how people, process, and technology fit into the response. Too often, we see providers missing one of the three key components. For example, they talk mostly about their technology and may have an established process, but they lack the analysts needed to execute and deliver an effective defensive service. Understand how MDR fits into the big picture of defending your enterprise and look for a partner that shares that vision.