By Jack Danahy, SVP and Chief Evangelist, Alert Logic
Complexity has become the defining characteristic of cybersecurity today. Cyber threats have become more sophisticated and automated while security teams are being asked to protect a rapidly expanding attack surface. As the challenge of meeting these threats has grown more complicated, so too have the tools designed to address them. Few businesses have the resources or security expertise to untangle these knotty issues, which makes protecting their assets an uphill battle.
In this environment, no
level of investment can provide complete immunity from attacks, and new
attention and urgency have been given to rapid detection and efficient
response. Companies are increasingly turning to a new kind of managed security
service - managed detection and response (MDR). As with any new approach, there
is confusion about the benefits and definition of MDR, from the security outcomes
that should be expected to how it differs from traditional managed security services
(MSS). By resolving these questions, businesses will be able to recognize and
extract maximum value from MDR.
The role of traditional MSS
Organizations of all
sizes use MSS as an extension of their in-house security operations. The
company is able to partially or fully outsource a range of common but critical
tasks like firewall management, anti-virus, intrusion prevention and detection,
and compliance reporting. Organizations tap into external security expertise
and resources at manageable cost, and the MSS provides a basic level of
security.
Potential security
incidents are identified by matching monitoring data against rules and signatures,
and MSS providers decide which alerts to send. The company is then left to
investigate these alerts and determine their relevance and the appropriate
response. While these services have helped resource-constrained security teams
extend their capabilities, they are not designed to help organizations respond
to the active, sophisticated threats seen in today's more aggressive threat
landscape. The result is a high noise level, alert fatigue, and an inability to
identify and respond quickly to attacks in progress.
Traditional MSS are also limited in threat detection. The data produced by a combination of multiple disjointed tools and services isn't easily normalized for analysis, making it difficult to detect more complex threats. Proactive threat identification, such as threat hunting and user behavior analytics, is usually absent from these services.
So, while traditional MSS delivers security management capabilities, it isn't designed or equipped to respond to today's barrage of security incidents, threats, and vulnerabilities. The MSSP's expertise is in configuring and monitoring security technology: managing the systems, maintaining their health, and passing their output back to the organizations they serve. It is typically not staffed to investigate or contextualize alerts, or to respond to a fast-spreading attack. This is where MDR comes in.
What is MDR?
MDR sits under the umbrella of MSS, but it isn't focused on device management. MDR services reduce the likelihood or impact of successful attacks by proactively monitoring for, detecting, and responding to new vulnerabilities and threats across an organization.
MDR services collect and analyze data from across the organization's network, endpoints, servers, and cloud to detect advanced threats. Analysis of this data starts with continuous threat intelligence, which maintains visibility into current threats and vulnerabilities across all of these platforms. The high volume of monitoring and threat data is then processed and distilled through machine learning and behavioral analytics to identify security events. Together, these methods enable MDR analysts to identify new threats, prioritize alerts based on the business's unique environment, and respond quickly to vulnerabilities and attacks.
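As an added illustration of the two stages described above (the rule-and-signature matching attributed to traditional MSS, and the context-enriched prioritization attributed to MDR), here is a small Python example. It is not code from Alert Logic or from the original article. Everything in it is constructed: the "historical" activity used to build per-user baselines, the events in the monitoring window, the regex rules, the asset-criticality map, the single threat-intel IP (a TEST-NET-3 address) and the additive scoring scheme, which stands in for the machine learning and behavioral analytics the paragraph mentions. The point it makes is that the signature stage alone turns every rule hit into an alert for the customer, while the enrichment stage lets the same rule hits be ranked so that only the domain-controller activity by an out-of-baseline user reaches an analyst.

```python
import re
from collections import defaultdict

# --- Constructed sample data (no real telemetry, hosts, users or intel) ---------
# Historical "known good" activity, used only to build per-user baselines.
HISTORY = [
    {"user": "svc_ci",  "host": "build-01", "hour": 3},
    {"user": "svc_ci",  "host": "build-01", "hour": 4},
    {"user": "svc_ci",  "host": "build-02", "hour": 2},
    {"user": "alice",   "host": "ws-42",    "hour": 10},
    {"user": "alice",   "host": "ws-42",    "hour": 14},
    {"user": "dbadmin", "host": "db-01",    "hour": 11},
]

# Events observed in the monitoring window being triaged. "dst" is an outbound peer, if any.
EVENTS = [
    {"id": 1, "user": "svc_ci",  "host": "build-01", "hour": 3,  "cmd": "powershell.exe -enc SQBFAFgA", "dst": ""},
    {"id": 2, "user": "svc_ci",  "host": "build-02", "hour": 2,  "cmd": "powershell.exe -enc SQBFAFgA", "dst": ""},
    {"id": 3, "user": "alice",   "host": "ws-42",    "hour": 11, "cmd": "nmap -sV 10.0.0.0/24",        "dst": ""},
    {"id": 4, "user": "alice",   "host": "dc-01",    "hour": 2,  "cmd": "powershell.exe -enc SQBFAFgA", "dst": "203.0.113.7"},
    {"id": 5, "user": "alice",   "host": "dc-01",    "hour": 2,  "cmd": "mimikatz.exe",                  "dst": ""},
    {"id": 6, "user": "dbadmin", "host": "db-01",    "hour": 11, "cmd": "mysqldump --all-databases",     "dst": ""},
]

# Signature rules of the kind an MSS matches monitoring data against (constructed).
RULES = {
    "encoded_powershell":   re.compile(r"powershell(\.exe)?\s.*-enc", re.I),
    "network_scan":         re.compile(r"\bnmap\b", re.I),
    "credential_dump_tool": re.compile(r"mimikatz", re.I),
    "bulk_db_export":       re.compile(r"mysqldump\s.*--all-databases", re.I),
}

# Context an MDR provider layers on top: asset value, threat intel, escalation threshold (constructed).
ASSET_CRITICALITY = {"dc-01": 3, "db-01": 3, "build-01": 1, "build-02": 1, "ws-42": 1}
KNOWN_BAD_IPS = {"203.0.113.7"}   # hypothetical threat-intel entry, TEST-NET-3 address
ESCALATE_AT = 5                   # hypothetical score at which an analyst is paged


def signature_alerts(events, rules):
    """MSS-style stage: every event matching any rule becomes an alert, with no context applied."""
    alerts = []
    for ev in events:
        for name, pattern in rules.items():
            if pattern.search(ev["cmd"]):
                alerts.append({"rule": name, "event": ev})
    return alerts


def build_baseline(history):
    """Per-user 'normal': the hosts each user is seen on and the hours they are active."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for rec in history:
        baseline[rec["user"]]["hosts"].add(rec["host"])
        baseline[rec["user"]]["hours"].add(rec["hour"])
    return baseline


def prioritize(alerts, baseline, criticality, bad_ips):
    """MDR-style stage: enrich each alert with asset, behavioural and intel context and score it."""
    rules_per_host = defaultdict(set)             # simple correlation: distinct rules fired per host
    for a in alerts:
        rules_per_host[a["event"]["host"]].add(a["rule"])
    scored = []
    for a in alerts:
        ev = a["event"]
        score, reasons = 1, [a["rule"]]
        crit = criticality.get(ev["host"], 1)     # unknown assets are treated as low value
        score += crit
        if crit >= 3:
            reasons.append("critical_asset")
        user = baseline.get(ev["user"], {"hosts": set(), "hours": set()})
        if ev["host"] not in user["hosts"]:
            score += 2
            reasons.append("unusual_host_for_user")
        # Off-hours if no baseline hour is within one hour; a user with no baseline is always off-hours.
        if all(abs(ev["hour"] - h) > 1 for h in user["hours"]):
            score += 1
            reasons.append("off_hours_for_user")
        if ev["dst"] in bad_ips:
            score += 3
            reasons.append("known_bad_destination")
        if len(rules_per_host[ev["host"]]) >= 2:
            score += 2
            reasons.append("multiple_rules_same_host")
        scored.append({"score": score, "reasons": reasons, "event": ev})
    return sorted(scored, key=lambda s: -s["score"])


def triage(events, history, rules=RULES, criticality=ASSET_CRITICALITY,
           bad_ips=KNOWN_BAD_IPS, threshold=ESCALATE_AT):
    """Run both stages and return the raw alert count alongside the context-ranked escalations."""
    alerts = signature_alerts(events, rules)
    scored = prioritize(alerts, build_baseline(history), criticality, bad_ips)
    escalated = [s for s in scored if s["score"] >= threshold]
    return {"signature_alert_count": len(alerts), "scored": scored, "escalated": escalated}


if __name__ == "__main__":
    result = triage(EVENTS, HISTORY)
    print(f"signature stage: {result['signature_alert_count']} alerts, all forwarded as-is")
    for s in result["scored"]:
        flag = "ESCALATE" if s["score"] >= ESCALATE_AT else "info"
        ev = s["event"]
        print(f"{flag:8} score={s['score']:2} host={ev['host']:8} user={ev['user']:8} {', '.join(s['reasons'])}")
```

With the constructed data, the signature stage emits six alerts, one per event, including the CI service account's routine encoded PowerShell and the DBA's scheduled dump. After enrichment, only the two domain-controller events score above the threshold, because they combine a critical asset, a user who has never been seen on that host, off-hours activity, a known-bad outbound peer and two different rules firing on the same host. The scoring weights are illustrative; what matters is that the ranking comes from context the signature stage never sees.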
MDR delivers a much higher level of guided expertise and human contact around alert data than traditional MSS does. MSSPs emphasize automation with little human security support; MDR, by contrast, always integrates the expertise of a range of dedicated security professionals in validating and communicating alerts. These analysts, incident responders, and threat hunters deliver hands-on services tailored to the organization's unique needs.
As a result, MDR
providers detect verifiable threats and help the organization determine and
execute the most effective response. Organizations are given the option to
respond on their own, to act in conjunction with the MDR provider, or to fully
rely on the MDR provider's response capabilities. Depending on the nature of
the security event, the response actions will include some or all elements of
investigation, notification, containment, elimination, and remediation.
What to look for in an MDR solution
In response to growing
market demand, some traditional MSSPs are renaming their existing solutions as
MDR. Others are adding new services in an effort to deliver MDR. With no
universally accepted definition, offerings have to be evaluated based on the outcomes
that MDR should provide.
The purpose of MDR is
to reduce the likelihood or impact of a successful attack. To do that, MDR must
be continuously refreshed with research on new and evolving threats. It has to
maintain a high level of visibility across all of an organization's assets. And
it must accurately identify attacks in progress to mitigate the damage that can
be caused. These principles and others are outlined in the MDR Manifesto,
a document created with input from analysts, experts, partners, and
practitioners in the security space. Together these tenets provide the
groundwork for defining the capabilities and value organizations should expect
to get from an MDR provider.
MDR in demand
MDR isn't just a new
acronym for MSS, and it requires investment in a different type of data
gathering infrastructure, analytics, response capabilities and analysts. While
it can be part of a larger MSS solution, it provides a different and specific
outcome: minimizing the impact of threats on an organization. Addressing the
constant change and advanced actors in today's sophisticated threat landscape
requires tools and skills most businesses don't have. MDR fills this gap,
providing an effective and affordable way to strengthen an organization's
security posture.
--
Next Up: Defining
Detection Left of Boom and Right of Boom
About the Author
Jack Danahy is SVP and Chief Evangelist at Alert Logic, where he applies nearly 30 years
of security experience to the challenge of managed detection and response
(MDR). He is an innovative security leader with proven success creating,
delivering, and evangelizing new security approaches. He has founded
three successful security companies, most recently the endpoint and behavioral
analytics firm Barkly, acquired by Alert Logic in 2019. In 1999, Jack founded
Qiave Technologies (acquired by WatchGuard Technologies in 2000) and in 2003,
he started application security pioneer Ounce Labs (acquired by IBM in 2009).
At IBM, Danahy was Director for Advanced Security, and also led the delivery of
security services for IBM across North America. Jack holds a dozen security
patents and is a frequent writer and speaker on a wide range of security topics.