Virtualization Technology News and Information
Defining Left of Boom and Right of Boom

AlertLogic VMblog 

By Bharath Vasudevan, Vice President of Product and Technical Marketing, Alert Logic

There are two realities that all security practitioners deal with on a daily basis: You can't secure what you can't see and no amount of prevention will make you 100% secure. The defining characteristic of managed detection and response (MDR) is its focus on delivering a meaningful security outcome meant to ease both of these concerns - through maximum visibility and the capability to detect and respond to threats, minimizing the impact of vulnerabilities, configuration issues, and attacks.

The term "boom" is used to describe the moment of breach, the moment when an attack succeeds. Solutions that only detect and respond to threats and vulnerabilities are considered "left of boom" or LoB.  Solutions that only detect and respond to attacks after they succeed are called "right of boom" or RoB.  Currently, most vendors focus on only one: "left of boom" or "right of boom." Experience shows that a lack of attention and effort on both fails to provide the kind of protection that organizations need. In order to achieve that desired security outcome, effective MDR must first detect and respond to the gaps, vulnerabilities, and threats that can appear before attacks, but also detect and respond to attacks as they happen.

Defining Left and Right of Boom


In the sequence of events that compose a data breach, left of boom refers to everything that happens prior to the moment of breach or compromise. Sophisticated attacks require the perpetrators to spend more time researching their target before launching an attack to maximize the likelihood of a successful result. During this reconnaissance stage, the attacker may be collecting information, stealing credentials, studying network topology, and plotting when to strike. Sometimes these are as simple as phishing schemes, which may offer a lower probability of success, but don't require all the up-front investment by the bad actors. Left of boom activities can be coordinated and orchestrated over many months or they opportunistically exploit a vulnerability that has recently been made public.

Right of boom implies a successful entry into the company's environment and includes everything that happens after the attack. This can include lateral movement through the compromised environment, identifying privileged accounts, and locating and stealing sensitive information. Right of boom is where the real damage is done, both in terms of the material cost of the attack's destruction and the potential damage to the company's reputation.

Addressing Both "Left of Boom" and "Right of boom" with MDR

When MDR providers offer only right-of-boom capabilities they are behaving like fire departments or ambulances. They aren't actively looking to minimize the likelihood of a disaster, but they are investing to make the damage less severe. These services start at the moment of identified entry, focusing on root causes that led to the attacker's penetration of the network and the damage that was done once the attacker was inside. A right-of-boom focus is critical to managing a breach and executing an effective response, but the job is harder or even impossible because the attacker is already in the environment and it may be too late to find their tracks or reverse the damage.

On the other side of the fence, when vendors focus on left-of-boom detection and response, they are working to decrease the likelihood that the attacker will get through in the first place. These providers help organizations get ahead of threats by identifying and addressing the vulnerabilities and configuration issues that are commonly exploited. Left-of-boom services have the obvious advantage of eliminating these threats, but they ignore the obvious reality that even the best defenses get breached. When they do, purely preventative measures can't help organizations respond to attacks that manage to succeed.

This is why MDR requires protection both left and right of boom. This is the only way to minimize both the likelihood AND the impact of a successful attack. It pairs 24/7 visibility with continuous threat intelligence to identify the vulnerabilities most likely to be exploited and to cause the most damage, advising organizations on the prioritization for their orchestrated threat response. By also providing attack and breach detection, MDR delivers the ability to accurately identify and respond quickly to attacks in progress, minimizing the impact when one succeeds.

Happily, left-of-boom and right-of-boom also support each other to effectively respond to today's aggressive threat landscape. Effective left of boom management reduces the number of attacks that are ultimately successful, decreasing the work required right of boom when responding to successful attacks.  It also informs detection capabilities and threat intelligence, enabling faster detection of the latest threats. Similarly, effective RoB capabilities can leverage machine learning and behavioral detection to improve LoB vulnerability detection by identifying new exploits first seen in the wild (0 days). Having that knowledge enables proactive threat hunts that can find similar situations within a large managed customer base, informing them before they are compromised.

The combination of LoB and RoB provides enough context to ensure precision response when required. This is why we firmly believe that when LoB is managed properly, RoB is far more effective and vice-versa. Given the scenario described above, when LoB prevention is provided by the same vendor delivering RoB, it provides optimal protection for the client.

MDR and Comprehensive Protection

Only with both LoB and RoB capabilities can MDR providers offer comprehensive threat management. An effective MDR provider must offer both left-of-boom and right-of-boom outcomes in order to deliver peace of mind when it comes combatting advanced threats, and to ensure that successful breaches do not become critical problems.


Next Up: Defining Visibility and Threat Management


About the Author

Bharath Vasudevan 

Bharath Vasudevan is the Vice President of Product and Technical Marketing at Alert Logic.  His team is aligned with R&D and develops positioning, messaging, and competitive differentiation, which ultimately drive pipeline and helps close sales opportunities. Additionally, the team owns field enablement and strategic marketing at the product level, including product launches and supporting campaigns.

Prior to joining Alert Logic, Bharath held several leadership roles Forcepoint, Hewlett Packard Enterprise and Dell Technologies across engineering, product management, business development and technology partnerships. In his 20 years in the IT industry, Bharath has been very active in intellectual property programs and has received 13 patents from the USPTO covering both hardware and software designs. He holds a bachelor's degree and a masters of science in electrical and computer engineering from Carnegie Mellon University.

Published Monday, July 06, 2020 7:35 AM by David Marshall
@VMblog - (Author's Link) - July 6, 2020 8:05 AM

Companies are increasingly turning to a new kind of managed security service - managed detection and response (MDR). As with any new approach, there is confusion about the benefits and definition of MDR, from the security outcomes that should be expected

Defining Active Threat Hunting and Threat Intelligence : @VMblog - (Author's Link) - August 31, 2020 9:58 AM
Defining Daily Tasks and Skills of a SOC Analyst : @VMblog - (Author's Link) - September 10, 2020 8:34 AM
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<July 2020>