By Bharath Vasudevan, Vice President of Product and Technical
Marketing, Alert Logic
There are two realities that all security practitioners deal with on a daily
basis: you can't secure what you can't see, and no amount of prevention will
make you 100% secure. The defining characteristic of managed detection and
response (MDR) is its focus on delivering a meaningful security outcome that
eases both of these concerns, through maximum visibility and the capability
to detect and respond to threats, minimizing the impact of vulnerabilities,
configuration issues, and attacks.
The term "boom" is used to describe the moment of breach, the moment when an
attack succeeds. Solutions that only detect and respond to threats and
vulnerabilities before that moment are considered "left of boom" or LoB.
Solutions that only detect and respond to attacks after they succeed are
called "right of boom" or RoB. Currently, most vendors focus on only one of
the two. Experience shows that a lack of attention and effort on both sides
fails to provide the kind of protection that organizations need. In order to
achieve the desired security outcome, effective MDR must first detect and
respond to the gaps, vulnerabilities, and threats that appear before attacks,
and also detect and respond to attacks as they happen.
Defining Left and Right of Boom
In the sequence of events that compose a data breach, left of boom refers to
everything that happens prior to the moment of breach or compromise.
Sophisticated attacks require the perpetrators to spend more time researching
their target before launching an attack, to maximize the likelihood of a
successful result. During this reconnaissance stage, the attacker may be
collecting information, stealing credentials, studying network topology, and
plotting when to strike. Sometimes the attack is as simple as a phishing
scheme, which may offer a lower probability of success but doesn't require
the same up-front investment by the bad actors. Left-of-boom activities can be
coordinated and orchestrated over many months, or they can opportunistically
exploit a vulnerability that has recently been made public.
Right of boom implies a successful entry into the company's
environment and includes everything that happens after the attack. This can
include lateral movement through the compromised environment, identifying
privileged accounts, and locating and stealing sensitive information. Right of
boom is where the real damage is done, both in terms of the material cost of
the attack's destruction and the potential damage to the company's reputation.
Addressing Both "Left of Boom" and "Right of Boom" with MDR
When MDR providers offer only right-of-boom capabilities, they are behaving
like fire departments or ambulances. They aren't actively looking to minimize
the likelihood of a disaster, but they are investing to make the damage less
severe. These services start at the moment of identified entry, focusing on
the root causes that led to the attacker's penetration of the network and the
damage that was done once the attacker was inside. A right-of-boom focus is
critical to managing a breach and executing an effective response, but the job
is harder, or even impossible, because the attacker is already in the
environment and it may be too late to find their tracks or reverse the damage.
On the other side of the fence, when vendors focus on left-of-boom detection
and response, they are working to decrease the likelihood that the attacker
will get through in the first place. These providers help organizations get
ahead of threats by identifying and addressing the vulnerabilities and
configuration issues that are commonly exploited. Left-of-boom services have
the obvious advantage of eliminating these threats, but they ignore the
equally obvious reality that even the best defenses get breached. When they
do, purely preventative measures can't help organizations respond to attacks
that manage to succeed.
This is why MDR requires protection both left and right of boom. This is the
only way to minimize both the likelihood AND the impact of a successful
attack. It pairs 24/7 visibility with continuous threat intelligence to
identify the vulnerabilities most likely to be exploited and to cause the most
damage, advising organizations on the prioritization for their orchestrated
threat response. By also providing attack and breach detection, MDR delivers
the ability to accurately identify and respond quickly to attacks in progress,
minimizing the impact when one succeeds.
Happily, left-of-boom and right-of-boom capabilities also support each other
in responding to today's aggressive threat landscape. Effective left-of-boom
management reduces the number of attacks that are ultimately successful,
decreasing the work required right of boom when responding to successful
attacks. It also informs detection capabilities and threat intelligence,
enabling faster detection of the latest threats. Similarly, effective RoB
capabilities can leverage machine learning and behavioral detection to improve
LoB vulnerability detection by identifying new exploits first seen in the wild
(zero-days). Having that knowledge enables proactive threat hunts that can
find similar situations within a large managed customer base, informing those
customers before they are compromised.
The combination of LoB and RoB provides enough context to ensure a precise
response when one is required. This is why we firmly believe that when LoB is
managed properly, RoB is far more effective, and vice versa. Given the
scenario described above, when LoB prevention is provided by the same vendor
delivering RoB, the client receives optimal protection.
MDR and Comprehensive Protection
Only with both LoB and RoB capabilities can MDR providers offer comprehensive
threat management. An effective MDR provider must offer both left-of-boom and
right-of-boom outcomes in order to deliver peace of mind when it comes to
combating advanced threats, and to ensure that successful breaches do not
become critical problems.
About the Author
Bharath Vasudevan is the Vice President of Product and Technical Marketing at Alert Logic. His
team is aligned with R&D and develops positioning, messaging, and
competitive differentiation, which ultimately drive pipeline and helps
close sales opportunities. Additionally, the team owns field enablement
and strategic marketing at the product level, including product launches
and supporting campaigns.
Prior to joining Alert Logic, Bharath held several leadership roles at
Forcepoint, Hewlett Packard Enterprise and Dell Technologies across
engineering, product management, business development and technology
partnerships. In his 20 years in the IT industry, Bharath has been very
active in intellectual property programs and has received 13 patents
from the USPTO covering both hardware and software designs. He holds a
bachelor's degree and a master of science in electrical and computer
engineering from Carnegie Mellon University.