By Rohit Dhamankar, Vice President of Threat Intelligence at Alert Logic
Threat management in today's dynamic environment requires a deeper level of visibility than ever before. Malicious actors are more sophisticated and increasingly likely to launch multi-stage attacks. These attacks are perpetrated in incremental steps and target multiple threat vectors. Because these can appear to be distinct events, it's a challenge to identify them as components of a single coordinated security incident.
Understanding your organization's assets and the exploitable vulnerabilities they contain is critical for defending against these advanced attack techniques. But many companies lack the internal controls and capabilities to maintain comprehensive visibility on their own, which inevitably results in security gaps. MDR promotes a deep familiarity with an organization's environment that helps it implement proactive, comprehensive defensive measures and respond to threats more effectively.
## You can only secure what you can see
Comprehensive visibility is required to defend increasingly dynamic business environments. Multi-stage attacks can come from any and all directions. This makes it essential for organizations to understand all their assets and potential vulnerabilities. Undiscovered assets can't be protected, and if an organization is not aware of how an asset behaves normally, it won't be able to recognize the abnormal activity that often signals the early stages of an attack.
But even the best security tools leave blind spots that can be exploited. Vulnerability scans, for example, are great for detecting system weaknesses in a network, but they won't recognize atypical user behavior. Typically, organizations scan their networks to find and patch or remediate vulnerabilities once per week or once per month. That's not adequate for today's complex systems, particularly in autoscaling cloud environments where servers are being spun up and shut down constantly. Visibility is needed on a daily or even hourly basis to ensure threats aren't missed.
Lack of visibility can have dire consequences for a business's threat detection. The average time for an organization to identify a data breach is nearly 200 days. And the longer a threat hides in your network, the more damage it can inflict and the costlier it is to resolve.
MDR emphasizes the full visibility that enables organizations to recognize when an unauthorized event is taking place anywhere in their environment. MDR services collect and analyze data from across the organization's network, endpoints, servers, and cloud. That data is processed and contextualized using machine learning and behavioral analytics and integrated with the expertise of a range of dedicated security professionals to identify and validate security events. This allows the MDR provider to correlate and condense data in multiple ways to create a comprehensive picture.
## The four pillars of visibility
MDR provides multiple levels of visibility to identify potential vulnerabilities and threats and to unify detection across the technology stack. These can be grouped into four pillars:
- Endpoints: MDR looks at what is on the organization's network (desktop machines, workstations, printers, containers, mobile devices), evaluates their health status, and identifies potential hazards.
- Cloud environment: MDR examines the organization's cloud assets, policies, and configurations.
- SaaS environment: MDR identifies who the organization's users are, what resources they're accessing, and what data they are sharing.
- Custom web apps: MDR focuses strongly on the organization's custom apps, as these often contain unique vulnerabilities that companies frequently don't test for.
This level of visibility also allows an MDR provider to monitor and respond to changes in the organization's environment over time. Informed by continuous threat intelligence, the provider is able to maintain visibility into current threats and vulnerabilities across all of these platforms. MDR analysts are able to identify new threats, prioritize alerts based on the customer's unique environment, and respond quickly to vulnerabilities and attacks.
## How visibility empowers threat detection
Deep visibility is a catalyst for more effective threat detection. It reduces the noise of certain detections by checking the asset type: for example, a network sensor flagging an Apache exploit attempt against a server that actually runs IIS. It enhances the risk algorithms based on asset criticality. And it provides richer context for the SOC and for automated response.
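The two triage rules just described, asset-type mismatch suppression and criticality-weighted risk scoring, are easy to see in code. The block below is an added illustration written for this page, not Alert Logic's implementation: the asset inventory, the alert fields, the 1..5 criticality scale, and the choice to keep alerts against un-inventoried hosts at a mid-scale weight are all constructed assumptions. Hosts that are not in the inventory are escalated rather than suppressed, since an unknown asset is itself the visibility gap the article warns about.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Criticality assumed when the destination host is not in the inventory
# (assumption: mid-scale, so the alert is neither buried nor automatically top-ranked).
UNKNOWN_ASSET_CRITICALITY = 3


@dataclass
class Asset:
    host: str
    services: Dict[int, str]   # listening port -> product running there, e.g. {80: "iis"}
    criticality: int           # 1 (low) .. 5 (business-critical); scale is an assumption


@dataclass
class Alert:
    alert_id: str
    dest_host: str
    dest_port: int
    target_product: Optional[str]   # product the signature exploits; None for generic detections
    base_severity: int              # 1..10 as emitted by the detection engine


@dataclass
class Triage:
    alert_id: str
    disposition: str   # "suppressed" or "escalated"
    reason: str
    risk_score: int    # 0 when suppressed


def triage(alerts: List[Alert], inventory: Dict[str, Asset]) -> List[Triage]:
    """Contextualise alerts with the asset inventory; return them highest risk first."""
    results: List[Triage] = []
    for a in alerts:
        asset = inventory.get(a.dest_host)
        if asset is None:
            # Never suppress what we cannot see: an unknown host is itself a visibility gap.
            results.append(Triage(a.alert_id, "escalated",
                                  "destination not in asset inventory (visibility gap)",
                                  a.base_severity * UNKNOWN_ASSET_CRITICALITY))
            continue
        actual = asset.services.get(a.dest_port)
        if a.target_product and actual and actual != a.target_product:
            # The product the signature exploits is not what listens on that port: noise, not risk.
            results.append(Triage(a.alert_id, "suppressed",
                                  f"signature targets {a.target_product} but "
                                  f"{a.dest_host}:{a.dest_port} runs {actual}", 0))
            continue
        # Product matches (or the detection is generic): weight severity by how much the asset matters.
        results.append(Triage(a.alert_id, "escalated",
                              f"product matches or generic; asset criticality {asset.criticality}",
                              a.base_severity * asset.criticality))
    return sorted(results, key=lambda t: t.risk_score, reverse=True)


# Constructed sample inventory and alerts (illustrative, not real data).
INVENTORY = {
    "web-01": Asset("web-01", {80: "iis", 443: "iis"}, criticality=2),
    "db-01": Asset("db-01", {3306: "mysql"}, criticality=5),
}
ALERTS = [
    Alert("A-1", "web-01", 80, "apache", 8),     # Apache exploit attempt against an IIS host
    Alert("A-2", "db-01", 3306, "mysql", 6),     # exploit matching the product actually present
    Alert("A-3", "db-01", 3306, None, 4),        # generic brute-force detection, no product
    Alert("A-4", "shadow-07", 22, None, 3),      # host nobody inventoried
]


def run_sample() -> List[Triage]:
    return triage(ALERTS, INVENTORY)


if __name__ == "__main__":
    for t in run_sample():
        print(f"{t.alert_id} {t.disposition:10} score={t.risk_score:2} {t.reason}")
```

Run as-is, the Apache-versus-IIS alert is suppressed with the mismatch recorded as its reason, the two database alerts rise to the top because the database host carries the highest criticality, and the alert against the un-inventoried host stays in the queue as a prompt to discover that asset. In a real SOC the inventory would be refreshed continuously from the same sources the article lists (endpoints, cloud configuration, SaaS identity), since the mismatch rule is only as safe as the inventory is current.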
Complete and accurate visibility is the foundation for detecting modern cyberattacks and mitigating their damage. Addressing this challenge requires tools and expertise most organizations don't have. MDR can provide the clarity and 24/7 monitoring, along with the response capabilities, to enable a more proactive security posture.
## Next Up: Defining Active Threat Hunting and Threat Intelligence
## About the Author
Rohit Dhamankar is vice president of threat intelligence at Alert Logic. Dhamankar has over 15 years of security industry experience across product strategy, threat research, product management and development, technical sales, and customer solutions. Prior to Alert Logic, Dhamankar served as vice president of product at Infocyte and founded the consulting firm Durvaankur Security Consulting. He holds two Master of Science degrees, one in physics from the Indian Institute of Technology in Kanpur, India, and one in electrical and computer engineering from the University of Texas.