Virtualization Technology News and Information
Defining Visibility and Threat Management

By Rohit Dhamankar, Vice President of Threat Intelligence at Alert Logic

Threat management in today's dynamic environment requires a deeper level of visibility than ever before. Malicious actors are more sophisticated and increasingly likely to launch multi-stage attacks. These attacks are perpetrated in incremental steps and target multiple threat vectors. Because these can appear to be distinct events, it's a challenge to identify them as components of a single coordinated security incident.

Understanding your organization's assets and the exploitable vulnerabilities they contain is critical for defending against these advanced attack techniques. But many companies lack the internal control and capabilities to maintain comprehensive visibility on their own, which inevitably results in security gaps. Managed detection and response (MDR) promotes a deep familiarity with an organization's environment, which helps it implement proactive, comprehensive defensive measures that enable more effective threat responses.

You can only secure what you can see

Comprehensive visibility is required to defend increasingly dynamic business environments. Multi-stage attacks can come from any and all directions. This makes it essential for organizations to understand all their assets and potential vulnerabilities. Undiscovered assets can't be protected, and if an organization is not aware of how an asset works normally, it won't be able to recognize the abnormal activity that often signals the early stages of an attack.

But even the best security tools leave blind spots that can be exploited. Vulnerability scans, for example, are great for detecting system weaknesses in a network, but they won't recognize atypical user behavior. Typically, organizations scan their networks once per week or month to find and patch or remediate vulnerabilities. That's not adequate for today's complex systems, particularly in autoscaling cloud environments where servers are being spun up and shut down constantly. Visibility is needed on a daily or even hourly basis to ensure threats aren't missed.

Lack of visibility can have dire consequences for a business' threat detection. The average time for an organization to identify a data breach is nearly 200 days. And the longer a threat hides in your network, the more damage it can inflict and the costlier it is to resolve.

MDR emphasizes the full visibility that enables organizations to recognize when an unauthorized event is taking place anywhere in their environment. MDR services collect and analyze data from across the organization's network, endpoints, servers, and cloud. That data is processed and contextualized using machine learning and behavioral analytics and integrated with the expertise of a range of dedicated security professionals to identify and validate security events. This allows the MDR provider to correlate and condense data in multiple ways to create a comprehensive picture.

The four pillars of visibility

MDR provides multiple levels of visibility to identify potential vulnerabilities and threats and unify detection across the technology stack. These can be grouped into four pillars:

  • Endpoints: MDR looks at what is on the organization's network (desktop machines, workstations, printers, containers, mobile devices), evaluates health status, and identifies potential hazards.
  • Cloud environment: MDR examines the organization's cloud assets, policies and configurations.
  • SaaS environment: MDR identifies who the organization's users are, what resources they're accessing, and what data they are sharing.
  • Custom web apps: MDR strongly focuses on the organization's custom apps because these often contain unique vulnerabilities that companies frequently don't test for.

This level of visibility also allows an MDR provider to monitor and respond to changes in the organization's environment over time. Informed by continuous threat intelligence, it is able to maintain visibility into current threats and vulnerabilities across all of these platforms. MDR analysts are able to identify new threats, prioritize alerts based on the customer's unique environment, and respond quickly to vulnerabilities and attacks.

How visibility empowers threat detection

Deep visibility is a catalyst for more effective threat detection. It reduces the noise of certain detections by checking asset types: for example, a network detection of an Apache attack attempted against an IIS server. It enhances the risk algorithms based on asset criticality. And it provides richer context for the SOC and automated response.
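The asset-type check and criticality weighting described above can be sketched as follows. This is an added example, not code from Alert Logic or the original article; the inventory, alert fields, disposition names and the scoring rule (severity multiplied by criticality, unknown assets treated as maximum criticality) are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed asset inventory: IP -> (web server platform, criticality 1-5).
INVENTORY = {
    "10.0.1.10": ("iis", 5),
    "10.0.1.20": ("apache", 2),
    "10.0.1.30": ("apache", 5),
}
MAX_CRITICALITY = 5  # assumed scale for this example

@dataclass
class Alert:
    alert_id: str
    target_ip: str
    affected_platform: str  # platform the detection signature applies to
    severity: int           # sensor-assigned base severity, 1-10

def triage(alert, inventory):
    """Return (disposition, risk_score) for one alert using asset context."""
    asset = inventory.get(alert.target_ip)
    if asset is None:
        # Undiscovered asset: the attack cannot be ruled out, so score it
        # as if the target were maximally critical and flag the gap.
        return ("investigate-unknown-asset", alert.severity * MAX_CRITICALITY)
    platform, criticality = asset
    if platform != alert.affected_platform:
        # e.g. an Apache attack against an IIS server: noise for this asset.
        return ("suppress-platform-mismatch", 0)
    return ("escalate", alert.severity * criticality)

def prioritize(alerts, inventory):
    """Score every alert and return (id, disposition, score), highest first.
    Suppressed alerts stay in the result at score 0 so the attempt is kept."""
    scored = [(a.alert_id, *triage(a, inventory)) for a in alerts]
    return sorted(scored, key=lambda row: row[2], reverse=True)

# Constructed sample alerts.
ALERTS = [
    Alert("A1", "10.0.1.10", "apache", 8),  # Apache attack vs IIS host
    Alert("A2", "10.0.1.20", "apache", 8),  # applicable, low-criticality host
    Alert("A3", "10.0.1.30", "apache", 6),  # applicable, high-criticality host
    Alert("A4", "10.0.9.99", "iis", 4),     # target missing from inventory
]

if __name__ == "__main__":
    for row in prioritize(ALERTS, INVENTORY):
        print(row)
```

Note that the lower-severity alert A3 outranks A2 because of asset criticality, and the alert against the uninventoried host is surfaced rather than dropped.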

Complete and accurate visibility is the foundation for detecting modern cyberattacks and mitigating their damage. Addressing this challenge requires tools and expertise most organizations don't have. MDR can provide the clarity and 24/7 monitoring along with the response capabilities to enable a more proactive security posture.


Next Up: Defining Active Threat Hunting and Threat Intelligence


About the Author

Rohit Dhamankar is vice president of threat intelligence at Alert Logic. Dhamankar has over 15 years of security industry experience across product strategy, threat research, product management and development, technical sales and customer solutions. Prior to Alert Logic, Dhamankar served as vice president of product at Infocyte and founded consulting firm Durvaankur Security Consulting. He holds two Master of Science degrees, one in physics from the Indian Institute of Technology in Kanpur, India, and one in electrical and computer engineering from the University of Texas.

Published Thursday, July 23, 2020 7:33 AM by David Marshall