# Here's Why - And Here's What You Can Do to Derive the Greatest Value from an MDR Provider

By Dave Martin
Gartner recently published the Market Guide for Managed Detection and Response Services. The research and advisory firm created this guide to help security and risk management leaders determine whether managed detection and response (MDR) is a fit for their requirements and, if it is, how these leaders can choose the MDR service that best meets their needs.

The firm says that MDR services enable these leaders' organizations to benefit from a modern, turnkey and 24/7 approach to cybersecurity. It suggests that organizations lacking internal 24/7 cybersecurity operations embrace an MDR service that employs containment for incident response. And it notes that by 2025, 50% of organizations will be using MDR services for threat monitoring, detection and response functions that offer threat containment capabilities.
## MDR Has Become a Cybersecurity Best Practice

Gartner's forecast that half of organizations will be using MDR services within five years validates our belief that combining your enterprise's existing preventive controls with continuous cybersecurity monitoring is a new best practice for minimizing organizational risk.

The importance of continually monitoring your potential attack surfaces may seem like a no-brainer. But, as you may know, that's not typically how enterprise cybersecurity has worked.
## Siloed, Set-It-And-Forget-It Approaches Alone Don't Cut It

Historically, enterprises and their suppliers followed a technology-driven security model. Under this model, enterprises would buy the latest, greatest security technology in an effort to be safe.

A typical evolution of the security stack would start with enterprise investments in firewalls. Then enterprises realized they also needed antivirus solutions for their endpoints. Antivirus wasn't enough, they soon learned, so endpoint detection and response (EDR) became the next big enterprise security investment for the endpoint. An organization wanting to minimize risk further might invest in email security, intrusion detection systems (IDS) or data loss prevention solutions. Every year someone in the enterprise would buy and deploy new cybersecurity technology. But these individuals have largely done so with a set-it-and-forget-it approach.

Relying on a wide array of disconnected point cybersecurity solutions clearly doesn't work: global spending on security solutions exceeds $100 billion annually, yet damaging breaches continue to occur. Threat actors are masterful at exploiting siloed security solutions.
## Cybersecurity Complexity Calls for a Continuous Feedback Loop

The reality is that the enterprise cybersecurity challenge is quite nuanced and needs more - and more consistent - attention. Any complex system needs a feedback loop to keep it operating correctly. Without MDR, your cybersecurity strategy will lack a feedback loop.

To truly minimize your risk, you need to assume that you are in a constant state of breach and continually monitor your potential attack surfaces.

MDR monitoring spots advanced threats that have bypassed your existing security controls.
## To Benefit from Monitoring You'll Need a SOC - or a Partner That Has One

To make MDR happen, you need a security operations center (SOC). You can build and try to staff your own SOC. But that's expensive, and it's hard to find and keep experts to staff a SOC.

The alternative is to use an MDR service provider. This provides you with a SOC and 24/7 monitoring for a fraction of the time, cost and effort it would take you to create and run a SOC.

MDR casts a big net, which catches a lot of commodity threats. Look for an MDR provider that focuses on the tactics used by threat actors. This is valuable because threat actors reuse tactics, and this type of detection is difficult to evade from a threat actor's perspective.
## This Modern Approach to Cybersecurity Is More Important Than Ever

Embracing MDR and taking a zero trust network access (ZTNA) approach is vital today.

The COVID-19 pandemic has led to an even more distributed workforce. More people are working in more places, greatly expanding the enterprise attack surface.

Also, organizations aren't necessarily using all the security controls and preventive measures they employ when workers are in the office. Plus, organizations are increasingly migrating services from on premises to the cloud, creating a whole new set of security challenges.

That makes it even more critical to have continual monitoring to find out what's going on.
## Awareness Is Key, But You Need to Act on That Intelligence

You only get value from threat intelligence if you act on it by containing the identified threats.

Most service providers approach containment based on what they can control. They may isolate a host because they have an agent on the host that has been compromised. If that service provider is in the network, it might do blocking on a firewall.

But for some threats, these methods don't work. Consider credential theft, in which a bad actor has stolen passwords, for example. This has nothing to do with isolating an endpoint or putting a filter into a firewall. Instead, you need to reset passwords on the impacted accounts.

When all you have is a hammer, everything looks like a nail. That's where the market is today. But that's not the best approach. Be sure to select an MDR provider that applies the right tool for the job, using the nature of the threat to define what the best containment action is.
## Automating Response Efforts Enables Faster Action and Decreases Damage

As Gartner's Market Guide notes: "Threats move too fast for most organizations these days." The firm goes on to say that some MDR providers are exposing security orchestration and automation to enable their customers to define response workflows and activities.

This approach is compelling for enterprises because it can contain threats more quickly. That's key, since the more time a threat is in the network, the more damage it creates.
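The two ideas above, choosing the containment action from the nature of the threat rather than from whatever control happens to be available, and letting the customer define which response actions may run unattended, can be shown as a small playbook selector. The following is an added example written for this article; it is not code from Open Systems or Gartner. The threat-type names, the `Detection` and `ResponsePolicy` fields, the action names and the sample hosts, accounts and IP addresses are all constructed for illustration. In a real deployment the `executed` branch would call the endpoint agent, firewall or identity provider API; here it only records the decision.

```python
"""Containment playbook selector: pick the response from the nature of the threat,
then apply a customer-defined policy that decides what may run without approval.

Added example for this article. All names, fields and sample values are constructed
for illustration and are not from any real MDR product.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Detection:
    """A normalized alert from the MDR platform (constructed shape, not a real schema)."""
    threat_type: str                 # "credential_theft", "malware_execution", "c2_beacon", ...
    host: str = ""                   # affected endpoint, if the alert names one
    accounts: List[str] = field(default_factory=list)   # accounts involved, if any
    remote_ip: str = ""              # attacker infrastructure observed, if any
    has_agent: bool = False          # endpoint agent present, so the host can be isolated?
    persistence: bool = False        # persistence mechanisms observed (multistage attack)


@dataclass(frozen=True)
class Action:
    kind: str     # isolate_host | block_ip | reset_password | revoke_sessions | hunt_persistence | escalate
    target: str


def select_containment(d: Detection) -> List[Action]:
    """Choose containment from what the threat is, not from the tool at hand."""
    actions: List[Action] = []
    if d.threat_type == "credential_theft":
        # Stolen passwords work from anywhere: isolating a host or adding a firewall
        # rule does not remove the attacker's access. The accounts themselves must be fixed.
        for acct in d.accounts:
            actions.append(Action("reset_password", acct))
            actions.append(Action("revoke_sessions", acct))
    elif d.threat_type in ("malware_execution", "c2_beacon"):
        if d.has_agent and d.host:
            actions.append(Action("isolate_host", d.host))   # agent on the host: isolate it
        if d.remote_ip:
            actions.append(Action("block_ip", d.remote_ip))  # in the network path: block it
        if not actions:
            # No agent and no network indicator: nothing can be contained automatically.
            actions.append(Action("escalate", d.host or "unknown-host"))
    else:
        actions.append(Action("escalate", d.host or "unknown-host"))
    if d.persistence:
        # Multistage attack: the actor likely has a foothold elsewhere, so containing the
        # first host is not the end of the incident.
        actions.append(Action("hunt_persistence", d.host or "environment"))
    return actions


@dataclass
class ResponsePolicy:
    """Customer-defined workflow: which actions run unattended, and which assets are exempt."""
    auto_actions: Set[str] = field(
        default_factory=lambda: {"isolate_host", "block_ip", "revoke_sessions"}
    )
    never_auto_isolate: Set[str] = field(default_factory=set)  # e.g. domain controllers


def run_workflow(d: Detection, policy: ResponsePolicy) -> Dict[str, List[Action]]:
    """Split the selected actions into those executed now and those held for a human."""
    executed: List[Action] = []
    pending: List[Action] = []
    for a in select_containment(d):
        exempt_host = a.kind == "isolate_host" and a.target in policy.never_auto_isolate
        if a.kind in policy.auto_actions and not exempt_host:
            executed.append(a)       # here the control's API would be invoked
        else:
            pending.append(a)        # analyst or customer approval required
    return {"executed": executed, "pending_approval": pending}


if __name__ == "__main__":
    # Constructed sample alerts; 203.0.113.9 is from the documentation address range.
    policy = ResponsePolicy(never_auto_isolate={"dc01"})
    samples = [
        Detection("credential_theft", accounts=["jdoe", "svc_backup"]),
        Detection("c2_beacon", host="ws-17", remote_ip="203.0.113.9", has_agent=True, persistence=True),
        Detection("malware_execution", host="dc01", remote_ip="203.0.113.9", has_agent=True),
        Detection("malware_execution", host="laptop-3"),   # no agent, no indicator
    ]
    for s in samples:
        print(s.threat_type, run_workflow(s, policy))
```

The point of the policy object is that the `isolate_host` action, which is safe to automate for a workstation, is held back for an asset the customer has marked as critical, while the network block still proceeds; that is the kind of upfront integration work the article asks for from a provider.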
Ponemon Institute says the average cost of a data breach at organizations using security automation was more than $3 million less than at other organizations. And other industry forecasts estimate that global cybercrime will cost businesses $11.4 million per minute by 2021.

Also, most sophisticated attacks are multistage. It's likely that in the first phase of an attack, the threat actor achieved some level of persistence and is still in the network preparing for Plan B.

Choose an MDR provider that can both identify threats and act fast to contain them.
## Automated Containment Requires Upfront Collaboration

Select an MDR provider with the people, processes and technology to expertly execute automated response. Understand that expert MDR providers do not rely on their customers to define their workflows. But know that MDR providers need to match their efforts to your environment.

Choose an MDR provider that takes the time to work with you upfront to integrate with your workflows and security controls. That will provide you with greater value going forward.
## Enterprise Leaders Want Success Stories, Not New Items on Their To-Do Lists

I recently spoke with a CSO who beautifully summarized the value of this co-managed approach.

He said that if he gets an email from his MDR provider with a threat notification and recommendations for containing it, he now has a new item on his to-do list. And it's probably not just one item. He may need to take a host offline, clean or restore a machine, and/or reset accounts. He then likely needs to communicate what happened to his board.

This CSO said that what he would really like is to wake up to an email from his MDR provider with the following details: what happened and how the MDR provider contained it, using what remediation. That way, it is taken care of, and he can go to his board with a success story.

He's a hero.

By selecting the right MDR provider, you can be a hero, too.
## About the Author

Dave Martin is senior director of product management for threat response at Open Systems.