Gartner Says That Half of Organizations Will Use MDR Services Within Five Years

Here's Why - And Here's What You Can Do to Derive the Greatest Value from an MDR Provider

By Dave Martin

Gartner recently published the Market Guide for Managed Detection and Response Services. The research and advisory firm created this guide to help security and risk management leaders determine whether managed detection and response (MDR) is a fit for their requirements and, if it is, how these leaders can choose the MDR service that best meets their needs.

The firm says that MDR services let these leaders' organizations benefit from a modern, turnkey, 24/7 approach to cybersecurity. It suggests that organizations lacking their own round-the-clock security operations adopt an MDR service that includes containment as part of incident response. And it forecasts that by 2025, 50% of organizations will be using MDR services for threat monitoring, detection and response functions that offer threat containment capabilities.

MDR Has Become a Cybersecurity Best Practice

Gartner's forecast that half of organizations will be using MDR services within five years validates our belief that combining your enterprise's existing preventive controls with continuous cybersecurity monitoring is a new best practice for minimizing organizational risk.

The importance of continually monitoring your potential attack surfaces may seem like a no-brainer. But, as you may know, that's not typically how enterprise cybersecurity has worked.

Siloed, Set-It-And-Forget-It Approaches Alone Don't Cut It

Historically, enterprises and their suppliers followed a technology-driven security model. Under this model, enterprises would buy the latest, greatest security technology in an effort to be safe.

A typical evolution of the security stack started with enterprise investments in firewalls. Then enterprises realized they also needed antivirus on their endpoints. Antivirus wasn't enough, they soon learned, so endpoint detection and response (EDR) became the next big endpoint security investment. An organization wanting to reduce risk further might add email security, intrusion detection systems (IDS) or data loss prevention. Every year someone in the enterprise would buy and deploy a new cybersecurity technology. But these tools have largely been deployed with a set-it-and-forget-it approach: installed, tuned once, and rarely watched afterward.

Relying on a wide array of disconnected point solutions clearly isn't enough: global spending on security products exceeds $100 billion annually, yet damaging breaches continue to occur. Threat actors are adept at finding the gaps between siloed tools, where an alert from one product is never correlated with what another product saw.

Cybersecurity Complexity Calls for a Continuous Feedback Loop

The reality is that the enterprise cybersecurity challenge is nuanced and needs more, and more consistent, attention. Any complex system needs a feedback loop to keep it operating correctly. Without continuous detection and response, whether delivered by MDR or by your own SOC, your cybersecurity strategy lacks that feedback loop: nobody is checking whether the preventive controls actually held.

To truly minimize your risk, you need to assume that you are in a constant state of breach and continually monitor your potential attack surfaces.

MDR monitoring spots advanced threats that have bypassed your existing security controls.

To Benefit from Monitoring You'll Need a SOC - or Partner That Has One

To make MDR happen, you need a security operations center (SOC). You can build and try to staff your own SOC. But that's expensive, and it's hard to find and keep the experts needed to cover it around the clock.

The alternative is to use an MDR service provider. This provides you with a SOC and 24/7 monitoring for a fraction of the time, cost and effort it would take you to create and run a SOC.

MDR casts a big net, which catches a lot of commodity threats. Look for an MDR provider whose detections focus on the tactics and techniques threat actors use, not only on indicators such as file hashes, domains and IP addresses. Indicators are cheap for an attacker to change: rebuild the tool, rename it, or move to a new server, and a hash- or address-based rule goes blind. Tactics are reused across campaigns because changing how an attack works costs the adversary far more, so detections keyed on behavior are much harder to evade.
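To make the difference between indicator matching and tactic-based detection concrete, here is an added example (not code from the article or from Open Systems) that runs both kinds of rule over a constructed set of logon events. The event fields, the attacker's tool name, the shortened hash placeholders and the five-account threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): Windows-style logon audit records,
# simplified and flattened to the fields a SOC would index. 4625 = failed
# logon, 4624 = successful logon. "image"/"sha256" stand for the process the
# EDR correlated with the logon attempt.
# The attacker at 203.0.113.10 sprays one password across five accounts and
# lands on "erin", using a rebuilt spray tool renamed to look like svchost.exe,
# so neither its name nor its hash is on any indicator list.
# 198.51.100.7 is a user mistyping a password twice, then getting it right.
EVENTS = [
    {"ts": "2020-10-29T07:00:01", "event_id": 4625, "src_ip": "203.0.113.10", "account": "alice", "image": "svchost.exe", "sha256": "c9f1"},
    {"ts": "2020-10-29T07:00:05", "event_id": 4625, "src_ip": "203.0.113.10", "account": "bob",   "image": "svchost.exe", "sha256": "c9f1"},
    {"ts": "2020-10-29T07:00:09", "event_id": 4625, "src_ip": "203.0.113.10", "account": "carol", "image": "svchost.exe", "sha256": "c9f1"},
    {"ts": "2020-10-29T07:00:13", "event_id": 4625, "src_ip": "203.0.113.10", "account": "dave",  "image": "svchost.exe", "sha256": "c9f1"},
    {"ts": "2020-10-29T07:00:17", "event_id": 4625, "src_ip": "203.0.113.10", "account": "erin",  "image": "svchost.exe", "sha256": "c9f1"},
    {"ts": "2020-10-29T07:00:40", "event_id": 4624, "src_ip": "203.0.113.10", "account": "erin",  "image": "svchost.exe", "sha256": "c9f1"},
    {"ts": "2020-10-29T07:02:00", "event_id": 4625, "src_ip": "198.51.100.7", "account": "frank", "image": "winlogon.exe", "sha256": "7a20"},
    {"ts": "2020-10-29T07:02:10", "event_id": 4625, "src_ip": "198.51.100.7", "account": "frank", "image": "winlogon.exe", "sha256": "7a20"},
    {"ts": "2020-10-29T07:02:20", "event_id": 4624, "src_ip": "198.51.100.7", "account": "frank", "image": "winlogon.exe", "sha256": "7a20"},
]

# Indicator list from the attacker's previous campaign (constructed; the
# hash is a shortened placeholder).
KNOWN_BAD = {"images": {"spray.exe", "mimikatz.exe"}, "sha256": {"a0b3"}}


def detect_ioc(events, known_bad=KNOWN_BAD):
    """Indicator match: cheap and precise, but evaded as soon as the attacker
    renames or rebuilds the tool, which is exactly what happened in EVENTS."""
    return [
        e for e in events
        if e["image"].lower() in known_bad["images"] or e["sha256"] in known_bad["sha256"]
    ]


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Tactic-based rule: one source fails logons against at least
    `min_accounts` distinct accounts inside `window` and then succeeds.
    It keys on how a spray behaves, so the tool name and hash are irrelevant."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        by_src[e["src_ip"]].append(e)

    hits = []
    for src, evs in by_src.items():
        failed = {}   # account -> time of its first failure in the current window
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            failed = {a: ft for a, ft in failed.items() if t - ft <= window}
            if e["event_id"] == 4625:
                failed.setdefault(e["account"], t)
            elif e["event_id"] == 4624 and len(failed) >= min_accounts:
                hits.append({
                    "src_ip": src,
                    "sprayed_accounts": sorted(failed),
                    "compromised": e["account"],
                    "at": e["ts"],
                })
                failed = {}   # one alert per spray, not one per later success
    return hits


if __name__ == "__main__":
    print("IOC hits:", detect_ioc(EVENTS))                 # [] - renamed tool slips past
    print("Spray hits:", detect_password_spray(EVENTS))    # one hit, source 203.0.113.10
```

The indicator rule only fires if you re-run it on a copy of the first event with `image` set back to `spray.exe`, i.e. if the attacker had been sloppy. The behavioral rule fires on the real sequence and also tells the responder which accounts were touched and which one was compromised, which is the input the containment step needs.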

This Modern Approach to Cybersecurity Is More Important Than Ever

Embracing MDR and taking a zero trust network access (ZTNA) approach is vital today.

The COVID-19 pandemic has led to an even more distributed workforce. More people are working in more places, greatly expanding the enterprise attack surface.

Also, remote workers aren't necessarily behind all the security controls and preventive measures that protect them in the office. Plus, organizations are increasingly migrating services from on premises to the cloud, creating a whole new set of security challenges.

That makes it even more critical to have continual monitoring to find out what's going on.

Awareness Is Key, But You Need to Act on That Intelligence

You only get value from threat intelligence if you act on it by containing the identified threats.

Most service providers approach containment based on what they can control. They may isolate a host because they have an agent on the compromised host. If the provider has an enforcement point in the network, it might push a block rule to a firewall.

But for some threats, these methods don't work. Consider credential theft, in which a bad actor has stolen passwords. Isolating an endpoint or adding a firewall filter does nothing here: the attacker can use the stolen credentials from anywhere. Instead, you need to reset the passwords on the affected accounts and revoke their active sessions and tokens, since a password reset alone does not end a session the attacker has already established.

When all you have is a hammer, everything looks like a nail. That's where the market is today. But that's not the best approach. Be sure to select an MDR provider that applies the right tool for the job, using the nature of the threat to define what the best containment action is.

Automating Response Efforts Enables Faster Action and Decreases Damage

As Gartner's Market Guide notes: "Threats move too fast for most organizations these days." The firm goes on to say that some MDR providers are exposing security orchestration and automation to enable their customers to define response workflows and activities.

This approach is compelling for enterprises because it can contain threats more quickly. That's key since the more time a threat is in the network, the more damage it creates.

Ponemon Institute says the average cost of a data breach at organizations using security automation was more than $3 million less than at other organizations. And other industry forecasts estimate that global cybercrime will cost businesses $11.4 million per minute by 2021.

Also, most sophisticated attacks are multistage. It's likely that in the first phase of an attack, the threat actor achieved some level of persistence and is still in the network preparing for Plan B.

Choose an MDR provider that can both identify threats and can act fast to contain them.
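Here is an added example, not the article's code or any provider's, that ties the two preceding points together: containment chosen by the nature of the threat (the credential-theft case under "Awareness Is Key") and automation that only acts when it safely can. The alert fields, the action names, the 0.8 confidence bar and the sample incident are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Alert:
    """One confirmed detection. The field names and 'kind' values are
    assumptions for this example, not any provider's alert schema."""
    kind: str                        # "malware_on_host" | "c2_beacon" | "credential_theft"
    confidence: float                # 0.0..1.0 as scored by the detection
    host: Optional[str] = None
    has_agent: bool = False          # provider's agent runs here, so it can isolate
    remote_ip: Optional[str] = None
    can_block_network: bool = False  # provider has a firewall or NAC integration
    accounts: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Action:
    name: str
    target: str
    automated: bool                  # False means it lands on the customer's to-do list
    reason: str


AUTO_THRESHOLD = 0.8  # assumed bar for acting without a human in the loop


def _gate(alert, name, target, can_execute, why_not):
    """Automate only when the provider can actually execute the action and
    the detection is confident enough; otherwise hand it over with a reason."""
    if not can_execute:
        return Action(name, target, False, why_not)
    if alert.confidence < AUTO_THRESHOLD:
        return Action(name, target, False,
                      f"confidence {alert.confidence:.2f} below {AUTO_THRESHOLD}")
    return Action(name, target, True, "executed by provider")


def plan_containment(alerts):
    """Pick containment by what the threat is, then de-duplicate across alerts
    so a multistage intrusion yields one action per (action, target)."""
    best = {}
    for a in alerts:
        planned = []
        if a.kind == "malware_on_host":
            planned.append(_gate(a, "isolate_host", a.host, a.has_agent, "no agent on host"))
        elif a.kind == "c2_beacon":
            planned.append(_gate(a, "block_ip", a.remote_ip, a.can_block_network,
                                 "no network enforcement point"))
            if a.host:
                planned.append(_gate(a, "isolate_host", a.host, a.has_agent, "no agent on host"))
        elif a.kind == "credential_theft":
            # Isolating a host or filtering an IP does nothing for stolen
            # credentials; act on the identity, and revoke live sessions
            # because a reset alone does not terminate them.
            for acct in a.accounts:
                planned.append(_gate(a, "reset_password", acct, True, ""))
                planned.append(_gate(a, "revoke_sessions", acct, True, ""))
        else:
            raise ValueError(f"unknown alert kind: {a.kind}")

        for act in planned:
            key = (act.name, act.target)
            # keep the first plan for a target unless a later one can be automated
            if key not in best or (act.automated and not best[key].automated):
                best[key] = act
    return list(best.values())


def split_by_owner(actions):
    """What the provider already did versus what the customer still has to do."""
    done = [a for a in actions if a.automated]
    todo = [a for a in actions if not a.automated]
    return done, todo


# Constructed multistage incident: a workstation with malware beaconing out,
# credentials dumped from it, and a second host the provider has no agent on.
INCIDENT = [
    Alert("malware_on_host", 0.95, host="ws-042", has_agent=True),
    Alert("c2_beacon", 0.90, host="ws-042", has_agent=True,
          remote_ip="203.0.113.10", can_block_network=True),
    Alert("credential_theft", 0.85, accounts=["erin", "svc-backup"]),
    Alert("malware_on_host", 0.55, host="srv-07", has_agent=False),
]

if __name__ == "__main__":
    done, todo = split_by_owner(plan_containment(INCIDENT))
    print("Contained by provider:", [(a.name, a.target) for a in done])
    print("Left for customer:", [(a.name, a.target, a.reason) for a in todo])
```

Run against the sample incident, the planner isolates ws-042 once (not twice, although two alerts name it), blocks the beacon destination, resets and revokes both stolen accounts without touching any host for them, and leaves only srv-07 on the customer's list with the reason that no agent is present. That last item is what the CSO in the closing section is describing: the fewer of those the provider leaves behind, the better.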

Automated Containment Requires Upfront Collaboration

Select an MDR provider with the people, processes and technology to execute automated response expertly. Expert MDR providers do not rely on their customers to define the response workflows. But they do need to match those workflows to your environment: which hosts carry their agent, which enforcement points they can reach, and which systems hold the accounts they may need to reset.

Choose an MDR provider that takes the time to work with you upfront to integrate with your workflows and security controls. That will provide you with greater value going forward.

Enterprise Leaders Want Success Stories, Not New Items on Their To-Do Lists

I recently spoke with a CSO who beautifully summarized the value of this co-managed approach.

He said that if he gets an email from his MDR provider with a threat notification and recommendations for containing it, he now has a new item on his to-do list. And it's probably not just one item. He may need to take a host offline, clean or restore a machine, and/or reset accounts. He then likely needs to communicate what happened to his board.

This CSO said that what he would really like is to wake up to an email from his MDR provider with the following details: What happened and how the MDR provider contained it using what remediation. That way, it is taken care of, and he can go to his board with a success story.

He's a hero.

By selecting the right MDR provider, you can be a hero, too.


About the Author

Dave Martin 

Dave Martin is senior director of product management for threat response at Open Systems.

Published Thursday, October 29, 2020 7:37 AM by David Marshall