In recent years, cyberattacks have transcended industries and demographics. In the modern cyber landscape, everyone is a target and every business needs to defend itself against cyber threats.
Driven by an explosion in the number of cyber roles in the market and a scarcity of qualified security professionals, this market of low supply and high demand is complicating both the acquisition of new talent and the retention of existing expert security professionals.
For a security professional to obtain and achieve the level of experience that modern cybersecurity requires is difficult. Contemporary security challenges are so complex that extraordinary effort, planning and environmental readiness are needed to understand them.
Until recently, organizations that have lacked the resources to build an internal detection and response capability have been without many options. Purchasing advanced products that are not properly staffed has little effect. And while Managed Security Service Providers (MSSPs) supports many different parts of a security program, detecting and responding to advanced threats is not where they specialize.
Managed Detection and Response
So, organizations large and small have been looking for sophisticated vendors who can identify malicious activity within their environment and ensure a quick response. This is the void that MDR (Managed Detection and Response) is filling.
As organizations consider MDR, it is important that they understand key differences when compared to the traditional outsourcing option of MSSPs. Many organizations that are predisposed to pass over MSSP detection and response offerings will find that MDR can help them fill gaps within their internal capabilities.
MDR solutions approach detection and response the same way an internal security team would. It starts with collection and MDR services requiring a robust data set to perform their detection. Organizations should expect their MDR to either request access to the existing security stack or require the deployment of additional technology for greater visibility. MDR solutions then use advanced detection capabilities that use multiple sophisticated technologies. These include analytics engines, behavioral-based detection, machine learning and anomaly detection.
While MDR providers may vary in the degree of response delivered, at a minimum it includes remote investigation of potential threats. They employ a team of knowledgeable experts who understand how to interpret the events produced by the detection technology. These individuals often have years of investigative experience and know how to accurately identify advanced attackers. These services will also typically provide a high degree of support in containing and responding to threats once they have been detected (and some even perform the response).
The best MDR offerings closely integrate into an organization’s security team, continually learn about the environment and use that information to support investigations and threat hunting. The end result is that MDR customers have a team of experts who are continually monitoring and searching through their environment to quickly detect threats and strengthen the response.
MSSP is Not Enough
MSSPs typically focused on basic security tasks like monitoring standard ingress-egress traffic on perimeter products and vulnerability management. They are meant to provide high-level security coverage for basic and repetitive tasks across an organization’s entire security stack. MSSPs mostly rely on signatures and rule-based detection and frequently miss advanced threats (and increasingly even basic attack tactics).
When incidents are discovered, many MSSP customers are still responsible for managing containment and mitigation unless they pay the provider’s Incident Response team extra for help. Even then, the MSSP’s staff may not be specifically trained to effectively respond to an incident.
Conversely, MDR services focus specifically on improving an organization’s advanced threat detection, investigation and response. They are used to augment and enhance internal capabilities. They frequently examine similar data sets as MSSPs such as network logs or endpoint telemetry, but at a much greater depth. They are specifically tailored to use advanced technologies such as Endpoint Detection and Response (EDR), behavioral analytics, specialized forensics tools and custom security event management platforms. The most sophisticated MDR providers focus heavily on detecting behaviors like lateral movement, credential theft and credential escalation, all behaviors of today’s advanced attacks.
Some even operate large software and security engineering teams to design their own detection and response technology. MDR services are usually built with integration in mind so that they can be plugged into a pre-existing security program and workflow.
Why Now?
The world of cybersecurity has exploded in the last 2 years to include technologies and processes that are far more complex than they had been in the past. Enterprise, mid-market and SMB firms are turning to MDR because they want the benefits of today’s most advanced detection technology and practitioners to defend their organization in the face of this increased complexity. They will likely not have the skilled resources to build a highly specialized team or they might want to layer a specialized solution on top of their existing security program.
Advanced collection and detection technology is the first step to detecting previously unseen threats and remediating them. These new tools—Endpoint Detection and Response (EDR), User Behavior Analytics (UBA), thorough network analysis engines examining full PCAP records, etc.—require constant monitoring, tuning and process improvement. Additionally, advanced detection tools detect potential threats. They will generate hundreds to thousands of events per day that need to be investigated prior to mitigation. Investments in these advanced tools will be largely wasted without an advanced security team who knows how to run an in-depth investigation, manage automation engines, understands malware analysis and has a sixth sense about how attackers operate.
A true detection and response capability requires equal investments in advanced technology, experienced security practitioners and a process that focuses on efficiency and accuracy.
ROI
The opportunity costs and actual costs of acquiring advanced technology and talent and building an operational capability are extremely high and usually unrealistic – the talent sought is frequently unavailable and occasionally unmanageable. Instead of fighting for resources in your own small corner of Missouri, why not hire an MDR provider that can offer a full capability that doesn’t require a dozen individual investments and months to years of implementation? Most MDR providers are priced significantly below what it would cost an organization to build internally.
The other compelling driver is that MDR solutions work. They accurately detect threats ranging from malware to advanced attackers and ensure that all threats are addressed.
Small or large, in-house security teams are augmented by managed service providers who help round out their team and provide the capabilities that they desire. Today, many businesses can rely almost entirely on outsourced security operations capability. Do they?
No.
Why not? It is a perfect solution for so many challenges, training, career development, management of hard stuff, liability transfer, dramatically improved security posture, breathing room for the IT folks in charge, etc.
Yet, 9 of 10 companies that should have outsourced managed security have not done so yet.
Why?
Change is hard – turning over critical systems to someone you don’t know requires a leap of faith – but in light of today’s reality, not turning them over indicates a state of denial that will have very expensive results after that first ransomware attack. In fact, we would argue that instead of choosing between an MSSP and an MDR provider, you choose both.
MDR and MSSP Expectations
Since the world became familiar with the potential of an infrastructure attack on US soil and the frequency of ransomware attacks, it has become common for organizations to use an MSSP in addition to MDR. This combination satisfies basic security watch fundamentals with the MDR provider specifically focused on identifying threats.
Regardless of strategy, all organizations recognize their existing security program stops a percentage of threats but can never realistically stop every threat. Commonly held beliefs by organizations using MDR: Satisfying compliance requirements is no longer enough and additional security investments must be made to reduce risk. No matter how many products are put in place, attackers will always find a way in.
Visibility, monitoring, detection and response is the only way to reliably identify attackers within an environment. Detection and response are a capability, not a product. The capability requires equal parts technology, process and expertise. Building an internal detection and response capability will be burdensome and there are new advanced services delivering a true capability that can be trusted to help secure an environment.
Organizations using MDR might have a SOC with dedicated threat hunters who want a second set of eyes watching their environment. Or, they might have a lean security team managing day-to-day security operations with no extra time to build a full detection and response capability. All are investing in MDR to accomplish one goal: quickly identify new threats and limit an attacker’s dwell time within an environment.
Is it expensive? Yes, but not even close to what it will cost if you become victim to a breach.