It’s no secret that global cyber threats are increasing both in volume and sophistication with each passing year. Some estimates even predict that the total cost of global cyber crime damage will hit $6 trillion annually by the year 2021. This is why companies, brands, and organizations across the board are enlisting help from third-party vendors and partners in their cybersecurity efforts, leading to the recent rise of the Managed Detection and Response (MDR) model.
But exactly what is managed detection and response? Per Gartner, MDR partners provide services to companies and organizations that improve the way they detect cyber threats, respond to incidents, and continuously monitor their technology systems and assets in real time. By using managed threat detection and response services, organizations can better fortify their critical infrastructures against attacks, and respond to breaches and incidents quickly and effectively.
Before diving into an MDR partnership and implementation, you’ll need to know the basics of MDR services, the key areas that it covers, and how MDR response services can potentially be applied to your specific organization.
What makes MDR different?
MDR is a unique combination of technology and human skills that delivers things like advanced threat detection, deep threat analytics, global threat intelligence, rapid incident mitigation, and collaborative breach response. That being said, MDR is not a replacement for basic Managed Security Services (MSS), which traditionally cover areas such as log management and monitoring, vulnerability scanning, and security device management.
MDR is designed to enhance MSS, providing greater focus on detecting and responding to breaches by bringing in complementary technologies and services. This can be anything from security analytics to response orchestration and advanced threat intelligence. Think of MSS as the basic measures you’d take to secure your property (locking the front door, having an alarm system, etc.), while MDR is a proactive measure that seeks to identify threats ahead of time and formulate a response plan in case someone breaks in.
At the end of the day MDR is basically a set of services delivered by specialized vendors, focused solely on threat management. For the sake of continuity, most businesses gain maximum value from MDR services by utilizing the same vendor or partner they’re already working with for MSS. That being said, below are the key areas that MDR seeks to address for businesses and organizations across the spectrum.
1. Threat Anticipation
You can think of threat anticipation as the “tip of the spear” in most MDR models. Technology and expertise are combined to seek out and anticipate potential future cyber threats. Threat intelligence is constantly collected, sorted, and analyzed to gain a clearer picture of the future threats your organization might be facing. Your MDR partner will help you contextualize threat intelligence data against your specific organization to determine how to prepare for the most likely future threats.
The most important part of the threat anticipation phase of MDR is to convert threat intelligence data and analysis into actionable steps and tasks. If you’re an e-commerce company, maybe you’ve determined (in conjunction with your MDR partner) that one of the biggest potential threats is identity theft through your payment gateway. You still need to convert that into a concrete defense plan, as well as a response plan for that specific type of breach that will limit the damage as quickly as possible.
MDR vendors and partners deliver threat anticipation services in a variety of ways. For example, they might collect threat intelligence data from sources like newsfeeds, social media, and even the dark web to get a sense of what hackers might be up to. This data is then analyzed within the context of your organization, and recommendations for measures to be put in place emerge. You’ll work with your partner to figure out the likelihood of each threat, and develop an MDR threat anticipation playbook for each role, department, and individual within the company.
2. Threat Hunting
The threat hunting aspect of MDR typically uses some form of data science and/or machine learning, in tandem with cybersecurity and IT personnel. Threat hunting is a critical support mechanism for threat anticipation, as multiple data sources are analyzed to help facilitate the detection of currently unknown or hidden threats. As a whole, the practice of cyber threat hunting is on the rise, so it’s no surprise that it’s part of most MDR implementations.
The cybersecurity industry continues to bring new threat hunting technologies to market. Technologies like network threat analytics (NTA), user behavior analytics (UBA), and endpoint detection and response (EDR) are now being used in various threat hunting efforts under the MDR umbrella. Security monitoring tools are also employed, with firewalls, antivirus software, and intrusion detection software being used to hunt for threats as they begin to interact with your systems.
Work with an MDR partner that can either assist in threat hunting or provide a specialized threat hunting team with expertise in advanced threat monitoring and detection technology, so that malicious actors are identified as soon as possible. Your MDR partner should help you conduct activities such as connecting data sources to an analytics platform, helping your internal personnel interpret the analysis, and putting safeguards and procedures into place based on your findings.
3. Security Monitoring
Security information and event management (SIEM) is another critical aspect of MDR. SIEM solutions gather structured data from within your systems and then provide actionable analysis based on threat patterns. SIEM is designed to monitor systems and detect some of the most sophisticated cyber threats, processing large amounts of raw data from multiple sources at any given time.
More specifically, SIEM software will run through your system’s logs and security events to detect cyber attacks. Since SIEM technology is highly sophisticated, it can be difficult to operationalize consistently without the help of an MDR partner. If done properly, SIEM can automatically detect potential issues, log additional relevant information, generate a security alert, or even stop an activity’s progress altogether.
When looking at SIEM system capabilities and partners, you’ll want to consider several key factors and functionalities. You want to make sure that your SIEM integrates well with all of your current systems. The SIEM should be able to quickly command and control other systems in the event it detects an attack. Also consider compliance reporting capabilities, as government agencies may become involved in the event of an attack and investigate whether or not your cybersecurity measures are in compliance. Most importantly, find a partner that is able to fine-tune and adjust your SIEM over time, as the nature of your business and external threats change and evolve.
4. Alert Response
In MDR, alert response functions as a bridge between discovering a threat and activating your response plan. Alert response focuses on triaging alerts stemming from SIEM and focusing on the most relevant threats at any given time. Here, you’ll investigate breaches, identify the attack chain, and analyze the “blast radius” to determine what (if any) information assets are potentially affected.
In the real world of MDR, many alerts are generated that simply don’t warrant a significant response. Remember that SIEM and other technologies rely on pattern recognition and metadata analysis to identify potential threats. Although a SIEM may pick up on activity patterns that might be malicious, after further investigation your staff may determine that no attack is taking place. Your MDR partner will help you devise an efficient alert response plan, outlining the most pressing alerts that need to be investigated immediately.
Your alert response plan should cover the who, what, when, and how of your response to various types and levels of security alerts. Look for an MDR partner that will help you quickly triage alerts and contextualize them with other factors, such as threat intelligence, to determine which alerts take priority for deeper investigation. Have detailed mitigation steps so that, if an actual attack is identified, the damage is limited until a permanent solution to end the attack is initiated.
5. Incident Response
This is the part of MDR that involves the orchestration of your active response to a cybersecurity threat. Incident response involves carrying out rapid, coordinated activities for threat containment, systems remediation, and data recovery. While a good deal of incident response can (and should) be automated, you still need the human skills, expertise, and knowledge base available to conduct responses on the fly, in real time.
Many organizations using MDR view the incident response process as a collaborative effort with their cybersecurity partners. While your internal staff may be skilled and trained, it’s often beneficial to have access to an external “response team” that can come in and make sure everything goes as it should. Some vendors even provide specific response automation platforms that contain advanced functionality such as response workflows, case management, and forensic tools for a post-response autopsy of the incident.
No matter what technologies you choose to employ for MDR incident response, you’ll want to select security analysts that can work with your teams (either on-site or remotely) at a moment’s notice should you experience a real threat or attack. Work with your partner to develop, and continually refine, a company-wide incident response playbook that all of your employees can refer to. If a cyber incident that warrants response does occur, there should be no confusion about who should do what.
6. Breach Management
You’ve identified a threat, initiated a response, and eliminated any short-term, immediate threats to your critical data. Under a managed detection and response model, there’s still quite a bit more work to be done. You still need to manage the aftereffects of the breach, assess the damage, deal with potential compliance issues, and take steps to ensure the same thing doesn’t happen again. These activities fall under the breach management aspect of managed threat detection and response.
Whether your data is payment cardholder information, personally identifiable information (PII), or confidential health information covered by HIPAA, your MDR partner should be able to assist in the aftermath of an incident. Cyber forensics plays a key role in the breach management process, assessing the attack chain, attack methodology, and potential actors that could be responsible for the incident. Cyber forensics is an increasingly complex and specialized field, which is why many organizations work with an MDR partner in the first place. While you may have staff with forensics capabilities, partners with digital forensics experts can come in and dedicate themselves to combing through the evidence and applying their expertise to mitigate damage and prevent future attacks.
Your MDR partner should also understand how breach forensics, evidence collection, and impact assessments all relate to the relevant compliance rules and bodies. Many regulations, such as HIPAA, require certain government bodies to audit your breach and mandate that you notify affected parties within a certain period of time. A good MDR partner will not only ensure that the threat has been expunged, they’ll make sure you’re protected from any potential compliance-related fines or penalties.
By now you should not only be familiar with the foundations of managed detection and response but also be able to differentiate it from managed security services. The two work hand in hand, with MDR providing an additional layer of threat detection, response, and incident management. MDR is a combination of in-house planning, technology systems, and third-party expertise that helps shore up cyber defenses and create a plan in case something goes wrong.
How you implement MDR will depend on your organization, industry, and the nature of the confidential data you’re protecting. Look for an MDR partner that has experience locating threats before they materialize and can tailor their approach to your specific situation. If you’re a financial company that requires PCI compliance, look closely at the vendor’s track record within that sphere. Try to enlist a partner that has experience in continual training, as your alert and threat response plans will need to be internalized by all of your key stakeholders.
Most importantly, bear in mind that MDR is a holistic approach to today’s cyber threats, which are constantly changing and adapting to the latest security measures. MDR isn’t a “set it and forget it” type of deal; it’s a team effort with your trusted security professionals that requires constant monitoring, tweaking, and updating as time goes on.