MDR – A Snapshot of the Future of Cybersecurity Services
Cybersecurity services continue to evolve as risk and the nature of the threat change.
By: Matt DeMatteo
There is one phenomenon that makes cybersecurity both interesting and frustrating: Change.
Constant, dispassionate, unpredictable change.
SIEM, MSSP, EDR and now MDR
Change brings new opportunities and disrupts existing strategies. One of the biggest changes in computer security in the past 10 years is the focus on the endpoint, as opposed to the network. As perimeter-based protection and detection strategies gained adoption, adversaries rethought their tactics to avoid these controls. Now perimeters are disappearing and endpoint-based visibility and control are critical.
These changes bring two challenges. First, cybersecurity remains a developing function inside many organizations; most do not have the level of program maturity that their risk profile requires. Second, many security practitioners lack the tools or the skills required to meet the threat.
To address these challenges, organizations need to be more realistic about what they expect from their perimeter controls; they need faster adoption of advanced endpoint protection and detection technologies; and they must establish capabilities to perform investigations centered on the endpoint.
For many organizations, these demands exceed their current and near-term resources of people, skills, and time. Security decision makers are seeking greater competency and specialized skills when selecting as-a-service security offerings, and Managed Detection and Response (MDR) services are often the best strategy. MDR aims to satisfy this need by creating a service that brings together perimeter telemetry, advanced endpoint telemetry, and analysts who perform investigations. The end results are incident reports that approach the level of detail typically produced by very large in-house or outsourced security programs.
MDR Security Solutions Typically Include These Service Components:
- Endpoint Detection and Response (EDR) – Advanced endpoint security tools form the core of any MDR service. EDR tools quickly rose to prominence because they offered vastly superior detection and forensic capabilities to those of perimeter controls, traditional endpoint software, and OS or application logs. However, EDR tools require additional skills and experience that many practitioners don't have.
- Perimeter Telemetry – Perimeter controls still play an important role in an MDR solution. Data from firewalls, IDS/IPS, WAFs, and network infrastructure (such as proxies) is critical for confirming and expanding on what the endpoint reports. MDR service providers correlate this data with endpoint alerts to investigate them more quickly. Faster investigations mean that an MDR provider can deliver a better quality investigation in a shorter amount of time than most organizations can achieve on their own.
- Incident Management and Response – Anyone can douse a flame with water, but we don't all have the title of firefighter. Serious security compromises should be rare occurrences, so it is unreasonable to expect in-house responders to match the expertise an MDR vendor can provide. MDR vendors are able to attract, retain, and utilize remote and in-field incident responders. The diversity of industries, threats, and events that these incident responders are exposed to likely makes their value to an organization far higher than that of an in-house responder with the same skill set.
- Threat Intelligence – Threat Intelligence touches all parts of any security services offering, but with an MDR service, the maximum value a vendor can provide is determined by that vendor's threat intelligence gathering capability. MDR vendors must go beyond typical alerting to quickly provide the "who, what, where, why, and how" of a situation. The only way to do this without a lengthy incident response engagement is to have threat intelligence that is categorized by threat actor, tools, campaigns, etc.
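The two service components above (perimeter telemetry confirming what the endpoint reports, and threat intelligence categorized by actor, tool, and campaign) are easiest to see in code. The following is an added example, not code from the article or from any MDR vendor: it takes a constructed EDR alert (Word spawning PowerShell that connects outbound), looks for proxy and firewall events from the same host to the same destination inside a time window, and enriches the destination from a constructed intel table. All hostnames, IP addresses (RFC 5737 TEST-NET ranges), log lines, and intel records are constructed for illustration; the log formats, field names, and the `corroborate` function are assumptions, not any product's schema.

```python
"""Corroborate an EDR alert with perimeter telemetry and threat intel (added example).

Every host, IP, log line and intel record here is constructed for illustration.
"""
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


# Constructed EDR alert: a document viewer spawning PowerShell that reaches the internet.
EDR_ALERT = {
    "ts": "2024-03-04T10:12:05Z", "host": "ws-042",
    "parent": "winword.exe", "process": "powershell.exe",
    "dst_ip": "203.0.113.25", "dst_port": 443,
}

# Constructed inventory (hostname -> internal IP): firewall logs carry IPs, EDR alerts hostnames.
INVENTORY = {"ws-042": "10.0.5.42", "ws-017": "10.0.5.17"}

# Constructed proxy log, fields: ts host dst_ip dst_port method target
PROXY_LOG = """\
2024-03-04T10:11:40Z ws-017 198.51.100.7 443 GET https://intranet.example/home
2024-03-04T10:12:07Z ws-042 203.0.113.25 443 CONNECT cdn-update.example
2024-03-04T10:12:08Z ws-042 203.0.113.25 443 POST https://cdn-update.example/gate.php
2024-03-04T11:30:00Z ws-042 203.0.113.25 443 POST https://cdn-update.example/gate.php
"""

# Constructed firewall log in key=value form.
FW_LOG = """\
2024-03-04T10:12:09Z src=10.0.5.42 dst=203.0.113.25 dport=443 action=allow
2024-03-04T10:12:09Z src=10.0.5.17 dst=198.51.100.7 dport=443 action=allow
2024-03-04T10:12:30Z src=10.0.5.42 dst=203.0.113.25 dport=8443 action=deny
"""

# Constructed intel table keyed by indicator and categorized by actor, tool and campaign.
THREAT_INTEL = {
    "203.0.113.25": {"actor": "CONSTRUCTED-GROUP-1", "tool": "constructed loader",
                     "campaign": "constructed maldoc wave"},
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_proxy(line):
    ts, host, dst_ip, dst_port, method, target = line.split(maxsplit=5)
    return {"ts": parse_ts(ts), "host": host, "dst_ip": dst_ip,
            "dst_port": int(dst_port), "method": method, "target": target}


def parse_fw(line):
    ts, rest = line.split(maxsplit=1)
    rec = dict(KV_RE.findall(rest))
    rec["ts"] = parse_ts(ts)
    rec["dport"] = int(rec["dport"])
    return rec


def corroborate(alert, proxy_log, fw_log, inventory, intel, window_s=120):
    """Return an investigation record: which perimeter events back the endpoint
    alert within +/- window_s seconds, and what intel says about the destination."""
    center = parse_ts(alert["ts"])
    window = timedelta(seconds=window_s)
    src_ip = inventory.get(alert["host"])  # None if the host is unknown to us

    proxy_hits = [r for r in map(parse_proxy, proxy_log.splitlines())
                  if r["host"] == alert["host"] and r["dst_ip"] == alert["dst_ip"]
                  and abs(r["ts"] - center) <= window]
    fw_hits = [r for r in map(parse_fw, fw_log.splitlines())
               if r["src"] == src_ip and r["dst"] == alert["dst_ip"]
               and abs(r["ts"] - center) <= window]
    allowed = any(r["action"] == "allow" for r in fw_hits)

    return {
        "host": alert["host"], "src_ip": src_ip,
        "process_chain": f'{alert["parent"]} -> {alert["process"]}',
        "proxy_hits": len(proxy_hits),
        "targets": sorted({r["target"] for r in proxy_hits}),
        "fw_allowed": allowed,
        "fw_denied": sum(1 for r in fw_hits if r["action"] == "deny"),
        "intel": intel.get(alert["dst_ip"]),  # the "who" and "how", if known
        # Corroborated only when endpoint, proxy and firewall all saw the traffic.
        "corroborated": bool(proxy_hits) and allowed,
    }


if __name__ == "__main__":
    for k, v in corroborate(EDR_ALERT, PROXY_LOG, FW_LOG, INVENTORY, THREAT_INTEL).items():
        print(f"{k}: {v}")
```

Widening `window_s` pulls in the later `gate.php` POST, which is how an analyst would go from "confirm this alert" to "find the beacon interval"; an alert for a host missing from the inventory comes back uncorroborated rather than silently matching nothing, which is the failure mode to watch for when telemetry sources disagree on identifiers.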
When organizations with small security teams adopt MDR, they are able to reprioritize their day-to-day activities. They can focus on strategic or technical projects because detecting, alerting on, and investigating security events (the L0-L2 work) is the vendor's responsibility. The client's responsibility starts to move from operational skills to risk management, communicating within the organization, and championing improvements to the organization's security posture based on legitimate business cases.
Navigating Challenges of MDR Adoption
Security leaders will have to navigate some challenges if they incorporate an MDR vendor into their security program. First, existing staff will need to be retasked, retrained, and, most importantly, reassured that their value within the organization is going up as a result of the decision to purchase MDR services. Existing staff should realize that it is their understanding of how their organization works that will enhance the value MDR can provide. MDR vendors need to partner with security-savvy, integrated points of contact in order to tune and improve MDR services over time. The most qualified people to help an MDR vendor execute its service, and to evaluate the quality of that service, are the people who used to have those same responsibilities.
Second, leadership will be required to take MDR findings and recommendations and use them to improve security posture. MDR vendors should be providing insight into the root cause of high-volume security events (such as opportunistic malware activity or exploit attempts against public-facing resources). Those insights need to be mapped to risk and form the basis for policy or technology changes.
Seasoned security leaders know that the "what" of cybersecurity is more important than the "how." Security leaders need to give their organizations confidence that cyber risk can be limited and mitigated to enable growth. As more organizations develop or continue to invest in their cybersecurity programs, it's important to realize that repeatable, predictable outcomes do more to mature a program than a tool that adds one new capability or a marginally better detection rate. Throughout our long history in this still-emerging industry, we've seen the adversary evolve in ways that outpace the traditional methodologies for prevention and detection. MDR helps deliver better outcomes by maximizing visibility, reducing complexity, and increasing response speed. It is a market-need-driven offering that illustrates what the future of cybersecurity services looks like.