Why Organizations are Turning to Managed Extended Detection and Response
By: Nick Cavalancia
Phishing attacks are at an all-time high, with the number of attacks observed in the second quarter of 2022 nearly quadrupling since the same period in 2020. In addition, ransomware payments and the average target organization size have both reached their highest values ever. The natural result of a thriving cybercrime economy is that it's only going to evolve and improve in its execution.
Traditionally, organizations have relied on a layered security model – one that primarily revolves around protection, prevention, and detection. While these aspects of cybersecurity certainly have a place in an overall cybersecurity strategy, the current growing effectiveness of cyberattacks demonstrates that an ability to respond is equally needed. Take the analysis of the average lifetime of a malware sample used in cyberattacks: in November 2022, this figure was just 1.7 days, down from 2.3 days in Q2 of 2021. This means, almost daily, threat prevention and detection solutions are facing malware they have never seen before. And with an average of about one in nine attacks making its way past security defenses and all the way to a user's inbox and endpoint, your default cybersecurity stance should be based on the premise that some small percentage of attacks will get past your defenses.
And according to a new report from Cybereason, there's an uptick in cyberattacks on weekends and holidays — a period when two-thirds of organizations are operating with half of their IT staff or less. When compared with attacks occurring during office hours, about one-third of organizations take longer to assemble their response team for a weekend or holiday attack.
So, what does that mean for cybersecurity strategies that primarily seek to prevent attacks from happening?
In short, it's not enough.
What's necessary is a renewed focus on round-the-clock threat monitoring and response technologies, services to help organizations quickly identify an attack and its scope, and the ability to respond rapidly to mitigate the threat before it has an impact. But many organizations lack the budget, staff, infrastructure, expertise, and experience to quickly and cost-effectively build and maintain an internal Security Operations Center (SOC). Therefore, they look for managed detection and response services, where some or all of the environment is monitored 24x7 by an outsourced SOC. The outsourced SOC comes equipped with a team of security analysts, and the playbooks and automations they need to be prepared to address a detected threat. But for many organizations, finding the right managed service provider is a journey.
The Inevitable Path to Managed XDR
Every organization that desires to outsource the detection of and response to threats is looking for monitoring coverage to be as comprehensive as possible. No one wants to pay a service to watch just a portion of the network while threat actors compromise the part that isn't under surveillance. A number of technologies and services have evolved to address this. Let's look at each as we walk through the various means of detection and response.
It started with EDR
Many organizations likely started with endpoint detection and response (EDR) as a means of automating the response to attacks by way of endpoints. But for attacks in which the initial attack vectors are vulnerabilities or remote access/VPNs, EDR isn't effective, since it only identifies and responds to threats on the endpoint.
Then came MSSPs
Managed Security Service Providers are often seen as a means to handle the work of monitoring (read: detection) and of responding to detected threats. But many MSSPs want their customers to adopt the MSSP's service-centric holistic approach that includes other managed services, such as managing the firewalls, vulnerability scanning and management, risk and threat modeling, penetration testing and vulnerability assessments, security audits, and more. For organizations that want to address threat detection and response, the MSSP may offer more than is currently needed.
MDR: The Next Step
For many organizations — especially those experiencing a gap in SOC coverage — security vendors began marrying software solutions with personnel to create managed detection and response (MDR) solutions: a catchall term for any kind of detection and response service that is managed by a vendor. MDR quickly became the go-to service for many organizations with smaller IT and cybersecurity teams because it was a cost-effective way to provide continual monitoring with high response efficacy while augmenting the internal IT staff.
With MDR, the ideal solution for many organizations was within sight. But an MDR solution, no matter how skilled its management staff, is still only as comprehensive as the software that equips and enables its threat detection and response. With the attack surface rapidly expanding and diversifying, MDR solutions with traditional endpoint and network detection were still falling short of organizations' needs.
At Last, the Answer: Managed XDR
The pivotal step in this evolution of technology and services is a mixture of two concepts: MDR plus extended detection and response (XDR). The result is the first fully realized managed detection and response solution, Managed XDR. The “extended” in XDR refers to monitoring the entirety of the enterprise. That includes everything on-premises as well as cloud-based platforms, cloud infrastructure, SaaS applications and data, IoT, OT, and more.
With Managed XDR, organizations can finally realize the full benefits of MDR. These benefits include faster mean time to detection and mean time to response, as well as cost-effective offloading of detection and response to a dedicated SOC and analyst team. Additionally, Managed XDR delivers faster and more effective automated response, and a unified approach for monitoring and response that includes every part of the organization's environment.
So, why should you consider Managed XDR?
Let's recap from the journey above:
- Comprehensive threat detection and response is an absolute must: A mature cybersecurity strategy needs to assume that despite the best efforts of threat protection and prevention solutions, some portion of attacks will get through. This makes the monitoring for and response to threats essential to every cybersecurity stance.
- Threats don't sleep: Threat actors don't work “9 to 5” hours, and neither can your cybersecurity strategy. Organizations must assume a continual preventive and responsive stance against threats.
- Attacks can happen anywhere: Initial attack vectors like vulnerabilities, phishing, remote access/VPN, and social engineering can result in a compromise of a system, application, or platform everywhere your attack surface resides. Any detection and response must cover every millimeter of that environment, whether on-premises or in the cloud.
- Get a full team on the ground: Too many organizations simply don't have the resources to cost-effectively design, build, staff, and maintain a full-service SOC. But every organization can meet this standard — a SOC available 24/7/365 — through managed services, coupled with extended detection and response technology to incorporate the latest advances in detection technology.
Managed XDR ensures that the entire organization is under careful watch for threats, and that any detected threat is neutralized and remediated quickly, effectively, and accurately.
To learn more about how Secureworks® Taegis™ ManagedXDR can change your security stance and yield better ROI and security outcomes for your organization, visit secureworks.com/taegis.