Introduction to MDR
Managed Detection and Response (MDR) is crucial in the ever-evolving cybersecurity landscape. MDR blends cutting-edge technology with human expertise, offering unparalleled threat-hunting, monitoring, and response capabilities. The primary advantage of MDR is its ability to swiftly identify and mitigate threats, thereby circumventing the need for additional staffing.
Business Challenges for MDR Adoption
Staffing and Resources
The solution typically deployed by organisations to monitor for potential threats and vulnerabilities is a Security Operations Centre (SOC). A SOC is a combination of tools, people, skills and processes that, when built and operated successfully, can dramatically reduce the risk of cyber-attacks that all businesses face. Among the critical skills and toolsets is an MDR service. The MDR ingests and analyses the information provided by the other data sources, such as system logs collated by a SIEM, endpoint systems, network traffic monitors and other applications and devices. It helps the SOC team detect real threats and filter out benign or false-positive alerts, allowing them to focus on investigating the highest-priority security events and alerts.
A successful SOC must operate on a 365 x 24 x 7 basis, monitoring activity on the IT infrastructure around the clock every day of the year. SOCs that work only regular business hours are exposed to attacks while monitoring is not in progress. There are, however, several challenges that organisations face when implementing and operating a SOC independently:
- The setup costs can be extremely high. At a minimum, the organisation would need to build a dedicated operations room or area that could operate 24/7 with the associated IT facilities. Licenses for the SOC applications and tools would need to be purchased, followed by an implementation project to establish the operational system. For a large organisation, these could amount to almost £2M.
- The SOC would need to be resourced on a 365 x 24 x 7 operating model, so the appropriate number of full-time staff would need to be recruited and deployed. Typically, this would be a minimum of two staff per shift.
- In large organisations, there are typically thousands of events per day that the system logs record that the SOC staff need to process. Processing is essential to filter out the benign events, false positives, and low-priority alerts so the team can focus on the higher-priority events that pose a risk.
- A viable option for organisations would be to outsource the SOC. Outsourcing this essential function would provide many benefits:
  - There would be no need to build a physical SOC facility, invest in additional IT infrastructure or purchase software licences.
  - The outsourcing partner would resource the SOC function, removing the need for the organisation to hire additional staff.
  - Depending on the service provider selected and their technology, larger volumes of events per day can be assessed and categorised using the system's intelligence, whilst their senior-level staff focus on the priority events and threats.
Alert Fatigue
Managing the many alerts generated by different security technologies is a significant challenge. The issue is compounded by the growing number of endpoints introduced by IoT, remote workers and hybrid networks. Every alert requires substantial time and expertise, which an in-house team may not possess. MDR (Managed Detection and Response) can help bridge this gap by providing 24/7 coverage and expert response to significant threats. There are usually thousands of events per second (EPS); critical alerts can easily be missed when faced with such a large number of notifications, but with an MDR system it is possible to review all of them. Additionally, what appears to be a threat may turn out to be harmless, yet it still takes valuable team time to investigate. This is where the AI component of a good MDR solution, together with Core to Cloud, comes in to investigate legitimate threats.
How MDR Works
MDR operates through remote monitoring, detection and response. Leveraging an Endpoint Detection and Response (EDR) tool for visibility into security events, MDR combines that telemetry with relevant threat intelligence and forensic data. Human analysts then triage alerts, decide the appropriate response, eliminate threats and restore affected endpoints, blending human and machine capabilities.
Core Capabilities of MDR
- Prioritisation: Managed prioritisation streamlines alert assessment, distinguishing actual threats from false positives using automated rules and human inspection.
- Threat Hunting: Human threat hunters with extensive expertise identify and alert on evasive threats, complementing automated detection systems.
- Investigation: Managed investigation services enrich security alerts, providing a comprehensive understanding of threats for effective response planning.
- Guided Response: Guided response offers actionable advice that helps contain and remediate specific threats, from isolating systems to sophisticated recovery methods.
- Remediation: Managed remediation ensures a complete recovery, removing malware, cleaning the registry, preventing further compromise, and restoring systems to a known good state.
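As an added illustration of the Prioritisation stage above and of the alert-fatigue problem described earlier (this is example code, not Core to Cloud's or the article's own), the following triage function suppresses known-benign alerts, collapses duplicates into one case, and scores what remains by severity and asset criticality so that only cases above a threshold reach a human analyst. The sample alerts, allowlist, criticality map and threshold are all constructed values for the example.

```python
from collections import defaultdict

# Constructed sample alerts, shaped like what an EDR/SIEM would hand to an MDR pipeline.
SAMPLE_ALERTS = [
    {"id": 1, "host": "ws-042", "rule": "powershell_encoded_cmd", "severity": "high", "user": "jdoe"},
    {"id": 2, "host": "ws-042", "rule": "powershell_encoded_cmd", "severity": "high", "user": "jdoe"},
    {"id": 3, "host": "db-01", "rule": "new_local_admin", "severity": "medium", "user": "svc_backup"},
    {"id": 4, "host": "ws-017", "rule": "av_signature_update", "severity": "low", "user": "SYSTEM"},
    {"id": 5, "host": "dc-01", "rule": "lsass_access", "severity": "critical", "user": "jdoe"},
    {"id": 6, "host": "ws-099", "rule": "new_local_admin", "severity": "medium", "user": "helpdesk_auto"},
    {"id": 7, "host": "ws-003", "rule": "usb_device_inserted", "severity": "low", "user": "asmith"},
]

# Automated rules an MDR platform would maintain (assumed, illustrative values).
KNOWN_BENIGN = {("av_signature_update", "SYSTEM"), ("new_local_admin", "helpdesk_auto")}
ASSET_CRITICALITY = {"dc-01": 5, "db-01": 4}  # unlisted hosts default to 1 (workstations)
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 5}
ESCALATION_THRESHOLD = 3  # cases scoring at or above this go to a human analyst


def triage(alerts):
    """Return (queue, suppressed_ids): queue is sorted highest score first and each
    case carries the ids of the raw alerts it represents."""
    suppressed = []
    groups = defaultdict(list)
    for a in alerts:
        if (a["rule"], a["user"]) in KNOWN_BENIGN:   # allowlisted rule/user pair
            suppressed.append(a["id"])
            continue
        groups[(a["host"], a["rule"], a["user"])].append(a)  # dedupe on host+rule+user
    queue = []
    for (host, rule, user), items in groups.items():
        score = SEVERITY_WEIGHT[items[0]["severity"]] * ASSET_CRITICALITY.get(host, 1)
        queue.append({
            "host": host, "rule": rule, "user": user, "score": score,
            "count": len(items), "ids": [i["id"] for i in items],
            "escalate": score >= ESCALATION_THRESHOLD,
        })
    queue.sort(key=lambda c: (-c["score"], -c["count"]))
    return queue, suppressed


if __name__ == "__main__":
    cases, dropped = triage(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(cases)} cases, {len(dropped)} suppressed")
    for c in cases:
        action = "ESCALATE to analyst" if c["escalate"] else "auto-close / monitor"
        print(f"score {c['score']:>2} x{c['count']} {c['host']} {c['rule']} ({c['user']}): {action}")
```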
Benefits of MDR
Organisations adopting MDR witness a drastic reduction in time-to-detect, from months to minutes. Beyond rapid threat identification, MDR offers the following benefits:
- Enhanced security posture and resilience through optimised configurations.
- Identification and prevention of hidden, sophisticated threats via continuous managed threat hunting.
- Effective response to threats, restoring endpoints through guided response and managed remediation.
- Reallocation of staff from reactive incident response to more strategic projects.
How MDR works with other Endpoint Protection Solutions
MDR + EDR
Endpoint Detection and Response (EDR) is a component of a SOC. EDR focuses on endpoint devices, such as workstations, laptops, servers and mobile devices, and is vital for identifying malware and viruses. An agent is installed on each device, enabling the platform to flag any anomaly and notify the team. At the same time, it can be integrated with the MDR service, which responds to the alerts the EDR generates. By adding human expertise, mature processes and threat intelligence, the combination of EDR with MDR delivers enterprise-grade endpoint protection without the need for an extensive security staff.
MDR + MSSP
We’ve now explored the relationship between the various technology components, people and processes that make up an effective SOC. An organisation then needs to answer the key question: ‘Should I build my own SOC, or should I use the services of a Managed Security Service Provider (MSSP)?’ In other words, the business must decide on its strategy: build or outsource?
There are various considerations before making this decision, including:
- Can I afford to build a SOC from scratch?
- Do I have the current and future skills and number of resources needed to operate a SOC 24/7?
- Which option is the most economically viable?
- Where do I want the responsibilities to lie?
- How do I choose and integrate the right toolsets to the greatest effect?
The most straightforward decision criterion is economic viability. If your business is a small to medium enterprise or a public sector organisation, then contracting the services of an MSSP is the most cost-effective solution, with annual costs being a fraction of the SOC build price. For example, the capital investment of building a SOC could fund 8-10 years of a managed service from an MSSP. For larger organisations, where the cost of building a SOC would be a small percentage of their IT spend, an outsourced service can still be attractive if the CFO prefers operational expenditure to capital spend. The other consideration is people skills and staff retention: outsourcing hands the challenge of maintaining resources and capabilities to the service provider rather than the in-house security team.
How to Choose an MDR Service – 5 Key Questions
- Expertise of Analysts: Ensure the MDR vendor provides new skills and maturity without necessitating additional staff, emphasising knowledge transfer.
- Data Access and Timeliness: Evaluate the MDR solution's access to necessary data in real-time, with preference given to cloud-native solutions.
- Threat Intelligence: Choose an MDR vendor with a team that stays current on the latest threats, considering cultural, geopolitical, and linguistic factors.
- Communication with Your Team: Seamless communication through a central hub ensures a smooth workflow transition from the MDR team to your organisation.
- 24/7 Coverage: Confirm that the MDR service operates around the clock, acknowledging the continuous nature of cyber threats.
Conclusion
In cybersecurity, MDR emerges as a comprehensive form of protection, integrating advanced technology with human expertise. As organisations navigate the challenges posed by staffing shortages and alert fatigue, MDR offers rapid threat detection, efficient response and robust remediation capabilities. Choosing the right MDR service is therefore essential to fortify your cybersecurity posture and stay ahead of evolving threats.