Unlike legacy security solutions that alerted after nearly every log event, today’s MDR services can detect—and resolve—many security issues with minimal disruption.
A few years ago, identity theft protection company LifeLock aired a commercial that humorously contrasted its competitors’ security monitoring services with its proactive services. The clip opens with masked robbers entering a bank with baseball bats. Everyone drops to the ground in fear except for a security monitor who just stands there. The customers in the bank tell him to do something about the burglars, but he explains that he is only there to monitor the bank for robberies, not to do anything about them. The message highlighted in the commercial also serves as a fitting analogy for what many firms experienced in the early days of managed security services (MSS). From IDC’s perspective, the first generation of MSS, classified as MSS 1.0, provided the monitoring of traditional security devices and even included basic alert management. However, although they offered some guidance and recommendations, they lacked in-depth capabilities.
Over time, security service providers moved up the stack to MSS 2.0, which included machine learning (ML), artificial intelligence (AI), automation and orchestration and the use of security information and event management systems (SIEMs) to aggregate logs and compliance reporting. MSS 2.0 offerings gave organizations more visibility to their growing attack surfaces and went beyond device management, also focusing on data and apps. But there was still something lacking.
MSS 3.0—Managed Detection and Response (MDR)
A new managed security service model was needed to have a complete response lifecycle for security services in today’s threat landscape. MDR represents the third evolution of managed security services. MDR combines the tools, technologies, procedures, and methodologies used to provide full cybersecurity lifecycle capabilities for an organization.
The service utilizes vulnerability scanning and SIEM functionality, adding detection, response automation and threat hunting capabilities. These added features provide visibility down to the endpoint to ensure a complete picture of any potentially malicious activity and response orchestration to automate remediation.
For example, suppose an employee who normally logs into the corporate network from his home in Atlanta, Georgia, suddenly tries logging in from London, England. In that case, an MDR service can detect the anomaly. Before triggering an alert, however, it can check the employee’s Outlook calendar and see that he’s traveling to Europe for the week. As a precaution, the MDR service may simply require the employee to re-enter his login credentials before accessing the network.
The real genius behind MDR is how it can aggregate and observe data from multiple sources (e.g., firewalls, web proxy gateways, Active Directory, email systems) and respond intelligently. The example above highlights the difference between locking out a person’s account and alerting several admins, versus automatically verifying the user’s identity and letting him continue working with minimal disruption.
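As an added illustration of the decision logic just described (example code, not from the original article or any particular MDR product), the following Python sketch flags a login as impossible travel from the speed implied between two locations, enriches it with a constructed travel calendar standing in for the Outlook check, and then chooses between allowing the login, requiring re-authentication, and raising an alert. The city coordinates, speed threshold, sample logins and calendar entry are all assumptions constructed for the example.

```python
import math
from datetime import datetime

# Constructed sample data: two logins by the same user a few hours apart,
# and a calendar entry standing in for the Outlook travel check.
LOGINS = [
    {"user": "jdoe", "ts": datetime(2024, 3, 4, 9, 0), "city": "Atlanta", "lat": 33.749, "lon": -84.388},
    {"user": "jdoe", "ts": datetime(2024, 3, 4, 13, 0), "city": "London", "lat": 51.507, "lon": -0.128},
]
CALENDAR = {  # user -> list of (start, end, summary) travel entries (constructed)
    "jdoe": [(datetime(2024, 3, 4), datetime(2024, 3, 9), "Business trip - London")],
}
# Assumed threshold: faster than any commercial flight means the two logins
# cannot both have been made in person by the same user.
MAX_PLAUSIBLE_KMH = 1000

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def implied_speed_kmh(prev, cur):
    """Speed the user would have needed to travel between the two logins."""
    hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    return dist / hours if hours > 0 else float("inf")

def travel_in_calendar(user, ts, calendar):
    """Enrichment step: is the login time covered by a known travel entry?"""
    return any(start <= ts <= end for start, end, _ in calendar.get(user, []))

def decide(prev, cur, calendar):
    """Return 'allow', 'step_up' (re-enter credentials) or 'alert'."""
    if implied_speed_kmh(prev, cur) <= MAX_PLAUSIBLE_KMH:
        return "allow"          # physically plausible movement, nothing to do
    if travel_in_calendar(cur["user"], cur["ts"], calendar):
        return "step_up"        # anomaly explained, but verify identity cheaply
    return "alert"              # unexplained impossible travel: hand to an analyst

if __name__ == "__main__":
    print(decide(LOGINS[0], LOGINS[1], CALENDAR))   # step_up
    print(decide(LOGINS[0], LOGINS[1], {}))         # alert
```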
Intelligent security technology of this kind is also less intrusive to users than legacy security options, which can spring into action over every Windows server log entry or only after a security incident has already happened. For example, a call or email telling you that you have ransomware isn’t helpful when you already see a message on your screen with a countdown clock and a payment demand.
Besides continual security monitoring and response, MDR takes several tasks off your internal security team’s plate and:
- Provides access to security experts – MDR service providers have seasoned analysts on staff, augmenting your internal IT team with an instant security team. Additionally, those who attempt to build their own SOC find that maintaining a staff of security analysts long-term is a significant challenge. On the other hand, SOC service providers can rotate analysts into different security roles, creating higher job satisfaction and longevity.
- Is cost-effective – Compared to the cost of building a SOC, hiring seasoned analysts, implementing security solutions, and establishing response protocols, an MDR service becomes little more than a monthly operating expense.
5 Tips for Selecting an MDR Service
When considering an MDR service, here are a few key criteria you should consider:
- Your staffing – Do you have—and are you able to maintain—enough security analysts internally to provide 24×7 support for your organization? Or would it be better to outsource these tasks?
- The MDR’s visibility – A SIEM or other monitoring tool alone doesn’t provide complete visibility into threat actions. Ask about the solutions the offering is based on and review the threat visibility provided.
- The SOC provider’s staffing – Some MDR offerings include dedicated Tier 1 analysts. Be sure to understand what kind of staffing comes with your MDR service.
- The SOC provider’s expertise – Cybercriminals are constantly changing their attack strategies, which means that your MDR provider must continuously update its technology. Make sure your prospective provider follows industry best practices, including the management, growth, metrics and assessment (MaGMa) Use Case Framework (UCF). This framework gives providers control over security monitoring processes and will help them align their operations to your business and compliance needs.
- The SOC provider’s response capabilities – If an MDR provider relies on manual responses rather than automated response orchestration, proceed with caution. Organizations today face far too many daily threats for any individual to handle them manually.
MDR Isn’t a ‘Set It and Forget It’ Service
Despite the automation and intelligence built into MDR services, the garbage-in, garbage-out (GIGO) principle still applies. Therefore, you’ll need to work with your service provider to establish a starting benchmark for the service, and you’ll need to alert them if anything changes. For example, if you change from Cisco firewalls to Palo Alto or you’re retiring your email system, your SOC provider must be aware so that they can make the appropriate updates.
The need for security monitoring and response services is evident to many organizations. However, what’s also apparent is the high cost of building, staffing and maintaining an internal 24x7x365 SOC. By procuring MDR services from a reputable SOC services provider, organizations can get comprehensive security monitoring, detection and response without the staffing and overhead costs and headaches associated with doing it themselves.