From the DATASHIELD Resource Library:
Managed Detection and Response (MDR) for Intelligent Organizations
July 29, 2019
Outlined below is a brief synopsis of what MDR is, how it is different and valuable as well as how it is delivered.
MDR (Managed Detection and Response) is the ability to focus on a true threat instead of millions of alerts and notifications from various tools. MDR providers deliver services for buyers looking to implement or improve their threat detection, response, and continuous-monitoring capabilities. MDR includes 24x7 monitoring, analysis, and customer alerting of validated security events, with incident triage performed by an actual person. Instead of a constant, high volume of alerts, MDR produces a stream of validated, investigation-worthy events, rich in context, analytical detail, and remediation recommendations. This capability is enabled by a synthesis of multiple reporting sources.
Threat detection utilizes logs, netflow, full packet capture, endpoint data, and advanced intrusion detection technology to constantly monitor all traffic on your network – not just events that trigger an alarm. When suspicious indicators are detected, an MDR analyst investigates to determine whether a real threat or incident exists. For a validated incident, all critical data is collected and delivered in a comprehensive report that gives the client a granular view of what is happening and how to undertake remediation. The provider reconstructs the data leading up to the event and advises you on mitigation strategies for any compromised assets as well as on future prevention techniques.
An MSSP traditionally managed your SIEM (Security Incident and Event Manager) for the logs that occur in your environment. Most SIEMs focus on alerts fired by existing tools and do not correlate those events with one another. In a recent study, the Ponemon Institute found that “an organization can receive an average of nearly 17,000 malware alerts per week”. The hours invested, and the demands placed on current solutions and the personnel supporting them, make this high-volume approach untenable and impossible to scale. Existing demands on thinly spread security personnel may force them to selectively pick alerts to triage, allowing real threats to slide by unnoticed, or worse – inundating teams to such an extent that they become complacent and begin to suffer from alert blindness.
MDR, on the other hand, is a flexible, highly scalable solution. It can be deployed quickly and sees all network, endpoint, and security logs in one place, including both intrusion detection and packet capture data. MDR providers also have extensive threat intelligence knowledge and feeds, and often use this data to scan across an entire customer base. This enables customers to share in the protection offered by a multi-tenant-capable MDR: the IoCs of malware found in one client can be recycled and rescanned across all others, providing a “strength-in-numbers” approach to detection and response.
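The two mechanisms described above, folding alerts from several tools into one validated event with context, and rescanning other tenants' logs for an IoC confirmed in one tenant, can be sketched as follows. This is an added illustration, not DATASHIELD's code; the alert records, tenant names, hosts and the TEST-NET address 203.0.113.9 are all constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three reporting sources for one tenant ("acme").
ALERTS = [
    {"src": "ids",   "ts": "2019-07-29T10:00:05", "tenant": "acme", "host": "ws-17", "ioc": "203.0.113.9", "msg": "beacon signature"},
    {"src": "edr",   "ts": "2019-07-29T10:00:40", "tenant": "acme", "host": "ws-17", "ioc": None,          "msg": "unsigned binary spawned"},
    {"src": "proxy", "ts": "2019-07-29T10:01:10", "tenant": "acme", "host": "ws-17", "ioc": "203.0.113.9", "msg": "outbound to rare domain"},
    {"src": "ids",   "ts": "2019-07-29T11:30:00", "tenant": "acme", "host": "ws-02", "ioc": None,          "msg": "port scan signature"},
]

# Constructed proxy log lines for two other tenants, used for the cross-tenant rescan.
OTHER_TENANT_LOGS = {
    "globex":  ["2019-07-29T09:55:00 ws-44 CONNECT 203.0.113.9:443", "2019-07-29T09:56:00 ws-44 GET example.test"],
    "initech": ["2019-07-29T10:20:00 db-01 CONNECT 198.51.100.7:443"],
}

def correlate(alerts, window=timedelta(minutes=5), min_sources=2):
    """Group alerts per (tenant, host) into time windows; a window seen by at least
    `min_sources` distinct tools is reported as one validated, context-rich event."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):  # ISO timestamps sort lexically
        by_host[(a["tenant"], a["host"])].append(a)
    events = []
    for (tenant, host), items in by_host.items():
        cluster = [items[0]]
        for a in items[1:] + [None]:  # None is a sentinel that flushes the last cluster
            if a is not None and datetime.fromisoformat(a["ts"]) - datetime.fromisoformat(cluster[0]["ts"]) <= window:
                cluster.append(a)
                continue
            sources = sorted({c["src"] for c in cluster})
            events.append({
                "tenant": tenant, "host": host,
                "first_seen": cluster[0]["ts"], "last_seen": cluster[-1]["ts"],
                "sources": sources,
                "iocs": sorted({c["ioc"] for c in cluster if c["ioc"]}),
                "timeline": [f'{c["ts"]} {c["src"]}: {c["msg"]}' for c in cluster],
                "validated": len(sources) >= min_sources,  # single-tool noise stays unvalidated
            })
            if a is not None:
                cluster = [a]
    return events

def rescan(iocs, tenant_logs):
    """Re-scan every other tenant's logs for IoCs confirmed in one tenant's validated event."""
    return {t: [line for line in lines if any(i in line for i in iocs)] for t, lines in tenant_logs.items()}
```

Only the ws-17 cluster, seen by three tools, becomes a validated event; the lone port-scan alert on ws-02 is kept but not escalated, and the confirmed address turns up one hit in the globex logs.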
It is not impossible for an organization to implement this type of solution, but it is time consuming and expensive. Hiring and training the expertise is extremely difficult, and the specific technical know-how required to build implementations and manage data can be rare and hard to come by. As Anton Chuvakin, Research VP and Analyst for Gartner, summarizes: "...an MDR is simply an MSSP that knows how to detect actual threats..."
MDR is the best path to helping protect your business and delivering a true cyber resilience solution. Businesses face an ever-changing barrage of challenges to their cyber defenses, and organizations are struggling to deploy, manage and use an effective combination of expertise and tools to detect advanced threat actors and inside risks. A defense-only strategy is not enough to combat advanced targeted attacks that enterprises face daily. To realize true resilience, the resources in your arsenal should be skilled, precise, fast, and efficient.
Some businesses continue to invest in disparate technologies, layering multiple tools that are not sufficiently integrated, leading to longer response times, poor productivity, or at worst, expensive solutions that never realize their full potential.
Overburdened or limited security resources may not have the time (or expertise) to quickly review alerts, determine whether a legitimate threat is present on the network, and then respond before damage is done. According to Verizon, the talent shortage gap will grow to 2 million people by end of 2019. With dwell times running 150 days or longer and cybersecurity talent gaps being an ongoing challenge, visibility coupled with rapid detection, response and remediation is critical.
MDR is delivered using a combination of the right people, process and technology. It’s crucial to have experienced staff with the capability to look for the knowns and unknowns within a client’s environment. Workflows and processes are built around MDR automation, with the primary focus on quick detection and an immediate response that contains all of the details concerning an incident. Utilizing the right technology is key, including the right visibility (i.e. full session reconstruction) along with the needed logs providing granular detail on all specifics of a suspected incident. A good MDR service will act as an extension of your internal teams, take the time to understand the customer, their network, strengths and weaknesses, and critical assets, and use this information in communication with the client.