Don’t have a team of security experts and trained incident responders ready to respond and remediate the latest threats? You’re not alone, most organizations, especially at the mid-size, struggle to adequately staff their security teams to meet the rising number of threats. This is one of the reasons why organizations increasingly look to an outside partner to help them manage their endpoint detection and response.
This market -- called Managed Detection and Response (MDR) – is growing rapidly. According to Gartner, “by 2024, 25 percent of organizations will be using MDR services, up from less than 5 percent today.”1 But confusion around vendor selection and what effective MDR looks like is high. The sheer number of providers capitalizing on interest in “MDR” is growing by the day, but their capabilities vary wildly. Gartner noted that “some MDR buyers are already considering, or have already moved to, their second provider due to mismatched expectations and unfitting outcomes.”2 We believe that getting it right the first time is critical.
We talked to Brian Hussey, vice president of Cyber Threat Detection and Response at Trustwave, and Martha Vazquez, Senior Research Analyst at IDC, to find out what organizations should do to prepare their organization for effective endpoint detection and response and what to look for in an MDR provider.
Brian Hussey explains how he defines MDR: “MDR refers to 24/7 monitoring, analysis, investigation and containment across an organization's network, specifically their endpoints, by a professional team of security analysts and forensic investigators. The proper EDR technology should provide sufficient visibility, correlation and contextualization into the relevant events for an analyst to formulate a root-cause chain that enables rapid response and containment in a compromise or breach scenario.”
Martha Vazquez noted that IDC is seeing a strong push for managed detection and response offerings compared to traditional managed security services. “The demand for MDR is driven in demand by organizations that need to outsource advanced detection tools and technologies from security service providers. Demand for security services continue to be driven by the need for protection against these advanced security threats, 24X7 support and security expertise, improved availability and performance and for access to new emerging security technologies.” So, in other words, there are two main components to MDR that we will dive into — the tool and the team effectiveness.
Is your EDR tool capable?
Before you can respond appropriately to any event or potential problem, you need to ensure your tool is capable and offers the right kind of detection and response for your organization and environment. According to Brian, that comes after you’ve done your due diligence, assessed your organization’s risk tolerance, and identified what your most valuable assets are and where they lie within your environment. Then you can choose a tool that works within those specifications. However, Hussey also strongly recommends that your tool provides the right kinds of alerts and allows you to add customized behavioral rules, threat intel and if/then rules for better detection.
Martha added that In an IDC U.S. Managed Security Services survey, 31.1 percent of organizations believe that advanced detection tools such as capturing network data to analyze user behavior was the most effective in detecting threats.
Hussey explained, “A tool that provides thousands of alerts on a daily or hourly basis will render teams ineffective —they’re inundated and can’t separate the important alerts from those that are just noise. And without customization options for your tool, you’re essentially stuck in the past. Modifying your tool based on new threats and attacks will provide a better understanding on how your network can be compromised.”
How comprehensive your tool is also affects how well you can respond should an event occur. “Any EDR tool worth its salt should include deep forensic investigation capabilities, allow you to reverse engineer malware, extract malicious code, and essentially learn from any attack to give your team more information to protect and defend against another attack, especially a similar one,” He added. This brings us to our next point:
Is your team capable?
Having a tool that can ingest the right kind of threat intel and produce detailed and granular information about a potential attack, a network intruder, or a malware strain is one thing. But having the right team to be able to use, break down, and analyze that information, is another.
Martha explained, “From IDC's perspective, the biggest challenge that organizations face around MDR is what it all means and what core technologies and tools should be included in this type of offering. Many customers believe that MDR includes only one component such as endpoint detection and response, but that is not the case as it should include several other advanced technologies as well as human expertise. The combination of advanced technologies and tools, people and methodologies used should be included to help an organization make an effective business outcome for the organization.”
Skillset is important when it comes to effective detection and response. You may not be able to effectively respond to an important alert if your team is just made up of network analysts - a team with an updated skillset is necessary.
“Endpoint forensics and forensic analysis used to be esoteric but it’s now a mainstream security discipline,” says Brian. “But at the same time, it’s different from other security disciplines and the standard network analysis most security organizations deploy. It’s a completely different practice and science.”
Here’s where, if you haven’t yet, you’ll have to consider working with a partner in order to have a fully managed detection and response system within your organization. If training your team or bringing in new talent will take too long or cost too much, then you should find a partner who will provide the resources you need.
What does an effective response look like?
Brian says that not every organization can afford to do a deep dive on every alert. How an organization responds, whether they should click the ‘kill process’ button or conduct a deep forensic analysis of an attack, depends on several considerations:
- The data that the organization needs to protect
- How risk tolerant the organization is
- What is the alert communicating?
This comes back to our earlier points. Knowing what your most valuable asset is helps you discern when an alert or an attack requires extensive investigative resources or not. Having an understanding of your risk tolerance can also guide how you react to these alerts. For example, government organizations or those in the healthcare industry that are high-value target may look into more common alerts as they may be a sign of a bigger attack to come.
What an attack or alert is also matters. If the attack is localized and doesn’t look like it’ll expand beyond its initial reach (cryptomining, for example), then an organization can kill the process, perform a quick sweep of their environment, and move on. However, if there’s a lot of lateral movement within the environment, multiple vectors are being attacked, or if there’s a data breach or dump involved and/or multiple accounts are compromised, then a deep dive is likely necessary.
This is why it’s important that your tool allows customization and that your team can perform the necessary analysis. With each forensic analysis and deep dive your team can handle, they’re adding more and more information and behavioral rules to your tool that will only make your detection and response better in the future.
Preparing your organization for effective MDR
For most organizations, the challenge lies in finding the right team to manage their detection and response tool. If an organization doesn’t have the right manager to hire new talent or can’t invest the time or resources, then they should consider having a partner. A partner can also fill the gaps that a well-built security team can’t. For example, ensuring there’s 24/7 and year-round detection and response while also ensuring that there aren’t gaps in security if employees leave, given that retention is also a challenge for cybersecurity organizations.
Bringing in a partner early on can also be helpful as they can advise or consult on which EDR tools will be most effective and useful given your organization’s specific needs, team, and budget, among other considerations. Having a partner to help you manage your detection and response will ensure you’re protecting your organization and learning which each challenge.
Martha added, “With MDR done correctly, organizations will be able to have a team of experts that can assist with various security needs, and assist the organization in making better security decisions, outcomes and effectiveness. In addition, organizations that have limited security visibility can use MDR services to detect and respond faster to advanced threats or attacks than doing it in-house."
Learn more about Trustwave Managed Threat Detection and Response here.
Cas Purdy is vice president of corporate marketing and communications at Trustwave.
1Source: Gartner, “Ask These Critical Questions and Consider These Risks When Selecting an MDR Provider” by Toby Bussa, Kelly Kavanagh, Craig Lawson, Pete Shoard, 31 October 2019
2Source: Gartner, “Ask These Critical Questions and Consider These Risks When Selecting an MDR Provider” by Toby Bussa, Kelly Kavanagh, Craig Lawson, Pete Shoard, 31 October 2019