The cybersecurity threat landscape is continuously evolving, with the frequency and impacts of threats like malware and ransomware increasing every year. Today, organizations of all sizes and in every industry sector must be proactively searching for emerging threats and actively monitoring risk to protect themselves – and respond quickly in the event that a threat is identified. Amid this challenging threat landscape, organizations are struggling to find enough cybersecurity professionals to staff their teams. Globally, there is a cybersecurity worker shortage of nearly 4 million. So how can companies undertake proactive threat detection and response during a vast skills shortage?
Cybersecurity is no longer limited to locking down endpoints and putting firewalls around an organization. Businesses today must monitor continuously for threats, hunt for the ones no alert has fired on, and be prepared to respond at any moment. Technologies like extended detection and response (XDR) and security information and event management (SIEM) correlate data from many sources, surface detections and support investigations, but on their own they only find what a rule, signature or model already describes; the proactive elements of a security program, such as hypothesis-driven hunting and decisive response, still depend on people. Without the right expertise, organizations won't get the value they expect from these technologies. Likewise, a traditional managed security service provider (MSSP) that focuses on monitoring logs and alerts is missing a large part of the picture and can generate many false positives and low-value work for its customers.
Increasingly, organizations are turning to managed detection and response (MDR) services. MDR is one of the fastest-growing areas of cybersecurity; the analyst firm Gartner estimates that 50 percent of organizations will be using MDR services by 2025. Yet there is often confusion in the industry about what MDR services should include and who is best equipped to provide them. Some boutique providers specialize in MDR but offer very limited adjacent capabilities and telemetry support. Some MSSPs claim to provide MDR but are, in reality, only reactively investigating automated alerts. Before investing in more cybersecurity technologies and services, organizations must understand the true value that MDR services can deliver, the differences between MDR and other managed security services, and how to choose the right partner.
Getting the Most Out of Your Security Spend
Even when an organization has the budget to do so, the effort, time and expertise needed to establish 24/7 threat detection and response capabilities in-house can be overwhelming. Deploying and properly configuring complex technologies like XDR and SIEM platforms across a large number of endpoints, servers, clouds and networks can often take months. Even after these technologies are implemented, it takes further time for an organization's in-house security analysts to gain expertise on the systems, learning how to properly configure and maintain them.
In contrast, an experienced MDR provider can dramatically reduce the time-to-value of cybersecurity solutions, helping an organization reach its expected ROI much sooner. By using endpoint detection and response (EDR) agents that can be rolled out rapidly, and the XDR evolution of EDR that includes out-of-the-box integrations with cloud infrastructure, a good MDR provider can have a high-fidelity service running within an organization in a matter of hours rather than months, so that monitoring for emerging threats begins almost immediately.
Another significant benefit of an MDR service is that it can improve the return on investment (ROI) of the cybersecurity tools an organization already owns. Many organizations buy top-of-the-line security technologies and then lack the expertise and resources to configure them properly and use them to full advantage. A good MDR provider brings deep experience with these technologies, round-the-clock monitoring, and threat intelligence gathered from other client environments, giving an immediate boost to your cybersecurity capabilities, coverage and expertise.
What to Look for in an MDR Provider
Effectively detecting and responding to the advanced threats targeting organizations today requires a sophisticated mix of people, process and technology. Knowing what to look for in an MDR provider will help organizations get the value they seek out of their cybersecurity program:
- Technology: Early MDR services were very endpoint-focused, helping organizations operationalize their EDR solutions. Today, threat detection, including threat hunting, must go far beyond an organization's endpoints. As businesses have moved more of their IT infrastructure to the cloud and more people work remotely, the number of potential risks, vulnerabilities and entry points into an organization has grown sharply. A strong EDR deployment is still a good starting point, but organizations should look for an MDR provider experienced with XDR and SIEM technologies that can bring together threat telemetry and forensic data from across the broader IT infrastructure, including networks, email, cloud infrastructure and more.
- Detection: Threat hunting is one of the most important aspects of MDR services, but the methods providers use vary greatly. Most MDR services include threat hunting on at least a periodic basis, yet the sophistication differs widely, so look closely at how a provider detects threats. Is it human-led, hypothesis-driven hunting, or merely automated searching for known indicators of compromise (IOCs)? An IOC search can only find what is already on a list; a hypothesis-driven hunt starts from how adversaries behave (for example, an Office application spawning a command interpreter) and can surface activity for which no indicator exists yet. Many traditional MSSPs claim to offer threat hunting based on log data, but that approach sees only what was logged, and only after the fact. Threat hunting needs to interrogate systems for their current state (running processes, persistence mechanisms, open connections) as well as examine historical data. A quality MDR partner combines human-led hunting with 24/7 monitoring and real-time analysis and investigation.
- Response: Response is another area where levels of service differ greatly. For some MDR providers, a response means simply recommending how to proceed. To get more value from your MDR service, look for a provider that responds by containing threats and keeping them from spreading further. Rather than stopping at notifying and alerting, your MDR provider should be able to act remotely on your organization's endpoints, within the network, or in other applications to isolate systems and stop threats in their tracks. Agree up front on the scope of that authority: which actions the provider may take immediately (for example, isolating a single workstation) and which require your approval (for example, disabling an account or isolating a server that critical business processes depend on).
- Research Capabilities: Threat intelligence is often the foundation for effective detection and threat hunting. Look for an MDR provider that has an active research arm and can incorporate external cyber threat intelligence, so that you benefit from the latest information on emerging threats around the globe. Understand how they conduct their research and curate threat intelligence. By studying adversaries and their techniques, reverse-engineering malware, conducting breach investigations and more, a strong research team helps organizations stay a step ahead of threats.
- Field-Tested Experience: If you will be giving your MDR partner the ability to make changes within your environment in order to respond to threats, make sure they have field-tested incident response experience. Hasty responses have negative consequences of their own, such as shutting down systems and business processes unnecessarily. You need to know that your MDR provider has field-tested judgment about which actions to take, and a mature, documented methodology for the incident response process.
- Culture: An important aspect that organizations often overlook is culture. Consider the provider's operating model, how they will work with your organization, and their demeanor in your interactions. Are they the type of people you want to work with? Are they credible, and do they enjoy a good reputation in the industry? Are they of large enough size that they'll be able to provide a consistent, long-term partnership? These are all questions to consider when determining if their company culture is a good fit with your own.
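The contrast drawn under "Detection" above, between automated IOC matching and a hypothesis-driven hunt, as an added example that is not part of the original article and not any provider's own tooling. The process-creation telemetry, the fake hashes and the IOC feed below are constructed for the example; the Office-application and interpreter name lists are assumptions, trimmed for illustration.

```python
from collections import defaultdict

# Constructed process-creation telemetry for a small fleet (sample data,
# not from any real environment). Each record is
# (host, parent_image, child_image, child_sha256), with short fake hashes.
TELEMETRY = [
    ("ws01", "explorer.exe", "winword.exe", "5a1f"),
    ("ws01", "winword.exe", "powershell.exe", "9c0d"),   # macro -> shell, no IOC
    ("ws02", "explorer.exe", "outlook.exe", "77e1"),
    ("ws02", "outlook.exe", "winword.exe", "5a1f"),
    ("ws02", "services.exe", "svchost.exe", "b2b2"),
    ("ws03", "explorer.exe", "excel.exe", "c3c3"),
    ("ws03", "excel.exe", "cmd.exe", "d4d4"),            # macro -> shell, no IOC
    ("ws03", "cmd.exe", "mshta.exe", "e5e5"),
    ("ws04", "explorer.exe", "dropper.exe", "ffff"),     # hash is on the IOC list
    ("ws04", "services.exe", "svchost.exe", "b2b2"),
    ("ws05", "services.exe", "svchost.exe", "b2b2"),
]

# Constructed IOC feed: the only thing an automated indicator search knows.
KNOWN_BAD_SHA256 = {"ffff"}

# Hypothesis vocabulary (assumed lists, trimmed for the example).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


def ioc_search(telemetry, bad_hashes):
    """Automated IOC matching: flag records whose hash is already on the list."""
    return [(host, child) for host, _parent, child, sha in telemetry
            if sha in bad_hashes]


def _descendants(children, host, image, seen):
    """Depth-first walk of the process tree below `image` on one host."""
    out = []
    for child in children[(host, image)]:
        if child not in seen:
            seen.add(child)
            out.append(child)
            out.extend(_descendants(children, host, child, seen))
    return out


def hunt_office_to_interpreter(telemetry):
    """Hypothesis-driven hunt: Office applications have no business spawning a
    command interpreter. Flag every such event and reconstruct what the
    interpreter went on to launch, so the analyst sees the whole chain."""
    children = defaultdict(list)
    for host, parent, child, _sha in telemetry:
        children[(host, parent)].append(child)
    findings = []
    for host, parent, child, _sha in telemetry:
        if parent in OFFICE_APPS and child in INTERPRETERS:
            chain = [parent, child] + _descendants(children, host, child, {parent, child})
            findings.append((host, chain))
    return findings


def compare(telemetry, bad_hashes):
    """Which hosts each method surfaces; the hunt-only set is what an
    IOC-only service would have missed entirely."""
    ioc_hosts = {host for host, _ in ioc_search(telemetry, bad_hashes)}
    hunt_hosts = {host for host, _ in hunt_office_to_interpreter(telemetry)}
    return {
        "ioc_only": ioc_hosts - hunt_hosts,
        "hunt_only": hunt_hosts - ioc_hosts,
        "both": ioc_hosts & hunt_hosts,
    }


if __name__ == "__main__":
    for host, chain in hunt_office_to_interpreter(TELEMETRY):
        print(host, " -> ".join(chain))
    print(compare(TELEMETRY, KNOWN_BAD_SHA256))
```

On this sample the IOC search flags only ws04, while the hunt surfaces ws01 and ws03, where nothing matched any indicator. In practice the same walk is run against telemetry the provider can query live from its EDR or XDR platform, and the same structure serves any parent/child hypothesis, not just Office applications launching interpreters.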
A quality MDR provider does much more than monitor alerts: it actively interrogates endpoints, conducts threat research and hunting, performs forensic investigations, and responds quickly to incidents to limit their impact. It brings insights and contextual knowledge about threats and vulnerabilities derived from other client environments, which make it more effective in yours. Lastly, its expertise with complex cybersecurity technologies and tools lets it optimize your existing investments, speeding time to value and improving ROI.
All of this affirms that choosing the right MDR provider is perhaps the most important security investment of all.