Trustwave Blog

Why the Tools You Choose Matter for Threat Detection and Response

Progress in the battle against cyber threats is a mixed bag. The good news is that advanced threat protection has improved significantly in the past few years. The not-so-good news is the market for solutions that address cyber threats is fragmented at best, filled with multiple vendors with varied levels of capabilities – but similar messages. How do you narrow the options and find the right fit?

With the emergence of Managed Detection and Response (MDR) services as a best practice in threat defense, the premise is that security teams are no longer left to sort out potential threats alone. Instead of correlated log alerts that place the investigation responsibility on you, MDR services are designed to provide specific recommendations for investigating findings and, with more advanced services, to remediate threats on your behalf.

In other words, MDR services should deliver a faster and more effective response. This may sound utopian, and if you are a battle-tested security veteran, the cynic in you might suspect it is too good to be true. I would agree that the devil is in the details.

By definition, MDR is a service. And a service encompasses the people, process and tools needed to achieve a desired goal. Using the field of medicine to illustrate, a surgeon is a skilled professional with significant training and experience, providing the best chance for success in the operating room. But what is the difference between an operating room doctor in 1919 and one in 2019? Besides the obvious advancement in medical knowledge, the greatest factor for increased success is the tools the surgeon has at their disposal. So, whether you are developing an internal strategy to tackle defense on your own or enlisting an MDR services provider, it's worthwhile to better understand your available tools.

MDR services typically leverage analytics-based technology (with or without log-based technology) to provide real-time basic analysis, protecting against known threats immediately while providing analysts with crucial insight into other potentially malicious activity. Endpoint-based tools are most common, although there are network-centric solutions as well. As MDR is meant to address your entire enterprise (both endpoints and network devices), comprehensive MDR services often encompass multiple types of technology.

Therein lies the challenge. Multiple tools add to complexity while reducing effectiveness. Aside from the learning curve, disparate tools often have limited or no data stream integration or correlation without additional effort, resulting in lost time and insight into potential threats. Though the collection-of-tools approach is the norm today, the market is maturing.

As advanced threats evolve and analysts continue to search for signs of more complex (and previously unknown) threats, the advancement of the underlying technology to quickly automate analysis techniques across the enterprise will be key to success. It will give experienced security analysts a significant edge in identifying potentially malicious behavior. What is the best way to take advantage of this future reality?

1) Decide on a Strategy

Security strategy is about risk mitigation. As with your overall security strategy, your organizational goals and budget will define how you move forward in defending against cyber threats. MDR services will help alleviate much of the responsibility for responding to and remediating advanced threats, but at additional upfront cost. On the other hand, threat detection tools for endpoints and networks are available for your internal security team. However, don't underestimate the cost of learning and managing these tools to make them effective for you.

2) Keep it Simple

Whether you are using external MDR services or bringing the function in house, take the time to walk through the people, process and technology that will protect your organization from threats, looking for areas of complexity. Today, there are no simple solutions to the threat dilemma, but that doesn't mean everything should be difficult. Expertise may be the most difficult parameter to evaluate, but technology is not. Ensure your technology covers the scope of the environment to be defended and then investigate the depth of defense (spoiler alert: there are more response options available for endpoints than for network devices). If you are looking for a tool set to support an internal team, don't forget to evaluate ease of use. Lastly, remember that simple is typically better. One integrated data stream is easier and quicker to analyze, compare and act on than data from multiple sources that must be processed in different ways.
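To make the "one integrated data stream" point concrete, here is an added example (written for this page, not code from the post or from any Trustwave or Palo Alto Networks product) of the integration effort that disparate tools leave to you: an endpoint tool emits JSON records keyed by hostname with ISO-8601 timestamps, a network sensor emits syslog-style lines keyed by IP address with epoch timestamps, and nothing correlates them until you normalize both into one schema, join them through an asset inventory, and cluster by time. The alert formats, hostnames, addresses, hash value, severity scales and the ten-minute window are all constructed assumptions.

```python
"""Normalize alerts from two disparate tools into one stream and correlate them.

Constructed example: the alert formats, hostnames, IPs, hash and severity scales
below are made up for illustration and do not describe any real product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json
import re

# Constructed endpoint (EDR) alerts: JSON records, ISO-8601 UTC timestamps, keyed by hostname.
EDR_ALERTS = [
    '{"ts": "2019-02-20T14:03:10Z", "host": "ws-finance-07", "proc": "powershell.exe", '
    '"sha256": "' + "deadbeef" * 8 + '", "sev": "high"}',
    '{"ts": "2019-02-20T09:15:00Z", "host": "ws-hr-02", "proc": "winword.exe", '
    '"sha256": "' + "cafef00d" * 8 + '", "sev": "low"}',
]

# Constructed network (IDS) alerts: syslog-style lines, epoch timestamps, keyed by source IP.
# 1550671420 is 2019-02-20T14:03:40Z (30 s after the first EDR alert);
# 1550647800 is 2019-02-20T07:30:00Z (1 h 45 min before the second EDR alert).
IDS_ALERTS = [
    '1550671420 ids01 ALERT sig="Outbound connection to known C2" src=10.20.30.7 dst=203.0.113.9 prio=2',
    '1550647800 ids01 ALERT sig="Port scan" src=10.20.30.99 dst=10.20.30.1 prio=3',
]

# Constructed asset inventory mapping IP to hostname: the join key without which
# endpoint and network findings cannot be correlated at all.
ASSET_INVENTORY = {"10.20.30.7": "ws-finance-07", "10.20.30.99": "ws-hr-02"}


@dataclass(frozen=True)
class Event:
    """Common schema that both tools are normalized into."""
    ts: datetime      # timezone-aware UTC
    asset: str        # hostname after inventory lookup
    source: str       # "edr" or "ids"
    summary: str
    severity: int     # 1 (low) .. 3 (high), one scale for both tools


def parse_edr(line: str) -> Event:
    rec = json.loads(line)
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    sev = {"low": 1, "medium": 2, "high": 3}[rec["sev"]]
    return Event(ts, rec["host"], "edr", f"{rec['proc']} sha256={rec['sha256']}", sev)


IDS_RE = re.compile(
    r'^(?P<ts>\d+) \S+ ALERT sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+) prio=(?P<prio>\d)$'
)


def parse_ids(line: str, inventory: dict) -> Event:
    m = IDS_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised IDS line: {line!r}")
    ts = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
    asset = inventory.get(m["src"], m["src"])        # fall back to the raw IP if unknown
    sev = {1: 3, 2: 2}.get(int(m["prio"]), 1)         # IDS priority: lower number = more severe
    return Event(ts, asset, "ids", f"{m['sig']} -> {m['dst']}", sev)


def correlate(events, window=timedelta(minutes=10)):
    """Cluster events per asset by time; report clusters that span more than one tool."""
    by_asset = defaultdict(list)
    for e in events:
        by_asset[e.asset].append(e)
    incidents = []
    for asset, evs in by_asset.items():
        evs.sort(key=lambda e: e.ts)
        cluster = [evs[0]]
        for e in evs[1:]:
            if e.ts - cluster[-1].ts <= window:
                cluster.append(e)
            else:
                incidents.extend(_emit(asset, cluster))
                cluster = [e]
        incidents.extend(_emit(asset, cluster))
    return incidents


def _emit(asset, cluster):
    sources = {e.source for e in cluster}
    if len(sources) < 2:          # a single-tool cluster is just an alert, not a correlated incident
        return []
    return [{
        "asset": asset,
        "sources": sorted(sources),
        "severity": max(e.severity for e in cluster),
        "start": cluster[0].ts.isoformat(),
        "events": [e.summary for e in cluster],
    }]


def build_incidents():
    """Parse both constructed feeds into the common schema and correlate them."""
    events = [parse_edr(l) for l in EDR_ALERTS] + [parse_ids(l, ASSET_INVENTORY) for l in IDS_ALERTS]
    return correlate(events)


if __name__ == "__main__":
    for inc in build_incidents():
        print(json.dumps(inc, indent=2))
```

Only the finance workstation produces a correlated incident: its endpoint alert and the outbound-C2 network alert land on the same asset within thirty seconds. The HR workstation has one alert from each tool too, but hours apart, so it stays as two separate low-priority alerts. Every piece of that result depends on plumbing (timestamp formats, severity scales, the IP-to-host join) that an integrated data stream gives you for free and a collection of tools does not.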

3) Embrace Uncertainty

Not to be Captain Obvious, but you don't know what you don't know. As IT and security professionals, we have to resist the tendency to systematically layer solutions to increase our security posture and declare victory. In the battle against threats, we must embrace uncertainty and assume that even the best of plans can fall to an unknown threat. So, whether you leverage your internal security team or employ MDR services, have a clearly defined plan for where you or your provider would turn for help in a worst-case scenario.

***

One final note: Trustwave partner Palo Alto Networks is an early leader in a trend toward a holistic approach to advanced threat protection. With the release of Cortex XDR, Palo Alto Networks has migrated advanced endpoint detection and response technology into its Traps advanced endpoint protection product, while integrating network-related findings from network and cloud-based devices. Samples surfaced in XDR data can also be submitted for execution in Palo Alto Networks' automated malware analysis service (WildFire), compared against similar threats in the company's threat intelligence repository (AutoFocus), and given additional context from Palo Alto Networks threat research (Unit 42) or third-party threat intelligence.

And if you're heading to RSA Conference 2019, be sure to visit Trustwave at booth #5565 in the north hall, where Trustwave VP of Systems Engineering Steven Baer and Palo Alto Networks MSSP Systems Engineer Marcello Lima will discuss how a fully managed service offering that fuses threat detection and response across your network can significantly mitigate the negative outcomes of cyberattacks. Their talk is scheduled for 1 p.m. on Wednesday.

Scott Stevens is a product management director at Trustwave.