As cyber-attacks grow in both frequency and complexity, there’s an urgent need to shift focus from prevention alone to early detection and rapid response.
By Stephen Osler, co-founder and business development director at Nclose
Despite managed detection and response (MDR) not being a new concept, many businesses still rely on outdated, reactive approaches, leaving them vulnerable.
The reality of modern cyber threats
We see from many high-profile attacks around the world today that cyber criminals are succeeding despite the perimeter defences organisations have in place. Breaches are practically inevitable in the modern environment.
Whenever there is a big cyber-attack and the affected company issues its public statement, it generally begins by saying it was the victim of a “sophisticated” cyber-attack. In my opinion, 95% of the time these were not especially sophisticated attacks. Instead, the attackers went undetected for long enough to do severe damage.
Businesses often focus heavily on defending against complex cyber-attacks, but the key to staying ahead lies in early detection. By centralising their telemetry and monitoring for anomalies across the entire environment, they can identify threats early and take action before the damage is done. Speed is of the essence because the attack dwell time has shrunk. In 2021, the average was around 150 days, now it’s down to less than 10 days.
Understanding true MDR
The key to cyber resilience is true MDR, which enables organisations to detect attacks and mitigate their impact extremely quickly. Gartner defined MDR services in 2016, differentiating them from Security Information and Event Management (SIEM) and Security Operations Centre (SOC) services.
The definition included ‘24/7 threat monitoring, detection and lightweight response services to customers leveraging a combination of technologies deployed at the host and network layers, advanced analytics, threat intelligence, and human expertise in incident investigation and response.’ But while many vendors say they do MDR today, a lot of them don’t.
Many businesses understand the benefits of MDR, but need clarification or guidance about what constitutes true MDR. Often, what they are buying is little more than managed endpoint detection and response (EDR), or perhaps extended detection and response (XDR), but it is not full-blown MDR.
The managed part is simple to understand. Detection is more complex. It is vitally important, but you often find vendors whose detection capabilities rely on someone else, such as the firewall or AV vendor. Some can only look inside their own toolsets. Proper MDR looks at all the telemetry and every possible log source in the environment.
The response is equally important – the managed service provider must have the capability to investigate an incident properly, understand the root cause, contact the client and help them remediate and recover quickly, no matter where the attacker was in the kill chain.
Comprehensive monitoring and analysis
At Nclose, we investigate alerts by reviewing telemetry from over 120 technologies and seeking contextual information to understand the root cause of an attack. We monitor anything and everything – from networking and authentication technology to cloud infrastructure and security tools.
Where typical vendors might use only AV as a log source, we want more. For example, we deploy other tools on the endpoints and look at Windows utilities and Active Directory. We find that having multiple log sources tells a bigger story. We’ve built toolsets that allow us to investigate very quickly, supported by our AI bot JARVIS.
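To illustrate why several log sources tell a bigger story than AV alone, here is a small correlation example added for this article. It is not Nclose's tooling or JARVIS; the pipe-delimited event format and the five sample lines are constructed for the demonstration. It stitches an AV detection, Windows Security events (logon 4624, process creation 4688) and an Active Directory group change (4728) for the same account into one timeline, and reports how long the chain of activity spanned, which is the figure an analyst uses when reasoning about dwell time. On its own the AV line is a single quarantined file; taken together with the other sources it reads as an account being used after the detection.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs) in an assumed pipe-delimited
# format: timestamp|source|host=...|user=...|msg=...
SAMPLE_EVENTS = [
    "2024-03-01T08:02:10Z|av|host=WS-07|user=alice|msg=Quarantined Trojan.Generic",
    "2024-03-01T08:05:42Z|winsec|host=WS-07|user=alice|msg=EventID=4624 LogonType=10",
    "2024-03-01T08:06:30Z|winsec|host=WS-07|user=alice|msg=EventID=4688 NewProcess=powershell.exe",
    "2024-03-01T08:09:01Z|ad|host=DC-01|user=alice|msg=EventID=4728 MemberAddedTo=Domain Admins",
    "2024-03-01T09:30:00Z|winsec|host=WS-12|user=bob|msg=EventID=4624 LogonType=2",
]


@dataclass
class Event:
    ts: datetime
    source: str
    host: str
    user: str
    msg: str


def parse_event(line: str) -> Event:
    """Parse one line of the constructed format into an Event."""
    ts, source, host, user, msg = line.split("|", 4)
    return Event(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        source=source,
        host=host.split("=", 1)[1],
        user=user.split("=", 1)[1],
        msg=msg.split("=", 1)[1],
    )


def correlate(lines, window=timedelta(minutes=30), min_sources=2):
    """Group events per account into chains where consecutive events are no
    more than `window` apart, and raise an incident for any chain that is
    seen by at least `min_sources` distinct telemetry sources."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.ts)

    chains = defaultdict(list)  # user -> list of chains (each a list of Events)
    for e in events:
        user_chains = chains[e.user]
        if user_chains and e.ts - user_chains[-1][-1].ts <= window:
            user_chains[-1].append(e)  # continues the current chain
        else:
            user_chains.append([e])    # gap too large: start a new chain

    incidents = []
    for user, user_chains in chains.items():
        for chain in user_chains:
            sources = {e.source for e in chain}
            if len(sources) < min_sources:
                continue  # a single source is an alert, not yet a story
            incidents.append({
                "user": user,
                "hosts": sorted({e.host for e in chain}),
                "sources": sorted(sources),
                "first_seen": chain[0].ts,
                # elapsed time between first and last correlated event, in minutes
                "span_minutes": (chain[-1].ts - chain[0].ts).total_seconds() / 60,
                "timeline": [f"{e.ts:%H:%M:%S} {e.source}@{e.host}: {e.msg}" for e in chain],
            })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"Incident for {inc['user']} across {inc['sources']} "
              f"on {inc['hosts']} spanning {inc['span_minutes']:.1f} min")
        for line in inc["timeline"]:
            print("  ", line)
```

With the sample data, only alice's activity becomes an incident: it is seen by three sources across two hosts within about seven minutes, while bob's lone logon stays a single-source event. Feeding only the first line (the AV alert) produces no incident at all, which is the point of the paragraph above: one source rarely carries enough context to tell the story.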
True MDR should offer both proactive and retroactive threat hunting to find incidents that traditional alerts cannot find. Threat intelligence is also crucial. MDR providers should have real-time access to both in-house and external threat intelligence sources.
In conclusion, as cyber threats continue to change and become more sophisticated, organisations need to adapt their security strategies to suit. True MDR offers a comprehensive, proactive approach that combines advanced technology with human expertise to provide robust protection against increasingly sophisticated attacks.