Managed Detection and Response: 3 reasons why you need itTech Trends · Jul 29, 2019
Traditional defense is traditionally reactive. You block threats. End of story. But there is no further investigation. No exploration into the who, how or why.
Firewalls, end point security and maybe even Security Incident and Event Management (SIEM) have been security mainstays for mid-sized businesses. The mentality? Detect and defend.
But what about conclusions? Blocking a threat is great, but unawareness about where that threat emanated from is a serious blind spot that can be detrimental to your security.
Up until now, mid-sized businesses believed traditional defense was their only option. But that has changed with the introduction of Managed Detection and Response (MDR).
Correcting the misconceptions about MDR
Like most new security solutions with a lot of hype, mid-sized businesses don’t even expect an invitation to what they believe is the enterprise party. The belief about MDR is that it’s too expensive, out of reach and complex.
Many mid-sized businesses also believe that taking advantage of MDR’s capabilities requires significant investments in other technologies and solutions. Unfortunately too, some mid-sized businesses lack the security maturity to even recognize that MDR could be a viable solution to help them advance their capabilities.
It is a viable solution. And it’s within the reach of mid-sized businesses. So why do you really need it?
Reason #1: blocking without analysis and insight can still leave you vulnerable
When educating mid-sized businesses about MDR, I find this example really resonates. Time and again, we see companies blocking service message broadcasts coming from their networks. It’s a default action with a firewall. The companies block the apparent “threat” – but there is no follow up or exploration. Why are they seeing SMB version one and who is trying to broadcast these messages?
We end up discovering, in many cases, that the server generating the broadcast hasn’t been patched and was compromised without anyone knowing. So traditional security blocked the threat. But in the absence of a solution such as MDR, the companies were still vulnerable because they couldn’t analyze the root cause of the threat and address it.
Reason #2: SOC exhaustion
Even with some proactive security analysis, objectivity can be an issue. Often times, people reviewing the logs may see things that they deem insignificant, but that may in fact be interpreted quite differently to a threat hunter with a specialized skill set.
In addition, many Security Operation Centres (SOCs) rely on templated, standardized ratings from vendors to analyze data coming from the firewall. It makes them somewhat dependent on that vendor categorization, which can create limitations. Ultimately, the SOC’s ability to analyze or identify threats is only as good as the categorizations and ratings that it’s getting from those vendors.
Customization takes time and effort, but it’s worth it because it affords scale and perspective. Leading with your own point of view in terms of what is and isn’t important should always shape how you see and assess threats.
Reason #3: MDR adds another critical dimension to your security sophistication
Many mid-sized businesses hesitate about MDR and don't even entertain the conversation because they are intimidated by the cost. But MDR is not solely within the reach or domain of the enterprise. Many affordable mid-market solutions are now available.
I always ask the same question. Where are you going to spend your next security dollar? Traditional security components are important but can also become a bottomless ocean. You’ve already spent money and time building your security infrastructure, managing and maintaining it. How can you maximize your current security investments, amplify your capabilities and go beyond traditional defense?
MDR can help you add another critical dimension to your security sophistication by enabling you to detect, identify and respond to threats in an efficient way.
What you really need for MDR
MDR combines your traditional security defense mechanisms with analysis and forensics. That combination allows security analysts to:
Detect known and unknown threats based on a holistic view of the infrastructure (including network, end point and cloud)
Defend by threat hunting using traditional security (firewall, IPS), analytics capabilities (SIEM) or manual intervention
Detect and respond to threats
Arrest and mitigate threats by analyzing root causes
The security analytics tools and threat hunters examine all alerts, regardless of vendor ratings. It’s a more advanced level of analysis that takes a broader view of your environment.
MDR has made great strides in helping companies deal with advanced persistent threats. These types of threats reside in the network silently, often with minimal activity. Traditional defense mechanisms don’t usually detect them. MDR can not only detect them, but the solution can also quickly and efficiently react and respond to lessen the chance of compromise and the severity of any potential event.
What kind of MDR conversation do you want to have?
MDR is marked as the next big thing in security. It’s an exploding market. You’re going to read a lot about it in the next little while. Most of the information out there defines MDR, compares Managed Security Services with MDR and details how MDR can help you conceptually.
But we want to have a different conversation about MDR. Of course, we’ll help you understand it. But we’ll do that by illustrating what’s really happening based on conversations we’ve been having with mid-sized businesses considering or implementing MDR.
We’ll address your questions with relatable answers from the experiences of your peers. And with that insight, we’ll help you decide how you can make the most of MDR in your environment.