The evolution of managed detection and response (MDR) within the enterprise has a significant impact on the modern security operations center (SOC). Enterprises increasingly outsource MDR services in their journey to attain cyber resiliency and maintain an effective security posture.
MDR is becoming a key strategic pillar in the effort to be cyber resilient, but organisations have to be vigilant if they want to choose the right MDR partner services. Too often, service providers over-promise and under-deliver.
As MDR is an evolving service offering, here are a few key considerations to use while evaluating deployment options.
Quality and Richness of Data for Analytics
The underlying technology that provides the foundation for data detection and investigation is extremely critical. As we are aware, garbage in invariably leads to garbage out. While an organisation needs lots of data from a broad array of sources, the key to a successful investigation process is having good quality data. This means high-fidelity forensic recorded data of all activities within an endpoint, including network data and event log sources. This should include full coverage of process execution, file and registry activity, network layer and memory injection events. Your ability to conduct investigations is far superior and more effective if you are able to generate, for example, a User ID log, application logs and full-packet capture inspection data. This can provide organisations with SSL/TLS and SSH decryption insights to overcome evolving threats from the network.
Protection of Endpoint, Network and the Cloud
Deploy multilayered prevention as a standard. Any truly complete approach to MDR should rely on technologies providing behavioural threat analysis, using techniques that include machine learning, artificial intelligence and human intelligence. Coverage should stretch across the endpoint, the network and the cloud, and it’s best if it’s also augmented by global threat intelligence capabilities to prevent both known and unknown threats. The ability to monitor and analyze north-south traffic as well as east-west traffic provides further context laterally throughout the network. It’s important to be able to monitor normal network traffic and highlight or protect against anomalous traffic.
Process Orchestration and Automation
Process orchestration and automation capabilities are key MDR criteria for deployment due to their ability to allow collaboration and support realtime investigation and response. The ability to automate repeatable tasks and common incidents while minimizing the investigation time from compromise to detection to incident resolution helps to mitigate risk and provides invaluable speed and agility, strengthening the security posture in a SOC. At the same time, orchestration and automation can coordinate seamless operations, helping people, processes and technology work in tandem. A SOAR platform can reduce the time it takes to perform an investigation, allowing analysts to focus on critical tasks while repeatable tasks are automated. Thus, investing in a SOAR platform as a part of an MDR program has significant returns on investment and is an important consideration for an organisation’s defence strategy.
Threat Intelligence as a Platform
Look for MDR providers that utilize sophisticated threat intel management (TIM) tools and participate in threat exchanges such as FS-ISAC and SANS-ISAC to improve efficiency of processes within the SOC. Security teams require deep visibility, context and insights to quickly prioritize and respond to sophisticated attacks. Threat intelligence gives analysts an edge, but many of today’s approaches provide limited value to security operations because the methods are extremely complex and time consuming. The promise of threat intelligence, however, is to allow organisations to use meaningful insights from past incidents to reduce the false positive rate. TIM platforms have the ability to aggregate, organize and operationalize all types of threat intel in a feed, granting full control of the indicators acquired and allowing them to be matched to an organization's environment. Collaborating in realtime with case management, threat intelligence as a platform closes the loop between intel and action via automated playbooks.
Delivery Framework
Look for the ability to provide global, on-demand, 24x7x365 support, including access to a specialist cyber incident response team in the event of a cyber incident. A good standard for rapid and effective response, which can reduce the impact of an incident in the event of a cyber breach, is a guaranteed immediate reduction of mean time to detect (MTTD) and mean time to respond (MTTR) to under 60 minutes. Access to a wide range of cyber security, forensic, business advisory and legal experts in times of crisis are also important considerations for any MDR service. Next-generation MDR services delivered through the cloud provide an effective combination of broad threat detection insights and comprehensive response capabilities. This is powered by cloud-native technologies and augmented by artificial intelligence and machine learning algorithms to provide visibility across multiple security tools and correlate incidents, resulting in faster and more effective response. When evaluating the efficacy of an MDR delivery framework, it’s critical to consider cloud use cases: Can the delivery framework seamlessly integrate with an organisation’s cloud stack? Can it work across multiple clouds, including containers, microservices and data repositories?
Economic Consideration
An MDR service should be outcome-based, with a governing and common acceptable SLA. Ideally, it would be consumed as a subscription service and priced per-endpoint with all licenses and data storage included. Look for preparation of relevant plans, documentation and a roadmap for incident response maturity, ensuring customisable service agreements to suit your specific business requirements. To maximize return on investment, ensure unused retainer hours can be applied to readiness and cybersecurity advisory services. MDR service contracts will now need to be forward-looking, with provisions that reflect declining cost; maturation of service offerings; anticipated efficiencies across processes, skills and technology; and economies of scale. An MDR service provider that offers declining costs over time, and at the same time can guarantee a demanding service SLA, will typically provide better options for organisations looking to deploy MDR services.
Managed Detection and Response Is an Evolving Service
An effective MDR service must provide a customized solution that accommodates organisations’ business needs. The MDR service provider must have the ability to build a comprehensive risk-mitigation strategy, including regulatory and compliance requirements overlaying a multilayered prevention, detection and response framework. This drives cyber resiliency and keeps cyber adversaries at bay.
The current outlook and global effect of COVID-19 have further reinforced the need for organisations to actively consider MDR as a service. We’re witnessing an unprecedented environment where working remotely has become the new normal for many people. In this scenario, the demand for MDR is growing as organisations’ efforts to manage and monitor endpoints are becoming more critical – and more challenging. Managed Threat Hunting can be an important way to combat both external and internal threats across an organisation. When a service is armed with big data analytics, threat intelligence and integrated visibility, it becomes a key component to mitigate risk in scenarios where we can expect threats that will trigger data exfiltration, lateral movement and malware using command and control (C2). Learn more about our Managed Threat Hunting service.
About the Author: Anup Deb leads MDR Practice across the APAC region for Palo Alto Networks. Anup has a rich background of working in the cybersecurity industry, and has specialized in the risk and compliance domain. He is also a subject-matter expert in incident response. Anup has been a speaker at industry events and conferences across the region, and is an active blogger. Anup has worked with emerging technology startups and leading IT companies globally.