Using a defence-in-depth strategy with adequate visibility and instrumentation has been shown time and again to reduce the time to detect and the effort to respond to cybersecurity attacks. People and processes, however, must support the instrumentation; the problem will not be solved solely by technological means. Nidhi Shail Kujur of Elets News Network (ENN) interacted with Tim Wellsmore, Director of Falcon Complete, APJ, at CrowdStrike on how MDR providers have the potential to play a critical role in assisting organisations in mitigating cyber threats.
Give us an overview of MDR – its importance, benefits and why MDR is critical in combating today’s adversaries. What are the main categories of MDR services available in the market, and what are the reasons organisations are transitioning to MDR services?
Managed Detection and Response (MDR) is the modern evolution of an outsourced 24x7x365 cyber security service to protect your organisation from cyber-attacks. MDR providers not only rely on a cyber security technology layer that undertakes the “detection” of the threat component, but they also use highly skilled incident responders to “respond” to these detected threats.
Truly effective MDR providers will use cloud-based endpoint detection and response (EDR) technology that is fast to deploy and full of the proven features necessary not only to detect and respond but also to fully remediate your systems if a threat is detected. The top tier providers will also utilise advanced threat hunters who sit alongside the incident responders and use the technology layer to vigilantly “hunt” for the most elusive attackers who continually try to evade the detection technology. This hunting force has now proven to be a must-have layer of capability augmenting the detection technology and response teams.
Effective MDR services are delivered by an expert human workforce strongly coupled with the technology necessary to provide a hunt, detection, response and remediation service for their customers. An MDR service is the fusion of this human expertise and the EDR platforms which are both critical components for success, analogous to a modern racing car – without either the expertise of the driver or the advanced technology of the car, there will always be poor performance. Just as the driver and the car need to continue to evolve to maintain the edge over the competition, in this case, the expert incident responders and the detection technology need to maintain the edge over the relentless and ubiquitous cyber hackers.
The sheer cost and effort of maintaining an effectively skilled cyber response team for a normal business are no longer feasible. In light of the widely reported cyber skills shortage, it is also a challenge to achieve from a talent perspective. Unfortunately, it has taken too many years and countless successful attacks against an alarming number of businesses for organisations to realise that a trusted, quality MDR provider is an effective investment that can truly provide the protection necessary in the modern threat landscape, and some even provide a warranty on their service for added peace of mind.
MDR has several flavours, known as MEDR, MNDR and MXDR.
The “E”, “N” and “X” stand for Endpoint, Network and Extended, and focus on Endpoint detection technology, Network detection technology or Extended Detection respectively. Extended Detection translates to a combination of at least Endpoint, Network and several other detections or threat-related data points that enrich the data available to the expert human responders to discover, understand and respond to the attack.
While there are many proponents for each flavour, the reality is that without endpoint detection the true intent or impact of an attack is often impossible to determine, and the more relevant data available, such as intelligence, specific log files and user identity events, the more fidelity you can have around detecting, responding to and remediating an attack.
What role does MDR play in security posture for organisations?
MDR plays a critical role in the security posture of an organisation, but it doesn’t remove the need for a security team, as there will be complementary functions that fall outside the scope of MDR providers. Understanding the exact scope of services provided by your chosen MDR organisation is a critical requirement, so your organisation can understand what must be completed by your team versus the virtual team that will be providing the MDR service.
Good MDR providers will have a scope that covers monitoring, responding to and remediating important components of your business systems, such as cloud workloads, identity infrastructure and the major operating systems, and should not leave your organisation with much homework to do after they have remediated any detected threats.
An organisation that works closely with its MDR provider can expect to improve security posture whilst identifying and stopping threats, including hidden, sophisticated threats, along with having systems restored to good working states as part of the remediation service.
However, it is important to partner closely with your MDR provider to ensure that their service augments your business well, and to continue to work together to understand the evolving threat landscape as well as threat detection and response methodologies and capabilities.
What are the core elements of MDR? How do they differ from a managed security services provider (MSSP)?
The core capabilities of an MDR are:
1. Managed Prioritisation
Managed prioritisation helps organisations that struggle with the daily effort of sifting through their massive volume of alerts determine which to address first. Often referred to as “managed EDR,” managed prioritisation applies automated rules and human inspection to distinguish benign events and false positives from true threats. The results are enriched with additional context and distilled into a stream of high-quality alerts.
2. Threat Hunting
Behind every threat is a human being who’s thinking about how to avoid being caught by their targets’ countermeasures. While machines are very smart, machines are not wily: a human mind is needed to add the element that no automated detection system can provide. Human threat hunters with extensive skills and expertise identify and alert on the stealthiest and most evasive threats to catch what the layers of automated defences missed.
3. Managed Investigation
Managed investigation services help organisations understand threats faster by enriching security alerts with additional context. Organisations can more completely understand what happened, when it happened, who was affected, and how far the attacker went. With that information, they can plan an effective response.
4. Guided Response
Guided response delivers actionable advice on the best way to contain and remediate a specific threat. Organisations are advised on activities from the most fundamental, such as whether to isolate a system from the network, to the most sophisticated, such as eliminating a threat or recovering from an attack on a step-by-step basis.
5. Managed Remediation
The final step in any incident is recovery. If this step is not performed properly, then the organisation’s entire investment in its endpoint protection program is wasted. Managed remediation restores systems to their pre-attack state by removing malware, cleaning the registry, ejecting intruders, and removing persistence mechanisms. Managed remediation ensures that the network is returned to a known good state and further compromise is prevented.
A Managed Security Services Provider is different from an MDR provider and is often considered a legacy provider now that MDR providers have evolved with modern EDR platforms to effectively protect modern organisations from the latest attacks. Some MSSPs now include some MDR services as part of their wide suite of services, but it’s not a specialism due to their broader focus.
Generally, an MSSP relies on monitoring your organisation’s security infrastructure remotely and notifying the customer organisation to undertake the necessary tasks to resolve any alert, issue or incident. An MDR provider is a more targeted service with a greater depth of technical expertise and capability in threat detection, response, and remediation actions for effective cyber security protection.
What are some of the best practices needed in cybersecurity programs to improve an organisation’s ability to respond to a cyber incident?
The best practice for any organisation to improve its ability to respond to a cyber attack is to prepare for such an event. It is still the case that many organisations wait for an attack to occur before they try and work out how to respond to it. This is like not practising for a fire drill until the building is on fire.
The modern operating environment for every sector of business and government is that cyber attackers will attack most organisations for financial, political, economic or military gain regardless of size or reputation. The 2022 CrowdStrike Global Threat Report identified a 45% increase in interactive intrusion campaigns and an 82% increase in ransomware-related data leaks to show how cyber threats are increasing.
The first step to preparing for such an attack should be assessing the risk of a cyber-attack specific to your organisation through a Cyber Risk Assessment. There is little point in preparing for an attack if you do not understand what in your organisation is likely to be attacked and for what purpose. It’s not often the obvious items you may consider valuable that an attacker will be able to monetise or leverage for gain. These are critical points to know for your organisation so you can then move to the next step of developing an Incident Response Plan (IRP).
These fundamental steps can easily be undertaken and will both prepare and educate your organisation and your leadership as to the realities of the cyber risk, as well as highlight technology gaps, such as an effective EDR solution, or other missing skillsets, which could include effective threat hunting, detection or response capabilities that you may need to engage from an MDR provider to ensure your organisation is protected.
An Incident Response Plan will also identify the roles and responsibilities of key members of your team and any external provider, such as an MDR service provider and how they fit into your response plan. Ultimately, the plan should also identify the “who, what and where” for key steps and actions throughout an incident.
Finally, and importantly, is to test the plan – undertake some simulations or exercises to see if the organisation is ready. Like any response plan, without customising it to your organisation, testing and updating it regularly, it will quickly age and become ineffective.
The last thing you want is to wake up one day and have a serious cyber incident that risks your entire business’s livelihood, such as ransomware. By that point, it’s too late to realise you needed to invest the little time necessary to understand the risk and develop an effective plan. This inaction can lead to a cyber attack and the risk of being asked to pay a multi-million-dollar ransom by cyber hackers.
In the modern business world, you must be as prepared as you can be, as cyber-attacks are occurring in your industry every day, and history clearly shows these attacks will not stop anytime soon.