Tips for evaluating and implementing managed detection and response

The recent shift to remote working due to the pandemic has driven more companies to embrace managed detection and response services (MDR). Jan van Vliet, EMEA VP and GM at Digital Guardian, explains why MDR services are important in today’s world.

Building a cybersecurity team with the skills to leverage today’s sophisticated detection and response platforms is a difficult task. In recent years, managed detection and response (MDR) services have become a popular choice for organisations that want to address the types of advanced attacks that even a managed security provider might be unprepared for.

The recent massive shift to remote working, however, is driving even more enterprises to embrace MDR services for two reasons.

Alongside a pressing need to bolster traditional perimeter security tools to cope with the threat environment created by so many users operating outside the corporate network, organisations are also having to rethink their data resilience strategies in the face of a significant uptick in activity by external threat actors.

A tsunami of internal and external threats

The move to working from home prompted by the World Health Organisation’s pandemic announcement in March triggered a flurry of malicious activities by opportunistic cybercriminals. Recent research revealed that organisations experienced a 41% increase in endpoint malware infections and a 27% jump in phishing attempts.

That wasn’t the only risk factor posed to corporate data. In the weeks following the WHO pandemic declaration, employees were moving classified data at unprecedented rates, with cloud storage and USB devices accounting for 89% of all data egressed. More worrying still, over 50% of this data was classified. In particular, the 123% increase in the volume of data downloaded to USB devices should serve as a major wake-up call for IT and security professionals, as the inherent portability of such devices and the likelihood of their being misplaced, lost or stolen significantly elevates the risk to sensitive data.

With remote working models set to become the norm for the long term, the growing need for a no-compromise data protection strategy is prompting organisations to re-evaluate how they identify and mitigate against data loss or damage.

Since spinning up a security operations centre (SOC) takes time, resources and expertise, enterprises are turning to MDR services in a bid to improve their ability to detect and respond to threats.

Scoping the requirements

With the security landscape growing more complex and the cost of maintaining an adequate in-house security team high, it makes sense for many companies to outsource threat hunting and response to MDR providers that can integrate specialist tools such as endpoint detection and response (EDR), analyse risk and correlate threat data to pinpoint patterns that could indicate a larger attack.

Prior to partnering with an MDR provider, however, companies should undertake a detailed evaluation to define a clear set of requirements. This should include consulting all stakeholders to identify which assets – endpoints, databases, applications, IP, content delivery – need to be protected, and whether the technology stack in place is appropriate for an EDR deployment.

Next, clear rules of engagement and SLAs will need to be defined and established. Since MDR isn’t a ‘passive’ service, close integration with the company’s existing cybersecurity strategy means action plans need to be generated.

For example, pathways covering how threat notifications from an EDR provider are escalated and actioned, together with pathways for intelligence sharing and investigation requests, will need to be defined. If there is limited internal capability to respond to potential incidents, to what extent will the MDR provider be allowed to engage with the organisation’s environment – in other words, can they take action beyond simply quarantining endpoints?

Since the provider will be acting as an extension of the IT team, it is important that security event information is communicated in a way that is both understandable and actionable. In today’s volatile threat environment, a weekly retrospective report simply won’t cut it – and IT leaders will also need to consider whether API integrations will enable the automated flow of threat data into existing workflows.

Undertaking a detailed internal needs evaluation is essential for organisations that want to ensure they engage only with providers that can offer the tools, capabilities and services most appropriate to their specific environment and protection needs.

Provider evaluation – the top areas to check

An effective provider should be able to monitor user, system and data events to spot suspicious behaviour, protect against malware and prevent data compromise, delivering insights on which critical systems and devices have been affected, whether a third party represents an entry vector for attacks, the downtime to production systems, and whether data has been exfiltrated. That includes whether privileged user accounts are being leveraged for unauthorised access.

Generate a list of documented use cases you expect a provider to solve, covering visibility (system, user, data), remediation and response (indicator blocking, malware removal, endpoint isolation) and forensics ($MFT, registry, memory), and then test their services using penetration testing or threat simulation services. This will give you a full experience of their technology and service offering. A good MDR provider will handle advanced threats – such as lateral movement by attackers, credential theft, privilege escalation and C2 activity – but won’t let less sophisticated attacks slip through its fingers either.

Finally, organisations should expect a truly human interaction with the provider’s security analysts. Be wary of being forced to rely on dashboards, e-mails or portals when it comes to alerting, investigating security events, case management and other activities.

Expectations vs. reality

Not all MDR providers offer the same services, and no one size fits all, so understanding the tools and procedures on offer and carefully weighing all considerations will be vital for selecting a provider that represents the ideal fit for the organisation’s size, existing security controls and needs.

Asking detailed questions about the standard practices and technologies vendors use should help companies benchmark and compare providers and gain insight into how they would react to a specific security incident. Finally, it will be vital to assess whether their threat response can be tailored to your processes – or whether it is out of the box, with no flexibility.

There is no technology-based silver bullet for addressing cybersecurity challenges. Ultimately, it is the human factors, threat-protection techniques and process-based responses that make the difference between success and failure, so partnering with an MDR provider that can offer the right combination of technology, support and strategic guidance will be essential for elevating and optimising enterprise data security.

Intelligent CISO