The Value of Managed Detection and Response

Glen Combs and Troy La Huis
| 7/10/2019
The Value of Managed Detection and Response

In response to the recent alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and due to elevated cyberattack activity around the world across all industries and company sizes, many organizations are turning to a new breed of managed service called managed detection and response (MDR).

The value of MDR

In its 2018 Market Guide for Managed Detection and Response Services, Gartner describes MDR providers as able to “deliver 24/7 threat monitoring, detection and lightweight response services to customers leveraging a combination of technologies deployed at the host and network layers, advanced analytics, threat intelligence, and human expertise in incident investigation and response.” An MDR service can be a solution for organizations evaluating how best to respond to and prepare for existing and future threats.

Specifically, an MDR service can help organizations:

  • Adapt to the rapidly changing threat landscape
    Twenty years ago, cybersecurity specialists dealt with “script kiddies” defacing websites. But today, cyberthreats include nation-state actors launching retaliatory attacks to cause widespread disruption and organized crime syndicates hijacking municipality networks and demanding exorbitant ransoms.

    Clearly, the current and emerging attack surface is larger and more complex, threat actors are highly motivated, and attack methods are increasingly sophisticated. An MDR service is a way for organizations to outsource the expertise and skill sets needed to stay up to date on the threat landscape.

  • Detect attacks in real time, not months afterward
    Dwell time is defined as the time between when an adversary gains access to an environment and when the breach is identified. Studies such as the Ponemon Institute’s 2018 Cost of a Data Breach Study: Global Overview show that the longer an attacker can dwell in an environment, the higher the costs of the breach.

    The reactive nature of security tools and managed monitoring services as well as reliance on alert engines, weekly reports, and busy personnel who don’t have adequate time to review information contribute to an average dwell time of 197 days. An MDR service can provide a 24/7/365 security operations center staffed with expert security analysts who can detect attacks as they happen and coordinate incident response plans as necessary.

  • Detect attacks geared to bypass existing security controls
    The growth of cyberbreach activity is evidence that bad actors manage to stay one step ahead of current tools and processes. New vulnerabilities and corresponding exploits pop up every day. Additionally, many attacks start as activity that appears legitimate. For those with static detection mechanisms, if these exploits don't trigger a pre-existing rule, no one will know an attack is happening.

    An MDR service augments existing security controls with advanced technology and dedicated security analysts who are trained to proactively uncover evidence of threats. The detection rules by which alerts are created are constantly being updated to incorporate the latest publicly available exploits. The human component provides experience and threat intelligence to make the call on what is important to an organization. Last, rather than relying solely on static signatures, the service uses heuristic analysis to examine behaviors and patterns. (For more on why signature-based detection is a problem, see the code comments for TrustedSec founder David Kennedy’s Magic Unicorn script. Ironically, the comments themselves have become signatures within the products they mention.)

  • Minimize false positives and alert fatigue
    One of the biggest problems facing security teams is tool and alert overload. All the security controls organizations have put in place to prevent breaches produce millions of events and tens of thousands of alerts that require attention. Even with a security information and event manager (SIEM) available to centralize logging and alerting, the rules go out of date quickly and start producing an overwhelming number of alerts and false positives that bog down IT and security teams.

    An MDR service eliminates this problem. It can take on the job of collecting all the events and alerts from information systems (including the SIEM) and apply the threat intelligence and advanced analytics needed to find the threat signals amid all the noise. In this model, IT and security teams receive notifications only when significant evidence and a high level of confidence demonstrate that an attack or breach has occurred.

  • Access cybersecurity professionals
    Skilled cybersecurity engineers and specialists are in high demand, and they’re hard to find given the shortage that exists in today’s market. Organizations struggle to attract and retain the broad array of talent needed to manage such a complex function as cyberthreat detection and response.

    An MDR service eliminates the need for organizations to staff their own 24/7 security operations centers. It also makes existing security teams much more productive by reducing time wasted responding to false positives.

Quantifying a return on investment

Security leaders have to make many decisions about detecting early threats and minimizing dwell time. They have to consider types of technology, complete outsourcing versus co-management, 24/7 monitoring versus business hours, cost and skill set of personnel, and ongoing management. An MDR service can manage these variables and be operational within weeks versus months, often at a fraction of the cost.

What to do in the event of an attack

Any organization that suspects it has been compromised should follow an incident response plan. In addition, CISA is asking that attacks and breach activity be reported using this email: [email protected].

Please contact Troy La Huis, digital security leader at Crowe, at +1 616 233 5571 or [email protected] if you have any questions about how your organization can best respond to the CISA statement.