The threat landscape is evolving at breakneck speed and corporate attack surfaces keep expanding, with many of these trends kicked into overdrive by the surge in digital transformation investment during and after the COVID-19 pandemic.
But a growing attack surface often widens the gap between attackers and defenders in skills, capabilities and resources. Fortunately, there are things corporate security teams can do to (re)gain some of the initiative: for example, making sure their approach is proactive and covers prevention, detection and response, and, where that is not achievable in-house, outsourcing capabilities to expert industry partners.
Managed detection and response (MDR) combines all this. But not all solutions are created equal, so let’s take a look at why your organization may need MDR, and five key things to look for in a service offering.
Why you need MDR
The pandemic-era surges in investments can be observed in trends such as:
- Rapid adoption of cloud computing which is outpacing internal skills, leading to misconfigurations that expose organizations to attack.
- An emerging hybrid workplace which means potentially more unmanaged machines at home and more distracted, risk-taking employees using them.
- A surge in supply chain complexity that provides attackers with opportunities to target managed service providers (MSPs), upstream open source repositories and smaller suppliers.
- Ransomware as a service (RaaS), which has democratized the ability to launch sophisticated multi-stage ransomware attacks.
- Use of legitimate tooling for lateral movement, which makes it harder to spot the tell-tale signs of a breach.
- A cybercrime underground saturated with breached data, possibly making it child’s play for attackers to sneak past perimeter defenses using legitimate credentials.
- A mature cybercrime economy where individual players, such as Initial Access Brokers (IABs), all have a clearly defined role in the attack supply chain.
- An increase in published CVEs that gives threat actors even more opportunities to compromise their targets.
All of these trends and more make compromise more likely. 2021 saw publicly reported data breaches in the US hit an all-time high. They also make those incidents harder to detect and more costly to contain: the mean time to identify and contain a data breach now stands at 277 days, and the average cost is US$4.4 million for breaches of 2,200 to 102,000 compromised records.
Beyond prevention
In this context, a purely preventative approach to security simply isn't good enough. Determined threat actors will always find a way into your corporate network, if not via vulnerability exploitation then by using breached, phished or brute-forced credentials. That means you must add threat detection and response to your preventative efforts. The premise is that when attackers do get past your defenses, you have continuous, granular monitoring in place to spot signs of suspicious activity before they have had a chance to make an impact, and a SecOps team that responds rapidly to contain the incident before it becomes a serious breach.
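The kind of detection logic such monitoring relies on, as an added illustration that is not part of the original article: the trends above single out attackers who log in with stolen credentials and then move laterally with legitimate admin tooling, so the example correlates a network logon with follow-on remote-execution activity on the same host within a short window, then ranks the resulting alerts by how many hosts the same account and source address have touched. The events are constructed for this example; the Windows event IDs (4624 logon, 7045 service installed, 4688 process created) and logon type 3 are real, while the field names, the tool list and the five-minute window are assumptions that would need tuning to a real environment.

```python
"""Correlate network logons with follow-on remote-execution activity.

Added example, not code from the article or any MDR vendor. Event records
are constructed to look like Windows Security/System log entries; field
names and thresholds are assumptions, not a real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. 4624 = logon (logon_type 3 = network),
# 7045 = new service installed, 4688 = process created.
SAMPLE_EVENTS = [
    {"ts": "2023-03-01T10:00:05", "host": "FS01", "id": 4624, "user": "jdoe", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"ts": "2023-03-01T10:00:09", "host": "FS01", "id": 7045, "user": "jdoe", "service": "PSEXESVC", "image": "\\\\FS01\\ADMIN$\\PSEXESVC.exe"},
    {"ts": "2023-03-01T10:00:11", "host": "FS01", "id": 4688, "user": "jdoe", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "PSEXESVC.exe"},
    {"ts": "2023-03-01T10:30:00", "host": "WS07", "id": 4624, "user": "asmith", "logon_type": 2, "src_ip": "-"},
    {"ts": "2023-03-01T10:31:00", "host": "WS07", "id": 4688, "user": "asmith", "image": "C:\\Program Files\\Office\\WINWORD.EXE", "parent": "explorer.exe"},
    {"ts": "2023-03-01T11:00:00", "host": "DB02", "id": 4624, "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.9.4"},
    {"ts": "2023-03-01T11:45:00", "host": "DB02", "id": 7045, "user": "SYSTEM", "service": "BackupAgent", "image": "C:\\Program Files\\Backup\\agent.exe"},
    {"ts": "2023-03-01T12:00:00", "host": "WS11", "id": 4624, "user": "jdoe", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"ts": "2023-03-01T12:00:02", "host": "WS11", "id": 4688, "user": "jdoe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "parent": "svchost.exe"},
]

# Legitimate administration tools commonly abused for lateral movement (assumed list).
REMOTE_EXEC_TOOLS = ("psexec", "psexesvc", "wmic", "winrs", "wmiprvse")
WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def is_remote_exec(ev):
    """True if the event looks like remote execution via legitimate tooling."""
    if ev["id"] == 4688:
        names = ev["image"].lower() + " " + ev.get("parent", "").lower()
        return any(tool in names for tool in REMOTE_EXEC_TOOLS)
    if ev["id"] == 7045:
        image = ev["image"].lower()
        # A service binary dropped through the ADMIN$ share is a classic PsExec-style footprint.
        return "admin$" in image or any(tool in image for tool in REMOTE_EXEC_TOOLS)
    return False


def detect_lateral_movement(events, window=WINDOW):
    """Return one alert per network logon that is followed, within `window`,
    by remote-execution activity on the same host."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        for logon in (e for e in evs if e["id"] == 4624 and e.get("logon_type") == 3):
            t0 = parse_ts(logon["ts"])
            followups = [e for e in evs
                         if t0 <= parse_ts(e["ts"]) <= t0 + window and is_remote_exec(e)]
            if followups:
                alerts.append({"host": host, "user": logon["user"], "src_ip": logon["src_ip"],
                               "evidence": [e["id"] for e in followups]})
    return alerts


def prioritize(alerts):
    """Rank alerts: the same account from the same source touching several
    hosts looks like a campaign, a single hop looks like admin work."""
    hosts_by_actor = defaultdict(set)
    for a in alerts:
        hosts_by_actor[(a["user"], a["src_ip"])].add(a["host"])
    for a in alerts:
        a["hosts_touched"] = len(hosts_by_actor[(a["user"], a["src_ip"])])
        a["severity"] = "high" if a["hosts_touched"] > 1 else "medium"
    return sorted(alerts, key=lambda a: -a["hosts_touched"])


if __name__ == "__main__":
    for alert in prioritize(detect_lateral_movement(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed data the interactive logon on WS07 and the slow, unrelated service install on DB02 produce nothing, while the two PsExec- and WMIC-style hops by the same account from the same source are raised as one high-severity pair rather than two isolated medium alerts; that grouping is the sort of prioritization the article says overloaded analysts need from their tooling.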
Extended detection and response (XDR) is an increasingly popular way of achieving this. It combines critical detection capabilities across endpoint, email, cloud and other layers plus response and remediation to stop attackers in their tracks. However, for some organizations, XDR isn’t a panacea. Its usefulness can be limited by:
- In-house skills gaps which mean there are few trained analysts to operate the XDR tooling
- Deployment and management challenges, again due in part to staff shortages and particularly acute when managing XDR across multiple regions
- High cost of staffing and buying and maintaining the right XDR tools
- Alert overload from tools that fail to accurately prioritize threats for stretched analysts
That’s why MDR is increasingly favored. It effectively hands over management of XDR to an expert outsourcing provider, meaning that their trained analysts handle threat detection, prioritization, analysis and response. However, with so many solutions on the market, how can you choose the right one for your business?
Five things to look for in an MDR vendor
MDR at its best is a blend of industry-leading technology and human expertise. They come together in what is essentially a managed Security Operations Center (SOC), where skilled threat hunters and incident managers analyze the output of the tooling to help minimize cyber-risk. Here are five things to look for in a service:
- Excellent detection and response technology: Shortlist providers whose products are well-known for high detection rates, low false positives and a light overall footprint. Independent analyst appraisals and customer reviews can help.
- Leading research capabilities: Vendors that run renowned virus labs or similar will be best placed to stop emerging threats. That’s because their experts are researching new attacks and how to mitigate them every day. This intelligence is invaluable in an MDR context.
- 24/7/365 support: Cyberthreats are a global phenomenon and attacks could come from anywhere, so MDR teams must be monitoring the threat environment at all times of day and night.
- Top quality customer service: The job of a good MDR team isn’t just to detect and respond rapidly and effectively to emerging threats. It’s to act like an extension of the in-house security or SOC team. This should be a partnership, not simply a commercial relationship. That’s where customer service comes in. Providers should marry hyperlocal language support with global presence and delivery.
- Services tailored to order: No two organizations are the same. So MDR providers should be able to customize their offerings for each client, based on their size, the complexity of their IT environment and required level of protection.
The global MDR market is predicted to grow at a CAGR of 16% over the coming five years to reach US$5.6 billion by 2027. With so much at stake and so many vendors out there, it pays to do plenty of due diligence before making your decision.