Firefighters have it tough, but at least they know when their job is done — flames are extinguished, time to go home.
The same can hardly be said for many of today’s SOC teams. From the global pandemic and the ongoing war in Ukraine to an unprecedented surge in endpoints and cloud-hosted data, security professionals are wrestling with an increasingly complex (and at times unrelenting) threat landscape that defies easy answers. As soon as one threat is vanquished, another takes its place.
Lapsus$, Conti, Black Basta, DarkSide and dozens of other organized ransomware cartels have found ways to exploit this complexity, using endpoints as back doors for moving laterally through networks and holding data hostage. The result is that SOCs now receive hundreds of security alerts every day, a situation that has overwhelmed existing personnel and fueled record levels of burnout. A recent survey conducted by Forrester, for example, found that security teams spend up to 600 hours per month investigating and remediating threats, which is roughly equivalent to the full-time workloads of four employees.
As a result of these stresses, many organizations are getting help from the outside to address weaknesses on the inside. This is where managed detection and response (MDR), threat hunting and cybersecurity-as-a-service (CaaS) come into play.
The rise of MDR
Managed detection and response is an arrangement whereby an organization outsources some or all of its cybersecurity needs to a vendor that can provide both seasoned threat hunting expertise and extended detection and response (XDR) functionality. This novel combination – the bringing-together of product (XDR) and services (threat hunting) – has helped bridge a divide that had long existed in the security market, says Jeff Pollard, a VP and principal analyst at Forrester.
“For years, you had this neat divide that existed where you had product vendors and you had services vendors. The way it worked is, you’d buy a product and then you’d bring in a service to bolt on on top of that. So you had products, you had consulting, you had managed security services, and that was it.”
But with MDR, those divisions have blurred. Service vendors have expanded their portfolio to include XDR, and product vendors have begun recruiting and building up threat hunting experience. The result, Pollard says, is that while many security vendors now offer some version of MDR, it’s increasingly unclear what falls under that definition and what the customer will be getting out of it.
“A couple of years ago when we conducted our first MDR wave, there were almost a hundred folks where if you searched MDR, you could find it on their website somewhere,” says Pollard. “That’s only gotten bigger since then as MDR has validated and led to some really good security outcomes. So it’s difficult if you’re an organization trying to buy MDR, to sort through all of that.”
How to 'parse' the MDR landscape
There are many factors and use cases for an organization to consider when evaluating a potential partnership with an MDR vendor, but that can be difficult with an alphabet soup of acronyms floating around — MDR, XDR, EDR, MSSP, CaaS, the list goes on!
What’s important to understand is that an effective MDR solution will consolidate the expertise and tools each of the other acronyms brings to the table.
- It should be able to provide XDR product functionality, using logs and other telemetry as context for classifying and prioritizing alerts.
- It should also provide strong response options, either finding and responding to threats automatically or advising the customer on the recommended methods to respond.
- Ideally, it should incorporate advanced analytics and security orchestration and automation to streamline operations that are tedious or redundant.
- Finally, and most importantly, an effective MDR solution should provide access to skilled threat hunters, who can construct hypotheses based on threat intel to identify vulnerabilities before they become multi-million dollar liabilities.
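The first two bullets above describe an MDR platform using telemetry as context to classify and prioritize alerts and then attaching a recommended response. The following is an added illustration of that triage step, not code from the article or from any vendor it mentions: the asset inventory, telemetry events, alerts, scoring weights and playbook are all constructed and hypothetical, chosen only to show how context from other hosts' logs can raise an otherwise low-confidence alert to the top of the queue.

```python
"""Added example (not from the article): enrich raw alerts with asset and
telemetry context, score and classify them, and attach a recommended
response. Every value below is constructed for illustration."""
from dataclasses import dataclass, field

# Constructed asset inventory: business criticality (1-5) and exposure.
ASSET_CONTEXT = {
    "fin-db-01": {"criticality": 5, "internet_facing": False, "owner": "Finance"},
    "web-edge-03": {"criticality": 4, "internet_facing": True, "owner": "Platform"},
    "dev-laptop-17": {"criticality": 2, "internet_facing": False, "owner": "Engineering"},
}

# Constructed telemetry, shaped like events an EDR/XDR feed would deliver.
TELEMETRY = [
    {"host": "fin-db-01", "event": "lateral_movement",
     "detail": "smb admin share access from dev-laptop-17"},
    {"host": "dev-laptop-17", "event": "credential_dump_tool",
     "detail": "lsass read by unsigned binary"},
    {"host": "web-edge-03", "event": "failed_login_burst",
     "detail": "312 failures in 5 min"},
]

# Constructed raw alerts with the detector's own confidence (0-1).
ALERTS = [
    {"id": "A-1", "host": "dev-laptop-17", "signal": "suspicious_process", "confidence": 0.7},
    {"id": "A-2", "host": "web-edge-03", "signal": "port_scan", "confidence": 0.4},
    {"id": "A-3", "host": "fin-db-01", "signal": "unusual_logon", "confidence": 0.6},
]

# Hypothetical weights: how strongly each telemetry event type corroborates an alert.
CORROBORATING = {"lateral_movement": 3, "credential_dump_tool": 3, "failed_login_burst": 1}

# Hypothetical response playbook keyed by severity.
RESPONSE_PLAYBOOK = {
    "critical": "isolate host; reset affected credentials; escalate to threat hunters",
    "high": "isolate host; open investigation",
    "medium": "collect triage package; monitor",
    "low": "log and review next shift",
}


@dataclass
class TriagedAlert:
    id: str
    host: str
    score: float
    severity: str
    evidence: list = field(default_factory=list)
    recommended_response: str = ""


def classify(score: float) -> str:
    """Map a numeric score onto the playbook's severity bands (thresholds are constructed)."""
    if score >= 6:
        return "critical"
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def score_alert(alert, telemetry=TELEMETRY, assets=ASSET_CONTEXT) -> TriagedAlert:
    """Combine detector confidence with asset criticality and corroborating telemetry."""
    asset = assets.get(alert["host"], {"criticality": 1, "internet_facing": False})
    score = alert["confidence"] * asset["criticality"]
    evidence = []
    for ev in telemetry:
        if ev["host"] == alert["host"] and ev["event"] in CORROBORATING:
            # Direct corroboration: suspicious activity seen on the same host.
            score += CORROBORATING[ev["event"]]
            evidence.append(f'{ev["event"]}: {ev["detail"]}')
        elif ev["host"] != alert["host"] and alert["host"] in ev["detail"]:
            # Indirect corroboration: another host's event names this host as the source.
            score += 2
            evidence.append(f'referenced by {ev["host"]} {ev["event"]}: {ev["detail"]}')
    if asset["internet_facing"]:
        score += 1
    severity = classify(score)
    return TriagedAlert(alert["id"], alert["host"], round(score, 2), severity,
                        evidence, RESPONSE_PLAYBOOK[severity])


def triage(alerts=ALERTS):
    """Return alerts enriched and sorted so the analyst works the highest score first."""
    return sorted((score_alert(a) for a in alerts), key=lambda t: t.score, reverse=True)


if __name__ == "__main__":
    for t in triage():
        print(f"{t.id} {t.host:14} {t.score:>4} {t.severity:8} -> {t.recommended_response}")
        for line in t.evidence:
            print(f"      evidence: {line}")
```

Run as a script, the queue comes out A-1, A-3, A-2: the low-criticality developer laptop rises to the top because the finance database's lateral-movement event names it as the source, which is exactly the cross-host context a single-host EDR alert would not show on its own.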
The value of threat hunting
As a benefit of MDR, the value of threat hunting can’t be emphasized enough. The cybersecurity skills shortage continues to have a debilitating effect across the industry, especially in small to medium-size companies that lack the budget and employee benefits to attract top talent. MDR helps companies sidestep this issue by giving them access to threat hunters, the “Navy SEALs” of the cybersecurity world.
Threat hunters are experienced and battle-tested professionals who use their creativity and curiosity to root out threats proactively, testing out hypotheses that a computer or AI might struggle to conceive of in the first place. Threat hunters are useful for breaking down barriers since their investigations can lead them to collect data from teams outside the traditional security purview, such as HR, Legal or Sales.
How to 'vet' MDR contenders
MDR is a huge market, and it’s only getting bigger. With so many options on the table, how should an organization decide which MDR vendor is right for them?
There are several pre-buy exercises that experts like Forrester’s Jeff Pollard recommend:
- Ask yourself some questions: There is a good reason, or reasons, why an organization is considering MDR, and it can help to clarify those on paper. Is detection the problem they’re trying to solve, or is responding swiftly and thoroughly the actual issue? Are they looking for more clarity on the root causes of their vulnerabilities? Does the organization feel confident when resolving a threat, or would it benefit from having a third party confirm that the threat is eliminated?
- Know the history of the vendor: MDR will look different depending on the vendor and its history of offerings. Pollard recommends doing your due diligence in researching that history. “If you’re looking at a company that was an MSSP for a couple of decades (and which is now offering MDR), and they’re making the technology for themselves now, my guess is that they’d be really good at the service while still learning the product side as they build out the technology. Meanwhile, a vendor that built technology for 15 years in the past – they’re probably really good at the platform and technology – but they’re building out the service as they go.”
- Know your use cases and ask vendors to demonstrate. By clarifying its challenges and security ‘soft spots’, an organization will have a better reading of potential use cases for MDR. Before committing to an MDR relationship, it’s a good idea to ask vendors to explain how they would solve these use cases or other security events that have made the news. By interviewing them for the job, organizations can determine which MDR vendor will be right for their needs.
- Assess your cyber maturity to determine your MDR needs. Organizations should be honest about their cyber maturity. If a company’s cyber workforce is frequently entering and exiting a revolving door, that turnover is creating unnecessary disruption that an attacker can exploit. It may not be in that company’s interest to have an MDR relationship that is fully outsourced, but having access to threat hunters when in-house talent leaves can preserve continuity that would otherwise be absent. If, on the other hand, an organization is struggling to keep up with day-to-day alerts or even to discover the source of threats, it’s in its best interest to consider a more involved MDR relationship.