Faced with a proliferation of security products and point solutions to combat increasingly sophisticated threats, it didn’t take long for companies to recognize that a certain amount of bench strength – knowledge and personnel – was required to manage unprecedented complexity and get the full value from these investments. Organizations turned to managed security service providers (MSSPs) to alleviate the burden of maintaining the health of these systems and responding to tickets. But as Winston Churchill once said, “However beautiful the strategy, you should occasionally look at the results.”
Outsourcing to MSSPs was an ideal approach when the number of alerts to follow up on was relatively low. Security teams could keep up. However, today many security teams are finding themselves drowning in a sea of noise as MSSPs direct more and more tickets their way to investigate.
As the volume, velocity, and complexity of attacks magnify, the mission that security professionals are charged with has expanded. Now it’s about proactively finding bad guys that have infiltrated your infrastructure and stopping them as quickly as possible to mitigate damage. This is proving to be a costly and difficult challenge for many organizations, as it requires a different set of threat detection tools and expertise. Meanwhile, the dearth of people with cybersecurity skills continues. In fact, new global research conducted by the Center for Strategic and International Studies (CSIS) finds that 82 percent of respondents admit to a shortage of cybersecurity skills, with 71 percent citing this shortage as responsible for direct and measurable damage. Respondents say that hackers target them knowing their cybersecurity is inadequate, and that a lack of staff has damaged their organization’s reputation and led directly to the loss of proprietary data through cyberattacks.
To address these new requirements for threat detection and incident response, as well as to help organizations overcome the challenges they face, new managed security services have emerged. Managed Detection and Response (MDR) services differ from traditional managed security services in three ways: speed, accuracy, and focus. Here’s how.
Speed: Accelerating the time to detect an attack is the true indicator of security effectiveness. MDR service providers offer an end-to-end service that includes the tools and expertise to quickly separate non-events from serious events in order to contain an attack, target mitigation, and remediate faster. In contrast, MSSPs measure speed through SLAs aimed at keeping up with alerts and conducting initial triage. While MSSPs’ reaction time is fast, the overall time to detect and confirm a threat is slower because security teams have to deal with hundreds, if not thousands, of alerts a day. The burden and risk are on internal resources to identify threats that have breached the perimeter and are moving laterally through the environment, and then to contain and remediate them. This can take months, which is far too long. By the time a breach is discovered, credit card data, bank account information, credentials, and other valuable data and assets have been compromised.
Accuracy: Consistently detecting serious threats requires ongoing visibility, additional data and context, and rapid analysis. The volume of information needed to confirm a threat often requires a set of sophisticated technologies beyond the capabilities of a typical MSSP. MDR service providers use continuous monitoring and investigation along with full packet capture to eliminate security blind spots and detect incidents with greater accuracy. They strive to map out the course of the attack with retrospective analysis in order to understand who the attacker was and what malicious activities were performed, and to determine the best course of action to remediate the threat. MSSPs typically rely on signatures and rule-based detection with older technologies that are limited in their ability to collect the contextual information needed to identify incidents at a specific point in time. As history has shown, sophisticated attacks can evade these traditional methods.
Focus: Instead of focusing on generating tickets, MDR service providers focus on producing high-fidelity tickets that reduce false positives and correspond to evidence of malfeasance. Access to big data platforms to collect and store massive volumes of data, real-time threat intelligence, and advanced analytics allows them to find and accurately confirm malicious activity quickly. This allows for proper containment and actionable recommendations for remediation (e.g., remediate these specific devices, update policies and controls to block specific types of files or behaviors, contact the FBI). MSSPs typically lack the threat detection and response tools and expertise to map attack behavior and complete a full forensic workup; this job falls to the internal security team. MDR service providers aim to offer the exact steps required to remediate the attack, reducing the time these internal teams spend on additional investigation and enabling them to focus on core business initiatives.
MSSPs emerged at a time when security teams needed help maintaining the health of their security devices and responding to tickets. The mission for security professionals has now evolved from responding only to being proactive, so managed security services must evolve as well. With speed, accuracy, and focus, MDR service providers ease today’s heavier burden on security professionals to proactively detect and manage increasingly sophisticated and elusive threats.