After yet another year marked by an excessive amount of high-profile cyber-attacks and data breaches, every company, no matter the size, should now expect to be breached. There is a dangerously unstable balance between the ever-increasing cyber threat and cybersecurity solutions. Increasing threats across industries, and the proliferation of connected endpoints to a myriad of corporate computing resources and other initiatives like Bring Your Own Device (BYOD) are outpacing protections of decade-old cybersecurity programs.
Addressing the high level of security events and alerts created by security information and event management (SIEM) solutions is becoming unsustainable as the demand for cybersecurity professionals is outpacing supply. Companies need to honestly assess whether they have the in-house capabilities to adequately protect their business from these security events. In our experience, many do not, and, according to a study conducted earlier this year, 80% of CISOs plan to work with a Managed Security Services Provider (MSSP) in the coming year.
By leveraging outside expertise, companies allow their cybersecurity arsenals to include real-time threat detection and incident response capabilities with managed detection and response (MDR), which leverages EDR (Endpoint Detection and Response) technology and capabilities. Traditional methods built around log collection still align with compliance use cases, but newer forms of attacks require adaptive, future-ready capabilities of advanced threat detection with deep threat analytics for a more collaborative breach response.
So just why is MDR gaining momentum?
As the threat surface increases and nefarious actors become more sophisticated, the next generation of security operations will require supplementary technologies like MDR. From a different vantage point, MDR flips legacy models by using agent-based solutions that get deployed to endpoints and gain kernel-level access to look for specific types of behaviors. Unfortunately, building such modern capabilities for threat detection and response is not feasible for most organizations. Instead, they need an MDR provider to bridge the gap with an as-a-service approach to remove the complexity and costs associated with building in-house, next-generation security operations capabilities.
Below are six security trends propelling managed detection and response.
1. Compliance guidelines are getting more specific.
The regulatory environment often dictates industry security requirements and compliance and has moved from pass-fail to new standards that require evidence of continuous monitoring to achieve compliance.
2. The shifting threat landscape requires full left-to-right protection.
The entry points where intruders gain access to infrastructure are often not their ultimate target. Instead, they use it as a jumping off point to move laterally in the environment to accomplish the ultimate exploitation. Today, the adversary gains a foothold in the corporate environment and “lives off the land” for weeks or months before they are discovered. This living off the land behavior, as well as other trending threat activities, requires a more robust left-to-right protection such as an MDR solution.
3. Security technology isn’t enough anymore.
As the threat landscape becomes more sophisticated by the day, we’re becoming more and more aware of the shortcomings of antivirus software. But what might not be so obvious is that, despite stronger supplemental practices like endpoint detection and response (EDR), human-powered protection should still be a top priority. Some malicious behavior may be too subtle to warrant an automated response and, therefore, actual people (presumably cybersecurity experts) should be looking for evidence of such behaviors.
4. Attackers are living off the land.
In the 1,579 successful data breaches in 2017, detection by defenders took, on average, 191 days to detect. It then took another 66 days, on average, to contain the breach.
Bad actors are increasingly employing tools already installed on targeted computers, or are running simple scripts, scheduled tasks, or executing shellcode directly in memory of those compromised hosts. By creating fewer new files on hard disks, attackers have less chance of being detected by traditional security tools or legacy antivirus solutions. Even when log files are generated, it can be difficult to spot anomalies because the tools are ubiquitous and used by system administrators for legitimate work.
5. Phishing attacks are on the rise.
According to research conducted by IBM Corporation, 59% of ransomware attacks originate with phishing emails, with 91% of malware delivered as attachments to email. These campaigns have also matured. Well-known inbox-based attacks that attached malicious Microsoft Office documents that required macro enablement are being outdone by new campaigns that use booby-trapped, macro-free attachments. Without having to click “Enable Macros,” when recipients open the attachment, there are no warnings or pop-ups to alert the victims.
6. The supply chain attack surface has increased exponentially.
With more suppliers like cloud and as-a-service providers handling sensitive data, supply chain attacks—which occur when a hacker infiltrates a system through an outside partner or provider that has access to systems and data—are becoming more common. In the case of ProtonRAT in 2017, victims were prompted to register the domain that spoofs a well-known blog for the information security provider Symantec, one of many legitimate brands emulated in supply chain attacks.
These types of seemingly harmless traffic that exploit access sneak by traditional security measures that don’t account for unlikely behavior. According to Data Risk in the Third-Party Ecosystem: 3rd Annual Study by Ponemon, 59% of organizations have had a breach that was caused by one of their third parties. Meanwhile, the average number of third parties with access to sensitive information at each organization has increased from 378 in 2016 to 471 in 2017 and to 588 in 2018.
Get on the MDR bandwagon.
The dangerous shifts in the macro-environment isn’t something that will just phase out, and the same goes for the surge in MDR adoptions. Assuming a breach does happen, how quickly will the victim organization be able to detect it and respond to it to avoid the event from becoming catastrophic? With MDR, companies no longer have to worry about this and can keep their strategic focus on running their businesses. Using an MSSP promises faster threat detection and incident response and ensures that the corporate computing infrastructure remains secure, compliant, and well managed.
There are many benefits of adopting MDR, including:
- Specialized expertise and full-time threat hunters to ensure continuous improvement.
- Context-specific data enhanced with analytics and machine learning to identify suspicious patterns and anomalies across a real-time and historical dataset.
- Prioritization and validation of alerts so that less time is needed to research the validity of an event, and more time can be dedicated to fast incident response.
- Reduction in total time devoted to maintain a strong security posture.