Delivering on the MDR promise

For any organisation facing the challenges of securing their network, the goal has always been effective detection followed by a robust response to any cyber threat.

What Managed Detection and Response (MDR) offers the industry today is a broader focus beyond endpoints and traditional security devices. It’s a platform to holistically drive security monitoring and response, looking to more telemetry data from network operations and user behaviour as more dynamic data points when examining threats.

User activities, for example, may not necessarily pose a direct trigger to a potential threat unless we apply the appropriate analytics and integrate other data points. However, that kind of visibility and analysis can be a powerful tool in establishing the organisation’s health. “More telemetry can only clarify user behaviour and offer a broad lens to what is happening in your network,” says Johnny Kho, Director, Managed Security Services, Singtel. “This is a key advantage and value-add Singtel customers enjoy as we can apply security from within, looking at the network edge-to-edge. And this is where MDR can be a game-changer.”

He adds that from a platform perspective, MDR offers a higher level of analytics heavily dependent on enriched cyber threat intelligence. The organisation is no longer looking at only known triggers. Instead, it develops visibility into what could be unknown triggers and dives deeper into what is deemed suspicious. Says Kho, “So in a very tangible way, MDR broadens your cyber threat perspective by ingesting more and more data.”

MDR works by integrating a security platform with analytics and expert-led services to provide threat detection and response recommendations across cloud, hybrid and on-premises environments and different endpoints. It identifies all assets, profiles their risks, and then collects activity information from logs, events, networks, endpoints and user behaviour.  

Threats and vulnerabilities are researched in the wild and codified to be quickly recognised when seen by the MDR provider. After that, MDR analysts can take over to validate incidents 24/7, escalating critical events and providing recommended response actions to remediate threats.

In contrast, many enterprises deploy Security Information and Event Management (SIEM) solutions that collect logs and event data produced from applications, devices, networks, infrastructure, and systems to draw analysis and security alerts while providing a holistic view of the organisation's IT infrastructure. SIEM solutions can reside in any cloud environment.

“SIEM solutions attempt to analyse threats on a rules-based engine and therefore focus on known threats,” says Kho. “MDR expands on this to ingest additional data from different network endpoints on top of the network logs. So SIEM solutions are another security application sitting beside the telemetry data being monitored for their security operations.”

According to Kho, MDR introduces a much broader, big data architecture to harvest information from endpoints leaving SIEM solutions to monitor more events and process alerts.

Kho emphasises that MDR will not displace SIEM solutions in the enterprise. “In a typical security monitoring platform, SIEM will coexist with MDR but evolve to incorporate machine learning analytics in its arsenal. So, it will go beyond the use case rules engine that currently predominates enterprise security monitoring processes.”

In the managed security service provider (MSSP) model, MDR can deliver even more enriched intelligence because of insights gained from different customer sectors the MSSP is serving. The additional telemetry and data points enhance visibility when there are impending threats.

“Fundamentally, the real cyber challenge for any organisation is about operationalising the security processes,” observes Kho. “In most instances, enterprises have a hard time working through the process, so an MSSP helps respond to a cyber incident on their behalf.” Kho believes this is where MSSPs can significantly add value to an enterprise MDR service.

Kho describes at least three critical areas enterprises should consider when deciding to procure MDR services from an MSSP; an honest evaluation of the internal cybersecurity skillset, how to augment the existing security apparatus with MDR and compliance monitoring. “If you comprehensively assess your current cybersecurity posture,” observes Kho, “an MSSP deploying an MDR service will enhance and elevate installed security processes with a machine learning analytics model to fill in the gaps.”

One key advantage of acquiring an MDR service via an MSSP is the comprehensive risk profiling the service provider can deliver. “At Singtel, we start with the fundamentals; what is the enterprise’s current digital exposure or footprint, what digital properties does it own and what is the risk to the organisation if this digital footprint and assets are targeted?” Kho notes that as an MSSP, Singtel evaluating these parameters will help quantify the actions needed in defining how to detect and respond to incidents.

“Our focus is on business alignment,” adds Kho. He remarks that as an MSSP, Singtel’s telco services expertise means a tighter integration of network services with its security services portfolio, including MDR. “So our strength is our network coverage because the network can help protect the customer,” he notes. “With network services such as SD-WAN, for example, we help enterprises connect to different critical services and sites right on the network edge directly from our network core. That’s really our key differentiator to our customers.”

It’s clear that threat prevention is increasingly more challenging to implement and manage for enterprises with older defence-in-depth strategies.

76% of those surveyed in a recent threat detection and response (TDR) study¹ identified this aspect of cybersecurity as much more complicated than it was a few years ago.  The report notes the top two reasons are volume and/or sophistication of threats and an increase in TDR workloads. It’s evident that enterprise security teams require help to boost cyber skill sets and better integration of existing security services.

The survey reports that most organisations ‘are using or are interested in managed detection and response (MDR) services to improve threat detection and leverage existing MSSP relationships.’

The reason is simple: chronic cybersecurity staff shortages, complex TDR solutions needing rapid deployment and existing relationships with an MSSP that offers MDR services in their service portfolio. In addition, the survey observed a clear trend of a ‘shift toward actively developing/building or purchasing an integrated software architecture for security operations tools to combine siloed security solutions’. It concludes that ‘future buyers of MDR want a platform option that integrates all their security operations tools.’

Resource

¹ ESG Master Survey Results: The Threat Detection and Response Landscape, 2019