In the 1983 film War Games, one of the earliest movies about cybersecurity, officials rush in to confront the hackers of a supercomputer designed to work without a human interface. At stake is a world war that the supercomputer stands to trigger.
Cut to four decades later. Security Operations Centers (SOCs) are reeling under the dual pressures of multiple attack vectors and a limited pool of cyber specialists to manage them. The need of the hour is a service that combines automated, proactive detection of cyber threats with analytical human investigation, with threat-hunting experts tasked to deliver actionable and conclusive neutralization measures.
MDR simplified
In its simplest form, MDR or Managed Detection and Response is a cybersecurity service that combines technology and human expertise to perform threat hunting, monitoring and response [1]. MDR puts the technology tool stacks in an organization’s arsenal to use to identify threats as they arise on the network or in the cloud, analyse and investigate them, and then recommend measures to counter or contain them. The human element consists of ‘task forces’ of threat intelligence experts responsible for incident management [2].
The Benefits of MDR
MDR offers many advantages in the field of threat detection and remediation. Though a robust system may take a while to stabilize once initiated by an organization, its value addition to threat-countering initiatives and the overall contribution to the SOC is tremendous.
- Turnkey solution: MDR offers a comprehensive solution that combines technology tools and human expertise and covers both detection and containment.
- Real-time data: MDR works best with real-time information, so cloud-based data gives it the ideal basis to work on.
- Round-the-clock coverage: MDR is a 24×7 service, offering continuous threat analysis and remediation.
- Proactivity: Unlike offerings such as Managed Security Service Providers (MSSPs), MDR deals with threats proactively rather than reactively.
Challenges for organizations
Considering the advantages that MDR brings to the cyber threat landscape, and the single-point, under-one-roof approach it represents, one would expect MDR to be adopted quickly. Yet this is not always the case.
- Heavy investment [3]: Given the heavy investment in tools and experts, many small and mid-sized organizations find an MDR solution unaffordable, whereas larger organizations find it relatively easy to put in place.
- Experts and increased human capital cost: Most organizations find they lack the skilled resources needed to put an MDR solution in place. Since MDR is almost always an outsourced service, organizations with their own in-house resources face two sets of costs: their existing staff and the outsourced service.
- Ongoing investment costs: MDR tools, like all other technology tools, need frequent updating and scaling up, compelling organizations to invest on an ongoing basis. Organizations also face the problem of ‘non-performing’ investments in technology stacks that lie unused for various reasons [1].
- Alert fatigue [1]: Another challenge is ‘alert fatigue’ from the continuous proliferation of threats. Though this is to be expected, the human side of MDR, which requires constant responses from threat hunters, can prove exhausting.
- Implementation time [1]: Organizations that expect to implement MDR in a matter of weeks or months may be indulging in wishful thinking. Experts are of the opinion that a mature and robust MDR threat-detection and response system typically takes a couple of years to reach.
Implementing MDR
Organizations that are keen on implementing an MDR solution would do well to work with an external partner that has expertise and established references in the MDR space. Experience in the organization’s specific line of business is a good-to-have.
Since data security is at the heart of the entire exercise, organizations with sensitive data should evaluate the business risk of sharing data openly with the service provider. Organizations should consider providers with appropriate security certifications, so as to mitigate the risk of data loss.
Organizational needs, budgets and existing specialists are crucial criteria in the MDR route an organization takes. The first two determine the features the MDR solution must have, while existing specialists will need to be upskilled for the MDR implementation.
Aurora can help evaluate your cybersecurity needs and recommend MDR solutions and services that best fit your organization’s goals.
How to get started?
Considering the many advantages it offers over EDR (Endpoint Detection and Response), SIEM (Security Information and Event Management) systems and MSSPs (Managed Security Service Providers), which are generally regarded as the predecessors of MDR, organizations are advised to consider putting an MDR solution in place after weighing their own needs, security tools, resources and vision.
Call or email sales@aurorait.com to learn more about the solutions and services that we offer.
In the amusing close to War Games, the supercomputer, breaking form to interact with its human interface, gives the hacker (the film’s central character) its take on nuclear war. ‘Strange game,’ it says. ‘The only way to win is not to play.’
Not quite what the MDR threat analyst and response expert would say when it comes to cyber-attacks!
Sources:
[1] CrowdStrike: https://www.crowdstrike.com/cybersecurity-101/managed-detection-and-response-mdr/
[2] Gartner: https://www.gartner.com/reviews/market/managed-detection-and-response-services
[3] Trend Micro: https://www.trendmicro.com/vinfo/us/security/definition/managed-detection-and-response