Firefighters have it tough, but at least they know when their job is done — flames are extinguished, time to go home.
The same can hardly be said for many of today’s SOC teams. From the global pandemic and the ongoing war in Ukraine to an unprecedented surge in endpoints and cloud-hosted data, security professionals are wrestling with an increasingly complex (and at times, unrelenting) threat landscape that defies easy answers. As soon as one threat is vanquished, another one takes its place.
Lapsus$, Conti, Black Basta, DarkSide and dozens of other organized ransomware cartels have found ways to exploit this complexity, using endpoints as back doors for moving laterally through networks and holding data hostage. The result is that SOCs now receive hundreds of security alerts every day, a situation that has overwhelmed existing personnel and fueled record levels of burnout. A recent survey conducted by Forrester, for example, found that security teams spend up to 600 hours per month investigating and remediating threats, which is roughly equivalent to the full-time workloads of four employees.
As a result of these stresses, many organizations are getting help from the outside to address weaknesses on the inside. This is where managed detection and response (MDR), threat hunting and cybersecurity-as-a-service (CaaS) come into play.
Managed detection and response is an arrangement whereby an organization outsources some or all of its cybersecurity needs to a vendor that can provide both seasoned threat hunting expertise and extended detection and response (XDR) functionality. This novel combination – the bringing-together of product (XDR) and services (threat hunting) – has helped bridge a divide that had long existed in the security market, says Jeff Pollard, a VP and principal analyst at Forrester.
“For years, you had this neat divide that existed where you had product vendors and you had services vendors. The way it worked is, you’d buy a product and then you’d bring in a service to bolt on on top of that. So you had products, you had consulting, you had managed security services, and that was it.”
But with MDR, those divisions have blurred. Service vendors have expanded their portfolio to include XDR, and product vendors have begun recruiting and building up threat hunting experience. The result, Pollard says, is that while many security vendors now offer some version of MDR, it’s increasingly unclear what falls under that definition and what the customer will be getting out of it.
“A couple of years ago when we conducted our first MDR wave, there were almost a hundred folks where if you searched MDR, you could find it on their website somewhere,” says Pollard. “That’s only gotten bigger since then as MDR has validated and led to some really good security outcomes. So it’s difficult if you’re an organization trying to buy MDR, to sort through all of that.”
There are many factors and use cases for an organization to consider when evaluating a potential partnership with an MDR vendor, but that can be difficult with an alphabet soup of acronyms floating around — MDR, XDR, EDR, MSSP, CaaS, the list goes on!
What’s important to understand is that an effective MDR solution will consolidate the expertise and tools each of the other acronyms brings to the table.
As a benefit of MDR, the value of threat hunting can’t be emphasized enough. The cybersecurity skills shortage continues to have a debilitating effect across the industry, especially in small to medium-size companies that lack the budget and employee benefits to attract top talent. MDR helps companies sidestep this issue by giving them access to threat hunters, the “Navy SEALs” of the cybersecurity world.
Threat hunters are experienced and battle-tested professionals who use their creativity and curiosity to root out threats proactively, testing out hypotheses that a computer or AI might struggle to conceive of in the first place. Threat hunters are useful for breaking down barriers since their investigations can lead them to collect data from teams outside the traditional security purview, such as HR, Legal or Sales.
MDR is a huge market, and it’s only getting bigger. With so many options on the table, how should an organization decide which MDR vendor is right for them?
There are several pre-buy exercises that experts like Forrester’s Jeff Pollard recommend: