How To Choose A Managed Detection And Response (MDR) Solution

The functions and capabilities of an MDR (Managed Detection and Response) solution can seem overwhelming – how do you choose one that is appropriate for your organization?

How To Choose An MDR Solution

For many organizations, there simply aren’t the resources to employ a full-time, dedicated cybersecurity specialist, let alone a whole team. Although the dangers that cyberattacks pose are significant, these risks must be sidelined in favour of more practical, pragmatic concerns.

Organizations of all sizes can fall victim to a range of cyber-attacks – phishing, business email compromise (BEC), and malware are the most common. Attackers use a variety of techniques to bypass security features, exploit users’ trust through “social engineering”, and harvest valuable data by abusing security vulnerabilities. In 2022, IBM found that 83% of organizations had experienced more than one cybersecurity breach.

The report goes on to put the average cost of a cybersecurity breach (in critical infrastructure such as financial services) at USD 4.82 million. A cost this high is likely to have a devastating effect on many organizations. Effective cybersecurity tools cannot be treated as an optional extra; they must be an integral part of your organization’s policies and planning.

However, not having the in-house expertise, time, or resources to implement security doesn’t necessarily mean you’re doomed to fall victim to a cyberattack. Managed Detection and Response (MDR) solutions are designed to provide enterprise-grade security without the need for enterprise-grade resources.

But what exactly is Managed Detection and Response, and how can you make sure you’re choosing the right MDR solution for your business?

What Is An MDR Solution?

MDR gives you the benefits of an Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) solution without requiring you to have a high level of technical knowledge. This is because the “M” in MDR stands for “managed”: a third party oversees the installation, running, monitoring, and remediation of cyber events that threaten your network.

Features of an MDR solution include:

  • Threat triage and alert prioritization
  • Endpoint data gathering
  • Information analysis and threat telemetry to predict threat behavior
  • Proactive threat hunting
  • Device isolation and network segmentation
  • Automatic, facilitated, and managed remediation options
  • 24/7 service
  • Vulnerability insights
  • Support team on hand to offer advice and assistance

Who Needs An MDR Solution?

MDR solutions are designed to give organizations without the resources to run a cybersecurity operation internally access to enterprise-level security. As such, there are options to suit all sectors and sizes of organization. For SMBs, a comprehensive MDR service is important: it protects your organization from attack while putting you in contact with cybersecurity professionals who can optimize your cybersecurity infrastructure.

What To Look For In An MDR Service

Partnership

By installing an MDR solution, you will be entrusting a third party with your cybersecurity. This is a big deal. The consequences of a cyber-attack can be severe – loss of earnings is compounded by the cost of fixing infrastructure, reputational damage, and, in some industries, regulatory penalties. It is therefore important that you find an MDR provider with whom you can build a relationship. They need to understand how your organization works and the issues that you face. You need to understand how the MDR service can protect you, as well as its boundaries, so that you can implement other security tools for any outstanding threats that can’t be mitigated via MDR.

As your relationship develops, you can ensure that your MDR configuration is as effective and tailored as possible. This may influence the products that an MDR provider adds to their security stack. By having this ongoing conversation, you can ensure that your network security is always up to date and that you are protected with the most sophisticated solutions.

Building a strong partnership with your MDR provider will also ensure you are best placed to respond to severe cyber-attacks. There may be times when your organization needs urgent support resolving an incident. You need to ensure that your MDR provider is contactable 24/7/365 – cyberattacks can happen at any time. It is important that the out-of-hours service is not diminished and is able to respond robustly to any attack. MDR providers tell us that there is an increase in cyber-attacks during public holidays and long weekends, because attackers know that there will be fewer staff in the office to respond during these periods.

The bottom line: build a relationship with your MDR provider to ensure your solution is tailored, appropriate and effective.

Technological Capabilities

Questioning the technical credentials of your MDR solution might seem like an obvious point – and it is an obvious point, but it’s also an important one. Before investing in an MDR solution and trusting that it will protect you, you need to know that it is powerful enough to do the job. An effective MDR solution will offer comprehensive visibility across all your endpoints and assets – any area that is not covered could be an entry point for an attacker.

One of the capabilities you should look for in an MDR solution is log detection – OS and application logs are analyzed to identify anomalous or malicious behavior. Network detection is another key feature: an MDR must be able to detect threats wherever they occur on your network, be it cloud-based, on-premises, or hybrid. You want your MDR solution to have full visibility over all your endpoints and across all the applications that your organization uses.

As the cyberthreat landscape is continually shifting, it is essential that your MDR solution stays ahead of the threats to keep you safe. Many MDR solutions are connected to a data network that shares intelligence regarding new threats, indicators of compromise (IoCs), and tactics, techniques, and procedures (TTPs). This information enables your MDR solution to respond quickly and effectively to threats it has not seen before but which have been carried out somewhere else.

The bottom line: ensure your MDR solution can integrate with your existing security products and is powerful enough to identify and respond to threats as they occur.

Integration

Although an MDR solution will usually include its own stack of security products, it is important that it can integrate with any security tools that your organization already uses. It should be able to analyze data from your own security products and orchestrate remediation using that data. It is only through deep and effective integration that your MDR solution can fulfil its potential.

Your MDR solution should be able to integrate with the endpoints that your organization has, the applications that you use, and your way of working. If, for example, your employees use tablets (or you have a BYOD policy), these endpoints need to be covered by your MDR. If this is done effectively, these devices can contribute useful telemetry and enhance intelligence gathering.

With a fully integrated MDR, threats can be identified more quickly and therefore remediated in a shorter time. As your organization evolves, you want to ensure that the MDR solution is flexible enough to scale as you grow. In the future, you might have more endpoints to cover, and you will want to ensure that your MDR has the capacity to ingest this extra data and produce actionable intelligence.

The bottom line: to identify threats across your network, your MDR needs to integrate effectively with your whole network and adapt to changes in the future.

Effective Response

Although the clue is in the title, it is imperative that your MDR solution can provide an effective and comprehensive response to threats once they are detected. MDR should be an equal balance between detection and response. Detailed intelligence is only useful if it can inform remediation decisions.

Response capabilities should be configured to run automatically where appropriate. This means that commonplace, minor incidents can be remediated without involving a member of security staff. On a network there are too many endpoints, and consequently too much data, for a human to sift through and remediate every threat individually.

Automatic remediation ensures that threats are dealt with quickly, allowing your security staff to focus on other issues. It also reduces “alert fatigue” – the phenomenon where a security analyst is overwhelmed by the number of notifications, which reduces their effectiveness.

More significant threats that need admin intervention should come with detailed and actionable intelligence to inform remediation decisions. This point is explored further in the Alerts and Reporting section of this article, but this intelligence could include root cause analysis, forensic reporting on how the attack has evolved and which areas have been affected, and guidance on how best to remediate it.

According to Mandiant, the median dwell time (the duration for which a threat is present in a system before it is detected) was 21 days in 2022. That’s over 500 hours during which a threat is active on your network. In that time it can search for valuable information, or for vulnerabilities with which to further exploit your network. To combat this, MDR solutions should provide proactive threat hunting features. This involves continuous monitoring and scanning of your systems to identify any anomalies or dangerous software that has made it past other security tools.

With some MDR solutions, threat hunting is a hybrid practice that leverages human threat hunters and the extensive. As malware is created by humans, it is important that humans are part of the response. SonicWall discovered 270,228 new types of malware in the first half of 2022 – that’s 1,501 new variants per day. Even if your MDR solution has a large database of known threats, it needs to proactively hunt threats to identify any of these new variants.

The bottom line: without an effective and proactive response, any intelligence is of limited use. Specific intelligence can ensure that remediation capabilities are precise and quick.

Alerts And Reporting

Although we have already discussed the importance of automated response in reducing alert fatigue, that does not mean there is no place for alerts at all. It is important to get the balance between automation and reporting right, as this ensures that admins have enough information without being overwhelmed.

Depending on the size of your organization, a network can easily span hundreds of endpoints. With each of these reporting data in real time, the volume of information can quickly become overwhelming. An effective MDR solution will filter out the less relevant information and highlight the specific data that admins need to see. This information should be triaged by your MDR solution to ensure that admins are only alerted to the most relevant and significant threats.

This data should be displayed in a simple, ergonomic dashboard that the admin can customize. There should be the ability to pull up records of historic incidents to inform remediation methods. Being able to compare current data with historic data allows admins to judge how effectively risk is being managed. Real-time monitoring of endpoints will also allow admins to respond quickly when needed. Information about automated responses should be easy to find, or delivered as periodic notifications, so that admins stay up to date on network threats.

A useful way of illustrating threat behavior is a threat timeline. This graphic shows how a threat entered the network, which systems it has been in contact with (and may therefore have infected), and how the threat was remediated. The timeline will record the response time and identify whether any areas of the network should be isolated to prevent the malware from spreading.
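As an added illustration (not code from this article or from any MDR vendor), the following Python sketches the triage pass described here and in the Effective Response section: repeated alerts are collapsed to cut alert fatigue, low-severity hits are routed to automatic remediation, high-severity ones are escalated to an analyst, and a per-host timeline with a rough dwell-time figure is assembled. The alerts, host names, and severity thresholds are constructed for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample EDR alerts (not real telemetry): time, host, detection, severity 1-10
SAMPLE_ALERTS = [
    ("2024-03-01T02:10:00", "ws-07", "phishing_attachment_blocked", 3),
    ("2024-03-01T02:10:05", "ws-07", "phishing_attachment_blocked", 3),
    ("2024-03-01T02:10:09", "ws-07", "phishing_attachment_blocked", 3),
    ("2024-03-01T02:31:40", "ws-07", "macro_spawned_powershell", 8),
    ("2024-03-01T02:33:12", "ws-07", "credential_dump_attempt", 9),
    ("2024-03-01T02:45:00", "srv-db1", "lateral_movement_smb", 9),
    ("2024-03-01T03:00:00", "ws-12", "unsigned_driver_loaded", 5),
    ("2024-03-01T09:00:00", "ws-12", "adware_quarantined", 2),
]
AUTO_MAX = 4      # assumption: severity <= AUTO_MAX is remediated automatically
ESCALATE_MIN = 7  # assumption: severity >= ESCALATE_MIN pages an analyst
TS_FMT = "%Y-%m-%dT%H:%M:%S"


def dedupe(alerts):
    """Collapse repeats of the same (host, detection) into one entry carrying a hit
    count and the earliest timestamp; this is the step that cuts alert fatigue."""
    first, counts = {}, Counter()
    for ts, host, det, sev in alerts:
        key = (host, det)
        counts[key] += 1
        if key not in first or ts < first[key][0]:
            first[key] = (ts, host, det, sev)
    return [first[k] + (counts[k],) for k in sorted(first, key=lambda k: first[k][0])]


def triage(alerts):
    """Route deduplicated alerts: low severity -> automatic action, high severity ->
    analyst escalation, everything else -> dashboard only."""
    routed = {"auto": [], "escalate": [], "dashboard": []}
    for _ts, host, det, sev, hits in dedupe(alerts):
        bucket = "auto" if sev <= AUTO_MAX else "escalate" if sev >= ESCALATE_MIN else "dashboard"
        routed[bucket].append((host, det, sev, hits))
    return routed


def host_timeline(alerts, host):
    """Ordered detections for one host plus hours from first to last alert: the data
    a threat timeline is drawn from and a rough per-host dwell-time figure."""
    events = sorted((ts, det) for ts, h, det, _ in alerts if h == host)
    if not events:
        return [], 0.0
    span = datetime.strptime(events[-1][0], TS_FMT) - datetime.strptime(events[0][0], TS_FMT)
    return events, round(span.total_seconds() / 3600, 2)
```

With the constructed data, the three identical phishing alerts on ws-07 become one auto-remediated entry with a hit count of 3, while the macro, credential-dump, and lateral-movement detections are escalated together with the ws-07 timeline that links them.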

The bottom line: an MDR solution is a complex cybersecurity tool – it is essential that there is a manageable way of understanding the data produced and the responses taken by the MDR service.

Summary

An MDR solution is an incredibly powerful tool that can give organizations of all sizes top-of-the-range cybersecurity. Before investing in a solution, it is important to understand what your organization needs from an MDR solution. Only then will you be able to properly engage with providers to find the best set of MDR features for your organization.

For more information about what MDR solutions are available on the market, read our Top 8 Managed Detection And Response (MDR) Solutions article here.