The Strategic Cyber Security Leader: How To Know When It's Time To Switch To MDR
By Lyndon Brown, Pondurance
Technology always has been about transitions. Through the decades, we went from using the DynaTAC 8000X to the BlackBerry to the latest Androids and iPhones. We evolved from a desktop office culture to one in which smartphones, laptops, and tablets have created a virtual workplace that allows us to get the job done wherever we are.
Similarly, in cybersecurity, we’ve segued from focusing on fortifying the perimeter with firewalls and other traditional tools to defending an enterprise with no readily defined borders — requiring increasingly innovative approaches to protect digital assets and reduce risk.
Given the inevitability of change, chief information security officers (CISOs) must routinely re-assess their operational models to determine if they need to rip up the current blueprint. And, more than ever, these CISOs are turning to a managed detection and response (MDR) partner to elevate their maturity and meet today’s challenges. By 2025, one-half of organizations will be using MDR services for monitoring, detection, and response functions to contain threats, according to a projection from Gartner. Research firm EMA surveyed midsized and large enterprises investing in MDR capabilities and found that a full 37 percent of respondents reported reducing mean time to resolution (MTTR) of attacks by between 50 and 100 percent, reflecting cases where triage time was slashed or avoided altogether.
As a CISO, CIO, or other decision maker, how do you know when it’s time to transition to MDR services? Here are three telling signs:
Your MSSP Is No Longer Up To The Task
MSSPs (managed security service providers) arrived in an era when IT departments purchased firewalls, antivirus products, and email security solutions. Organizations outsourced the oversight of these tools because there was no budget to hire, certify, train, and manage people to do it internally. But as attacks grow in sophistication and volume, MSSPs lose relevance.
Why? Because they often generate too much noise and put the burden on the customer to sift through thousands of alerts. These services were never designed to perform investigation and response — and customers struggle to do that on their own. Additionally, these providers are reliant on simple preventive controls and lack visibility into the bulk of modern attacker techniques.
In contrast, MDR is a “security as a service” offering in which external teams search customers’ networks 24/7/365 to detect suspicious activity and launch effective mitigation/prevention measures backed by proven data. This decreases the number of days, weeks, or even months that a threat can hide within a network and compromise/steal data — i.e. “dwell time.” At their core, the most valuable MDR services combine advanced technology, a balance of machine learning and nuanced human analysis (or “authentic intelligence”), and deep expertise to stay one step ahead of attackers.
What’s more, the best MDR providers will not only tell customers what was flagged — they will explain what it means. If an alert goes off on someone’s laptop, for example, they will dive deep to explore whether the issue is unique to that device, whether it has spread to others within the enterprise, and whether there is suspicious activity associated with it. With the MDR provider sharing a wealth of threat intelligence and data, CISOs obtain a comprehensive view of their entire cyber risk landscape and make better decisions as a result.
You Want To Manage False Positives To Avoid False Negatives
It’s safe to say that organizations are drowning in alerts. Two out of five field at least 1,000 alerts a day (14 percent deal with no less than 10,000 a day), and 83 percent of security team members are experiencing “alert fatigue.” Without MDR, they will either spend too much time, energy, and resources attempting to chase down all of the alerts and go down assorted rabbit holes, or they’ll just give up and stop trying.
MDR services bring the talent of highly experienced professionals who understand how to sift through the endless alerts and make sense of it all. In addition, their outside, objective eyes can draw meaningful conclusions from false-positive alerts, learning from alarms that others may simply discard as a nuisance. This is preferable to the alternative — a false negative — where you are missing a threat entirely.
Consider a physical security analogy: Suppose a package with suspicious features like excess tape, a missing return address, and what looks to the casual eye like stains or residue turns up at a warehouse or office, leading someone to sound the alarm. Because the risk of injury from explosives and bioweapons delivered through the mail is so severe, we have to credit the alert staff and facility procedures that flagged the package. Even if police and hazardous materials teams confirm it was all a false alarm, it would be a mistake to dial down physical security and mailroom procedures, because we do not know what will be in the mail tomorrow. However, evacuating the mailroom every time any package arrives would be disruptive.
What if packages could be safely inspected, at speed, by experts, before arriving in the mailroom? And what if the same experts, drawing on thousands of similar investigations, could monitor and respond to threats that may have slipped past preventive controls?
Good cybersecurity analysts and incident responders tune their visibility and controls to account for technology evolution, massive shifts like remote work during a pandemic, and human error. This is another area where MDR capabilities can discern between true and false positives, by providing context and historical timelines in an instant. The problem with false positives is not necessarily that they exist; it is that internal staff are so inundated with data that they reflexively want to pare down the firehose of alerts, which can silence true positives.
You’re Seeking A Seat At The Strategic Leadership Table
CISOs used to keep relatively low profiles — until something was breached. But this dynamic is changing, especially in a pandemic environment in which so many organizations have added new technologies to the CISO’s defensive scope, like remote-access control systems, niche SaaS applications, contactless payment platforms, and building automation. C-suite leaders used to equate “technology” with a “support” function of the business, but it is no exaggeration to say that now technology is the business. This means the CISO’s team, tools, and partners are what stand between business resiliency and an attack or disruption bringing the business to a halt. In other words, CISOs are rising influencers, and they must “prove that security is happening” by distilling insights and metrics from all that data.
Yet it’s difficult to strategize and distill when you’re constantly sidetracked with firefighting duties. By handing off the monitoring and firefighting to the MDR team, while keeping them accountable, CISOs stay focused on the strategic vision that builds, validates, and champions an optimal state of protection and risk reduction — securing their seat at the leadership table.
It all comes down to how you’re going to invest your time, energy, and budget. Do you pay to build and run your own security operations center? Accounting for holidays and vacations, it takes about 15 full-time resources to staff a moderate 24/7 SOC. Even in large organizations, this pulls resources away from projects and other strategic initiatives. Where will you find your talent? Once trained, SOC analysts typically walk out the door within a year for twice their current salary. When it comes to maturity, how quickly will your program stand up to C-suite scrutiny when they ask: “Are we secure?”
It is simply too expensive and time-consuming to tackle these requirements on your own. But by partnering with an MDR provider, you’ll meet and even exceed organizational expectations, with more conclusive data to back up your performance claims.
About The Author
Lyndon Brown is the Chief Strategy Officer at cybersecurity firm Pondurance.