Managing Cybersecurity Needs When Talent Is Scarce and Alerts Are in Overload

essidsolutions

Cybersecurity threats have been on the rise, with dispersed workforces and increasing cloud adoption leading to more vulnerabilities. Dave Martin, vice president of managed detection and response (MDR) at Open Systems, discusses why the DIY approach is failing in a market where talent is scarce, the limitations of managed security service providers, and why managed detection and response is the best approach for now.

With cyber threats up since the pandemic, and the shift to remote work multiplying the entry points exposed to attack, many companies have recognized that the do-it-yourself, best-of-breed approach to security is not protecting them.

The practice of assembling comprehensive security stacks with the best firewall, endpoint sensor, cloud access security broker (CASB) and many other tools from multiple vendors seemed like a great strategy on paper. However, as good as these tools might be, for them to function properly, each must be correctly configured – and often reconfigured – to meet a company’s changing security circumstances. Configuring and reconfiguring so many tools is arduous and time-consuming, but if not done correctly, it creates gaps and vulnerabilities that bad actors can exploit. This has all too often resulted in successful attacks that might have otherwise been prevented.


DIY Just Won’t Fly

Compounding this, a significant number of these breaches go undetected. Even when tools are configured properly, they often generate a constant stream of low-fidelity alerts. The resulting noise makes it harder for understaffed and overstressed SecOps teams to identify and investigate the alerts that indicate a real incident. This scenario is common, particularly for companies with limited resources that cannot hire enough security experts because of the ongoing cybersecurity talent shortage.
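The alert-overload problem above is what a SOC's correlation layer exists to absorb: rather than handing an analyst every raw firing, group alerts per host into a time window, count a repeated rule once, and only escalate when several independent signals stack up. The following is an added example, not code from the article or from Open Systems; the alerts, the per-rule fidelity scores and the escalation threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry): (timestamp, host, rule, fidelity).
# "fidelity" is an assumed 0..1 confidence assigned per rule during tuning.
RAW_ALERTS = [
    ("2024-03-01T09:00:00", "ws-17", "powershell_encoded_cmd", 0.3),
    ("2024-03-01T09:00:20", "ws-17", "powershell_encoded_cmd", 0.3),
    ("2024-03-01T09:01:05", "ws-17", "lsass_access", 0.6),
    ("2024-03-01T09:02:40", "ws-17", "new_service_install", 0.5),
    ("2024-03-01T09:30:00", "ws-22", "powershell_encoded_cmd", 0.3),
    ("2024-03-01T10:15:00", "srv-db1", "failed_logon_burst", 0.2),
    ("2024-03-01T10:15:10", "srv-db1", "failed_logon_burst", 0.2),
    ("2024-03-01T10:15:20", "srv-db1", "failed_logon_burst", 0.2),
]

WINDOW = timedelta(minutes=10)   # assumed correlation window
ESCALATE_AT = 1.0                # assumed combined-score threshold for an incident


def correlate(alerts, window=WINDOW, threshold=ESCALATE_AT):
    """Group alerts per host into time windows and score each window.

    Within a window the same rule counts once (its highest fidelity), so a
    burst of one noisy rule does not inflate the score, while distinct rules
    on the same host add up. Returns a list of dicts, one per window.
    """
    by_host = defaultdict(list)
    for ts, host, rule, fid in sorted(alerts):
        by_host[host].append((datetime.fromisoformat(ts), rule, fid))

    incidents = []
    for host, events in by_host.items():
        groups = []  # each entry: [window_start, {rule: fidelity}, {rule: count}]
        for t, rule, fid in events:
            if not groups or t - groups[-1][0] > window:
                groups.append([t, {}, {}])
            _, rules, counts = groups[-1]
            rules[rule] = max(rules.get(rule, 0.0), fid)  # dedupe: one vote per rule
            counts[rule] = counts.get(rule, 0) + 1         # keep the raw count for the analyst
        for start, rules, counts in groups:
            score = round(sum(rules.values()), 2)
            incidents.append({
                "host": host,
                "window_start": start.isoformat(),
                "rules": sorted(rules),
                "raw_alerts": sum(counts.values()),
                "score": score,
                "escalate": score >= threshold,
            })
    return incidents


def escalated_hosts(alerts):
    """Hosts whose correlated score crosses the threshold; these reach a human."""
    return [i["host"] for i in correlate(alerts) if i["escalate"]]


if __name__ == "__main__":
    for inc in correlate(RAW_ALERTS):
        print(inc)
    print("escalate:", escalated_hosts(RAW_ALERTS))
```

On the constructed data, eight raw alerts collapse to three windows, and only ws-17, where three different rules fire within minutes, is escalated; the three identical failed-logon alerts on srv-db1 stay as one low-score window for later review rather than three tickets.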

It is essential to have an experienced engineer, or ideally a team of them, monitoring for threats around the clock, investigating true-positive alerts, eliminating unneeded tools and supplementing the essential ones with managed services that support the organization’s cybersecurity capabilities.

The Limitations of MSSPs

Managed security service providers (MSSPs) arrived on the scene to help small to mid-sized businesses (SMBs) with their cybersecurity needs, allowing them either to supplement their internal efforts or to offload security entirely. MSSPs offer network security services and help relieve the strain on IT teams, freeing up time for organizations to focus on their operations. They have earned a mixed reputation: some have simply forwarded alerts of potential threats for customers to handle themselves, rather than examining each alert to determine whether a real threat exists.

Most MSSPs offer outsourced management of tools, devices and other security assets (including firewalls and VPNs), vulnerability scanning, SIEM and a security operations center (SOC). While an MSSP will alert the customer about a detected threat, it is usually up to the customer to respond. That, in addition to identifying which alerts are critical and should be prioritized, is another aspect of cybersecurity that demands significant time and attention from the organization.

Customers have seen success with MSSPs when expectations are clear from the beginning and they know how the MSSP can supplement their existing in-house cybersecurity capabilities.

An MSSP is a great option for a company that already has the ability to threat-hunt and respond internally. A company that lacks those abilities will end up working overtime to manage its security despite having signed on with the MSSP.

How Can MDR Save the Day?

Managed detection and response (MDR) has emerged as a better way to detect and manage threats early, actively hunting for threats that have bypassed existing controls. It adds active response to attacks, so the response is not left to the organization, as is often the case with MSSPs. MDR is the latest managed security service to address the cybersecurity talent shortage and the problem of too many tools generating too many false-positive alerts. Rather than focusing on alerts, an MDR service provider focuses on outcomes: detecting intrusions at the earliest possible stage to prevent a breach, and responding with a remediation plan if a breach does happen.

According to a recent study by Osterman Research, “The managed cybersecurity services market is undergoing a significant shift. As organizations struggle with too many alerts, too few security analysts, and increasingly complex security stacks, they are rapidly upgrading from Managed Security Service Providers (MSSPs) and legacy security tools such as SIEMs that aggregate alerts, to action-oriented MDR services. Although detection remains a core capability, MDRs add automated response capabilities and access to seasoned cybersecurity professionals, enabling organizations to address alert overload, talent shortages and budget constraints.”

The Osterman study found that 79% of legacy MSSP users plan to upgrade to MDR services. The key reasons for adopting MDR: to augment existing security teams, automate response, improve threat detection and support for cloud services, and run 24/7 security operations.

An MDR service provider begins with a stated mission tied to the desired outcome. It is easy to get buried in details and tactics, but everything needs to tie back to that higher-level objective, the end result. Once the mission is established, a good MDR provider assesses the environment to learn what is normal and what is anomalous for that particular organization. It then works with the organization’s different teams to put a plan together and define a system of measurements. Those measurements go beyond mean time to detect (MTTD) and mean time to respond (MTTR) and include other metrics that require a deep understanding of the attack surface and the organization’s operational realities.
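To make MTTD and MTTR concrete, and to show why they are not enough on their own, here is an added example (not from the article or any MDR provider) that computes both from a handful of constructed incident records. Each record has the time the attacker activity began (established by forensics), the time it was detected and the time it was contained; the timestamps and incident IDs are invented for illustration. Alongside the means it reports medians and the worst case, because a single long-dwell intrusion can drag the mean far away from what the typical incident looks like.

```python
from datetime import datetime
from statistics import mean, median

# Constructed incident records (not real data). Times are ISO 8601 strings.
INCIDENTS = [
    {"id": "INC-1", "start": "2024-03-01T02:10:00",
     "detected": "2024-03-01T02:25:00", "contained": "2024-03-01T03:40:00"},
    {"id": "INC-2", "start": "2024-03-03T11:00:00",
     "detected": "2024-03-03T11:05:00", "contained": "2024-03-03T11:50:00"},
    # A long-dwell intrusion: first activity two weeks before anyone noticed.
    {"id": "INC-3", "start": "2024-02-20T08:00:00",
     "detected": "2024-03-05T09:00:00", "contained": "2024-03-05T12:00:00"},
]


def hours_between(earlier, later):
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return delta.total_seconds() / 3600


def detection_and_response_metrics(incidents):
    """MTTD/MTTR (means) plus medians and worst case, in hours.

    time-to-detect  = detected - start
    time-to-respond = contained - detected
    """
    ttd = [hours_between(i["start"], i["detected"]) for i in incidents]
    ttr = [hours_between(i["detected"], i["contained"]) for i in incidents]
    return {
        "mttd_hours": round(mean(ttd), 2),
        "median_ttd_hours": round(median(ttd), 2),
        "max_ttd_hours": round(max(ttd), 2),
        "mttr_hours": round(mean(ttr), 2),
        "median_ttr_hours": round(median(ttr), 2),
        "max_ttr_hours": round(max(ttr), 2),
    }


def longest_dwell(incidents):
    """ID of the incident with the longest time-to-detect; the one to learn from."""
    return max(incidents, key=lambda i: hours_between(i["start"], i["detected"]))["id"]


if __name__ == "__main__":
    for name, value in detection_and_response_metrics(INCIDENTS).items():
        print(f"{name:>18}: {value}")
    print("longest dwell:", longest_dwell(INCIDENTS))
```

On this data the MTTD is around 112 hours while the median time to detect is 15 minutes: two incidents were caught almost immediately and one sat undetected for two weeks. Reporting only the mean would hide that split, which is exactly the kind of context the article says an MDR provider should bring to its metrics.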

Customers must evaluate an MDR service provider to ensure it is the right fit. For example, an organization running on AWS will be best served by an MDR provider that specializes in AWS environments. Companies with existing security investments should also look for an MDR provider that builds on those investments rather than replacing them outright. For instance, many companies that use Microsoft Azure also hold Microsoft 365 E5 licensing, whose security suite is quite capable.


Managing Cyber Risks Better

For most mid-market companies that do not have a SOC, an MDR service provider can work from the organization’s existing security stack, eliminating the need to purchase separate and competing components. In these cases, customers are shielded from additional technology costs and pay only a regular service fee, a significant saving at a time of ever-increasing security concerns. Providing an organization with a SOC means it has cybersecurity analysts working around the clock to protect it and its critical assets.

In a nutshell, an MDR service provider saves organizations both time and money by taking care of the nitty-gritty essentials of fully operationalized cybersecurity. It is the optimal way to secure and staff organizations as attack surfaces continue to expand, talent is limited, and companies face more threats than ever before.
