Should You Outsource Your Managed Security Services to an MDR Provider?
During 2018, companies overall saw a 350% increase in ransomware attacks, a 250% increase in spoofing and business email compromise (BEC) attacks, and a 70% increase in spear-phishing attacks. Further, the average cost of a cyber-data breach rose from $4.9 million in 2017 to $7.5 million in 2018, according to the U.S. Securities and Exchange Commission.
If you still believe your company is immune to these types of cyber-attacks because you use an antivirus solution, next-gen firewalls, and endpoint protection or endpoint detection and response platforms, guess again.
Cyber threats are growing in both volume and sophistication, and every company, large or small, is at risk. Anti-virus tools are a worthwhile investment, but they are by no means enough to prevent all (or even most) types of attacks. Every organization needs layers of security tools to protect its digital assets and resources, and sometimes even that isn't enough.
The fact is, prevention efforts are critically important, but detection and response capabilities are also essential in today’s computing environment. There’s no silver bullet for preventing all cyber-attacks, so companies must be equipped to detect the presence of an attacker on their systems and respond to the threat to mitigate it.
“Being equipped” for threat and vulnerability detection, and further for responding to security incidents, means acquiring and maintaining both the tools and the expertise to detect attacks and stop them before serious damage is done. Needless to say, this can be expensive. What's more, there is a global shortage of cybersecurity experts with the skills to detect and stop attacks in their early stages. Thus, attempting to do threat detection and response with in-house resources can be a real struggle.
There is another way to get those essential cybersecurity capabilities without a huge investment in tools and in expertise that is becoming ever harder to find: outsource your managed detection and response (MDR) services to an MDR provider.
What is MDR?
Very few organizations have the in-house resources to do their own threat hunting and incident response. Managed detection and response (MDR) is a service that arose from the need for companies to be proactive in looking for security threats and vulnerabilities in their environment, and doing something about them once they are discovered.
MDR providers, often associated with managed security service providers (MSSPs), use proprietary detection and incident response tools and platforms to manage your proactive and reactive cybersecurity operations. These tools and platforms are managed and maintained by the provider's own skilled security experts and engineers, who monitor a customer's network for suspicious activity, analyze incidents when they are discovered, and respond in a manner that will mitigate the threat.
Many responses are automated using scripts, machine learning, and APIs; others require human intervention, or a combination of the two, to neutralize or eliminate the security threat or vulnerability. MDR allows you to contract for dedicated, specialized services that operate 24×7.
Why are cyber threats so hard to detect?
Cybersecurity professionals say their jobs are growing more difficult because it is getting harder to detect and respond to threats in a reasonable amount of time, for numerous reasons. Companies often run a variety of tools that flag unusual or anomalous activity as suspicious and raise an alert. So many alerts are raised in a single day that it is impossible for the security team to examine all of them to see which are worth investigating. Consequently, hundreds or even thousands of alerts that might signal the presence of a real threat are ignored for lack of resources to address them.
A single event that raises an alert might not, in and of itself, be problematic. For example, suppose there is a failed user login. It could be that the end user mistyped his password. Or it could be an attacker's attempt to log in by guessing a password. Without further evidence, such as correlating this event with others that are happening at the same time, the failed-login alert is likely to be ignored. Tools such as Security Information and Event Management (SIEM) help to correlate events and prioritize alerts, but they can be complicated to set up and tune so that correlation and prioritization work well. Nevertheless, correlation of all security event information is key. Security tools that operate in silos are far less effective for the organization.
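The correlation the paragraph describes, as an added example that is not part of the original article or of any vendor's product: a few constructed authentication log lines (the log format, hosts and users are assumptions made for the example) are parsed and a sliding window counts failures per source address. One failed login is ignored; five failures from the same source within a minute raises a brute-force alert, and a successful login from that source afterwards raises a higher-severity alert, since that is the pattern of a guessed password. Counting per source rather than per user also catches password spraying, where one source tries many accounts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not real data). The line format is an assumption
# loosely modelled on an authentication log: "<ISO timestamp> <result> user=<u> src=<ip>".
SAMPLE_LOG = """\
2018-11-02T09:00:01Z FAILED user=alice src=10.0.0.5
2018-11-02T09:00:03Z SUCCESS user=alice src=10.0.0.5
2018-11-02T09:10:00Z FAILED user=bob src=203.0.113.7
2018-11-02T09:10:02Z FAILED user=carol src=203.0.113.7
2018-11-02T09:10:04Z FAILED user=dave src=203.0.113.7
2018-11-02T09:10:06Z FAILED user=erin src=203.0.113.7
2018-11-02T09:10:08Z FAILED user=frank src=203.0.113.7
2018-11-02T09:10:10Z SUCCESS user=frank src=203.0.113.7
2018-11-02T13:00:00Z FAILED user=alice src=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text):
    """Turn raw log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def correlate(events, threshold=5, window_s=60):
    """Return a list of (src, kind, detail) alerts.

    kind == "brute_force"         : >= threshold failures from one source within window_s
    kind == "brute_force_success" : a SUCCESS from a source already flagged as brute forcing
    A single failure never produces an alert on its own.
    """
    alerts = []
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()              # sources that already produced a brute_force alert
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            # Drop failures that have aged out of the window.
            while q and (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append((ev["src"], "brute_force",
                               f"{len(q)} failed logins within {window_s}s"))
        elif ev["src"] in flagged:
            # Success after a burst of failures is the signature of a guessed password.
            alerts.append((ev["src"], "brute_force_success",
                           f"successful login as {ev['user']} after failures"))
    return alerts


if __name__ == "__main__":
    for src, kind, detail in correlate(parse(SAMPLE_LOG)):
        print(f"{kind:20} src={src} {detail}")
```

The threshold and window are tuning knobs; the point of the example is that the lone failure from 10.0.0.5 never alerts, while the five-in-ten-seconds burst from 203.0.113.7 followed by a success does, and only because events from the same source are correlated.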
Another reason cyber threats and vulnerabilities are difficult to detect is the growing sophistication of the threats. For example, an attacker might use an exploit that runs only in a computer's memory and never writes a file to disk, so file-based antivirus has nothing to scan; the only evidence is in memory and in whatever network traffic delivered it. What's more, skilled attackers have learned how to evade detection mechanisms, making threat detection a high-stakes game of cat and mouse.
One more factor contributes to the difficulty of threat detection and that’s the global shortage of skilled cybersecurity professionals. (ISC)² estimates the worldwide shortage to be approaching 3 million people, with approximately half a million of those job openings in North America. The problem is obvious: if you don’t have the people looking, you aren’t going to find the threats.
The benefits of MDR for small and mid-market organizations
The most obvious benefit of MDR security services is that your organization gains affordable access to specialized detection tools and processes as well as the human security experts that would otherwise be too expensive to buy and hire. And that’s assuming you can even find the security experts available to hire, due to the vast skills shortage.
Skilled MDR providers can deal with sophisticated threats that are difficult to detect and contain, and they follow through with mitigation until the threat is neutralized or eliminated, thus reducing risk to your company.
Your organization benefits from crowd-sourced threat intelligence and best practices on how to respond to threats without the burden of recruiting, managing, and maintaining your own detection and response platforms or security personnel.
Decision criteria for determining if your company needs an MDR provider
Although detection and response capabilities vary by organization, both large and small businesses may face similar challenges:
- Can you quickly detect the presence of an attacker on your systems and respond to the threat effectively?
- Do you have the tools and expertise to successfully detect attacks and stop them?
- Do you have in-house resources with the necessary skills and capacity to detect and respond to threats?
- Are you able to leverage automation to augment human resources and provide 24/7 detection and mitigation coverage?
- Can your in-house resources investigate and respond to alerts in a reasonable time frame? Are your mean time to detect (MTTD) and mean time to respond (MTTR) acceptable?
- Can you detect emerging sophisticated threats, such as fileless malware and memory implants, and can you remediate them?
- Can you find and retain the necessary security resources to provide an effective threat response program?
The inability to answer with a resounding yes to any of these questions is a clear indicator that you may benefit from managed security services—specifically Managed Detection and Response (MDR) services.
Justifying the investment in MDR services to your board
In recent years, cyber-risk has started appearing on the agendas of corporate boards. Board members are becoming aware of their fiduciary responsibilities to ensure that shareholders’ and customers’ interests are served by having a comprehensive cybersecurity strategy and program. CISOs are often asked to justify their desired investments to bolster security. If you have a role in justifying the investment in MDR, it’s important to talk in terms that the board cares about (and it’s not the nitty gritty details of cyber threats).
This article in the Wall Street Journal suggests it’s important to talk about the “big picture” business metrics, such as:
- Security incidents: Are they trending up or down?
- Compliance: How are we serving our cybersecurity obligations while also managing any deficiencies that may come with meeting compliance standards?
- Security disruption: How much downtime did critical systems experience due to security incidents?
- Business alignment: How many corporate projects were delayed or accelerated by cybersecurity initiatives? What was the cost added (for delays) or cost savings (for acceleration)?
- Business cyber risk trends: How has the cyber risk, for each of our company’s internal divisions, increased or decreased?
- Incident response: How prepared is the company to respond to major security incidents? Have we defined our processes and done “dress rehearsals” for incident response?
You will need to gather your own statistics that reflect your organization’s readiness to respond to major security incidents. There is one important metric that you may not have (or even have the ability to know without a detection and response solution) and that is “average dwell time.”
Dwell time, as used here, is the sum of the time to detect a threat (or vulnerability) and the time to respond to it and neutralize or eliminate it. Note that some industry reports, such as Mandiant's M-Trends, measure dwell time only from compromise to detection, so check the definition before comparing figures. As a security metric, average dwell time ranges widely depending on the types and severity of threats and the capabilities of the organization impacted.
Average dwell time for threats globally is reported in the low hundreds of days. However, findings from our Mid-market Threat and Incident Response Report show that low priority threats reside for much longer and average 950+ days (two and a half years!) of dwell time. This is often overlooked but we find a strong correlation between presence and dwell time of low priority threats and overall readiness and ability to respond to a larger threat. A clean environment is an indicator of positive control.
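How the metrics from the decision criteria and this section are actually computed, as an added example that is not from Infocyte's report or platform: a handful of constructed incident records (the dates and priorities are invented for illustration) with compromise, detection and resolution timestamps yield time to detect, time to respond and dwell time per incident, following this article's definition of dwell time as detect-plus-respond, and then MTTD, MTTR and average dwell time per priority. An incident that is still open has no resolution timestamp; it is measured up to a chosen "as of" date and marked open rather than silently dropped, because dropping open incidents makes MTTR look better than it is.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed incident records (not real data). A value of None means that step
# has not happened yet; INC-4 is still open.
INCIDENTS = [
    {"id": "INC-1", "priority": "high", "compromised": "2018-01-10", "detected": "2018-04-20", "resolved": "2018-04-22"},
    {"id": "INC-2", "priority": "high", "compromised": "2018-03-01", "detected": "2018-06-09", "resolved": "2018-06-12"},
    {"id": "INC-3", "priority": "low",  "compromised": "2015-05-01", "detected": "2018-01-05", "resolved": "2018-01-15"},
    {"id": "INC-4", "priority": "low",  "compromised": "2016-02-15", "detected": "2018-10-01", "resolved": None},
]


def _date(s):
    return datetime.strptime(s, "%Y-%m-%d") if s else None


def per_incident(incidents, as_of):
    """Return {id: {...}} with time_to_detect, time_to_respond and dwell in days.

    dwell = time_to_detect + time_to_respond (the article's definition).
    Open incidents are measured up to `as_of` and flagged with open=True.
    """
    out = {}
    for inc in incidents:
        compromised, detected, resolved = (_date(inc[k]) for k in ("compromised", "detected", "resolved"))
        if compromised is None or detected is None:
            # Without a detection timestamp there is no dwell time to report yet.
            out[inc["id"]] = {"priority": inc["priority"], "undetected": True}
            continue
        end, is_open = (resolved, False) if resolved else (as_of, True)
        ttd = (detected - compromised).days
        ttr = (end - detected).days
        out[inc["id"]] = {
            "priority": inc["priority"],
            "time_to_detect": ttd,
            "time_to_respond": ttr,
            "dwell": ttd + ttr,
            "open": is_open,
        }
    return out


def summarize(incidents, as_of):
    """Return {priority: {"mttd": ..., "mttr": ..., "avg_dwell": ..., "count": n}}."""
    buckets = defaultdict(list)
    for rec in per_incident(incidents, as_of).values():
        if not rec.get("undetected"):
            buckets[rec["priority"]].append(rec)
    return {
        prio: {
            "count": len(recs),
            "mttd": mean(r["time_to_detect"] for r in recs),
            "mttr": mean(r["time_to_respond"] for r in recs),
            "avg_dwell": mean(r["dwell"] for r in recs),
        }
        for prio, recs in buckets.items()
    }


if __name__ == "__main__":
    for prio, s in summarize(INCIDENTS, datetime(2018, 10, 15)).items():
        print(f"{prio:5} n={s['count']} MTTD={s['mttd']:.1f}d MTTR={s['mttr']:.1f}d dwell={s['avg_dwell']:.1f}d")
```

With these constructed records the high-priority incidents show a dwell time in the low hundreds of days while the low-priority ones sit near a thousand, which is the pattern the paragraph above describes; the numbers themselves are illustrative only.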
Cybersecurity is a challenge unlike any other business issue. The enemy is unseen and unknown, and you don't know how, if, or when this enemy will come at you. Prevention of breaches is important but not infallible. The only way to know whether you are already compromised (and thus at risk of a breach) is to hunt for signs of compromise.
As you make your pitch to the board to contract for an MDR service, you can mention that your needs for detection and response capabilities exceed your current resources, skills, and available time. Outsourcing MDR provides access to specialized skills and competency that you don’t have the time or budget to develop in-house.
Learn more about engaging with MDR security service providers to protect your environment
Infocyte has developed a sophisticated platform for automated threat and vulnerability detection and on-demand incident response. Our platform enables managed security service providers to deliver cost-effective MDR services, supported by our global network of certified partners—including some of the world’s leading cybersecurity firms.
Download the 451 Research report outlining how Infocyte delivers cost-effective MDR security services across physical, virtual, and cloud environments.
Infocyte is an easy path to implement EDR or MDR for mid-size organizations. Learn more from Forrester's Now Tech Report here.