Five MDR Service Principles to Reduce Risk in Mid-Sized Enterprises
This post was last updated on November 1st, 2021 at 04:04 pm
If you are responsible for IT security for an organization with less than 2,500 employees and the “core” Microsoft security, you might think that hackers have bigger fish to fry and won’t set their sites on you. That line of thinking is risky. As cybercrime skyrockets, no organization is immune to attack, but implementing an MDR Service in advance is easy, affordable and will stop even the most advanced attacks. To truly reduce your risk, though, the solution you choose must be appropriate for your IT environment. These five principles will help you shift your thinking and reduce your cyber risk.
1. Assume the mindset: Defenses can and will be penetrated
- Even though the top cyber headlines are focused on large, Fortune 500 breaches, you are not immune. Cybercriminals do not discriminate by business scale now that they have automated threats and tools like Ransomware as a Service.
- The two most common types of cyber attacks for mid-size companies are Microsoft 365 Account Takeover (via phishing watering hole, brute force attacks and combolist purchase) and Ransomware (via advanced endpoint exploit, session hijack and SAML token theft). Both of these are devastating to any organization. They can lead to financial damage including wire fraud, ransom payments, business interruption, brand damage, and massive increases in cyber insurance renewals.
- Based on the NIST model, the MDR Service must directly invest in the Detect, Respond, and Recover portions of the security lifecycle to be effectively protected from these attacks across endpoint and your Microsoft 365 services (which contains your identity and must be included)
2. The MDR service must be optimized for YOUR IT team and environment.
- Mid-Market MDR organizations below 2,500 endpoints typically have fragmented networks, a highly remote workforce and large investments in Microsoft 365 and their security stack. Your MDR partner should leverage the existing Microsoft Security and focus their service on the gaps in Detection and Response.
- Microsoft 365 is an important component of your MDR Service and must be included. Microsoft provides world class security, but with 250M+ active global subscribers, account level services, touch and follow up on a key incident is impossible.
- Most MDR providers are focused on large businesses, citing Fortune 500 client lists. These environments are highly complex with 30+ security vendors supported by 100s of IT personnel spanning the globe. Their baseline service likely doesn’t reflect your needs with a focus on endpoints connected to cloud based or SaaS applications.
- A dedicated function and service to proactively perform real time threat detection and analysis across endpoints and Microsoft 365 services is crucial.
- Time to value: Is the service easy to deploy and able to produce value in the first day or even hours?
- Purpose built, focused MDR / XDR platforms optimized for Mid Market leverage cloud and speed. They beat the broad legacy on prem, SIEM based approach that powers most of the traditional MSSP market.
3. Ensure the MDR Service includes Advanced Detection with the following critical capabilities:
- Cloud based data collection, aggregation and analysis across endpoint and MS 365 cloud services
- Behavioral monitoring to covers the top adversary TTPs prescribed by MITRE
- Machine learning based alerts with data correlation capabilities
- Rules based alerting to filter out large volumes of data and alerts down to the critical few
4. Ensure the MDR Service includes Scalable and Automated Response with the following capabilities:
- Predefined automated actions to mitigate malicious activity and stop attacks in progress across ALL your endpoints and Microsoft 365.
- Can push these actions in MINUTES across the entire network and off network without using Active Directory or other central services that are usually compromised early in the attack lifecycle
5. Ensure your service provider includes expert SOC services with 24×7 monitoring that fit well with your IT team.
- Fit and Dependability: Is their team a good fit for yours? Do the references they provide know their names and swear by their dependability during a time of need?
- Expertise: Do they know how the strengths and weaknesses with Microsoft Defender? Detection and Response is a highly specialized skill set and requires 1,000s of hours of training and real world experience for analysts to be effective against highly trained adversaries.
- Proactive detection must be performed by a dedicated team that is reviewing alerts and will not be sidetracked with day to day firefighting in IT.
- 24X7: Attacks typically occur during nights, weekends and holidays when traditional teams are not as responsive. Make sure you have experts always on call with an investigate and response SLA for critical threats.