Why Managed Detection and Response (MDR) is your most important security investment

By Ed Williams
2012

Ed Williams, EMEA Director of SpiderLabs, Trustwave

After years of a severe skills drought, the availability of security professionals appears to be gradually improving. The global shortfall in security professionals dropped from 3.12 million to 2.72 million last year. Although this is notable progress, it is not happening fast enough. Cyberattacks have grown far more intense, with threat actors constantly adopting new attack vectors and targeting mechanisms to carry out large-scale attacks.

To address this evolved intensity and pace of cybersecurity risks, organizations are choosing to invest in proactive solutions like managed detection and response (MDR). Gartner has predicted that nearly half of all organizations will be using MDR services by 2025. Vendors are also recognizing this trend and providing more defensive solutions rather than only offering reactive services like the investigation of automated alerts. As a result, the MDR services of today are much more extensive and dynamic than what had previously been available, which is why we believe MDR is one of the most sustainable security investments a business can make.

So, what should be the key consideration for security leaders when investing in MDR?

Conventional security solutions cannot provide a proactive response

Organizations today cannot rely solely on reactive response as an effective cybersecurity strategy, as aggressive attacks like ransomware, supply chain attacks, and malware injection can compromise valuable assets in a very short span of time. Reactive response means the organization has already suffered some form of impact from the breach, which is no basis for a sustainable security infrastructure. Simply securing endpoints and putting up firewalls is not enough, as zero-day threats can slip under the radar and compromise a system before an endpoint solution detects them.

That’s why a proactive defense is the best way to respond to potential cyber risks. Organizations should be actively searching for threats, identifying vulnerabilities, monitoring risks, and responding quickly once a potential attack or risk has been identified. A proactive cyber defense structure should combine real-time risk monitoring with threat hunting and effective threat response. However, conventional technologies such as security information and event management (SIEM) and extended detection and response (XDR) are often missing these key elements.

These solutions can provide data about threats and security investigations, but that data requires human intervention to be interpreted. More specifically, organizations need to recruit highly skilled analysts to interpret the output of these conventional security technologies and act on it. Such people are not always available due to the ongoing skills shortage, even though the situation has improved of late. Moreover, conventional solutions like SIEM and XDR demand significant organizational resources to implement, including extensive time, knowledge, and effort from the security teams. Even after a successful implementation, organizations must continually train their security teams to maintain and configure the new systems.

Engaging MDR services can solve all these issues by building on XDR, SIEM, and other existing security solutions. Efficient MDR providers have a pool of skilled staff who can provide high-quality threat intelligence and round-the-clock risk monitoring. MDR allows organizations to free up their resources, reduce the burden on in-house security teams, and receive proactive support from experienced professionals who can get the most out of existing security tools.

Key considerations when choosing an MDR vendor

While most MDR vendors offer a similar range of services, their detection and threat hunting methods differ substantially. Security leaders should look for vendors that provide human-led threat hunting and investigations, along with 24/7 monitoring and real-time analysis. MDR providers must have the expertise and capabilities to take remote action immediately after a threat is detected.

Providers must be able to go beyond the endpoint, meaning that MDR should collect forensic data from the network, cloud, email, and other parts of the IT infrastructure. Threat intelligence is a critical part of effective MDR services, so it is important to choose a supplier with its own research department and the expertise to draw on external intelligence. This allows organizations to stay a step ahead of their adversaries.

When choosing a provider, organizations must also understand how it conducts research and obtains threat intelligence. Can the provider monitor the dark web, reverse engineer malware, conduct behavioral analysis of threat actors, and achieve deep visibility into open-source intelligence (OSINT) sources? These questions should guide the choice of MDR vendor.

As previously emphasized, a vendor’s experience is critical. MDR providers are not just security suppliers to an organization; they are security partners. They must have a proven track record of delivering proactive responses to cyber threats in an organizational or enterprise environment. Finally, the provider’s culture should align with the organization’s culture to enable a sustainable, long-term partnership.

If the MDR services engaged are not aligned with the business’ needs and operations, they can have an adverse impact on financial and security resources. That’s why businesses should weigh the points discussed above when choosing an MDR vendor, as they will guide them towards a security investment that pays off both now and in the future.

A security investment becomes sustainable when it helps bolster the business’ overall resilience. Choosing the right MDR vendor can help businesses achieve security sustainability and stronger cyber resilience. An efficient MDR vendor becomes a strategic partner of the business and helps the company build a security infrastructure that is always ready to detect and deter both internal and external threats. Effective MDR partners do not just improve a company’s security capability; they also shape its decision-making process and provide strategic guidance for improving its overall security posture.
