The cyber threat environment has never been more active. In Australia, we are seeing more targeted attacks by an increasingly diverse and determined group of threat actors. At the time of writing this article there are at least five well-known Australian companies making headlines for data breaches or cyber-related compromises.
Now, more than ever, organisations need to forge partnerships to protect themselves against these threats. Selecting the right security partner is a big decision. If mitigating cyber risk is your end goal – and it should be – choosing the right Managed Detection and Response partner is the critical element to any comprehensive approach to cyber security.
Traditional Security Operations Centre (SOC) services are no longer enough to proactively detect a cyber event. Organisations of today know this; they have learnt it the hard way. The organisations of tomorrow will look to build an active defence capability that is underpinned by specialist Managed Detection and Response (MDR) providers to fight their adversaries.
If you are a Chief Information Security Officer looking to uplift your active defence capability, what do you need to know, and what do you need to be asking when out in market? Here are our top three questions to get you started.
1. HOW DO YOU RESPOND TO A CYBER EVENT?
Traditional MDR services focused on building elaborate alerting engines that pushed highly technical detection information back to the customer in the form of a ‘service ticket’.
Those alerts provided little context about the customer’s business environment, and the burden of solving the underlying security issue fell to an already stretched security and IT team. Put simply, they added little value in helping customers respond when they needed it most.
A good MDR provider is as invested in your security wellbeing as you are, and that means having skin in the response game. They extend traditional detection offerings by empowering analysts to use the security technologies already in your environment to take a response action. These actions can include device isolation, network isolation, address blocking, and search and purge. This can be the difference between an adversary gaining initial access to one host and establishing persistence across your environment. Work with your MDR provider to develop mutual playbooks that accelerate a SOC analyst’s ability to help you when you need it most, enabling them to take actions that have been pre-agreed based on your organisational context. A traditional MDR provider calling to tell you that you have been hacked is bad news; a good MDR provider calling to tell you they have isolated a threat in your network is much better news.
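The pre-agreed playbook idea above can be expressed as policy-as-code, so that an analyst’s containment action is bounded by context the customer supplied in advance. The following is an added illustration, not code from the original article or from any provider: the asset tiers, confidence thresholds, inventory entries and the reading of ‘search and purge’ as mailbox purge are all assumptions chosen for the example.

```python
"""Pre-agreed containment playbook expressed as code (added example).

Assumptions, not taken from the article: asset tiers, the confidence
thresholds, the sample inventory, and treating 'search and purge' as a
mailbox purge action. A real playbook is negotiated with the customer.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    ISOLATE_HOST = "isolate_host"              # EDR network isolation of the endpoint
    BLOCK_ADDRESS = "block_address"            # block an external address at the perimeter
    SEARCH_AND_PURGE = "search_and_purge"      # assumed: purge a message from all mailboxes
    ESCALATE_TO_CUSTOMER = "escalate"          # call the customer; no automated action


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    confidence: int                            # detection confidence, 0-100
    indicator: Optional[str] = None            # external address involved, if any
    email_message_id: Optional[str] = None     # phishing message involved, if any


@dataclass(frozen=True)
class AssetContext:
    tier: str                                  # assumed tiers: workstation/server/crown_jewel
    auto_isolate_allowed: bool                 # pre-agreed with the customer


@dataclass
class Decision:
    actions: List[Action] = field(default_factory=list)
    requires_approval: bool = False
    reason: str = ""


# Constructed organisational context the customer supplies up front.
ASSET_INVENTORY: Dict[str, AssetContext] = {
    "WS-FINANCE-07": AssetContext(tier="workstation", auto_isolate_allowed=True),
    "APP-PAYROLL-01": AssetContext(tier="server", auto_isolate_allowed=True),
    "DC-01": AssetContext(tier="crown_jewel", auto_isolate_allowed=False),
}

# Assumed thresholds agreed in the playbook.
AUTO_ISOLATE_MIN_CONFIDENCE = 80
BLOCK_ADDRESS_MIN_CONFIDENCE = 60


def decide(alert: Alert, inventory: Dict[str, AssetContext] = ASSET_INVENTORY) -> Decision:
    """Map an alert plus asset context to the actions the analyst may take now."""
    d = Decision()
    ctx = inventory.get(alert.host)
    if ctx is None:
        # Unknown asset: nothing was pre-agreed, so only escalate.
        d.actions.append(Action.ESCALATE_TO_CUSTOMER)
        d.requires_approval = True
        d.reason = "host not in inventory; no pre-agreed action"
        return d

    if alert.confidence >= AUTO_ISOLATE_MIN_CONFIDENCE:
        if ctx.auto_isolate_allowed:
            d.actions.append(Action.ISOLATE_HOST)
            d.reason = f"{ctx.tier} asset: isolation pre-agreed"
        else:
            # Crown-jewel assets are never isolated without a human on the customer side.
            d.actions.append(Action.ESCALATE_TO_CUSTOMER)
            d.requires_approval = True
            d.reason = f"{ctx.tier} asset: isolation needs customer approval"
    else:
        d.actions.append(Action.ESCALATE_TO_CUSTOMER)
        d.reason = "confidence below auto-isolation threshold"

    # Perimeter and mailbox actions are lower impact and pre-agreed at a lower bar.
    if alert.indicator and alert.confidence >= BLOCK_ADDRESS_MIN_CONFIDENCE:
        d.actions.append(Action.BLOCK_ADDRESS)
    if alert.email_message_id:
        d.actions.append(Action.SEARCH_AND_PURGE)
    return d


if __name__ == "__main__":
    for a in (Alert("A1", "WS-FINANCE-07", 92, indicator="203.0.113.10"),
              Alert("A2", "DC-01", 95),
              Alert("A3", "WS-FINANCE-07", 50, indicator="203.0.113.10"),
              Alert("A4", "UNKNOWN-HOST", 99, email_message_id="<msg-1@example.invalid>")):
        print(a.alert_id, decide(a))
```

The point of the structure is that the provider’s analyst never has to guess what you would tolerate: the workstation is isolated immediately, the domain controller triggers a phone call, and an unknown host gets nothing automated until someone on your side has spoken up.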
An organisation well versed in incident response, with a detailed history of assisting organisations through large and complex containment and eradication events, can be your biggest asset when things do go wrong. Protective controls will fail. Digital Forensics and Incident Response (DFIR) services are a must in helping you respond to, and recover from, a cyber-attack.
2. HOW DO YOU CONDUCT THREAT INTELLIGENCE AND THREAT HUNTING?
MDR services are informed by external, curated threat intelligence and augmented by specialist threat hunters. Many providers implement a threat intelligence capability that focuses on fear mongering, and deliver their hunting capability with automated scripts that are neither context driven nor curated for the customer. This leaves a low-value capability for the customer and a tick-box exercise for the provider. We see threat intelligence and threat hunting as a systematic, routine and hypothesis-based service: curated information, relevant to you and your industry vertical, is turned into hypotheses that are then hunted for within your environment. It applies a security-in-context approach to give you a snapshot of the active adversaries likely to target your organisation, and overlays this with visibility into your susceptibility to their techniques. A good MDR service is backed and guided by a strong Threat Intelligence and Threat Hunting capability that gives you insight into what the specialist threat hunters have done in your environment, along with regular reporting on opportunities to improve your security posture against the threats that are relevant to you.
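To make the hypothesis-based hunt concrete, here is an added example (not code from the article or any provider) that takes a small set of curated indicators, pairs them with a behavioural hypothesis drawn from the sector’s typical initial-access tradecraft, and runs both over constructed endpoint events. The indicator values, the hypothesis and every event record are made up for illustration.

```python
"""Hypothesis-driven threat hunt over constructed endpoint events (added example).

Nothing here is real intelligence: the domains, hash and events are
constructed placeholders so the hunt can run offline.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Curated intel assumed to be relevant to this customer's vertical.
CURATED_INTEL: Dict[str, Set[str]] = {
    "domains": {"update-check.example.net", "cdn-assets.example.org"},
    "sha256": {"c0ffee00" * 8},            # constructed placeholder hash
}

# Constructed sample process/network events.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"host": "WS-01", "user": "alice", "process": "winword.exe", "parent": "explorer.exe",
     "dest": None, "sha256": "aa" * 32},
    {"host": "WS-01", "user": "alice", "process": "powershell.exe", "parent": "winword.exe",
     "dest": "update-check.example.net", "sha256": "bb" * 32},
    {"host": "WS-02", "user": "bob", "process": "chrome.exe", "parent": "explorer.exe",
     "dest": "cdn-assets.example.org", "sha256": "cc" * 32},
    {"host": "SRV-01", "user": "svc_backup", "process": "powershell.exe", "parent": "services.exe",
     "dest": None, "sha256": "dd" * 32},
    {"host": "WS-03", "user": "carol", "process": "outlook.exe", "parent": "explorer.exe",
     "dest": None, "sha256": "ee" * 32},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

Finding = Tuple[str, str, str]   # (host, hypothesis, detail)


def hunt_indicators(events, intel) -> List[Finding]:
    """Hypothesis 1: an indicator from curated intel was contacted or executed."""
    hits: List[Finding] = []
    for e in events:
        if e["dest"] in intel["domains"]:
            hits.append((e["host"], "intel_domain", str(e["dest"])))
        if e["sha256"] in intel["sha256"]:
            hits.append((e["host"], "intel_hash", str(e["sha256"])))
    return hits


def hunt_office_spawning_script(events) -> List[Finding]:
    """Hypothesis 2 (behavioural, no indicator needed): an Office application
    spawned a script host, the initial-access pattern assumed for this sector."""
    return [(str(e["host"]), "office_spawns_script", f'{e["parent"]}>{e["process"]}')
            for e in events
            if e["parent"] in OFFICE_APPS and e["process"] in SCRIPT_HOSTS]


def run_hunt(events, intel) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Run every hypothesis and rank hosts by the number of distinct findings,
    which is what the hunter reports back to the customer."""
    findings = hunt_indicators(events, intel) + hunt_office_spawning_script(events)
    per_host: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for host, kind, detail in findings:
        per_host[host].add((kind, detail))
    ranked = sorted(per_host.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(host, sorted(f)) for host, f in ranked]


if __name__ == "__main__":
    for host, findings in run_hunt(SAMPLE_EVENTS, CURATED_INTEL):
        print(host, findings)
```

The behavioural hypothesis is what separates this from a script that greps for indicators: WS-01 surfaces both because it contacted a known domain and because Word spawned PowerShell, and it would still surface on the second hypothesis alone once the adversary rotates infrastructure.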
3. SHOULD YOU CHOOSE VENDOR CONSOLIDATION OR A SPECIALIST CAPABILITY?
Many IT leaders are looking to consolidate their vendor landscape to improve vendor management and achieve cost-benefits from scale. Consolidation sounds simple, and therefore, appealing.
Australian organisations need a specialist capability to accurately detect sophisticated cyber threats. While a broad-based MSSP partner can deliver a wide range of IT services, you will find yourself working harder to have them deliver on detection, containment and response during a cyber event. This is because the persona of a SOC Analyst or Incident Responder is vastly different from that of an IT engineer. These individuals have spent their careers honing their craft to identify anomalies in your environment. Additionally, the work itself compounds in value: you want to partner with the organisation whose people are constantly monitoring multiple environments and bringing back lessons about detecting events. You don’t want to partner with the organisation whose cyber security analysts are distracted by wider IT service requests. Organisations such as those simply don’t have the right mix of people with the depth of skills needed to detect and respond to sophisticated attacks. At the end of the day, MDR is a human-driven service.
Security operating models have worked significantly better where an IT or security leader has built a vendor environment with interplay between the IT team, the MSSP and the MDR provider. This creates a symbiotic relationship in which the IT team manages the outcome, the MSSP implements it, and the MDR provider checks that it was achieved.
OUR FINAL PIECE OF ADVICE: GOOD MDR PROVIDERS OFTEN SAY NO.
Like many things, your logging and monitoring capability is subject to the law of diminishing returns. Traditionally, the focus was on building bloated Security Information and Event Management (SIEM) systems that logged everything. Now we know this approach is not helpful. First, the cost of logging everything in modern consumption-based SIEM platforms is huge. Second, focusing on high-fidelity information from your environment saves analyst time that would otherwise be spent wading through an ocean of logs. This is time that an analyst can use to save your organisation from a major attack.
Good MDR providers are trusted security specialists. They are well versed at advising their clients on which log sources are best for building accurate detections based on well-known security frameworks. More than that, they are able to categorise sources in your environment by security or operational outcome and can design a well-balanced, cost-effective logging architecture that still meets the security outcomes. When going out to market for security services, consider asking respondents for their recommended approach to detection and response based on your environment’s variables rather than dictating which sources should be included. This will set the good responses apart from the great ones.
Ultimately, you need a security partner that says no, and is prepared to push back to put you on the correct security path. You also need to partner with a provider who can leverage their collective experience to advise you on balanced security outcomes – taking into consideration cost and the business operations.