Managed Detection and Response (MDR) helps organisations identify and respond to threats in a cost-effective manner. Many organisations don’t have enough resources to manage the tools they already have, and installing yet another dashboard on top of them isn’t a realistic option for most. The logical option is to make someone else responsible for being the eyes and ears on the network, looking at the logs and identifying any nefarious activity. This is the basis of MDR, but don’t take our word for it. Gartner introduced this concept at their Security and Risk Management summit in 2014 when they talked about the need for “an adaptive security architecture”.
Why not just buy a SIEM?
The 2017 Cisco Annual Cybersecurity Report noted that security professionals are reasonably confident in the tools they have but are less sure that they are using them effectively. This is particularly true of SIEM solutions.
SIEM brings together Security Information Management (SIM) and Security Event Management (SEM) systems and aims to correlate historical log entries with current events and vice versa. By reviewing logs it should be possible to find out what triggered an event and in what context, which should allow organisations to remediate and prevent future events. The reality is that many SIEM solutions are complicated to set up, need dedicated hardware and/or software, need skilled staff to configure and manage, and take a lot of time to review and refine.
Prevention and protection, external activities, are usually based on the ‘known knowns’ or the ‘known unknowns’, but there are also the ‘unknown unknowns’ and zero-day threats. Dealing with these has traditionally been very difficult, time-consuming and usually expensive. It is nearly impossible to protect against all eventualities unless vast amounts of money and infrastructure are invested. Detection is key.
Our cloud-based MDR service does the hard work by taking the logs and events of various products and technologies, performing look-ups against lists of known and unknown events, and providing near real-time alerting.
Ultimately a breach or incident may occur, and it is how, and how quickly, businesses respond that determines how damaging it is in the long run. Prolonged events tend to have far-reaching consequences, to the extent that companies go out of business.
Response is coordinated by our skilled engineers, who triage an incident, make changes and/or recommendations, and provide actionable intelligence about the incident back to your security teams. It is this actionable piece that adds real value to the business.
The same team perform case management for any incident, breach or test. While this may sound like an insignificant step, it is one that is often overlooked and is where most problems occur, or why there are repeat failures. This is just another part of the ‘response’ element of our MDR service.
The golden bullet?
The Holy Grail for many organisations is having a single pane of glass that shows them their security stance; failing that, ensuring someone else has that level of visibility and can aggregate all your tools into a single dashboard. Our MDR service has a very simple risk-based dashboard that can show open tickets and the status of your environment, and assure you that logs are being sent and received. Beyond that are a number of other screens and reporting options should further information be required. This is supported by regular review meetings where information about events can be discussed.
SIEM vs MDR
This is based on an article, written by David King, that appeared in the British Computer Society magazine and can be read in its entirety here.