Forrester’s recent report ‘NowTech: Managed Detection And Response Services Providers, Q4 2020’ provides an overview of Managed Detection and Response (MDR) vendors and the capabilities that customers expect to receive.
CyberProof was recognized in a segment that Forrester describes as bringing mature threat hunting and having high functionality in threat intelligence, Extended Detection and Response (XDR), available response actions, and on-premises infrastructure investigative methodologies.
This blog post provides a preview of some of our key takeaway points from Forrester’s report, while adding context and recommendations based on what we’re seeing in the market:
1. MDR Services Help You Pivot from Reactive Response to Proactive Threat Hunting
Forrester highlights the common but thorny issue that security teams simply don’t have the bandwidth to be proactive, due to the constant stream of security incidents they need to handle. Adding an MDR service helps establish proactive threat hunting. But what exactly are the primary components of good threat hunting?
Know What You are Hunting For
The different use cases for threat hunting must be defined based on an organization’s maturity and requirements. For example, these could include:
- Investigation of known threats – You may want to take advantage of the large volumes of IOC feeds, generated by your threat intelligence platform, to search for known threats.
- IR investigation – If you recently experienced an incident – or if you received technical intelligence reports about a targeted attack – you may need to identify associated Tactics, Techniques and Procedures (TTPs) and ascertain that the rest of your network has not been breached.
- Continuous behavior analysis – Let’s say your business is under constant threat and requires a dedicated team to continuously search for evidence of infection. This requires an ability to leverage the massive amounts of data available – from your network, hosts, security logs, cloud, insiders, etc. – in order to spot anomalies in baseline behavior, throughout your enterprise.
Hunt within the Context of Your Adversaries’ TTPs
Because attackers’ tactics and techniques change daily, your attack surface changes rapidly too. In addition to leveraging the MITRE ATT&CK matrix, a threat hunting team should utilize threat intelligence gathered from clear, deep and dark web sources. To help you stay ahead, the threat hunting team should work with the monitoring and incident response personnel to turn hunt results into new detection rules in a timely fashion.
Ensure Depth and Breadth of Data Visibility
Threat hunting is crucial in providing visibility into threats that may have bypassed an organization’s perimeter controls. It allows you to leverage both security and non-security related information, and to supplement wide coverage with more in-depth investigation. But this visibility can be overwhelming.
Tools such as Endpoint Detection and Response (EDR), for example, collect huge amounts of endpoint activity data covering processes, operating system activities, registry keys, memory activity, command lines and more – and this data needs to be analyzed and put into the context of an incident.
If your organization’s in-house team does not have the experience or contextual insights, you can augment their capabilities with an outsourced team that gives immediate access to that knowledge.
2. Expect XDR by Default – With Qualified MDR Providers
In the report, Forrester notes that the quality of MDR services depends on their ability to incorporate extended detection and response (XDR) visibility from endpoint, network, and security log data. But let’s take a step back, and explore why this is so important.
Endpoints are a Common Target
Increasingly, cyber attacks target endpoints to compromise users, and to directly access other systems such as cloud workloads, applications, critical databases in the network and even IoT environments.
The endpoint is a node in the extended network that deserves focus; but other telemetry must be collected and correlated against it as well, in order to fully understand attacker behavior and identify whether other areas are infected.
This is crucial because of how today’s advanced attackers steal data. Attackers are patient – often relying on changes in permissions or new vulnerabilities that allow them to move throughout the network as legitimate users. MDR services seek to use extended visibility to pick up on these threats and counter them with timely containment and remediation.
But XDR isn’t just about the analysis – it’s also about the scalability of data collection.
Adopt a Smart Approach to Data Collection and Analysis
In assessing MDR providers, it’s important to evaluate how they collect and analyze data at scale – particularly for large organizations.
For example, at CyberProof, we use our own Log Collection platform to parse, tag and normalize all data before it enters our cloud data lake, which is deployed in region and can ingest terabytes of data. This ultimately saves time and money, especially when you need to comply with regional data regulations, ingest logs into multiple SIEM or EDR tenants, or migrate from on-premises to cloud-native platforms.
CyberProof’s smart virtual analyst, SeeMo, automatically pulls data from multiple sources at scale – covering network, endpoint, cloud and ICS/OT data – and enriches the alerts with vulnerability, threat intelligence, host and user information. We call these “smart alerts.” This not only leads to faster response times from our Level 2 analysts but also helps the Threat Hunting team by providing more context, so that they can proactively search for advanced threats.
3. View MDR with a Big ‘R’
Perhaps it goes without saying that effective detection is only half the battle in reducing dwell time. Responding correctly – and in a timely manner – is often the most difficult activity for organizations. This is due to the coordination needed between various teams, and a lack of understanding of the risk to the business that is inherent in taking a potentially disruptive remediation action (such as disconnecting a critical server).
Responses Should be Comprehensive and Timely
Forrester notes in its report that MDR providers should offer comprehensive response actions that leverage existing infrastructure. The ability to offer a variety of response actions is indeed important, as each incident is unique. But it’s not just the type of response action that will lead to reduced impact – it is also the timing of the response. The reason that teams often find both components difficult is threefold:
- Lack of documented playbooks that cover every incident scenario
- No clarity about who is responsible for containing and remediating an incident
- Not enough expertise to carry out deeper investigations
Optimize Remediation Processes
At CyberProof, we’ve developed an agile methodology called a Use Case Factory. The Use Case Factory enables us to continuously and quickly deploy and optimize detection rules, customized response playbooks, integrations and automations on behalf of each customer, based on the most likely attack scenarios facing their business.
Use cases are developed in line with the customer’s incident response procedures and risk appetite. Responsibilities are clearly defined, and the use cases are easily accessible through our Use Case Library. Depending on the type of attack scenario, responses can include anything from policy enforcements and containments to forensic investigations and remote process kill.
Customers can use the real-time chat functionality in our service delivery platform to ask for support from our analysts for remediation efforts, help analyze specific strains of malware, or carry out tailored investigations – in what we refer to as “Collaborative Response.”
Organizations seeking MDR services should evaluate not only the provider’s ability to deliver proactive threat hunting based on their needs, but also its approach to gaining both depth and breadth of visibility. They should also appreciate the importance of the provider’s data collection and analysis capabilities with regard to extended detection and response, and seek providers who can demonstrate comprehensive response options.
This post summarizes some of our key takeaways from Forrester’s report, though we’ve also added some further context based on what we believe is important for security leaders to know – and our own recommendations reflecting what we’re seeing in the market.