For cybersecurity professionals, 2021 has been an eventful year from start to finish. After opening with a massive effort to address the effects of the SolarWinds attack, the U.S. grappled with attacks that targeted fuel, food, and healthcare industries. While the effects of these attacks created significant shortages and delays throughout the country, a sobering realization has come to light. With the right opportunity and a highly sophisticated attack, the effects of a major cyberattack could be catastrophic. Alongside the growth of remote work and IoT devices comes the growth of the cyberthreat and cybersecurity landscape. This makes cybersecurity a top priority for many businesses and organizations across all industries. In the search for a complete solution, Managed Detection and Response (MDR) has come to the forefront of the cybersecurity conversation.
MDR provides businesses and organizations with customized services that allow organizations to rapidly detect threats, analyze the danger, investigate the damage, and respond to contain and mitigate the threat. This is accomplished through the use of a predefined technology stack and ongoing assistance from cybersecurity professionals in an off-site security operations center (SOC).
Not surprisingly, the need for MDR services ignites a variety of solutions from various companies with different ideas about what the service entails. To help cut through the noise and confusion associated with MDR, we've compiled this guide of essentials a true MDR solution should include.
MDR Characteristics Defined
Managed detection and response is defined by Gartner as services provided by a remotely delivered modern security center with functions that allow organizations to rapidly detect, analyze, investigate, and actively respond to cybersecurity threats. Providers offer a turnkey experience using a predefined technology stack to collect relevant logs, data, and contextual information, a range of analysis techniques, and investigation by experts.
The definition provided by Gartner gives us an outline of certain elements that must be present for service providers to classify services as MDR.
- Remote Security Center: MDR services are provided by a third-party MSSP. These offerings are tailored to your organization and installed by the provider. Ongoing assistance is offered by communication with off-site security professionals.
- Detection: Complete network visibility and log collection are supplied through up-to-date security tools designed to detect abnormal behavior likely to indicate a threat.
- Analysis: A combination of automated actions and human analysis is used to triage threats and understand their severity.
- Investigation: Even as the threat is being contained, an investigation is launched to determine the depth of the breach and vulnerabilities that need to be addressed.
- Response: A combination of automation and human response is used to ensure the threat is contained and mitigated to avoid further damage.
- Turnkey Experience: Your provider installs and deploys specific tools that together provide a complete cybersecurity solution tailored to your organization.
- Technology: Specific technologies and tools are used to collect logs and data, provide analysis, and complete an investigation into potential threats and active attacks.
Tools to Achieve MDR Requirements
Your MDR provider will use a predefined technology stack exclusively designed by the company or curated from existing solutions. While these tools vary from one provider to the next, they're likely to include some combination of the following.
- Network Traffic Analysis
- User Entity Behavior Analytics (UEBA)
- Asset Discovery
- Vulnerability Management
- Intrusion Detection
- Cloud Vulnerability
Essential Pieces for Effective Managed Detection and Response
While the definition of MDR provides an outline to ensure companies and organizations are getting specific tools to maintain a healthy cybersecurity posture, there are many ways each portion of MDR can be interpreted. This can make it difficult for businesses to determine exactly what they need for a comprehensive MDR solution. To protect your entire network from devices to endpoints and remote workers, your MDR solution should include these essential components.
MDR with Log Management: SIEM
Complete visibility into your network is key to protecting the data that is handled and stored by your organization. Security Information and Event Management (SIEM) forms a complete picture of network activity from logs on all the components, applies advanced analytics to this information, and alerts designated professionals about potential threats and attacks.
Whether your organization is a start-up with a small network composed of only a few devices, or you run a major enterprise with thousands of working parts, your network generates countless activities from every user each day. This amount of information is impossible for humans to manually categorize and digest in real time. SIEM log management systems automatically categorize and apply context to huge amounts of data so it can be easily analyzed for typical behavior and abnormalities that could indicate a threat. This information is made visible to your internal IT team and external SOC through the use of easy-to-use dashboards that provide continuous, complete visibility into the actions of all devices connected to your network.
Upon installation, your SIEM software must be optimized to work effectively within your network in a way that addresses relevant threats and helps avoid false alerts. SIEM is a complex cybersecurity tool that can become useless (or even a stumbling block) without proper preparation and implementation. For a SIEM system to work properly, it must be customized to your network. This means cybersecurity professionals teach the system to recognize relevant threats by taking these actions.
- Identification of crucial information and data sources within the network
- Education for staff and network users on best practices
- Determination of critical data to protect
- Establishment of the types of data that should be collected
- Test runs to provide feedback about the context of threats
- A schedule for additional growth with your network and technology changes
With an effective setup of your SIEM solution, you can achieve a powerful launch point for complete protection with comprehensive MDR. Your SIEM system should provide log collection and data interpretation, recognition of suspicious activity, automated alerts, visibility through dashboards, simplification of compliance requirements, and elimination of cumbersome manual tasks.
MDR with Endpoint Detection and Response
A network is only as secure as its weakest endpoint. The endpoints in your network include every device that is connected to the network. Every device that communicates with your network presents a risk. For most organizations, this includes computers, tablets, laptops, IoT devices, servers, workstations, and cloud-based tools and services.
Sophisticated cyberattacks rarely target the most vital data within a network. Instead, they begin at the most vulnerable point and move laterally through the system to access critical information. As Industry 4.0 brings about a variety of new ways for machines and people to communicate remotely, threat actors recognize these new advances as potential vulnerabilities. Endpoint detection and response (EDR) works to address these vulnerabilities through the use of data analytics to identify potential endpoint threats before they occur, block malicious activity, and offer remediation suggestions.
Similar to the way SIEM collects and parses data for your network, EDR logs data from endpoint activity and sends alerts when abnormal behavior is detected. EDR is sometimes offered by MDR providers as a single tool, or it may be included with other services. For instance, Securonix SIEM utilized by Bitlyft automatically includes EDR within the SIEM system for complete visibility into the entire network. Whether it's a separate tool or incorporated into other services, EDR must provide these capabilities.
- Detection of security incidents
- Endpoint containment of the incident
- Security incident investigation
- Remediation guidance
Endpoints are widely regarded as vulnerabilities because they are often mass-produced with a generic default password that can be easily hacked if a business or organization fails to assign new, stronger passwords for each device. The growth of remote work also raises added concerns about the protection of mobile devices and other tools that could be used by criminals to access a network without raising alerts. EDR is designed to protect the entire network through continuous visibility of the activities logged on any and all endpoint devices connected to your network. When threats are detected, automated alerts are sent out to designated professionals and automated response activity works to contain the threat within the endpoint, so access to the network is never achieved.
MDR with AI for Proactive Threat Protection (UEBA From Securonix)
Advanced persistent threats and zero-day attacks make it essential to protect against attacks before they occur. In the past, cybersecurity was reactive. While software that reacts to an active threat is vital, today's sophisticated attacks illustrate the need for a proactive approach as well. An important part of effective MDR services is the ability to customize software and tools to recognize relevant threats to your unique network and provide specific reactions to certain threats. To accomplish this, your MDR tools must have the capability to recognize normal behavior and create alerts for behaviors that fall outside of the spectrum of normal.
User entity behavior analytics (UEBA) uses the power of machine learning and artificial intelligence to create a baseline of behavioral patterns within your network and uncover anomalous activity while minimizing false alerts. This is accomplished through the use of powerful machine learning algorithms that analyze interactions among users, systems, apps, IP addresses, and data to establish a baseline of typical behavior. By building a complete profile of every entity in the network, analysis of events includes the context of the data derived from the baseline, making threats more clear. UEBA is especially effective when addressing threats introduced to cloud services and the identification of insider threats. The combination of these actions provides insight into complex threats and covert attacks that map to both the MITRE ATT&CK and US-CERT frameworks.
UEBA is an important key to proper customization of your MDR services for complete protection without facing alert fatigue. Some MDR providers offer UEBA as an add-on or part of an MDR package. Securonix SIEM includes built-in UEBA that works in conjunction with log collection and automated alerts. UEBA combines user analytics and the knowledge of existing threats to provide proactive responses to known threats before they can damage your system. Bitlyft takes UEBA in MDR one step further with the addition of central threat intelligence (CTI) to utilize threat information from all users and clients on our platform (as well as outside sources) to create herd immunity against attacks that haven't yet targeted your organization.
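The SIEM and UEBA sections above describe two steps: normalizing raw log lines into context fields, then learning a per-entity baseline and flagging events that deviate from it. The following is an added illustration of both steps over constructed SSH login lines; it is not Bitlyft or Securonix code, and the log format, the +/-2 hour window and the two-deviation alert threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed "<ts> <host> sshd: <result> login user=<u> from=<ip>" format.
BASELINE_LOGS = """\
2021-11-01T09:02:11 web01 sshd: accepted login user=alice from=10.0.1.20
2021-11-02T10:13:40 web02 sshd: accepted login user=alice from=10.0.1.20
2021-11-02T08:51:07 db01 sshd: accepted login user=bob from=10.0.2.5
2021-11-03T17:20:19 db01 sshd: accepted login user=bob from=10.0.2.5
""".splitlines()
NEW_LOGS = """\
2021-11-06T03:14:55 db01 sshd: accepted login user=alice from=203.0.113.9
2021-11-06T10:30:00 web01 sshd: accepted login user=alice from=10.0.1.20
2021-11-06T11:00:00 db01 sshd: failed login user=bob from=10.0.2.5
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>accepted|failed) login "
                     r"user=(?P<user>\S+) from=(?P<ip>\S+)$")

def parse(line):
    """Normalize one raw line into a dict of context fields (the SIEM categorization step)."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unrecognized line: drop rather than guess
    ev = m.groupdict()
    ev["hour"] = datetime.fromisoformat(ev["ts"]).hour
    return ev

def build_baseline(lines):
    """Per-user profile of hosts, source IPs and login hours seen in the learning window."""
    base = defaultdict(lambda: {"hosts": set(), "ips": set(), "hours": set()})
    for ev in filter(None, map(parse, lines)):
        p = base[ev["user"]]
        p["hosts"].add(ev["host"]); p["ips"].add(ev["ip"]); p["hours"].add(ev["hour"])
    return base

def score(ev, base):
    """Return the ways this event deviates from its user's baseline (empty list = normal)."""
    p = base.get(ev["user"])
    if p is None:
        return ["unknown user"]
    reasons = []
    if ev["host"] not in p["hosts"]:
        reasons.append("new host")
    if ev["ip"] not in p["ips"]:
        reasons.append("new source ip")
    if not any(abs(ev["hour"] - h) <= 2 for h in p["hours"]):  # assumed +/-2h window
        reasons.append("unusual hour")
    return reasons

def detect(baseline_lines, new_lines, min_reasons=2):
    """Alert only when several independent deviations stack up, which limits false alerts."""
    base = build_baseline(baseline_lines)
    alerts = []
    for ev in filter(None, map(parse, new_lines)):
        reasons = score(ev, base)
        if len(reasons) >= min_reasons:
            alerts.append((ev["user"], ev["ts"], reasons))
    return alerts
```

Bob's single off-hours login scores one deviation and stays below the threshold, while Alice's 3 a.m. login to a new host from an outside address stacks three and is alerted; in practice the learning window would be weeks of logs, not four lines.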
MDR With SOAR to Decrease Response Time
How your network responds to a threat is a vital part of the success of your MDR system. Immediate response is the best way to contain a threat and limit the potential damage that could occur. Cyberattacks are carried out by sophisticated hackers who work to remain undetected for as long as possible. For this reason, the most successful attacks are carried out late at night or during weekends and holidays. By carrying out attacks during off-hours, threat actors recognize the potential for a slower response from your cybersecurity team. This is why it's essential for your technology stack to do some of the heavy lifting when it comes to an effective response.
Security Orchestration, Automation, and Response (SOAR) brings together the alerts provided during log collection and the actions that need to be taken to protect your network against threats that arise. While a variety of cybersecurity tools can be automated to offer responses based on suspicious activity, SOAR connects the tools and services together to trigger an appropriate chain of responses. When your SIEM system sends out an alarm, SOAR responds with a series of events that work to define the severity of the threat, contain an active threat to a single endpoint or device, take actions to mitigate damage, and begin actions that repair damage from an attack.
Security orchestration brings together diverse tools and services to create a full picture of your network and the related actions of an attack. Automated responses reduce dwell time and minimize the damage that can be accomplished by sophisticated threats and zero-day attacks. When these responses are tuned to your network, security professionals can enable incident responses that work across multiple levels to correspond with SOC security activities. Bitlyft SOAR Air Modules integrate into major brands, products, and software, providing you with automation capabilities for tools you're already using to exponentially increase the speed and efficiency of our security team.
MDR and Network Monitoring for Complete Visibility
You can't defend your network against threats you can't see. Network visibility is a blanket term that describes your knowledge of the data circulating throughout your network. This visibility is achieved through the monitoring and analysis of traffic with a combination of tools and human interaction. Whether you refer to the activity as network monitoring or network traffic analysis (NTA), your MDR system must be capable of monitoring all traffic throughout your network and providing digestible information that can be viewed by your staff and off-site SOC team.
Network visibility provides security experts with the ability to parse and track relevant data in ways that make threats easier to see and completely eliminate. Gaps in visibility leave places where malware can remain undetected and later reestablish a foothold to continue an attack. This is especially concerning in light of the exponential growth of ransomware attacks. Nearly 500 million ransomware attacks were reported by the end of September, and the banking industry alone saw ransomware attacks increase by more than 1,300% in 2021. The Colonial Pipeline attack and the ransomware attack on meat processing company JBS foods highlighted the dangers of attacks on critical infrastructure and supply chains, reminding businesses of the crucial impact of limited visibility.
Network visibility is accomplished by collecting raw data and converting it into a usable form to provide information that explains:
- The type and purpose of data
- Where data is coming from and going
- Authorization, or the lack of it
- The quantity of data
Along with tracking normal behavior and providing alerts when suspicious behavior occurs, network traffic analysis provides an inventory of devices, servers, and services running on the network and generates network activity reports for management and auditors. Complete visibility also helps cybersecurity professionals identify unauthorized use and troubleshoot network issues. When these activities are displayed on user-friendly dashboards, it's easy to see what types of activity are occurring in your network.
MDR with Expert Level Analysts
There's no doubt that automation plays a vital part in log collection, alerts, responses, and even remediation. Yet, even the most advanced technology can't replace human expertise in cybersecurity. The main component that separates MDR from other cybersecurity tools is the fact that it's an ongoing service that includes 24/7 assistance from cybersecurity professionals. Machine learning and technology growth aren't possible without the innovation of cybersecurity professionals who continue to investigate and remediate new threats as they arise. More importantly, software and technology can't anticipate human behavior and react in ways that depend on human interaction.
The off-site SOC is one of the most important pieces of your MDR puzzle. This team can provide the right level of interaction with your existing security personnel to create around-the-clock supervision for your entire network. Most organizations can't afford to hire a full on-premise SOC team. Those that can may have trouble finding cybersecurity experts to fill the roles due to a talent shortage in the industry. Expert-level analysts who work as a part of your MDR solution may provide any or all of these services for your organization.
- Installation and optimization of software and tools
- Testing to reduce false alarms and ensure the system is working properly
- Routine communications about your cybersecurity posture and how your current solution is working
- 24/7 monitoring of your network to identify threats while your team sleeps, eats, and vacations
- Application of software updates and patches
- Emergency response to real threats and attacks
- Investigation of breaches and closure of vulnerabilities
- Decisions based on facts about a company's inner workings
- Active threat hunting to uncover new risks and advanced persistent threats
Expert-level analysts act as an extension of your team to provide ongoing communication about your cybersecurity posture and all the elements of your network security solution. When a threat does arise, these individuals provide emergency responses in the form of incident triage and investigation, remote remediation methods, incident reporting, and continued investigation. Security analysts use existing threats to identify new threats and eliminate vulnerabilities in your security software. These professionals understand the fundamentals of MDR and how to apply them in ways that are relevant to your unique network.
Finding a Complete MDR Solution
In the face of rising cybersecurity concerns, any MDR solution can look like a life raft on a sinking vessel. However, services that don't meet the needs of your organization can lull you into a false sense of security, making your company more susceptible to threats. By learning more about the necessary components of MDR, you can make an informed decision about finding a provider that meets your needs.
MDR stands apart from other cybersecurity tools because it's an ongoing set of services that is customizable to your organization's unique network. This means you can choose the services you need for a complete 24/7 cybersecurity solution, whether you have an on-premise SOC or limited security personnel. Before comparing service providers, take into consideration your current cybersecurity posture and your security goals for the future. Determine the responsibilities you want to maintain in-house vs those you'd prefer your provider to take care of.
MDR from Bitlyft is a single turnkey solution for managed detection and response that goes above and beyond traditional MDR services. With a complete technology stack designed to offer complete visibility into your network, lightning-fast automated responses, and central threat intelligence to provide automatic immunity to existing threats, we take your security to the next level. By providing our customers with direct access to the dedicated cybersecurity team that knows your environment, technology, and unique organizational goals, you get the same professional services you'd enjoy with an in-house SOC team that works around the clock. To learn more about our complete MDR solution, schedule a demo today.