What Is Managed Detection and Response and How Can It Help Me?
When you plan to outsource data security, you find yourself wandering in a maze of buzzwords. Managed Security Services (MSS). Managed Detection and Response (MDR). Security Information and Event Management (SIEM). Security Orchestration, Automation, and Response (SOAR). What do they all mean? How are they different?
Like any terminology, these terms have evolved over time, and what one provider offers under a name isn’t always the same as other services with the same label. What is called MDR could be simple monitoring or a comprehe
nsive service. BitLyft’s Automated Incident Response platform is more than just MDR. It takes the concept to its highest level and adds the skills and experience of a world-class Security Operations Center.
What is MDR?
With MDR, we can point at a definite point of origin and definition for the name. Gartner coined the term in 2016 and gave a definition:
Managed detection and response (MDR) providers deliver 24/7 threat monitoring, detection and lightweight response services to customers leveraging a combination of technologies deployed at the host and network layers, advanced analytics, threat intelligence, and human expertise in incident investigation and response. MDR providers undertake incident validation, and can offer remote response services, such as threat containment, and support in bringing a customer’s environment back to some form of “known good.”
That’s a lot of detail. Let’s look at it a piece at a time, to understand where it fits into a security strategy.
Managed Detection and Response providers. The first thing to notice is that Gartner doesn’t define MDR, but “MDR provider.” That’s because it is a service, not a technology. MDR is delivered by a managed security services provider (MSSP). Its purpose is to find threats quickly so they won’t linger on the customer’s machines and cause ongoing damage. It encompasses a range of technologies, and its human side is essential to effective protection.
Host and network layer technology. The terminology is a little odd here. “Host layer” isn’t a standard term, but in practice it means anything from the OSI transport layer up to the application layer. The technology that MDR uses covers TCP/IP connections, session management, data formats, and application-specific functions.
Threat monitoring and detection. MDR monitoring may come from software installed by the provider or a dedicated monitoring appliance. Increasingly, though, it uses cloud services. It scans traffic for attempts to penetrate security as well as signs of successful intrusion. Malicious probing is a constant fact of life, but if an effort is persistent or shows any signs of success, it needs to be addressed. A successful penetration tries to exfiltrate data or download more malware, and monitoring can detect its presence.
At one time, the main method of threat detection was the matching of “signatures,” bit patterns associated with specific malware. Today there are too many kinds of malware to keep up with their signatures, and they mutate to avoid being detected that way. Modern detection uses “advanced analytics” to look for behavioral patterns.
Lightweight response services. When Gartner coined the definition, MDR may have been light on the response side, but that has changed considerably. While some services focus primarily on the detection side, the best of them include automated remediation and offer on-call incident response to remove malware and cut intrusions short.
Threat intelligence. New threats constantly appear on the Internet. MDR relies on threat intelligence repositories to keep up with them. An MDR service stays up to date so it can handle the very newest threats.
Human expertise. Managed Detection and Response tools are only part of the story. Security analysts look at the reports and decide what action to take. Some reports indicate critical issues that require an immediate remedy, possibly including taking systems down. Others need dealing with but are less urgent. Some are false alarms requiring no action. The effectiveness of MDR is highly dependent on the skill and judgment of the team handling the reports. It works best when a security operations center (SOC) with highly qualified analysts stands behind it.
“Known good” state restoration. An important part of incident response is repairing the damage. This includes removing the malware completely and restoring lost or maliciously altered data. In cases such as ransomware, the damage can be extensive. Quick restoration of data reduces the impact of an attack and lets normal operations resume.
The origins of MDR
The history of threat detection and mitigation is nearly as old as the Internet. A 1980 paper by James Anderson dealt with “How to Use Accounting Audit Files to Detect Unauthorized Access.” At first, businesses had their own IT staff install protection measures, review logs, and deal with malware. They often didn’t have the necessary expertise, so they brought in consultants. The first outsourced services appeared in the late 1990s. These services weren’t much more than remote firewalls.
Outsourced intrusion detection really got going after the 2001 rush to register domains and get onto the Web. The “response” part came later; at first, fixing the damage was a manual, case-by-case task. Specialty companies started selling appliances to monitor incoming and outgoing traffic and issue alerts when something seemed wrong.
The perpetrators in those days committed pranks and simple vandalism. They were dismissively known as “script kiddies.” Fixing the damage they did wasn’t hard, as long as a good backup was available. But as online business grew, serious criminals noticed that there were valuable assets to grab. Businesses didn’t understand the need to protect them, and stealing confidential data could be incredibly easy. An arms race between the people who held data and the people who wanted to take it began.
The stakes really increased with the appearance of APTs — advanced persistent threats. They didn’t just get onto a machine and do damage. They lurked, sending private information or carrying out tasks for their masters for days or even months. APTs included botnet malware, which harnessed the power of millions of computers while their owners didn’t know anything was wrong. They often found out, if at all, only when other systems blocked their IP addresses or their service providers suspended them for spamming.
At this point, malware became a serious concern and cybersecurity became a high priority. Security awareness grew, but the attacks became more devious. Incident response became more urgent and more difficult. Managed service providers and security consultants saw the need for automated defenses supporting expert analysts. The defenses they developed grew into what we know today as MDR.
To be fully effective, MDR has to cover an entire network. The whole attack surface — all the points that are reachable from the Internet — need to be inventoried and protected. The attack surface includes cloud applications as well as on-premises systems. Systems that aren’t directly on the Internet need to be in the inventory too, since they become vulnerable when a threat gets a foothold. Only complete coverage of the network gives the best chance of keeping intruders out.
Managed detection and response pricing depends on the level of service you need. The cost of a plan depends on factors like turnaround time, frequency of scans, and the scope of the systems to be protected. The managed detection and response market is growing rapidly, and Gartner predicts that by 2025, 50% of all organizations will be using it.
MDR and other security service terms
Where does MDR fit in with other security terms? Let’s go down a list of commonly encountered ones.
Managed security services
A managed security service provider, or MSSP, offers several kinds of services, including MDR. Monitoring is often available as a standalone service from an MSSP or MSP. It’s relatively inexpensive since it’s entirely software-based and doesn’t require experts to run it. The customer gets alerts and periodic reports and decides what to do with them.
MSSPs may offer incident response on a per-call basis, often as an adjunct to monitoring. The security team addresses issues when asked to. It identifies intrusions, finds data damage, and fixes the problem. That’s often dismissively called the “break-fix model.” It gives longer turnaround times than MDR, during which important systems could be unavailable.
The range of security services is broad, from software-only solutions to full-spectrum protection. MDR is a comprehensive service that includes monitoring, threat identification, analysis, and remediation. The customer might not have to do anything more during a security incident than wait for its resolution.
Attackers have repertoires of tactics, techniques, and procedures, called TTPs for short. Recognizing threats is a matter of spotting TTPs in action. Threat intelligence repositories, such as ATT&CK and the SANS Internet Storm Center, use crowdsourcing to collect information on TTPs and the malware that uses them. They get constant updates to keep up with the latest threats.
When a zero-day threat appears, it has to get into threat intelligence repositories as quickly as possible. It takes time to patch a vulnerability, but identifying it allows actions like blocking the attacker’s IP address.
MDR needs to turn threat intelligence into concrete procedures for stopping and removing threats. The data provided includes the threat’s characteristic behavior, such as files that it alters or URL patterns it uses. Without up-to-date threat intelligence, it will miss the latest attacks, potentially allowing an expensive data breach.
Software used with MDR
Service providers have a large array of MDR tools available to them. They normally are cloud-based but include cooperating software on the customer site. Sometimes the customer installs a hardware appliance from the provider to perform the local tasks.
Analysts use a software dashboard to get a security overview without switching among applications. It gives information about the overall state of the system and combines all alerts in one place. They can spot issues more quickly than if they had to manually poll several applications.
MDR, before it had that name, used intrusion detection systems (IDS) and intrusion prevention systems (IPS) to manage the growing amount of information they had to analyze. At first, these systems used signature-based detection, looking for the characteristic bit patterns of malware. They didn’t help against unknown or zero-day threats. The technique shifted toward behavior-based detection, looking for activities such as file alteration and connection to unauthorized remote hosts. Machine learning and artificial intelligence, working with the latest threat intelligence, let the systems adapt quickly to new threats.
Two developments have significantly raised the ability of security software to catch and respond to threats: SIEM and SOAR.
Networks have become vastly more complex over the past decade. They interact with cloud services, break up software into microservices, and contain large numbers of devices (e.g., mobile devices and the Internet of Things). The information needed to identify threats is scattered over the messages and logs from all of these units.
Threats operate by stealth. They avoid a fixed signature and may hide in any directory on any machine. Finding a threat, even when looking in the right place, is harder than it used to be.
The answers lie in huge amounts of widely scattered log file data. Going through the files with searches and pattern matches can’t even start to find them. This is why SIEM was developed. Security Information and Event Management collects information from many logs on a network and intelligently analyzes them. Not only does it handle a greater volume of log data than human analysts could manage, it discovers connections that trace the course of a threat. Clever attacks move laterally from one system to another. They install ways to restore themselves if they are partially removed.
SIEM uses regularly updated threat intelligence to track the latest tactics, techniques, and procedures intruders are using. It applies machine learning to discover threats based on the traces they leave. When it finds a threat, it can take actions such as replacing infected files with known good versions. Security analysts receive alerts when a threat is discovered, as well as regular reports on the state of network security.
Using SIEM lets a SOC team identify threats more quickly and have fewer distractions from false alarms. Up-to-date MDR operations treat SIEM as one of the most important parts of their toolkit. BitLyft provides SIEM as a service with Securonix Managed Detection and Response.
SIEM isn’t the whole toolkit, though. Not everything that helps to diagnose threats comes through log files. By itself, SIEM doesn’t address the remediation side as much as it could. The next step up is to get all the available tools working as a unit and automate the removal of weaknesses and malware where possible. Often these tools come from different vendors and weren’t designed to talk to each other.
It takes some effort to unify them, but it’s happening. The technology that does it is called SOAR: Security Orchestration, Automation, and Response. It carries the automation of threat detection and response to a higher level. “Orchestration” means using techniques that let diverse tools carry out an automated process together, using APIs and scripting interfaces. The tools can include firewalls, spam filters, monitors, and anything else that helps to diagnose threats. They also include cloud applications that could be points of entry or targets for exploitation.
SOAR builds on SIEM and enlarges its scope. It’s better at finding internal threats since actions by logged-in accounts don’t trigger as many alerts. “Insider threats” are often actually compromised accounts, and additional information about their usage patterns helps to recognize when someone other than their legitimate owner is using them.
Like SIEM, SOAR includes incident response in its scope, and it carries it a step further. Automated responses can stop intrusions within seconds of their occurrence, stopping the attacker at the starting gate. Integration with user authentication and authorization services lets it quickly disable or limit an account that has been hijacked. If necessary, SOAR can quarantine an entire machine to keep malware from spreading.
Complementary services and software
Some tools and services fall outside the scope of MDR but have their own value. A SOAR system can work with them to augment the information it uses.
Web Application Firewalls (WAF), also known as next-generation firewalls (NGFW), are a type of intrusion prevention system. They monitor incoming and outgoing traffic intelligently, blocking malicious requests. They prevent attacks rather than reporting them and are generally considered a separate function from MDR.
Vulnerability scanning doesn’t look for threats but for known issues that a threat could exploit. Most often the problem is software that isn’t up to date. A vulnerability scan allows correction of security issues before they become active problems.
Penetration testing is an advanced service that attempts to break security but doesn’t do actual harm, so the customer knows what real threats could succeed. It’s an occasional exercise, not an ongoing process. Pen testing, as it’s called for short, often comes from companies that specialize in it. It can be intrusive and expensive, but it’s valuable for organizations with very sensitive data.
Offerings that are called MDR can range from simple monitoring and alerting to a full set of advanced software and expert support. Look at what the service does, not just what it’s called.
BitLyft’s AIR, Automated Incident Response, goes beyond standard MDR to create a high level of automation in both the detection and the resolution of security incidents. It combines SIEM and SOAR with an expertly run SOC to give the best of computer-based security and human intervention.
Cybersecurity failures are costly. Downtime, liability, mitigation costs, and loss of reputation can inflict major damage on a business. A state-of-the-art Managed Detection and Response service guards against disaster, ensuring that your business will continue to run smoothly and safely. Talk with our engineers to find out how BitLyft Air Platform, more than just MDR, can give your business safety and peace of mind.