A New Generation of MDR for a New Era of Threats
The stakes for cyber threat detection and response have never been higher. Digital infrastructure and communications have kept schools, hospitals, governments, and private businesses afloat during the pandemic. In many cases they’re even helping to drive major improvements to staff productivity, work-life balance, and organisational agility.
But they’re also coming under intense scrutiny from threat actors. As digital investments grow, so does an organisation’s attack surface. In this environment, where zero trust and protective monitoring are more important than ever before, outsourcing the Security Operations Centre (SOC) or Threat Detection and Response capability to a trusted partner is a smart move for many organisations. But not all providers are created equal.
It’s time to take a fresh look at just what’s possible with Managed Detection and Response (MDR) using the latest approaches and technology platforms. You may be surprised.
The Challenges with First Gen MDR
Adopting an MDR service makes a lot of sense. It provides outsourced security expertise where in-house skills may be lacking, boosting your speed and efficacy in detecting and containing threats. If done right, customers benefit from their provider’s economies of scale, and the MDR expert’s enhanced threat insight gleaned from a broad customer base. It also resolves the major financial and management headache of finding and retaining skilled SOC analysts, and kitting out a SOC with the requisite tech.
However, there are problems with what we’ll call the “first gen” of MDR providers, which are too often wedded to legacy technology and rigid, outdated approaches. These include:
Threat detection using siloed data sets as a result of using separate technologies to tackle different areas of the IT environment. Visibility gaps can occur, making it harder for analysts to correlate and prioritise events and alerts pertaining to threats. Exhausted analysts and longer mean-time-to-respond (MTTR) will usually follow.
A lack of orchestration and automation is often part of the problem outlined above. It opens the door to extra complexity, human error, and slow, manual response, which in turn leaves attacker dwell time long enough for the threat actor to achieve their objectives (lateral movement, encryption, ransom demands, data destruction, data exfiltration, and extortion).
Staffing challenges can affect some MDR providers too — after all, talented individuals are at a premium in the cyber security sector. This is where the outdated belief that MDR staff need to be in the same room to be effective can cause problems. This approach reduces the potential talent pool for providers and makes them less adaptable from a business continuity perspective. Due to the pandemic, analysts may be at home for now, but how many providers are intending to once again require analysts to make use of that office space and all those big screens displaying pew-pew maps once the pandemic begins to subside?
Building and maintaining their own infrastructure to host SIEM and other MDR technology introduces more inefficiencies to the first gen MDR’s business. It takes focus and investment away from their raison d’être (detecting and responding to threats). If they’re not using public cloud infrastructure or SaaS for their tech stack, they’ll need a dedicated infrastructure engineering team to feed and water their tech, they’ll be less agile and less scalable, and their MDR service charge will no doubt be recouping some of that unnecessary expense. Should you be paying for your provider’s inefficiencies?
Many MDR providers will limit data collection because their costs usually increase the more data is collected and stored. The MDR provider will therefore try to balance cost against risk by choosing to ingest specific data in specific volumes and hope to catch most threats. It’s not hard to see the problem here: incomplete data means incomplete visibility and often ineffective threat detection.
No historical insight into data is another knock-on effect of MDR providers that limit data collection due to cost pressures. It means they’re only looking for signs of recent malicious activity but can’t see far enough back for root cause analysis, which leaves investigations woefully incomplete and potentially leaves the door open for the attacker to return (which they invariably do).
The Socura difference
At Socura, we’ve learnt from the first gen MDR challenges to create a new model.
At its heart lies a partnership with Palo Alto Networks and Google Cloud Chronicle, providing a cloud-based Security Analytics platform combined with cloud-based Security Orchestration, Automation and Response (SOAR). This partnership means that we can ingest all of our customers’ security data with no data volume cap or volume-based pricing – and retain it all for 12 months.
Even better, we can search this enormous dataset in milliseconds and continually match new indicators of compromise (IoCs) – then respond with SOAR playbooks to provide optimal automation, supporting swift action by our experienced SOC analysts. The result is rapid MTTR, reducing attacker dwell time to minutes and limiting cyber-related risk for our customers.
That’s not all. The Socura platform also features:
Extended detection and response (XDR) which correlates and analyses threats across networks, cloud, identity, and endpoint to simplify and strengthen threat protection.
Orchestration and automation built into everything that we do to simplify case management, collaboration and threat intelligence management. Our Security Orchestration, Automation, and Response (SOAR) capabilities aggregate alerts from XDR and other sources before executing automatable, process-driven playbooks for enhanced response.
A fantastic team of highly skilled SOC analysts chosen for their talent, not where they live. Socura was designed to function with a distributed workforce from day one, for maximum agility and no limit to the available SOC analyst talent pool. We’ve also designed and built our systems based on analyst and customer feedback to optimise triage and hunting processes.
This is MDR built for a world of heightened digital risk. With Socura you get a trusted partner that works as an extension of your own security team, but with the support of the latest cloud-based and machine-powered security technologies.