5 min read

Managing Detections Is Not the Same as Stopping Breaches

Enterprises interested in managed detection and response (MDR) services to monitor endpoints and workloads should make sure the providers have rock-solid expertise in detecting and responding to threats.

The fundamental challenge in cybersecurity is that adversaries move quickly. We know from observation that attackers go from initial intrusion to lateral movement in a matter of a couple hours or less.

If security teams are going to successfully stop a breach, they need to operate within the same timeframe , containing and remediating threats within minutes, 24 hours a day, 7 days a week. Such constant vigilance can be challenging for in-house staff. This is why many organizations engage a provider of managed detection and response (MDR) security services, which monitors endpoints, workloads, and other systems to detect and monitor threats.

Unfortunately, even most managed services have several fundamental flaws that prevent them from executing on the core mission of stopping breaches.

How Most MDRs Fail Security Teams
First, MDRs frequently filter out low-severity alerts and direct human attention only to the ones that are deemed most critical. Unfortunately, attacks don’t start out as critical alerts. They tend to start with a long trail of lower-severity events that eventually add up to higher-severity incidents. A network breach evolves like a house fire—it starts small and quickly grows out of control. If defenders miss the early signals, the intruder has more time to become entrenched within the victim’s environment. The defender misses the opportunity to put out the fire at the earliest stages.

Second, the staffing model at many MDRs doesn’t scale. The structure of a typical security operations center (SOC) looks like a pyramid, with a few highly skilled analysts supported by tiers of more junior analysts. This structure can work in a small service provider, but as the MDR service firm takes on more and more clients, each gets less time with the real experts. This redirects most of the heavy lifting to junior analysts who may not have the experience to identify and disrupt a sophisticated threat in time. Before you know it, an intrusion has become a breach.

Next, many MDR service providers say they are tech agnostic which might not always work to your advantage. Not every provider can be an expert in all the available cybersecurity technologies and tools, so they become generalists and many powerful capabilities of individual technology components go underutilized. For example, a next-generation firewall may have a powerful logging and data analytics capability, but because the MDR doesn’t know the specifics of that platform, that capability is not used. A lack of focused expertise in the underlying tools slows analysts down. Worse, such an approach distills information from all application programming interfaces (API) down to the lowest common denominator. Critical context gets lost when you pull data from the native platform into a security information and event management (SIEM) repository. You need experts familiar with your specific type of platform, not generalists to evaluate threat graphs and deliver context and actionable insights.

Finally, and most crucially, most MDR services are not going to go that last mile for you: they focus on filtering and prioritizing alerts and meeting the terms of a narrowly defined agreement, but stop short of committing to the real mission of stopping breaches. Merely delivering threat alerts to you on a platter is not enough. The very reason you outsource key components of your cybersecurity strategy to an MDR is that you want to stop threats 24/7, not just have eyes on them. If you still need experts to evaluate the ones that surface, that means you will still need a bench of experts working around the clock. The final action of actually stopping the breach gets routed back to you, which defeats the point of hiring the MDR in the first place.

Must-Have Capabilities for a Modern MDR Service
Given the inadequacies of most MDR services, evaluate what you are getting and if these providers can truly achieve your goal of stopping breaches.

A modern MDR service provider leans on proprietary machine learning models to address low-level alerts, not ignore them entirely. That may mean following up with users and fixing the issues that led to the alerts, or putting in new controls that would take care of future alerts. Muscle memory from a learned playbook is valuable expertise for security teams. Look for MDR teams that are not built like a pyramid. Instead, look for teams of teams, each comprising a deep talent bench of experts so you get the customized client attention you need to detect and stop breaches.

Look for MDR services that have demonstrated skills in resolving compromised systems. For example, in a vast majority of instances with compromised endpoints, MDR firms are recommending that their customers rebuild compromised endpoints from scratch. While not a wrong approach, it is often entirely unnecessary and much too expensive. If your “Check Engine” light comes on in your car, you wouldn’t replace the entire vehicle, would you? You would rely on a skilled technician who can fix the problem.

Similarly, kick the tires and look under the hood when MDR services claim they can solve your cybersecurity challenges. Managing detections is not the same as stopping breaches. The last thing you need is more homework burdens on security teams that are already stretched thin. You instead need MDR anchored on a robust platform, broadest threat intelligence, and rock-solid expertise.