With the threat landscape constantly evolving, identifying the best cybersecurity service for your organization can be challenging. A lot of organizations turn to outsourced cybersecurity services such as Managed Detection and Response (MDR) as a way to enhance security layers in a cost-efficient way.
We’ve covered why every SMB should consider Managed Detection and Response. In this blog, you’ll learn the core elements of an MDR service so you can fully understand what the service entails and compare providers with the three fundamental areas of the service in mind.
Security Information and Event Management Software
SIEM software combines security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts generated by applications and network hardware. SIEM software matches events against rules and indexes them to detect and analyze advanced threats using globally gathered intelligence. This gives security teams both insights and a track record of the activities within their IT environment by providing data analysis, event correlation, aggregation, reporting, and log management.
The threat detection element is able to catch abnormalities in emails, cloud resources, applications, external threat intelligence sources, and endpoints. This can include user and entity behavior analytics (UEBA) which analyzes behaviors and activities to monitor for malicious behaviors which could indicate a threat.
Now, every Managed Detection and Response service should have SIEM software, but having SIEM software doesn’t mean you have a Managed Detection and Response team. Just like every hotdog should have a sausage, but just a sausage doesn’t make it a hotdog.
Oftentimes businesses with an internal IT team decide to invest in SIEM software as part of their cybersecurity strategy, but they lack the cybersecurity knowledge to truly take action upon the insights, the tactics, techniques, and procedures (TTPs), and the known indicators of compromise (IOCs) that SIEM software provides. So if you are considering investing in a SIEM thinking it will streamline the cybersecurity efforts of your team, that won’t be the case unless they have a high level of cybersecurity knowledge and expertise.
Threat Intelligence feeds
Given how fast attackers are developing new malware, defenders need to be able to rapidly respond to a growing number of attack vectors. Visibility here is key: the more data points that are collected and analyzed, the faster the response time, and the easier it becomes to scale and replicate automated responses to attacks at large.
Global threat intelligence feeds collect multiple data points coming from the network; using artificial intelligence and machine learning, they are able to identify patterns and mark them as potential threats. Imagine a group of the savviest hackers in the world, working for the good guys, so instead of hacking the systems, they are just aiming to discover vulnerabilities before bad hackers do. They feed all this information back to cybersecurity groups around the world that work to update their SIEM software and other cybersecurity technologies to detect and protect against this newly found attack vector. This is what threat intelligence feeds such as Cisco Talos Intelligence do.
For this reason, an MDR solution needs to be tuned to not only one but multiple threat intelligence feeds, so it can rapidly adapt the security layers to identify, detect, and respond in real time. The more data points an MDR service receives, the more accurate every proactive response becomes.
Here is a shortlist of the top threat intelligence feeds most MDR services use to update the SIEM and security operations:
- Department of Homeland Security: Automated Indicator Sharing
- FBI: InfraGard Portal
- Cisco: Talos Intelligence
- SANS: Internet Storm Center
A team of expert security analysts who can alert you, but also advise and discuss the threat with you
Now, having a SIEM system that receives insights from threat intelligence feeds is one thing. Acting on the alerts and prioritizing responses is another. Businesses that invest in SIEM can quickly realize that they are unable to manage it without a large team of security experts to respond to the high volume of alerts. Alert fatigue is a common problem for security teams, especially without the proper training, and it often leads to important alerts being missed or overlooked.
In our recent blog about selecting a Managed Detection and Response Service Provider, we talk about some of the characteristics a great MDR team should have. It’s not just about prioritizing alerts and responding effectively; it’s also about helping your organization understand the impact of such decisions.
In terms of technical expertise, this must go beyond cybersecurity best practices or firewall configurations. It’s about understanding all the moving pieces of your technology environment and how they all work together. How will the failure to detect a threat in one part of the system affect others? What is the business continuity, financial, and operational impact of failing to prevent a breach? Having all that information at hand will help you make smart strategic decisions for your organization and the technologies you should be investing in. That’s the power of having a great team of cybersecurity experts.
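To make the three pieces concrete, here is an added example (not code from the original post or from any SIEM or MDR vendor) that shows, in miniature, what a SIEM does with the feeds and the alert volume described above: it matches normalized events against rules, checks destinations against an IOC feed, correlates repeated failed logins into a single finding, and then aggregates duplicate alerts into one prioritized queue so that a beaconing host produces one alert with a count rather than dozens. The events and the IOC feed are constructed sample data (the domain and IP values are documentation placeholders, not real indicators), and the rule names, thresholds, and severity levels are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), already normalized the way a
# SIEM would after parsing raw auth, DNS and firewall logs.
EVENTS = [
    {"ts": "2024-01-10T09:00:01", "type": "auth", "user": "alice", "src": "10.0.0.12", "outcome": "fail"},
    {"ts": "2024-01-10T09:00:05", "type": "auth", "user": "alice", "src": "10.0.0.12", "outcome": "fail"},
    {"ts": "2024-01-10T09:00:09", "type": "auth", "user": "alice", "src": "10.0.0.12", "outcome": "fail"},
    {"ts": "2024-01-10T09:00:14", "type": "auth", "user": "alice", "src": "10.0.0.12", "outcome": "fail"},
    {"ts": "2024-01-10T09:00:20", "type": "auth", "user": "alice", "src": "10.0.0.12", "outcome": "success"},
    {"ts": "2024-01-10T09:01:00", "type": "auth", "user": "bob", "src": "10.0.0.33", "outcome": "fail"},
    {"ts": "2024-01-10T09:02:00", "type": "dns", "host": "ws-07", "query": "updates.evil.example"},
    {"ts": "2024-01-10T09:02:30", "type": "net", "host": "ws-07", "dst": "203.0.113.5"},
    {"ts": "2024-01-10T09:02:31", "type": "net", "host": "ws-07", "dst": "203.0.113.5"},
    {"ts": "2024-01-10T09:02:32", "type": "net", "host": "ws-07", "dst": "203.0.113.5"},
    {"ts": "2024-01-10T09:03:00", "type": "net", "host": "ws-02", "dst": "198.51.100.7"},
]

# Constructed IOC feed: placeholder indicators standing in for what a real
# threat intelligence feed would deliver.
IOC_FEED = {
    "domains": {"updates.evil.example"},
    "ips": {"203.0.113.5"},
}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def match_iocs(events, feed):
    """Rule 1: flag every event whose DNS query or destination IP is in the feed."""
    alerts = []
    for e in events:
        if e["type"] == "dns" and e["query"] in feed["domains"]:
            alerts.append({"severity": "high", "rule": "ioc_domain", "entity": e["host"], "value": e["query"]})
        elif e["type"] == "net" and e["dst"] in feed["ips"]:
            alerts.append({"severity": "high", "rule": "ioc_ip", "entity": e["host"], "value": e["dst"]})
    return alerts


def correlate_failed_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Rule 2 (correlation): at least `threshold` failed logins for one user
    inside `window`, followed by a success from the same source address."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "auth":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        fails = []
        for e in evs:
            # Keep only failures that are still inside the sliding window.
            fails = [f for f in fails if _ts(e) - _ts(f) <= window]
            if e["outcome"] == "fail":
                fails.append(e)
            elif len(fails) >= threshold and any(f["src"] == e["src"] for f in fails):
                alerts.append({"severity": "medium", "rule": "bruteforce_then_success",
                               "entity": user, "value": e["src"]})
                fails = []
    return alerts


def aggregate(alerts):
    """Collapse identical alerts into one record with a count, then order by
    severity and volume. This is the step that keeps a beaconing host from
    filling the analyst queue with one alert per connection."""
    counts = Counter((a["severity"], a["rule"], a["entity"], a["value"]) for a in alerts)
    merged = [{"severity": s, "rule": r, "entity": ent, "value": v, "count": n}
              for (s, r, ent, v), n in counts.items()]
    merged.sort(key=lambda a: (SEVERITY_RANK[a["severity"]], -a["count"]))
    return merged


def triage(events, feed):
    """Run all rules and return the prioritized, de-duplicated alert queue."""
    return aggregate(match_iocs(events, feed) + correlate_failed_logins(events))


if __name__ == "__main__":
    for a in triage(EVENTS, IOC_FEED):
        print(f"[{a['severity']:>6}] {a['rule']:<24} {a['entity']:<6} {a['value']} x{a['count']}")
```

On the sample data the four raw IOC hits and one correlation finding collapse into three queue entries: the beaconing host first (three connections to the listed IP merged into one high-severity alert), the matching DNS query second, and the password-guessing-then-success pattern for one user third. The raw rule output is what a SIEM alone hands a team; the aggregated, ranked queue is the part that still needs an analyst to decide what to do with each entry.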