Outsourcing security operations via a third-party managed detection and response service will improve your organization’s security posture, so choosing the right provider is crucial. Not every company’s needs are the same, so you need some knowledge of MDR to determine which provider’s approach is best placed to help you.
Businesses are increasingly turning to MDR providers to combat an ever-more complex security environment. According to Gartner, 50% of organizations will be using MDR services by 2025. Security experts are struggling to keep up with the rate of attack and the speed at which new techniques develop, and the number of attacks continues to escalate: Cisco data estimates that distributed denial-of-service (DDoS) attacks will grow to 15.4 million by 2023.
This is why it’s important to consider the key aspects when evaluating what service suits you ”“ to ensure that the MDR provider you choose is the right fit for your business.
MDR (Managed Detection and Response) is the service provided by a third-party SOC (Security Operations Center). MDR refers to a complex network of alerts and triggers around a company’s operations. Attacks on the infrastructure ”“ whether derived from phishing attacks, physical infiltration, or DDoS ”“ are flagged immediately so remedial action can be taken.
We often see the same two vulnerabilities lead to fatal flaws in a company’s security posture. Suppose an employee receives a phishing email and enables macros, downloads something from an unknown source, or executes a process they shouldn’t. In that case, an attacker can gain access to the system immediately. Phishing attacks are no longer poorly-spelt or bizarre spam emails but take the form of persuasive communications. In 2021, 83% of organizations reported experiencing phishing attacks, and experts predict that an additional six billion will occur in 2022. Alarmingly, 30% of phishing emails are opened.
Poor configuration across the infrastructure is another vulnerability we often see. As with phishing attacks, unwieldy endpoint distribution and lack of regularly organized configurations open up a company to vulnerabilities. If an attacker targets a weak point, such as an unprotected laptop, they can gain access to internal infrastructure and rapidly grant themselves increasing user privileges, moving laterally across the system.
To address these risks, security staff must be responsible for continually training and educating employees regarding security best practices, as well as monitoring the system for unprotected endpoints: both are tasks that consume a considerable amount of time, energy, and goodwill.
The most critical element of the MDR is its capacity to find, respond to, and investigate threats. Look for a provider that actively and proactively searches out threats and reacts to them rapidly in the “golden hour” of incident response.
Prioritization helps in dealing with the vast number of alerts generated daily. Combining human intelligence with automated systems allows you to distinguish between genuine threats and false positives effectively. Applying those false positives to exclusions means that the MDR becomes tailored to your company’s idiosyncrasies.
Ingesting the information embedded in a threat is vital in preventing the next one. With a deep analysis of attempted attacks, the MDR should assess where the attack came from, when it happened, what was affected, and what protocols failed to prevent it. In this way, they can respond to the specific threat at hand.
Behavioral analysis embedded in the software means that the solution is intelligent, learning from the telemetry and artifacts it’s ingesting during its operation. A good MDR solution should not only protect but improve with each new version to match the evolving threat landscape.
Seek out a provider that utilizes technology to scan the network for unprotected endpoints and that can implement a blanket security solution. With fewer layers of security on endpoints, you can make the running of your company smoother and speedier.
The benefit of an automated system is that support is always available, meaning you’re always protected. It’s essential to select a provider who can offer customer support at all times and rapid response times. Even in instances where there hasn’t been an incident: communication and transparency are key.
With increasingly strict laws governing information security, MDR can give you peace of mind in avoiding a possibly illegal data breach ”“ and the resulting hefty fine.
Ackcent’s approach to managed detection and response services is summarized in three main priorities.
Prevention ”“ educating customers on best practices, detecting and protecting vulnerable endpoints, and installing firewalls and antivirus software to protect against everyday attacks.
Detection ”“ a robust alert system identifies potential issues as soon as they arrive, and our sophisticated configuration process differentiates between false and real positives.
Response ”“ if we detect a legitimate attack, we immediately launch protocols to detect, trace, and immobilize it. We then gather as much information as possible to identify the breadth of the damage and support the customer in restoring their data and functionality.
Combined with years of industry experience and 24/7 availability, these protocols provide a shield around your business: one that is proactive rather than static.
Our SOC is made up of the:
Let’s look at an example. In Ackcent’s SOC, an analyst receives an alert: someone working for a client company based in Portugal has logged into the central server from another country. We know this employee often works in Spain, and we have a configuration already in place that recognizes that. However, this login attempt has come from Canada.
Firstly, we review the employee’s mailbox to detect the action that might have instigated the alert. There, we find a phishing email that supposedly has come from Microsoft Office, but on inspection, it’s from a different source. We take steps to immediately block the logged-in session and enable two-factor authentication during the containment phase. Then, we embark on eradication and recovery.
To support us with these tasks, we employ a blend of automated services:
Like an explorer in a jungle, hunting down threats means hacking through an awful lot of wilderness. When it comes to the vast amount of telemetry a single company generates on any given workday, it’s vital to know how to efficiently hunt down threats as they move through a network infrastructure.
When an attack penetrates a device, we “take the device apart” by analyzing its logs. We’ll trace the IP address of that user to confirm that they have come from outside of the organization and derive what information we can from the location of that IP address. We then take Indicators of Compromise (IOC), such as a command and control order or a hash, to see if other devices in the enterprise are compromised. The information we recover helps us at every stage to understand the origin, purpose, and scale of the attack. We’re not only hacking through the jungle but gaining information from the environment.
Neutralizing a threat can be a delicate business as, initially, it’s crucial not to alert the attacker to your presence. For example, say the attacker has aimed for the Domain Controller (DC). This is the most critical network device, offering the threat actor access to all the devices in the company. You see that there are connections to a command and control, but if you cut this connection, it might trigger malicious activity from the attacker if they have access to a backdoor. A targeted investigation is required to ascertain the nature of the threat.
Once we contain the incident, we must eradicate and eliminate any traces of it, such as any malicious code. With SentinelOne, you can recover compromised systems and services, meaning that files can be repaired even after an attack.
Scheduling meetings regularly is vital for continuing transparency and providing weekly reports directly to you. In the event of a significant threat, we will notify you immediately, from an email for a low-level attack to a call for a critical one. If an attack has penetrated, we will work collaboratively to mitigate its effects as soon as possible.
The architect ”“ the player providing an overarching structure for the MDR ”“ maintains the system and provides constant feedback regarding the network infrastructure. The architect will design and build an MDR service that responds to your needs.
The Security Device Manager (SDM) provides reporting on the MDR to the customer, ensuring that channels of communication are open at all times. Their job is to know you, so that corresponding security measures represent any changes in your business.
The SOC will alert the customer in case an alert is triggered, and provide comprehensive support during the incident response period.
After dealing with the attack, we use the information gathered during the investigation to make our protective services more sophisticated. We will create a detailed report of the incident to share with the customer, laying out the attack and how we responded.
Every attempted attack is a test of the robustness of the MDR defense, so each one is an opportunity to strengthen our position. This also helps us stay up to date with new threats and vulnerabilities, which allows us to create new custom rules that effectively mitigate actions that might otherwise go undetected.
Our job is made easier by having good tools at our disposal and a set of sophisticated protocols for immediate action. We have developed an approach that utilizes a suite of industry-leading automated services. We have also built relationships with their providers, meaning you don’t have to worry about handling several external connections. Our SOC works 24/7, 365 days a year, so you’ll benefit from knowing there’s never a time when your company is unprotected.
The key to our approach is found in our name.
“Ackcent” is drawn from three concepts: Ack, accent, and copyleft. Ack is an indication that positively acknowledges the reception of messages. The word accent means the emphasis of a particular word or phrase. Copyleft is a play on copyright and is the practice of using copyright law to offer people the right to freely and legally distribute copies and modified versions of a work. These key concepts combine to emphasize our brand mission: to facilitate sharing knowledge, expertise, and resources to create a safer and better-connected world. When it comes to MDR, receptivity, communication, and alertness are crucial. As our name suggests, these are the qualities we always seek to embody.
Get in touch with an MDR expert today so we can help your organization detect and respond to cybersecurity threats.
Like this article? Follow us on LinkedIn or Twitter to see the content we publish.
Get resources in your mailbox for free