
MDR: what does the future hold?

As we come closer to leaving 2021 behind, our Product Manager for Detect and Respond services, Grant Paling, looks ahead to 2022 and beyond. What does the future look like?

The work we are doing in cybersecurity is more important than ever, and every week, it seems, security issues gain more credence at the board level of businesses. And why shouldn’t they? For so long, governments across the world have waged war on drugs. But as criminal enterprises go, cybercrime is safer, easier and has far fewer barriers to entry.

The impacts on society are beginning to be felt by those outside the compromised businesses themselves. Think of Colonial Pipeline and the incidents since that affect the very basic things we simply expect to be stable in our lives: fuel, water supply, power supply, food, technology components. The list goes on, and all of these things can now be disrupted in a matter of minutes. More recently there is the role of cyber-attacks in the Ukraine/Russia conflict; cyber operations now underpin modern conflict between nation-states. Cybersecurity has never been more important to preserving our way of life.

What can we do to combat cybercrime?

Managed Detection and Response (MDR) has long been touted as the solution, yet as a concept, we still feel it has a lot of growing up to do. And alongside it, our concepts of MDR perhaps also need to be re-aligned.

Firstly, we need to understand what all this jargon means. You can find our thoughts on that here. Then we need to really understand what we are expecting from MDR as Pete Shoard from Gartner outlines in his blog here. After that, it is up to leading MDR providers like Orange Cyberdefense to meet those expectations and in many cases, to take the lead in redefining those expectations.

For me, 2022 needs to be the year that MDR grows up. And here is how.

We need to stop talking loosely about cloud detection and response

Cloud is a mega-trend. It is not a detection source. AWS alone has over 200 services now. So, saying “I want to monitor AWS” doesn’t quite cut it. Similar notions apply to Microsoft, Google, and any other cloud provider.

The main message of MDR that we push to our customers has always been to “do the basics right”. Customization can come later, but the majority of threats we face today arrive via pretty standardized techniques. Cybercrime is big business, and that means the ecosystem needs to scale with demand, which in turn has spawned “businesses” such as Ransomware-as-a-Service. Focusing on key, common threats is a good place to start.

And when it comes to cloud, that same mantra holds true. The basics in this case might be slightly different, but there are still key things we can do that will have a huge impact on stopping attacks before it is too late. Examples include:

  • Detecting compromised identities/accounts that are performing suspicious activities in your cloud environment
  • Detecting exposed data on unsecured cloud resources such as connected storage, exposed databases, or GitHub pages
  • Detecting misuse of cloud-based collaboration technologies, to ensure that they don’t open a back door into the business
  • Adapting incident response processes and procedures to cater to the shared responsibility model in the cloud
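To make the first two bullets concrete, here is an added example (not Orange Cyberdefense code) of the kind of starter detections a SOC would run over cloud audit logs. It parses constructed CloudTrail-style records (identities, addresses and bucket names are invented) and flags a console login from an address never seen for that identity, an access key minted for a different principal, tampering with the audit trail, and a bucket ACL opened to everyone. The per-identity baseline and the rule set are assumptions for the example, not a product’s rules.

```python
"""Starter cloud detections over constructed CloudTrail-style records.
Added example; field names follow the CloudTrail schema, the data is invented."""
import json

# Constructed sample records (one JSON object per line). Not real telemetry.
RAW_EVENTS = """
{"eventTime":"2022-01-10T08:02:11Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2022-01-10T08:05:40Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","userName":"alice"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2022-01-10T08:06:02Z","eventName":"CreateAccessKey","eventSource":"iam.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","userName":"alice"},"requestParameters":{"userName":"svc-backup"}}
{"eventTime":"2022-01-10T08:07:15Z","eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","userName":"alice"},"requestParameters":{"name":"org-trail"}}
{"eventTime":"2022-01-10T09:15:00Z","eventName":"PutBucketAcl","eventSource":"s3.amazonaws.com","sourceIPAddress":"203.0.113.22","userIdentity":{"type":"IAMUser","userName":"bob"},"requestParameters":{"bucketName":"finance-exports","AccessControlPolicy":{"AccessControlList":{"Grant":[{"Grantee":{"URI":"http://acs.amazonaws.com/groups/global/AllUsers"},"Permission":"READ"}]}}}}
{"eventTime":"2022-01-10T09:20:00Z","eventName":"ListBuckets","eventSource":"s3.amazonaws.com","sourceIPAddress":"203.0.113.22","userIdentity":{"type":"IAMUser","userName":"bob"}}
"""

# Assumed per-identity baseline of source addresses seen during normal use (constructed).
KNOWN_SOURCE_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.22"}}

# API calls that weaken or stop the audit trail itself.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# Grantee URIs that make an S3 ACL world- or any-AWS-account-readable.
PUBLIC_GRANTEES = ("groups/global/AllUsers", "groups/global/AuthenticatedUsers")


def parse_events(raw):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def actor(event):
    return event.get("userIdentity", {}).get("userName", "<unknown>")


def check_event(event, known_ips):
    """Return the names of every rule this single event matches (empty list = benign)."""
    hits = []
    user = actor(event)
    name = event.get("eventName")
    params = event.get("requestParameters") or {}

    # 1. Compromised identity: successful console login from an address never seen for this user.
    if name == "ConsoleLogin" and event.get("responseElements", {}).get("ConsoleLogin") == "Success":
        if event.get("sourceIPAddress") not in known_ips.get(user, set()):
            hits.append("console_login_unknown_source")

    # 2. Persistence: an identity creating a long-lived access key for a *different* principal.
    if name == "CreateAccessKey" and params.get("userName") not in (None, user):
        hits.append("access_key_created_for_other_user")

    # 3. Defence evasion: tampering with the trail that feeds the SOC.
    if name in LOGGING_TAMPER_EVENTS:
        hits.append("cloudtrail_tampering")

    # 4. Exposed data: bucket ACL granting access to everyone / any AWS account.
    if name == "PutBucketAcl":
        grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
        if any(any(p in g.get("Grantee", {}).get("URI", "") for p in PUBLIC_GRANTEES) for g in grants):
            hits.append("bucket_acl_made_public")
    return hits


def detect(events, known_ips=KNOWN_SOURCE_IPS):
    """Run every rule over every event; one finding per (event, rule) match."""
    findings = []
    for ev in events:
        for rule in check_event(ev, known_ips):
            findings.append({"rule": rule, "user": actor(ev),
                             "source_ip": ev.get("sourceIPAddress"),
                             "time": ev.get("eventTime"), "event": ev.get("eventName")})
    return findings


def findings_by_user(findings):
    """Group rule hits per identity. Several distinct rules firing for one
    identity in a short window is the signal worth escalating to response."""
    per_user = {}
    for f in findings:
        per_user.setdefault(f["user"], []).append(f["rule"])
    return per_user


if __name__ == "__main__":
    for f in detect(parse_events(RAW_EVENTS)):
        print(f"{f['time']} {f['rule']:<35} user={f['user']} ip={f['source_ip']} ({f['event']})")
```

On the sample data, the identity “alice” trips three rules in the space of five minutes (unknown login source, key created for another principal, logging stopped), which is the sort of chained signal a response process should treat as a compromised account rather than three unrelated alerts; “bob” trips only the exposed-data rule.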

There remain different ways (all within the capability of the traditional SOC triad of log, endpoint, and network-based detection) to detect attacks in the cloud but we should start with the risks.

And in summary, “the cloud” is not a risk. It is a source of many risks. And so, we need to recognize the risks in order to detect them and respond accordingly. If you’re interested in knowing more, come and talk to us about the risks we see that should be addressed in cloud security at different security maturity levels. We’ll help get you started with a comprehensive detection strategy, whether you’re an Azure, AWS, GCP, or multi-cloud house.

MDR provides an outcome; it is not platform management

So much effort goes into providing MDR services to a high standard. My heart sinks whenever we get asked to “support” a technology. The outcome is what is going to make the difference. We get it, you invested a lot of money in a bunch of tools. But when the plumber comes to fix the leak, do you hand him the tools and say, “fix the leak with these tools please”? Or do you just tell the plumber to fix the leak?

It takes a lot more than technology to provide an agile and scalable service that delivers on the outcomes promised. Some key elements that really make MDR work are:

  • Research & development: Without a dedicated research team, without a solid detection engineering function, it is almost impossible to be as agile and as accurate as you need to be in the modern world. Threats emerge and change constantly. Relying on technology updates and “shipped rules” just doesn’t cut it.
  • Continuous improvement: Detection and response capabilities must continually be measured and evolved. It is about as far from “set and forget” as a solution could possibly be. And ultimately, without such a mindset, customer satisfaction is going to suffer.
  • Strong processes: For the sake of both security and consistency, processes must be mature, especially in the MDR world, where you and your customers are both targets and the work is unforgiving of any kind of lackadaisical approach.
  • Cyber Threat Intelligence: It’s a given for providing MDR services. But it’s also not all created equal. Linking back to research & development, the creation of your own intelligence (not just relying on commercial or open-source indicator lists) is key, as is the application of that intelligence at different levels: technical (such as more effort to proactively identify attacker infrastructure), tactical (log4j troubles, anyone?) and strategic (like understanding the entire chain of how ransomware groups work and finding ways to track attacks throughout the whole cyber extortion process).
  • Security Automation and Orchestration: Speed remains key. Automating boring and repeatable processes is great for the soul (of the security analyst!). There are not only efficiency gains but also the very human benefit of doing the interesting bits, where the real thinking needs doing, and letting computers do what they do best: handle large swathes of the same data processing, over and over again.
  • Recruitment program: All five of the points above have one thing in common. They don’t work without humans. And the number of humans we need is not reducing, because the workload is not reducing but growing exponentially. So being able to identify, train and provide a solid set of career options for the next generation of security analysts has never been more important.

I’ve given you our view at Orange Cyberdefense. Now ask yourself honestly. Who is going to give you the best outcome? The one who supports your set of platforms and does whatever you ask them to? Or the one who brings all the above to the table?

Okay, maybe both might be achievable. But give me the outcome over the tech, any day of the week.

Read more in part 2, coming to you next week!
