11 April 2023
Welcome to part 2 of my blog on what I believe the future of Managed Detection and Response (MDR) looks like.
In the last blog I covered AI, security monitoring in the cloud and automation. Three big topics for one relatively small blog!
In this second part I’d like to focus on something that ties into all three of those topics – asset intelligence.
Do you know where all your assets are? If I had to bet, I would say no. Asset management has always been hard but now it is harder than ever.
The type of assets you have to protect now is far more diverse than 10 or even 5 years ago. Things like:
The list could go on. But even just listing a few of the asset types gives us cause to hold our head in our hands and despair. How can we even begin to understand which assets we have, what protection they have? More importantly what protection or visibility are we lacking?
We must try to do better.
As the next evolution of our intelligence-led security strategy, we see that Managed Detection and Response must do better as well. In Managed Services in general, we see a lot of assets. And we have a lot of information about them too. The key is to implement a form of asset intelligence that can identify known and unknown assets, and often Managed Detection and Response services might have one of the best views of those unknown assets.
It won’t be easy, but here are the challenges we see that must be overcome if we are to gain maximum asset intelligence:
4. There is also a need to continuously identify new assets, providing an ability to monitor the enterprise attack surface
5. It is also important to be able to absorb any business context such as that of a CMDB. We see often in practice that a CMDB might be incomplete, but nonetheless, where there is valuable contextual information there, it should be incorporated
Asset intelligence is important to MDR and the future of developing MDR because context is everything. The better the context, the better the Managed Detection and Response provider can be at correctly assessing the priority of any incident. The net effect of that is less false positives, more comprehensive and business-centric incident reports and better interoperability with other critical security functions such as security posture management, vulnerability management and attack surface management.
There is still a general lack of understanding of the concept of assets in many of the tools that one has to utilize for Detection and Response – from XDR platforms to SIEM, to SOAR. And where there is, it remains very siloed and focused on the known assets.
Asset intelligence is the answer and it is something we continue to progress as a concept. It is fundamental to an intelligence-led approach because asset intelligence allows you (or indeed us as a managed service provider) to know you best.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu, The Art of War
There is a reason we probably overquote this in the cybersecurity industry…because it remains true. And we are succumbing in too many battles because we need to get better are knowing ourselves, there is too much focus on the enemy.
But with asset intelligence, combined with threat intelligence we can give ourselves hope.