
MDR: What does the future hold - Part 1

Spring is coming

As we come closer to leaving winter behind, our Product Manager for Detect and Respond services, Grant Paling, looks ahead to the rest of 2023 and beyond. What does the future look like? 

I wrote last year that the world was a crazy place moving into 2022, and 2023 doesn’t seem to have dialled down the mayhem. As I also wrote last year, social media continues to infiltrate our lives and influence what we do, how we behave and what we believe in. Privacy continues to be a global concern – not only in how companies use our data but, as the recent TikTok controversies show, in how governments may access one another’s data. And of course, there is a little thing called ChatGPT that everyone is talking about! 

As far as cybercrime goes, things just keep moving faster and faster too. The pressure is ramping up on being a cyber resilient business. We had nothing like this 16 years ago when I started in cybersecurity – the question then was “do we need it?” The question now is “how much can we afford to do?” And it is not easy to balance. The global economy remains under pressure and so, as is often the case, we must do more with less. That is part of the reason Microsoft, for example, has been successful in claiming a huge amount of security market share, but you can read more on that here. 

The impacts on society are also beginning to be felt by those outside the compromised businesses themselves. When we think about Colonial Pipeline and other incidents since, we see that such incidents affect the very basic things we just expect to be stable in our lives – fuel, water supply, power supply, food, technology components – the list goes on, and all of these can now be disrupted in a matter of minutes. As our recent blog on the topic shows, this is not due to a plethora of attacks on OT infrastructure itself, but it remains a concern and almost a “when, not if” scenario. After all, ransomware attacks and cyber extortion (Cy-x) weren’t always this easy to execute, were they? So perhaps the outlook is bleak. 

Is AI here to save the day or wreck the day?

I see lots of discussion about ChatGPT and now AI in general. 

  • Can AI really help us up our game in cybersecurity? To give us a helping hand or even replace entire jobs? 
  • Or will it be used by cybercriminals to just inflict more misery upon us? 

My current inclination is neither. I remain a fan of Rodney Brooks’ writings on the topic of AI. And the first of his “seven deadly sins”1 is overestimating and underestimating. He refers to Amara’s Law - “We tend to overestimate the effect of technology in the short run and underestimate the effect in the long run.” 

I re-read that very poignant statement and immediately think of the ChatGPT hype right now. The truth is that AI has been present in cybersecurity for some years now. AI represents the replacement of specific functions, not the replication of the human mind in its entirety. That is the definition of AI – it is just sadly misrepresented a lot of the time by people who have no deeper knowledge of AI itself beyond a few other buzzwords like “deep learning” and “data science”. 

So what is my view on the impact of AI on cybersecurity?

I believe it will continue to assist our defenders (and with the growing complexity of defending a business from cyberattack, we need it). I also believe it will continue to be misused, but again, not really to bring new attack vectors but to enhance the efficiency of using existing ones. I recently demonstrated in a presentation that it took ChatGPT 40 seconds to create the basis of a nice fake LinkedIn profile for me. That is where its primary use is today: social engineering. Because it is beautifully efficient at that, sadly. 

Has MDR grown up?

I said last year that I felt that MDR had a lot of growing up to do. And alongside it, our concepts of MDR have to also be perhaps re-aligned. You can find the previous blog here.

Still some cloudy issues. 

Yep, as an industry we’re still saying “I want to monitor AWS” and “I want to monitor Azure”. So I’m going to repeat a little of last year’s blog – not because I am lazy (after all, I could’ve gotten ChatGPT to write it if I wanted right?) but because everything I said then, I still see is relevant now. 

The main message of MDR we push to our customers has always been to “do the basics right”. Customization can come later, but the majority of threats we face today will come via pretty standardized techniques. Cybercrime is big business and that means that the ecosystem needs to scale with demand. Which in turn has spawned “businesses” such as Ransomware-as-a-Service. Focusing on key, common threats is a good place to start and when it comes to cloud, that same mantra holds true. The basics in this case might be slightly different, but there are still key things we can do that will have a huge impact on stopping attacks before it is too late. Examples like: 

  • Detecting compromised identities/accounts that are performing suspicious activities in your cloud environment 
  • Detecting exposed data on unsecured cloud resources such as connected storage, exposed databases, or GitHub pages 
  • Detection of misuse of cloud-based collaboration technologies, to ensure that they don’t open a back door into the business 
  • Adapting incident response processes and procedures to cater for the shared responsibility model in the cloud 

There remain different ways (all within the capability of the traditional SOC triad of log, endpoint and network-based detection) to detect attacks in the cloud but we should start with the risks. 
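As an added illustration of the first two “basics” in the list above (not code from the original post or from any product), here are two small detection rules run over constructed CloudTrail-style events: one flags an identity performing sensitive API calls from a network it has never used, or switching source address within a short window; the other flags a bucket ACL that grants access to everyone. Field and event names follow AWS CloudTrail conventions, but every event, IP address, bucket name and the baseline of “known networks” below is made up for the demo.

```python
"""Toy cloud detections over constructed CloudTrail-like events (added example)."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events, trimmed to the fields the rules use.
SAMPLE_EVENTS = [
    {"eventTime": "2023-03-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2023-03-01T08:05:00Z", "eventName": "ListBuckets",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10"},
    # Same identity, minutes later, from a network it has never been seen on.
    {"eventTime": "2023-03-01T08:20:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2023-03-01T08:22:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"userName": "alice"}},
    # A bucket ACL that grants READ to everyone on the internet.
    {"eventTime": "2023-03-01T08:25:00Z", "eventName": "PutBucketAcl",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"bucketName": "customer-exports", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [{"Grantee": {
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]}}}},
    # A benign ACL change: grant to one specific canonical user only.
    {"eventTime": "2023-03-01T09:00:00Z", "eventName": "PutBucketAcl",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.20",
     "requestParameters": {"bucketName": "internal-logs", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [{"Grantee": {"ID": "0123abcd"},
                                          "Permission": "FULL_CONTROL"}]}}}},
]

# Assumed baseline: the networks each principal normally operates from.
KNOWN_NETWORKS = {
    "alice": [ipaddress.ip_network("203.0.113.0/24")],
    "bob": [ipaddress.ip_network("203.0.113.0/24")],
}
# API calls worth an alert on their own when they come from an unknown network.
SENSITIVE_APIS = {"ConsoleLogin", "CreateAccessKey", "AttachUserPolicy",
                  "PutBucketAcl", "PutBucketPolicy"}
# ACL grantees meaning "anyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def _when(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_identity_anomalies(events, known_networks=KNOWN_NETWORKS,
                              window=timedelta(minutes=30)):
    """Flag sensitive calls from outside a principal's baseline networks, and a
    principal switching source address within a short window."""
    alerts = []
    last_seen = {}  # user -> (time, ip) of that user's previous event
    for ev in sorted(events, key=_when):
        user = ev["userIdentity"].get("userName", "<unknown>")
        ip = ipaddress.ip_address(ev["sourceIPAddress"])
        outside = not any(ip in net for net in known_networks.get(user, []))
        if outside and ev["eventName"] in SENSITIVE_APIS:
            alerts.append({"rule": "sensitive-api-from-unknown-network", "user": user,
                           "event": ev["eventName"], "ip": str(ip), "time": ev["eventTime"]})
        prev = last_seen.get(user)
        if prev and prev[1] != ip and _when(ev) - prev[0] <= window:
            alerts.append({"rule": "source-change-within-window", "user": user,
                           "from": str(prev[1]), "to": str(ip), "time": ev["eventTime"]})
        last_seen[user] = (_when(ev), ip)
    return alerts


def detect_public_bucket_acls(events):
    """Flag PutBucketAcl calls whose grant list includes a public group grantee."""
    alerts = []
    for ev in events:
        if ev["eventName"] != "PutBucketAcl":
            continue
        params = ev.get("requestParameters") or {}  # some events carry no parameters
        grants = (params.get("AccessControlPolicy", {})
                  .get("AccessControlList", {}).get("Grant", []))
        public = [g["Permission"] for g in grants
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]
        if public:
            alerts.append({"rule": "public-bucket-acl",
                           "user": ev["userIdentity"].get("userName"),
                           "bucket": params.get("bucketName"),
                           "permissions": public, "time": ev["eventTime"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_identity_anomalies(SAMPLE_EVENTS) + detect_public_bucket_acls(SAMPLE_EVENTS):
        print(alert)
```

Run as written, the identity rule raises four alerts, all for alice (three sensitive calls from the unknown network plus one source-address change within the window), and the ACL rule raises one for the `customer-exports` bucket while leaving bob’s change alone. The point is the shape, not the thresholds: a per-principal baseline plus a short list of high-impact APIs already catches the common “stolen credential, then persistence, then exposure” sequence without any cloud-specific tooling beyond the audit log.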

In summary, “the cloud” is not a risk. It is a source of many risks. And so, we need to recognize the risks in order to detect them and respond accordingly. If you’re interested to know more, come and talk to us about the risks we see that should be addressed in cloud security at different security maturity levels. We’ll help get you started with a comprehensive detection strategy, whether you’re an Azure, AWS, GCP, or a multi-cloud house.

I need some automation. Give me automation! 

SOAR is the new SIEM. 

I kid you not, I have received multiple requests in the past year asking whether we can do any kind of automation and orchestration, and whether we offer a managed service around SOAR technology. 

My answer is always the same “sure…what do you want to automate?” 

Automation is a powerful strategy and one that we should all be embracing; I do not doubt that for a second. If you are not automating as much as you possibly can, then your business is not as efficient as it could be. 

But at the same time, you’ll see I referred to automation as a strategy. Because it needs to be thought about, programme managed, planned and executed continuously. You cannot automate what you do not already do. You can’t make processes more efficient when they do not exist. 

So whilst the technology is there, it takes time. Perhaps building demos that demonstrate a simple playbook being created in a couple of minutes do not help. They create the illusion of simplicity when it comes to automation and orchestration. It is not that simple. 

So let us look at outcomes. I started with the statement “SOAR is the new SIEM” because they are very similar technologies: highly flexible and highly powerful, but if you do not know what you are doing, or more importantly why, they become very expensive mistakes. 

We are here to prevent you from making those mistakes! We continue to work heavily on automation ourselves, to constantly spot the opportunities and to evaluate and prioritise those opportunities. It all comes from a solid continuous improvement process. Automation programmes should be part of that, and then you will find that there are gains aplenty to be made. 

These are some key points I see that are driving the future of Managed Detection and Response.

In part two we will look at the growing importance of asset intelligence in MDR and why it can be a difference maker. 
