MDR: What does the future hold - Part 2

Welcome to part 2 of my blog on what I believe the future of Managed Detection and Response (MDR) looks like. 

In the last blog I covered AI, security monitoring in the cloud and automation. Three big topics for one relatively small blog! 

In this second part I’d like to focus on something that ties into all three of those topics – asset intelligence. 

Do you know where all your assets are? If I had to bet, I would say no. Asset management has always been hard but now it is harder than ever. 

The type of assets you have to protect now is far more diverse than 10 or even 5 years ago. Things like: 

• Endpoints 
• User identities 
• Virtual machines 
• Container hosts 
• Public cloud resources 
• Social media accounts 
• Mobile applications 

The list could go on. But even just listing a few of the asset types gives us cause to hold our head in our hands and despair. How can we even begin to understand which assets we have, what protection they have? More importantly what protection or visibility are we lacking? 

We must try to do better. 

As the next evolution of our intelligence-led security strategy, we see that Managed Detection and Response must do better as well. In Managed Services in general, we see a lot of assets. And we have a lot of information about them too. The key is to implement a form of asset intelligence that can identify known and unknown assets, and often Managed Detection and Response services might have one of the best views of those unknown assets. 

It won’t be easy, but here are the challenges we see that must be overcome if we are to gain maximum asset intelligence: 

1. We must have a common understanding of an asset 
2. This must be translated regardless of the source (in our case for example, different managed services) 
3. We must be able to centrally view key information about that asset, such as: 

• What vulnerabilities does it have? 
• What is the actual risk of those vulnerabilities? 
• What is the criticality of the asset? 
• How many times is it being attacked? 
• Has it been successfully compromised (confidentiality, availability or integrity?) 
• How securely is it configured? Does it present any risks through misconfiguration, that could be remediated? 
• Which of the above visibility do we have on that asset and which is missing? 

4. There is also a need to continuously identify new assets, providing an ability to monitor the enterprise attack surface 

5. It is also important to be able to absorb any business context such as that of a CMDB. We see often in practice that a CMDB might be incomplete, but nonetheless, where there is valuable contextual information there, it should be incorporated 

Asset intelligence is important to MDR and the future of developing MDR because context is everything. The better the context, the better the Managed Detection and Response provider can be at correctly assessing the priority of any incident. The net effect of that is less false positives, more comprehensive and business-centric incident reports and better interoperability with other critical security functions such as security posture management, vulnerability management and attack surface management. 

There is still a general lack of understanding of the concept of assets in many of the tools that one has to utilize for Detection and Response – from XDR platforms to SIEM, to SOAR. And where there is, it remains very siloed and focused on the known assets. 

Asset intelligence is the answer and it is something we continue to progress as a concept. It is fundamental to an intelligence-led approach because asset intelligence allows you (or indeed us as a managed service provider) to know you best. 

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu, The Art of War 

There is a reason we probably overquote this in the cybersecurity industry…because it remains true. And we are succumbing in too many battles because we need to get better are knowing ourselves, there is too much focus on the enemy. 

But with asset intelligence, combined with threat intelligence we can give ourselves hope.