Intelligent CIO Europe Issue 35 | Page 86

FINAL WORD
Jan van Vliet, EMEA VP and GM at Digital Guardian
With remote working models set to become the norm for the long term, the growing need for a no-compromise data protection strategy is prompting organisations to re-evaluate how they identify and mitigate data loss or damage. Since spinning up a Security Operations Centre (SOC) takes time, resources and expertise, enterprises are turning to Managed Detection and Response (MDR) services in a bid to improve their ability to detect and respond to threats.
Scoping the requirements
With the security landscape growing more complex and the cost of maintaining adequate in-house security teams high, it makes sense for many companies to outsource threat hunting and response to MDR providers that can integrate specialist tools like endpoint detection and response (EDR), analyse risk and correlate threat data to pinpoint patterns that could indicate a larger attack. Prior to partnering with an MDR provider, however, companies should undertake a detailed evaluation to define a clear set of requirements. This should include consulting with all stakeholders to identify which assets (endpoint assets, databases, applications, IP, content delivery) need to be protected and whether the technology stack in place is appropriate for an EDR deployment.
Next, clear rules of engagement and SLAs will need to be defined and established. Since MDR isn't a 'passive' service, close integration with the company's existing cybersecurity strategy means action plans need to be generated. For example, pathways covering how threat notifications from an EDR provider are escalated and actioned, together with pathways for intelligence sharing and investigation requests, will need to be defined. If there is limited internal capability to respond to potential incidents, to what extent will the MDR provider be allowed to engage with the organisation's environment? In other words, can they take action beyond simply quarantining endpoints?
Since the provider will be acting as an extension of the IT team, it will be important that security event information is communicated in a way that is both understandable and actionable. In today's volatile threat environment, a weekly retrospective report simply won't cut it. IT leaders will also need to consider whether API integrations will enable the automated flow of threat data into existing workflows.
Undertaking a detailed internal needs evaluation is essential for organisations that want to ensure they engage only with providers that can offer the tools, capabilities and services most appropriate to their specific environment and protection needs.
Provider evaluation: the top areas to check
An effective provider should be able to monitor user, system and data events to spot suspicious behaviours, protect against malware and prevent data compromise, delivering insights on everything from which critical systems have been affected and on what devices, whether a third party represents an entrance vector for attacks, the downtime to production systems and whether data has been exfiltrated. That includes whether privileged user accounts are being leveraged for unauthorised access.
Generate a list of documented use-cases you expect a provider to solve, covering visibility (system, user, data), remediation and response (indicator blocking, malware removal, endpoint isolation) and forensics ($MFT, registry, memory), and then test their services using penetration or threat simulation services. This will give you a full experience of their technology and service offering. A good MDR provider will handle advanced threats, such as lateral movement by hackers, credential theft and privilege escalation, and command-and-control (C2) activity, but won't let less sophisticated attacks slip through its fingers either.
Finally, organisations should expect a truly human interaction with the provider's security analysts. Be wary of being forced to rely on dashboards, e-mails or portals when it comes to alerting, investigating security events, case management and other activities.
Expectations vs. reality
Not all MDR providers offer the same services and no one size fits all, so understanding the tools and procedures on offer and carefully weighing all considerations will be vital for selecting a provider that represents the ideal fit for the organisation's size, existing security controls and needs.
Asking detailed questions about the standard practices and technologies vendors utilise should help companies benchmark and compare providers and provide insights into how they would react to a specific security incident. Finally, it will be vital to assess whether their threat response can be tailored to your processes, or whether it is out of the box with no flexibility.
There is no technology-based silver bullet for addressing cybersecurity challenges. Ultimately, it is the human factors, threat protection techniques and process-based responses that make the difference between success and failure, so partnering with an MDR provider that can offer the right combination of technology, support and strategic guidance will be essential for elevating and optimising enterprise data security.
86 INTELLIGENTCIO www.intelligentcio.com