Jun 02, 2022

Managed Detection and Response (MDR): Technology-enabled security solutions for the evolving cyber threat landscape

Current challenges of organizational cybersecurity

Enterprise IT environments have never been more connected than they are now. To thrive in a rapidly evolving digital industry, enterprises need to proactively protect themselves against dynamic threat vectors. With the ever-evolving threat landscape, it is imperative for enterprises to assess the current state and define evolving cybersecurity postures to mitigate risk and build cyber resilience.

Let’s understand in detail some of the reasons why having a strong cybersecurity posture is important for any enterprise.

  • To err is human

One of the most prominent concerns in organizational cybersecurity is the human factor. Accounting for over 50% of all data breaches and attacks, it is common across all systems and enterprises. Insider negligence is the single largest contributor to cybersecurity failure and must be a primary focus area for all cybersecurity professionals.

  • Considering Edward Murphy

Murphy’s Law states that anything that can go wrong will go wrong, and this must be acknowledged at all levels within an organization. Doing so not only prepares personnel for failures, but also prepares the organization for the failures those personnel will cause.

  • End-to-end visibility across multiple data sources

In the realm of cybersecurity, visibility can be understood as the ability to view an organization’s digital footprint, the vulnerabilities of its systems, and the risk profile of its data.

Visibility across the organization has always been a key focus area for cybersecurity teams. The growing digital presence of organizations has enabled them to leverage the immense capabilities of advanced systems. However, the increased reliance on machines has put companies at risk of breach and unlawful access initiated by threat actors. Hence, visibility becomes critical for companies to be able to address the three most critical questions of cybersecurity:

  • What to protect?
  • What to protect against?
  • How to protect?

A 2021 survey by Deloitte indicated that 41% of all CIOs and CISOs believed visibility to be one of the toughest challenges of enterprise cybersecurity.

  • The ransomware obsession

Although ransomware remains one of the most common forms of cyber attack, an absolute focus on it can leave companies exposed to other threats. Companies should give balanced attention to a variety of attack vectors to protect themselves from the full spectrum of ever-evolving threats, and that requires holistic visibility within the organization.

  • Adapting to complexities

The use of complex digital ecosystems and interwoven solutions has proliferated throughout the world. This has prompted cybersecurity professionals to demand investment for increasing visibility of adversarial activity and the larger threat landscape. Such investment also helps improve the visibility of internal factors affecting the risk profile of enterprise data and applications.

Advanced threat detection in the wake of AI / ML

  • AI for Cybersecurity

The cybersecurity industry was one of the earliest adopters of artificial intelligence and machine learning tools to enhance service and efficiency. Owing to Moore’s law and ever-increasing computing power, the use of AI/ML has come a long way from traditional automation functions.

Companies now leverage the cognitive capabilities of AI tools and couple them with human intelligence to create a hybrid cybersecurity ecosystem, capable of making intuitive decisions at record speeds.

In a report by AT&T, the market for AI in cybersecurity is projected to reach over $30 billion by 2025. This indicates that more organizations are relying on AI to improve their cybersecurity posture.

However, the use of AI in cybersecurity is faced with several challenges such as:

  • Lack of clean data for making models and predictions
  • Vulnerability of AI systems and algorithmic integrity in the training phase
  • Limited ability to handle events that differ from the data seen in the learning phase
  • Limitations of governance, and lack of industry standards and regulations, making compliance difficult
  • Instances of a non-cohesive environment between humans and machines arising out of disagreements and the lack of trust in technology
     
  • Cybersecurity against AI

A 2018 survey by Deloitte indicated that 43% of the companies were extremely concerned about AI risks. Furthermore, another report by Forrester reported that 88% of cybersecurity experts believed that AI-powered cyber attacks are likely to become common in the near future. In the same report, 75% of cybersecurity experts opined that AI was capable of increasing the speed and scale of cyber attacks.

Two of the biggest concerns of cybersecurity professionals against AI are:

  • AI Manipulation and Bias

During the training stage, if the pipeline is not protected, threat actors can tamper with the data sets used to train the model (data poisoning). This weakens the model or creates blind spots that allow threat actors to bypass certain security measures.

  • Weaponized AI

While cybersecurity teams use AI for faster detection and response, threat actors also use AI-powered tools to increase the efficiency, speed, and damage of their attacks. Weaponized AI can be used to evade the security measures placed on a system, or to mimic a human attacker at machine scale in order to launch massive cyberattacks.

Need for organizational compliance

Today, companies span continents and operate in multiple jurisdictions and markets. This requires them to comply with the statutory regulations and eligibility criteria imposed in each region. It poses a major challenge for companies that wish to expand out of regions where cybersecurity compliance is rudimentary.

For conglomerates that operate in several industries simultaneously, compliance becomes all the more challenging since regulatory requirements are different from sector to sector.

Another challenge faced by organizations is the cost of compliance owing to the requirement of curated policies for different jurisdictions and/or industries, training and education for staff, and increased technology budgets.

Security tools sprawl – how much is too much?

Tool sprawl is the deployment of an excessive number of software and solutions for achieving a goal. Contrary to the expectations of an organization, a tool sprawl generally results in unnecessary expenditure and reduced productivity.

Tools sprawl is one of the major challenges in the cybersecurity ecosystem. As organizations often misunderstand the requirements of an SOC (security operations center), they tend to deploy a large number of tools in an attempt to block all possible cyber-attacks.

However, more often than not cybersecurity professionals have discovered that deploying a large number of tools makes management difficult, creates more room for errors, and makes the overall security infrastructure less effective. In 2020, IBM and the Ponemon Institute conducted a study that sought to identify cyber resilience in organizations. The study showed that companies that used more than 50 cybersecurity tools “ranked themselves 8% lower in their ability to detect, and 7% lower in their ability to respond to an attack, than those respondents with less tools.”

The fallacy of next-gen cybersecurity solutions

The next-generation bandwagon is tempting, to say the least, appearing as a silver bullet solution to resolve all vulnerabilities within the system. However, the essence of a robust cybersecurity infrastructure lies in its foundation. Organizations are easily appeased by the use of marketing terminologies such as “next-gen” and “advanced”, however, it remains important to cover the basics first.

The basics of cybersecurity, including, policy, preparedness, and prevention, must be the primary focus of an organization for any next-generation solution to work. The right tools are important for a decent cybersecurity posture, however, without the best practices in place, all tools are destined to fail.

Making cybersecurity a digital transformation priority

Digital transformation involves several components ranging from automation to the adoption of the new technologies. These processes pose varying degrees of risk to enterprise data. Therefore, to be able to develop a comprehensive cybersecurity strategy, companies must secure each component of the digital transformation initiative.

In recent times, digital transformation initiatives have been advancing throughout several industries. Furthermore, the ever-increasing need for companies to improve the way they interact with data and race towards the most efficient systems has prompted companies to integrate the digital ecosystem with more business processes than ever before. Such interactions between the technology and the enterprise, however, exposes organizations to a myriad of cyber threats.

To address the variety and intensity of cyber threats, enterprises should prioritize cybersecurity across their digital transformation initiatives. This helps them with the following:

  • Digital asset protection

When each component of the transformation process is protected, it helps companies enhance their overall security posture. This also helps them protect their key digital assets by preventing loopholes in the system.

  • Enhanced visibility

When a cybersecurity strategy is developed with a transformation plan, information about and from multiple sources is recorded and analyzed. Consequently, upon deployment of a cyber-defense strategy, the system gains superior visibility across the enterprise.

  • Risk profile assessment

When cybersecurity is prioritized during digital transformation, companies are able to handle the risk associated with various data and application sources. This allows companies to predict exposure in the event of a breach and make the requisite adjustments to a strategy.

  • Awareness

During transformation, companies discover several aspects of the future of digital enterprise. Therefore, when cybersecurity is prioritized, companies can simultaneously understand the threat landscape and educate their workforce.

To address the challenges faced by organizational cybersecurity in the fast-evolving business and IT landscape, a managed detection and response (MDR) service goes a long way. Let’s dig deeper to understand some of the benefits of having an MDR in place for organizations.

Next-generation Security Information and Event Management (SIEM) and Extended Detection and Response (XDR)

  • Understanding next-gen SIEM

The threat landscape is an ever-evolving domain that cybersecurity professionals have had to struggle with and adapt to. Threats have moved from being static and generic to being polymorphic, changing their behavior to avoid signature-based detection. Such characteristics allow modern threats to evade cyber defenses and move laterally within a network.

Enter next-gen SIEM systems, which leverage analytics to help monitor, detect and highlight anomalies within the enterprise infrastructure. Legacy SIEM systems relied on static, hand-maintained correlation rules which were difficult to keep current and produced large numbers of false positives. The new generation is capable of processing larger volumes of data more efficiently, offering more integrations and better visualization.

Some key advantages of deploying a SIEM solution are:

  • Threat and malfunction detection;
  • Unified management of multiple security events across different sources;
  • Comprehensive reporting and analysis; and
  • Reduced cost of operations


  • Understanding XDR

An XDR tool allows companies to consolidate their cybersecurity arsenal. The solution unifies visibility across multiple systems and allows cybersecurity teams to monitor and control endpoints, the cloud, the network, and more. It offers advanced threat detection by correlating telemetry across multiple threat vectors simultaneously.

XDR’s unification capabilities allow companies to convert massive volumes of logs and alerts into smaller information sets that are easy to comprehend and act upon. Further, it helps companies automate several repetitive tasks, which shortens the overall response time to a threat.

Some key advantages of deploying an XDR solution are:

  • Enhanced system and protocol visibility
  • Reduced alert fatigue
  • Post-breach recovery and quick restoration of the host
  • Extensive system protection through blocking of both known and unknown threats


Forces involved in Next-Gen SIEM and XDR

  • Data enrichment

Data enrichment is the process of joining context from other sources (asset inventory, identity directory, threat intelligence, geolocation) to the raw events a security system collects. It adds event and non-event data to the existing raw data stream, transforming a bare log line into something an analyst or a detection rule can act upon. Enriched data helps security systems better understand the threat landscape and improve detection and response capabilities.
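The kind of enrichment described above, as an added example that is not part of the original post or of any Microland tooling. The asset inventory, user directory, threat-intelligence list and raw sign-in events are constructed sample data, and the field names are assumptions rather than any vendor's schema. The point it shows: the first raw event is a "successful login", and only after joining context does it become "a privileged account logged into a domain controller from an IP on a threat-intel list".

```python
"""Data enrichment for SIEM events: join raw sign-in events with context.

Added example, not the page's or Microland's code. All context sources
and events below are constructed; field names are assumptions.
"""
import ipaddress

# Constructed context sources. In a real SOC these come from the CMDB,
# the identity provider and a threat-intel feed.
ASSETS = {
    "dc01": {"role": "domain-controller", "criticality": "crown-jewel"},
    "ws-102": {"role": "workstation", "criticality": "standard"},
}
USERS = {
    "j.doe": {"privileged": False, "dept": "finance"},
    "svc-backup": {"privileged": True, "dept": "it"},
}
THREAT_INTEL = {
    "203.0.113.7": "known-c2-scanner",  # TEST-NET-3 address, constructed IOC
}
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed raw events, as a SIEM might receive them from an IdP.
RAW_EVENTS = [
    {"ts": "2022-06-02T03:14:00Z", "user": "svc-backup", "host": "dc01",
     "src_ip": "203.0.113.7", "outcome": "success"},
    {"ts": "2022-06-02T09:02:00Z", "user": "j.doe", "host": "ws-102",
     "src_ip": "10.1.2.3", "outcome": "success"},
]


def is_internal(ip: str) -> bool:
    """True if the source address falls inside a corporate network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def derive_risk_tags(e: dict) -> list:
    """Risk that is only visible once context has been joined to the event."""
    tags = []
    if e["threat_intel"]:
        tags.append("src-on-threat-intel")
    if e["user_privileged"] and not e["src_internal"]:
        tags.append("privileged-login-from-external")
    if e["asset_criticality"] == "crown-jewel" and not e["src_internal"]:
        tags.append("external-access-to-crown-jewel")
    return tags


def enrich(event: dict) -> dict:
    """Return a copy of the event with asset, identity and intel context."""
    e = dict(event)  # never mutate the raw record; it is evidence
    asset = ASSETS.get(e["host"], {"role": "unknown", "criticality": "unknown"})
    user = USERS.get(e["user"], {"privileged": False, "dept": "unknown"})
    e["asset_role"] = asset["role"]
    e["asset_criticality"] = asset["criticality"]
    e["user_privileged"] = user["privileged"]
    e["src_internal"] = is_internal(e["src_ip"])
    e["threat_intel"] = THREAT_INTEL.get(e["src_ip"])
    e["risk_tags"] = derive_risk_tags(e)
    return e


def enrich_all(events=RAW_EVENTS) -> list:
    """Enrich every event in a batch."""
    return [enrich(ev) for ev in events]


if __name__ == "__main__":
    for ev in enrich_all():
        print(ev["ts"], ev["user"], "->", ev["host"], ev["risk_tags"])
```

Unknown assets and users deliberately fall through to "unknown" rather than raising, because an event about a host missing from the inventory is itself worth surfacing, and a lookup failure should never drop a record from the pipeline.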

  • UEBA

User and Entity Behavior Analytics (UEBA) is a cybersecurity process that allows cybersecurity teams to detect anomalous activity on a system. UEBA leverages machine learning, continuously recording and learning from the behavior of users and other entities such as hosts and service accounts. The process builds a baseline of each entity’s usual conduct and compares current behavior against it. If the system detects a significant deviation, it can report the activity and respond, for example by requiring step-up authentication or blocking access.
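A minimal version of the baseline-and-deviation logic described above, added here as an example and not taken from the original post or from any Microland product. It uses a simple per-user statistical profile (working-hour window, known countries, devices and target hosts) instead of a trained model, which is where a practitioner would start before adding ML; the sign-in history, weights and thresholds are constructed assumptions.

```python
"""UEBA-style baseline and deviation scoring over sign-in events.

Added example, not the page's or Microland's code. The history, the
per-dimension weights and the decision thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed 30-day sign-in history: (user, timestamp, country, device, host)
HISTORY = [
    ("j.doe", "2022-05-02T08:55:00Z", "IN", "lt-jdoe", "fin-app"),
    ("j.doe", "2022-05-03T09:10:00Z", "IN", "lt-jdoe", "fin-app"),
    ("j.doe", "2022-05-04T08:40:00Z", "IN", "lt-jdoe", "mail"),
    ("j.doe", "2022-05-05T17:30:00Z", "IN", "lt-jdoe", "fin-app"),
    ("j.doe", "2022-05-06T09:05:00Z", "IN", "lt-jdoe", "fin-app"),
]


def _hour(ts: str) -> int:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).hour


def build_baseline(history) -> dict:
    """Per-user profile: observed hour window, known countries, devices, hosts."""
    profiles = defaultdict(lambda: {"hours": [], "countries": set(),
                                    "devices": set(), "hosts": set()})
    for user, ts, country, device, host in history:
        p = profiles[user]
        p["hours"].append(_hour(ts))
        p["countries"].add(country)
        p["devices"].add(device)
        p["hosts"].add(host)
    for p in profiles.values():
        p["hour_min"], p["hour_max"] = min(p["hours"]), max(p["hours"])
    return profiles


def score_event(profile: dict, ts: str, country: str, device: str, host: str):
    """Weighted deviation score plus the reasons, so the alert is explainable."""
    reasons = []
    if not (profile["hour_min"] <= _hour(ts) <= profile["hour_max"]):
        reasons.append(("off-hours", 1))
    if country not in profile["countries"]:
        reasons.append(("new-country", 2))
    if device not in profile["devices"]:
        reasons.append(("new-device", 2))
    if host not in profile["hosts"]:
        reasons.append(("new-host", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def decide(score: int) -> str:
    """Map the score to a response: allow, step-up re-authentication, or block."""
    if score >= 4:
        return "block"
    if score >= 2:
        return "step-up-auth"
    return "allow"


def evaluate(user, ts, country, device, host, history=HISTORY):
    """Score one new sign-in against the baseline built from history."""
    profile = build_baseline(history).get(user)
    if profile is None:
        # No baseline means no evidence the behaviour is normal; never silently allow.
        score, reasons = 2, ["no-baseline"]
    else:
        score, reasons = score_event(profile, ts, country, device, host)
    return score, reasons, decide(score)


if __name__ == "__main__":
    print(evaluate("j.doe", "2022-06-02T02:30:00Z", "DE", "android-unknown", "fin-app"))
```

Note the two failure modes a practitioner cares about: a user with no history is treated as unknown rather than as normal, and every deviation carries a reason string, because an analyst cannot triage "anomaly score 5" but can triage "off-hours, new country, new device".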

  • Proactive threat hunting

Proactive threat hunting is the process of searching for threats that may already be present in a network or system without having triggered any alert. Cyber defenses are not absolute, and every organization can expect to be breached in some form at some point. With proactive threat hunting, such breaches can still be identified even when cybersecurity tools failed to detect them at their inception.

  • Automated incident response

Automated incident response uses predefined playbooks to carry out response actions (blocking an indicator, isolating a host, disabling an account) without waiting for an analyst, allowing companies to increase the speed and consistency of detection and response efforts. The process also filters out the bulk of low-fidelity and duplicate alerts, highlighting the key events for a SOC to handle.
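The playbook pattern described above, as an added example that is not part of the original post or of Microland's MDR platform. The alerts, playbooks, scanner allowlist and break-glass account list are constructed, and the action functions only record what a SOAR connector would do rather than calling an EDR, identity provider or firewall. It demonstrates the three things that separate safe automation from a self-inflicted outage: suppression of known-benign sources and duplicates, a human-approval gate for destructive actions against crown-jewel assets or break-glass accounts, and an audit record of every decision.

```python
"""Automated incident response with guard rails.

Added example, not the page's or Microland's code. Alerts, playbooks and
the allow/deny lists are constructed; execute() is a stand-in for a
real SOAR connector.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Alert:
    id: str
    rule: str
    severity: str           # low / medium / high
    user: str
    host: str
    src_ip: str
    asset_criticality: str  # supplied by enrichment: standard / crown-jewel


@dataclass
class Outcome:
    alert_id: str
    actions: list = field(default_factory=list)    # actions actually taken
    escalated: list = field(default_factory=list)  # actions held for a human
    suppressed: Optional[str] = None               # why nothing was done


# Constructed guard rails
BREAK_GLASS_ACCOUNTS = {"emergency-admin"}
SUPPRESS_SOURCES = {"10.9.9.9": "authorised vulnerability scanner"}
PLAYBOOKS = {
    "malware-beacon": ["block_ip", "isolate_host"],
    "impossible-travel": ["disable_account"],
    "port-scan": ["block_ip"],
}


def execute(action: str, alert: Alert) -> str:
    """Stand-in for the EDR / IdP / firewall connector; returns an audit string."""
    target = {"block_ip": alert.src_ip, "isolate_host": alert.host,
              "disable_account": alert.user}[action]
    return f"{action}:{target}"


def run_playbook(alert: Alert, seen: set) -> Outcome:
    out = Outcome(alert.id)
    # 1. Known-benign sources: this is the false-positive filter.
    if alert.src_ip in SUPPRESS_SOURCES:
        out.suppressed = SUPPRESS_SOURCES[alert.src_ip]
        return out
    # 2. Idempotency: the same rule/host/source already handled in this batch.
    key = (alert.rule, alert.host, alert.src_ip)
    if key in seen:
        out.suppressed = "duplicate of earlier alert"
        return out
    seen.add(key)
    steps = PLAYBOOKS.get(alert.rule)
    if not steps:
        out.escalated.append("no-playbook")
        return out
    for action in steps:
        # 3. Destructive actions on crown-jewel assets or break-glass
        #    accounts are never automated; they go to an analyst.
        if action == "isolate_host" and alert.asset_criticality == "crown-jewel":
            out.escalated.append(f"{action}:{alert.host}")
        elif action == "disable_account" and alert.user in BREAK_GLASS_ACCOUNTS:
            out.escalated.append(f"{action}:{alert.user}")
        else:
            out.actions.append(execute(action, alert))
    return out


def triage(alerts) -> list:
    """Run every alert through its playbook, sharing dedup state across the batch."""
    seen = set()
    return [run_playbook(a, seen) for a in alerts]


# Constructed alert batch (IPs from RFC 5737 documentation ranges)
SAMPLE_ALERTS = [
    Alert("a1", "malware-beacon", "high", "j.doe", "ws-102", "198.51.100.4", "standard"),
    Alert("a2", "malware-beacon", "high", "svc-backup", "dc01", "198.51.100.4", "crown-jewel"),
    Alert("a3", "port-scan", "low", "-", "ws-102", "10.9.9.9", "standard"),
    Alert("a4", "malware-beacon", "high", "j.doe", "ws-102", "198.51.100.4", "standard"),
    Alert("a5", "impossible-travel", "medium", "emergency-admin", "-", "203.0.113.9", "standard"),
]

if __name__ == "__main__":
    for o in triage(SAMPLE_ALERTS):
        print(o)
```

The asymmetry in a2 is intentional: blocking the beacon's destination IP at the perimeter is low-risk and happens immediately, while isolating a domain controller is held for approval, because an over-eager isolation playbook can take down authentication for the whole estate faster than the attacker would have.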

The way forward

Cybersecurity can be overwhelming and can starve an enterprise of resources. The evolving nature of threats, coupled with the need to constantly upgrade systems in order to keep up with emerging attacks, can erode an enterprise’s ability to deal with threats. Therefore, a major component of new-age cyber defense is the use of a managed detection and response (MDR) solution.

MDR allows companies to outsource their security operations to a vendor which provides a comprehensive suite of defense strategies and services. This reduces the burden on internal teams while reducing the cost of operations. MDR is a practical way for companies to achieve cutting-edge cyber defense without investing in resource-intensive solutions of their own.

In a report published by Gartner, it is predicted that 50% of organizations worldwide will rely on MDR services for threat detection and response by 2025. As adoption rates increase, MDR is likely to become the norm, helping companies achieve an enhanced cyber defense posture and enabling them to deal with advanced threats.

The Microland cybersecurity ecosystem

  • Cyber Resilient First Approach

With our 'Cyber Resilient First' approach, our vision is to help clients stay ahead of and be prepared for security risks in an extremely dynamic threat landscape, and to recover quickly so that the customer’s business keeps running.

  • Microland's MDR Solution with Microsoft Azure Sentinel

Our MDR service is powered by an open and composable XDR stack, providing an agile architecture designed to protect all enterprise assets (across IT, OT and modern edge computing infrastructure), with cross-signal correlation from multiple security platforms for better detection and granular visibility. Our technology stack, built on Sentinel, natively supports the fusion and aggregation of telemetry and log data on a unified cloud-powered security data lake platform with advanced UEBA and analytics for cohesive security operations.

Our approach to modern SOC with Azure Sentinel leveraging our MicroShield platform is depicted below:

  • Our MDR Services Catalogue

Our MDR service layer provides a flexible model with offshore, onshore, hybrid, co-managed capabilities, supporting data residency for North America, Europe, APAC & Middle East regions.

Microland’s MDR team operates as an extension to the client’s team and collaborates to defend our clients’ crown jewels and help further elevate their security posture aligning to global industry frameworks – Manage and Protect | Identify and Detect | Respond and Recover | Govern and Assure

Microland has a co-sell ready MDR solution on Azure Sentinel. To know more about it, visit the Microsoft Azure Marketplace.

About the Author

Vasudev Surabhi, Director, Network & Cybersecurity.

Vasudev Surabhi has 16 years of consulting experience in the cybersecurity domain. At Microland, he creates methodologies that help organizations achieve robust defense controls and is credited with innovative approaches to building next-gen cybersecurity solutions from the ground up. He is also an author and cyber trends researcher, and covers emerging security technologies at various cybersecurity forums.