Webinar Series: Purple Teaming - Validating Detection & Response Capabilities
Cyber security is on the mind of every business executive in the world. Modern security challenges are not easy to fix or even identify, and despite some misleading advertising from vendors, there is no one-size-fits-all solution. We frequently observe large visibility gaps in existing security implementations, allowing even obvious red flags to slip under the radar. Firewalls and traditional antivirus software are important, but they only react to known threats. Too many organizations rely on passive preventative technology for network security. Capable attackers employ stealth and polymorphic tools that defy signature-based detection, allowing them to bypass these technologies altogether. We must assume that threats will get in, and that no system is impenetrable.

A successful attack can be broken down into a number of phases that a threat actor will necessarily take. This "kill chain" involves reconnaissance, exploitation, gaining a foothold, scanning the network, pivoting, identifying trophy data, and finally exfiltrating that data. The goal of Managed Detection and Response (MDR) is to disrupt an attacker at any phase of the kill chain.

MDR compensates for the network visibility and detection capability that firewalls and antivirus lack by proactively hunting for threats and continuously monitoring network activity. Hunt criteria often consist of a chain of data points or behaviors rather than static files or singular events. Discovering a breach may not be possible by identifying one suspicious activity; often advanced correlation is required.

This can seem like an insurmountable task. Modern Next-Generation Firewalls (NGFW) and Network Intrusion Prevention Systems easily generate tens of millions of logs daily, making it difficult to identify what is important. Additionally, quality security personnel are difficult to find and security training is expensive.
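The kind of correlation described above, as an added example that is not NetWorks Group's code: single events are mapped onto kill-chain phases, and an alert fires only when one host shows several distinct phases inside a time window. The log format, event names and phase mapping are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the post); format: "<ISO time> <src host> <event>"
SAMPLE_LOGS = """2024-01-10T09:00:00 10.0.0.5 port_scan
2024-01-10T09:02:00 10.0.0.5 exploit_attempt
2024-01-10T09:05:00 10.0.0.5 new_service_installed
2024-01-10T09:07:00 10.0.0.5 smb_lateral_logon
2024-01-10T09:30:00 10.0.0.9 port_scan
2024-01-10T13:00:00 10.0.0.9 new_service_installed""".splitlines()

# Hypothetical mapping of single events onto the kill-chain phases named in the post.
PHASE_OF = {
    "port_scan": "reconnaissance",
    "exploit_attempt": "exploitation",
    "new_service_installed": "foothold",
    "smb_lateral_logon": "pivoting",
    "large_outbound_transfer": "exfiltration",
}


def parse_line(line):
    ts, host, event = line.split()
    return datetime.fromisoformat(ts), host, event


def correlate(lines, window_hours=1, min_phases=3):
    """Return {host: sorted phases} for hosts that show at least min_phases
    distinct kill-chain phases inside a sliding window of window_hours.
    A lone port scan or a single new service never alerts; the chain does."""
    window = timedelta(hours=window_hours)
    events = defaultdict(list)
    for line in lines:
        ts, host, event = parse_line(line)
        phase = PHASE_OF.get(event)
        if phase:  # unmapped events are kept out of the chain
            events[host].append((ts, phase))
    alerts = {}
    for host, evs in events.items():
        evs.sort()
        # slide the window start over each event and collect phases within it
        for i, (start, _) in enumerate(evs):
            phases = {p for t, p in evs[i:] if t - start <= window}
            if len(phases) >= min_phases:
                alerts[host] = sorted(phases)
                break
    return alerts
```

Host 10.0.0.9 has two events 3.5 hours apart, so the default one-hour window and three-phase threshold ignore it, while 10.0.0.5 chains four phases in seven minutes and alerts.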
Maintaining an effective in-house security team is often one of the greatest challenges for a business once recruitment, retention, and training are considered.

NetWorks Group relies on proprietary code developed in-house to triage all potential security events. This allows us to determine what needs to be actioned immediately and what can wait. Clients also craft customized security event notification schemes in order to accelerate time to response.

MDR alleviates the need for a SIEM for many organizations. Despite popular belief, a SIEM is not an effective detection solution out of the box. While it is a useful tool, a SIEM is better utilized for post-detection investigation and system auditing. Rolling your own SIEM is often complicated to deploy and costly, both in terms of licensing and specialized hardware.

MDR also pairs well with other technologies for comprehensive visibility, including advanced endpoint protection, traditional antivirus, and NGFW/IPS.

As a security provider, NetWorks Group aims to simplify our partners' security needs while advancing their security posture. Our goal is thorough and actionable intelligence. With MDR, we are able to address the greatest and most difficult modern security challenges, supply security expertise, and offer a customizable notification schema to fit each business's individual needs. For any business, this can be an incredible leap forward in security maturity.