As the threat landscape continues to evolve, so must the way organizations defend against the business impact of cyber attacks. In light of this trend, cyber security provider F-Secure is calling for greater emphasis on preparedness for a breach and on fast, effective containment, built on the right balance of people, process and technology.
“Cyber breaches are now a fact of life for many companies. It’s no longer a matter of ‘if’ a company will be breached, the question is ‘when’. And that calls for a shift in how organizations handle many aspects of security,” said F-Secure Countercept Managing Director Tim Orchard.
Research points to one current weakness: under-investment in effective incident response. In a recent MWR InfoSecurity (acquired by F-Secure in 2018*) survey, 44 percent of respondents said they invested less in their response capabilities than in threat prediction, prevention, or detection. Only 12 percent said response was prioritized over their other security capabilities.
Continuous response, the art and science of having the right people in the right place at the right time armed with the information they need to take control of the situation, is an emerging concept in cyber security that’s central to boosting response capabilities. The aim is to combine elements of collaboration, context, and control into a fluid process. In practice, this could mean a single team of threat hunters, first responders, administrators and other personnel working together to actively identify and remediate potential threats before they escalate.
“Having the tools and techniques in place to quickly detect, contain and frustrate attacks as they unfold buys you time, and gives you an opportunity to understand the full picture about how attackers are exploiting your weaknesses and moving through your network. And they need to be sophisticated enough to avoid tipping off an attacker that you’re onto them, and prepared to evict them in one concerted push,” explained Orchard. “And it’s important to put these tools and techniques into the hands of the right team if you want them to work.”
The MDR blend of collaboration, context, and control
According to Gartner’s “Answers to Questions About 3 Emerging Security Technologies for Midsize Enterprises”** report, “MDR is about ’renting trained eyes’ you can’t find or afford to detect incidents that go undiscovered...It’s about finding the 10% of incidents that bypass traditional firewall and endpoint protection security.”
MDR solutions typically offer 24/7 threat monitoring, detection, and response services that leverage advanced analytics and threat intelligence to help protect organizations. Generally, MDR vendors deploy sensors (such as an endpoint agent or a network probe) to gather data from a client’s systems. The data is then analyzed for evidence of compromise and the client is notified when a potential incident is detected.
After detection, clients either respond on their own or bring in external IR teams, whose work can include local or remote investigation and forensics as well as advice on an orchestrated technical response. Even at best, though, response activity in this model typically stops at isolating hosts with EDR agents or firewall rules.
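The host-isolation step that the paragraph above describes as the usual ceiling of MDR response looks roughly like the following. This is an added example, not F-Secure or any MDR vendor's code: it assumes a Linux host with iptables and conntrack, and a hypothetical management server at 10.0.0.5 that the EDR agent reaches by IP on TCP 443. The rules cut every flow except the agent's channel, so responders keep telemetry and remote access from the isolated host, and the default-DROP policies are set last so the agent's live session is never interrupted while the rules go in. Note the caveat Orchard raises in the quote above: an abrupt network cut is exactly the kind of action that tips off an attacker, which is why this belongs at the eviction stage rather than at first sighting.

```shell
#!/bin/sh
# Added example (not MDR vendor code): isolate a Linux host but keep the
# EDR/MDR management channel open. Assumptions (hypothetical): iptables with
# the conntrack match, agent connects by IP to MGMT_IP:MGMT_PORT. If the
# agent resolves a hostname instead, add an OUTPUT rule for the resolver.

# Emit the rules in an order that is safe to apply live: ACCEPT rules first,
# then LOG catch-alls, and default-DROP policies last.
isolation_rules() {
  mgmt_ip="$1"
  mgmt_port="${2:-443}"
  cat <<EOF
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp -d ${mgmt_ip} --dport ${mgmt_port} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s ${mgmt_ip} --sport ${mgmt_port} -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "ISOLATED-IN: "
iptables -A OUTPUT -j LOG --log-prefix "ISOLATED-OUT: "
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
EOF
}

# Number of commands the rule set contains (handy for a sanity check).
rule_count() {
  isolation_rules "$@" | wc -l | tr -d ' '
}

# The final command must be a policy change, never an ACCEPT rule: if the
# policies were applied first, the agent session would drop before the
# allow rules existed.
last_rule_is_policy() {
  isolation_rules "$@" | tail -n 1 | grep -q '^iptables -P '
}

# Default action is to print the rules for review; --apply pipes them to sh
# and needs root. Example: ./isolate.sh --apply 10.0.0.5 443
case "${1:-}" in
  --apply) shift; isolation_rules "$@" | sh ;;
  *) isolation_rules "${1:-10.0.0.5}" "${2:-443}" ;;
esac
```

Run without arguments the script only prints the rule set, so it can be reviewed (or diffed against the host's current rules) before `--apply` is used during a coordinated eviction. The logged drops give the responders a record of what the host tried to reach after isolation, which is often the first clue to the attacker's remaining footholds.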
Effective solutions can do much more. Treating response as a continuous activity means team members are in constant communication and collaboration with one another, able to discuss suspicious events happening anywhere within their infrastructure. MDR solutions can facilitate this process, giving defenders the edge they need to stop, contain and ultimately eject an adversary.
“Finding a balanced MDR solution, regardless of whether it’s an in-house solution or outsourced, is key. I think our approach to preparing our clients to assume the breaches have already happened, and then help them hunt down those threats, is the essence of continuous response,” said Orchard. “Getting this right lets defenders evict attackers quickly on their first try, and prevent those adversaries from repeating their attack.”