Over the years, we have become accustomed to a series of conventional approaches to the implementation of security controls and threat monitoring procedures. These approaches have often forced organizations to invest their budgets in one or more event collectors.

These event collectors feed SIEM technologies and processes, enhanced by teams of individuals working 24/7, to implement a Security Operations Centre (SOC). This approach is valid and is still very common. It implements a straightforward event response workflow that can, at a high level, be described in the following steps:

  1. One of the detection rules in the SIEM triggers an alert; this is then raised to SOC operators.
  2. The operators initiate the analysis of the event with the intent of validating the threat or identifying a false positive.
  3. Should the event be confirmed as a real threat, this triggers the incident management procedure to respond and limit damages immediately.

Over the last few years, we have been observing more sophisticated attacks by cyber criminals who have been refining their tactics, techniques, and procedures (TTPs) to penetrate their victims' systems more effectively and to move beyond the initially compromised endpoints. This development in attack techniques has introduced a need for organizations to improve their visibility of these attack vectors and their life cycles, by gathering threat intelligence from multiple sources and correlating attack vectors in order to preempt and better identify criminal activity and respond accordingly.

To better understand the new approaches required for organizations, let us look at some of the standard terms and definitions in use.

SIEM – Security Incident and Event Management

A SIEM refers to the collection of technologies, processes, and management activities that facilitate the collection of events from different sources (e.g., networks and systems), correlate that data, and identify potential security issues that require further investigation. The management function of a SIEM can take many forms, including outsourcing to knowledgeable partners who can provide security countermeasures in reaction to SIEM events. What is certain is that implementing a SIEM can be costly and complicated, as it needs to fit each organizational structure and technology stack precisely and often requires having dedicated staff on board.
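To make the definition concrete, the following is an added example (not code from the original post or from Advantio) of the kind of multi-source correlation a SIEM rule performs. It takes constructed log lines from two hypothetical collectors, a VPN gateway and a host login log (both formats are invented for this example), normalises them into one event schema, and raises a single alert when repeated authentication failures for the same account and client address, counted across both sources within a time window, are followed by a success. The threshold, window, and field names are assumptions.

```python
"""Toy multi-source event correlation in the spirit of a SIEM rule.

Events from two different collectors (a VPN gateway and a host login log,
both constructed for this example) are normalised into one schema and then
correlated: repeated authentication failures for the same account from the
same client address, across either source, inside a short time window,
followed by a success, produce ONE alert with all the evidence attached.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed sample lines; the formats are illustrative, not any real product's.
VPN_LOG = [
    "2024-03-01T08:00:01Z vpn-gw auth user=alice src=203.0.113.9 result=FAIL",
    "2024-03-01T08:00:07Z vpn-gw auth user=alice src=203.0.113.9 result=FAIL",
    "2024-03-01T08:00:15Z vpn-gw auth user=bob src=198.51.100.4 result=OK",
]
HOST_LOG = [
    "2024-03-01 08:00:20 srv01 login failed for alice from 203.0.113.9",
    "2024-03-01 08:00:31 srv01 login failed for alice from 203.0.113.9",
    "2024-03-01 08:00:40 srv01 login accepted for alice from 203.0.113.9",
    "2024-03-01 09:30:00 srv01 login failed for carol from 192.0.2.77",
]

VPN_RE = re.compile(r"^(\S+) vpn-gw auth user=(\S+) src=(\S+) result=(\w+)$")
HOST_RE = re.compile(r"^(\S+ \S+) srv01 login (failed|accepted) for (\S+) from (\S+)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str      # which collector produced the event
    user: str
    src_ip: str
    success: bool
    raw: str         # original line, kept as evidence for the analyst


def normalise(vpn_lines, host_lines):
    """Parse both formats into the shared Event schema, sorted by time."""
    events = []
    for line in vpn_lines:
        m = VPN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append(Event(ts, "vpn", m.group(2), m.group(3), m.group(4) == "OK", line))
    for line in host_lines:
        m = HOST_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append(Event(ts, "host", m.group(3), m.group(4), m.group(2) == "accepted", line))
    return sorted(events, key=lambda e: e.ts)


@dataclass
class Alert:
    user: str
    src_ip: str
    failures: int
    sources: set = field(default_factory=set)
    evidence: list = field(default_factory=list)


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Raise one alert per (user, ip) when at least `threshold` failures inside
    `window` are followed by a success; isolated failures never alert on their own."""
    failures = defaultdict(list)   # (user, ip) -> recent failed events
    alerts = []
    for ev in events:
        key = (ev.user, ev.src_ip)
        recent = [f for f in failures[key] if ev.ts - f.ts <= window]
        if not ev.success:
            recent.append(ev)
            failures[key] = recent
            continue
        if len(recent) >= threshold:
            alert = Alert(ev.user, ev.src_ip, len(recent))
            for f in recent + [ev]:
                alert.sources.add(f.source)
                alert.evidence.append(f.raw)
            alerts.append(alert)
        failures[key] = []  # a success closes the window for that key
    return alerts


def run():
    return correlate(normalise(VPN_LOG, HOST_LOG))


if __name__ == "__main__":
    for a in run():
        print(f"ALERT user={a.user} ip={a.src_ip} failures={a.failures} sources={sorted(a.sources)}")
        for line in a.evidence:
            print("   ", line)
```

On the sample data, the VPN log alone holds only two failures for alice and the host log only two, so a rule evaluated against either source in isolation never reaches the threshold; only the combined view does, and it produces one alert carrying the five relevant lines rather than four separate failure notifications. That is the "collect from different sources, correlate, then investigate" loop the definition describes, and it is also why a SIEM needs the normalisation step: each collector speaks its own format.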

MSSP – Managed Security Service Provider

Managed Security Service Providers offer threat management capabilities to organizations wishing to outsource essential security functions such as network monitoring and firewall management. However, this service is gradually being replaced as security providers evolve to offer more complex and comprehensive services such as MDR.

MDR – Managed Detection and Response

MDR is defined as a holistic approach to security monitoring and response, combining different technologies, processes, and tools to provide 24/7 expert threat management. MDR can effectively identify and contain security issues by designing, and often directly applying, the countermeasures needed to isolate affected assets and reduce the impact on the assets' confidentiality, availability, and integrity.

MDR also has the potential to reduce an organization's exposure to vulnerabilities and reduce the time to identify compromised assets compared to other approaches (from almost 200 days as reported by IBM to potentially just hours). Depending on the variation of the service and the provider, MDR can reduce costs and optimize security spending when compared to classic SIEM and SOC solutions.

EDR – Endpoint Detection and Response

Endpoint Detection and Response is defined as a subset of MDR where the focus is limited to endpoints or individual hosts. It is typically achieved by installing software agents that can perform advanced analysis (e.g., combining anti-malware and vulnerability assessments). EDR can then identify potential attacks and quarantine the affected endpoints immediately. This service (or technology) is less comprehensive than the other services described above, but it is widely used and is a common and dependable approach to protecting organizations that deploy hundreds or thousands of similar endpoints (e.g., workstations). As a concept, however, it breaks down when dealing with more complex environments containing a multitude of different endpoints and assets.

The Rise of XDR and the encompassment of MDR

Above, we mentioned the need for organizations to better visualize their asset status from the perspective of a cyber criminal using advanced attack techniques. In a modern, complex technological environment, limiting a security solution to EDR will not provide the level of protection required to respond to and defend against sophisticated attack techniques.

Modern application environments run on cloud infrastructures or on hybrids where cloud networks extend on-premises assets. Applications rely on end-user messaging techniques, such as email, which are exposed to threats and vulnerabilities through web-exposed interfaces and internal backends. A solution is needed whereby technologies and processes allow organizations to observe the evolution of potential attacks not only at the surface but, ideally, during lateral movement and exfiltration. Such a solution would improve the opportunity to limit damage and to identify the real attack vector and its intent, thus reducing outages and preventing data loss.

To achieve the above objectives, the threat monitoring industry must move to the concept of XDR (X Detection and Response), where "X" stands for a diverse infrastructure environment and the complexity of today's attacks. MDR solutions need to leverage this concept and equip their toolkits with all the instruments necessary to ensure the lifecycle of an attack can be monitored and tracked appropriately. This approach would finally require some standardization within the Detection and Response field and some level of integration across the security industry and its players, to advance towards consolidated, affordable, and rock-solid detection and response frameworks for organizations.

We feel confident that research in this field can today leverage advanced technologies such as multi-source event collectors and correlators, enhanced by AI algorithms, that can immensely reduce the "noise" in new detection and response solutions. This approach, coupled with the explosion of security frameworks and compliance programs, makes it possible to picture a state of consolidation where XDR solutions, and MDR in general, will be able to significantly reduce or eliminate the risk of dangerous compromises.

Contact us to discuss your MDR and XDR needs and understand if Advantio's solution is the right one for you. 


Written by Francesco Consiglio

I am the CTO, Senior Security Consultant, and PCI QSA since 2010 at Advantio.

Having executed close to a hundred (and counting) assessments across Europe, Asia, South Africa, and North America, I was able to observe many different implementations of all classic security controls and much more.

Now I spend much of my time with cloud technologies. Being passionate about cloud security and cloud resources management, my research focuses on the implementation of streamlined and scalable processes in the field of Threats Management for cloud-based ecosystems.

At Advantio, I am also part of the ZeroRisk team. Our vision is to make security and compliance simpler for our users.