Managed Detection and Response providers – do you need them?
Gartner released the 2020 market guide for Managed Detection and Response Services (MDR), describing the MDR service and listing representative vendors in this space. Gartner has also included MDR in their list of top security technologies. The question is, do you now need to engage MDR providers for your cybersecurity?
To state the obvious, today's threats cannot be detected or prevented quickly enough by a traditional Security Operations Center (SOC) built on SIEM solutions alone. A next-generation SOC with MDR capabilities needs many complementary technologies such as network and packet analytics (NTA), user behavior analytics (UEBA), endpoint analytics (EDR), response automation, and fast orchestration.
For most organizations, setting up an internal next-gen SOC is not viable. In our discussions with clients that are building an internal next-gen SOC, we consistently hear three challenges:
- Architecting the right big data solution for large-scale ingestion, real-time correlation, and longer-running analytical algorithms takes time and effort. There are no ready-made solutions on the market, and security teams are already too hard-pressed for time to experiment with a variety of big data solutions.
- It is challenging to integrate the various point products for UEBA, NTA, EDR, security response, forensic analysis, and workflow orchestration into an existing SIEM-based SOC. The goal of MDR is a seamless process for rapid threat detection and response, and the lack of an integrated solution is an inherent obstacle to that speed.
- The biggest challenge is probably the availability of people to run the next-gen SOC. Here is the problem: a next-gen SOC is intelligent and built on the concept of extreme automation, yet it still needs more people to run operations than a traditional SOC. Why do I say this, when the prevailing paradigm is one where intelligent machines and automation are taking over jobs, and a next-gen SOC is itself built on machine learning and automation? Why more people?
The answer lies in letting machines do what they are best at and letting humans do what they are best at. Machines are good at finding answers, but can they find questions? In cybersecurity, any analyst will tell you that the key is to keep asking questions, continue formulating hypotheses, and then let machines provide the answers. You see a suspicious event, you formulate a hypothesis of what could have gone wrong, you ask questions to prove or disprove that hypothesis, and then you continue the iteration. The underlying machine (be it big data, machine learning, AI technology, or something else) should keep answering these questions using intelligence and automation.
With this perspective, the tasks can be divided between humans and machines as follows:
- Machines provide analytics while humans do threat hunting on top of those analytics, asking a series of questions to determine whether the analytical output reveals an incident, compromise, or breach.
- Machines provide forensic data collection and analytics while humans investigate, asking what, who, when, and how in order to decode the incident.
- Machines provide threat intelligence (TI) feeds while humans do threat anticipation, asking what could go wrong or impact the organization based on that TI feed.
- Machines provide automated playbooks while humans create a meticulous incident response plan, asking what could break once a playbook is executed and what alternate steps can be taken.
Formulating hypotheses, asking the right questions, and discovering new knowledge can be defined as general-purpose intelligence, which is still in the human domain. Answering questions with intelligence and automation is narrow, specialized intelligence that is now the machine’s domain. The next-gen SOC needs a high dose of both types of intelligence.
Now, instead of building a next-gen SOC, overcoming the challenges of big data architecture, integrating point products for analytics and orchestration, and then staffing a larger team for hunting, investigation, anticipation, and response, an organization can choose a seamless service that delivers all of this. That is the promise of MDR vendors: a unified platform integrated with skilled resources to offer advanced cyber defense as a service.