August 19, 2022

White Paper
13 min

How Managed Detection and Response Can Improve Security Posture

Many organizations will benefit from outsourcing MDR to supplement existing security strategies.

Dominick Daidone

Michael Cappiello


An Evolving Threat Landscape and Work Environment

Before the COVID-19 pandemic upended the world of work, enterprise cybersecurity teams were comfortable following a “castle and moat” strategy. For the most part, the people and systems that they needed to protect were in a small set of offices, and teams could focus on building out controls that protected those resources from cyberthreats.

Of course, the pandemic transformed the way that almost every organization works by displacing entire workforces and requiring the rapid deployment of new technology solutions. Organizations shifted massive portions of their IT infrastructures to the cloud and relied on many new services to facilitate internal collaboration among teams and external communication with customers and other stakeholders. In many cases, IT leaders made conscious decisions to compromise on cybersecurity controls in the interest of getting people back to work as quickly as possible.

The Great Resignation that followed the pandemic has also created a challenging environment for cybersecurity leaders. Most organizations now suffer a gap between the number of team members they need to implement their cybersecurity strategies and the number who are available to hire. An expanding skills gap also means that many employees lack the sophisticated cybersecurity skills that their roles demand. Whether that gap is the result of attrition or a shift to new cloud-based services, managed detection and response (MDR) capabilities can address these workforce challenges by providing professional services that reduce the burden on internal team members, allowing them to leave incident response to trained specialists.

Finally, some small and midsized organizations simply don’t have the expertise, workforce or resources required to maintain the 24/7 threat monitoring capability they need to meet their security objectives. And some larger organizations that are sufficiently staffed may prefer to allocate those resources to IT innovation and modernization efforts. Whatever an organization’s size or circumstances, MDR service vendors can alleviate the burden of handling increasingly complex security needs in an ever-expanding threat landscape.

Drivers for Managed Detection and Response

Recent changes in the way we work create new challenges for cybersecurity professionals that increase the need for MDR.

NETWORK EXPANSION

Employees are now consistently working from home and using a variety of personal and corporate devices to access enterprise data. Some of those devices lack appropriate security controls.

CLOUD PERFORMANCE

Increased reliance on virtual private network technology has created a new avenue for attackers. In particular, VPN gateways that lack multifactor authentication pose a serious problem: a single phished or reused password is enough to put an attacker on the internal network.

CONSISTENT SECURITY

As IT teams respond quickly to evolving business needs, they risk introducing misconfigurations that may open new vulnerabilities for attackers to exploit.

Pointers to Keep in Mind When Selecting an MDR Vendor

Many organizations offer MDR services, and it’s often difficult to find the best fit for a particular customer’s needs. Here’s some advice for organizations evaluating their options:

ALL VENDORS AREN’T CREATED EQUAL

Evaluate services carefully to ensure that you're working with a reputable vendor that builds its service on trusted endpoint detection and response (EDR) or extended detection and response (XDR) tooling.

FIND TOOLS THAT SUPPORT INTEGRATION

Security strategies frequently employ different tools for response and reporting. Effective security requires tools that work well together.

CONSIDER EMPLOYEE TURNOVER

Every customer has unique requirements, and the vendor's analysts will turn over during the life of the contract. Ensure that the vendor has a robust process for bringing new analysts up to speed on each customer's environment, so that knowledge of your assets, exceptions and escalation paths doesn't leave with a departing employee.

VERIFY THE STRENGTH OF VENDOR CAPABILITIES

Vendors must have strong detection and response capabilities, and evaluation of these should be a key vendor selection criterion.

How MDR Services Prepare Organizations to Minimize the Effects of a Security Breach

Breaches are simply inevitable in today’s ever-expanding threat landscape. While the tactics and techniques used by attackers haven’t changed a great deal, attackers are putting much more research, planning and time into their attacks, increasing their sophistication. 

At the same time, organizations have significantly increased the attack surface and complexity of their IT environments, creating new opportunities for threat actors to gain access. Remote employees are more susceptible to targeted social engineering and phishing attacks, which can leave their personal and professional data vulnerable. 

Organizations must be prepared to detect unauthorized access or malicious activity as soon as possible so they can minimize risk and limit downtime. A good MDR vendor will take on the responsibilities of threat hunting, detection, response and recovery, freeing an organization’s internal IT staff to focus on other needs. 

MDR products provide three key capabilities to cybersecurity programs:

  • Detection: MDR vendors incorporate standard cybersecurity tools, such as static malware analysis, sandboxing, automation, third-party integrations, network traffic analysis, heuristics, deception technology and threat hunting capabilities. At the same time, they monitor the user behavior information that is crucial in a zero-trust environment. Vendors should also offer centralized management of detection efforts to reduce false positives and alert fatigue. These tools and services are designed to reduce the mean time to detect (MTTD). Minutes here can be the difference between a minor incident and a data breach. 
  • Response: MDR providers must be able to quickly and effectively contain attacks by isolating devices, restricting network access and quarantining affected systems. Adding root cause analysis capabilities also facilitates handing off serious cases to a formal incident response team. Our customers are continuously looking for ways to reduce their mean time to respond (MTTR) to an incident. Downtime of any length can cost millions of dollars.
  • Recovery: Large MDR providers offer a range of recovery services, from guided remediation to full remediation. They may even provide automated rollback services for common ransomware events. These services may be tightly integrated with incident response teams for more robust recovery capabilities.
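The detection capability described above is easier to reason about with a concrete, if toy, pipeline. The following is an added example written for this article; it is not CDW's code or any vendor's product. It runs two of the detections the text mentions over constructed VPN authentication records: a plain rule (a successful VPN logon without MFA, the weakness called out under the drivers above) and a user-behaviour analytic (one account authenticating from two countries faster than anyone could travel). It also collapses repeat hits into a single alert, which is what "reducing alert fatigue" means in practice, and measures mean time to detect (MTTD) as the gap between the first event in an alert and the moment the rule fired. The event data, the two-hour travel window and the 15-minute de-duplication window are all assumptions for the example.

```python
"""Toy MDR-style detection over constructed VPN authentication events.

Demonstrates: a simple rule (logon without MFA), a behavioural analytic
(impossible travel), per-user alert de-duplication, and MTTD measurement.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry for the example; not real logs.
SAMPLE_EVENTS = [
    {"ts": "2022-08-01T08:00:00Z", "user": "alice", "src_country": "US", "mfa": True,  "result": "success"},
    {"ts": "2022-08-01T08:05:00Z", "user": "bob",   "src_country": "US", "mfa": False, "result": "success"},
    {"ts": "2022-08-01T08:07:00Z", "user": "bob",   "src_country": "US", "mfa": False, "result": "success"},
    {"ts": "2022-08-01T08:10:00Z", "user": "alice", "src_country": "RO", "mfa": True,  "result": "success"},
    {"ts": "2022-08-01T09:00:00Z", "user": "carol", "src_country": "DE", "mfa": False, "result": "failure"},
]

TRAVEL_WINDOW = timedelta(hours=2)     # assumption: two countries within 2 h is "impossible travel"
DEDUP_WINDOW = timedelta(minutes=15)   # assumption: repeat hits per (rule, user) within 15 min collapse


@dataclass
class Alert:
    rule: str
    user: str
    first_seen: datetime    # earliest event that contributes to this alert
    detected_at: datetime   # event timestamp at which the rule could fire
    count: int = 1          # number of raw hits folded into this alert


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events):
    """Run both rules over events in time order, de-duplicating per (rule, user)."""
    alerts = []
    open_alerts = {}    # (rule, user) -> Alert currently absorbing duplicates
    last_success = {}   # user -> (ts, country) of the most recent successful logon

    def raise_alert(rule, user, first_seen, detected_at):
        key = (rule, user)
        cur = open_alerts.get(key)
        if cur and detected_at - cur.detected_at <= DEDUP_WINDOW:
            cur.count += 1   # same story, same analyst: fold in rather than page again
            return
        alert = Alert(rule, user, first_seen, detected_at)
        open_alerts[key] = alert
        alerts.append(alert)

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        if ev["result"] != "success":
            continue   # failed attempts are out of scope for these two rules
        if not ev["mfa"]:
            # Rule fires on the event itself, so detection latency is zero.
            raise_alert("vpn_logon_without_mfa", ev["user"], ts, ts)
        prev = last_success.get(ev["user"])
        if prev and prev[1] != ev["src_country"] and ts - prev[0] <= TRAVEL_WINDOW:
            # Behavioural analytic: needs two data points, so it cannot fire
            # before the second logon arrives. first_seen is the earlier logon.
            raise_alert("impossible_travel", ev["user"], prev[0], ts)
        last_success[ev["user"]] = (ts, ev["src_country"])
    return alerts


def mean_time_to_detect(alerts):
    """Average gap between the first event in each alert and the moment its rule fired."""
    if not alerts:
        return timedelta(0)
    return sum((a.detected_at - a.first_seen for a in alerts), timedelta(0)) / len(alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.rule:24} {a.user:6} hits={a.count} first_seen={a.first_seen:%H:%M} detected={a.detected_at:%H:%M}")
    print("MTTD:", mean_time_to_detect(found))
```

On the constructed sample this yields two alerts rather than three raw hits: bob's two no-MFA logons collapse into one alert, and alice's US-then-Romania pair becomes one impossible-travel alert that could only fire ten minutes after the sequence began. That latency, averaged across alerts, is the MTTD figure the paragraph refers to; a rule that fires on a single event contributes zero, an analytic that needs a baseline always contributes something, and a batch pipeline that runs every N minutes adds N to every alert.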

Using a well-known MDR vendor also provides an organization’s customers with confidence in the organization’s cybersecurity posture. Customers see a trusted cybersecurity name and rest easy, knowing they’re placing their data and systems in the hands of a vendor who prioritizes cybersecurity.

Solutions and Strategies to Optimize MDR

Choosing an MDR vendor is a critical decision for cybersecurity leaders. They must be trusted partners that the organization can rely on in the event of an incident. Strong vendors offer five critical capabilities:

VISIBILITY

MDR vendors need to collect and view as much data as possible to build out an accurate picture of the cybersecurity landscape. This data should come from on-premises systems, connectors to cloud applications, agents deployed on assets and integrations with third-party services.

CLOUD SECURITY

Large-scale migration to the cloud requires that organizations adopt cloud-centric cybersecurity strategies. Sophisticated MDR vendors can scan cloud workloads and containers to evaluate them for security problems such as malware or compliance issues such as configuration drift.

ZERO TRUST

Organizations can no longer rely on outdated “trust, but verify” approaches to cybersecurity that focus on a user’s or device’s network location to grant security permissions. Modern MDR vendors should implement a continuous verification process that helps customers mitigate risk.

IDENTITY MANAGEMENT

Zero-trust strategies can’t succeed without strong identity and access management programs. MDR vendors should help organizations evaluate the context of user actions through robust identification of the user population. This approach helps organizations reduce their attack surface.

ARTIFICIAL INTELLIGENCE

Artificial intelligence and machine learning capabilities enhance organizations’ abilities to automate cybersecurity tasks. MDR platforms that incorporate AI technology can speed incident response time, close gaps in cybersecurity programs, and reduce the burden on security analysts and other first responders.

CDW can help your organization apply this guidance to select an MDR vendor.

The State of Incident Response

90%

The percentage of organizations that are not fully confident in their ability to determine the root cause of a cybersecurity incident1

39%

The percentage of organizations that suffered a cybersecurity breach in the past 12 months2

58%

The percentage of security breaches that are not discovered until attackers disclose their actions; for instance, by demanding a ransom or defacing a website3

55%

The percentage of organizations that believe a shortage of internal staffing and skills is the most significant impediment to effective incident response4

30%

The percentage of organizations that currently use managed detection and response; an additional 42 percent intend to adopt MDR over the next 12 months5

46%

The percentage of organizations that are unable to contain a cybersecurity incident within the first hour of the initial compromise1

Sources:  1Information Security Media Group, "Zero Trust Strategies for 2022," January 2022; 2Cymulate, "Data Breaches Study: Methods, Implications, and Prevention," June 2022; 3Verizon, 2022 Data Breach Investigations Report, May 2022; 4SANS Institute, 2020 SANS Enterprise Cloud Incident Response Survey, September 2020; 5LogicHub, "The Rush to MDR: Achieving the Promise of Elevated Security Posture," June 2022

Drivers for Zero Trust

The modern threat landscape is increasingly diverse and sophisticated, moving organizations toward zero-trust models of network security.

Attackers are now well funded and organized into highly skilled teams of professionals. They operate with the full backing and resources of military units, intelligence agencies and organized crime syndicates.

Cybercrime is a highly profitable business. From ransomware to the zero-day economy, talented hackers are able to sell their skills on the black market, creating strong incentive to continue their work.

Cloud computing provides attackers with the same flexibility, agility and economies of scale that it offers to business customers. Attackers open accounts faster than providers can detect and remove them.

Incident Response as a Security Program Component

Managed detection and response services are an important component of any organization’s cybersecurity program, but they are only effective when used in conjunction with complementary services. CDW offers a variety of tools that can help organizations assess the state of their current cybersecurity programs and develop strategic roadmaps for maintaining a high level of preparedness.

  • Penetration Testing: During a penetration test, CDW’s skilled red team members use the same tools, tactics and techniques used by potential adversaries to probe the security of customer infrastructure. The results of these tests provide a realistic assessment of the organization’s ability to withstand real-world attacks.
  • Security Assessment: Security is a complex undertaking, and organizations deploy a dizzying array of administrative, technical and physical controls to protect their information and systems. CDW security assessments help organizations determine if they have the right controls in place and if those controls are operating efficiently and effectively.
  • Identity Program Development: Identity and access management programs form the core of any cybersecurity program. They allow organizations to accurately identify individuals, securely authenticate them when they need access to resources and verify that user requests are within their authorized scope of activity. CDW helps organizations build out advanced IAM programs that meet modern cloud-focused needs.
  • Zero-Trust Workshops: As organizations move away from a perimeter-based approach to security, it’s no longer prudent to place trust in devices based on their network location alone. The modern remote workforce requires a zero-trust approach to security to operate effectively. CDW specialists can help you create a roadmap for developing and implementing a zero-trust strategy.
  • Incident Response: Every organization eventually suffers a serious cybersecurity incident, and it is reassuring to have experts on call who are ready to assist at a moment’s notice. CDW offers customers zero-cost retainer agreements that provide rapid, 24/7 access to cybersecurity incident response experts.
  • Gap Analysis: Organizations seeking to comply with regulatory requirements or meet the specifications of a cybersecurity standard often wonder how to quickly measure up. CDW gap analysis engagements assess your organization for compliance with legal requirements and adherence to industry best practices, identifying areas that need improvement.
  • Playbook Services: Automation is the key to effective incident response. Time is of the essence when seeking to contain, eradicate and recover from an attack, and the more automation organizations use, the more quickly they can close out an incident. CDW helps organizations develop manual and automated playbooks that outline standard responses to common cybersecurity incidents.
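The playbook item above distinguishes manual from automated playbooks and stresses that automation shortens containment. What that looks like as code is shown by the following added example, written for this article rather than taken from CDW or any vendor. Each playbook is a list of steps flagged as automated or manual; automated steps run immediately against the environment, manual steps are returned to the analyst as a checklist, and a guardrail downgrades a risky automated step (isolating a host) to a manual approval when the target is a protected asset, so that one alert can never automatically take a domain controller off the network. The in-memory environment, the alert types, the step names and the protected-role list are all assumptions standing in for the EDR and identity-provider APIs a real playbook would call.

```python
"""Toy incident-response playbook engine.

Playbooks are data: ordered steps, each automated or manual. The engine
executes automated steps against an environment, hands manual steps back as
a checklist, and applies a guardrail so automation never isolates protected
hosts without a human decision.
"""
import copy
from dataclasses import dataclass, field

# Constructed environment state; stands in for EDR / IdP back ends.
ENVIRONMENT = {
    "hosts": {
        "ws-117": {"isolated": False, "role": "workstation"},
        "dc01":   {"isolated": False, "role": "domain_controller"},
    },
    "accounts": {
        "bob": {"enabled": True, "sessions": ["vpn-9f3a", "o365-21c0"]},
    },
}

# Assumption: hosts in these roles are never isolated automatically.
PROTECTED_ROLES = {"domain_controller"}

# Assumption: two example playbooks keyed by alert type.
PLAYBOOKS = {
    "ransomware_detected": [
        {"step": "isolate_host", "automated": True},
        {"step": "disable_account", "automated": True},
        {"step": "revoke_sessions", "automated": True},
        {"step": "collect_memory_image", "automated": False},
        {"step": "restore_from_known_good_backup", "automated": False},
    ],
    "vpn_logon_without_mfa": [
        {"step": "revoke_sessions", "automated": True},
        {"step": "disable_account", "automated": True},
        {"step": "verify_with_user_out_of_band", "automated": False},
    ],
}


def fresh_env():
    """Independent copy of the environment so repeated runs do not interfere."""
    return copy.deepcopy(ENVIRONMENT)


# Automated actions: each mutates the environment and returns an audit line.
def isolate_host(alert, env):
    env["hosts"][alert["host"]]["isolated"] = True
    return f"isolated {alert['host']}"


def disable_account(alert, env):
    env["accounts"][alert["user"]]["enabled"] = False
    return f"disabled {alert['user']}"


def revoke_sessions(alert, env):
    acct = env["accounts"][alert["user"]]
    n = len(acct["sessions"])
    acct["sessions"].clear()
    return f"revoked {n} sessions for {alert['user']}"


ACTIONS = {
    "isolate_host": isolate_host,
    "disable_account": disable_account,
    "revoke_sessions": revoke_sessions,
}


@dataclass
class Outcome:
    executed: list = field(default_factory=list)   # audit lines for automated steps
    manual: list = field(default_factory=list)     # checklist handed to the analyst


def run_playbook(alert, env):
    playbook = PLAYBOOKS.get(alert["type"])
    if playbook is None:
        raise KeyError(f"no playbook for alert type {alert['type']!r}")
    out = Outcome()
    for step in playbook:
        name = step["step"]
        # Guardrail: isolating a protected host needs a human decision.
        if name == "isolate_host" and env["hosts"][alert["host"]]["role"] in PROTECTED_ROLES:
            out.manual.append(f"{name}: requires approval, {alert['host']} is a protected asset")
            continue
        if not step["automated"] or name not in ACTIONS:
            out.manual.append(name)
            continue
        out.executed.append(ACTIONS[name](alert, env))
    return out


if __name__ == "__main__":
    env = fresh_env()
    result = run_playbook({"type": "ransomware_detected", "host": "ws-117", "user": "bob"}, env)
    print("executed:", result.executed)
    print("for analyst:", result.manual)
```

Run against the workstation, the ransomware playbook isolates the host, disables the account and revokes its sessions in one pass, leaving only the evidence-collection and restore steps for people. Run against dc01, the same playbook executes everything except the isolation, which comes back as an approval request; the automation's speed is kept where it is safe and a human stays in the loop where a wrong call would take down authentication for the whole domain.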

Story by Dominick Daidone and Michael Cappiello

Learn more about the ways that CDW can help your organization build out a robust cybersecurity program.