
IT Insight: MDR-Managed Detection and Response

Growing threats to your personal and professional data are mounting worldwide. Cybersecurity threats must be monitored and responded to in real time as hackers work just as hard to develop and exploit new vulnerabilities. Without the necessary expertise or dedicated budget to fight this battle, your business may be falling behind in resources and falling prey to intruders.

Enter MDR, Managed Detection and Response, the combination of human expertise and technology to rapidly identify and limit the possibility of threats with immediate response and remediation. It is a sensible and scalable approach to threats that involves planning and application of technology expertise to your network and endpoint security.

MDR draws upon an endpoint detection and response (EDR) tool that provides visibility into security breaches and events on an endpoint, such as a workstation, server, laptop, cloud system or IoT (Internet of Things) device. This offers fast detection, mitigation and remediation of malicious activity and incidents. Manual and automated actions can then be taken to contain threats on that endpoint, such as isolating the endpoint from the network or wiping and reimaging the device.

Many of the systems in your IT environment log events over time: servers, workstations, firewalls, and even your Office 365 service all do so. MDR collects and reviews all the logs these systems generate. Additional agents or software programs are then added to certain devices and servers, and sometimes to workstations, to gather further information. Finally, a SIEM (security information and event management) tool gathers all this data and helps organize, analyze and correlate it across your network in real time.

To understand what type of event you are looking at, a human analyst is involved to determine the appropriate response and reduce the associated impact and risk. First it needs to be determined that the event is not a false positive. For instance, an intentional upgrade of a system could cause a security monitoring system to react. Known false positives are managed and reported by your IT provider through a process called white listing, where upgrades and additional services that may generate a false positive are recorded ahead of time. However, a thorough system never pauses just because human input is not readily available. Cyber-attacks can happen very quickly, and a response must happen immediately. If there is no immediate indication that the event is a false positive, the attack is stopped at once.

In some cases a threat can be killed; in others it can be blocked. Sometimes these operations can be quarantined. In each case nothing is destroyed; the threat is stopped from infecting the endpoint or any other segment of your network. Once the process is stopped and contained and the environment is protected, the human investigation begins. It needs to be determined what the source of the problem was. Were there weaknesses in protection that need to be addressed? This needs to be classified, tracked, and reported.

The last step is recovery. MDR restores systems to their pre-attack state by removing malware, cleaning the registry, removing intruders, and ensuring that the network is returned to a healthy state with further compromise prevented.

MDR services in the form that exists today are relatively new, but what they do, large enterprises have done for at least the last decade and very security-sensitive organizations for longer still. As with everything involving cyber-crime, targets have become smaller and smaller. New developments such as ransomware as a service allow small criminals to attack small organizations. Therefore smaller organizations that lack the staff capabilities to monitor these incidents need to be very concerned. MDR was developed to provide these capabilities to the smaller organization.

Cyber-attacks have become more sophisticated. Initially an attack would infiltrate the system from the outside, and the concern was protecting the perimeter. Attackers would go after one workstation or one server at a time. Early on we worried about antivirus software and endpoint detect-and-respond tools, which really protect one workstation, one computer, at a time.

Now, more sophisticated attacks consist of small steps, each of which, taken independently, may not look unusual. For instance, a file that looks completely innocuous may be sent to one individual. From there a lateral attack is launched, attempting to move elsewhere within the network environment. If you are only looking at things one workstation at a time, those kinds of attacks are overlooked. It is that level of sophistication that has made MDR critical, even for the SMB environment.
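The three ideas above (a SIEM correlating logs from many systems, white listing of pre-announced upgrades to suppress false positives, and the need to look across workstations rather than at one at a time) can be shown together in a small piece of code. The following is an added example written for this page, not code from PCGiT or from any MDR product; the log lines, host names, allowlist entry and time windows are all constructed. It drops an allowlisted installer run, then compares a per-host view (which sees one ordinary logon per server and stays quiet) with a cross-host view that ties an opened attachment on one workstation to that workstation authenticating to several other machines shortly afterwards.

```python
"""Added example: a toy SIEM-style correlator over constructed logs from several hosts.

Steps: parse lines, discard events that match an allowlist of pre-announced
maintenance, then correlate across hosts to catch a chain that no single
endpoint would flag on its own."""
from datetime import datetime, timedelta

# Constructed sample logs (not from any real environment), one event per line:
# "<ISO timestamp> key=value key=value ...".
SAMPLE_LOGS = [
    "2024-03-04T02:01:10 host=ws-07 src=mail event=attachment_opened file=invoice.docm user=alice",
    "2024-03-04T02:01:45 host=ws-07 src=edr event=process_start proc=powershell.exe parent=WINWORD.EXE",
    "2024-03-04T02:03:02 host=srv-01 src=auth event=logon user=alice from=ws-07 type=network",
    "2024-03-04T02:03:40 host=srv-02 src=auth event=logon user=alice from=ws-07 type=network",
    "2024-03-04T02:04:15 host=ws-11 src=auth event=logon user=alice from=ws-07 type=network",
    "2024-03-04T02:30:00 host=srv-01 src=edr event=process_start proc=msiexec.exe parent=services.exe",
    "2024-03-04T09:15:00 host=ws-03 src=auth event=logon user=bob from=ws-03 type=interactive",
]

# Constructed allowlist entry: the installer run on srv-01 was a scheduled upgrade
# announced ahead of time, so events matching it inside the window are not alerted on.
ALLOWLIST = [
    {"host": "srv-01", "event": "process_start", "proc": "msiexec.exe",
     "start": datetime(2024, 3, 4, 2, 0), "end": datetime(2024, 3, 4, 3, 0)},
]


def parse_line(line):
    """Turn one log line into a dict; the first token is the ISO timestamp."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_allowlisted(event):
    """True if every field of some allowlist rule matches and the event falls in its window."""
    for rule in ALLOWLIST:
        fields = {k: v for k, v in rule.items() if k not in ("start", "end")}
        if (all(event.get(k) == v for k, v in fields.items())
                and rule["start"] <= event["ts"] <= rule["end"]):
            return True
    return False


def load_events(lines):
    """Parse all lines and drop the allowlisted (known false-positive) events."""
    return [e for e in map(parse_line, lines) if not is_allowlisted(e)]


def per_host_alerts(events, threshold=3):
    """Each host examined in isolation: alert only if that host alone sees many
    network logons. One logon per server looks ordinary, so this view stays quiet."""
    alerts = []
    for host in {e["host"] for e in events}:
        logons = [e for e in events
                  if e["host"] == host and e.get("event") == "logon"
                  and e.get("type") == "network"]
        if len(logons) >= threshold:
            alerts.append(host)
    return sorted(alerts)


def correlated_alerts(events, window=timedelta(minutes=10), min_targets=2):
    """Cross-host view: an attachment opened on host X, followed within the window by
    network logons *from* X to at least min_targets other hosts."""
    alerts = []
    for opened in (e for e in events if e.get("event") == "attachment_opened"):
        origin = opened["host"]
        deadline = opened["ts"] + window
        targets = {
            e["host"] for e in events
            if e.get("event") == "logon" and e.get("type") == "network"
            and e.get("from") == origin and e["host"] != origin
            and opened["ts"] <= e["ts"] <= deadline
        }
        if len(targets) >= min_targets:
            alerts.append({"origin": origin, "user": opened.get("user"),
                           "file": opened.get("file"), "targets": sorted(targets)})
    return alerts


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOGS)
    print("per-host view:", per_host_alerts(evs))
    print("correlated view:", correlated_alerts(evs))
```

The per-host function is deliberately the weaker of the two: it models the "one workstation at a time" view the post describes, and on this input it returns nothing, while the correlated view returns one alert rooted at ws-07 listing the three machines it reached. In a real SIEM the allowlist would be a maintained change calendar and the thresholds would be tuned per environment; the structure of the check is the same.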

For a business without cybersecurity expertise, it is not just about detecting and blocking attacks. It is about making sure that your business is protected preventatively as attack methods and techniques change over time.

Look for this support from someone that will be your security advisor, rather than just provide a commoditized service. It is critical that these services are running 24/7/365, as cyber criminals do not take time off. In fact, they are most active while you are sleeping.

The security environment has changed enormously, and things that businesses could once safely ignore they simply cannot afford to ignore anymore. The scope of integrated security is vast: trust your information security to experts who build, execute, and manage it end to end.

JoAnn Hodgdon is vice president and co-founder of Portsmouth Computer Group (PCGiT) with her husband David. PCG provides comprehensive managed IT services, business continuity, security, cloud computing and Virtual CIO services to their clients. You may reach her at joann@pcgit.com or at www.pcgit.com.