Conventional security operations centers (SOCs) face many challenges, such as the global talent gap, the growing volume and complexity of security data, and the need to detect, analyze, and respond more rapidly and with greater precision to threats. Traditional tools and practices are no longer as effective as they used to be, so many organizations are moving towards managed detection and response (MDR) and extended detection and response (XDR) solutions. These approaches do a better job at reducing the time between threat detection and response and ultimately help security leaders strengthen the cyber posture and reduce risk.
The change is long overdue. The threat landscape is evolving so quickly that cyber defenders are increasingly only able to contain the growing challenge rather than proactively fight back. Ransomware continues to present a major concern to security leaders alongside identity-based attacks, fraud, and the need to navigate a more complex regulatory landscape. Some of the greatest current dangers lie in attacks on critical infrastructure and attempts at fraud. Phishing campaigns that use social engineering to target a company’s finance department have become more sophisticated and scalable with the help of artificial intelligence (AI), which has made it even more difficult to distinguish a phishing email from a ‘real’ email, even for trained eyes.
While many companies may recognize the need to better prepare themselves for a security breach and look to invest more in their security infrastructures and their threat detection and response capabilities, the real challenge is how to keep up with the rapid pace of technological change.
A Traditional SOC vs Next-Generation MDR
A traditional approach can leave security teams struggling to adapt their processes and defenses quickly enough. The standard process for a traditional in-house SOC or outsourced managed security is to use a variety of tooling and technology that enables security analysts to analyze and investigate anomalies. The potential issue here is that alerts might be investigated in isolation from the broader context and give an incomplete picture of an attack. The result? Threats can be missed, or significant time can be spent separating false alerts from true positives.
The need for a more flexible, future-proof model that can adapt as the threat landscape evolves is perhaps the biggest driver behind the growing adoption of next-generation MDR services. MDR is often powered by an Extended Detection and Response (XDR) platform, which is why such services are sometimes called MXDR. The platform automatically ingests an effectively unlimited volume of data, then normalizes it, enriches it, and cross-correlates it with other business data to flesh out the bigger picture. The outcomes have a real impact on risk, because they fast-track the detection of anomalies, the implementation of defensive measures, and the analysis of the threats that matter.
MDR Cybersecurity and Data Lakes
With newer iterations of MDR, there’s a fundamental shift in the approach to data. Large volumes of data, regardless of data type or format, are ingested and stored centrally in a data lake to be used jointly for detection, contextualization, and visualization. In contrast to conventional security information and event management (SIEM) technology, customers no longer pay according to the amount of data they forward to the provider, but instead pay for the number of assets that are to be protected. This means they do not have to limit themselves to certain data sets or volumes and risk missing relevant information. A higher quantity of much more detailed information is available, which can be correlated and put into context with the help of artificial intelligence.
Setting up a data lake offers not only tangible security benefits, such as the ability to quickly identify and respond to security incidents. The extensive data store can also be used for other purposes – for example, to gain important insights outside security operations. A security team could use the comprehensive data pool to find out how many USB sticks are in use in the company, or how many top managers have received phishing emails over a certain period.
But the most important benefit of a robust MDR-enabled approach is that security analysts are no longer limited to analyzing individual alerts and escalating them to the customer; they can take a step back to view an incident comprehensively and as part of an attack story.
MDR Lets You Investigate More Incidents, More Quickly, and More Thoroughly
This approach not only allows more anomalies to be detected but also enables more thorough investigations. Access to XDR dashboards unlocks new capabilities such as dynamic risk management and cyber hygiene reporting. The teams managing the process can quickly recognize whether they are dealing with an actual criminal attack or simply a user's application error, they can see whether only one computer or several users are affected, and they can judge how serious an attack is.
They can also see failed attacks – a sign that an attempt has been made to exploit a vulnerability, and a risk that the attacker will repeat the attempt at a later date. By analyzing large volumes of diverse data, anomalies and vulnerabilities are detected proactively rather than after the fact.
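The ingest-normalize-enrich-correlate pipeline described above, and the resulting view of an incident's scope (how many hosts and users are affected, which failed attempts belong to it), can be illustrated with a small script. The following is an added example and not Kudelski Security's code or any XDR product's logic: it takes constructed events from three hypothetical tools (an email gateway, an identity provider, and an EDR agent) in their own formats, maps them onto one schema, enriches them with a constructed asset inventory and user directory, and links events that share a user, host, or source IP within a time window into one attack story instead of presenting them as isolated alerts. The window length, the pivot keys, and all sample data are assumptions made for the example.

```python
"""Added example (not Kudelski Security's code): normalize events from three
different tools into one schema, enrich them with asset and user context, and
correlate them into attack stories instead of reviewing each alert in isolation.
All raw events, the asset inventory and the user directory are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import json

# Constructed raw telemetry in three source-specific formats (not real logs).
RAW_EVENTS = [
    ("email_gw", '{"ts": "2024-03-01T08:00:00", "rcpt": "alice@corp.example", "verdict": "delivered"}'),
    ("idp", '{"time": "2024-03-01T08:05:00", "user": "alice", "src": "203.0.113.7", "result": "success", "device": "LAPTOP-01"}'),
    ("edr", "2024-03-01T08:07:00 host=LAPTOP-01 user=alice event=process_start blocked=false"),
    ("edr", "2024-03-01T08:09:00 host=FILESRV-02 user=alice event=exploit_attempt blocked=true"),
    ("idp", '{"time": "2024-03-01T08:11:00", "user": "bob", "src": "203.0.113.7", "result": "failure", "device": ""}'),
    ("edr", "2024-03-01T15:00:00 host=LAPTOP-09 user=carol event=process_start blocked=false"),
]
# Constructed business context used for enrichment (hypothetical inventory).
ASSET_CRITICALITY = {"LAPTOP-01": "low", "FILESRV-02": "high", "LAPTOP-09": "low"}
USER_DEPARTMENT = {"alice": "finance", "bob": "finance", "carol": "engineering"}
CRITICALITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Event:
    ts: datetime
    source: str
    action: str
    outcome: str                      # "success", "failure" or "blocked"
    user: Optional[str] = None
    host: Optional[str] = None
    src_ip: Optional[str] = None

    def entities(self) -> set:
        """Pivot keys on which this event can be linked to other events."""
        return {(k, v) for k, v in (("user", self.user), ("host", self.host), ("ip", self.src_ip)) if v}


def normalize(source: str, raw: str) -> Event:
    """Map each tool's native format onto the common Event schema."""
    if source == "email_gw":
        d = json.loads(raw)
        return Event(datetime.fromisoformat(d["ts"]), source, "email_" + d["verdict"],
                     "success" if d["verdict"] == "delivered" else "blocked",
                     user=d["rcpt"].split("@")[0])
    if source == "idp":
        d = json.loads(raw)
        return Event(datetime.fromisoformat(d["time"]), source, "login", d["result"],
                     user=d["user"], host=d["device"] or None, src_ip=d["src"])
    if source == "edr":
        ts, *pairs = raw.split()
        f = dict(p.split("=", 1) for p in pairs)
        return Event(datetime.fromisoformat(ts), source, f["event"],
                     "blocked" if f["blocked"] == "true" else "success",
                     user=f["user"], host=f["host"])
    raise ValueError(f"unknown source {source!r}")


@dataclass
class Story:
    events: list = field(default_factory=list)
    entities: set = field(default_factory=set)
    last_ts: Optional[datetime] = None


def correlate(events, window=timedelta(minutes=30)):
    """Link events sharing a user, host or source IP within `window` into one story.
    A later event can bridge two earlier stories; those are merged."""
    stories = []
    for ev in sorted(events, key=lambda e: e.ts):
        linked = [s for s in stories if s.entities & ev.entities() and ev.ts - s.last_ts <= window]
        if not linked:
            linked = [Story()]
            stories.append(linked[0])
        story = linked[0]
        for other in linked[1:]:          # merge stories bridged by this event
            story.events += other.events
            story.entities |= other.entities
            stories.remove(other)
        story.events.append(ev)
        story.entities |= ev.entities()
        story.last_ts = ev.ts
    return stories


def summarize(story: Story) -> dict:
    """Enrich with business context and describe the story's scope, not single alerts."""
    evs = sorted(story.events, key=lambda e: e.ts)
    hosts = sorted({e.host for e in evs if e.host})
    users = sorted({e.user for e in evs if e.user})
    return {
        "hosts": hosts,
        "users": users,
        "departments": sorted({USER_DEPARTMENT.get(u, "unknown") for u in users}),
        "max_criticality": max((ASSET_CRITICALITY.get(h, "low") for h in hosts),
                               key=CRITICALITY_RANK.__getitem__, default="low"),
        # Failed or blocked steps stay in the story: they show attempts likely to be repeated.
        "blocked_or_failed": sum(e.outcome in ("blocked", "failure") for e in evs),
        "span_minutes": int((evs[-1].ts - evs[0].ts).total_seconds() // 60),
        "steps": [f"{e.ts:%H:%M} {e.source}:{e.action}={e.outcome}" for e in evs],
    }


def build_stories(raw_events=RAW_EVENTS):
    events = [normalize(src, raw) for src, raw in raw_events]
    return [summarize(s) for s in correlate(events)]


if __name__ == "__main__":
    for story in build_stories():
        print(json.dumps(story, indent=2))
```

Run on the constructed input, the six alerts collapse into two stories: one spanning two hosts and two finance users, with a blocked exploit attempt on a high-criticality server and a failed login from the same source IP attached to it, and a second, unrelated story for a single user later in the day. Seen one alert at a time, the blocked attempt and the failed login would have been easy to close as noise; in the story they read as steps of the same activity and raise its severity.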
Beyond MDR Cybersecurity Approaches
This innovative approach to security, built on a turnkey MDR solution, enables companies of any size to augment their in-house security. Actionable insights, security visibility, and better outcomes are driven by the support of an expert team with a dedicated focus on understanding not just the client’s business context, but also the broader threat landscape and evolving security technology, and on removing the complexity of effective 24/7 threat detection and response.
But to be truly effective, companies should not stop with MDR. MDR needs to be complemented by additional services and programs that build resilience such as offensive and defensive security testing.
Conclusion: New Security Approaches for a New Era
With the dissolution of an organization’s cybersecurity perimeter, the continuous emergence of new specialized security controls, and an increase in the attack surface, the stakes are higher than ever before. What’s needed is a new data-driven approach that delivers advanced analytics from a single platform. This approach is a compelling answer to the challenge of rapid threat detection and response.
The power of attack stories cannot be underestimated: security teams no longer need to process alerts and users one by one. They now have a holistic view of the incident – across departmental and national boundaries as well as time zones. This is a game-changer. The faster and more targeted defensive measures that attack stories enable – unlike the traditional SOC-based approaches – have a material impact on a company’s ability to minimize the impact of a breach and move the needle on risk.
That’s why, at Kudelski Security, our MDR services are powered not by a traditional SOC, but by the Cyber Fusion Center, a next-generation SOC which operates 24/7 and is staffed by a team of security experts, threat hunters, and incident responders. Request a consultation to see how our Cyber Fusion Center can benefit your business.