Emerging from the traditional managed security service provider (MSSP) model, Managed Detection and Response (MDR) is an answer to the fact that threat actors have increased their ability to circumvent traditional detection measures. As early as 2011, MDR emerged (uncategorized at the time) with a single guiding principal: Acknowledge that a breach will happen. When it does, minimize threat actor dwell time to reduce risk.
However, as the MDR market has evolved, four criteria remain constant as key to minimizing threat actor dwell time in the event of a breach: visibility, fidelity, detection capabilities and response. When these criteria are measured against in-house resources, risk tolerance and available budget, they can be used to choose the appropriate MDR vendor based on your organizational requirements.
To help organizations make an informed cybersecurity solutions choice, eSentire has authored, The Definitive Guide to Managed Detection and Response (MDR) (and this blog series) which examines seven categories of MDR providers, measured across four criteria, which include:
- Visibility: Signal sources such as endpoints, IPS/IDS, logs, cloud, vulnerabilities, etc.
- Fidelity: The depth of information provided by each of the signal sources
- Detection capabilities: Ability for the provider to detect known and unknown attacker methodologies using commoditized and advanced methodologies
- Response: Delineation of provider and client responsibilities from investigation, alert, containment and recovery
MDR Category #1 - SOCaaS/Managed SIEM
SOCaaS/Managed SIEM providers offer a cost-effective, but limited-capability, option to organizations that are looking to outsource expertise but have limited budgets.
Profile
Security Operations Center as a Service (SOCaaS), also referred to as Managed SIEM, is a category of MDR provider commonly exemplified by MSSPs that are evolving services from alert-driven to more comprehensive coverage across the IR Lifecycle. Capitalizing on the breadth of log visibility, SOCaaS/Managed SIEM providers offer a cost effective option to organizations that are looking to outsource expertise but have limited budgets.
Coverage
- Breadth across network signals and technologies (including cloud providers with available APIs)
Strengths
- Use of best-in-class SIEM technology
- Can offer ability to bring your own SIEM
- APIs for log visibility across a wide breadth of signal sources
- Can offer automated known threat response via APIs
- Proven development and use of runbooks
- Established SOCs with global coverage
- Established investigation processes
- Detailed portals and visualizations
- Meets broad level of regulatory requirements
- Lower-cost provider
Weaknesses
- Newer entrants to MDR market; relatively inexperienced
- Require high client-side resources to complete investigation, correlation and confirmation of threat presence
- Limited visibility beyond logs
- Limited signal fidelity
- Limited forensic and correlation capabilities
- Typically, limited threat hunting coverage
- Higher incidence of false positives
- Limited maturity in advanced detection responsibilities
- Limited IR Lifecycle coverage
- Limited scope can lead to longer threat actor dwell time
Questions and considerations:
- Does log data alone provide appropriate visibility across current and future network infrastructure? What else is required to manage and provision to complete the missing visibility?
- Does log data provide the appropriate depth of data that covers the contextual threat landscape?
- Does the MDR provider have integrated automated response for known threats available via APIs?
- How can data be ingested into existing technologies and processes to facilitate additional client-side investigation?
- Does the provider have adequate detection capabilities that enable detection of known and unknown threats?
- How will threat hunting be conducted? Are additional internal resources required to conduct forensic investigation and confirm threat presence in a timely manner?
While this blog provides a snapshot of one category of MDR, the intricacies and interdependencies are the varying types is complex. To learn more about the strengths and weaknesses for each of the seven MDR categories and how you can make an informed decision about what MDR solution best suits your organization, download The Definitive Guide to Managed Detection and Response (MDR) here: https://www.esentire.com/resource-library/the-definitive-guide-to-managed-detection-and-response-mdr
