Today I want to talk about managed detection and response. In 2016 Gartner published a paper introducing a new term, managed detection and response. Their research indicated that the traditional approach to managing threats inside corporate networks had huge deficiencies. The challenge they were facing, and everyone faces, is that prevention only gets you so far. In order to prevent an attack you generally have to know about the attack. You have to either know about the bad guy or know about his weaponry, and you have to know about all of the vulnerabilities that exist inside your infrastructure, and you don't have perfect knowledge of that.
Prevention is useful because there are a lot of bad things we know about. The traditional approach keeps those things out of the network, the things that we at eSentire consider background radiation. Detecting the threats that get past the traditional prevention technologies is the key focus of managed detection and response. We make the assumption that bad things are going to get in. Your job is to identify when that's happened, investigate, respond, and keep that incident small. It's critical to have a human analyst, a skilled human cyber security professional who can use the forensics capabilities to take a gray signal, enrich it, investigate it, and decide what the right course of action is going to be.
The traditional approach with MSSPs has been largely about managing devices, consuming logs, and generating some insights from those logs. The hunter is a critical part of managed detection and response. You can't do managed detection and response without having great human analysts. The trick, and the real challenge for those in this space, is to do this efficiently: have high efficacy so we can investigate the threats, drill down, and take the right action, but do it in an efficient way. This is why we focus on our SOC infrastructure and on enrichment of those core signals, the ability to take something that might be dangerous but that we don't know about yet. It could be something as simple as SSH running over port 80. Maybe that's evasion behavior. Maybe that's a piece of malware trying to trick its way to a command and control connection through the firewall. Maybe it's totally innocuous. Maybe it's an Adobe update that has some sort of new weird capability.
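The SSH-over-port-80 gray signal above is exactly the kind of thing a SOC pipeline should surface and enrich before a human looks at it. The following is an added example, not eSentire's code or tooling: it flags port/service mismatches in constructed, simplified Zeek-style connection records and attaches a triage verdict using a hypothetical allowlist of known software-update hosts (all names and addresses are constructed).

```python
"""Flag protocol/port mismatches (e.g. SSH on tcp/80) in constructed,
simplified Zeek-style conn records and enrich each hit for analyst triage."""
from dataclasses import dataclass

# Service normally expected on each well-known destination port
# ("ssl" is Zeek's service label for TLS).
EXPECTED_SERVICE = {22: "ssh", 53: "dns", 80: "http", 443: "ssl"}

# Hypothetical enrichment source: destination names known to carry legitimate
# non-standard traffic (constructed for this example; a real SOC would feed
# this from vendor/update-infrastructure intelligence).
KNOWN_UPDATERS = {"updates.example-vendor.invalid"}

@dataclass
class Verdict:
    uid: str
    dst: str
    port: int
    service: str
    action: str  # "escalate" (analyst now), "review" (log, lower priority), "none"

def parse_conn(line):
    """Parse a tab-separated record: uid, src, dst, dport, service, resolved_name.
    Zeek writes '-' when it could not identify the service or name."""
    uid, src, dst, dport, service, name = line.rstrip("\n").split("\t")
    return {"uid": uid, "src": src, "dst": dst, "port": int(dport),
            "service": service, "name": name}

def triage(rec):
    """Compare the service actually observed on the wire with what the port implies."""
    expected = EXPECTED_SERVICE.get(rec["port"])
    if expected is None or rec["service"] in ("-", expected):
        return Verdict(rec["uid"], rec["dst"], rec["port"], rec["service"], "none")
    # Mismatch: the port says one protocol, the payload says another.
    # Enrichment decides how loudly to raise it, never whether to drop it.
    action = "review" if rec["name"] in KNOWN_UPDATERS else "escalate"
    return Verdict(rec["uid"], rec["dst"], rec["port"], rec["service"], action)

def triage_log(lines):
    """Return only the records that need a human to look at them."""
    return [v for v in (triage(parse_conn(l)) for l in lines) if v.action != "none"]

# Constructed sample records (RFC 5737 documentation addresses).
CONSTRUCTED_LOG = [
    "C1\t10.0.0.5\t203.0.113.7\t80\tssh\t-",                              # SSH on 80: escalate
    "C2\t10.0.0.5\t203.0.113.8\t80\thttp\t-",                             # normal web traffic
    "C3\t10.0.0.6\t198.51.100.2\t443\tssh\tupdates.example-vendor.invalid",  # mismatch, known updater
    "C4\t10.0.0.7\t198.51.100.9\t8443\tssl\t-",                           # port not in table
    "C5\t10.0.0.7\t192.0.2.3\t53\t-\t-",                                  # service unidentified
]

if __name__ == "__main__":
    for v in triage_log(CONSTRUCTED_LOG):
        print(f"{v.uid}: {v.service} on tcp/{v.port} to {v.dst} -> {v.action}")
```

The "review" verdict keeps the Adobe-update case from paging an analyst at full priority while still leaving a record to hunt through; nothing is silently suppressed.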
Until you investigate that, you don't know, and there's no way your firewall is ever going to be able to figure that out. If you're the CTO or IT director at a midsize organization and you're responsible for cyber security, you've got a tough job. No question about it. There's a lot of complexity you need to manage, and you don't have a lot of resources. The skills required to actually manage cyber security effectively are in short supply. You're typically going to be looking for a capable partner to help you through this.
Our focus is entirely different from the traditional MSSP world, and it works. This is why our clients are constantly reassured by the fact that our SOC is finding things and taking action on them, and at most, the disruption is typically "I have to reimage a laptop." The CTOs and IT directors in our client portfolio will take that all day, every day, rather than the FBI showing up at their door with a petabyte of their client data.