Data breaches and cyberattacks have become so commonplace that they barely elicit a reaction, unless it’s a new type of attack or an especially large or well-known entity (like Yahoo! or the Democratic National Committee) is the victim. But organizations are (or should be) paying close attention to cyberattacks, and with good reason. Here is just a partial list of potential outcomes:
- Ransomware attacks, where your data is locked up and may be stolen or permanently destroyed, even if you pay the ransom;
- DDoS attacks that take your websites and systems offline;
- Loss of data, including health records, credit card information and intellectual property;
- Stolen funds, often through targeted phishing scams.
The Challenges of IDR (Incident Detection and Response)
Why do so many organizations fall victim to these attacks? The most common reason is that they failed to detect, and then remediate, a threat in a timely fashion. Global median dwell time (the interval between initial compromise and detection) dropped from 146 days in 2016 to 99 days in 2017. Nevertheless, a head start of more than three months for the typical intrusion, and longer still for half of them, does not bode well for defenders.
I’m not pointing these things out to berate anyone or to cause panic. Breach identification is, frankly, a huge challenge. Few organizations have the people, let alone the technologies, to pick suspect files or incidents out of the millions of packets and sessions that enter, leave or traverse a network.
Moreover, even organizations with robust security budgets lack the time needed to continuously monitor their networks for incidents. The recently released SANS 2017 Security Awareness Report states:
This year we … discovered that time, not budget, is the critical resource for success. … We define [time] as the combined effort of people who contribute to an awareness program, measured as total number of full-time employees (FTEs). For example, if you have two people each working half time on your awareness program, combined their efforts are one FTE. Far too many organizations view awareness as a part-time job, crippling their awareness team’s ability to effectively get things done. We found the minimum number of FTEs required to change behavior at an organizational level was 1.4 FTEs, while the most successful awareness programs had at least 2.6 FTEs dedicated to awareness.
Simply hiring more FTEs doesn’t necessarily solve this problem. A single additional hire moves an organization only a fraction of the way toward the staffing level SANS describes, and most of those FTEs have other responsibilities besides full-time awareness of potential threats.
Why You Need MDR
Managed detection and response (MDR) is a fairly new category of service, and one that is often confused with other managed security services. But MDR is pretty much what its name says. An outside provider takes over the job of detecting threats and either supplies response directives to the client or handles remediation directly. Research firm Gartner writes in its 2017 report that MDR services “focus on threat-detection-only use cases, especially attacks that have bypassed preventative security controls.” In other words, an MDR provider manages the detection and remediation process with a thoroughness that is hard to replicate in-house, and at a price well below that of hiring enough additional incident responders to close the time gap SANS describes.
But choosing the right MDR partner isn’t straightforward. Many vendors, including anti-virus software vendors and MSSPs, are flooding the MDR space, bolting on services that don’t necessarily add up to effective incident detection and response. My upcoming series of posts will discuss MDR in more detail and help you choose the best MDR partner for your organization’s needs. Stay tuned!