Managed Detection & Response: Prevention is Not Enough, You Need to Become Cyber-Resilient

Pablo Alarcón Padellano    25 January, 2018

You want your organization to be cyber-resilient but you have no means?

You have advanced security solutions in place, but you lack skilled staff trained to take advantage of them?

You are unable to detect and respond to a security breach and you fear the consequences for your business of the NIS and GDPR legislation?

If you are concerned about these issues, so are we, and that is why we have been working with our skilled analysts, Test Lab and Strategic Partners to offer our customers a Managed Detection and Response service that goes beyond the traditional approaches.

Most information security professionals in Europe believe a cyber attack will breach critical infrastructure across multiple countries within the next two years, according to Black Hat’s annual report¹ “The Cyberthreat in Europe”. Security professionals in Europe feel they do not have the time, budget, or staff to meet the growing security challenges and the additional burdens imposed on them by regulations such as GDPR and the NIS Directive:

  • Nearly two-thirds of the respondents believe it is likely their organizations will have to respond to a major security breach in the next 12 months.
  • 62% say they do not have enough security staff to defend adequately against modern cyberthreats. In fact, just 38% say they are adequately staffed on the security front.
  • 39% believe that a lack of required skills is the primary reason why security strategies fail (skills shortage).
  • Nearly 6 in 10 of the respondents believe they do not have the budget to defend adequately against current and emerging threats.
  • 29% said the largest portion of the budget went toward compliance-related tasks. Measures for dealing with targeted attacks ranked only third.

A traditional Security Operations Center (SOC), using blocking, monitoring and vulnerability management techniques, can mitigate up to 90% of attacks. The remaining 10%, sophisticated attacks aimed directly at the organization, are the main concern for 48% of security professionals, according to the Black Hat report.

Threat hunting helps with threats that bypass both preventative and detective controls, and enables organizations to uncover threats that would otherwise remain hidden. According to Gartner’s threat hunting report², hunting success relies on mature security operations center (SOC) and cyberincident response team (CIRT) functions. McAfee³ reached the same conclusion at the end of July in its new report “Disrupting the Disruptors, Art or Science?”, which investigated the role of cyberthreat hunting and the evolution of the security operations center (SOC).

The study found that 71% of SOCs with a level 4 maturity closed incident investigations in less than a week because of the context provided by skilled threat hunters.

These organizations were twice as likely to automate parts of the attack investigation process, and they devote 50% more time to actual hunting.

Perhaps the SOC of your organization already covers SIEM, IDP, vulnerability management and other areas effectively. However, the next phase of maturity is to build the APT Threat Hunting capability. Gartner⁴ uses the term Managed Detection and Response Services (MDR) for the new security service providers that focus on detecting previously undetected threats that have breached an organization’s perimeter and are moving laterally through the IT environment. Gartner recommends augmenting existing security monitoring capabilities to address gaps in advanced threat detection and incident response, and anticipates that by 2020, 15% of midsize and enterprise organizations will be using services like MDR, up from less than 1% today.

Do you have the ability to detect threats within your organization? When do you detect them?

According to the latest SANS Institute report⁵ on effective threat hunting, the chances are very high that hidden threats are already in your organization’s networks. Organizations discover security breaches internally in only 53% of cases; the remaining 47% are reported to the organization by an external third party, according to the latest FireEye M-Trends 2017 report⁶. The median dwell time (the time a threat actor spends in an environment before being detected) for EMEA organisations is 106 days.

When do you have proof in your organization that you have a security breach? Can you detect it by yourself, or by third parties? You may need to accelerate your advanced threat detection capabilities through an MDR service.

As of May 2018, the operators of essential services (OESs) and digital service providers (DSPs) identified by the NIS Directive, and the controllers and data processors identified by GDPR, will have to take appropriate security measures and notify serious incidents to the relevant national authority. In the case of the NIS Directive, breach notifications must be made “without undue delay⁷”, and in the case of GDPR also “without undue delay and, where feasible, not later than 72 hours after having become aware of it⁸”.

What can constitute an undue delay? What happens if your organization has been breached, but is not aware of this fact due to lack of care? The regulation is deliberately vague to allow a wide range of possible eventualities, and this is where having a complete process of detection and response shows its value, because all this information must be explained to the competent authority or the CSIRT.

In relation to the security measures to be adopted under the NIS Directive and GDPR, each states that, “having regard to the state of the art¹⁰” or “taking into account the state of the art” respectively, these measures will guarantee a level of security of networks and information systems (NIS) and of data protection (GDPR). Artificial Intelligence (AI), automated threat detection and proactive threat hunting are powerful tools that businesses need to leverage if they are going to stand a chance of meeting the new requirements set out by the NIS Directive and GDPR. And if you do not have your own means, there are already MDR services available in the market that offer specific experience to support organizations seeking to improve their threat detection and response capabilities.

ElevenPaths’ Managed Detection & Response

Organizations can’t afford to believe that their security measures are perfect and impenetrable, no matter how thorough their security precautions might be. Having a perimeter and defending it are not enough because the perimeter has faded away as new technologies and interconnected devices have emerged.

The objective should therefore be to reduce the window of exposure to a potential security breach and to shorten the tasks that currently take a lot of time, so as to allow rapid detection and action and to manage risks appropriately (cyber-resilience). Companies need to reduce threat identification and response processes from years, months and weeks to just hours and minutes.

As part of our Cybersecurity Services, we offer our Customers our Managed Detection & Response services, based on skilled and specialized security analysts focused on Endpoint Detection & Response (EDR) for advanced malware and targeted attacks, and high value Indicators of Compromise (IoCs) for early identification of sophisticated threats.
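The IoC-based early identification mentioned in the service description above, together with the dwell-time metric from the M-Trends discussion, is illustrated by the following added example (it is not ElevenPaths’ code or any product's). It runs a retrospective IoC sweep over constructed endpoint telemetry, reports the earliest hit per host, derives the dwell time relative to the moment the breach was detected, and computes the 72-hour GDPR notification deadline. The telemetry line format, the hostnames, the hash and domain indicators, and the detection timestamp are all made up for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed IoC set: placeholder values invented for this example,
# not real indicators from any threat-intelligence feed.
MALICIOUS_SHA256 = "a" * 64
IOC_SHA256 = {MALICIOUS_SHA256}
IOC_DOMAINS = {"c2.example.invalid"}

# Constructed endpoint telemetry, one event per line:
#   <UTC timestamp> <host> <event type> <key=value ...>
SAMPLE_TELEMETRY = "\n".join([
    f"2018-01-02T08:15:00Z ws-017 process_start path=C:\\Users\\a\\tmp.exe sha256={MALICIOUS_SHA256}",
    "2018-01-02T08:16:03Z ws-017 dns_query domain=c2.example.invalid",
    "2018-01-03T10:00:00Z ws-042 dns_query domain=updates.example.com",
    "2018-01-20T14:30:00Z ws-042 dns_query domain=c2.example.invalid",
    f"2018-01-21T09:05:00Z ws-042 process_start path=C:\\Windows\\notepad.exe sha256={'b' * 64}",
])

# Hypothetical moment the organization became aware of the breach.
DETECTED_AT = datetime(2018, 1, 25, 9, 0)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    fields: dict


LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_event(line: str) -> Optional[Event]:
    """Parse one telemetry line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_text, host, kind, rest = m.groups()
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    # key=value pairs; values containing spaces are not handled in this toy format.
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return Event(ts, host, kind, fields)


def ioc_hits(event: Event) -> list:
    """Return the reasons an event matches the IoC set (empty list if clean)."""
    reasons = []
    if event.fields.get("sha256", "").lower() in IOC_SHA256:
        reasons.append("sha256:" + event.fields["sha256"])
    if event.fields.get("domain", "").lower() in IOC_DOMAINS:
        reasons.append("domain:" + event.fields["domain"])
    return reasons


def sweep(telemetry: str, detected_at: datetime) -> dict:
    """Retrospective IoC sweep: earliest matching event per host and the resulting dwell time."""
    result = {}
    for line in telemetry.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = ioc_hits(ev)
        if not reasons:
            continue
        entry = result.setdefault(ev.host, {"first_seen": ev.ts, "hits": 0, "reasons": []})
        entry["hits"] += 1
        entry["reasons"].extend(reasons)
        if ev.ts < entry["first_seen"]:
            entry["first_seen"] = ev.ts
    for entry in result.values():
        # Dwell time: how long the actor was present before the breach was detected.
        entry["dwell"] = detected_at - entry["first_seen"]
    return result


def notification_deadline(aware_at: datetime) -> datetime:
    """GDPR: notify the competent authority not later than 72 hours after becoming aware."""
    return aware_at + timedelta(hours=72)


if __name__ == "__main__":
    for host, e in sorted(sweep(SAMPLE_TELEMETRY, DETECTED_AT).items()):
        print(f"{host}: first IoC hit {e['first_seen']:%Y-%m-%d %H:%M}, "
              f"dwell {e['dwell']}, hits={e['hits']}, reasons={e['reasons']}")
    print("GDPR notification deadline:", notification_deadline(DETECTED_AT))
```

The sweep is deliberately retrospective: the point of matching high-value IoCs against historical endpoint telemetry is that the first hit, not the alert that finally fired, fixes the start of the dwell-time window and therefore the scope of what has to be explained to the competent authority.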

ElevenPaths is an Affiliate Member of the Cyber Threat Alliance, contributing to the development of a new, automated threat intelligence-sharing platform to exchange actionable threat data, and also an Associate Partner of the No More Ransomware initiative, which aims to disrupt cybercriminal businesses with ransomware connections. Please stay tuned to discover soon what new solutions and alliances with state-of-the-art Partners we add to our Managed Detection & Response services.
