Security tools can be an extremely confusing topic. All organizations know that they need to protect themselves from cyber threats, but it can be hard to differentiate between the myriad of acronyms and offerings available in the I.T. industry.
One of the most important, but also complicated tools in I.T. security, is Managed Detection and Response (MDR). I sat down with NetGain’s Director of Security Scott Logan, and Arctic Wolf Systems Engineer Tim Smoot, who between them have more than 50 years of I.T. security experience, to learn just what Managed Detection and Response is – and what it isn’t.
What Is Managed Detection and Response?
Managed Detection and Response is a security tool that monitors and reports on the events in your organization’s technological environment. On its own, however, the tool only collects and reports data; it does nothing beyond that. Scott and Tim expand on the definition below.
MDR as a Standalone Tool vs. Utilizing a Security Team behind MDR
Scott: Managed Detection and Response is a tool that provides you with an understanding of threats within your enterprise. The better MDR tools also have security analysts that sit alongside the tool. These individuals provide you with more understanding, direction, and responsibility for how to remediate threats that are identified. In some cases, because they are looking for behaviors in the data, the analysts can be active in their threat analysis.
Tim: That’s exactly what I wanted to say; mixing the word “proactive” in with MDR can be tricky. A traditional off-the-shelf MDR tool is going to look for very specific things, and it is going to be a reactive tool. You can add the people and process to the MDR deliverable, so now it’s an active tool. It can be reactive and active, but it’s not proactive.
Maddie: I think if you look at the name, Managed Detection and Response, you’re looking to detect specific things in order to respond to them, so that process can’t really ever be proactive, would you all agree?
Scott: Yes. It has to identify a threat, so therefore the threat exists, and then you have to react to [the threat]. Therefore it cannot be proactive. If analysts are actively looking for threats before they become threatening, then it’s an active approach, but it is still not a proactive approach.
Tim: When you have someone watching the tool in that active component, you’re looking for indicators of compromise (IOCs). They could see a couple of indicators of compromise before there truly is a compromise, so in that vein, it is less of a reactive approach. However, that can only be leveraged if the MDR tool is being watched by a security analyst.
Scott: Right. And in most cases, when an MDR tool is structured, it only knows what it knows; it can only see what is turned on. When you have a security team behind that tool who can say, “Hey, we need to turn X on so we can become more aware of your enterprise,” that becomes an effective MDR process.
Maddie: So, if you had to break down MDR without technical jargon, how would you explain it?
Tim: If you think about it in terms of your pantry: if you look in your pantry and see flour, baking powder, sugar, and pie filling, you don’t see a pie. You know you have the components of a pie, but you don’t see a pie. MDR is looking for those different ingredients, but until that threat is a “pie,” the tool itself is not going to recognize it as that. If you have security analysts on the back end, however, they can look at the individual ingredients (individual threat components) and see a pie.
MDR tools based on Artificial Intelligence (AI) and machine learning have large downfalls. Those tools only know what they’ve been taught; they have no ability to dynamically find an intrusion or a threat. Most MDR tools leverage AI for something, because it is beneficial, but it cannot be the core tenet of the tool. If it is, it is already behind and has no ability to keep up with dynamic threats. You cannot separate from that active component that uses security analysts and truly have a real MDR tool. Without the active layer, the tool is really more Detection and Response; there is no management behind it.
MDR In Your Organization’s Security Plan
Maddie: There are so many cyber security tools available to organizations today. When looking at level of importance, where does MDR fall?
Tim: An MDR solution should be the first step in creating an organization’s security posture. It is the most critical aspect of security. Risk is a close second, but MDR should come first, as it acts on current threats. It will be a big investment from a cost perspective. It is also going to be the most traumatic, because in many implementations a threat will be found, which is traumatizing. With MDR you’re going to be introduced to the concept of maintaining a security posture, because MDR tools will constantly be showing you where you are lacking and that you must make changes.
What Managed Detection and Response Isn’t
In this series of questions, Scott, Tim, and I discussed the common misconceptions around MDR. I’ve summed them up below with our experts’ comments.
#1: MDR Isn’t Less Work for Your I.T. Team
Tim: If you deploy a traditional MDR tool off the shelf, without security analysts, it is going to mean more work for your I.T. people, not less, because they have a lot more information they have to look at very specifically now.
Scott: MDR tools are just feeding you a ton of data; they don’t differentiate between what is real versus a false positive, so they magnify the amount of work your team has to do by a lot. When you implement an MDR tool, your I.T. team has to assess all of that information.
An MDR tool has to have a Security Operations Center (SOC) to be effective, and it has to be a mature SOC. A SOC with 20-25 engineers is not enough to look at all the components of one organization’s system. You need hundreds of engineers to keep an eye on the entire system, which is why we recommend purchasing an MDR solution that has a team of security experts ready to help you.
#2: Other Security Tools Get Mistaken for MDR
Scott: MDR doesn’t manage your environment’s perimeter; it is not your managed firewall program. It does not turn on and turn off “things” that are going on in your firewall. MDR will look at your logs and give you information on what is occurring in your firewall, but it doesn’t have control of the firewall. A common question I get is: “If I implement MDR, can I get rid of my managed firewall program?” And the answer is no, because that does have control over the firewall where MDR does not.
MDR is also not Endpoint Detection and Response (EDR). EDR is limited to the endpoints of the network. MDR is an umbrella over the entire network; it is not limited to the endpoints; it’s enterprise-wide.
Tim: A catch-22 in the security industry is that people think they have a choice between running an MDR tool and a Managed Risk tool. One does not do the other, and they are two pieces of the security posture equation. Risk is different from identifying active threats.
Another tool that gets confused with MDR is Managed Security Information and Event Management (SIEM), but it is not the same as MDR. The SIEM should be a consequence of the MDR solution, but it is not the entire MDR solution. Having the SIEM is like buying a car – you need tires with your car; you need a SIEM with your MDR; you have to have both for the tools to work properly.
#3: MDR Isn’t Inexpensive
Tim: It’s important to recognize that since MDR is a large investment, you get what you pay for. MDR tools that are less expensive are typically not going to look across your entire system. An MDR tool with limited visibility hampers the effectiveness of detecting and responding to threats. An MDR tool and security team should truly believe that information is power and be willing to ingest each and every log that a customer can send to them. Since this tool is such a big investment, you want to make sure it’s as comprehensive as possible. With the diverse and confusing market space of security tools, lots of customers are sold insufficient tools compared to what they really need. This is especially true when customers are sold less expensive tools that fall short in the amount of information they can process.
While MDR can be a confusing topic, the more you are informed by an experienced security professional, the better you can understand the tool and how to leverage it to protect your organization.