Light Dark
December 3, 2020 By Miranda Ritchie 3 min read
Risk Management
Security Services

This is the third in a five-part blog series on managed detection and response as it drives strategic security outcomes for businesses.

In this multipart blog series, we’re exploring how effective managed detection and response (MDR) services help organizations achieve their goals. MDR services can lead to four key strategic security outcomes:

  • Align your security strategy to your business
  • Protect your digital users, assets and data
  • Manage your defenses against growing threats
  • Modernize your security with an open, multicloud platform

In part 1, we discussed alignment. In part 2, we discussed protection. Here, we take a look at the management side.

MDR Services Help Face Growing Threats

Like any military leader will tell you, your defenses are only as good as your visibility. A good MDR services provider should do more than just threat detection, prevention and response; they must help you manage your environment better.

Asset Inventory

For threat management to be effective, it’s essential to know and understand your assets, as well as their relative importance to your line of business. The Center for Internet Security recommends a baseline hardware and software inventory as one of the most basic controls. As noted in the first installment of this series, prioritizing which assets are most important is key. This directly impacts which alerts should get attention first and which hosts should get the most aggressive protection policies. MDR services can help with this.

Prioritizing your most important assets also helps you figure out how you should orchestrate your response playbooks. An alert on a server is more important than an alert on a workstation, for instance. However, you need to balance the risk of containing a server-based threat with the impact of stalling key business functions if that server was isolated. You may be OK with removing one workstation from the network, but what if it’s the CEO’s laptop?

Outside of prioritization and response, a solid asset inventory benchmark is important to spot any visibility or control gaps. Are there assets in which you can’t install endpoint detection and response (EDR) tools, such as for legacy reasons? Or maybe you can install it, but don’t have control over that asset or part of the network in order to respond to a threat located on it. Often, when dealing with clients that have a global presence, you may be working with more than one team or resolver group depending on their location. Is your MDR services provider flexible in cases like this?

Asset management and prioritization may seem complex, but it is the foundation for improved threat management.

Data Management

Once you’ve achieved visibility into all of your assets, it’s time to decide how to manage the telemetry obtained from them. Most EDR products store data in the cloud, but some offer on-premise solutions. Often, they also generate highly sensitive, personal data, such as usernames and passwords. For compliance, data residency or other reasons, it’s imperative to understand what data is collected, where the data is stored, who has access and how it’s deleted.

Agent Optimization

Another facet to consider is agent optimization. Many MDR services providers focus only on threat management. Don’t forget about basic care and feeding. Making sure your sensors are healthy, available and running the correct version contributes to giving you the best possible threat management experience. If a sensor stops reporting in, then you have a blind spot. Do you have a plan to identify and fix these problems before they become a bigger issue? In terms of upgrades, what is your plan to deploy to a test group and verify it before completing a full-scale rollout?

When considering agent management, think about the partnership with the product vendor, as well as how that ties in to future threat defense. What is the plan for testing and enabling new product features and functions? What about in the case of features and functions that may require more work before using them safely and swiftly across the entire landscape?

Preventing Downstream Problems

While the practices described above may seem like basic hygiene measures, not doing them will cause a bigger headache down the road. We have seen clients who suffered a breach because the endpoints affected stopped reporting in and introduced a visibility gap. This allowed an attacker to expand their footprint unnoticed. We’ve seen others who failed to complete essential product upgrades, which caused performance and stability issues on the endpoints and resulted in disabling key functions. A good MDR services provider should be able to assist you with overall best practices in managing assets and agents to give you the best possible threat protection.

Developing Your MDR Services Management Plan

Proper management requires a partnership between MDR services providers who manage the agents and clients who own the endpoints. Some questions to ask your MDR services provider could include:

  • How can I pinpoint and document my key assets, users and data?
  • What customization options do you offer for response playbooks and incident routing?
  • Do you offer a solution to meet data localization requirements?
  • How are you ensuring the health and availability of my agents?
  • What is your process for upgrades, testing and verification and enabling of new features?

Stay tuned for Part 4 of this series to explore how to modernize your security with a hybrid multicloud environment, and learn more about IBM Security Managed Detection and Response Services.

 | 
Miranda Ritchie
Global Service Delivery Executive, IBM Security

More from Risk Management
November 21, 2024

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

November 20, 2024

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

November 15, 2024

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature