In recent years, managed detection and response (MDR) has evolved significantly in its ability to reduce organizations’ risk of cyberattacks proactively. In the recent 2024 IDC Worldwide Managed Detection and Response Vendor Assessment, respondents noted that employees of MDR providers felt like extensions of their own teams.
An MDR vendor lowers network vulnerability by using tools such as the SIM and endpoint event logs to manage security controls. In addition to using such tools, the MDR teams monitor the endpoint devices and correlate that endpoint activity with telemetry and signals from other controls. When suspicious behavior is spotted through threat hunting and triaging, the team prioritizes where to target threat actors proactively.
Because an MDR cannot detect every single attack, the goal is to give the company — through an attack life cycle or an attack path — more high-fidelity detection opportunities to spot an attacker. For example, an effective MDR vendor can more quickly spot a cyber criminal who has elevated their permissions and is going after sensitive data. With the extra time gained, the vendor can often evict the criminal before a breach of the data set or service disruption.
Ensuring the MDR is set up most effectively through red-teaming
Chris Thompson, Global Head of IBM X-Force Red at IBM, says that some companies simply install an MDR and leave it. However, you must ensure that the MDR is optimized for your environment, such as ingesting the right logs and using the correct custom-built manual detection alerts on top of the SIM. He recommends using both red teaming and MDR as part of a proactive cybersecurity approach.
“With red teaming, you are getting a sparring partner to evaluate whether or not the security controls that the MDR team manages are working as intended,” says Thompson. “Red teaming can provide validation that a particular tool is working correctly or identify that it hasn’t been deployed correctly. It also can determine if a tool hasn’t been tuned and customized to the environment correctly.”
How red teaming evaluates your MDR
Many mistakenly assume that a complicated network means attackers will struggle to get up to speed on how to target an internal system. For example, a bank with a capital markets division may think that its complex networks make it too hard for a cyber criminal to steal trading algorithms or access trade data.
“Red teaming challenges these assumptions on how well protected a network is. It also tests if the security controls that are in place are configured and operating correctly as well as whether the monitoring teams are effective,” says Thompson.
Red teaming, which typically takes one to three months, depending on the complexity of the objectives, simulates an advanced adversary and validates if the key elements of the network are working correctly. The team starts by evaluating the threat actor groups that are typically targeting the industry and interested in a certain subset of data or disruption of service. Next, the team ensures that they can detect the least sophisticated threat actors likely to be targeting the company.
This happens by simulating a threat actor at various levels of sophistication to get a feel for the level of maturity and the effectiveness of the controls. The results of these simulations show where the team needs to focus remediation efforts and how to proactively identify gaps, such as not receiving telemetry from a portion of devices on your network.
Thompson says that his team commonly sees miscommunication between MDR vendors and the internal blue team. With a realistic end-to-end attack, they can show that a team didn’t hand off the alert properly or the team didn’t configure event logs to be correctly ingested. He finds that proactively identifying the gaps revealed in a simulated attack can prevent vulnerabilities from leading to serious real-world issues in the event of a compromised network.
“Over time, red teaming works to mature your ability to detect and respond to more and more sophisticated threat actors as you mature your internal security program,” says Thompson. “The goal is to ultimately reduce the time it takes to spot and evict an attacker that successfully gains a foothold in your network, for example, by spear phishing or compromising an externally exposed service.”
Further reducing vulnerabilities through AI
AI in cybersecurity is often viewed as a two-edged sword. On one hand, the offensive attackers are using AI to move faster, such as with open-source toolkit attacks, as well as to attack in different languages that bypass detection. Thompson says that in the future, he expects to see AI being used offensively to help conduct attacks faster and to automate some of the attackers’ actions.
On the opposite side, AI is also being used defensively in MDR solutions to help triage events and investigate them faster. However, Thompson recommends that companies validate the claims of MDR providers. He says that if the AI is not properly vetted, the tool can miss detections, misclassify alerts, downgrade alerts or miss correlations that a human MDR investigator would spot.
“Both of these types of issues can be simulated and verified through red teaming to ensure that the MDR vendor isn’t overly relying on AI,” says Thompson. “On the offensive, you can validate that the MDR is prepared to detect and respond to modern, more AI-assisted attacks.”
Where red team testing and MDR intersect
IDC stated that most MDR buyers prefer to have a separate provider to handle offensive security testing like red team engagements. Companies often feel this provides the neutrality needed for successful red team testing. However, the report also noted that it felt it could use IBM for red team exercises, even though it is rare for an organization to utilize the customer’s MDR provider for offensive security testing. The reason given was that IBM’s large size made an independent red team possible.
Thompson said that many organizations, including IBM, are able to successfully provide independent evaluations of their own MDR solutions through red teaming. The key, he explained, is that the teams operate completely separately, without interactions or overlap. Thompson recommended that companies considering using the same vendor for both be sure that the vendor offers the best services for the specific circumstances.
“MDR is only part of what makes a mature security program within an organization. Having an MDR vendor that you trust that’s monitoring a tier one EDR solution and you properly incorporated telemetry from other security controls and correlate that in your SIM are all key to the success of an effective blue team and security program,” says Thompson. “However, it’s important to not rely on just the vendor to be responsible for all the detections because there are a lot of pieces to take into consideration. Red teaming really helps validate some of those assumptions on how mature the controls are and who’s effectively responsible for monitoring them end to end.”