This is the second in a five-part blog series on managed detection and response as it drives strategic security outcomes for businesses.

In this multipart blog series, we’re exploring how an effective managed detection and response (MDR) service helps organizations achieve their goals. Specifically, we’ll examine them through the context of four key strategic security outcomes:

  • Align your security strategy to your business
  • Protect your digital users, assets and data
  • Manage your defenses against growing threats
  • Modernize your security with an open, multicloud platform

In part 1, we discussed alignment. Today, we’ll discuss protection.

Protect Your Digital Users, Assets and Data

Protection is about stopping attacks, but is more than just preventing malicious activity. With MDR, protection consists of a number of essential building blocks. Together, these ensure threats are not only prevented, but also that the security team can detect and respond to them as quickly and efficiently as possible.

Managed Detection and Response With Custom Threat Intelligence

For protection to be effective, we must first be able to detect threats often. These days, almost all endpoint detection and response (EDR) platforms come with some form of next-gen antivirus functionality that leverages both classic atomic indicators and behavioral detection capabilities to trigger security alerts. When the risk of false positive alerting is sufficiently low, alert generation can include automatic prevention as well.

While default EDR detections are a good baseline, consider them a starting point. No two groups are alike, and having more threat intelligence and customized detections improve your chances of detecting threats. They also limit false positive noise from taking up valuable analysis time.

In short, ongoing enhancement of both the baseline intelligence and detection aspects is a must-have. It should be part of any MDR workflow to provide a service tailored to and prioritized for each customer’s needs.

Focus on Behaviors and TTPs

As noted in the previous installment of this series, critical asset prioritization is key. This directly translates to which alerts should get our attention first. Alerting based on atomic indicators like known bad hash, IP or domain values allows for easy detection of threats.

At the same time, an attacker can easily change these types of atomic indicators or indicators of compromise (IOCs). Switching to a new command and control IP address or modifying a binary so the associated hash value changes as well are trivial from the perspective of an attacker. They are easy ways to circumvent detection in any system that only detects on these types of indicators.

The low impact that prevention and detection of static IOCs and atomic indicators have on a persistent attacker means protection based on those indicators will always be short-lived. To be effective in the long term and have a larger impact on an attacker, detection and prevention should first and foremost be focused on behavior. Being able to effectively detect based on tactics, techniques and procedures (TTPs) used by an attacker has a much larger impact in the long term. After all, behavior is inherently harder to change.

Access to Full Telemetry

Once alert prioritization is done and analysis of the activity begins, or when it’s time to kick off a new proactive threat hunt, the full endpoint telemetry captured by the EDR platform comes into play and allows MDR analysts to start their investigation and respond to the threat with confidence.

Other platforms often do not provide the required level of detail into endpoint activity to support a thorough enough deep dive or high confidence conviction. From the perspective of MDR, these additional data sources are most useful to help fill in specific gaps (e.g. network logs, proxy logs) or provide additional context to the ongoing activity.

Having access to the full telemetry captured by EDR platforms allow analysts to respond to threats in several different ways. They can tell their customers where the threat came from and what the full scope and impact are. Additionally, they can find what specific remediation steps are needed to contain the problem and return to a known clean state.

Managed Detection and Response And Handling Problems Before They Start

When, not if, the time comes to contain a threat, responders and application owners no longer have the luxury of hours or days to assess would-be business impact should one or more systems need to be isolated. This drives the need to take a much more proactive approach in identifying critical resources and establishing pre-authorized courses of action. The goal then is to make as many decisions and authorizations in advance as possible.

You can establish pre-authorized containment playbooks ahead of time for high-value assets. In addition, you can select scenarios matching high-risk threat actor behaviors and TTPs (e.g. data exfiltration). When you do make a decision to isolate, the reaction should be contain first and ask questions later. Once you identify them, drill or rehearse containment procedures in a safe and controlled fashion to ensure successful outcomes. Lastly, measure key performance indicators in this area often to ensure the containment procedures are working.

Assessing Your Endpoint Protection Maturity

Take care when switching to a proactive containment and remediation process. Don’t consider it a one-time action. Ask yourself the following questions to determine your maturity level as it pertains to protecting your endpoints:

  • Are we leveraging threat intelligence tailored to our needs? Is this intelligence based on both TTPs and static IOCs?
  • Can we use outcomes of security incidents to fine-tune EDR detections?
  • Are we running regular, tailored proactive hunts? Do we use hunt outcomes to add new or enhance existing detections?
  • Can we rapidly isolate systems if needed?
  • Do we exercise and test our pre-approved containment procedures on a regular basis and realign them when needed?
  • How proficient are we at reducing or getting rid of business impact when we perform a proactive containment action?

Check out Part 3 of this series to explore how to manage defenses against growing threats, and learn more about IBM Security Managed Detection and Response Services.

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today