This is the second in a five-part blog series on managed detection and response as it drives strategic security outcomes for businesses.
In this multipart blog series, we’re exploring how an effective managed detection and response (MDR) service helps organizations achieve their goals. Specifically, we’ll examine them through the context of four key strategic security outcomes:
- Align your security strategy to your business
- Protect your digital users, assets and data
- Manage your defenses against growing threats
- Modernize your security with an open, multicloud platform
In part 1, we discussed alignment. Today, we’ll discuss protection.
Protect Your Digital Users, Assets and Data
Protection is about stopping attacks, but is more than just preventing malicious activity. With MDR, protection consists of a number of essential building blocks. Together, these ensure threats are not only prevented, but also that the security team can detect and respond to them as quickly and efficiently as possible.
Managed Detection and Response With Custom Threat Intelligence
For protection to be effective, we must first be able to detect threats often. These days, almost all endpoint detection and response (EDR) platforms come with some form of next-gen antivirus functionality that leverages both classic atomic indicators and behavioral detection capabilities to trigger security alerts. When the risk of false positive alerting is sufficiently low, alert generation can include automatic prevention as well.
While default EDR detections are a good baseline, consider them a starting point. No two groups are alike, and having more threat intelligence and customized detections improve your chances of detecting threats. They also limit false positive noise from taking up valuable analysis time.
In short, ongoing enhancement of both the baseline intelligence and detection aspects is a must-have. It should be part of any MDR workflow to provide a service tailored to and prioritized for each customer’s needs.
Focus on Behaviors and TTPs
As noted in the previous installment of this series, critical asset prioritization is key. This directly translates to which alerts should get our attention first. Alerting based on atomic indicators like known bad hash, IP or domain values allows for easy detection of threats.
At the same time, an attacker can easily change these types of atomic indicators or indicators of compromise (IOCs). Switching to a new command and control IP address or modifying a binary so the associated hash value changes as well are trivial from the perspective of an attacker. They are easy ways to circumvent detection in any system that only detects on these types of indicators.
The low impact that prevention and detection of static IOCs and atomic indicators have on a persistent attacker means protection based on those indicators will always be short-lived. To be effective in the long term and have a larger impact on an attacker, detection and prevention should first and foremost be focused on behavior. Being able to effectively detect based on tactics, techniques and procedures (TTPs) used by an attacker has a much larger impact in the long term. After all, behavior is inherently harder to change.
Access to Full Telemetry
Once alert prioritization is done and analysis of the activity begins, or when it’s time to kick off a new proactive threat hunt, the full endpoint telemetry captured by the EDR platform comes into play and allows MDR analysts to start their investigation and respond to the threat with confidence.
Other platforms often do not provide the required level of detail into endpoint activity to support a thorough enough deep dive or high confidence conviction. From the perspective of MDR, these additional data sources are most useful to help fill in specific gaps (e.g. network logs, proxy logs) or provide additional context to the ongoing activity.
Having access to the full telemetry captured by EDR platforms allow analysts to respond to threats in several different ways. They can tell their customers where the threat came from and what the full scope and impact are. Additionally, they can find what specific remediation steps are needed to contain the problem and return to a known clean state.
Managed Detection and Response And Handling Problems Before They Start
When, not if, the time comes to contain a threat, responders and application owners no longer have the luxury of hours or days to assess would-be business impact should one or more systems need to be isolated. This drives the need to take a much more proactive approach in identifying critical resources and establishing pre-authorized courses of action. The goal then is to make as many decisions and authorizations in advance as possible.
You can establish pre-authorized containment playbooks ahead of time for high-value assets. In addition, you can select scenarios matching high-risk threat actor behaviors and TTPs (e.g. data exfiltration). When you do make a decision to isolate, the reaction should be contain first and ask questions later. Once you identify them, drill or rehearse containment procedures in a safe and controlled fashion to ensure successful outcomes. Lastly, measure key performance indicators in this area often to ensure the containment procedures are working.
Assessing Your Endpoint Protection Maturity
Take care when switching to a proactive containment and remediation process. Don’t consider it a one-time action. Ask yourself the following questions to determine your maturity level as it pertains to protecting your endpoints:
- Are we leveraging threat intelligence tailored to our needs? Is this intelligence based on both TTPs and static IOCs?
- Can we use outcomes of security incidents to fine-tune EDR detections?
- Are we running regular, tailored proactive hunts? Do we use hunt outcomes to add new or enhance existing detections?
- Can we rapidly isolate systems if needed?
- Do we exercise and test our pre-approved containment procedures on a regular basis and realign them when needed?
- How proficient are we at reducing or getting rid of business impact when we perform a proactive containment action?
Check out Part 3 of this series to explore how to manage defenses against growing threats, and learn more about IBM Security Managed Detection and Response Services.
Senior Threat Response Analyst, IBM