This is the second in a five-part blog series on managed detection and response as it drives strategic security outcomes for businesses.

In this multipart blog series, we’re exploring how an effective managed detection and response (MDR) service helps organizations achieve their goals. Specifically, we’ll examine them through the context of four key strategic security outcomes:

  • Align your security strategy to your business
  • Protect your digital users, assets and data
  • Manage your defenses against growing threats
  • Modernize your security with an open, multicloud platform

In part 1, we discussed alignment. Today, we’ll discuss protection.

Protect Your Digital Users, Assets and Data

Protection is about stopping attacks, but is more than just preventing malicious activity. With MDR, protection consists of a number of essential building blocks. Together, these ensure threats are not only prevented, but also that the security team can detect and respond to them as quickly and efficiently as possible.

Managed Detection and Response With Custom Threat Intelligence

For protection to be effective, we must first be able to detect threats often. These days, almost all endpoint detection and response (EDR) platforms come with some form of next-gen antivirus functionality that leverages both classic atomic indicators and behavioral detection capabilities to trigger security alerts. When the risk of false positive alerting is sufficiently low, alert generation can include automatic prevention as well.

While default EDR detections are a good baseline, consider them a starting point. No two groups are alike, and having more threat intelligence and customized detections improve your chances of detecting threats. They also limit false positive noise from taking up valuable analysis time.

In short, ongoing enhancement of both the baseline intelligence and detection aspects is a must-have. It should be part of any MDR workflow to provide a service tailored to and prioritized for each customer’s needs.

Focus on Behaviors and TTPs

As noted in the previous installment of this series, critical asset prioritization is key. This directly translates to which alerts should get our attention first. Alerting based on atomic indicators like known bad hash, IP or domain values allows for easy detection of threats.

At the same time, an attacker can easily change these types of atomic indicators or indicators of compromise (IOCs). Switching to a new command and control IP address or modifying a binary so the associated hash value changes as well are trivial from the perspective of an attacker. They are easy ways to circumvent detection in any system that only detects on these types of indicators.

The low impact that prevention and detection of static IOCs and atomic indicators have on a persistent attacker means protection based on those indicators will always be short-lived. To be effective in the long term and have a larger impact on an attacker, detection and prevention should first and foremost be focused on behavior. Being able to effectively detect based on tactics, techniques and procedures (TTPs) used by an attacker has a much larger impact in the long term. After all, behavior is inherently harder to change.

Access to Full Telemetry

Once alert prioritization is done and analysis of the activity begins, or when it’s time to kick off a new proactive threat hunt, the full endpoint telemetry captured by the EDR platform comes into play and allows MDR analysts to start their investigation and respond to the threat with confidence.

Other platforms often do not provide the required level of detail into endpoint activity to support a thorough enough deep dive or high confidence conviction. From the perspective of MDR, these additional data sources are most useful to help fill in specific gaps (e.g. network logs, proxy logs) or provide additional context to the ongoing activity.

Having access to the full telemetry captured by EDR platforms allow analysts to respond to threats in several different ways. They can tell their customers where the threat came from and what the full scope and impact are. Additionally, they can find what specific remediation steps are needed to contain the problem and return to a known clean state.

Managed Detection and Response And Handling Problems Before They Start

When, not if, the time comes to contain a threat, responders and application owners no longer have the luxury of hours or days to assess would-be business impact should one or more systems need to be isolated. This drives the need to take a much more proactive approach in identifying critical resources and establishing pre-authorized courses of action. The goal then is to make as many decisions and authorizations in advance as possible.

You can establish pre-authorized containment playbooks ahead of time for high-value assets. In addition, you can select scenarios matching high-risk threat actor behaviors and TTPs (e.g. data exfiltration). When you do make a decision to isolate, the reaction should be contain first and ask questions later. Once you identify them, drill or rehearse containment procedures in a safe and controlled fashion to ensure successful outcomes. Lastly, measure key performance indicators in this area often to ensure the containment procedures are working.

Assessing Your Endpoint Protection Maturity

Take care when switching to a proactive containment and remediation process. Don’t consider it a one-time action. Ask yourself the following questions to determine your maturity level as it pertains to protecting your endpoints:

  • Are we leveraging threat intelligence tailored to our needs? Is this intelligence based on both TTPs and static IOCs?
  • Can we use outcomes of security incidents to fine-tune EDR detections?
  • Are we running regular, tailored proactive hunts? Do we use hunt outcomes to add new or enhance existing detections?
  • Can we rapidly isolate systems if needed?
  • Do we exercise and test our pre-approved containment procedures on a regular basis and realign them when needed?
  • How proficient are we at reducing or getting rid of business impact when we perform a proactive containment action?

Check out Part 3 of this series to explore how to manage defenses against growing threats, and learn more about IBM Security Managed Detection and Response Services.

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…