Light Dark
November 13, 2020 By Thomas Bouve 4 min read
Intelligence & Analytics
Security Services

This is the second in a five-part blog series on managed detection and response as it drives strategic security outcomes for businesses.

In this multipart blog series, we’re exploring how an effective managed detection and response (MDR) service helps organizations achieve their goals. Specifically, we’ll examine them through the context of four key strategic security outcomes:

  • Align your security strategy to your business
  • Protect your digital users, assets and data
  • Manage your defenses against growing threats
  • Modernize your security with an open, multicloud platform

In part 1, we discussed alignment. Today, we’ll discuss protection.

Protect Your Digital Users, Assets and Data

Protection is about stopping attacks, but is more than just preventing malicious activity. With MDR, protection consists of a number of essential building blocks. Together, these ensure threats are not only prevented, but also that the security team can detect and respond to them as quickly and efficiently as possible.

Managed Detection and Response With Custom Threat Intelligence

For protection to be effective, we must first be able to detect threats often. These days, almost all endpoint detection and response (EDR) platforms come with some form of next-gen antivirus functionality that leverages both classic atomic indicators and behavioral detection capabilities to trigger security alerts. When the risk of false positive alerting is sufficiently low, alert generation can include automatic prevention as well.

While default EDR detections are a good baseline, consider them a starting point. No two groups are alike, and having more threat intelligence and customized detections improve your chances of detecting threats. They also limit false positive noise from taking up valuable analysis time.

In short, ongoing enhancement of both the baseline intelligence and detection aspects is a must-have. It should be part of any MDR workflow to provide a service tailored to and prioritized for each customer’s needs.

Focus on Behaviors and TTPs

As noted in the previous installment of this series, critical asset prioritization is key. This directly translates to which alerts should get our attention first. Alerting based on atomic indicators like known bad hash, IP or domain values allows for easy detection of threats.

At the same time, an attacker can easily change these types of atomic indicators or indicators of compromise (IOCs). Switching to a new command and control IP address or modifying a binary so the associated hash value changes as well are trivial from the perspective of an attacker. They are easy ways to circumvent detection in any system that only detects on these types of indicators.

The low impact that prevention and detection of static IOCs and atomic indicators have on a persistent attacker means protection based on those indicators will always be short-lived. To be effective in the long term and have a larger impact on an attacker, detection and prevention should first and foremost be focused on behavior. Being able to effectively detect based on tactics, techniques and procedures (TTPs) used by an attacker has a much larger impact in the long term. After all, behavior is inherently harder to change.

Access to Full Telemetry

Once alert prioritization is done and analysis of the activity begins, or when it’s time to kick off a new proactive threat hunt, the full endpoint telemetry captured by the EDR platform comes into play and allows MDR analysts to start their investigation and respond to the threat with confidence.

Other platforms often do not provide the required level of detail into endpoint activity to support a thorough enough deep dive or high confidence conviction. From the perspective of MDR, these additional data sources are most useful to help fill in specific gaps (e.g. network logs, proxy logs) or provide additional context to the ongoing activity.

Having access to the full telemetry captured by EDR platforms allow analysts to respond to threats in several different ways. They can tell their customers where the threat came from and what the full scope and impact are. Additionally, they can find what specific remediation steps are needed to contain the problem and return to a known clean state.

Managed Detection and Response And Handling Problems Before They Start

When, not if, the time comes to contain a threat, responders and application owners no longer have the luxury of hours or days to assess would-be business impact should one or more systems need to be isolated. This drives the need to take a much more proactive approach in identifying critical resources and establishing pre-authorized courses of action. The goal then is to make as many decisions and authorizations in advance as possible.

You can establish pre-authorized containment playbooks ahead of time for high-value assets. In addition, you can select scenarios matching high-risk threat actor behaviors and TTPs (e.g. data exfiltration). When you do make a decision to isolate, the reaction should be contain first and ask questions later. Once you identify them, drill or rehearse containment procedures in a safe and controlled fashion to ensure successful outcomes. Lastly, measure key performance indicators in this area often to ensure the containment procedures are working.

Assessing Your Endpoint Protection Maturity

Take care when switching to a proactive containment and remediation process. Don’t consider it a one-time action. Ask yourself the following questions to determine your maturity level as it pertains to protecting your endpoints:

  • Are we leveraging threat intelligence tailored to our needs? Is this intelligence based on both TTPs and static IOCs?
  • Can we use outcomes of security incidents to fine-tune EDR detections?
  • Are we running regular, tailored proactive hunts? Do we use hunt outcomes to add new or enhance existing detections?
  • Can we rapidly isolate systems if needed?
  • Do we exercise and test our pre-approved containment procedures on a regular basis and realign them when needed?
  • How proficient are we at reducing or getting rid of business impact when we perform a proactive containment action?

Check out Part 3 of this series to explore how to manage defenses against growing threats, and learn more about IBM Security Managed Detection and Response Services.

 |  | 
Thomas Bouve
Senior Threat Response Analyst, IBM

More from Intelligence & Analytics
February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

December 19, 2023

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

December 14, 2023

Accelerating security outcomes with a cloud-native SIEM

5 min read - As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature