This is the third in a five-part blog series on managed detection and response as it drives strategic security outcomes for businesses.
In this multipart blog series, we’re exploring how effective managed detection and response (MDR) services help organizations achieve their goals. MDR services can lead to four key strategic security outcomes:
- Align your security strategy to your business
- Protect your digital users, assets and data
- Manage your defenses against growing threats
- Modernize your security with an open, multicloud platform
In part 1, we discussed alignment. In part 2, we discussed protection. Here, we take a look at the management side.
MDR Services Help Face Growing Threats
Like any military leader will tell you, your defenses are only as good as your visibility. A good MDR services provider should do more than just threat detection, prevention and response; they must help you manage your environment better.
For threat management to be effective, it’s essential to know and understand your assets, as well as their relative importance to your line of business. The Center for Internet Security recommends a baseline hardware and software inventory as one of the most basic controls. As noted in the first installment of this series, prioritizing which assets are most important is key. This directly impacts which alerts should get attention first and which hosts should get the most aggressive protection policies. MDR services can help with this.
Prioritizing your most important assets also helps you figure out how you should orchestrate your response playbooks. An alert on a server is more important than an alert on a workstation, for instance. However, you need to balance the risk of containing a server-based threat with the impact of stalling key business functions if that server was isolated. You may be OK with removing one workstation from the network, but what if it’s the CEO’s laptop?
Outside of prioritization and response, a solid asset inventory benchmark is important to spot any visibility or control gaps. Are there assets in which you can’t install endpoint detection and response (EDR) tools, such as for legacy reasons? Or maybe you can install it, but don’t have control over that asset or part of the network in order to respond to a threat located on it. Often, when dealing with clients that have a global presence, you may be working with more than one team or resolver group depending on their location. Is your MDR services provider flexible in cases like this?
Asset management and prioritization may seem complex, but it is the foundation for improved threat management.
Once you’ve achieved visibility into all of your assets, it’s time to decide how to manage the telemetry obtained from them. Most EDR products store data in the cloud, but some offer on-premise solutions. Often, they also generate highly sensitive, personal data, such as usernames and passwords. For compliance, data residency or other reasons, it’s imperative to understand what data is collected, where the data is stored, who has access and how it’s deleted.
Another facet to consider is agent optimization. Many MDR services providers focus only on threat management. Don’t forget about basic care and feeding. Making sure your sensors are healthy, available and running the correct version contributes to giving you the best possible threat management experience. If a sensor stops reporting in, then you have a blind spot. Do you have a plan to identify and fix these problems before they become a bigger issue? In terms of upgrades, what is your plan to deploy to a test group and verify it before completing a full-scale rollout?
When considering agent management, think about the partnership with the product vendor, as well as how that ties in to future threat defense. What is the plan for testing and enabling new product features and functions? What about in the case of features and functions that may require more work before using them safely and swiftly across the entire landscape?
Preventing Downstream Problems
While the practices described above may seem like basic hygiene measures, not doing them will cause a bigger headache down the road. We have seen clients who suffered a breach because the endpoints affected stopped reporting in and introduced a visibility gap. This allowed an attacker to expand their footprint unnoticed. We’ve seen others who failed to complete essential product upgrades, which caused performance and stability issues on the endpoints and resulted in disabling key functions. A good MDR services provider should be able to assist you with overall best practices in managing assets and agents to give you the best possible threat protection.
Developing Your MDR Services Management Plan
Proper management requires a partnership between MDR services providers who manage the agents and clients who own the endpoints. Some questions to ask your MDR services provider could include:
- How can I pinpoint and document my key assets, users and data?
- What customization options do you offer for response playbooks and incident routing?
- Do you offer a solution to meet data localization requirements?
- How are you ensuring the health and availability of my agents?
- What is your process for upgrades, testing and verification and enabling of new features?
Stay tuned for Part 4 of this series to explore how to modernize your security with a hybrid multicloud environment, and learn more about IBM Security Managed Detection and Response Services.