This is the third in a five-part blog series on managed detection and response as it drives strategic security outcomes for businesses.

In this multipart blog series, we’re exploring how effective managed detection and response (MDR) services help organizations achieve their goals. MDR services can lead to four key strategic security outcomes:

  • Align your security strategy to your business
  • Protect your digital users, assets and data
  • Manage your defenses against growing threats
  • Modernize your security with an open, multicloud platform

In part 1, we discussed alignment. In part 2, we discussed protection. Here, we take a look at the management side.

MDR Services Help Face Growing Threats

Like any military leader will tell you, your defenses are only as good as your visibility. A good MDR services provider should do more than just threat detection, prevention and response; they must help you manage your environment better.

Asset Inventory

For threat management to be effective, it’s essential to know and understand your assets, as well as their relative importance to your line of business. The Center for Internet Security recommends a baseline hardware and software inventory as one of the most basic controls. As noted in the first installment of this series, prioritizing which assets are most important is key. This directly impacts which alerts should get attention first and which hosts should get the most aggressive protection policies. MDR services can help with this.

Prioritizing your most important assets also helps you figure out how you should orchestrate your response playbooks. An alert on a server is more important than an alert on a workstation, for instance. However, you need to balance the risk of containing a server-based threat with the impact of stalling key business functions if that server was isolated. You may be OK with removing one workstation from the network, but what if it’s the CEO’s laptop?

Outside of prioritization and response, a solid asset inventory benchmark is important to spot any visibility or control gaps. Are there assets in which you can’t install endpoint detection and response (EDR) tools, such as for legacy reasons? Or maybe you can install it, but don’t have control over that asset or part of the network in order to respond to a threat located on it. Often, when dealing with clients that have a global presence, you may be working with more than one team or resolver group depending on their location. Is your MDR services provider flexible in cases like this?

Asset management and prioritization may seem complex, but it is the foundation for improved threat management.

Data Management

Once you’ve achieved visibility into all of your assets, it’s time to decide how to manage the telemetry obtained from them. Most EDR products store data in the cloud, but some offer on-premise solutions. Often, they also generate highly sensitive, personal data, such as usernames and passwords. For compliance, data residency or other reasons, it’s imperative to understand what data is collected, where the data is stored, who has access and how it’s deleted.

Agent Optimization

Another facet to consider is agent optimization. Many MDR services providers focus only on threat management. Don’t forget about basic care and feeding. Making sure your sensors are healthy, available and running the correct version contributes to giving you the best possible threat management experience. If a sensor stops reporting in, then you have a blind spot. Do you have a plan to identify and fix these problems before they become a bigger issue? In terms of upgrades, what is your plan to deploy to a test group and verify it before completing a full-scale rollout?

When considering agent management, think about the partnership with the product vendor, as well as how that ties in to future threat defense. What is the plan for testing and enabling new product features and functions? What about in the case of features and functions that may require more work before using them safely and swiftly across the entire landscape?

Preventing Downstream Problems

While the practices described above may seem like basic hygiene measures, not doing them will cause a bigger headache down the road. We have seen clients who suffered a breach because the endpoints affected stopped reporting in and introduced a visibility gap. This allowed an attacker to expand their footprint unnoticed. We’ve seen others who failed to complete essential product upgrades, which caused performance and stability issues on the endpoints and resulted in disabling key functions. A good MDR services provider should be able to assist you with overall best practices in managing assets and agents to give you the best possible threat protection.

Developing Your MDR Services Management Plan

Proper management requires a partnership between MDR services providers who manage the agents and clients who own the endpoints. Some questions to ask your MDR services provider could include:

  • How can I pinpoint and document my key assets, users and data?
  • What customization options do you offer for response playbooks and incident routing?
  • Do you offer a solution to meet data localization requirements?
  • How are you ensuring the health and availability of my agents?
  • What is your process for upgrades, testing and verification and enabling of new features?

Stay tuned for Part 4 of this series to explore how to modernize your security with a hybrid multicloud environment, and learn more about IBM Security Managed Detection and Response Services.

More from Risk Management

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today