This is the third in a five-part blog series on managed detection and response as it drives strategic security outcomes for businesses.

In this multipart blog series, we’re exploring how effective managed detection and response (MDR) services help organizations achieve their goals. MDR services can lead to four key strategic security outcomes:

  • Align your security strategy to your business
  • Protect your digital users, assets and data
  • Manage your defenses against growing threats
  • Modernize your security with an open, multicloud platform

In part 1, we discussed alignment. In part 2, we discussed protection. Here, we take a look at the management side.

MDR Services Help Face Growing Threats

As any military leader will tell you, your defenses are only as good as your visibility. A good MDR services provider should do more than threat detection, prevention and response; they must also help you manage your environment better.

Asset Inventory

For threat management to be effective, it’s essential to know and understand your assets, as well as their relative importance to your line of business. The Center for Internet Security recommends a baseline hardware and software inventory as one of the most basic controls. As noted in the first installment of this series, prioritizing which assets are most important is key. This directly impacts which alerts should get attention first and which hosts should get the most aggressive protection policies. MDR services can help with this.

Prioritizing your most important assets also helps you figure out how you should orchestrate your response playbooks. An alert on a server is more important than an alert on a workstation, for instance. However, you need to balance the risk of containing a server-based threat with the impact of stalling key business functions if that server was isolated. You may be OK with removing one workstation from the network, but what if it’s the CEO’s laptop?

Outside of prioritization and response, a solid asset inventory benchmark is important for spotting any visibility or control gaps. Are there assets on which you can’t install endpoint detection and response (EDR) tools, for legacy reasons, for instance? Or maybe you can install the tool, but you don’t have enough control over that asset or its part of the network to respond to a threat located on it. Often, when dealing with clients that have a global presence, you may be working with more than one team or resolver group depending on the location. Is your MDR services provider flexible in cases like this?

Asset management and prioritization may seem complex, but it is the foundation for improved threat management.

Data Management

Once you’ve achieved visibility into all of your assets, it’s time to decide how to manage the telemetry obtained from them. Most EDR products store data in the cloud, but some offer on-premises solutions. Often, they also generate highly sensitive, personal data, such as usernames and passwords. For compliance, data residency or other reasons, it’s imperative to understand what data is collected, where the data is stored, who has access to it and how it’s deleted.

Agent Optimization

Another facet to consider is agent optimization. Many MDR services providers focus only on threat management. Don’t forget about basic care and feeding. Making sure your sensors are healthy, available and running the correct version contributes to giving you the best possible threat management experience. If a sensor stops reporting in, then you have a blind spot. Do you have a plan to identify and fix these problems before they become a bigger issue? In terms of upgrades, what is your plan to deploy to a test group and verify it before completing a full-scale rollout?

When considering agent management, think about the partnership with the product vendor, as well as how that ties into future threat defense. What is the plan for testing and enabling new product features and functions? What about features and functions that may require more work before they can be used safely and swiftly across the entire landscape?
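The two management tasks described above, prioritizing assets by business criticality and catching sensors that stop reporting in or drift off the expected version, can be combined into a single health check. The example below is added here and is not code from the post or from any MDR provider; the inventory, host names, owners, agent versions and the four-hour heartbeat SLA are all constructed values, and it ranks findings so that a silent agent on a critical server (or a critical asset that can take no agent at all) lands at the top of the queue.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (hypothetical hosts, not from the post).
# criticality: 3 = business-critical server, 2 = high-value endpoint, 1 = workstation
EXPECTED_VERSION = "7.4.2"                 # assumed current agent release
HEARTBEAT_SLA = timedelta(hours=4)         # assumed maximum acceptable silence
NOW = datetime(2023, 3, 1, 12, 0, tzinfo=timezone.utc)

INVENTORY = [
    {"host": "erp-db-01", "criticality": 3, "owner": "dba-team",
     "agent_version": "7.4.2", "last_seen": NOW - timedelta(minutes=5)},
    {"host": "erp-db-02", "criticality": 3, "owner": "dba-team",
     "agent_version": "7.3.9", "last_seen": NOW - timedelta(hours=9)},
    {"host": "ws-ceo-01", "criticality": 2, "owner": "exec-it",       # the CEO's laptop
     "agent_version": "7.4.2", "last_seen": NOW - timedelta(hours=26)},
    {"host": "ws-sales-17", "criticality": 1, "owner": "emea-desktop",
     "agent_version": "7.4.2", "last_seen": NOW - timedelta(minutes=40)},
    {"host": "legacy-plc-gw", "criticality": 3, "owner": "ot-team",
     "agent_version": None, "last_seen": None},                       # EDR cannot be installed
]


def assess(asset, now=NOW, sla=HEARTBEAT_SLA, expected=EXPECTED_VERSION):
    """Return the list of findings for one asset (empty list means healthy)."""
    findings = []
    if asset["agent_version"] is None:
        findings.append("no_agent")          # coverage gap: no sensor at all
        return findings
    if now - asset["last_seen"] > sla:
        findings.append("stale_heartbeat")   # blind spot: sensor stopped reporting in
    if asset["agent_version"] != expected:
        findings.append("version_drift")     # missed or incomplete upgrade
    return findings


def visibility_gaps(inventory, now=NOW, sla=HEARTBEAT_SLA, expected=EXPECTED_VERSION):
    """Rank unhealthy assets: highest criticality first, then longest silence."""
    rows = []
    for asset in inventory:
        findings = assess(asset, now, sla, expected)
        if not findings:
            continue
        silent = float("inf") if asset["last_seen"] is None \
            else (now - asset["last_seen"]).total_seconds()
        rows.append({"host": asset["host"], "criticality": asset["criticality"],
                     "owner": asset["owner"], "findings": findings,
                     "silent_seconds": silent})
    rows.sort(key=lambda r: (-r["criticality"], -r["silent_seconds"]))
    return rows
```

The `owner` field is what lets the resulting list be routed to the right resolver group, which matters when different regions or teams own different parts of the estate.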

Preventing Downstream Problems

While the practices described above may seem like basic hygiene measures, not doing them will cause a bigger headache down the road. We have seen clients who suffered a breach because the endpoints affected stopped reporting in and introduced a visibility gap. This allowed an attacker to expand their footprint unnoticed. We’ve seen others who failed to complete essential product upgrades, which caused performance and stability issues on the endpoints and resulted in disabling key functions. A good MDR services provider should be able to assist you with overall best practices in managing assets and agents to give you the best possible threat protection.

Developing Your MDR Services Management Plan

Proper management requires a partnership between MDR services providers who manage the agents and clients who own the endpoints. Some questions to ask your MDR services provider could include:

  • How can I pinpoint and document my key assets, users and data?
  • What customization options do you offer for response playbooks and incident routing?
  • Do you offer a solution to meet data localization requirements?
  • How are you ensuring the health and availability of my agents?
  • What is your process for upgrades, testing and verification, and enabling new features?

Stay tuned for Part 4 of this series to explore how to modernize your security with a hybrid multicloud environment, and learn more about IBM Security Managed Detection and Response Services.
