Buyer's Guide to Managed Detection & Response (MDR)

Introduction

In this article we assume that you have a basic understanding what MDR is about. If not, please have a look at The Definitive Guide to Managed Detection & Response (MDR) to get a general introduction to MDR.

The intent of this article is primarily to describe what is required for a modern SOC and to outline what elements will be important in an MDR service in the upcoming years, to provide resilience against advanced cyber-attacks. The elements mentioned in this document are therefore specifically intended for organizations that have to deal with targeted attacks, or for those organizations for which it is likely that they will have to deal with targeted attacks. Defending against targeted (and therefore often advanced) attacks requires a different approach than currently the standard for security monitoring by  traditional MSSPs. With these security monitoring providers, the emphasis lies on the 'alert' handling that is generated by the various implemented security devices. In the case of targeted and/or advanced attacks, unlike with an MSSP, a more intelligence-oriented service is required. This also (usually) requires customization around the specific environment of a customer as well as a combination of the complete security architecture of prevention, detection and response solutions. This is actually the domain of specialized MDR service providers.

Hunt & Hackett advises those organizations, that are dealing or might have to deal with targeted attacks, are considering - or are about to - deploy a modern monitoring/MDR service, to consider the following elements in order to arrive at a selection of appropriate solutions and vendors:

Cybersecurity Risk Management, Strategy & Governance

1. The degree of linkage with business risk management;
2. The degree of visibility into the threat landscape of the industry and/or organization;
3. The degree to which existing security investments can be used in service delivery.

Quality aspects of the detection solution

4. The degree to which the threat landscape is translated into detection logic;
5. The degree of visibility on relevant (potential) attack paths;
6. Frontline formed by security experts, data-scientists & developers;
7. Threat Hunting in conjunction with detection logic;
8. Response at the speed of an attacker.

Research, validation & continuous improvement

9. Extent of research on threat actors and (continuous) improvement of detection logic;
10. Validation of security measures (detection logic & prevention measures) and overall resilience.

Cybersecurity Risk Management, Strategy & Governance

Security monitoring has long been relatively operationally oriented and often lacks the link to (proactive) risk management, strategy and governance of cybersecurity. This is understandable given the large volume of security alerts that the SOC or the monitoring service provider have to deal with. However, it is also a missed opportunity because security monitoring provides among other things excellent insights into the threat landscape, the security awareness of staff and the general resilience of the organization. When cybersecurity monitoring is set up to form the 'senses' of the digital environment, it can provide valuable insights on an operational, tactical and strategic level to support the cybersecurity strategy & roadmap, security governance and risk management. To achieve this, the elements hereafter are among others important.

1. The link with risk management

Security monitoring does not stand alone, but is an important element for controlling cyber security related business risks and improving structural resilience against them. For example, in the (high-tech) agriculture, maritime and industrial sectors, the risks involved are:

• Disruption (e.g. ransomware);
• Information theft (corporate espionage: stealing technical information such as IP or professional knowledge);
• Commercial information (e.g. pricing, customer lists);
• Economic espionage (e.g. intellectual property, research & development projects, R&D ecosystem).

These activities cover a spectrum from short-term pain (e.g. CEO fraud, ransomware) to long-term pain: the targeted removal of an organization's knowledge position, and with it, its competitive position. Security monitoring forms the foundation for an organization to defend itself against such risks. Ideally, security monitoring forms the senses of the digital environment of an organization whereby it provides detailed insight into anything suspicious or unusual. For this, it is important that the MDR service not only provides insights at operational level, but also makes the link between the (changing) threat landscape and the corresponding business risks on the one hand, and the complete security setup, the organization's resilience level, the security budgets and the risk acceptance level of the organization on the other hand.

2. The link between the threat assessment and the resilience of an organization

In order to properly manage business risks, insight into the current threat landscape is required at all times, as a basis for translating this into an integral prevention, detection and response strategy and/or security roadmap. For this reason, it helps if the MDR provider is aware of the strategic themes that play a role within the sector, as well as transitions to, for example, 'Industry 4.0' or sustainability. This knowledge combined with the threat landscape provides insight into where the risks are and what needs to be protected. Such sector and/or organization themes often also include new threats. The knowledge position of the MDR provider is significantly strengthened if it also conducts its own research into this. The more knowledge the MDR party has of the sector and organization, the better it is able to map out the threat landscape of the sector and understand the context of the sector, the more targeted it can support organizations in making cyber security-related business risks manageable.

3. The extent to which existing security investments can be used in the provision of services

Risk management in cybersecurity consists of balancing the (changing) threat landscape and the resulting business risks on the one hand, and the complete security set-up, resilience level of the organization, the security budgets and the risk acceptance level of the organization on the other hand. Security budgets play an important role in this and thus also the best possible use of the investments already made in security solutions. MDR vendors will of course have their preferences for applying certain technologies, but ideally the MDR service provider is technology agnostic and uses as much as possible the already generated relevant security telemetry data within the digital environment for the benefit of the service. Where solutions may not yet be available, the MDR service provider can supplement them with newly implemented technology. This makes the best use of the investments already made.

Quality aspects of detection solution

The quality aspects of an MSSP or MDR service are difficult to assess remotely. Of course, reputation and credentials are important but these are primarily preconditions and not in themselves factors that say anything about the extent to which the solution is appropriate to the challenges ahead. For this, it is important to decompose the MDR service into elements that determine the quality of the service itself. For a forward-looking MDR service, the quality elements indicated hereafter are important.

4. The extent to which the threat landscape is translated into detection logic

The quality of security monitoring is largely determined by the extent to which it matches the threat landscape. A monitoring service can have such good intelligence and detection 'coverage' and logic, but if these are not relevant to the actors (APTs) and attack methods used in the sector then this is of little value to the organization. To properly manage business risks, a permanent view of the current threat landscape is required as a basis for translating it into detection logic. Ideally, this should be part of the implementation and on-boarding process so that there is coverage against the threat landscape at the time the service becomes fully operational. If this is not possible, a roadmap would offer a solution to gain insight into the development process to achieve more complete coverage, taking into account that the threat image is not static and that translating it into detection logic requires a continuous process.

A modern MDR service understands the threat landscape in which the client operates and can indicate how this translates into detection logic as part of the service.

5. The degree of visibility on relevant attack paths

To be able to detect advanced threat actors (APTs), it is important that the relevant data sources are monitored to gain visibility into complete attack paths. Security monitoring providers often focus on the technology to be applied, with a preference for one or more of the following options:

1. Logs/telemetry
2. Endpoint
3. Network
4. Honeypot monitoring.

However, the technology should flow from the data sources to be monitored to detect a set of relevant attack paths. These attack paths follow a kill-chain: starting with an initial intrusion, then further spreading within the network (lateral movement), to finally perform the final action, such as stealing data. Once this insight is available, the detection technologies with which the most coverage can be achieved can be examined. This is particularly relevant when, for budgetary reasons, it is not possible to use all four detection technologies mentioned.

A modern MDR provider indicates which data sources should ideally be monitored in order to be able to detect a set of relevant attacks from the threat landscape and can translate this into a set of detection technologies that is most suitable in order to get the most complete picture possible of the potential attack paths.

6. Frontline formed by security experts, data-scientists & developers

Monitoring on the basis of static detection logic is no longer sufficient. For this reason, a modern MDR service is a combination of security experts on the one hand and data scientists and developers on the other. The security expert conducts in-depth and far-reaching research into the detection possibilities in consultation with the data scientist and developer, so that a detection model can be put together based on, for example, 'behavioral rules' or 'machine learning' algorithms. Because of the level of abstraction of these types of detection techniques, you can not only detect an attacker based on current attack techniques, but also, for example, on unknown attack techniques that are yet to be developed. Despite the hype surrounding automation, machine learning and Artificial Intelligence (AI) in detection and response solutions, it is mainly the knowledge of the security experts that make the difference. A good MDR party is not only an operator of tooling but has multidisciplinary security expert teams with extensive frontline experience in Threat Intelligence (TI), Threat Hunting (TH), Incident Response (IR) and Red-Teaming (RT) in house. This is important in order to gain insight into attack methods from APTs (TI) and for the moments when things go wrong in practice despite all the security measures already implemented (TH & IR). In addition, it ensures better service when an MDR party has the knowledge to carry out attacks itself and to be able to bypass known prevention and detection solutions (RT), in order to develop new detection logic for this.

7. Threat Hunting in conjunction with detection logic

Nothing in the world of cybersecurity is infallible and certainly not an MDR provider. Partly for this reason, Threat Hunting (TH) has become an essential part of a modern MDR service. Not only is it a "nice" add-on to MDR service delivery, but it is ultimately a quality feature of a high-quality MDR provider. Using Threat Hunting (TH), when new threat information about attackers becomes known, it is for examplepossible to look retrospectively into security telemetry data going back up to a year or more to determine if this type of attack has occurred and may have been missed. These are the reactive Threat Hunts, where, based on new Threat Information (e.g. IOCs, artifacts), a check is made as to whether there are possible indications of such an attack. In addition, there are also proactive Threat Hunts. Here, on the basis of hypotheses, the security telemetry data is examined to see whether there are foundations for the hypotheses stated. Within the cybersecurity domain and by many MSSP/MDR providers, this is positioned as a modern form of detection, which actually breathes new life into IOC checking. Especially since reactive hunting takes fewer resources than proactively developing and improving detection logic. Threat Hunting is an important element in an MDR service, however it is not a replacement for detection logic development, but another detection technique that is complementary to detection logic, where the outcomes of a threat hunt are also translated and refined into detection logic. To be able to do Threat Hunting properly, the security environment needs to be set up accordingly and as much security telemetry data as possible needs to be stored. However, this is often at odds with the pricing models used by most SIEM vendors because these are based on the volume of uploaded telemetry data, which means that it must be determined beforehand which telemetry data will or will not be processed and stored. For effective Threat Hunting it is important that as much telemetry data as possible is stored, which in practice is often only economically feasible when using (third generation) SIEMs that do not use pricing models based on data volume.

8. Response at the speed of an attacker

For a successful detection solution against advanced threat actors, a rapid response is critical. Gone are the days when the managed detection (MSSP/SOC) provider at an alert went to investigate the potential incident, prepared a report and then contacted the customer and handed over the report for further follow-up at the customer's site. A modern MDR service uses a Security Orchestration Automation & Reponse (SOAR) solution so that it can provide an (automated) response immediately after an alert triage by, for example, deploying a firewall rule or quarantining an endpoint. This is particularly relevant in ransomware attacks where every second counts from the moment the attacker has obtained "privileged access" and from that point on is often (technically) ready to start encrypting systems. For this purpose, the MDR party develops, manages and refines 'playbooks' for the automation of research and response steps. Of course this is done in close collaboration with the end customer to ensure that the response fits the (security) policy, (operating) processes and (response) procedures. With a professionally organized SOAR, with playbooks tailored to the attack methods in the threat landscape, it is possible for the defenders to operate at the same speed as the attackers.

Research, validation & continuous improvement

The threat landscape is by no means static, which means that a modern MDR service cannot be either. Even if the aforementioned elements are well incorporated into the service, it is important that it is kept up to date. This requires research, validation and continuous improvement to truly ensure that the organization remains resilient to the most current attack methods from the industry's threat landscape.

9. The degree of continuous improvement of detection logic

The day-to-day operation that security monitoring vendors often show is the operational SOC analysis activities. This is where security alerts are examined to validate whether there is really something going on that needs immediate action. This is an important part of the service and the underlying SLA, but not the aspect where MDR providers make the difference. This is in the mostly invisible and continuous process of threat intelligence and detection logic development. In this process, relevant threats and new information about attack methods are continuously translated into detection logic. Even when a possible event is missed, the feature of a modern MDR service is that the detection logic can be developed in-house immediately, and also a threat hunt can be performed over the past period. Many of the MDR/SOC providers do not do this in-house, but rely on purchased intelligence feeds. These feeds primarily include IOCs (e.g. signatures, URLs, IP addresses, hashes). Although valuable in their own right, such IOCs concern mostly static information and need exact matches to generate alerts. It is therefore wise not to let the detection depend (entirely) on intelligence feeds, but also to work on detection based on behavior (e.g. behavior, anomalies, artifacts, tools, TTPs). The latter category is a lot trickier as shown in David Bianco's Pyramid of Pain and requires an internal operation from the MDR/SOC provider to continuously improve the detection logic based on TTPs, in which the behaviors of an attack can be detected to provide coverage against the threat landscape. Doing research on detection of TTPs leads to detection logic at the highest level of abstraction and contributes to sustainable rules, which are difficult to circumvent by an attacker.

10. Continuous validation of detection logic & overall resilience

To find out how well the detection solution tailored for a customer ultimately works, it is important to test the detection logic. With Breach & Attack Simulation (BAS) tooling, a system test for the detection logic can be set up. This involves testing not just one specific attack (as in a pen testing or red-teaming exercise), but all known variants of a specific attack type. This makes the evaluation of detection logic no longer binary but a statistical affair, where X% is directly detected, Y% partially and possibly Z% still gets through unnoticed. On this, the detection logic can be fine-tuned to perform optimally. In addition to the system test, BAS can also be used to perform chain tests. This not only gives insight into the effectiveness of the detection logic but also into the cohesion and integration with other security controls, with which the system can be fine-tuned against a particular type of attack. Finally, complete attack scenarios across multiple attack types can be simulated to test the system as a whole and thus the resilience of the organization.

With BAS, this testing can also be performed periodically or continuously, so that changes in the resilience due to, for example, configuration changes with an impact on security become immediately visible. This is relatively new technology with which the effectiveness of security measures/technical measures can be tested in a fine-grained manner. The results of the validation not only provide information about the effectiveness of the measures themselves, but also about whether these measures as a whole actually offer the envisaged resistance against an organization's specific threat landscape. The BAS technology is designed to be deployable in the production environment, without posing a risk to the continuity, integrity, or availability of the environment and users' data. However, the MDR provider will need to add high-level offensive knowledge to the technology (such as customized payloads) when testing in particular for system testing and complete attack scenarios in order to actually use the tooling as validation of systems.

Conclusion

The above ten points are intended to help organizations evaluate MDR services. The points mentioned are not meant to be exhaustive criteria but mainly to give organizations that are dealing with targeted attacks - or might be dealing with targeted attacks - relevant points for the selection of a modern monitoring/MDR service.

The 10 elements described are not chosen because Hunt & Hackett can already fully implement them today. They are elements that Hunt & Hackett believes will be increasingly important in the coming years to be able to offer (continued) resistance to advanced cyber attacks. Defending against targeted attacks requires an intelligence-driven service and customization around the specific environment of an organization as well as an interplay between the complete security architecture of prevention, detection and response solutions. This is the domain of specialized Managed Detection & Response (MDR) service providers. This MDR buyer's guide thus also provides insight into Hunt & Hackett's direction and roadmap for further developing and improving its own MDR services.

Hunt & Hackett hopes that with this 'MDR buyer's guide' organizations can make a careful and future-proof choice for the MDR service that best suits their organization.

Additional resources

Hunt & Hackett's Krijn de Mik during NLSecure[ID] about the questions you should ask your MDR service provider:
(in Dutch)