
Insights
by Secon
Demystifying detection and response
by Andrew Gogarty, Chief Security Evangelist
There is a lot of hype around detection and response, largely driven by the fact that in 2020 the average time to identify and contain a breach was 280 days, according to IBM. Cyber crime continues to impact organisations, and the time it takes to identify and respond to a threat is paramount to minimising any potential impact on operations or reputation.
And this is where we need to leave the hype behind and focus on what organisations actually need: the ability to quickly detect a breach, identify its impact and determine how it got in, so that swift, appropriate action can be taken to respond to and contain the breach effectively. There is no one-size-fits-all solution to this. Some organisations have large cyber security teams, while others are limited on resources, or cyber security is one of many shared priorities for a smaller IT team.
Not wanting to buck the trend, the cyber security industry has rallied to address the problem with a number of approaches, each with its own acronym, leaving organisations confused about which approach best suits their requirements and internal capabilities.
Whichever route you choose to take, you need to focus on the desired outcome, which is how do we detect malicious activity and respond faster to minimise the impact to our organisation?
How do we improve our detection and respond faster?
Better Detection
• Bring together and correlate the alerts from siloed security tools
• Leverage threat intelligence to hunt for threats that your security tools have not yet flagged
• Monitor your security alerts 24x7
• Ensure security tools are up to date and configured optimally
• Focus on genuine threats instead of wasting time trawling through false positives
Faster Response
• Monitor your security alerts 24x7
• Leverage automated response to genuine threats
• Have all the relevant data points to hand for a targeted response
Before exploring which option is most suited to help your organisation realise your desired outcome, let’s consider the options and how they fit with your environment.
EDR - Endpoint Detection and Response
XDR - Extended Detection and Response
MDR - Managed Detection and Response
SIEM - Security Information and Event Management
SOC - Security Operations Centre
EDR - Endpoint Detection and Response
Ideally suited for: Organisations with an in-house security operations centre with threat hunting and incident response skills.
Typically a new feature or add-on offered by traditional endpoint security vendors or by “next-gen” endpoint security vendors, EDR is designed to give IT teams better clarity and faster detection and response to threats on endpoints. It sometimes incorporates automation to isolate affected endpoints. In the event of a breach, the solution pulls together the relevant security logs and provides a graphical map of which endpoints have been impacted and what changes were made to them. This lets IT teams focus quickly on the impacted endpoints instead of losing valuable time manually searching through logs to work out how to respond.
Most EDR vendors also support threat hunting, where you use threat intelligence to search for threats that your endpoint security tool has not yet identified. For example, when WannaCry was first propagating in 2017, many endpoint security vendors did not detect the payload. However, through threat intelligence we knew the attributes (or indicators of compromise, IOCs) associated with WannaCry. Threat hunting lets IT teams search for those indicators in the EDR platform, which reports which endpoints carry IOCs associated with the threat. This enables a more proactive and faster response to endpoint threats, minimising the associated impact.
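The kind of IOC sweep described above, as an added example that is not part of the original article and not any vendor's EDR code: a threat feed is matched against endpoint telemetry and the hosts are ranked by how many distinct indicator types they match. All indicators, host names and events are constructed for illustration and are not real WannaCry artefacts.

```python
"""Added example, not Secon's code: a threat-hunting sweep that searches
endpoint telemetry for indicators of compromise from a threat feed, the way
an analyst would query an EDR platform after a new campaign is published.
Indicators, hosts and events below are constructed and hypothetical."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed threat-intelligence feed (hypothetical values, not real IOCs).
IOC_FEED = {
    "sha256": {"4f2c0d21b8a9e6f3c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4"},
    "domain": {"beacon.constructed-example.test"},
    "file_name": {"dropper-constructed.exe"},
    "mutex": {"Global\\ConstructedWormMutex"},
}

# Telemetry event type -> {indicator type: field holding a comparable value}.
FIELD_MAP = {
    "process_create": {"sha256": "image_sha256", "file_name": "image_name"},
    "file_write": {"sha256": "sha256", "file_name": "file_name"},
    "dns_query": {"domain": "query"},
    "mutex_create": {"mutex": "name"},
}

# Hex hashes, DNS names and Windows file names compare case-insensitively;
# mutex names are case-sensitive on Windows, so they are compared as-is.
CASE_INSENSITIVE = {"sha256", "domain", "file_name"}


def _norm(ioc_type, value):
    return value.lower() if ioc_type in CASE_INSENSITIVE else value


@dataclass(frozen=True)
class Hit:
    host: str
    ioc_type: str
    value: str
    event_id: int


def hunt(events, feed=IOC_FEED):
    """Return {host: [Hit, ...]} for every telemetry event matching the feed."""
    lookup = {t: {_norm(t, v) for v in vals} for t, vals in feed.items()}
    hits = defaultdict(list)
    for ev in events:
        for ioc_type, field_name in FIELD_MAP.get(ev["type"], {}).items():
            value = ev.get(field_name)
            if value is not None and _norm(ioc_type, value) in lookup.get(ioc_type, ()):
                hits[ev["host"]].append(Hit(ev["host"], ioc_type, value, ev["id"]))
    return dict(hits)


def prioritise(hits):
    """Order hosts by the number of distinct indicator types matched. A host
    that ran the dropper *and* resolved the beacon domain outranks one that
    only queried the domain, which could be a proxy, a sandbox or a curious user."""
    return sorted(hits, key=lambda host: (-len({h.ioc_type for h in hits[host]}), host))


# Constructed endpoint telemetry, as an EDR agent might record it.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-001", "type": "process_create",
     "image_name": "dropper-constructed.exe",
     "image_sha256": "4F2C0D21B8A9E6F3C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D0E1F2A3B4"},
    {"id": 2, "host": "WS-001", "type": "dns_query", "query": "beacon.constructed-example.test"},
    {"id": 3, "host": "WS-001", "type": "mutex_create", "name": "Global\\ConstructedWormMutex"},
    {"id": 4, "host": "WS-002", "type": "dns_query", "query": "BEACON.Constructed-Example.test"},
    {"id": 5, "host": "WS-003", "type": "process_create",
     "image_name": "notepad.exe", "image_sha256": "0" * 64},
    # Same mutex name in a different case: not a match, mutexes are case-sensitive.
    {"id": 6, "host": "WS-003", "type": "mutex_create", "name": "global\\constructedwormmutex"},
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for host in prioritise(results):
        print(host, sorted({h.ioc_type for h in results[host]}))
```

On the constructed sample, WS-001 matches all four indicator types and lands at the top of the list, WS-002 matches only the domain (the upper-case lookup still matches), and WS-003 is clean. The ranking is what keeps an analyst from treating a single DNS lookup with the same urgency as a host that has executed the payload.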
Limitations of EDR: Only focused on endpoint security, the last line of defence. It will not help against account takeovers, perimeter breaches or other attacks beyond the endpoint.
XDR - Extended Detection and Response
Ideally suited for: Organisations with an in-house security operations centre with threat hunting and incident response skills.
XDR is very similar to EDR, but with the addition of insights provided by other security tools such as firewalls, email security gateways and web gateways. Again, XDR is typically offered by traditional security vendors leveraging their technologies to provide insights from multiple vectors to enrich the information available to IT teams. This provides IT teams with a clearer understanding of how a threat entered their environment in addition to the endpoints that have been impacted.
Leveraging the data from multiple security products enables a more holistic approach to identifying and containing a breach. On top of all the benefits of EDR, XDR also enables teams to stop threats at the point of entry by showing what changes to firewalls, email gateways or web gateways would prevent further infection entering the environment.
The power of threat hunting is improved in XDR with more data points to search for potential indications of a threat.
Limitations of XDR: Often positioned as centralised visibility, but it typically requires a single-vendor approach to security, which limits threat intelligence to a single source. Support for security products from other vendors in your environment is limited or absent, which limits your total visibility.
MDR – Managed Detection and Response
Ideally suited for: Organisations with limited IT resource and no security operations centre or 24x7 support coverage.
MDR is a service offered by security vendors or service providers that supplies the people, expertise and platform (EDR, XDR or SIEM) to monitor and respond 24x7 to incidents identified by the platform. To better detect new threats, MDR providers typically combine the platform, security intelligence gathered across their other customers and threat feeds to perform proactive threat hunting for threats that may have circumvented your security solutions.
When a threat is identified, the service provider will work with the organisation to perform remedial actions or provide recommendations to effectively respond to and contain a breach.
Limitations of MDR: Usually limited by the ecosystem supported by the provider. For example, security vendors’ services will focus on their own products, and service providers will typically require a specific EDR tool on the endpoint to be able to deliver the service. When considering an MDR service, look for a provider that will enable you to leverage your existing investments to feed their platform for a faster time to value.
SIEM – Security Information and Event Management
Ideally suited for: Organisations with an in-house security operations centre with threat hunting and incident response skills.
SIEM tools are designed to ingest security logs from all the security tools in an organisation’s environment into a central store. Analytics and correlation rules run over that store to generate incidents from the combined data of every tool, and they help remove the noise of false positives so that teams can identify and focus on the genuine threats or risks the organisation faces.
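A miniature version of that pipeline, as an added example that is not part of the original article and not any SIEM product's code: log lines from three separate tools (a VPN authentication server, a firewall and an EDR agent) are normalised into one store, and a correlation rule raises an incident only when a burst of failed VPN logins is followed by a success from the same source, enriched with the firewall and EDR events that follow. The log formats, addresses, users and thresholds are all constructed for illustration.

```python
"""Added example, not Secon's code: a toy SIEM that ingests logs from three
tools, normalises them, and applies one correlation rule that suppresses the
noise of isolated login failures. All log formats and values are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines, in three made-up formats, as received from separate tools.
RAW_LOGS = """\
2024-03-01T08:00:05Z vpn auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T08:00:09Z vpn auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T08:00:14Z vpn auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T08:00:20Z vpn auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T08:00:27Z vpn auth user=alice src=203.0.113.7 result=FAIL
2024-03-01T08:00:31Z vpn auth user=alice src=203.0.113.7 result=OK
2024-03-01T08:03:10Z fw allow src=203.0.113.7 dst=10.0.0.25 dport=3389
2024-03-01T08:05:40Z edr host=WS-025 user=alice proc=powershell.exe parent=mstsc.exe
2024-03-01T09:10:00Z vpn auth user=bob src=198.51.100.4 result=FAIL
2024-03-01T09:10:30Z vpn auth user=bob src=198.51.100.4 result=OK
this line is not in any known format
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>vpn|fw|edr) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_logs(raw):
    """Normalise each line into a dict with a timezone-aware timestamp, a source
    tag and its key=value fields. Unparseable lines are skipped here; a real
    pipeline would route them to a dead-letter queue rather than drop them."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
              "source": m["source"]}
        ev.update(KV_RE.findall(m["rest"]))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold=5, window=timedelta(minutes=10),
              enrich_window=timedelta(minutes=30)):
    """Brute-force-then-success rule. A lone failed login, or a burst of
    failures that never succeeds, is noise nobody should be paged for; at least
    `threshold` failures within `window` followed by a success from the same
    source address is worth an incident. Each incident is enriched with the
    firewall and EDR events that follow it for the same source IP or user."""
    incidents = []
    failures = defaultdict(list)  # source IP -> timestamps of recent FAILs
    for ev in events:
        if ev["source"] != "vpn":
            continue
        ip, now = ev["src"], ev["ts"]
        failures[ip] = [t for t in failures[ip] if now - t <= window]  # sliding window
        if ev["result"] == "FAIL":
            failures[ip].append(now)
            continue
        if ev["result"] == "OK" and len(failures[ip]) >= threshold:
            related = [e for e in events
                       if e["source"] != "vpn"
                       and now < e["ts"] <= now + enrich_window
                       and (e.get("src") == ip or e.get("user") == ev.get("user"))]
            incidents.append({
                "src_ip": ip, "user": ev.get("user"), "failures": len(failures[ip]),
                "success_at": now, "related": related,
                # Post-login activity seen by the EDR means the intruder is past
                # the perimeter and on a host, so the incident is rated higher.
                "severity": "high" if any(e["source"] == "edr" for e in related) else "medium",
            })
        failures[ip] = []  # any successful login resets the counter


    return incidents


if __name__ == "__main__":
    for inc in correlate(parse_logs(RAW_LOGS)):
        print(inc["severity"], inc["src_ip"], inc["user"], inc["failures"], "failures;",
              [e["source"] for e in inc["related"]], "related events")
```

On the constructed logs, alice's five failures and subsequent success from 203.0.113.7 produce one high-severity incident carrying the later firewall connection to port 3389 and the EDR process event on WS-025, the data points an analyst needs to hand for a targeted response; bob's single mistyped password produces nothing.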
SIEM is available on the market in two main flavours: SIEM that you procure, install and maintain using your own in-house resource, or SIEM as a Service, which is typically a SIEM solution hosted and maintained by a service provider for organisations that lack the required in-house resource.
To realise the benefits of the SIEM, it is recommended to have the SIEM monitored 24x7 by an experienced security operations centre.
Limitations of SIEM: Typically requires significant effort to ingest logs and develop correlation rules. Existing IT teams may not have the resource, knowledge or experience to develop effective correlation rules and perform the required ongoing maintenance. SIEM tools are often licensed by “events per second”, which makes sizing the right solution difficult for most organisations and often leads to under- or over-scoping it. These limitations can be overcome by considering SIEM as a Service, which provides the desired outcomes at a fixed monthly or annual price.
SOC – Security Operations Centre
Ideally suited for: All organisations that want to be prepared to be able to detect and respond to threats faster.
A SOC (whether in-house or outsourced) complements the above technologies with the skilled people to monitor the output from security tools and hunt for threats. It usually leverages one or more of the above detection and response tools to focus the SOC team’s efforts on genuine threats rather than wasting time on false positives.
Limitations of SOC: Typically requires a significant investment in skilled human resource to build an in-house SOC. Monitoring and responding to threats is a 24x7 necessity in today’s threat landscape. Resource investment needs to consider how to ensure a consistent approach is maintained around the clock and that teams have appropriate experience and training to respond to cyber threats effectively. Many organisations are now outsourcing their security operations centres to get the required expertise without the significant investment of building one in-house.
If you are still unsure on the best approach for your requirements, that’s what we are here for. Reach out to us so we can take the time to understand your situation and advise on the most suitable approaches for your organisation.
