Managed IT services, from print to communications, have been a mainstay of enterprise IT operations for some years now but the landscape never stands still. In this, managed security is no different and today businesses are increasingly deploying managed detection and response (MDR) services to halt intrusions before they occur.
The reason for deploying advanced techniques such as MDR are simple, said Richard Ford, group technical director at Integrity360: it’s a wild west out there. “Companies deal with an ever-growing threat.”
Indeed, it can seem like the least safe place in the world is online, and yet all businesses today rely on both their own IT infrastructure and the public internet to transact and interact with customers.
“Huge amounts of money are being stolen or extorted. In addition, all organisations will have gone through some form of transformation, so their attack surface will have changed,” said Ford.
Fundamentally, MDR works as a kind of ‘scouting’ process that seeks out, checks and alerts organisations of current or incoming threats. The process combines massive computational power with human expertise and intelligence.
“It is a service that we use to hunt actively for threats and respond to those threats,” said Ford. “The endpoint detection and response platform will have elements of machine learning and behaviour analysis, but where it doesn’t have the confidence to outright block that’s where we bring a human in.”
Indeed, cyber security expertise – something that is in short supply in the labour market in general – is central to the MDR proposition, which Ford said was the next step beyond managed security.
Telemetry data is analysed 24/7 by security teams to ensure threat detection with the goal of identifying malicious activity as early as possible. This results in a new and deeper understanding of how threats work.
“One of the problems is that people [typically] only look at the critical, high-priority alerts, and they look at them individually rather than at the entire picture. We often find the ones we should be most concerned about are the string of lower-level activities,” said Ford.
Active detection tools are out there hunting threats then, in combination with full, human manual threat hunting.
“That starts with having the intelligence to understand what threat actors are doing in specific regions and using that information to build the searches and hypotheses that need to be tested,” he said.
The intent is to ensure that the coverage is both broad and deep, and the response rapid.
“We really are looking across the board at all of the alerts, and we’re not just looking alert by alert. We try to provide an overall picture and have the experts call them out, and then either carry out, or collaborate with internal teams to carry out, the mitigation strategy,” he said.
The new normal
Avant garde as it sounds, MDR is well on its way to mainstream adoption, Ford said. “We’ve gone past the tipping point where it’s the cutting edge and are moving to the point where it is the security service that people are looking for.”
This is because the ongoing battle to remain secure sees the stakes raised and raised again.
“Most organisations have already got to the point where they’ve looked in-house at the telemetry and then may have outsourced to a managed security service provider. This is the next step because it gives clients the embedded security team and it also gives them the response actions that they need.”
It sounds like a job for supercomputers, but the mainstream adoption of cloud technology means that companies like Integrity360 can deploy computational resources as required to their teams, who then work on clients’ behalf. This also means that the benefits can be reaped from day one.
“Everything has moved to being cloud hosted, cloud driven and delivered as a service: Part of the ability to rapidly stand up an MDR service demands that. A three-month delay on getting started is not good enough. We can pull the data back into cloud storage and identify the threats straight away,” said Ford.
In addition, it means that MDR, as a technology, is not the sole preserve of global multinationals.
“It’s definitely not something that is only targeted at large enterprises. Actually, I would say it gives the most value at the mid-market – 250, 500 seats and upwards – where they won’t have the dedicated security personnel, definitely won’t have them 24/7, which is key,” said Ford.
In the end, Integrity360’s goal is to boost its clients’ confidence in their own operational IT.
“What it does is really move all of that responsibility across to the MDR provider. It’s very important that we have the outlook to give organisations that confidence as they know we have their backs in relation to the threats in the environment and in our response to them.”