Levelling the odds: the value of a Managed Detection & Response approach

In 2024, the average amount of time required for organisations to detect malicious activity within their environments continues to be measured in weeks and months. Cyber criminals, meanwhile, are capable of initiating and completing the entirety of their attacks in a matter of hours, effectively evading traditional preventative defences. Such lengthy detection times are obviously no longer fit for purpose, but many organisations are still hobbled by a combination of siloed technology stacks deployed within their environments, a lack of threat visibility, and the resources required to analyse and act upon threats becoming increasingly stretched. Facing all of this, it’s not hard to see why many are unable to easily pivot to a more proactive approach to cyber defence.

With these challenges in mind, organisations are frequently turning to a Managed Detection and Response (MDR) approach, which can disarm most modern cyber crime activities faster and more efficiently than traditional preventative methods. Today, we’ll explore the virtues of MDR, how it compares to more traditional methods, and explore the value of a modern approach and the benefits it will pass on to an organisation.

Traditional approaches struggle against a changing threat landscape

Traditional security assets – such as antivirus software, network firewalls, and SIEM systems – are long-standing cornerstone tools for IT and SecOps teams. However, while each of these continues to have an important part to play, the digital landscape has continued to evolve since their introduction, dramatically changing the attack surface along with it – becoming broader, and featuring increasingly sophisticated threats.

Alongside this, cyber crime has continually matured its business models and attack techniques, with a focus on increased speed (or shorter ‘time to value’), and the continuing evasion of automatic preventative security controls. For example, we’re regularly seeing successful attacks that can complete a full phishing-to-business email compromise (BEC) attack chain within ten minutes, or obtain domain administrator privileges just an hour after initial access.

It’s clear that we can no longer rely on traditional so-called ‘first lines of defence’ to detect and eradicate these new anomalies and threats. Most organisations still struggle with poor threat visibility across their digital environments, due to a lack of integration between telemetry sources. Where correlation tools are used, there is still a heavy reliance on in-house (or contracted) resources to manage and maintain them. This introduces limitations in the speed at which an organisation is able to detect and remediate threats and vulnerabilities, and increases the time required to catch up with these adversaries – adversaries who, in contrast, are well prepared, can execute their attacks quickly, and are often in and out before anyone is aware.

The IBM X-Force Threat Intelligence Index report from earlier this year noted a significant rise (71% year-on-year) in valid credentials and identities being hijacked and used as initial entry points into an organisation’s network, before being rapidly escalated in order to achieve the attacker’s intended outcome. These types of attacks use sophisticated AI-driven social engineering techniques that are becoming increasingly hard to spot; successfully bypassing authentication using Adversary in the Middle (AITM) techniques can be achieved in minutes, and is very difficult to detect using traditional methods. We’re seeing this become a continuing trend, against which static preventative measures are only partially effective – meaning that organisations that still heavily rely on more traditional preventative techniques, such as MFA, antivirus software, and firewalls, are most at risk. As attackers adapt and introduce new techniques to bypass these controls, it’s vital that we rethink our approach in order to more quickly detect the symptoms of such attacks.

Included in the 2023 IBM Threat Intelligence Index was the worrying fact that only one in three breaches are successfully identified by the organisation itself – underlining the weaknesses present in traditional preventative approaches and understaffed SecOps teams. The reported average detection time for credential-based attacks is still being recorded in many months, while our adversaries are working to timeframes of hours or minutes. This imbalance has to be addressed if we are to stand a chance of levelling the odds against our attackers.

To counter these challenges, many organisations are taking steps to implement more sophisticated preventative measures, such as least-privilege (zero trust) systems. Unfortunately, even this is not sufficient to curb the continual innovation and increasing pace of attackers, who are reliably exploiting gaps in these systems caused by the need for business flexibility and the burden of legacy technology present within the organisation. Only by adopting a philosophy of ‘assume breach’ has the wider industry learned that effective detection and response can address these large, residual risks, by spotting and stopping attacks as soon as they enter our environments.

A new dawn in defence

MDR services are highly effective because they combine advanced technology, human expertise, and continuous monitoring to detect and respond to threats quickly. Unlike traditional security solutions that rely on passive alerts, MDR services provide proactive threat hunting, 24/7 monitoring, and rapid incident response – significantly reducing the time to detect and mitigate potential breaches.

So, all of that said, what should you look for when it comes to selecting and implementing the right MDR service for you? There are many approaches offered by different vendors and partners, but they are all focused on the same objective: significantly reducing the time taken to detect and remediate threats. Nevertheless, the approach that best fits your organisation will  come down to a personal choice based on your existing organisational security maturity, the underlying security tools in which your organisation has already invested and deployed, and any third party you choose to use, based on how well they integrate with and complement your own resources.

Regardless, the first step should be a third-party assessment of your current security posture, to provide you with a clear picture of where your organisation currently stands and identify gaps in your security. From there, you can engage with MDR providers to discuss and evaluate how well they align to your specific needs and goals.

As part of Conscia Group, the internationally renowned cyber solution specialist, ITGL has developed an industry-leading best practice MDR approach and platform to support our clients’ needs. We’ve detailed the building blocks of this model below, to help organisations to understand and critically evaluate the elements of such services. Here are some of the core fundamentals to look out for:

• 24/7 continuous monitoring and management of data sources and security platforms. These processes are governed by strict SLA guarantees, high process assurance, and the tailoring of detection use cases to the customer’s environment.

• Pre-authorised threat disruption responses as soon as malicious, unprevented activity has been confirmed. This includes the application of automatic or fast manual containment actions, such as endpoint isolation, user logout, user disabling, or network blocking to stop the detected threat from spreading further in your environment.

• Zero-trust integration with your environment, with the lowest privileges possible, and with the aim to place telemetry data lakes under your governance, where you configure and monitor the level of access that is required.

• Continuous customer maturity improvement provides regular reporting to senior business and security personnel, with recommendations on security posture improvements across a broad spectrum of cyber risk management. These recommendations focus on security control configuration and performance, more efficient use of preventative tools that are already available, user education, and policy improvements.

• Continuous detection improvement research results in the creation of new cases in the Conscia Threat Detection Framework (CTDF), thereby directly increasing the detection coverage and capability. The process is based on either specific customer business needs (a business-process-specific or environment-specific use case), or continuous reviews of commercial and OSINT threat intelligence, as well as the service feedback from SOC investigation and incident response processes.

• Continuous customer care provides a 24/7 direct security hotline to the security experts who are responsible for keeping your business safe, hold intimate knowledge about your environment, and are able to provide meaningful improvement recommendations.

• Continuous customer education stems from a dedicated threat intelligence (TI) team, the goals of which are to curate and distribute both human- and machine-readable threat intelligence information. This enables you to gauge external risk factors that are important to your environment.

There are, of course, additional options that can further enhance the capability and efficacy of the core service. These include vulnerability management, brand protection services, penetration testing, and red/purple teaming exercises – all of which form part of a tailored service that is built to suit each organisation’s specific needs.

The value of MDR is realised through careful onboarding – a combination of the optimisation of the client’s telemetry and the seamless integration into the detection platform, which itself will have prebuilt, custom integrations to provide additional contextual value based on each organisation’s security tool stack and desired outcomes. A focus is given to appropriate Endpoint integration and optimisation, where we can monitor a wider range of tactics, techniques, and procedures (or TTPs) and see over 70% threat visibility. When combined with identity, cloud, and network telemetry inputs, through an XDR approach, we can detect, contain, and eradicate 99% of threats early-on in the MITRE ATT&CK kill chain – blocking the majority of threats at the initial access and execution stages of an attack.

When implemented correctly, and with the right support partnership and framework in place, this approach can overcome the barriers that stop organisations from realising the true value of their existing security investments – in turn relieving pressure on internal resources, and providing an affordable and predictable financial model for the future. That’s not to mention the significant improvement to cyber resilience for the business.

This is how organisations can rapidly and cost-effectively combat the next generation of threats. By introducing innovative techniques that advance their defensive capabilities and pivoting the organisation towards proactive threat hunting, rapid threat detection, and effective containment at the earliest possible stage, you can ensure that you remain one step ahead of your adversaries.

For more information, or to discuss how we can support you in your journey towards a proactive defence strategy, please reach out to security@itgl.com.