the-mdr-manifesto

Issue link: https://insights.oneneck.com/i/1233447

Page 4 of 6

MANAGEMENT IN MDR

The Management leg of managed detection and response is the most important differentiator between external MDR providers. Responsibility for promptly identifying and mitigating attacks in progress is a serious challenge and requires two capabilities: Operational Competency and Security Authority. Before any vendor can present themselves as a provider of meaningful MDR, they must demonstrate both in order to support the security or IT department's case for adopting MDR.

OPERATIONAL COMPETENCY

There are five operational elements within MDR that describe Management capable of delivering effective detection and response:

• The MDR provider has visibility across the environment. Organizations require an understanding of the systems and images that support their objectives to be sure that they see all incidents and understand the scope of any event once discovered. This includes identification of new systems, of critical software revision levels, and insight into traffic passing within the organization.

• The MDR provider measures the current risk profile and recommends changes. To minimize the potential for successful attacks while simplifying detection of a real incident when it occurs, organizations must have a clear view of their current threat surface in order to remove known attack vectors and needlessly open networks that complicate detection with unnecessary traffic. This profile must identify:
  » All assets and network locations
  » Unpatched and vulnerable versions of critical software
  » Network exposures and impact assessments

• The MDR provider gathers information from all assets under management. Modern attackers employ attack and infection techniques that spread across multiple system types. Detecting these attacks and understanding their spread requires continuous information from the different types of systems that may be targeted. Reporting on compliance, governance, and risk also requires information from different systems across the organization. Blind spots allow drift to introduce new areas of exposure on a previously secure system and create havens for long-lived attacks.

• The MDR provider adjusts information gathering during periods of change. Like attacks, environments are rapidly changing because of technical and corporate evolution, personnel and system alterations, and simple growth. In order to maintain a consistent level of awareness and protection, organizations must be able to reprioritize, reassess, and reconfigure their detection and response tolerances and activities.

• The MDR provider maintains visibility and interactivity 24/7. Attacks are not limited to standard business hours in any geography, and more sophisticated attacks are not strictly serial. A given campaign or exploit can be triggered at any time, and individual elements of a complicated campaign may be executed with significant intermediating delays to avoid detection. In order to effectively manage detection and response to attacks, information gathering systems and staff must be continuously monitored to ensure their uptime and responsiveness.

MDR Defined.
