Issue link: https://insights.oneneck.com/i/1233447
SECURITY AUTHORITY

Security must be understood and managed across multiple technical disciplines to address the wide variety of potential security requirements and security events. For the management of detection and response to be effective in customer environments, the provider must be familiar with the platforms, environments, and threats that make up these security challenges, demonstrated through:

EXPERIENCE – An MDR provider must have an established infrastructure, processes, and staffing that have been proven to scale and to respond to the security developments and challenges associated with the service descriptions and levels they are offering. For example, management must apply to more than a single technology, such as EDR, and to threats from multiple vectors against the protected assets. Organizations cannot rely on vendor claims and should seek access to customers and analysts who can speak to management capabilities in real deployments.

INTELLIGENCE – An MDR provider must be able to demonstrate past performance in identifying new and complex attacks, and must be able to describe the process through which threat intelligence and threat identification continually evolve.

EXPERTISE – Recommendations around protective measures, as well as remediation, require ongoing exposure to and learning about threat impact and attack mitigation. An MDR provider must have trained and certified personnel who can respond to questions, events, configuration changes, and new technologies.

DETECTION IN MDR

Detection is the element of MDR that requires the most attention, speed, and knowledge. Speed and scope of understanding are important because organizations want the systems they know to be vulnerable never to experience a successful attack that causes meaningful harm. There are four elements to the term Detection that define the capability needed to ensure protection of customers:

• Detection begins with a comprehensive knowledge of threats. Whether it is understanding exploitable vulnerabilities or recognizing attacks in progress, detection is driven by continuous research performed by experienced analysts who know where to look. This research also enables prioritization of risk from those threats, measured by the likelihood and the current instances of these attacks in progress.

• Some detection occurs before attacks and incidents take place. Minimizing risk includes identifying threats before attacks and incidents occur, which also means minimizing exposed vulnerabilities. Detection of vulnerable systems, of insecure configuration changes, and of new unprotected systems joining the network is required to identify and limit those vulnerabilities. To be effective, this information must also be enriched with exposure, likelihood, and severity data, providing a basis for triaging and remediating known issues.

• Detection is enhanced with human expertise to increase accuracy. Alarm fatigue and false positives lead to analyst burnout and missed incidents. To be trusted and effective, detection must be combined with credible validation before any call for response. The complexity and changing context of some potential security events call for the intermediation of expert reviewers who can validate events and their seriousness while enriching them with additional data.

• Detection must occur in near real time. Reducing impact and lateral spread requires attack identification in minutes, not hours or days. Automated continuous information gathering and analytics provide high-quality indications of attack for further analysis, eliminating dwell time and improving upon traditional retrospective log and traffic review.