Issue link: https://insights.oneneck.com/i/1233447
RESPONSE IN MDR

Response varies according to the nature of the security event detected, the value and type of asset under threat, and the outcome desired by the managed organization. In some cases, victims simply want the attack to stop so that they can move on. At the other end of the spectrum are organizations that are more interested in understanding the source and motivation behind the attack; those who are willing to allow an attack to continue in order to examine it. As a result, response is not a simple activity, but is often a blend of multiple actions, ordered based on the priority of the information or action that each delivers.

There are five general response types with associated outcomes and activities:

• Investigate – Immediate action is to enrich the security event notification with additional data prior to taking any active step to mitigate the threat.
Example: A new vulnerability is identified within a retailer's ERP system leading up to the holiday season. Patching or isolating the system immediately isn't possible because taking down a revenue-generating system at the height of the busy season is a non-starter. The right response is to investigate the exposure of the application to identify appropriate mitigating controls and monitoring changes until a reasonable service window is available.

• Eliminate – Immediate action is to disrupt the attack, patch or block access to the vulnerable service, or disable the threatening/anomalous user account.
Example: A destructive attack, like ransomware, infects a patient admitting system at a healthcare clinic. These attacks can spread rapidly. The right response is to eliminate the attack by shutting down the system, killing the malicious process, or isolating all affected devices.

• Notify – Immediate action is to inform appropriate responders of the security event with sufficient detail to enable response planning and decision-making.
Example: A financial services firm's IT administrator's credentials are being used to access and modify systems which were previously untouched. The right response is to notify the admin of the anomaly to ensure this is an approved activity. This could be an early warning of a potential insider threat or could be nothing at all.

• Contain – Immediate action is to limit the access of the vulnerable or compromised entity, which may mean limiting system services, restricting network access and egress, or reducing user roles and privileges.
Example: Privileged credentials of a senior executive are being used to manipulate company information from an unusual geography. The right response is to contain the potential threat by limiting the privileges of the credentials until the executive can be contacted to verify the legitimacy of the activity.

• Remediate – Action (usually not immediate) is to address the underlying condition that created the window for the threat, which could be an outdated policy, a change-control gap, misconfigured software, or stolen credentials.
Example: A new vulnerability is discovered in a widely deployed application on a manufacturer's factory floor, meaning it is installed on multiple devices. The right response is to remediate the vulnerability by rolling out the patches to the affected systems in groups, while applying additional protections and monitoring for the systems waiting to be patched.

MDR MANIFESTO AND YOU

As the threat landscape and complexity of attacks continue to evolve, so will the definition of MDR. We invite you and all security experts, advocates, and champions that embrace the MDR manifesto to share it forward with others in your community. Contribute to the conversation for advancing MDR: #MDRmanifesto