MDR-Buyers-Guide

Issue link: https://insights.oneneck.com/i/1348189

AlertLogic.com | HOW TO CHOOSE AN EFFECTIVE MANAGED DETECTION AND RESPONSE (MDR) PROVIDER

1. Will Successful Attacks Be Reduced?

The first, and most important, aspect to consider when evaluating MDR solutions is how well, or whether, it can reduce the likelihood of a successful attack against your environment. When an attack does occur, you need the technology and expertise to recognize and mitigate the threat to prevent or minimize the potential damage.

The MDR solution must proactively analyze your environment and the threat landscape. Vulnerability scans and configuration audits help to identify and address gaps in your security, while active threat research and intelligence keep you informed of emerging attacks and how to best recognize and respond to them.

MDR needs to enable you to quickly identify suspicious or malicious activity in your environment, so you can take immediate action to limit the access of vulnerable or compromised assets by restricting network access or reducing user roles and privileges.

2. Is There Comprehensive Visibility?

It's a simple fact that you cannot effectively protect things you cannot see. If you are unaware of devices connected to your network, or of cloud apps being used to store data, you can't ensure they are patched, updated, and protected against unauthorized access or exploits.

Your MDR provider needs to have comprehensive visibility across your complete environment, as well as platforms that you may add to your environment in the future. Visibility of your on-premises network, remote endpoints and mobile devices, and the major cloud providers (AWS (Amazon Web Services), Azure, and GCP (Google Cloud Platform)) is crucial for effective MDR.

Aside from visibility of every platform and asset, it is also essential to have continuous visibility, because cyberattacks do not follow "business hours." The MDR provider should have skilled professionals keeping an eye on the environment around the clock. Does the MDR provider offer 24/7 monitoring? Does the provider have multiple, redundant SOCs (security operations centers) for constant vigilance and response?

3. How Are Research and Threat Intelligence Incorporated?

The threat landscape changes quickly, and attackers are constantly developing new exploits and techniques. It is imperative to have continuous research performed by experienced analysts to augment your security tools and technologies. Understanding the scope and impact of a threat also enables proper prioritization of risk from those threats, based on analysis of current instances of similar attacks in the wild.

When evaluating MDR, ask if the provider conducts its own vulnerability and threat research, and whether it incorporates internal and/or third-party threat intelligence feeds in its analysis of threats. How does the MDR provider get value from the output of threat research, and what is its approach to ensuring threat intelligence is current?
