What is Managed Detection and Response (MDR)?
When it comes to cybersecurity, it's easy to feel like solution vendors are constantly exploiting your worst fears to sell you the latest and greatest solution you need to keep your business safe.
You know that strong cybersecurity is an important part of your business, but it's hard to know what you need to make sure your network is safe. Plus, your budget is not endless. Sure, the financial impact of a cyberattack could devastate your business. But what good are cybersecurity solutions if the continuous costs of adding new tools eventually put you out of business?
The frustrating reality is that threats are constantly evolving and changing, and so are the solutions necessary to protect your network from malicious attacks.
As the provider of security solutions, Innovative has some obvious bias in this area. But even though cybersecurity threats are infinite, your budget certainly is not.
You likely don't need every security solution on the market to stay in business. But you should understand the realities of your ever-changing security risks and how different types of security solutions could mitigate those risks. Then, you and your IT partners can implement a mix of solutions that align with your security and compliance needs, risk tolerance, and budgetary realities.
In this article, we'll dive into managed detection and response (MDR), one of the security solutions many small and mid-sized businesses should consider.
What is Managed Detection and Response (MDR)?
Managed Detection Response (MDR) is a cybersecurity service that combines technology and human expertise to seek out, monitor, and respond to threats. This is typically a 24/7/365 monitoring operation, with the singular goal of preventing cyber threats and quickly rectifying them when they occur. MDR will ALWAYS cover your endpoints (computers, servers), and some MDRs also protect cloud services.
Other Cybersecurity Terms to Know
Before we continue, it's important to note that there are a wide variety of names and acronyms for similar cybersecurity solutions.
In addition to MDR, here are some other common terms you might come across in the world of cybersecurity solutions:
Antivirus
Antivirus is the OG defense for computers and servers (i.e., endpoints). Antivirus is software installed on a device that identifies threats by searching for files and programs found in its database of known threats.
Endpoint Detection and Response (EDR)
Endpoint detection and response (EDR) is next-generation antivirus and anti-malware. EDR goes beyond traditional antivirus by detecting known threats and suspicious-looking files or programs that behave like a threat. Plus, EDR can respond to potential threats.
Security Information and Event Management (SIEM)
Security information and event management (SIEM) pulls data from all devices and tools on your network and in the cloud to create a master log of all events. Then, it analyzes the logs and generates alerts for any events that meet the defined criteria of a potentially suspicious event.
Extended Detection and Response (XDR)
Extended detection and response (XDR) is extended EDR. It works like EDR but looks at more than just endpoints. Typically scans all network traffic entering through things like cloud solutions, email, firewalls, routers, etc. XDR and MDR can be used very interchangeably.
Security Operations Center (SOC)
A security operations center (SOC) is the people, process, and technology that continuously monitor (and possibly react to) security issues for a business. It's typically staffed 24/7/365 by highly trained security professionals who evaluate and, when necessary, initiate reactions to the information your security and alerting tools generate.
what do these terms have to do with MDR?
You'll sometimes see any combination of the terms above used interchangeably with MDR. It's confusing because not all MDRs are created equal. For example, some MDR solutions are simply an EDR supported by a SOC. Others are more comprehensive and could include more than one EDR solution, have the logging functions of a SIEM, and cover the cloud and network traffic like XDR. But the one consistent is that the functions of an MDR solution always (or should always) include a SOC.
All MDR solutions have a SOC. The SOC is the analysis and response element of MDR.
Not all SOCs are MDR. A SOC could analyze and respond to alerts and information generated from any combination of security and monitoring tools.
We'll touch on Innovative's flavor of MDR later, but in most of this article, we're speaking in non-vendor-specific terms about MDR. Don't ever be afraid to ask clarifying questions, especially when talking with a cybersecurity vendor, to determine what the term means to them and what you should expect from their specific version of the service.
OK, now that we've established some basic vocabulary, let's get back to MDR specifically.
What Problem Does MDR Solve?
As technology has evolved in your business, so have the ways threats can enter your network. And no one security solution can do everything.
Multi-Layered Solution: The Swiss Cheese Analogy
Think of each security product as a piece of Swiss cheese. They each have their own unique set of holes. But the more slices of cheese you stack together, the fewer holes are open the entire way through the stack. MDR is a stack of Swiss cheese, not just one piece.
The more technology you use, the more avenues become available to an attacker trying to break into your network. Most MDR solutions reach beyond just endpoints to identify and ideally stop threats from entering your network through the cloud or other network traffic.
Bad actors don't need you to be logged in to your computer or sitting at your desk for an attack to occur. Even the best IT staff or managed services provider can't look at logs and traffic for signs of an attack 24 hours a day. Their scope is too broad, and many attack signs are too subtle. MDR gives you a SOC dedicated to analyzing logs of network events 24 hours a day, specifically looking for signs of a potential attack.
These signs are subtle because they're events or tools that could be legitimate. A perfect example is an event that happened at Innovative recently. One of our administrators created a new administrator account and realized he entered a typo in the username. So, he deleted the account and started over. Everything he did was totally on the up and up.
Our MDR solution picked up on creating multiple new administrator accounts, and the SOC called our security team immediately. We investigated the activity, discovered it was legitimate, and everything was fine. But attackers often create new administrator accounts from which they deploy malicious programs or steal information. Had these not been authorized administrator accounts, we could have shut off access before an attacker could do too much (or hopefully any) damage.
It's not just human actions that show subtle signs of attacks. Attackers can leverage trusted IT administration tools your IT team uses daily. A great example is PowerShell, a fantastic tool created by Microsoft and built into Windows operating system for administrators to manage Windows networks. Your IT team can use PowerShell to install software, change user permissions, create network rules, and so much more. But hackers can utilize the same tool to wreak havoc on your network.
The line between good and bad tools can be blurry, and solutions like EDR alone can't necessarily tell the difference. An MDR solution reaches throughout your technology ecosystem and identifies potential problems by leveraging humans and AI technologies to analyze how tools are being used or what actions are occurring.
How Do I Know if I Need MDR?
We might argue that all businesses need MDR. But we know not everyone will adopt the next level of cybersecurity defenses.
Before you decide that MDR isn't for you, consider that large corporations aren't the only ones under attack. They're just more likely to make national headlines than small businesses. In reality, small businesses are three times more likely to be targeted by cybercriminals than large companies. In fact, according to a recent report by researchers at Barracuda Networks, employees at companies with less than 100 employees experience 350% more social engineering attacks than employees of larger companies.
More than 30% of US small businesses have weak points that attackers can exploit. Companies with the least defenses are the biggest target since attackers have a greater chance of succeeding even if the payout is smaller. Most cyberattacks are not targeted. Attackers launch through multiple avenues: phishing emails, port scanning, embedding malware on USB sticks, etc. The attacker doesn't know where they'll land until something gets through. And that's when they begin planning what they'll steal or how they'll attack.
So, here are two questions to ask yourself as you consider whether to move to an MDR solution or not.
What impact would an attack or breach have on my business?
Cybersecurity isn't about if you're attacked. It's about when. Sixty percent of small and mid-sized businesses go out of business within six months of a cyberattack. A sound disaster recovery strategy ensures you can resume operations as soon as possible after an attack, but how much would recovery cost? Could the damage to your business' reputation ruin you? What would your insurance provider require to cover the loss?
These are all things to consider as you evaluate the potential implications of an attack on your business. The average cyber-attack costs a small business $690,000 to recover. But the more you invest in an appropriate cyber defense, the more you can minimize the cost of a potential attack. MDR is an ideal solution for most businesses looking to step up their security strategy and reduce the cost and impact of an attack.
What would I need to know about an attack or breach if it occurred?
Most MDR solutions provide event logs and can even track a potential threat as it makes its way through your network. This is critical information for businesses required to meet security and compliance regulations –healthcare, finance, government, etc. It can also help provide the necessary documentation for a cybersecurity insurance claim.
Even if your traditional antivirus or EDR solution identified an attack at an endpoint, it can't track everywhere the threat traveled before landing at the endpoint. You may not have documentation of all information the attacker may have accessed. Many MDR solutions do provide that documentation.
How to Choose an MDR Solution
The benefits and functions we've covered touch on what most MDR solutions can or should do. But when it comes to shopping for a cybersecurity solution. Don't make any assumptions.
As a managed service provider with more than two decades of experience managing hundreds of business networks, Innovative recommends that any MDR service you consider includes the following features and functions.
Multiple EDRs
Remember the Swiss cheese analogy? MDR is a stack of slices of Swiss cheese, and the tools it uses are the individual slices. EDR to protect your endpoints is one of those slices. But not all EDRs catch everything. If one EDR misses something, chances are good that the secondary EDR will catch it. A good MDR solution should include at least two EDRs.
Cloud and Email Monitoring
OK, we have two pieces of Swiss cheese layered to protect our endpoints, but holes are still open to other network areas. So, we stack on more slices.
The same type of technology that protects your endpoints must reach your environment's cloud aspects.
Your MDR solution should monitor and look for potential threats in places like:
- Microsoft365
- Google Workspace
- Slack
- Dropbox
- Salesforce
Threat Analytics
Once you've protected the places on your network, you must layer in protections for various cloud services like M365 or Google Workspace. This is where threat analytics come in. Your MDR should look for red flags in cloud analytics and activities. This layer of protection looks for suspicious things like login times, odd remote login locations, account creations or deletions, admin role elevation or removals, 2FA changes, etc. The alarm should sound as soon as possible when these suspicious events occur.
24/7/365 SOC with Remediation Capabilities
Make sure your MDR can remediate issues as well as detect them. Knowing about a threat or attack doesn't do much good if you don't have a team that can quickly do something about it. You don't want a SOC to alert you of an issue and move on with their day. You need them to do everything possible to stop destructive processes. Sometimes your SOC will perform the remediation efforts themselves. Other times they'll consult with your IT team to investigate further and work together to take the necessary steps. Either way, your SOC should be accountable for prompt action when they identify threats.
Expertise in Tool Stack
Leveraging MDR often means leveraging tools the SOC has mastered. It is hard to be an expert in every security tool out there. So, Innovative recommends partnering with a team that has a long history of mastering their set of tools, even if that means getting rid of tools that your IT team prefers. Going with the MDR's tool stack ensures you can hold their team accountable.
For example, you may already have an EDR solution in place. But your MDR provider likely specializes in a specific EDR, ideally, two specific EDRs. Your EDR is likely just as good as theirs, but you'll get the best results when you let them use the tools they've built their systems, processes, and communication channels around.
You can certainly find MDR providers that work with the tools you already have in place. But partnering with a provider that has mastered a specific set of tools typically gives you the best results.
Final Thoughts On MDR
The world of cybersecurity is confusing and overwhelming. Vendors are waiting around every corner looking to play on your worst fears to sell you the latest and greatest solution.
There's no security silver bullet, and any vendor who tells you their solution is guaranteed to stop all attacks is looking for a quick sale. Find a security partner you can trust who will take the time to learn about your business and recommend reasonable solutions that fit your industry requirements, budget, and tolerance for risk.
For many businesses, MDR is an excellent solution to consider if you're finding that stand-alone products like antivirus and EDR no longer offer an acceptable level of security for your business.
Innovative might be a good fit if you need a partner to help you evaluate and implement a sound technology and cybersecurity strategy.
Innovative's Cybersecurity Philosophy
Innovative believes in multiple layers of defense against cyberattacks and strongly recommends our managed and co-managed services clients consider adding MDR to their security strategy.
Innovative's MDR service includes:
- Multi EDR.
- 24/7/365 SOC US-based SOC.
- Cloud and email security.
- Cloud analytics.
- Event logging.
Other cybersecurity solutions available to Innovative's managed and co-managed clients include:
- Password management – ensures users are saving their critical passwords securely.
- Vulnerability management – an optional layer added to your MDR service that ensures applications are free from known exploitable vulnerabilities.
- Security awareness program – regular phishing testing, training, and reporting.
- Dark web monitoring – identifies compromised credentials available for sale on the dark web.
- Two-factor authentication – includes a 2FA application with time-saving push notifications as well as configuration, maintenance, and end-user support.
- Email encryption – ensures that only intended recipients can view email contents.
- HIPAA Compliance as a Service – a third-party compliance verification program for HIPAA covered entities and business associates.