I was recently invited to The Next Phase of Cybersecurity podcast to share insights on the current threat landscape and how managed detection and response (MDR) can help organizations adapt and defend in today’s world. With so many new products and acronyms in cybersecurity and technology, customers are right to have healthy skepticism. In the podcast, we discussed the history of MDR, the current threat landscape, common challenges for organizations, and how MDR can help businesses of all sizes. As a bonus, we chatted about extended detection and response (XDR) and how that fits in. Listen to the full podcast here and get the highlights below.
Why are SIEMs and MSSPs not enough?
For a bit of history, cybersecurity issues first arose when people started to meaningfully connect to the internet in the mid-to-late ‘90s. That’s when managed security service providers (MSSPs) started offering security prevention solutions. MSSPs were developed in a world where people believed you could build a wall big enough to keep attackers out with antivirus and firewalls. MSSP services focused on managing security technology to stop attackers at the front door, but that is no longer enough protection as attackers are now getting around the proverbial castle walls.
Security information and event management (SIEM) services started to pop up shortly after MSSPs, as companies tried to meet compliance mandates to log everything and also fix their cybersecurity issues by improving monitoring. However, there simply weren’t enough experts to look at the data and maintain the complex tapestries of security rules. This approach led to an industry littered with half-implemented or shelved projects. MSSPs raised their hands to help but ultimately didn’t have the visibility or expertise to do anything but produce more noise for the customer. Technologies like endpoint detection and response (EDR) popped up to help with visibility and detection, and that’s when MDR providers started offering end-to-end detection and response for companies. When done right, MDR providers partner with customer teams, bringing the expertise and technology that most organizations are not able to select, maintain, and improve on their own.
What is MDR?
MDR is a way for companies with limited budgets to finally achieve an effective 24/7 detection and response strategy. This includes monitoring their networks, endpoints, logs, and cloud infrastructure to detect cyber threats that are constantly evolving in sophistication. Unlike MSSPs, true MDR services deliver technology and human intervention to proactively search for threats, validate those threats, and respond in time to minimize damage or loss. They are designed to efficiently and consistently perform detection and response while managing the underlying technology.
What’s happening in the current threat landscape and how is it leading to more adoption of MDR services?
Attackers are constantly evolving their techniques and looking for new ways to get the biggest payoff with minimal effort. Ransomware attacks alone have increased 62% globally since 2019 and 158% in North America. Ransomware is a household name often in front-page news and highlighted on 60 Minutes. There are more attackers joining the business of cybercrime, resulting in more compromised companies. The economics favor the attackers. It only takes a few dollars of offense from attackers to defeat millions of dollars of defense from defenders.
Gartner estimates that by 2025, 75% of organizations will face one or more cyberattacks. The number of attacks is rising daily, at a rate of 50% over the last year alone. Organizations want to do more. They want to keep up with the alert volume and be able to investigate alerts to find out what’s happening underneath the surface, but they don’t necessarily have the time or resources. Alert fatigue is a common contributor to false positives that can get overlooked, especially if an organization is understaffed.
What is a common challenge organizations face today?
Every sector has been touched by ransomware or other cyber threats. The prior belief was that only the top 1% was getting attacked — top banks, top defense contractors, large organizations, etc. However, that’s not the case. Everyone is a target, and not everyone is able to defend against cyberattacks. Cybersecurity talent shortages are widespread as there are simply not enough people with hands-on experience to support and keep up with the current threat landscape. Once organizations hire employees and train them, the employees can leave and often double their salaries somewhere else. It’s a tough environment to build and retain cybersecurity talent.
How is MDR helping organizations tackle cyberattacks?
MDR brings the people, processes, and technology together to solve the issue of visibility into an organization’s network. Organizations are either overwhelmed with alerts that they are not able to fully investigate or they don’t receive enough security alerts and are likely missing a possible attack or compromise.
As long as there’s a human attacker, you’ll need human defenders. Human beings are too creative, motivated, and ingenious to be stopped with machines alone. MDR providers are able to attract and retain this human expertise and apply it across a customer base, where organizations have a hard time retaining this level of talent. There is also an intelligence aspect — understanding the threat landscape, what the latest attackers are doing, and keeping up with the best ways to prevent attacks.
When you detect something, you need to take action to deal with it. This requires an understanding of the business and solid incident response expertise. Unfortunately, only a select set of MDR providers are really equipped with this combination of skills.
Where do you see XDR heading and what potential does it have in contrast to EDR?
Full visibility should be a tenet of any detection and response strategy. Our Scope platform has been performing extended detection and response (XDR) since before there was a term dedicated to this type of work. We started with network analysis in 2013, added endpoint detection and response (EDR) in 2014, and include cloud and log analytics as the core of our approach. We believe today, and have always believed, that XDR is a requirement to be an effective MDR provider.
As a tool, I predict that XDRs will be similar to SIEMs. Many organizations will adopt them but realize limited success because of the people and process requirements to get the most out of the technology. The big banks will do it right. But, if you’re a midmarket organization, it will be hard to retain a full-time dedicated staff focused on getting the device up, running, and configured. At Pondurance, our managed XDR platform, Scope, along with the smartest humans we can find, powers our 24/7 MDR services.
There is no one-size-fits-all approach to MDR. Every organization has different needs, and they are all at different stages in their journeys. It’s important to identify a partner that can be on that journey with you to navigate the various tech trends and threat evolution points that will continue to occur.
Want more? Watch our webinar where I discuss MDR with our CEO Doug Howard and Jim Malone of CIO.com: Making the Case for Managed Detection and Response.
Chief Strategy Officer | Pondurance
Lyndon Brown brings a career focus in building high-growth technology companies to Pondurance where he is responsible for Product Management, Corporate Development, Marketing, and driving cross-functional performance. Prior to joining Pondurance, Lyndon served as Vice President of Business Development at FireEye Mandiant, where he focused on strategic growth initiatives. As an executive, Lyndon has successfully led product management, M&A, and global partnerships at firms such as Verodin (acquired by FireEye) and Endgame (acquired by Elastic).