A visit to major security conferences, such as RSA and Black Hat, quickly demonstrates the industry’s love of hyperbolic rhetoric and absolutist promises of pan-threat protection. Of course, once the hype is replaced with deployments, real world delivery falls short of visionary promises. It’s a cycle of holy grail to fail.

Recently, Gartner released the third edition of its Market Guide for Managed Detection and Response (MDR) Services. Enter the new disruptor. The vendor list has doubled from the original fourteen. The list contains newcomers to the stage, along with the usual suspects who, up until last year, sat in other vendor categories. The optimist will say these vendors are adopting a better approach; the cynic will say it’s more marketing sizzle than product steak, and a way of riding the hype wave. Either way, it leaves the industry confused, wondering whether the sheep or the wolf is wearing the other’s clothes.

The MDR guide certainly acknowledges this ambiguity, arguing that MDR vendors provide turnkey solutions that detect threats and respond with a mix of reporting, disruption, or containment actions, wrapped in a 24x7 service. Split off from the traditional MSSP category, MDR brings near real-time threat management to small and medium companies that cannot afford to build their own in-house SOC and security team the way larger firms, such as banks and insurance companies, do. What sets MDR apart from its MSSP relatives is lightweight incident response and an intentional focus on threat management rather than device or alert management. It’s a clever approach, and it certainly gets the point of security: find attacks and stop them before they metastasize and become a business-disrupting event.

In terms of disruption, it moves companies closer to the goal line. Considering MDR on an evolutionary line, it pushes the industry away from an instrumental approach of managing devices towards an intrinsic mindset determined to protect the firm, its investors, employees, and clients. We can now see the forest instead of worrying about the trees.

One way to classify this change is to think of three levels of advancement in risk management. The first stage is device-focused, moving through alert-focused, to threat-focused. In other words, we are moving from a reactionary response to attacks by deploying prevention technology, through an era of log and alert mania driven by compliance requirements, to a later stage of self-actualized threat management.

For decades the industry focused on prevention technology designed to stop various attacks from hitting their mark, and did so woefully inadequately. As the devices grew in number and complexity, and few replaced their predecessors, the demand on security teams increased in terms of patch and policy management. This friction created the demand for outsourced management and log aggregation, and managed security services were born. In most cases, the MSSP approach was more about devices and post-event aggregation of logs and reports.

Heavily regulated industries also grappled with compliance requirements, which created the first generation of log management tools, such as SIEM (Security Information and Event Management). This compliance 1.0 stage advanced the industry from device-centric thinking to a focus on logs and alert management. But, as many heavily regulated businesses will tell you, you can be 100 percent compliant and also 100 percent owned by cyber criminals. Compliance and security are not synonymous; they are related and overlap somewhat, but they are not the same thing.

Managed SIEM goes some way toward better securing companies, but it relies on logs generated by prevention technology. Thus, if one of these systems does not detect a potential threat, the logging system is blind. Enter MDR. Through a combination of user behavior analytics, deep network traffic analysis (full packet capture and analysis), endpoint protection, cloud-services protection, and lightweight incident response, MDR builds on managed SIEM to catch attacks that evade those systems but leave breadcrumbs that these other approaches can pick up. With this approach, often called threat hunting, companies, especially smaller businesses, can meet more stringent compliance standards that include 24x7 monitoring (compliance 2.0), and better protect their business. Let’s call this MDR 1.0. The hope is that artificial intelligence, machine learning, and other technology to come will finally move the security industry from a reactive mode to a predictive model (MDR 2.0?).

In the meantime, MDR comes in many flavors, with varying heritages of MSSP, risk management, managed SIEM, or in some cases, pure-play. Luckily, Gartner recognizes this and suggests that when selecting an MDR vendor, you align your needs to their services, examine response capabilities closely, and determine whether you need a vendor with experience in regulated markets.

In the end, if you want to know whether MDR disrupts your security approach, make the vendor prove what they claim through a comprehensive proof-of-concept evaluation. The only way to determine if you are selecting a wolf or a sheep is to watch them hunt. Their true nature will come out, and you will know which beast you are selecting.

This article is published as part of the IDG Contributor Network.

Title: IDG Contributor Network: Managed detection and response: disruptive approach or ...