Managed-detection-and-response services are set for a phase change, Critical Start Chief Technology Officer Randy Watkins tells Security Weekly's Bill Brenner in an interview last week at the Black Hat 2023 security conference in Las Vegas.
The next step is what Watkins calls managed cyber risk reduction (MCRR), which Watkins says "is really an expansion of MDR past the reactive controls and into the proactive posture."
Watkins says MCRR will let MDR providers and clients prevent security incidents by identifying assets unprotected by EDR. It discovers and prioritizes vulnerabilities, improving a client's security posture.
"MCRR is the expansion beyond [MDR] to address risk in a more holistic fashion," Watkins tells Brenner. "MCRR is really building up those proactive security controls, bolstering up the security maturity and then having the detection and response for those targeted attacks that still get past the basic security controls."
Watkins thinks that telemetry from other security tools will soon make MCRR commonplace and make for "a more powerful and effective kind of security augmentation from a third-party provider."
He also addresses how to figure out which MDR provider might be best for your company.
"There's definitely an MDR out there for just about every organization," Watkins says. "Most organizations are using it for staff augmentation to really boost their internal resources because everybody's suffering from the resource gap."
He urges potential MDR clients to examine their own tech stacks to see how an MDR might fit in, determine in which areas in-house security needs help, and, finally, what exactly is in the MDR's standard service-level agreement (SLA).
"One thing that we've seen is SLAs based on notification of alert, which seems a little odd. I mean, that's just an alert in and of itself," Watkins says. "When you're looking at MDR, you're not looking for managed detection and recommendation, you're looking for managed detection and response."
He stresses that an MDR provider should stick to a client firm's "rules of engagement," i.e., to not impede the client's business practices while hunting down potential threats.
"If you don't want them to isolate your CEO's laptop at two in the morning," Watkins says, "then you should be able to declare that out of bounds while still maintaining a response capability across the rest of the environment to stop that threat from moving laterally."
Brenner prompts Watkins to address the big invisible elephant in the room at Black Hat — AI, and how it might be used to augment or undermine security practices.
"Oh man, you can't walk down the hallway [at Black Hat] without hearing AI mentioned at least once or twice," Watkins laughs.
But he says that AI will prove to be a boon in the fight against attackers, especially as ransomware attackers adopt a "low and slow" technique, in which they quietly infiltrate a network for months and exfiltrate data before eventually deploying a malware payload.
"What we're seeing more now is interactive attack behavior inside of the network before they launch ransomware," he says. "Ransomware is really just a parting gift. It's a 'Thanks for having us, we'll see you next time!'"
This segment is sponsored by Critical Start. Visit https://securityweekly.com/criticalstartbh to learn more about them!
Notable points along the way:
00:00 - MDR vs. MCRR: Key Distinguishing Factors
01:32 - Investing in tech stacks and third-party providers
03:17 - MDR pros and cons, key differentiators
06:30 - Interactive ransomware attack behavior
07:56 - MCRR: Managed Cyber Risk Reduction
09:24 - MCRR expands beyond detection to include proactive controls
13:25 - Conclusion
