Cybersecurity is facing both a headcount and skills shortage challenge, and automation isn’t solving the issue because attackers are constantly changing their tactics, techniques, and procedures, observed Randy Watkins, CTO of Critical Start. Professionals are still needed in tandem with automation, and this is exacerbating the expertise gap.
If you don’t have the right skills or enough security pros, you need to look at managed detection and response (MDR), which has evolved in recent years, said Watkins, speaking at RSA with Matt Alderman, vice president of product at Living Security and host of Business Security Weekly.
MDR started with endpoint detection and response (EDR) and basic remediation and containment capabilities, but then the question became, what do you do with all the alerts being flagged? Then, identity came in as another focal point for attackers, primarily through email.
“You realize that just covering endpoints isn’t enough,” Watkins said. That led to managed extended detection and response (MXDR), which brings in additional signals outside of endpoints, such as identity, email, and third-party signals coming in from the SIEM, to get a more holistic view of an attack approach, he said.
How to differentiate MXDR vendors from MSSPs
MSSPs, which Watkins referred to as a “legacy” approach, did “minimum value add” by providing 24/7 support and escalating alerts, but not going after attackers. “They weren’t really doing anything with the data they were bringing in,” he said.
“Fast forward to today, and the cost of a breach is almost outpacing the cost of non-compliance,” he observed. So there is a mindset shift among CISOs, who need their MSSPs to do more. The MSSP role is geared toward the console, firewall, and patch management, while MDR is doing more cyberthreat prevention, according to Watkins.
Some MSSPs do MDR work, he added. But the “line of delineation” will continue to be: are you managing a device or a technology, or are you mitigating and preventing cyber risk?
Anything that is detection and response is reactive, he said. Stopping a breach is more proactive.
There is now a shift left to look at security posture. For example, Critical Start does configuration validation of all the products the firm monitors—“garbage in, garbage out,” Watkins said.
What to look for in an MDR provider
There are a number of considerations when selecting an MDR provider. Alignment from a tech and strategy perspective is first and foremost, according to Watkins. You want to make sure the MDR system will support technologies you’re already using.
“The level of risk mitigation they’re going to perform in terms of alert resolution is key,” he said. One of the big differentiators Critical Start sees is service level agreements. A similar term that is sometimes used is service level objectives, which means the vendor will make their best effort to do mitigation, but there is no contractual obligation to fulfill the duty and no penalty for failing to do so, he said.
“That’s kind of dangerous,” Watkins said.
This raises the discussion of who dictates what is a critical, high, medium, or low alert, he noted. So organizations should really look at what their MDR provider is resolving and in what time period, and whether they will contain the threat, or if they are going to recommend containment.
By Esther Shein