MDR use cases: How to tune MDR to the specialized needs of the industry where it is deployed

Managed detection and response (MDR) is giving resource-strapped organizations a fighting chance against increasingly sophisticated cyberthreats. A lot of time, money and effort goes into staffing and maintaining a security operations center, but MDR makes maintaining one easier and more affordable by providing coveted access to elite threat hunting professionals and providing around-the-clock monitoring of customer attack surfaces.

In spite of all the attention MDR has generated, less has been said about the degree to which MDR services can satisfy the particular requirements and challenges of any given industry.

Can MDR tailor its services to address the shortcomings unique to each industry? Or is it generic in application, a jack of all trades while being a master of none? The famous 20th century psychologist Abraham Maslow reportedly once quipped, “If all you have is a hammer, then everything looks like a nail.” Is MDR the hammer in this case, or is it something more?

We believe it’s the latter, and here’s why.

MDR knows industries inside and out

On any given day, some MDR vendors collect and process more data than most organizations will in a whole year. That’s because these vendors tend to operate on an international scale, with hubs established in multiple countries to better serve a global clientele.

This unique position affords MDR teams a front row seat to all threat activity within each industry they serve, allowing them to pinpoint where things go wrong and making sure customers are aware of common mistakes.

“We recognize the mistakes that people in a given sector often make and can help them rectify those proactively because we've seen so many of them breached before,” says Chester Wisniewski, Field CTO of Applied Research at Sophos. “K-12 schools are a great example of that. They’re notoriously short on resources and often don't have a big security team, and, unfortunately, they also have more adversaries than any other sector in the world because every student is a potential adversary in addition to the criminals that are trying to get in.”

“Thousands of three-foot tall hackers,” adds his colleague John Shier, Senior Security Advisor at Sophos.

The members of each industry tend to purchase the same types of tools due to word of mouth. And if one product worked well for other CISOs and CIOs, then why change the formula?

Unfortunately, this homogeneity of services means that if even one of these products goes belly up, attackers are quick to seize the moment and target vulnerable peers using the same technologies.

“You see this across industries where the CIOs or the CISOs all talk to one another, and they all end up using the same tools,” says Wisniewski. “For example, you may never see these tools anywhere else, but you'll see them all over K-12 schools. And that's the way criminals are getting into your network.”

Shier also stresses that MDR providers should be aware of the realities facing each industry in the context of their mission. Take healthcare for an example where saving lives is the paramount goal.

“Many hospitals have these drug delivery carts or what we like to call COWs — computers on wheels. Nurses and doctors use COWs on an ongoing basis in rotating shifts to provide speedy care at a moment’s notice. Well, we wouldn’t want to just apply multifactor authentication on COWs because the delay of somebody trying to fish out their YubiKey could potentially cause damage to a human being.

“That means,” he continues, “that we have to put additional safeguards around those machines and understand more contextually how they're being used and the types of things that are normal and what are not. And that's where we can work with the customer to understand their environment. The fact that we've been in this game for so long means we have some of this institutional knowledge about how certain industries work, and then we can help create detections, a set of conditions where –  when when those are breached, then it's an alert for you but not necessarily an alert for a financial organization or for a retail organization that has a different type of mission.”

MDR is flexible to industry needs

Within each industry, companies do have control and influence over how the MDR partnership can best meet their needs. At Sophos, for example, Shier and his team pride themselves on meeting customers where they are, not the other way around.

“We give you flexibility in how you consume the service and the types of tools that you use,” says Shier. “So if you want to be a complete Sophos shop and use all of our tools, you'll obviously get a much richer, more granular level of inspection, obviously, because we know our tools better. If you want to use a hybrid where you have a Palo Alto firewall but a Sophos endpoint, we can integrate and aggregate those two data feeds together to be able to get that telemetry and understand the context of what's going on.

“Or, let’s say you just plan to use everyone else's tools – you’ve got SentinelOne Endpoint, you've got a Fortinet Firewall, and you're using Okta for authentication — we can do that as well. So as far as the technological makeup of your organization and the types of security products that you have in-house, we can meet you where you are and can work with you that way.

In other words, the MDR provider should be able to tailor their services to the customer’s requirements in their industry — whether that means providing the whole workshop, integrating MDR tools with those the customer already uses, or even working exclusively with third-party tools altogether.

The scale of MDR operations benefits multiple industries

At the same time, there’s a lot of value in using a service that is versatile enough to meet the needs of multiple industries rather than any one alone. The sheer diversity in clients that a MDR provider works with gives it a level of scale and reach that is nearly impossible for a single organization to match on its own.

“In a single organization, every incident is bespoke and you don't get to call back on previous experiences to help you relate to what's happening,” says Wisniewski. “Whereas for MDR services, because of the quantity of customers they’re handling, they’re often able to spot those new techniques more quickly and then scan across their entire customer base to see if that new technique or tool has been weaponized elsewhere and proactively help all those organizations before it gets to the next step.”

In other words, customizing to a particular industry is valuable, but so is the context and intelligence that comes from having a bird’s-eye view of threat activity across multiple industries.

“Having as wide a spectrum of organization under this service as possible is really important for a customer to understand,” says Andrew Mundell, Principal Sales Engineer at Sophos. “What that means is that the MDR provider can house a much more varied set of those signals. So now, when they start to see something that might be initially targeting healthcare, the service can quickly pivot to give that protection to all of their other customers in other industries as well.”

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.