The time taken to detect a cybersecurity incident may impact the consequences of an attack. For example, according to our latest research, small and medium businesses (those with less than 1000 employees) that identified an issue right after it happened suffered 17% less financial damage from a data leak than those that detected it a week or more after the attack.
The same survey found that only 10% of businesses in this segment managed to detect a breach immediately. So, how is it that businesses can overlook such a large issue?
Advanced attacks have become more affordable…
Cybercriminals are more likely to conduct advanced attacks when the cost of organizing one is lower than the potential revenue – for example, the amount of money received as a ransom for decrypting files or the income from selling stolen sensitive data. That’s why sophisticated attacks usually target large enterprises – that is where the chances of hitting the jackpot are highest.
However, attacks against small and medium businesses have also become profitable. First, malefactors no longer need to develop their own malware that evades detection by security solutions. They can simply re-use the ‘best practices’ of their ‘peers’ – for example, by buying the necessary toolkit. Thus, advanced attacks on medium-sized businesses are worth the trouble as well.
Besides, cybercriminals may not use malware at all. They can misuse the legitimate functionality of an operating system or remote administration software to collect credentials or gain access to information without being noticed by endpoint prevention products. Our incident response team estimated that this kind of software was involved in almost a third of customers’ requests (30%).
Such threats are not only difficult to spot, but they often cannot be blocked automatically: they are too similar to the everyday actions of an IT security administrator. Blocking them without further investigation can disrupt important business processes.
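The point above, that activity by a legitimate administration tool cannot simply be blocked on sight, is what a triage rule in an MDR or SOC pipeline has to live with. The following added example (not code from the original article or its vendor) illustrates one defensive way of handling it: instead of blocking, the rule scores how far an endpoint event departs from routine administration (expected account, business hours, approved change ticket, non-critical asset) and either suppresses it or hands it to an analyst with a priority. The tool name, accounts, hosts and telemetry fields are hypothetical placeholders constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Tuple

# All names below are hypothetical placeholders constructed for this example.
REMOTE_ADMIN_TOOLS = {"remoteadmin.exe"}   # legitimate remote administration tool
ADMIN_ACCOUNTS = {"it-admin"}              # accounts expected to run such tools
CRITICAL_HOSTS = {"CEO-LAPTOP"}            # assets where even an hour offline is costly
BUSINESS_HOURS = range(8, 19)              # 08:00-18:59 local time


@dataclass
class ProcessEvent:
    when: datetime
    host: str
    user: str
    image: str                           # executable name reported by the endpoint sensor
    touched_credentials: bool = False    # sensor flagged access to stored credentials
    ticketed: bool = False               # linked to an approved change ticket


@dataclass
class Verdict:
    action: str                          # "suppress" (routine admin work) or "escalate"
    priority: str                        # "low", "medium" or "high": drives the SLA tier
    reasons: List[str] = field(default_factory=list)


def triage(ev: ProcessEvent) -> Verdict:
    """Score how far an event departs from routine administration.

    The tool itself is legitimate, so no score leads to an automatic block: the
    only outcomes are 'leave it' or 'hand it to an analyst with a priority'.
    """
    reasons: List[str] = []
    score = 0
    if ev.image.lower() in REMOTE_ADMIN_TOOLS:
        reasons.append("remote administration tool")
        score += 1
    if ev.touched_credentials:
        reasons.append("credential access")
        score += 2
    if ev.user not in ADMIN_ACCOUNTS:
        reasons.append("non-administrative account")
        score += 2
    if ev.when.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
        score += 1
    if not ev.ticketed:
        reasons.append("no change ticket")
        score += 1
    if ev.host in CRITICAL_HOSTS:
        reasons.append("critical asset")
        score += 1

    if score <= 2:                       # looks like an administrator doing their job
        return Verdict("suppress", "low", reasons)
    high = ev.touched_credentials or ev.host in CRITICAL_HOSTS
    return Verdict("escalate", "high" if high else "medium", reasons)


# Constructed telemetry, not real data: one routine admin session, one odd
# session from a non-admin account at night, one ticketed session on an
# executive laptop that touched credentials.
SAMPLE_EVENTS = [
    ProcessEvent(datetime(2021, 3, 1, 10, 15), "WS-042", "it-admin",
                 "remoteadmin.exe", ticketed=True),
    ProcessEvent(datetime(2021, 3, 1, 2, 40), "WS-042", "j.doe",
                 "remoteadmin.exe"),
    ProcessEvent(datetime(2021, 3, 1, 11, 5), "CEO-LAPTOP", "it-admin",
                 "remoteadmin.exe", touched_credentials=True, ticketed=True),
]


def analyst_queue(events: List[ProcessEvent]) -> List[Tuple[str, str, List[str]]]:
    """Return (host, priority, reasons) for every event an analyst must review."""
    queue = []
    for ev in events:
        verdict = triage(ev)
        if verdict.action == "escalate":
            queue.append((ev.host, verdict.priority, verdict.reasons))
    return queue


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        v = triage(ev)
        print(f"{ev.when:%H:%M} {ev.host:10} {ev.user:9} -> "
              f"{v.action:8} {v.priority:6} {', '.join(v.reasons)}")
```

Only the first event is suppressed; the other two reach the analyst queue with different priorities, which is the hook for the per-priority reaction times discussed later in the article. The weights are illustrative; in practice they would be tuned against the customer’s own change-management and working-hours data.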
…and companies’ resources are still limited
All in all, to deal with such threats, businesses need both advanced solutions that can collect and correlate security-related data and a seasoned security team to analyze and respond to incidents.
However, security budgets are falling behind the needs of protection. According to our research, on average, companies with less than 1000 employees spent about $275k on IT security protection in 2020. This amount did not increase much compared to the year before. That’s not surprising given the difficult economic conditions, which means companies are investing more in revenue-driving areas of the business.
Additionally, when it comes to qualified personnel, small enterprises also need to do more with less. With only one employee responsible for cybersecurity (the situation in 49% of SMBs), such a team can hardly deal with suspicious events around the clock.
In these circumstances, the most cost-effective option would be to “share” the costs of a security operations center (SOC), that is, a dedicated unit responsible for proactively searching for potential threats and analyzing alerts, with other companies. This is exactly what managed detection and response (MDR) offers. The vendor’s specialists inspect the information coming from security solutions installed in client organizations and suggest how a company should respond to a given attack.
What to look at when choosing an MDR provider
So how do you choose an MDR provider? First and foremost, its proficiency in detecting attacks is the key factor to consider. The obvious proof of expertise is the vendor’s own research. Self-produced research allows SOC analysts to quickly find new threats in a customer’s infrastructure, as they learn about new malicious tactics first-hand and do not have to wait until this information becomes publicly available.
It is also recommended that you pay attention to the technologies that the service is built on. Primarily, they should be effective enough that most threats can be prevented without involving the vendor’s security analysts or internal cybersecurity staff. In addition, some vendors implement machine learning algorithms in alert processing. As automation takes over routine tasks, security analysts can deal with real incidents, which in turn cuts the time needed to react to an attack.
Secondly, it is worth considering the cost of the solution and the ease of its deployment. Often, an MDR provider works on information gathered by a sophisticated Endpoint Detection and Response solution that collects and analyzes data from endpoints to give analysts more visibility into their security. Such a tool may be too expensive a purchase, and given the lack of in-house experience it is likely to be used only by MDR specialists. This approach is not cost-effective and negates all the financial benefits of outsourcing.
You also need to pay attention to the response options the vendor offers. Ideally, the service should be flexible and combine two options: in some cases, the MDR team carries out response measures remotely, while in others, internal staff react on their own, following instructions and using a provided tool stack. The latter is helpful at the beginning of the cooperation, as a customer will want to ensure that the recommendations work well and take into account the specifics of their network and business processes. Also, some prefer to respond on their own when incidents happen on critical assets, for example, on computers belonging to executives. This gives better control over the situation and its impact on the business, as even an hour with a top manager’s computer offline can lead to lost business opportunities.
We also recommend ensuring that the contract defines a clear reaction time in the service level agreement, depending on the priority assigned to a detected incident. It’s important to choose an MDR provider who can react most quickly to incidents that may cause huge damage to your business. And of course, 24/7 operations are vital to stop an attack at an early stage, no matter when it happens.
The ability to consult the MDR team of SOC analysts is also a significant factor. This helps in situations where an internal team needs more comprehensive help or advice beyond its own.
EDR, MDR or both?
MDR can help organisations that need to quickly improve their threat detection and response capabilities. However, this does not mean that a company has to stop developing internal expertise. It all depends on the strategy of the particular business.
If it would like to grow a mature cybersecurity function in-house, an MDR service will be a helping hand during this transition period. Later on, MDR can be a supporting force that allows internal security analysts to focus on the most critical incidents.
If a company prefers to outsource threat hunting and incident response, it is worth polishing its third-party management skills to better handle the outsourced functions.