Gartner released the 2017 market guide for Managed Detection and Response Services (MDR) early this month, describing the service and listing representative vendors in this space. Last week, Gartner also included MDR in their list of top security technologies for 2017.
The question is, do you now need to engage MDR providers for your cyber security?
To state the obvious, today's threats cannot be detected or prevented quickly enough by a traditional Security Operations Center (SOC) built on a SIEM alone. A next-generation SOC with MDR capabilities needs complementary technologies: network traffic analysis (NTA), user and entity behavior analytics (UEBA), endpoint detection and response (EDR), response automation, and fast orchestration. We recently released a guide, in collaboration with Frost & Sullivan, on “How to Build an Adaptive, Future Ready SOC” with MDR capabilities (available here); it is a good read if you are planning to set up an internal SOC yourself.
For most organizations, setting up a next-gen SOC internally is not viable. In our discussions with clients that are building one, we consistently hear three challenges:
- Architecting the right big data platform for large-scale ingestion and real-time correlation, while also running longer-term analytical jobs over the same data, takes time and effort. Turnkey solutions are scarce, and security teams that are already hard pressed for time are reluctant to start experimenting with a variety of big data stacks.
- Integrating the various point products for UEBA, NTA, EDR, response automation, forensic analysis, and workflow orchestration into an existing SIEM-based SOC is hard. The goal of MDR is a seamless process from detection to response; a patchwork of loosely coupled tools creates inherent obstacles to speed.
- The biggest challenge is probably finding the people to run the next-gen SOC. Here is the conundrum: a next-gen SOC is not only intelligent but is built on extreme automation, yet it needs more people to run than a traditional SOC. Why, when the prevailing paradigm is that intelligent machines and automation take over jobs, would a SOC built on machine learning and automation need more people?
The answer lies in letting machines do what they are best at and letting humans do what they are best at. Machines are good at finding answers, but can they find the questions? Any security analyst will tell you that the key is to keep asking questions: formulate a hypothesis, let the machine provide the answer, refine. You see a suspicious event, you form a hypothesis about what could have gone wrong, you ask the questions that would prove or disprove it, and you iterate. The underlying machine (whether a big data machine learning platform or something else) should keep answering those questions with intelligence and automation.
With this perspective, the tasks split between humans and machines as follows:
- Machines provide analytics; humans do threat hunting on top of those analytics, asking a series of questions to determine whether the analytical output reveals an incident, a compromise, or a breach.
- Machines collect and analyze forensic data; humans investigate, asking what, who, when, and how to decode the incident.
- Machines provide threat intelligence feeds; humans do threat anticipation, asking what could go wrong, or what could affect the organization, given that intelligence.
- Machines provide automated playbooks; humans drive incident response, asking what might break in the environment once a playbook executes and what alternative steps can be taken.
Formulating hypotheses, asking the right questions, and discovering new knowledge are forms of general-purpose intelligence, which remains in the human domain. Answering questions with intelligence and automation is specialized, narrow intelligence, which is now the machine's domain. The next-gen SOC needs a high dose of both.
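The human/machine split described above, as an added illustration that is not part of the original post: a small Python script over constructed logon events rather than real telemetry. The machine side reduces raw events to per-user features; the analyst side encodes each hypothesis as a yes/no question over those features, inspects the hits, and asks a follow-up question against the raw events; the proposed playbook flags the steps that could break something so that a human has to approve them. The account names, host names, the service-account list, the working-hours window and the hypothesis thresholds are all assumptions chosen for the example.

```python
"""Hypothesis-driven hunting, split the way the post describes: the machine
aggregates raw events into analytics, the analyst asks questions of them.
Added example; every event, account and threshold below is constructed."""
from collections import defaultdict

# Constructed logon events: (timestamp, user, source_host, result). Not real telemetry.
EVENTS = [
    ("2017-06-12T09:01", "alice", "wks-01", "success"),
    ("2017-06-12T09:05", "alice", "wks-01", "success"),
    ("2017-06-12T10:12", "bob", "wks-07", "success"),
    ("2017-06-12T02:14", "bob", "wks-07", "success"),       # human account at 02:14
    ("2017-06-12T02:15", "svc_backup", "srv-db01", "success"),
    ("2017-06-12T02:16", "svc_backup", "srv-db02", "success"),
    ("2017-06-12T02:17", "svc_backup", "srv-fs01", "success"),
    ("2017-06-12T02:18", "svc_backup", "wks-22", "success"),  # service account on a workstation
    ("2017-06-12T11:40", "carol", "wks-03", "failure"),
    ("2017-06-12T11:41", "carol", "wks-03", "failure"),
    ("2017-06-12T11:42", "carol", "wks-03", "failure"),
    ("2017-06-12T11:43", "carol", "wks-03", "failure"),
    ("2017-06-12T11:44", "carol", "wks-03", "success"),
]

# Asset knowledge the analyst brings to the hunt (hypothetical, not from the post).
SERVICE_ACCOUNTS = {"svc_backup"}
SERVER_PREFIXES = ("srv-",)


def user_analytics(events):
    """Machine side: reduce raw events to per-user features."""
    feats = defaultdict(lambda: {"total": 0, "failures": 0, "hosts": set(), "off_hours": 0})
    for ts, user, host, result in events:
        hour = int(ts[11:13])            # "YYYY-MM-DDTHH:MM" -> HH
        f = feats[user]
        f["total"] += 1
        f["failures"] += result == "failure"
        f["hosts"].add(host)
        f["off_hours"] += hour < 6 or hour >= 22   # assumed working hours 06:00-22:00
    return dict(feats)


# Human side: each hypothesis is a yes/no question asked of one user's features.
HYPOTHESES = {
    # "Was this password guessed repeatedly, and did the attacker then get in?"
    "guess_then_success": lambda u, f: f["failures"] >= 3 and f["total"] > f["failures"],
    # "Is a human account logging on outside working hours?"
    "off_hours_human": lambda u, f: u not in SERVICE_ACCOUNTS and f["off_hours"] > 0,
    # "Does any account reach unusually many hosts?"
    "many_hosts": lambda u, f: len(f["hosts"]) >= 3,
}


def hunt(feats, hypotheses):
    """Ask every hypothesis of every user; return only the hypotheses with hits."""
    hits = {}
    for name, question in hypotheses.items():
        users = sorted(u for u, f in feats.items() if question(u, f))
        if users:
            hits[name] = users
    return hits


def non_server_hosts(events, user):
    """The analyst's follow-up once 'many_hosts' flags a service account:
    'did it touch anything that is not a server?' This goes back to raw events."""
    return sorted({h for _, u, h, _ in events if u == user and not h.startswith(SERVER_PREFIXES)})


def plan_response(user, finding):
    """Machine proposes playbook steps; the ones that can break something are
    flagged True so the analyst must approve them (the post's 'what can break?')."""
    steps = [("notify_owner", False)]
    if finding == "guess_then_success":
        steps += [("force_password_reset", True), ("revoke_sessions", True)]
    if finding == "many_hosts" and user in SERVICE_ACCOUNTS:
        steps.append(("disable_account", True))   # would also stop the backups it runs
    return steps


def run(events=EVENTS):
    """One hunting iteration: analytics -> hypotheses -> follow-up -> response plan."""
    feats = user_analytics(events)
    hits = hunt(feats, HYPOTHESES)
    follow_ups = {u: non_server_hosts(events, u)
                  for u in hits.get("many_hosts", []) if u in SERVICE_ACCOUNTS}
    plans = {(u, name): plan_response(u, name) for name, users in hits.items() for u in users}
    return hits, follow_ups, plans


if __name__ == "__main__":
    hits, follow_ups, plans = run()
    for name, users in hits.items():
        print(f"{name}: {users}")
    print("service accounts seen on non-servers:", follow_ups)
    for (u, name), steps in plans.items():
        gated = [s for s, needs_ok in steps if needs_ok]
        print(f"{u}/{name}: steps needing analyst approval: {gated}")
```

The point is the shape of the loop rather than the particular thresholds: the analytics are cheap to recompute, each hypothesis is a one-line question, and the follow-up question is something the analyst writes only after seeing who the first pass flagged, which is the work that does not go away however much the collection and aggregation are automated.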
So, instead of building a next-gen SOC, overcoming the challenges around big data architecture, integration of analytics point products, and orchestration, and then staffing more people for hunting, investigation, anticipation, and response, an organization can opt for a seamless service that delivers all of this. That is the promise of MDR vendors: a unified platform combined with skilled people to offer advanced cyber defense as a service. We at Paladion are working to make this a reality with our MDR offering, which is built around intelligence, automation, and a high people index.
Rajat Mohanty is the Co-founder, Chairman of the Board of Directors and Chief Executive Officer of Paladion Networks. He has been Paladion's Chairman and CEO since the inception of the company in July 2000.