August 20, 2019 by Nick Griffin and Elad Sherf
Endpoint security started to change a few years ago, circa 2015, when EDR started to become a hot topic. After the successes of malware sandboxes, vendors quickly began to realise that the same behavioural analysis techniques could be applied on the endpoints themselves in real time. Attacks could be detected and stopped not by detecting malware files before execution, but by preventing them from effectively infecting a machine after execution, before any damage is done.
Security vendors in this space also realised that they themselves don’t hold all the answers and that it isn’t possible to detect 100% of the bad 100% of the time. So, many next-generation endpoint security solutions began to report not only the known bad, but to also continuously forensically record machine activity to expose suspicious and malicious endpoint behaviours. This also allows security teams to perform threat hunting (aligning to frameworks like MITRE ATT&CK and TaHiTI), leveraging their own hypotheses and threat intelligence to augment vendor detection and find badness that slips through the cracks.
Top Considerations for Managed Detection & Response (MDR)
Having an in-house security team to manage incidents and hunt for threats as part of a SOC is a great start, but has its limitations. Whilst in most cases it will reduce your mean time to detect (MTTD) out-of-the-box and increase threat visibility in general, it is not enough. This is true not only for in-house security monitoring, but also when using a managed security provider.
Ensure that you have threat monitoring and response around the clock, adopting a follow-the-sun approach where possible.
- Endpoint Visibility in the Cloud
Remote containment and remediation, as well as remote forensic investigations, will greatly improve your mean time to respond (MTTR).
- Security Orchestration, Automation, and Response (SOAR)
Automate your incident response (IR) processes instead of doing them by hand every time. This will also drastically reduce your MTTR.
- Incorporate Threat Intelligence
For example, hunt for attacker techniques relevant to your industry and bolster your defences in those areas, and contextualise incidents to help determine if they are targeted or run-of-the-mill. Monitoring for emerging threats (e.g. the recent CVE-2019-0708 RDP vulnerability) and prioritising what to patch is also vital.
- Defence in Depth Assessment
Assess your security control gaps to form an improvement plan and reduce your overall risk. Rework any changes or additions back into your detection and response processes.
For most small-to-medium businesses, a fully fledged detection and response team utilising all of the techniques above is tough to achieve in-house due to budget and resource constraints. This is where a managed detection and response (MDR) service would be more cost-effective, putting trust in a service provider that has extensive and proven experience fending off both cyber-crime and nation state-backed attackers.