We have been hearing about a cybersecurity talent shortage for a while now. The need for these types of skilled professionals has been great and although this problem existed prior to the pandemic, the shift to remote work and continued adoption of cloud services has led to an increase in vulnerabilities, exacerbating global demands for more talent. Due to this shortage, many organizations have decided to engage with security service providers to help protect critical assets and ensure round-the-clock detection and response to threats.
A managed detection and response provider (MDR) is the best bet for this type of security, offering a well-equipped security operations center (SOC) staffed with the brightest human engineers examining alerts and determining what is truly a threat and what is a false positive. Other security providers, like managed security service providers (MSSP), are notorious for forwarding alerts to an organization for that organization to go through on its own. This can lead to confusion and the organization wondering why it engaged with a provider in the first place when it created more work for them. With a good MDR that is actively threat hunting and providing 24/7 support, alerts are never simply forwarded along and a mission-driven approach to fully operationalized cybersecurity is in place.
Mission-driven cybersecurity is about maximizing an organization’s people, processes and technology to implement a comprehensive and optimally configured security operation. Fully operationalizing cybersecurity in this manner is the best approach for quickly, efficiently and effectively responding to threats. Most organizations, however, struggle to operationalize their security efforts due to the scarcity of cybersecurity talent and the complexity caused by an overreliance on tools. Engaging an MDR service provider can help, but it needs to go beyond detection and response to operate like NASA’s Mission Control, keeping the following five key factors in mind:
- Mission: This involves having the outcome in mind and then having every action tie back to this outcome – or stated mission. Establish the parameters and clearly communicate them within whatever organization the provider is protecting during the formal onboarding meeting.
- Environment: The engineer must be familiar with what is normal for an organization and what is anomalous to it, and therefore can be deemed suspicious and a threat risk to that organization. The engineer must be familiar with the attack surface and the critical assets and know where they are located. Being proficient in the organization’s environment will help the engineer know when to flag activity as suspicious and when to deem it normal for that specific organization.
- Collaboration: Security is a team sport. Everyone in an organization needs to interact with a security service provider and each other for fully operationalized cybersecurity. Without collaboration between various teams, it is impossible to mitigate threats and reduce risks. It is essential that various departments within an organization check in with one another regularly, ensuring that they are on the same page. Collaboration between professionals in a SOC is also crucial so workers feel excited about their roles and are not prone to burnout from repetitive activity. There are many tasks that an engineer can perform within the SOC – rather than having to stick with just one activity – and they should be able to switch up activities. This helps them feel they are growing professionally, learning new skills and becoming more interested in actively devising ways to prevent and fight attacks.
- System: A system for detecting and responding to threats involves knowing exactly where people and technology fit in and knowing which tools to utilize and which to discard. With fewer tools to monitor, security teams can rely on a consolidated control plane to focus on investigating suspicious activity and running real threats to ground. This eliminates errors and speeds response.
- Measurements: Security providers should be able to assess risks using metrics indicating preparedness to defend against future attacks. All of the metrics used should reflect a deep environmental understanding of the organization.
An effective MDR also uses a framework to benchmark its detection capabilities and assess its overall coverage; one such framework comes from MITRE. The MITRE framework is a tremendous asset for strengthening an organization’s security posture.
Due to the impact that limited talent and resources have on cybersecurity, an MDR provider can be a lifesaver, providing an organization with the technology, people and processes so that its security posture is not just good, but excellent.