Cyber Advisors Business Blog

Managed Detection and Response – Why It’s Needed and How it Works

Written by John Hallqvist | Jan 2, 2020 8:15:01 PM

According to a report from the FBI’s Internet Crime Complaint Center, financial losses from cyber-crime grew 90% from 2017 to 2018, while the number of complaints only grew 16%1. These numbers indicate that cyber criminals are getting more effective at siphoning large sums of money when they do succeed in compromising systems. This is likely due to the higher levels of sophisticated methods and tools they leverage to bypass traditional security measures such as next generation firewall and antivirus solutions. IT and Cyber Security Professionals in turn must also implement more sophisticated methods and tools to protect their organization’s digital assets.

One tool which has grown prominence is the Security Incident and Event Management (SIEM) solution. At a high-level overview, a SIEM solution monitors an IT environment for anomalous behavior and send alerts when indications of compromise surface. How it works is what sets it apart from traditional security monitoring and threat prevention tools like Intrusion Detection and Prevention Systems (IDS/IPS).

At the heart of the SIEM tool is a Log Correlation Server. This server takes two categories of input: event data and contextual data. Event data can be logs from operating systems, applications, databases, and network devices like routers, switches, and firewalls. Other environments monitored may include cloud applications like office 365, as well as security tools like Cloud Access Security Brokers (CASB) and Privileged Account Management (PAM) solutions. Contextual data puts event data into context by correlating it to data such as user permission changes, known vulnerabilities, known global blacklists, and sensitive information within the environment. From these data sources, a SIEM solution enables the IT or cyber security professional to create logical rules, known as correlation rules, that dictate what to do in response to certain scenarios.

Correlation rules are applied to security scenarios to help an organization detect and respond to potential threats. For example, a correlation rule might state that if a domain administrator account experiences three failed logons and then has a successful logon on the fourth attempt, an alert be generated to mitigate the potential breach of an account with escalated privileges. Another example could be a configuration change within a firewall, VPN, access point, or other network device.

Another component to the SIEM solution is log retention. For compliance purposes, logs are stored in WORM format (write once, read many). This ensures that logs can’t be tampered. Compliance requirements from regulatory authorities have requirements for log retention from anywhere of 1 year to 7 years, depending on the industry and regulatory authority.

SIEM solutions can effectively help mitigate against the risk of a bad compromise, however, they are only as effective as the team deploying and maintaining it. Without a team of highly skilled and trained cyber security professionals, SIEM solutions are not effective in enhancing an organization’s security posture. Unfortunately, cyber security professionals are in high demand, and there is an ever-growing talent gap for organizations looking to employ them. According to Cyberseek.org, there were over 504,000 job openings for cybersecurity professionals in November of 2019. One solution to this problem is to outsource this function to a Managed Detection and Response (MDR) Provider, a trusted vendor partner who will implement the SIEM solution, manage it, and detect and respond to incoming threats to better protect the organization. This solution frees IT and Cyber Security staff to focus on strategic projects, while reducing efforts spent attracting and hiring cyber security talent to monitor and respond to threats. By deploying a Managed Detection and Response solution, an organization can reduce the risk of sophisticated cyber security breaches by detecting indications of compromise at early stages, and quickly applying measures to contain them.

 

Resources

April, 2019. “IC3 Annual Report Released”. Retrieved from: https://www.fbi.gov/news/stories/ic3-releases-2018-internet-crime-report-042219