The proliferation of cybersecurity attacks and greater adoption of cloud applications and services is proving that traditional, prevention-only approaches are ineffective. Instead, organizations are focusing more on a detection and response strategy to manage their cybersecurity risk. However, staying up to date with the latest cybersecurity risks, managing multiple point security products, and finding skilled security resources is proving too challenging for many organizations that are instead looking to invest in Managed Detection and Response (MDR) services from their service providers, including MSPs and MSSPs.
For service providers, the MDR trend creates an opportunity to stay competitive and add value that helps clients defend and respond to cyber threats. Here are 10 opportunities to embrace and deliver competitive MDR services:
1. Provide 24-hour monitoring: Most organizations today are online and continuously connected, but many do not have the resources to monitor their IT security across all hours of every day. Offering round-the-clock monitoring takes the burden off resource constrained organizations, and helps reduce their cybersecurity risk both during and outside of regular business hours.
2. Monitor cloud environments and applications: Many organizations are considering, or have already begun, the drive towards deploying infrastructure in the cloud or even using cloud applications for workloads like e-mail, collaboration, CRM, payroll, identity, and more. However, traditional security tools and existing expertise lack the capability and know-how of monitoring these environments, creating an increasing opportunity for service providers to help organizations on their respective journeys to the cloud.
3. Identify the attack surface with asset discovery: The assets deployed across an organization’s environment represents the surface against which a malicious entity will conduct one or more attacks. That in mind, a common challenge for IT and security teams—both in terms of managing cost and cybersecurity risk—is keeping track of what assets are deployed and where. Particularly with the ease and speed in which new virtual machines can be created on virtualized and cloud environments, keeping track of any changes is critical. Service providers can solve this problem for clients by including asset discovery in their MDR services, providing awareness and visibility into all assets on-premises and in the cloud.
4. Perform vulnerability scanning: Finding and addressing vulnerabilities is critical because they are often exploited to deliver zero-day threats and ransomware, and it’s no surprise to see regular vulnerability scanning a requirement for compliance with many regulations. Once you know where all assets are in the environment, the next logical step is to assess them for vulnerabilities which, given that an average of 14 vulnerabilities are discovered each month, needs to be performed regularly. While some customers may wish to patch systems on their own, service providers can also offer vulnerability remediation, namely the application of available patches, as an additional service.
5. Provide log management: Identifying risks and attacks requires analyzing events and logs, and being able to determine the root cause of an attack typically requires piecing together events from across multiple systems. The manual approach of collecting logs from individual systems is resource intensive, and that’s assuming the device still has the logs for the desired timeframe. Service providers can offer a better way with log management, automating the collection of events and logs into a central location, normalizing the log data for easier analysis and investigation, and storage of the data for at least one year to help customers satisfy any regulatory or standards-based log retention requirements (e.g. for PCI DSS), and for security best practice.
6. Offer advanced intrusion detection and security analysis: These will facilitate the rapid detection of threats across customers’ on-premises and cloud environments and applications. Host IDS and file integrity monitoring (FIM), network IDS, and cloud IDS can all offer quick warning of attacks and unauthorized activities. Additionally, advanced correlation—including the use of machine learning and behavioral monitoring—can accurately identify threats that may not be clearly apparent to traditional defenses
7. Provide threat intelligence and context: To get the latest cyber threat indicators and context, some organizations opt to do their own research and analyze threat intelligence on their own, and some choose to acquire threat intelligence from a 3rd party. Both of these approaches often prove too expensive for many organizations, both in up-front cost and time, and especially considering that some have to procure multiple commercial threat intelligence feeds to meet their needs. Service providers who offer threat intelligence as part of their portfolio will have a distinct advantage, being able to be proactive against new threats, and have the right context on threats so that they can deliver optimal protection, response, and quickly show their customers that they are knowledgeable of the who, what, why and when questions that surround cyber threats.
8. Deliver incident validation and response: Once an incident has been detected, the first step is to validate whether it is an actual threat or just noise, which often requires advanced knowledge and experience. The next step is delivering relevant information about each threat—what it is, its strategy and method, its origin and target, the threat actor, and the recommended response. While some organizations may wish to respond on their own, there is an accelerating trend for service providers to contain and/or fully remediate incidents, as well as perform post-incident forensics to identify the root cause.
9. Deliver backup and recovery capabilities: The simplest form of business continuity, but one that is often poorly implemented across many organizations, is backup and recovery. This provides opportunity for service providers to deliver verified backup, along with the option to fully or partially recover systems and data, in the event of an outage or loss such as from a ransomware attack. Service providers can choose to offer additional business continuity services, such as the provision of warm and hot sites, as additional differentiators.
10. Provide security consultation: Organizations often invest in disparate protection tools that don’t always work together, that require expertise they lack, or that may not be adequate for the environments they are trying to protect. This is exacerbated by the lack of skilled talent on the market, and new challenges such as protecting cloud and mobile assets. Service providers can address this space by offering consulting services to guide customers on understanding their environment, identify where there are risks, and helping develop and implement a cybersecurity management plan. In addition, service providers can offer training services, such as how customers can recognize phishing attacks, and how to respond if they discover them.