The OFFSITE Blog

Protecting your Organization with MDR

Cyber liability insurance, also known as cyber insurance, is a type of insurance policy designed to protect businesses in the aftermath of a cyberattack, minimizing disruption and covering some costs of the incident. Many prominent cyber insurers have imposed minimum security control requirements to provide cyber insurance coverage terms. Any CIO or CISO that is involved with obtaining cyber insurance for their organization has discovered that the providers are now expecting companies to have a SIEM (Security Information & Event Management system) in place.  Without a SIEM, the premiums will be significantly higher, or insurers won’t write the policy at all.

Understanding the Cybersecurity Language

If your company is regulated or adheres to standards like ISO or NIST, you most likely have a SIEM or Syslog server collecting and preserving security data.  The market is full of confusing tech terminology and acronyms (Logs, SNMP, Syslog, SIEM, EDR, MDR, XDR). Here is a simplified infographic to help:

Log Files

All systems produce raw log files.  When you log into your notebook, a new row is appended to a log file on your hard drive.  Writing to a log file like this is referred to as a “security event,” and it can be found in the system’s event log.  In a corporate network, these logs from workstations and servers are typically written to a Syslog server via SNMP (Simple Network Management Protocol).  For smaller companies, retaining the data in a Syslog server may be sufficient.  The data will be there for forensic analysis if needed after a problem comes up.

Security Information and Event Management (SIEM)

For larger companies (or companies with higher risk profiles) a SIEM becomes an important tool.  A SIEM goes to that next step, layering correlation on top of the Syslog data.  The SIEM ingests all the important security events from workstations, servers, and network devices, where logs can be correlated to provide sophisticated real-time alerts, and offers a console where a security analyst can have an aggregated view into the network.
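To make the Syslog-versus-SIEM distinction concrete, here is an added example (not from the original post or any vendor product) of the kind of cross-host correlation a SIEM layers on top of stored log lines. The log lines, hostnames and IP addresses are constructed samples; the rule flags a source that fails logins against several different hosts and then succeeds, which a plain Syslog server would store but never connect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RFC 3164-style syslog lines from three hosts (not real data).
SAMPLE_LOGS = """\
Mar 10 09:01:02 ws-01 sshd[1201]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Mar 10 09:01:05 ws-02 sshd[880]: Failed password for bob from 203.0.113.7 port 51023 ssh2
Mar 10 09:01:09 srv-db sshd[4410]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 10 09:01:15 srv-db sshd[4412]: Accepted password for admin from 203.0.113.7 port 51030 ssh2
Mar 10 09:30:00 ws-03 sshd[2210]: Failed password for carol from 198.51.100.5 port 40000 ssh2
Mar 10 09:45:00 ws-03 sshd[2215]: Accepted password for carol from 198.51.100.5 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse(lines, year=2024):
    """Normalize raw syslog text into event dicts; this is all a Syslog server does."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated lines are retained on disk but not correlated
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def correlate(events, window=timedelta(minutes=5), threshold=3):
    """SIEM-style rule: one source fails on >= threshold distinct hosts inside
    the window and then gets an accepted login anywhere -> raise an alert."""
    alerts = []
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        for i, ev in enumerate(evs):
            if ev["result"] != "Accepted":
                continue
            failed_hosts = {e["host"] for e in evs[:i]
                            if e["result"] == "Failed" and ev["ts"] - e["ts"] <= window}
            if len(failed_hosts) >= threshold:
                alerts.append({"src": src, "user": ev["user"], "host": ev["host"],
                               "failed_hosts": sorted(failed_hosts), "ts": ev["ts"]})
    return alerts
```

Run `correlate(parse(SAMPLE_LOGS))` to see the single alert for 203.0.113.7; carol’s one failure on ws-03 stays below the threshold and is only retained, not alerted.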

Incident Detection and Response (IDR) & Managed Detection and Response (MDR)

Incident Detection & Response (IDR) and Managed Detection & Response (MDR) are essentially the same, except that MDR is managed by a third party, whereas IDR is managed in-house.  With an MDR service, a third-party vendor will configure the SIEM to collect logs from devices and servers throughout the corporate enterprise (including public cloud instances at Azure, AWS, or Google).  The vendor should have analysts watching system consoles for alerts and be ready to respond to anomalies flagged for manual review.

The next level, and an evolving technology, would be MDR systems that go further by offering autonomous responses using artificial intelligence (AI).  These systems are the best protection against Zero Day threats.  This is because they are not dependent on external threat feeds. The downside to this approach can be false positives that shut down benign processes.  If you value security over convenience, then look at AI-driven MDR systems, like Darktrace.  Please don’t think that you can cut costs with these systems.  An analyst is still necessary to fix false positives.  The human element is still needed to handle exceptions.

Why use a Third Party to Manage your Cybersecurity?

Depending on the size and internal resources, a company may have an MDR program that is “co-managed.”  Many will use their own internal resources for setup and management of the SIEM but escalate to the third party for reacting to anomalies.  Another popular model is utilizing internal resources for standard business hours, then using a third party for management of off-hours and holidays.

When it comes to system log files, there is an important benefit to having a vendor take full responsibility.  As a “disinterested third party” the vendor can provide attestations and evidence supporting chain-of-custody.  This is a crucial point in the event of a data breach, where attorneys and law enforcement need to get involved.  Just as in the physical brick & mortar world, employees are the number one source of losses.  In the world of valuable data, the same employee that can steal data might have permission to alter log records.

Lastly, do not shortcut the qualitative part of this entire process, even if a third party is handling it.  Before rolling out any of these systems, it is essential to have white-board sessions with your CIO, COO, CCO, CFO, attorneys, & insurance specialists.  They must be involved in defining what pools of data are critical to revenue streams and which data presents a great risk if stolen. Organizations that carry out Risk Assessments have templates and workflows to guide you through the process.  Without a formal Risk Assessment to identify assets (data and systems), your cybersecurity specialist will be flying blind, stuck in a never-ending reactive mode.

Contact OFFSITE today

OFFSITE has a team of engineers working around the clock to provide support to our clients. If you’d like guidance from OFFSITE’s Security Operations Center, email info@off-site.com or call (262) 564-6500.