
Elements of managed detection and response

Security Information and Event Management (SIEM) Services have matured hugely in the last ten years. Moving from a compliance driven requirement, to becoming security best practice, SIEM Services are now recognised by various Security Frameworks. As the marketplace has developed, so too have the Managed Service offerings that protect SIEM technologies. As a result, it is no longer enough to deploy a SIEM technology with reliance on only the most basic of filtering to detect a potential threat.

This blog post will look at the development of Security Information and Event Management Services and will consider what additional security measures are now needed.

What should a “good” Security Operations Centre (SOC) cover?

Offering a logging solution or deploying just one technology is unlikely to cover the whole attack lifecycle and could be highly ineffective. When looking for a good SOC provider, it is now important to look for someone who is also capturing and correlating logs, as this is now the standard for any competent SOC or MDR Managed Service and has been recognised as such by CREST.

Gartner recognises that an MDR service really relies on three services and has published its “visibility triad”. In this triad, we can see that SIEM remains an important feature, but we also need the Endpoint and Network Detection elements to plug the gaps that the SIEM cannot cover.

What does an attack look like?

If we take a look at the cyber kill-chain, we can see the attack lifecycle, and we can use it to map technology and process onto each stage, giving an MDR service the best chance of catching an attack in progress.

The stages of the cyber kill-chain map to the following detection sources:

  • External Reconnaissance – Firewall or IDS logs or Threat Intelligence
  • Intrusion – Firewall, IDS and OS logs
  • Local Exploitation – Network behaviour and Endpoint activity
  • Persistence – Network behaviour and Endpoint activity
  • Internal Reconnaissance – Network behaviour
  • Privilege Escalation – OS logs
  • Lateral Movement – Network behaviour
  • Actions on Objective – Endpoint activity

People, Process and Technology

Identifying technical solutions to cover all the elements of the kill chain is not particularly difficult. However, every vendor will tell you theirs is the best product, which can make the process a little confusing. The good news is that these products do not vary greatly and, in many circumstances, it probably won’t make a big difference whether you choose SIEM vendor A or SIEM vendor B. One of the most crucial elements of an MDR service is how the technology is used and the knowledge of the people behind the Managed Service.

Anybody with a good grasp of technology could deploy a SIEM tool and an EDR server and distribute the software agents, but what happens then? The “out of the box” vendor rules may not be applicable to the environment they are deployed in, and there may be huge gaps where applicable rules should exist. How, then, can the technology be a success as part of the service?

The answer lies in the people (the old mantra of People, Process and Technology is never truer than in an MDR service). The service must provide a depth of knowledge of cybersecurity as well as a depth of knowledge of the technology. This knowledge is transferred to the technology through successful baselining, which gives a customer value from the service, and through the additional correlation rules that can be applied to detect more sophisticated persistent attacks. Vendors are often reluctant to update their “out of the box” rules as they have to cover such a wide variety of environments. Rules which work well for one customer may cripple performance in another, so it is a fine line between value and scalability. The people behind an MDR service can use their knowledge to tailor the rules to each customer, ensuring suitability for each environment.
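To make the kill-chain mapping and the baselining/correlation point concrete, here is an added illustrative example (not code from the original post or any vendor): a toy correlation rule that tags events from firewall, IDS, OS, endpoint and network sources with the kill-chain stage listed above, and alerts on a host only when several distinct stages appear within one time window. The event type names, host names and sample events are constructed for this example, and the `baseline` parameter stands in for the per-customer tuning described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain stages in the order the post lists them.
KILL_CHAIN = ["External Reconnaissance", "Intrusion", "Local Exploitation",
              "Persistence", "Internal Reconnaissance", "Privilege Escalation",
              "Lateral Movement", "Actions on Objective"]

# (log source, event type) -> stage, following the post's source-to-stage mapping.
# The event type names are assumptions made for this example.
STAGE_OF = {
    ("firewall", "inbound_scan_block"): "External Reconnaissance",
    ("ids", "exploit_signature"):       "Intrusion",
    ("endpoint", "new_scheduled_task"): "Persistence",
    ("os", "admin_group_change"):       "Privilege Escalation",
    ("network", "smb_fanout"):          "Lateral Movement",
}

# Constructed sample events: (ISO timestamp, host, source, event type). Not real telemetry.
EVENTS = [
    ("2024-03-01T09:00:00", "ws-17", "firewall", "inbound_scan_block"),
    ("2024-03-01T09:04:00", "ws-17", "ids",      "exploit_signature"),
    ("2024-03-01T09:10:00", "ws-17", "os",       "admin_group_change"),
    ("2024-03-01T09:12:00", "ws-17", "endpoint", "new_scheduled_task"),
    ("2024-03-01T11:00:00", "ws-42", "firewall", "inbound_scan_block"),
    ("2024-03-02T08:00:00", "ws-42", "os",       "admin_group_change"),
]


def correlate(events, window=timedelta(hours=1), min_stages=3, baseline=frozenset()):
    """Return {host: [stages]} for every host showing at least `min_stages`
    distinct kill-chain stages inside one `window`, across all log sources.
    `baseline` holds (host, source, event type) tuples an analyst has tuned
    out as known-benign for this environment (the baselining step)."""
    by_host = defaultdict(list)
    for ts, host, source, etype in events:
        if (host, source, etype) in baseline:
            continue                      # suppressed by environment baseline
        stage = STAGE_OF.get((source, etype))
        if stage:                         # ignore events no rule maps to a stage
            by_host[host].append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # distinct stages seen from this event to the end of the window
            stages = {s for t, s in evs[i:] if t - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages, key=KILL_CHAIN.index)
                break                     # one alert per host is enough
    return alerts
```

Raising `min_stages` or shrinking `window` trades missed detections for fewer false positives, which is exactly the per-environment tuning the post argues only knowledgeable people can do well.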

Supplier choice

When choosing an MDR service, it is important that the supplier has well-rounded cybersecurity knowledge, as being purely a defensive team can be seen as a weakness. When making your decision, it is important to consider questions such as ‘How do analysts stop their cybersecurity knowledge becoming stale as new techniques are developed?’. A supplier with offensive capability can inform the defensive side about new TTPs (Tactics, Techniques and Procedures) that they have developed or are seeing, and exercises can be conducted with the defensive team (often called purple teaming, as it mixes the offensive (red) team with the defensive (blue) team); that transfer of knowledge keeps the defensive side current.

After detection – Incident Response

Should an attack be detected and the customer informed, what triage action should follow? Perhaps the customer is happy to remediate a simple alert themselves, but perhaps they are seeing something unusual, or there is a possibility that data is being stolen. This falls outside the Gartner triad and into Incident Response territory. It is important, not only during an attack but also beforehand, to set up an IR policy and to test it on a regular basis. While an attack is in progress, an IR team should be able to correlate events from all three corners of the triad to give the client the best visibility into the event(s); from that follow the best remediation and the quickest root cause analysis.

What should I take away?

We can see that both the technology and the Managed Service should be carefully considered to ensure that any solution matches the perceived risk, the scoped environment and in-house capability. IT teams running their own solution can relatively easily change their technology if it proves a bad fit; doing so with a Managed Service, however, is complex, time consuming and involves contract discussions. Overall, the reality is that running any type of MDR service well is incredibly difficult, but choosing a managed service is just as hard.

To help make the process of implementing a Managed Detection and Response Service a little easier, get in touch with our LRQA team. Whether you are running your own MDR, or are looking for a Managed Service provider, we’re here to offer our honest opinion and advice.