
MSP Blueprint for Efficient Detection and Response


The complex security solution landscape makes it difficult for organizations to design the right security stack and processes, and to select vendors that can help them become cyber resilient. These difficulties are compounded when trying to implement detection and response capabilities that are both effective and operationally and cost efficient.

As a result, the amount of manual work, staffing or security spending needed to achieve the same outcomes varies significantly from one organization to the next, with many businesses facing one or more of the following challenges: 

  • Over-reliance on detection, increasing data breach risks and manual work 
  • Security visibility gaps as solutions or technologies don’t work together 
  • Alert fatigue due to the profusion of alerts that need to be analyzed 
  • Ineffective or late detection and response 
  • Lack of security specialists to undertake investigations or ensure 24/7 response 
  • High costs associated with security tools or manual investigation 
  • Lack of MSP customization and automation 

Blueprint for MSPs on cyber resilience

This article provides a blueprint of technologies, best practices and criteria that Managed Service Providers (MSPs) should consider in order to build cyber resilience and integrate detection and response efficiently into their security stack:

1. Start from your MSP's focus and customer needs when adding new tools and services

There are a variety of ways to integrate tools and services such as Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Security Orchestration, Automation, and Response (SOAR), Security Information and Event Management (SIEM), or Managed Detection and Response (MDR). 

To achieve cost and operational efficiencies, it’s important to start with your organization’s strategy. If you aim to specialize and differentiate using security, you may want to invest and develop an in-house Security Operations Center (SOC). For most customers, detection and response has become essential, but it’s important to evaluate whether your customers are highly sensitive to data breaches – if so, threat hunting and more advanced security expertise will likely be required. 

If security is not strategic for you, MDR services are a rapid way to add advanced capabilities to your offering without investing in your own SOC and without losing focus. However, Managed Detection and Response services can also be used to complement your operations and achieve 24/7 monitoring and response, to extend your capabilities as you ramp up or when it is more profitable to use external services. 

While EDR typically focuses on detecting potential breaches on individual endpoints, XDR goes beyond this and correlates telemetry across multiple endpoints as well as network, cloud or email sensors. XDR emerged more recently and can be seen as the natural evolution of EDR, but capabilities still differ significantly between vendors. For increased efficiency, look for XDR tools that unify the information from all sensors into a single incident, rather than producing endpoint-only incidents that require manual queries to find related email, cloud or network activity and to assess impact.

Because XDR, SOAR and SIEM capabilities overlap in some areas, it's best to start with a blueprint of the security use cases you want to cover and what a streamlined workflow should look like, and only then select the tools.

2. Build detection on top of a strong defense-in-depth foundation and proven effectiveness

Insufficient or ineffective hardening and prevention layers lead to overreliance on detection. Without a strong defense-in-depth foundation, organizations implementing tools such as EDR may struggle to manually detect and respond to incidents that could have been stopped earlier in the attack chain. 

A defense-in-depth approach has become critical with the new work-from-anywhere paradigm. It starts by understanding the risks and properly mitigating application or configuration vulnerabilities and reducing the attack surface.  This can be done with technology layers such as patch management, full disk encryption, content and device control or firewall. By adding a comprehensive set of automated prevention and detection layers such as email and network protection, exploit defense, tunable machine learning or cloud sandboxing, your organization can gain the ability to stop even advanced attacks before the attackers gain access to the network. 

Beyond counting layers, consulting reputable independent testing benchmarks from organizations such as AV-Comparatives, and looking for consistent results over time rather than a single good score, are among the best ways to identify the solutions that are genuinely effective against sophisticated threats.

3. Maximize automation across layers and minimize need for additional consoles

Selecting security products that include most of the layers mentioned above and use a single agent, policy and dashboard minimizes the time needed to monitor and respond to incidents, and even to report on compliance. Wide coverage of operating systems and of physical, private cloud and public cloud infrastructure further reduces operational overhead.
Of course, no single product can do everything, so ease of integration, such as from an XDR tool to a SIEM, should also be considered.  Do not adopt inadequate solutions just because they come in one package. Beyond the operational time savings that come with consolidating information and incidents into one platform, there are also significant benefits from having technologies that natively communicate with each other.  This feature can prevent visibility gaps and reduce needless manual work.  

For example, a sophisticated threat using a zero-day exploit might pass the email filters and regular machine learning prevention, but it can be detected as suspicious by tunable machine learning algorithms. It is then automatically sent to a cloud sandbox where a ‘malicious’ verdict is reached, and the threat is automatically stopped and changes are reverted. A security analyst will see that the incident was stopped and there’s no need to investigate it but will also be able to analyze it in order to understand potential gaps and improve protection in the future. 
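Two behaviours described on this page, the cross-sensor correlation into a single incident (section 1) and the automatically stopped threat that an analyst can still review (the paragraph above), can be made concrete with a small correlation and triage routine. The following is an added example written for this article; it is not code from any vendor's XDR product. The event schema, the indicator keys (`sha256`, `dst_ip`, `host`) and the sample telemetry are all constructed for illustration, and the rule "an incident is contained when its last event was blocked" is a deliberate simplification of what a real product would do.

```python
"""Cross-sensor alert correlation and triage (illustrative, not vendor code).

Events from different sensors are linked into one incident whenever they
share an indicator (file hash, destination IP, hostname, ...). Incidents
whose chain ended in an automatic block are marked as contained so an
analyst can skip investigation but still review them for protection gaps.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    sensor: str                      # "email", "endpoint", "network", ...
    summary: str                     # human-readable description
    host: Optional[str] = None       # hostname, if the sensor knows it
    indicators: Dict[str, str] = field(default_factory=dict)
    blocked: bool = False            # True if the layer stopped/reverted it


@dataclass
class Incident:
    events: List[Event] = field(default_factory=list)   # in arrival order
    sensors: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    keys: Set[Tuple[str, str]] = field(default_factory=set)

    @property
    def contained(self) -> bool:
        # Simplification: the chain is contained if its last event was blocked.
        return bool(self.events) and self.events[-1].blocked


def _keys(e: Event) -> Set[Tuple[str, str]]:
    """Indicator (name, value) pairs that can link this event to others."""
    keys = set(e.indicators.items())
    if e.host:
        keys.add(("host", e.host))
    return keys


def correlate(events: List[Event]) -> List[Incident]:
    """Union-find over events: any shared indicator joins two events."""
    parent = list(range(len(events)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    def union(a: int, b: int) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[max(ra, rb)] = min(ra, rb)   # keep the earliest event as root

    first_seen: Dict[Tuple[str, str], int] = {}
    for i, e in enumerate(events):
        for k in _keys(e):
            if k in first_seen:
                union(i, first_seen[k])
            else:
                first_seen[k] = i

    groups: Dict[int, Incident] = {}
    for i, e in enumerate(events):
        inc = groups.setdefault(find(i), Incident())
        inc.events.append(e)
        inc.sensors.add(e.sensor)
        if e.host:
            inc.hosts.add(e.host)
        inc.keys |= _keys(e)
    return [groups[r] for r in sorted(groups)]   # ordered by first event


def triage(incidents: List[Incident]) -> List[Tuple[str, Incident]]:
    """Label each incident for the analyst queue."""
    return [("auto-contained" if inc.contained else "needs-analyst", inc)
            for inc in incidents]


# Constructed sample telemetry (hashes and IPs are placeholders, not real IOCs).
SAMPLE_EVENTS = [
    Event("email", "invoice.docm delivered to alice", indicators={"sha256": "aa11"}),
    Event("endpoint", "WINWORD.EXE spawned powershell.exe", host="WS-ALICE",
          indicators={"sha256": "aa11"}),
    Event("network", "outbound TLS to unknown host", host="WS-ALICE",
          indicators={"dst_ip": "203.0.113.7"}),
    Event("email", "quote.xlsm delivered to dave", indicators={"sha256": "bb22"}),
    Event("endpoint", "tunable ML flagged dropper; sandbox verdict malicious; "
          "changes reverted", host="WS-DAVE", indicators={"sha256": "bb22"},
          blocked=True),
    Event("endpoint", "LSASS memory read by unsigned binary", host="WS-BOB",
          indicators={"sha256": "cc33"}),
]

if __name__ == "__main__":
    for label, inc in triage(correlate(SAMPLE_EVENTS)):
        print(f"{label:15} sensors={sorted(inc.sensors)} hosts={sorted(inc.hosts)}")
        for e in inc.events:
            print(f"    [{e.sensor}] {e.summary}")
```

Run as-is, the six sample events collapse into three incidents: the Alice chain (email, endpoint and network telemetry joined through the shared hash and hostname) stays open for an analyst, the Dave chain is reported as contained because the endpoint layer blocked and reverted it, and the isolated credential-access event on WS-BOB becomes its own open incident. The same union-find step is what saves the manual "does this hash also appear in mail or network logs?" queries the article warns about.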

4. Compare detection and response effectiveness, automation and MSP customization

Security operations are only as robust as the technologies they depend on to identify suspicious behavior. Choosing EDR or XDR products that show a high detection rate, together with rich context around alerts, in independent tests such as the MITRE ATT&CK Evaluations can significantly reduce the impact and cost of remediating security incidents or data breaches, and will accelerate incident investigation.
Tools that enable automation or include effective ways to investigate and respond may also trim time and effort, while enabling even non-security specialists the ability to efficiently manage a security portfolio. 

Beyond generic security automation capabilities, integration with the MSP's remote monitoring and management (RMM) and ticketing systems is critical for time and cost efficiency. Some tools offer only superficial integrations and require further scripting or customization to automate deployment, ticketing or alerting, while others automate and integrate most functions within RMM dashboards. The ability to administer hardening, prevention, and detection and response for all customers and environments from one place, with flexible provisioning and automated monthly licensing, is common among detection and response vendors with a historic focus on MSP needs but less common among other vendors.

Detection and response tools can be compared based on feature sets and detection rates in independent tests but the differences in time savings from automation and usability can only be compared by trialing the tools and even deploying them to a limited number of customers or endpoints.

MSP best practices

With growing data security and privacy regulations to meet, organizations need more advanced protection capabilities. This is particularly true for small and mid-sized businesses, which often lack security skills and resources.

Managed Service Providers are ideally positioned to meet the need for managed detection and response capabilities but, in an increasingly competitive environment, time and cost efficiencies are critical. The criteria and best practices outlined above offer a blueprint of how efficient detection and response should look and detail the best steps to build a security architecture that minimizes security costs and time inefficiencies.  

Learn more about a unified, highly effective cloud cybersecurity solution for managed service providers (MSPs).
