Proactive cyber threat management – enhancing rapid response

Proactive cyber threat management

As cyber attacks grow in frequency and complexity, it is urgent to shift from prevention alone to detection and response. Many businesses still rely on outdated, reactive approaches, even though Managed Detection and Response (MDR) is not a new concept. Without proactive cyber threat management, these reactive methods leave organisations vulnerable to sophisticated attacks.

The reality of modern cyber threats

High-profile attacks worldwide demonstrate that cyber criminals often bypass organisations’ perimeter defences. Breaches are now practically inevitable in today’s environment.

Companies often describe themselves as victims of “sophisticated” attacks in their public relations statements. However, 95% of these attacks are not as advanced as claimed. Instead, attackers usually remain undetected long enough to cause significant damage.

Businesses tend to focus heavily on defending against complex threats. However, early detection is the key to staying ahead of attackers.

By centralising telemetry and monitoring anomalies across environments, threats can be identified early. Organisations must act quickly because attack dwell times have decreased significantly. In 2021, the average dwell time was around 150 days, but it is now less than ten days.

Understanding true MDR

Cyber resilience depends on true MDR, which detects attacks and mitigates their impact rapidly. Gartner defined MDR in 2016, distinguishing it from services like Security Information and Event Management (SIEM) and Security Operations Centres (SOCs).

The definition included:

24/7 threat monitoring, detection, and lightweight response services using host and network technologies, advanced analytics, and human expertise.

Despite its benefits, many vendors claiming to provide MDR fall short of true MDR capabilities. Instead, businesses often purchase managed Endpoint Detection and Response (EDR) or extended detection and response (XDR) services mislabeled as MDR.

The managed component of MDR is straightforward, but detection requires more sophistication. Many vendors rely on external technologies, like firewalls or antivirus tools, for detection. True MDR involves analysing all telemetry and logs from every source in the environment. Response is equally critical and requires the service provider to investigate incidents, identify root causes, and assist with remediation.

Comprehensive monitoring and analysis

Alerts are investigated using telemetry from over 120 technologies, providing contextual insights into attacks.

Monitoring spans networking, authentication, cloud infrastructure, and security tools. Unlike stereotypical vendors that rely on antivirus logs alone, we employ additional tools and monitor Windows utilities and Active Directory. Multiple log sources provide a more comprehensive view of incidents. Advanced tools, like the AI bot JARVIS, support rapid investigations.

True MDR should include both proactive and retroactive threat hunting to uncover incidents beyond traditional alerts. Real-time access to in-house and external threat intelligence is essential for effective threat detection.

In conclusion

As cyber threats evolve and grow more sophisticated, organisations must adapt their security strategies. True MDR provides a comprehensive approach, combining advanced technology with human expertise for robust protection.

South African organisations can benefit from locally developed MDR solutions which are tailored to local needs and shielded from currency fluctuations. Proactive cyber threat management makes advanced cybersecurity accessible without straining budgets.


Stephen Osler | Co-Founder | Director | Business Development | Nclose
