
Decoding the Differences: MDR, XDR, and MEDR

As technology continues to advance and the threat landscape continues to evolve, many organizations are looking for a cybersecurity partner to help them stay protected. However, with so many different solutions on the market, it is crucial for organizations to stay informed and understand the different options available.

MDR, XDR, and MEDR are three commonly used acronyms in the cybersecurity industry – yet each describes a different approach to detecting and responding to cyberthreats. Despite the similar-sounding acronyms, there are important differences between these solutions. Before you select which is right for you, it is essential to understand what each one offers, so you can make an informed decision about which approach is best for your organization.

What is Managed Detection and Response?

Managed Detection and Response (MDR) is a service that provides an outcome rather than a tool. This comprehensive security solution uses a combination of vendor tools integrated with the customer's own security tools, monitored by the provider's Security Operations Center (SOC) security analysts and security engineers. MDR service providers give organizations real-time visibility and control over their security posture, allowing them to quickly detect, respond to, and prevent cyber-attacks.

Benefits of MDR include:

  • Advanced threat detection: MDR leverages cutting-edge technologies such as artificial intelligence, machine learning, and behavioral analytics to identify potential security threats in real-time.
  • Rapid incident response: In the event of a security incident, MDR provides organizations with a dedicated team of security experts who can quickly assess the situation, contain the threat, and minimize the damage.
  • Managed security services: MDR services are delivered and managed by security experts, taking the burden of security management off the organization and freeing up valuable resources.
  • Real-time visibility and control: MDR provides organizations with real-time visibility into their security posture, enabling them to quickly identify and address potential threats.
  • Customized security solutions: MDR services can be tailored to meet the specific security needs of an organization, ensuring that their security posture is aligned with their overall business goals.

MDR is ideal for organizations of all sizes and industries and can be used to address a variety of security needs, including meeting compliance requirements, reducing the risk of a data breach, improving their overall security posture, and streamlining security management to free up valuable internal resources.

What is Extended Detection and Response?

Extended Detection and Response (XDR) is a security tool or platform that collects logs and security events from multiple sources to provide a comprehensive view of an organization’s security posture. Paired with a set of basic use cases for threat detection, it can perform automated or centralized manual response actions through integration with endpoint protection/detection platforms, perimeter firewalls, or other security controls.

An XDR platform is often considered a “SIEM (Security Information and Event Management) lite” with response automation capabilities. Often it is focused on a single vendor's set of security tools for log collection, threat discovery, and automation of response actions. If the platform supports a broad number of vendors, it is often referred to as an Open XDR. MDR providers can leverage most major XDR tools. XDR capabilities have more recently been incorporated into SOAR (Security Orchestration and Automated Response) platforms.

Benefits of XDR include:

  • Rapid detection of threats: XDR enables organizations to detect and respond to security incidents in real-time.
  • Better visibility: By integrating data from multiple sources, XDR provides a more complete picture of an organization’s security posture.
  • Advanced capabilities: XDR also provides advanced analytics and threat intelligence, allowing organizations to quickly identify and respond to emerging threats.
  • Cost effectiveness: XDR tools may provide a more cost-effective solution for organizations, as they integrate multiple security solutions into one platform.

However, it’s important to note that XDR solutions can be complex and require a significant investment in time and resources to implement and manage. Organizations must also have a strong security posture and in-house expertise to effectively use XDR to detect and respond to security incidents. That said, by integrating data from multiple sources and providing real-time detection and response capabilities, XDR can give organizations a comprehensive view of their security posture and enable them to respond to security incidents more effectively.

What is Managed Endpoint Detection and Response?

Managed Endpoint Detection and Response (MEDR) is an endpoint protection platform that can respond to compromises by performing actions such as isolating an endpoint from the network, blocking a process, or removing artifacts from a central EDR console. This solution is designed to monitor and detect threats on endpoint devices in real-time. There is also MEDR as a Service, which is often provided by an MDR provider that manages the EDR platform rules, monitors and investigates advanced threats, and performs response actions to contain and remediate threats or compromises.

Benefits of MEDR include:

  • Real-time threat detection: MEDR monitors endpoint devices in real-time and can quickly detect and respond to threats before they become a problem.
  • Automated response: MEDR solutions can be programmed to automatically respond to security incidents, reducing the need for manual intervention and speeding up the response time.
  • Centralized management: MEDR solutions provide centralized management, making it easier to track and manage security incidents across multiple devices.
  • Cost savings: MEDR solutions can reduce costs by automating many manual processes and reducing the need for a large security team.

With the high number of endpoints in most organizations, having an Endpoint Detection and Response (EDR) platform in place is critical to defend against a wide range of cyber threats, such as malware, ransomware, and advanced persistent threats (APTs). MEDR is particularly useful for large enterprises that have a large number of endpoint devices and require a centralized solution to manage security incidents. Having an MEDR solution, or MEDR as a Service, allows large organizations to better protect themselves with automated remediation of high-fidelity threats.

What’s the Difference?

In conclusion, MDR, XDR, and MEDR are all valuable security solutions that can help organizations detect and respond to security threats. The best solution will depend on the specific security needs of an organization. It’s important to understand the pros and cons of each and choose the one that best meets the organization’s specific security needs.

As cyber threats continue to evolve, it’s increasingly important for organizations to understand the various security solutions that are available to help protect against these threats. MDR, XDR, and MEDR are all valuable solutions that can help organizations detect and respond to security incidents, but they each have different strengths and weaknesses. By understanding these solutions and choosing the best one for their specific needs, organizations can reduce the risk of data breaches and other security incidents.

Proficio offers a wide range of cybersecurity services to help your organization stay better protected. To learn how Proficio can help you, contact us.

Cyber Insurance in 2024: What Every Organization Should Know

In the last few years, cybercrime has increased considerably, often leading to significant costs, reputational damage, and operational disruptions for the companies affected. And while there is no foolproof way to avoid an attack, many organizations are taking steps to further reduce their risks. On top of this, these organizations often take additional steps to reduce the high costs of dealing with a security breach if one were to occur.

Enter cyber insurance—also known as cybersecurity insurance or cyber liability insurance.

Having cyber insurance coverage has become imperative for many organizations due to the rise of cyber incidents and the growing sophistication of these attacks, paired with the potential financial impacts of a successful breach.

In fact, the global cyber insurance market is projected to grow from $12.83 billion in 2022 to $63.62 billion by 2029. This growth is largely driven by the continued rise in the number of data breaches, as well as a greater awareness of cyber risks.

While there is no question that having cyber insurance is smart, organizations are often challenged when sorting through the options. Not only do organizations need to understand exactly what each policy covers, but they also must determine which digital assets they need to protect to satisfy the basic insurance requirements, and they have to worry about getting approved (or, if currently covered, how to avoid a steep increase in premiums). Let’s take a deeper look:

What Do Cyber Insurance Policies Cover?

While cyber insurance can’t prevent a breach or a security incident from happening, this type of policy helps organizations more successfully weather the storm when a data breach or network security failure takes place. Typically, cyber insurance policies cover the following:

  • Breach costs: Costs associated with responding to a breach, including identifying the breach, alerting affected individuals, credit protection services, and crisis management/public relations costs.
  • Cyber extortion: Response costs and financial payments associated with network-based ransom demands.
  • Cybercrime: Financial losses associated with social engineering and funds transfer fraud.
  • Business Interruption: Lost business income that takes place when a company’s network-dependent revenue is interrupted.
  • Data recovery: Costs required to replace, restore, or repair damaged or destroyed data and software.
  • Privacy protection: Costs to resolve claims with regard to the handling of personally identifiable or confidential corporate information.
  • Digital media: Costs to resolve claims related to online content, such as copyright or trademark infringement, invasion of privacy, and defamation.

While cyber insurance provides fairly comprehensive coverage, it is very important to note that not every cost or claim is covered. The following is typically not covered by most cyber insurance policies:

  • Criminal proceedings: Claims brought in the form of a criminal proceeding, such as a criminal investigation, grand jury proceeding, or criminal action.
  • Funds transfer: Other than transfers that fall under the cybercrime coverage, loss, theft, or transfer of funds, monies, or securities is generally not covered.
  • Infrastructure interruption: Claims stemming from failure or interruption of water, gas, or electric utility providers.
  • Intentional acts: Fraud, dishonesty, criminal conduct, or knowingly wrongful act of the business or its employees.
  • Property damage: Property damage stemming from a data breach or cyberattack, such as hardware that was destroyed during the cyber incident.
  • Intellectual property: Intellectual property losses and the lost income associated with attacks on it are commonly excluded from coverage.
  • Costs for proactive preventive measures: Measures to avoid a future attack, such as training employees or developing an incident response plan.

Common Insurance Requirements

Most insurance companies require organizations to have certain safety protocols in place before being accepted for coverage. While these requirements tend to vary by insurance company and by the size of the company being insured, today’s insurance companies all require organizations to have some basic security controls in place.

The reason for this is quite simple: insurance companies need to know organizations are addressing the most likely attacks, which in turn reduces the insurance company’s risk. And while most insurance companies currently allow organizations to self-verify these requirements, the industry is moving in the direction of requiring a professional IT service company to confirm that these standards are in place and up to date.

These requirements typically include the following:

  • Centralized security device log collection and threat detection analytics platform (Security Information and Event Management (SIEM) monitoring)
  • Active 24×7 security event monitoring, investigation, and alerting (Security Operations Center or SOC)
  • Active incident response and threat remediation
  • Regular software patching and automatic updates
  • Strong endpoint security, oftentimes an Endpoint Detection & Response (EDR) solution
  • Access control methods to protect critical systems, apps, and data. These include multi-factor authentication, least-privilege access policies, securing system administrator access to key data, and securing third party access to all systems.
  • Use of strong password management policies
  • Backup and disaster recovery methods that employ cloud or off-premises offline storage
  • Financial controls to verify fund transfers and access change control requests
  • Data protection methods for personal or other private information, including encryption and network segmentation
  • Use of network security methods, such as network segmentation and firewalls
  • Adhering to common email security recommendations
  • Employee management policies to control account access
  • A specific security risk manager employed by the organization
  • Employee security training
  • Formal incident response plans
  • Written privacy and data security policies

Selecting a Policy – and Getting Approved

When selecting a cyber insurer, organizations should consider several factors, including the financial stability of the insurer, the type of coverage provided, and the cost. It is also important to keep in mind that some insurance companies provide supplementary services to help protect against and respond to breaches, while others have strong partnerships with cybersecurity vendors to help mitigate a breach.

If you are trying to get approved for cyber insurance, and want to get lower rates, it’s critical you not only have the bare minimum requirements in place, but also take extra precautions to ensure you’re a desirable candidate for cyber insurance. Many organizations are looking for outside security vendors that will not only help them be more secure, but also will ensure they check off the requirements for cyber insurance approval.

Logging and Monitoring of Event Logs

One of the top requirements from cyber insurance providers is log monitoring. Proficio’s Managed Detection and Response (MDR) solution provides you with all the benefits of having a SIEM, without the complexity of owning and managing it, through our shared SIEM service. For those with a current SIEM, Proficio can help you manage the platform and provide content from our large library of threat detection use cases. Proficio also provides 24×7 Security Operations Center monitoring, alerting, and response solutions, either with our SIEM and SOAR (Security Orchestration and Automated Response) platform or utilizing your own security tools and platforms.

Patch Management/Vulnerability Management

Knowing what systems are most vulnerable enables your team to quickly patch the biggest risks first. With Proficio’s Risk-Based Vulnerability Management (RBVM), you can prioritize patching based on the risk of a vulnerability being exploited and the relative importance of each system. In addition, Proficio offers security device management to help you ensure your security devices are being maintained to vendor-recommended best practices.

Endpoint Detection and Response

Many of today’s biggest data breaches were the result of a cybercriminal gaining access to one endpoint and then moving laterally through the network. Proficio’s Managed Endpoint Detection and Response (EDR) helps you secure your critical devices through device monitoring and management, helping to detect risks in real time.

When it comes to cyber insurance requirements, Proficio can also help with scenarios such as:

  • You have a new requirement for a security log collection, active threat monitoring, and threat response solution
  • You have an MSSP but want a new provider with better threat detection and response capabilities
  • You had a breach and need a provider (new or replacement)
  • You have an internal SOC but are having trouble keeping staff and getting desired outcomes

As we enter a new year and cybercrime hits record highs, it seems inevitable that every business will be affected in some way. As a result, preparation is key. There is no question that cyber insurance is a great way to mitigate risk, but remember – having insurance does not reduce your risk. Rather, cyber insurance is a valuable layer of protection to add to your complete security stack.

To learn more about how Proficio can help you choose the right cyber insurance for your organization, click here.

Three Cybersecurity Strategies for Healthcare Leaders in a Digital-First World

This post was originally published on elastic.co. Blog by Suranjeeta Choudhury, Elastic, and Carl Adasa, Proficio.

From on-demand healthcare services like telehealth to wearable technologies, predictive healthcare to blockchain technologies for electronic health records, 5G for healthcare services to AI and augmented reality for state-of-the-art medical treatments, the healthcare industry is at an inflection point. These digital transformations also bring elevated cybersecurity risks. Earlier this year, in a comprehensive cybersecurity benchmarking study conducted by ThoughtLab, the healthcare industry was found to be lacking in maturity from a cybersecurity implementation standpoint, placed only slightly ahead of the media and entertainment industry and industrial manufacturing.

[Download the report: Cybersecurity solutions for a riskier world]

Healthcare companies can take advantage of some proven cybersecurity strategies, accelerating their readiness to operate in a highly digital world.

Continuous monitoring of critical assets

On average, organizations take 128 days to detect a breach – a timeline that could completely cripple mission-critical applications and services in healthcare. To detect a threat in real-time, healthcare companies need the ability to continuously monitor their critical assets, analyze user behavior in their networks, track smart devices, and look for anomalies in events and end-user activity. Choosing the right SIEM solution can be the very first step in addressing vulnerabilities across people, processes, and technologies. In fact, the COO of a German healthcare provider believes that his organization’s investment in the right SIEM was the most effective cybersecurity investment towards detecting and identifying threats at scale and even recommending the right remediation plan.

[Check out the SIEM buyer’s guide to help you pick the right SIEM for your business.]

Outsourcing security operations for enhanced security with optimal spend

Approximately 30% of the world’s data volume is generated by healthcare. In a post-pandemic world, this trend will only see an uptick with massive data collection efforts to thwart the risks of another pandemic. Compound that with the unprecedented shortage of skilled cybersecurity workers, and we can see why many healthcare firms prefer to outsource security operations to managed security service providers (MSSPs) and managed detection and response (MDR) firms. MSSPs and MDRs can help healthcare organizations with their cybersecurity needs by bringing in industry best practices, monitoring and responding to cyber threats to healthcare services and assets 24/7, and relieving internal resources for better patient care and healthcare services, while ensuring organizations remain fully compliant with mandates like the Health Insurance Portability and Accountability Act (HIPAA).

[Find out how Proficio helps healthcare organizations meet stringent cybersecurity needs.]

[Learn more about Elastic Security and Compliance.]

Protecting applications and workloads in the cloud

While compliance, operational agility, and better patient care have driven cloud adoption in the healthcare industry, cloud security continues to be a major challenge. Legacy security solutions are not designed to cope with the complexity and ephemeral nature of cloud-based applications.

Cloud adoption is also a journey, and as multi-cloud and hybrid cloud architectures evolve, healthcare organizations will need security solutions that can protect their workloads irrespective of where the information resides and how it flows through the data architecture. Having access to security experts and their research can be of significant advantage to internal IT and security teams in reducing the mean time to identify, detect, and respond to threats in the network. Healthcare companies can also seek support from MSSPs and MDRs to configure their systems correctly, avoiding security loopholes, and, as needed, consult experts on their overall security strategy along their cloud transformation journey.

[Learn more about Elastic Security Labs.]

Towards a better patient experience

In today’s digital-first world, cybersecurity is an imperative, especially when it comes to a mission-critical service such as healthcare. The healthcare industry needs trusted partners in security to continue delivering the best patient care while keeping patient data secure. It also needs the right tools, processes, and people to minimize the impact in case of an unfortunate security breach. Find out how Elastic Security and Proficio can bring the best of security solutions and managed security services.

Feature Highlight: Log Search and Visualization

In security, it’s often the little details that matter. Whether it’s considering the business context of your alerts, tracking locations of attempted logins that don’t add up, or finding the needle in the haystack, knowing the details around an event is important to understanding the cause – and preventing it from happening again.

At Proficio, we pride ourselves in being an extension of our clients’ teams. Working in cybersecurity, you know the value of real-time intelligence and alert enrichment, and we want to empower our clients to have this knowledge at their fingertips. Proficio gives our clients direct access to search their logs and events through our Threat Investigator portal as a standard part of our MDR offering.

With direct access to their logs, clients can easily search through their own data to perform internal investigations. They can also use this data for reporting and statistical analysis. This depth of access is critical to many internal IT and security teams, so it has always been a core part of our offering. This is a unique benefit we provide for our clients in order to make their cybersecurity journey as successful as possible.

Today, we’re excited to share we’ve expanded this capability to allow clients to visualize that data directly in our Threat Investigator portal. With our expanded visualization capabilities, a search query can be visualized in a variety of formats with the click of a button.

Figure 1: Multiple types of visualizations are available on demand

Figure 2: An example of a bar chart in creation, highlighting suggestions, axis customization, and breakdown capabilities

Figure 3: A truncated list of potential available fields and the data preview accompanying each field

Proficio is dedicated to enabling our clients to be as successful as possible. Giving clients the power to access, search, and visualize their own logs and data is a fundamental service in that mission. If you’re interested in getting a demo, or learning more about our MDR services, contact us.

If you’re a current Proficio client and want to learn more about your visualization capabilities, please reach out to your Client Success Manager.

Protecting Your Identity – A CEO's Perspective

Rarely a day goes by without cybersecurity in the news. Whether it’s another ransomware attack, data breach, or leaked information on the dark web, the cyberthreat landscape is ever-changing – and it’s an ongoing battle to stay ahead. As a global Managed Detection and Response (MDR) provider, we see trillions of security events come through every day. While many of these incidents have little risk, throughout the years, we have seen several notable security attacks.

One of the biggest surprises we have observed this year is a 275% increase in identity attacks. We have also seen a nearly 50% increase in hands-on intrusion activity following unauthorized authenticated access. In years past, attackers focused primarily on big organizations or specific industries, but today they target a broader range of companies, including different verticals, small and mid-size organizations, local governments, and education providers. Gartner has highlighted the threat to identity systems (calling identity “the new perimeter”) and, in its “Top Trends in Cybersecurity” report, lists Identity Threat Detection and Response as a top priority objective for companies to focus on.

So, what can you do?

We have all heard about the need for long and complex passwords to reduce risk; however, experience shows that oftentimes these are so difficult to remember that users reuse the same password across multiple applications, both corporate and personal. It is commonplace for people to use their company email address as a username for social media sites or common commercial applications, like a golf scheduling website, while reusing the same password they use for company applications. The risk becomes apparent when one of these commercial sites gets hacked (and we know how frequently they do): now their user data – and access to your networks – is compromised too. As a CEO, this risk is often on my mind, and no amount of cybersecurity training (which is a critical requirement in any organization) will alleviate it. At Proficio, we continuously monitor the dark web and too often discover our corporate clients' compromised email passwords for sale there. This is a helpful step toward protecting user identities, but it is no longer enough.

When it was first launched, Multi-Factor Authentication (MFA) was going to be the answer to identity compromise. However, as great a solution as it is, it still seems a lot of organizations aren’t taking advantage of it. Of all the enterprises we speak to, we see that many are not using MFA, or at least not using it for all access. And we’ve all seen the recent high-profile compromises of MFA systems. Attackers will always find a way to compromise new security controls given enough time, resources, and focus.

Having strong protections in place is a great start, but it’s time for organizations to add another layer of protection. Threat detection and response for identity attacks has proven to be exponentially more critical to protecting enterprises and preventing business disruption. More importantly, quick action needs to be taken. But many companies struggle to respond to compromises fast enough if they have to create tickets and wait for multiple teams to suspend accounts or isolate endpoints, leaving time for attackers to propagate laterally, steal data, or disrupt business. Response automation and orchestration is essential to protecting organizations in a cybersecurity environment where speed wins the battle between attacker and defender.

That’s why we introduced our Identity Threat Detection and Response (ITDR) solution, a first in the MDR industry. Proficio’s solution aims to solve this problem. Our ITDR service detects attacks on, or compromises of, identities for any application managed by your Identity and Access Management (IAM) platform and enables automatic or orchestrated response actions, such as suspending the compromised user account. We continuously add new identity threat detection use case rules and machine learning models, detecting attacks on O365/M365, VPN, Domain Controllers, SaaS, IAM, and more. Our Active Defense service can also orchestrate your Endpoint Detection and Response (EDR) platform to isolate an endpoint or communicate with your firewall to block an IP address.

To learn more about how Proficio can help your organization stay better protected, contact us.

Proficio Announces First Half Growth and Top 25 Placement in MSSP Alert’s Top 250 MSSPs

CARLSBAD, September 21, 2022 – Proficio, a leading Managed Detection and Response (MDR) service provider, today announced their significant growth in the first half of 2022, as well as a top 25 placement in MSSP Alert’s recent MSSP 250.

Proficio has continued to see steady growth since its founding in 2010. For the first half of their fiscal year, they had 60% growth in their Managed Detection and Response (MDR) service business. Additionally, Proficio is excited to once again hold a top placement on MSSP Alert’s Top 250 MSSP list for 2022. This list annually identifies and honors the top MSSPs, MDR, and Security Operations Center as a Service (SOCaaS) providers worldwide. Proficio has moved up four spots this year, from number 27 in 2021.

In addition, Proficio has announced several key new hires and strategic promotions to grow their expanding business.

  • Nathaniel O’Brien joins Proficio from Tanium, where he served as Director of Product Management. He brings a wealth of industry experience with a passion for gaining outcomes from technology to help lead the strategic direction of Proficio.
  • Tim DeMarco joins Proficio from PagerDuty, as their Senior Director of Partnerships and Alliances. He has extensive industry experience on the sales and partnership side and will be leading the charge to build up their alliance partnerships and drive continued growth in the channel partner space.
  • Jessica Doyle has been promoted to Head of Global SOC Operations and will now lead Proficio’s three global SOCs, focusing on analysis and investigations, incident response, threat intelligence, and operational excellence.
  • Bryan Borra has been promoted to Proficio’s Head of Global Threat Detection, where he will help their teams better leverage advanced capabilities, including big data, SOAR, and machine learning, to continually enhance threat detection and response for their global clients.
  • James Crabb has been promoted to Vice President, Global Engineering and Managed Services, where he will continue to spearhead their growth of managed security services and managed endpoint detection and response.

“We are excited about the continued growth and industry recognition for Proficio in the MDR and Managed Security Services sector,” says Brad Taylor, CEO. “It’s an honor to once again be recognized as a top managed security service provider by MSSP Alert and continues to demonstrate the dedication of our team and our focus on bringing our clients unparalleled value. With our new leadership team, alongside the significant investments made in advanced managed detection and response technologies, we will continue to see improvements that help our clients stay better protected.”

Proficio delivers an array of security services, including 24/7 security monitoring, incident alerting, and response capabilities from a global network of Security Operations Centers (SOCs). To further help their customers to reduce risk and meet their security and compliance goals, they have a comprehensive security offering, including Risk-Based Vulnerability Management (RBVM), Identity Threat Detection and Response (ITDR), and Managed Infrastructure Services.

About Proficio

Founded in 2010, Proficio is an award-winning managed detection and response (MDR) service provider. We help prevent cybersecurity breaches by performing and enabling responses to attacks, compromises, and policy violations. We have been recognized in Gartner’s Market Guide for MDR services annually since 2017. Our team of experts provides 24/7 security monitoring and alerting from global security operations centers (SOCs) in San Diego, Barcelona, and Singapore. www.proficio.com

Contacts:
Kim Maibaum
kmaibaum@proficio.com

Five Tips for Selecting a Managed Detection and Response Service Provider

Relentless threat actors and complex technology stacks make it challenging for IT teams to keep up with the volume of cybersecurity threats – and even more difficult to respond to them rapidly. Compounding matters is the tight cybersecurity labor market characterized by too many job openings and a growing talent shortage. In this environment, security leaders are increasingly partnering with Managed Detection and Response (MDR) service providers for cost-effective 24/7 security monitoring and breach prevention. 

The growth in demand for MDR services is attracting new entrants such as commodity resellers looking to pivot to a services business model. When evaluating providers from the pool of new and established players, vendor selection can be difficult as many claim similar capabilities. While reputable analysts, like Gartner, have helped narrow the field by recognizing some of the top organizations offering MDR capabilities, here are our five key requirements to look for when selecting a Managed Detection and Response service provider:  

Rapid Response Capabilities 

Organizations must be able to effectively detect and respond to threats around-the-clock regardless of whether it is an evening, weekend or holiday. One of the main motivations behind partnering with an MDR service provider is to improve your company’s security posture with a team that can quickly respond to and contain security threats.  

While most organizations can only investigate and respond during business hours, the ability to quickly contain threats on a 24/7 basis is crucial to any organization. Automated response capabilities provide incident responders time to further investigate and remediate before there is a serious breach. While many MDR service providers claim they offer response services, not all capabilities are equal. Some providers only focus on accelerating response times for your security team through actionable guidance and recommendations, relying on a manual action to contain a threat.  

True MDRs have developed automated and/or semi-automated containment capabilities, such as isolating infected host systems or blocking IP addresses. An effective service provider will correlate high-fidelity events to detect indicators of attack as well as help you determine what actions best align with your business requirements and the type of automated remediation that will be most effective. Secondary validation plays an important role to reduce the risk of responding to false positives, especially where business critical users or operations could be affected.  

Given that identity-based attacks and credential abuse are growing rapidly, and are frequently at the core of ransomware and supply chain breaches, advanced response offerings should also protect users’ identities. Identity Threat Detection and Response solutions can suspend a user account when an identity-based threat is detected.

When selecting a Managed Detection and Response service provider, make sure you know what level of response capabilities you want in a provider and find one whose capabilities extend beyond mitigation guidance into response actions. Industry leading MDR providers combine Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) to maximize protection from targeted attacks. 

Support for Cloud Environments 

Motivated by cost savings, greater flexibility, and more efficient collaboration, businesses continue to adopt and expand their cloud infrastructure. In fact, a majority of businesses planned to host or move more than 50% of their workloads in the cloud over the next 12-18 months. However, while there are many benefits of moving to the cloud, the complications of setup can be overlooked. Issues such as misconfigurations, API vulnerabilities, account compromise, and malicious insiders all pose threats to the security of your environment and your sensitive assets hosted in the cloud. 

Given that cloud infrastructure can pose a risk to organizations, how can you work with your MDR provider to secure these assets? When sourcing a suitable provider, it’s best to look at the amount of cloud support that a provider offers. One that has limited monitoring capabilities for cloud environments may leave a significant part of your IT infrastructure unprotected, unmonitored, and exposed to threats that you won’t have visibility into. In addition, some MDR service providers may be able to help guide you in best practices for proper setup and maintenance, ensuring your cloud environments aren’t being left open to cybercriminals. 

At a minimum, select a Managed Detection and Response service provider that supports the three main public cloud vendors—AWS, Azure, and Google Cloud Platform. They should not only be able to monitor these critical log sources but also have experts on their team who can provide guidance. If your organization is using virtual servers and firewalls, find a provider who can manage these and help you implement best practices, so you can ensure your cloud hosting platform of choice is set up to vendor recommended standards.  

If you host your own SIEM, using a vendor such as Splunk Cloud, seek out an MDR provider that has the capability to work with that type of system as well. They should have a team of certified experts on the platform, dedicated to helping maximize the value of your investment.  

Detection in Depth 

While tools such as Intrusion Prevention Systems (IPS), anti-virus solutions, and firewalls strengthen your perimeter, they may not be enough to keep your networks secure from advanced cyberattacks. Many of today’s cyber threats, like ransomware, are complex, multi-phased attacks that often evade perimeter controls and can lurk undetected for a long period of time. That is why it’s essential to use a combination of narrow-band and broad-band approaches to best detect adversarial actions. This additional visibility allows providers to better detect and discover threat activity, such as ransomware precursor activities.

A detection in depth approach makes use of log or telemetry data from these tools to detect indicators of suspicious activity and threats that might have bypassed your systems. As a natural expansion of defense in depth, detection in depth evolved to emphasize multiple layers of visibility into network activity. This layered approach reduces the risks associated with dependency on a specific solution or vendor and better enables you to catch one of the many early warning signs of an attack.

For example, today’s ransomware attacks are often complex, multi-stage attacks that attempt to compromise one or more endpoint devices and install malicious software that blocks access to those devices. With multiple security monitoring tools at both the endpoint and network levels, it is easier to detect and discover the early stages of ransomware related activities, allowing you to stop cybercriminals before they get into your networks.

When selecting a Managed Detection and Response service provider, look for one whose detection capabilities provide benefits beyond the level of preventative controls. Using machine learning models and advanced correlation analysis can power detection in depth through identifying signals of suspicious behavior, making your MDR service provider better able to spot potential threats and act quickly.  

There are various frameworks and models an MDR service provider can use to break down the typical cyber-attack into a series of several tactics, objectives, or stages. The MITRE ATT&CK matrix, for example, has 14 distinct objectives while the cyber kill chain traces out 7 attack stages. Whatever model you or the MDR service provider follows, it’s prudent to seek out a partner that goes deep with their detection capabilities across all phases of cyberattacks rather than being limited to the surface level controls.  

Investment in Threat Hunting  

Your MDR service provider should have a threat hunting team that takes a proactive approach to search through your network, data, and systems to unearth hidden threats and adversaries lurking in your environment. These threats may have gone undetected by existing tools or use cases, but with the help of a dedicated threat hunting team, the risk of a data breach can be minimized. 

Global MDR service providers can add more value from threat hunting by applying their findings from one client’s network to improve threat hunting efforts for other clients. Machine learning models that identify anomalies and score them based on how unusual they are in the context of baseline behavior should be part of your MDR provider’s threat hunting tool chain. Many MDRs have some senior advisors that can play an important role by digging through client logs, dashboards, and visualizations to hunt for threats.

Clear Communication and Visibility 

When evaluating an MDR service provider, it’s critical that you set expectations for how you would like to be able to communicate with your partner. Some MDR service providers might have limitations on communication hours or specific mediums that might not work well for your business. Given that an attack can happen at any time, you should look for a team of SOC analysts who not only monitor your environment around-the-clock but also one you can access when you need additional help. It is also beneficial to have multiple communication options, such as phone, web portal and email.  

Select a Managed Detection and Response service provider that goes the extra mile by displaying real-time data, dashboards, and other valuable security information. Some MDR providers can improve your security posture by identifying gaps in controls that can be exploited by attackers. Executives can use this data to demonstrate team improvement over time or justify spending for additional headcount or tools.  

Proficio’s MDR services provide your business with around-the-clock security monitoring, advanced threat detection, investigations, and automated response capabilities. You can learn more about our Managed Detection and Response or find out what Gartner recommends you ask MDR providers and Proficio’s answers. 

PROFICIO NAMED GLOBAL SECURITY OPERATIONS CENTER (SOC) TEAM OF THE YEAR

Carlsbad, Calif. – February 3, 2022 (updated February 11, 2022) – Proficio, a managed security services provider (MSSP) delivering managed detection and response (MDR) services, today announced they received three 2022 Cybersecurity Excellence Gold awards for SOC Team of the Year, Managed Detection and Response (MDR) Provider of the Year, and AWS Cloud Security Provider of the Year. The Cybersecurity Excellence Awards honor companies that demonstrate excellence and innovation and receive acclaim from the broader cybersecurity community.

“We are honored to be named Global SOC Team of the Year,” said Carl Adasa, VP of Global SOC Operations, Proficio. “This award reflects the hard work and commitment of our security experts who provide our clients 24/7 protection from our global network of SOCs.”

Proficio’s global team of security analysts and engineers monitor security events, investigate suspicious behavior, and hunt for targeted attacks. We use an extensive library of threat discovery use cases, the MITRE ATT&CK® framework, machine learning-based threat hunting models, and our advanced threat intelligence platform to provide superior threat detection for our clients. Proficio also offers automated response and containment services, as well as Risk-Based Vulnerability Management (RBVM) services to prioritize vulnerabilities based on the likelihood of exploitation and the criticality of the assets at risk.

ABOUT PROFICIO

Founded in 2010, Proficio is an award-winning managed detection and response (MDR) service provider. We help prevent cybersecurity breaches by performing and enabling responses to attacks, compromises, and policy violations. We have been recognized in Gartner’s Market Guide for MDR services annually since 2017. Our team of experts provides 24/7 security monitoring and alerting from global security operations centers (SOCs) in San Diego, Barcelona, and Singapore. Proficio’s cloud-native Threat Management Platform uses a combination of industry leading commercial software and proprietary technology to provide clients with advanced analytics, threat intelligence, Security Orchestration, Automation, and Response (SOAR), patented risk scoring, AI-based threat hunting, Open XDR, and Risk-Based Vulnerability Management. www.proficio.com.

Contacts:
Brock Watson
bwatson@proficio.com

The Cybersecurity Acronym Overload

What is the difference between an MSSP and an MDR service provider (and everything in between)?

As any industry evolves, it is common for new categories of products and services to proliferate. In the case of cybersecurity services, many of the new services have been introduced to respond to the evolving threat landscape or to support new technologies – but in some respects, it’s also become a way for vendors to differentiate themselves.

So, it is not surprising that questions like, “what is the difference between an MSSP and an MDR service provider,” and “what is a SOC-as-a-Service provider” are some of the top managed security services Google searches.

As a co-founder of Proficio I have a unique perspective on how this proliferation of labels came about and what the future holds.

People, Process and Technology

These three pillars are the building blocks of security operations. People, process, and technology are the threads that run through MSSP, MSS, SOC-as-a-Service (SOCaaS), MDR, and XDR services. However, many organizations are constrained by a limited budget in achieving desirable cybersecurity outcomes, which is why the managed security services industry exists.

Let’s quickly put some context around each:

People:

The difficulty of hiring and retaining cybersecurity experts is one of the primary motivations behind outsourcing security operations to service providers. People challenges are due in part to the cyber skills gap and in part a function of scale. Large organizations are better able to staff a 24/7 SOC (which requires a minimum team of 10 to 12 people) and train their teams on technologies like AI, next-generation endpoint software, and cloud infrastructures. Medium-sized organizations (and smaller) are often not big enough to dedicate headcount to specialist roles like SIEM Administrator, Content Developer, Incident Responder, or Data Scientist.

Process:

Process is the glue that ensures consistent and effective action. Process encompasses the definition of roles and responsibilities, workflow, policies and procedures, and more. The time and effort needed to harden and document processes is frequently underestimated. Look back in time at some of the largest security breaches and you will find process issues in many cases. The 2013 data breach of the retail giant Target is a prime example. While multiple issues contributed to this breach, the fact that Target’s SOC did not respond to FireEye alerts resulted in the breach going undetected. How an indicator of compromise is investigated and remediated is fundamentally a process issue.

Technology:

Technology is the third building block supporting security operations. Building and managing a technology stack for cybersecurity is challenging and doubly difficult for organizations with limited resources. The complexity of Security Information and Event Management (SIEM) software is often sufficient reason for businesses to turn to managed service providers. SIEM systems collect event logs from an organization’s network, endpoints, cloud infrastructure and security tools. Log data is analyzed and alerts are generated for further investigation and remediation. However, the quality of security alerts is only as good as the data ingested by the system, alongside the rules and use cases used to filter and prioritize the alerts. While there are tips for maximizing the value of your SIEM, time erodes the efficacy of a SIEM: products and log formats change, new threats make old rules irrelevant, and the experts that originally set up the SIEM often move on to greener pastures.

What is a Managed Security Services Provider (MSSP)?

The role of an MSSP starts with log management, as collecting and retaining logs is a requirement for compliance mandates like PCI and HIPAA. But before centralized log management, the event data collected from each security device was siloed. As a result, if a firewall engineer saw an alert for a port scan and a Windows administrator saw failed login attempts followed by a successful login, they may not realize that the same host is involved in both events. Minimally, an MSSP is responsible for alerting their clients to threats and suspicious events with the goal of reducing the risk of a security breach. MSSPs offer a wide range of capabilities including vulnerability management, incident response, and pen testing.
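The siloed-events scenario above, as an added example that is not Proficio's code: a small correlator over constructed firewall and Windows logon lines (the line formats are simplified assumptions, not any vendor's real output) that flags a source host seen both in a port-scan alert and in a run of failed logons followed by a success.

```python
"""Added example: correlating siloed firewall and Windows logon events by source host.

The log lines and their formats below are constructed for illustration and do not
represent any particular product's output. Each source is assumed to be in time order.
"""
from collections import defaultdict
import re

# Constructed firewall alert lines: <time> FW src=<ip> msg="<text>"
FIREWALL_LOG = """\
09:01:10 FW src=10.0.0.55 msg="port scan detected against 10.0.0.20"
09:02:00 FW src=10.0.0.91 msg="allowed https to 203.0.113.7"
"""

# Constructed Windows logon lines: <time> WIN EventID=<4624|4625> src=<ip> user=<name>
# (4625 = failed logon, 4624 = successful logon)
WINDOWS_LOG = """\
09:03:05 WIN EventID=4625 src=10.0.0.55 user=admin
09:03:07 WIN EventID=4625 src=10.0.0.55 user=admin
09:03:09 WIN EventID=4625 src=10.0.0.55 user=admin
09:03:12 WIN EventID=4624 src=10.0.0.55 user=admin
09:04:00 WIN EventID=4625 src=10.0.0.91 user=jdoe
09:05:00 WIN EventID=4624 src=10.0.0.77 user=svc_backup
"""

FW_RE = re.compile(r'^(\S+) FW src=(\S+) msg="([^"]*)"$')
WIN_RE = re.compile(r'^(\S+) WIN EventID=(\d+) src=(\S+) user=(\S+)$')


def parse_firewall(text):
    """Return {src_ip: [(time, msg), ...]} for the firewall lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            t, src, msg = m.groups()
            events[src].append((t, msg))
    return events


def parse_windows(text):
    """Return {src_ip: [(time, event_id, user), ...]} for the Windows lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = WIN_RE.match(line)
        if m:
            t, eid, src, user = m.groups()
            events[src].append((t, int(eid), user))
    return events


def brute_force_then_success(logons, min_failures=3):
    """True if at least min_failures 4625 events for a user precede a 4624 for that user."""
    failures = defaultdict(int)
    for _t, eid, user in logons:  # assumed to already be in time order
        if eid == 4625:
            failures[user] += 1
        elif eid == 4624 and failures[user] >= min_failures:
            return True
    return False


def correlate(firewall_text, windows_text, min_failures=3):
    """Return the sorted source IPs that appear in a port-scan alert AND a
    brute-force-then-success logon sequence; neither signal alone is enough."""
    fw = parse_firewall(firewall_text)
    win = parse_windows(windows_text)
    findings = []
    for src, alerts in fw.items():
        scanned = any("port scan" in msg for _t, msg in alerts)
        if scanned and brute_force_then_success(win.get(src, []), min_failures):
            findings.append(src)
    return sorted(findings)


if __name__ == "__main__":
    for host in correlate(FIREWALL_LOG, WINDOWS_LOG):
        print(f"correlated: {host} scanned the network, then brute-forced a logon")
```

Only 10.0.0.55 is flagged: 10.0.0.91 triggered no scan alert and only one failed logon, so neither silo would have raised it on its own either.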

According to Wikipedia, “the roots of MSSPs are in the Internet Service Providers (ISPs) in the mid to late 1990s. Initially, ISP(s) would sell customers a firewall appliance, as customer premises equipment (CPE), and for an additional fee would manage the customer-owned firewall.” Today, MSSPs continue to manage security products such as firewalls, IDS/IPS, and WAFs on behalf of their clients. The management of security devices typically includes making configuration changes, patching, tuning, and health and performance monitoring. Managed Security Services (MSS) has been used to connote both device management and the security monitoring functions offered by MSSPs.

The terms fully managed and co-managed describe the service models used by MSSPs. Fully managed applies where security technologies, like SIEM software, are owned and operated by the MSSP and used for the benefit of their clients who are users of security information. A co-managed approach provides the client more control, for example a SIEM owned by the client where the MSSP and the client share administrative responsibilities.

What is SOC-as-a-Service?

The term SOC-as-a-Service was created “to describe how clients benefit from 24/7 monitoring and the same advanced threat detection technology that is used in sophisticated SOCs serving large enterprises and governments.” In 2010, Software-as-a-Service (SaaS) was already a significant industry with adoption being driven by the advantages of an on-demand, subscription model with no dependency on the existing IT infrastructure.

SOC-as-a-Service or SOCaaS is a logical extension of SaaS where SIEM software is delivered as a service, and instead of staffing up an in-house SOC, multiple clients share the capabilities of a 24/7 SOC responsible for threat detection, alerting, and response.

The goal for many SOC-as-a-Service providers, like Proficio, is to provide businesses the same quality of service that a large enterprise receives in-house, at an affordable price. This requires a true partnership with clients and the flexibility to act as an extension of their IT security team.

So how does SOC-as-a-Service differ from the offerings of an MSSP and what sort of business should use it? SOC-as-a-Service focuses on fully managed cloud-based services which are ideal for small to medium-sized organizations. Vendors providing SOC-as-a-Service are less likely to work with client-owned SIEMs and manage security devices, but this is not an absolute rule.

While SOCaaS providers offer many of the same capabilities as MSSPs, they are less likely to manage security devices and may not support as broad a set of log sources.

What is the difference between an MSSP and an MDR service provider?

MDR service providers offer more advanced threat detection and response capabilities than MSSPs. Key capabilities to expect from MDRs include:

When Gartner issued their first Market Guide for Managed Detection and Response Services, they categorized MSSPs as being more focused on monitoring perimeter security and lacking threat detection capabilities for the cloud and endpoints. Gartner also posited that MSSPs are more focused on meeting compliance requirements than MDRs. Fewer MDRs manage security devices – a service offered by many MSSPs.

MDRs must continue to adapt to new challenges to meet the demands of a Next-Generation MDR Service Provider.

What is an XDR Service

XDR is a new evolution of MDR that includes threat detection and response capabilities. The X stands for eXtended capabilities that go beyond EDR. XDR integrates multiple security control points (endpoint, network, cloud, email, authentication) to automate threat detection and response. The concept of XDR has been promoted by leading industry analysts (notably Gartner) and is starting to be adopted, and perhaps hyped, by vendors.

You might ask, how is XDR different from SOAR? Both approaches apply use cases to log data to trigger automation and orchestrations. However, XDR will have broader integration among security controls using native APIs. For example, where an event might result in SOAR triggering containment of an endpoint and even orchestrating a remediation workflow, XDR could also automate responses from other layers of security such as blacklisting the source of malware at the perimeter.

One challenge for prospective users of XDR is they risk being locked into a single vendor solution. Most enterprises have multiple existing security vendors and unless they are already budgeted for a broad refresh, adopting this approach may be a protracted and expensive process.

Proficio and others are addressing the shortfall of XDR with Open XDR. Like XDR, Open XDR integrates multiple layers of security while also supporting more than one vendor for each control point to provide customers with more flexibility and security.

What Does it All Mean?

When you think to yourself, “what is the difference between an MSSP and an MDR service provider?”, it’s obvious there is no clear-cut answer. There continues to be some fluidity around the labels used to describe the providers of managed security services or security tools. Buyers of these services need to assess if the core capabilities of a prospective partner complement their existing capabilities and align with their goals.


Here are 5 areas to explore:

  1. Compliance

If your organization must adhere to one or more compliance mandates, validate the service achieves that goal. Can your MSSP or MDR retain logs for the required period? Does your MSSP or MDR support industry specific requirements such as file integrity monitoring in the case of PCI? These are important criteria to discuss before selecting a partner.

  2. Threat Discovery

Effective threat detection is a precondition to protecting your organization from damaging cyberattacks. Understand how the provider uses threat intelligence, security analytics, and automation for cost effective threat discovery and what expert human resources are applied to event investigations and threat hunting. Determine what is important for you and realistic within your budget.

  3. Response Automation

The ability to rapidly contain a threat is a good reason to select a specific MDR service provider. Some MDR providers support third party SOAR products and others offer automated response using native capabilities in their threat management platform. But don’t assume anything – you should always validate that the MDR provider supports your preferred endpoint and firewall vendors. Before implementing, it is also important to check that you have organizational buy in to automating changes to endpoints or network configurations.

  4. Technology Stack

Whichever label your vendor uses to describe their services, they will come to you with a predefined technology stack. This will affect how well your existing and planned technologies integrate with your provider. For example, your provider may support one or several SIEM vendors, or they may have developed their own threat management platform. Ask if your vendor requires you to install a hardware sensor or add endpoint agents; these requirements can create network clutter and negatively impact performance and connectivity. Not all vendors are able to parse data from critical points of telemetry in your environment or support automation and orchestration for your existing security products.

  5. Control

Ask yourself how much control you need over the infrastructure and data involved in security operations. Do you want to use your own SIEM or do you prefer a platform hosted by your managed security service provider? Will this change in the future? Do you need to own the log data that has been collected? How important is it to have the ability to do granular searching and run reports with the provider’s system? Conventional wisdom is that organizations are willing to devolve control to reduce cost and complexity, but this should be a conscious decision.

Final Thoughts

Choosing a cybersecurity partner is a major decision. Proficio has been acting as an extension of our clients’ teams to help them achieve their cybersecurity goals for over 10 years. If you’re currently using, or considering using, an MDR Service Provider, download our MDR Checklist to ensure you’re getting an effective service. Tune into our video podcast series called Cyber Chats to hear industry experts discuss cybersecurity issues and best practices. If there’s anything more we can do to help, please let us know.


IDC Technology Spotlight | Next-Gen MDR