Tag Archive for: tips

Five Tips for Selecting a Managed Detection and Response Service Provider

Relentless threat actors and complex technology stacks make it challenging for IT teams to keep up with the volume of cybersecurity threats – and even more difficult to respond to them rapidly. Compounding matters is the tight cybersecurity labor market characterized by too many job openings and a growing talent shortage. In this environment, security leaders are increasingly partnering with Managed Detection and Response (MDR) service providers for cost-effective 24/7 security monitoring and breach prevention. 

The growth in demand for MDR services is attracting new entrants such as commodity resellers looking to pivot to a services business model. When evaluating providers from the pool of new and established players, vendor selection can be difficult as many claim similar capabilities. While reputable analysts, like Gartner, have helped narrow the field by recognizing some of the top organizations offering MDR capabilities, here are our five key requirements to look for when selecting a Managed Detection and Response service provider:  

Rapid Response Capabilities 

Organizations must be able to detect and respond to threats around the clock, regardless of whether it is an evening, weekend or holiday. One of the main motivations for partnering with an MDR service provider is to improve your company's security posture with a team that can quickly respond to and contain threats at any hour.

Most in-house teams can only investigate and respond during business hours, so the ability to contain a threat quickly on a 24/7 basis is crucial. Automated containment buys incident responders time to investigate and remediate before an intrusion becomes a serious breach. Many MDR service providers claim to offer response services, but the capabilities are not equal: some only accelerate your own team's response through actionable guidance and recommendations, and still rely on a manual action to contain the threat.

True MDR providers have developed automated or semi-automated containment capabilities, such as isolating an infected host or blocking an IP address. An effective provider correlates high-fidelity events to detect indicators of attack, and helps you determine which actions align with your business requirements and which automated remediations will be most effective. Secondary validation (confirming a detection against a second source or reviewer before acting on it) is important for reducing the risk of responding to a false positive, especially where business-critical users or operations could be affected.

Identity-based attacks and credential abuse are growing rapidly and are frequently at the core of ransomware and supply chain breaches, so advanced response offerings should also protect user identities. Identity Threat Detection and Response (ITDR) solutions can, for example, suspend a user account when an identity-based threat is detected.

When selecting a Managed Detection and Response service provider, decide what level of response capability you want and find a provider whose capabilities extend beyond mitigation guidance into response actions. Industry-leading MDR providers combine Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) to maximize protection from targeted attacks.

Support for Cloud Environments 

Motivated by cost savings, greater flexibility, and more efficient collaboration, businesses continue to adopt and expand their cloud infrastructure. In fact, a majority of businesses planned to host or move more than 50% of their workloads in the cloud over the next 12-18 months. While there are many benefits to moving to the cloud, the complexity of setting it up securely is easy to overlook. Misconfigurations, API vulnerabilities, account compromise, and malicious insiders all threaten the security of your environment and the sensitive assets you host in the cloud.

Given that cloud infrastructure can pose a risk to organizations, how can you work with your MDR provider to secure these assets? When sourcing a suitable provider, it’s best to look at the amount of cloud support that a provider offers. One that has limited monitoring capabilities for cloud environments may leave a significant part of your IT infrastructure unprotected, unmonitored, and exposed to threats that you won’t have visibility into. In addition, some MDR service providers may be able to help guide you in best practices for proper setup and maintenance, ensuring your cloud environments aren’t being left open to cybercriminals. 

At a minimum, select a Managed Detection and Response service provider that supports the three main public cloud vendors—AWS, Azure, and Google Cloud Platform. They should not only be able to monitor these critical log sources but also have experts on their team who can provide guidance. If your organization is using virtual servers and firewalls, find a provider who can manage these and help you implement best practices, so you can ensure your cloud hosting platform of choice is set up to vendor recommended standards.  

If you run your own SIEM, whether on premises or on a hosted platform such as Splunk Cloud, seek out an MDR provider that can work with that system as well. They should have a team of experts certified on the platform, dedicated to helping you maximize the value of your investment.

Detection in Depth 

Tools such as Intrusion Prevention Systems (IPS), anti-virus solutions, and firewalls strengthen your perimeter, but they may not be enough to keep your networks secure from advanced attacks. Many of today's threats, ransomware in particular, are complex, multi-phase attacks that routinely evade perimeter controls and can lurk undetected for a long period of time. That is why it is essential to combine narrowly targeted detections with broad, behavior-based ones. This additional visibility lets a provider detect threat activity earlier, such as ransomware precursor activity.

A detection in depth approach makes use of the log and telemetry data from these tools to find indicators of suspicious activity and threats that have bypassed individual controls. As a natural extension of defense in depth, detection in depth emphasizes multiple layers of visibility into network and endpoint activity. This layering reduces the risk of depending on a single solution or vendor and makes it more likely that you catch one of the many early warning signs of an attack.

For example, today's ransomware attacks are complex, multi-stage attacks that attempt to compromise one or more endpoint devices and install malicious software that encrypts data and blocks access to those devices. With security monitoring at both the endpoint and network levels, it is easier to detect the early stages of ransomware-related activity, such as lateral movement or the deletion of backups and shadow copies, and stop the attacker before encryption begins.

When selecting a Managed Detection and Response service provider, look for one whose detection capabilities go beyond what your preventative controls already block. Machine learning models and advanced correlation analysis can power detection in depth by identifying signals of suspicious behavior, making your MDR service provider better able to spot potential threats and act quickly.

There are various frameworks and models an MDR service provider can use to break a typical cyberattack into a series of tactics, objectives, or stages. The MITRE ATT&CK Enterprise matrix, for example, defines 14 tactics (adversary objectives), while the Cyber Kill Chain traces out 7 attack stages. Whichever model you or the MDR service provider follows, seek out a partner whose detection capabilities go deep across all phases of an attack rather than being limited to surface-level controls.
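As an added example of the layering this section describes (this is not code from the original page or from any MDR provider), the Python below correlates constructed endpoint and network telemetry for one ransomware precursor pattern: encoded PowerShell and shadow copy deletion seen by an endpoint agent, followed by SMB connections fanning out from the same machine as seen by a network sensor. The host names, IP addresses, the IP-to-host inventory, the thresholds and the time windows are assumptions made for the example; the ATT&CK technique references are MITRE's.

```python
"""Detection-in-depth correlation over constructed endpoint and network events.

Added example, not code from the original page or from any MDR provider.
All log lines, hosts, addresses and thresholds below are constructed/assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry from two visibility layers: an endpoint agent
# (process executions) and a network sensor (connection records).
ENDPOINT_EVENTS = [
    '2024-03-01T09:14:02Z host=WS-117 user=jdoe proc=powershell.exe cmd="powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    '2024-03-01T09:15:40Z host=WS-117 user=jdoe proc=vssadmin.exe cmd="vssadmin delete shadows /all /quiet"',
    '2024-03-01T10:02:11Z host=WS-204 user=asmith proc=outlook.exe cmd="outlook.exe"',
]
NETWORK_EVENTS = [
    "2024-03-01T09:16:05Z src=10.0.5.117 dst=10.0.5.20 dport=445 proto=tcp bytes=48213",
    "2024-03-01T09:16:07Z src=10.0.5.117 dst=10.0.5.21 dport=445 proto=tcp bytes=47990",
    "2024-03-01T09:16:09Z src=10.0.5.117 dst=10.0.5.22 dport=445 proto=tcp bytes=48102",
    "2024-03-01T10:05:00Z src=10.0.5.204 dst=10.0.5.20 dport=445 proto=tcp bytes=1200",
]
# Assumed asset inventory mapping sensor-observed IPs to endpoint host names.
IP_TO_HOST = {"10.0.5.117": "WS-117", "10.0.5.204": "WS-204"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Parse 'timestamp key=value ...' (quoted values allowed) into a dict."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def endpoint_signals(lines):
    """Narrow, host-level detections: (host, time, layer, description)."""
    out = []
    for e in map(parse, lines):
        cmd = e.get("cmd", "").lower()
        if e.get("proc") == "powershell.exe" and re.search(r"\s-e(nc|ncodedcommand)?\s", cmd):
            out.append((e["host"], e["ts"], "endpoint", "encoded PowerShell (T1059.001)"))
        if e.get("proc") == "vssadmin.exe" and "delete shadows" in cmd:
            out.append((e["host"], e["ts"], "endpoint", "shadow copy deletion (T1490)"))
    return out


def network_signals(lines, threshold=3, window=timedelta(minutes=5)):
    """Broad, behavioral detection: one source reaching >= threshold distinct
    SMB (445) destinations inside the window, i.e. lateral-movement fan-out."""
    by_src = defaultdict(list)
    for e in map(parse, lines):
        if e.get("dport") == "445":
            by_src[e["src"]].append((e["ts"], e["dst"]))
    out = []
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            dsts = {d for t, d in conns[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                out.append((IP_TO_HOST.get(src, src), t0, "network",
                            f"SMB fan-out to {len(dsts)} hosts (T1021.002)"))
                break
    return out


def correlate(signals, window=timedelta(minutes=30)):
    """Group signals per host; escalate only when more than one visibility
    layer fires inside the window (the second layer is the validation)."""
    by_host = defaultdict(list)
    for s in signals:
        by_host[s[0]].append(s)
    findings = {}
    for host, sigs in by_host.items():
        sigs.sort(key=lambda s: s[1])
        first = sigs[0][1]
        in_window = [s for s in sigs if s[1] - first <= window]
        layers = {s[2] for s in in_window}
        findings[host] = {
            "layers": sorted(layers),
            "signals": [s[3] for s in in_window],
            "verdict": "escalate" if len(layers) > 1 else "review",
        }
    return findings


def run():
    return correlate(endpoint_signals(ENDPOINT_EVENTS) + network_signals(NETWORK_EVENTS))


if __name__ == "__main__":
    for host, f in run().items():
        print(host, f["verdict"], f["layers"], f["signals"])
```

A host that trips only one layer gets a "review" verdict for an analyst; a host where both the endpoint and the network layer fire inside the window is escalated. That second, independent data source is the secondary validation described in the Rapid Response section: it is what should gate an automated action such as isolating the host.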

Investment in Threat Hunting  

Your MDR service provider should have a threat hunting team that takes a proactive approach to search through your network, data, and systems to unearth hidden threats and adversaries lurking in your environment. These threats may have gone undetected by existing tools or use cases, but with the help of a dedicated threat hunting team, the risk of a data breach can be minimized. 

Global MDR service providers add more value from threat hunting by applying findings from one client's network to improve hunting for other clients. Machine learning models that identify anomalies and score them by how unusual they are relative to baseline behavior should be part of your MDR provider's threat hunting toolchain. Many MDR providers also have senior advisors who play an important role by digging through client logs, dashboards, and visualizations to hunt for threats.

Clear Communication and Visibility 

When evaluating an MDR service provider, set expectations for how you want to communicate with your partner. Some MDR service providers limit communication hours or offer only specific channels that might not work well for your business. Since an attack can happen at any time, look for a team of SOC analysts who not only monitor your environment around the clock but can also be reached when you need additional help. It is also beneficial to have multiple communication options, such as phone, web portal and email.

Select a Managed Detection and Response service provider that goes the extra mile by displaying real-time data, dashboards, and other valuable security information. Some MDR providers can improve your security posture by identifying gaps in controls that can be exploited by attackers. Executives can use this data to demonstrate team improvement over time or justify spending for additional headcount or tools.  

Proficio’s MDR services provide your business with around-the-clock security monitoring, advanced threat detection, investigations, and automated response capabilities. You can learn more about our Managed Detection and Response or find out what Gartner recommends you ask MDR providers and Proficio’s answers. 

Establishing a Modern SOC With Splunk APAC Director for Specialization | Matthew Joseff

In the ongoing war against cybercrime, many organizations are looking for ways to modernize their Security Operations Centers (SOCs) to keep up with the ever-evolving threat landscape. On this episode of Cyber Chats, Proficio's Shane Talbot is joined by Matthew Joseff of Splunk. They provide their tips for companies looking to stay ahead of the curve and explain why moving to the cloud is key.

While moving to the cloud is a critical part, it’s just one piece of the puzzle for a comprehensive cybersecurity strategy. However, often cybersecurity executives have a hard time justifying to the Board the need for additional resources. Shane and Matthew debate this often-complex scenario and discuss how to demonstrate the importance of security. What do they suggest? Tune in to find out. 

Proficio Cyber Chats With Qualys CISO | Ben Carr

One of the best ways to stay safe, and to make the most of your time, is to prioritize your risk. Ben Carr, Qualys CISO, and Zane West, Proficio's VP of Products and Development, chat about the benefits of solutions like Risk-Based Vulnerability Management and what is key to better understanding your risk profile. This is critical when dealing with a hybrid workforce, but what else is essential? Learn what they recommend and hear their tips on how to stay compliant in an increasingly challenging time.

Proficio Cyber Chats With Oliver Rochford

One of the most popular buzzwords today is SOAR. Proficio's EMEA SOC Director, Carlos Valderrama, and former Gartner Analyst, Oliver Rochford, dive into the concept of SOAR in cybersecurity. Oliver provides his unique perspective on how the term came to be while he was working as an analyst at Gartner. Does he think SOAR lived up to its potential? Tune in to find out!

The conversation leads off with their ideas on what the SOC of the Future will look like; they also provide their insight into what aspects are critical for these to be successful. Carlos notes, “we see a lot of vendors push for buzzwords… instead of looking for real solutions.” So where will they go from there?

Proficio Cyber Chats With ePlus

How are cybersecurity teams adjusting to the current threat landscape, and what can they do to stay ahead? Hear what Proficio CEO and Co-Founder Brad Taylor and VP of Solutions for ePlus Lee Waskevich had to say about this and other topics influencing today's cybersecurity industry.

With many cybersecurity teams facing resource constraints, Brad and Lee talk about some alternatives for those organizations. These include adding automation to augment staffing or using a risk-based approach to focus on your most critical vulnerabilities. What else do they suggest? Listen to find out!

Proficio Cyber Chats With VMware Carbon Black

How do you develop a mature cyber program? It is a question that many organizations struggle with. On this episode of Cyber Chats, the discussion between Proficio's Carl Adasa and Rick McElroy of Carbon Black kicks off with possible answers to that question. Their experience from both the provider and the vendor side gives them a unique perspective on how companies can build a strong internal program.

With this goal in mind, they go on to address the challenges many teams face, with the lack of qualified cybersecurity professionals available to hire. This leads many organizations to outsourcing some or all of their security needs, which means finding the right partner is critical. So, what should you look for? And what can you do to help win the war on cybercrime? Tune in to find out.

Tips for Email Security

May 5th, 2016 is World Password Day – a day created to encourage safe password practices. The best defense against external threats is staying informed and diligent with your security practices, especially when it comes to email security.

Here are some tips to help stay safe from email threats:

  • Never share your password. If someone requests it by email, they are phishing for access to your account. Reputable businesses do not ask for passwords or other personal information by email.
  • Change your password regularly and create strong passwords: use a combination of upper- and lower-case letters, numbers, and special characters, and make them at least eight characters long.
  • DO NOT open email attachments unless you know the sender, are expecting an attachment from them, or can verify with the sender that they actually sent it. If you receive an attachment you cannot verify, DELETE IT; it is better to ask for it to be resent.
  • DO NOT reply to spam messages or emails that seem suspicious.
  • Learn how to recognize phishing and spear phishing attacks. Frequently used techniques for stealing credentials include:
      • Messages that threaten to stop services or shut down your accounts
      • Emails that request personal information (account numbers, PHI, credit card details, passwords, etc.)
      • Emails that use words such as "Urgent" or "Immediate Response Requested". These create a sense of alarm and make you feel that a reply is warranted
      • Forged sender addresses. These can be hard to notice because some email programs show only the sender's name and hide the address. If a message looks suspicious, check the sender's true identity in the email headers (the From address, any Reply-To and Return-Path addresses, and the authentication results)
      • Poor writing or grammar errors
  • Be wary of links in email. Before clicking, hover over the link to see whether the URL it actually points to looks legitimate and matches the text shown. You can also check a link by submitting it to virustotal.com or searching for it with Google.
  • Be aware of where you post personal information. Spammers "troll" social media sites for details they can use to make their emails look legitimate or to guess your password.

Just following these few tips will help to keep your email more secure and ensure your password protected information is safe.
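The header and link checks from the list above, as an added example that is not part of the original post. The two messages are constructed for the example and use reserved `.example` domains and documentation IP addresses; the choice of headers compared, the pressure-word list and the two-finding threshold are assumptions.

```python
"""Flag phishing signs in an e-mail: mismatched sender domains, failed
authentication results, pressure language, and links whose visible text
points somewhere other than their real target.

Added example, not code from the original page. Both messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

PHISH = """\
Return-Path: <bounce@relay.example>
Received: from relay.example (203.0.113.10) by mx.example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=relay.example; dkim=none
From: "Bank Support" <support@bank.example>
Reply-To: helpdesk@bank-verify.example
To: jdoe@example.com
Subject: URGENT: Immediate Response Requested - account suspension
Content-Type: text/html

<p>Your account will be shut down. Please <a href="http://bank-verify.example/login">https://www.bank.example/login</a> now.</p>
"""

LEGIT = """\
Return-Path: <support@bank.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass
From: "Bank Support" <support@bank.example>
To: jdoe@example.com
Subject: Your March statement is available
Content-Type: text/html

<p>Sign in at <a href="https://www.bank.example/statements">https://www.bank.example/statements</a> to view it.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None


def domain_of(addr):
    """Domain part of an RFC 5322 address, or '' if the header is absent."""
    return parseaddr(addr or "")[1].rsplit("@", 1)[-1].lower()


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "").lower()))


def analyze(raw):
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    # The visible From domain should agree with where bounces and replies go.
    for name in ("Return-Path", "Reply-To"):
        d = domain_of(msg.get(name))
        if d and d != from_dom:
            findings.append(f"{name} domain {d} differs from From domain {from_dom}")
    for mech, result in auth_results(msg).items():
        if result != "pass":
            findings.append(f"{mech} {result}")
    subject = (msg["Subject"] or "").lower()
    if any(w in subject for w in ("urgent", "immediate response")):
        findings.append("pressure language in Subject")
    body = msg.get_payload(decode=True)
    if body:
        p = LinkCollector()
        p.feed(body.decode("utf-8", "replace"))
        for href, text in p.links:  # same check a user does by hovering
            shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if shown and urlparse(href).hostname and shown != urlparse(href).hostname:
                findings.append(f"link text shows {shown} but points to {urlparse(href).hostname}")
    return {"from_domain": from_dom, "findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw))
```

The Authentication-Results header is only trustworthy when it was written by your own receiving mail server (the `mx.example.com` authserv-id here); a sender can forge one, so a real filter should strip any copy that arrived from outside before trusting it.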