Managed Security’s Evolution, from an MDR Provider’s Perspective – It’s Alphabet Soup
By: Bruce Johnson | Director, Enterprise Security
Updated February 21, 2023 – I’ve been in IT for a minute – so long there should be a Stones song about me. I’ve been involved for decades, and experienced the evolution of execution platforms that provided innovative solutions to improve the “ilities.” But it has been a rarity to see security advances built hand-in-hand with those core platform improvements. So it was with client/server, and so it is now with microservices, the cloud, and mobile platforms.
The challenge now is exponentially more complex than it was when I was a wee nerdling. At this point, the security challenge is so varied, dynamic, and effective that our threat surface looks like a quilt stitched by Edward Scissorhands. Our approach to security must rapidly adapt, and it has to start with the assumption that hackers are inside the house using tools that aren’t on standard threat lists.
The only thing propagating as quickly as threats is acronyms. From FW to NGFW, IDS to IPS, MSSP to [N|M|E|X]DR, the alphabet soup of security acronyms keeps expanding. Rather than focusing on terminology, TekStream came up with a simple and effective measure of clients’ security maturity several years ago, based on three dimensions: visibility, fidelity, and automation. We view these as the principal measures that differentiate modern SOC effectiveness. They have held up as the environment has evolved, and they simplify the evaluation and application of technologies and appliances across security layers and solutions. You can look at any security solution and map its evolution along those lines:
- Visibility is essentially an expanding field of view into internal and external threat sources, data sources, appliance feeds, partners, and intelligence.
- Fidelity is a measure of the degree of accuracy in identifying threats. Every tool has an ML layer, and most evolved from simple standard-deviation tests for identifying outliers. The degree of accuracy depends upon empirical, easily measured results. The search for noise reduction never ends. Data fidelity in cybersecurity is perfected when you don’t have false positives…and let those among you without any false positives cast the first stone.
- Automation is a continuum that goes from manual detection to fully automated prevention. Automation never stops growing as we interact with a widening variety of tools across security layers and discover new Indicators of Compromise (IOCs) that determine malignancy or lack thereof.
A static security solution is a false sense of security, and people tend to underestimate the care and feeding. Detection is great, but responding is better and preventing is best.
Prevention seems to be the trend, from security-focused orchestration registries for microservices to XDR (Extended Detection and Response) technologies that lock down lateral movement. Security Information and Event Management (SIEM) tools are adopting integrated Security Orchestration, Automation, and Response (SOAR) tools to move to a closed-loop security process. Detecting a threat is fine, but it mirrors the analogy that differentiates a dental consultant from a dentist.
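The fidelity trade-off described above can be put in numbers. The following is an added example, not code from this post or from TekStream: a standard-deviation outlier detector, of the kind the ML layers grew out of, run over a constructed set of labelled per-host failed-login counts and scored on precision, recall and false-positive rate. Hostnames, counts and labels are all made up.

```python
from statistics import mean, pstdev

# Constructed sample (not real telemetry): failed-login counts per host for
# one hour, each hand-labelled with whether that hour was actually malicious.
# "build-07" is a benign spike (a misconfigured CI job retrying), "vpn-gw" is
# a real brute-force attempt, and "db-02" is a low-and-slow attacker.
EVENTS = [
    ("web-01", 2, False), ("web-02", 3, False), ("web-03", 2, False),
    ("app-01", 4, False), ("app-02", 3, False), ("app-03", 2, False),
    ("mail-01", 3, False), ("mail-02", 5, False), ("dns-01", 2, False),
    ("dns-02", 3, False),
    ("build-07", 22, False),   # benign spike: a classic false-positive source
    ("vpn-gw", 40, True),      # brute force: the outlier we want to catch
    ("db-02", 6, True),        # low and slow: hides inside normal variance
]

def zscore_flags(values, threshold):
    """Flag values more than `threshold` standard deviations from the mean."""
    mu, sd = mean(values), pstdev(values)
    if sd == 0:
        return [False] * len(values)
    return [abs(v - mu) / sd > threshold for v in values]

def evaluate(events, threshold):
    """Score the detector against the labels: the empirical fidelity numbers
    an analyst looks at (precision, recall, false-positive rate)."""
    flags = zscore_flags([count for _, count, _ in events], threshold)
    tp = sum(1 for f, (_, _, bad) in zip(flags, events) if f and bad)
    fp = sum(1 for f, (_, _, bad) in zip(flags, events) if f and not bad)
    fn = sum(1 for f, (_, _, bad) in zip(flags, events) if not f and bad)
    tn = len(events) - tp - fp - fn
    return {
        "threshold": threshold, "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }

if __name__ == "__main__":
    for t in (1.0, 2.0):
        print(evaluate(EVENTS, t))
```

Tightening the threshold from one to two standard deviations removes the false positive on the noisy build host, but neither setting catches the low-and-slow attacker, which is exactly the noise-reduction trade-off that keeps fidelity work from ever being finished.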
Using those measures, it becomes easy to evaluate or categorize solutions into the following areas:
- Intrusion Detection Systems (IDS) evolved into Intrusion Prevention Systems (IPS) or Intrusion Detection Prevention Systems (IDPS), increasing fidelity and automation.
- Network Detection and Response (NDR) solutions (originally Network Traffic Analysis) are evolving along the fidelity and automation dimensions. The strength of analyzing north/south and east/west traffic patterns is inherent in these solutions. The ML models that identify outliers in network traffic patterns are improving, and there is some limited automation to interact with network devices or surface alerts in response to identified threats. Automation for any specific layer of security solutions seems to be limited to the visibility inherent in that domain, so, outside of enterprise SIEM/SOAR solutions, automation is rarely comprehensive.
- Endpoint Detection and Response (EDR) solutions do exactly what the name says: they detect and respond to threats against endpoints. They provide a high degree of detection, automation, threat response, and threat prevention across managed endpoints. They have been expanding to include greater visibility into the layers that support endpoints, including LDAP, authentication, antivirus, etc. They often optionally incorporate managed service solutions or managed detection and response (MDR) services that cover those endpoints. SIEM solutions underlie some of those offerings, and their scope is expanding to cover more and more of the threat surface.
- Extended Detection and Response (XDR) is an up-and-coming cybersecurity service offering and an evolutionary step that expands detection and response beyond endpoints and SIEM/SOAR solutions. Gartner defines it as “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system.” It promotes a natively integrated, unified vendor approach. XDR emphasizes containment, remediation, and repair across the security infrastructure: it limits access to portions of the network, revokes credentials, restricts the use of cloud-based applications, removes messages from inboxes, etc. But, since nothing prevents enterprise SOAR tools from performing these same automation steps, the distinction is often amorphous. XDR solutions provide higher fidelity with limited visibility, while enterprise SIEMs provide broader visibility with a need to improve fidelity. XDR does seem to be extending automation to endpoints, which we find to be an essential complement to a pure SIEM/SOAR solution.
Managed Security Service Providers (MSSP) are morphing into Managed Detection and Response (MDR) providers largely by expanding automation – becoming proactive in response rather than reactive/prescriptive. Of course, as we’re in the MDR game, we actually expanded along all three maturity dimensions. We started our security journey with Splunk’s solutions. Splunk’s security solutions are still uniquely able to provide enterprise-level visibility and correlation/orchestration across the entire threat surface, solving the swivel-chair security process. The inclusion of SOAR has elevated our ability to automate time-critical tasks and provide more elegant triage and response workflows. There is still room to grow in this world, as there is limited ability to prevent intrusions without owning endpoints or network devices. Augmenting this platform with a superior EDR solution effectively covers some of the more critical threat responses that protect the core security layers (1-4) – see diagram below. These layers are broadly garnering more attention in light of supply chain threats and compromised third-party ingress points. APTs (Advanced Persistent Threats) are obviously successfully breaching the outer layers.
As the cybersecurity battlefield continues to get more sophisticated in both offensive and defensive strategies and armament, we are fully aware that our clients’ security maturity is never at 100% and the process is one of continuous learning, adapting, and adopting the most effective tools and processes to help clients keep their data, business operations, and reputations secure. And the alphabet soup we swim in is just part of the deal.