An effective risk assessment looks at your unique assets and business processes, identifies threats against them, and allows you to make rational decisions on how best to protect them. In this way, a risk assessment is unique to every organization, even those in identical industries. For example, two nearly identical organizations might have slightly different tolerances for risk, they may choose to mitigate a risk differently, or they may have different technology that gives them different risk profiles.
This is why it is so important to conduct a risk assessment periodically, and any time you invest in new technologies. If you don’t, you may over-invest in some areas and under-invest in others.
One of the latest trends in cybersecurity is Managed Detection and Response, or MDR. While MDR uses new technologies and improves security substantially, a risk assessment will give you the confidence to take advantage of this technology in a way that truly suits your organization's unique needs.
MDR begins with Endpoint Protection. Endpoint Protection is vital today for three reasons:
As described in our recent blog post on security acronyms, XDR is the leading toolset for Endpoint Protection, and there are many vendors. Unlike passive signature-based scanning alone, XDR combines signature scanning with analysis of system behaviors. XDR then uses AI to respond to threats automatically.
XDR may be the latest advancement in detection and response, but it is not without its flaws. The all-encompassing scope of XDR means that it monitors and generates alerts for threats across all endpoints, email, cloud infrastructure, and more. While artificial intelligence handles many of these alerts, XDR still creates a lot of manual work in tuning and responding to indicators of compromise (IOCs).
This additional work is creating an increased demand for Managed Detection and Response (MDR), which outsources XDR capabilities to a managed service provider. That is, an MDR service provider monitors XDR data feeds and handles further investigation and response. The demand for MDR is large: the market is expected to grow from $335.5 million in 2016 to $1.6 billion by 2022.
While MDR services provide a cost-effective means of obtaining advanced detection and response capabilities, it’s important not to treat MDR as a plug-and-play cybersecurity solution. In practice, not all systems are equal, and it’s prudent to align detection and response with critical business operations.
Do you need XDR on every system? Can IOCs on one network segment prompt a need to tighten security on another? How fast do you need to move in your purchase and deployment of a solution?
You really don’t want your MDR vendor answering these questions for you. You need to answer these questions first with a risk assessment tuned to XDR/MDR. Without a risk assessment that indicates whether to tune the XDR on the device up or down depending on the system and circumstance, you can end up with alerts and responses that unnecessarily disrupt important business operations. Consider the following example of a medium-sized wealth management company:
In this example, a lack of risk assessment results in poor alignment between detection and response and critical business operations. Before buying any type of endpoint security solution, you need to conduct a risk assessment that identifies:
Conducting and documenting this risk assessment before entering into a contract with an MDR vendor is vital for getting detection and response capabilities suited to your unique business.
The lack of a risk assessment is often compounded by some issues with generic MDR services. Most MDR services treat all systems equally. For example, a desktop workstation used by a senior accountant is treated no differently in terms of detection and response than an infrequently used tablet belonging to a junior salesperson.
In the real world, different systems and users have varying levels of access to critical business data and processes. It makes sense that the closer a system is to important resources, the more sensitive the detection and response should be. The opposite is also true: you probably don’t need to shut down a production application for a minor event.
Furthermore, MDR vendors have an incentive to tune down the XDR system so that fewer alerts are generated. Fewer alerts mean lower costs for the MDR vendor in terms of hiring SOC analysts to triage and respond to those alerts. Businesses can get more value from an MDR service by providing them with the guidance and insights gleaned from a risk assessment.
At Security Pursuit, we encourage our clients to conduct a risk assessment for MDR to ensure they are getting the most for their security budget. Using the results of the risk assessment, your XDR system will be aligned to your organization's unique risk profile. This results in response strategies that are appropriate for the given alerts, IOCs, and threats. Your system is tuned up for high-risk situations and tuned down where low-risk alerts could affect normal business operations.
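The following is an added illustration, not Security Pursuit's method or any vendor's product logic, of how risk-assessment output can drive per-asset XDR tuning: each asset gets a detection tier from a weighted risk score, and the automated response for an alert depends on both alert severity and that tier, with a guardrail so a production system is not isolated for a minor event. The score weights, tier thresholds, response tiers and the three inventory entries are constructed assumptions for the wealth-management scenario discussed above.

```python
from dataclasses import dataclass

# Response tiers ordered from least to most disruptive to business operations.
TIERS = ["log", "alert", "investigate", "isolate"]
SEVERITY_BASE = {"low": 1, "medium": 2, "high": 3}   # default tier index per alert severity
TIER_SHIFT = {"low": -1, "medium": 0, "high": 1}     # how the asset's risk tier moves it
# Guardrail from the text: a production system is not shut down for a minor event.
PRODUCTION_CAP = {"low": "alert", "medium": "investigate"}


@dataclass
class Asset:
    name: str
    data_sensitivity: int      # 1 (public) to 5 (regulated client financial data)
    access_level: int          # 1 (no privileged access) to 5 (admin on critical systems)
    business_criticality: int  # 1 (convenience device) to 5 (revenue-critical process)
    production: bool = False   # True for systems running live business operations


def risk_score(a: Asset) -> int:
    """Weighted additive score; the weights are an illustrative assumption."""
    return 2 * a.data_sensitivity + 2 * a.access_level + a.business_criticality


def detection_tier(a: Asset) -> str:
    """Map the score to the detection sensitivity the XDR agent should run at."""
    s = risk_score(a)
    return "high" if s >= 20 else "medium" if s >= 12 else "low"


def response_action(a: Asset, severity: str) -> str:
    """Pick the automated response for an alert of the given severity on this asset."""
    idx = SEVERITY_BASE[severity] + TIER_SHIFT[detection_tier(a)]
    idx = max(0, min(idx, len(TIERS) - 1))
    # Cap disruption on production systems unless the alert itself is high severity.
    if a.production and severity in PRODUCTION_CAP:
        idx = min(idx, TIERS.index(PRODUCTION_CAP[severity]))
    return TIERS[idx]


# Constructed inventory for the wealth-management scenario in the text.
INVENTORY = [
    Asset("accountant-workstation", 5, 4, 3),
    Asset("junior-sales-tablet", 2, 1, 1),
    Asset("trading-app-server", 5, 5, 5, production=True),
]

if __name__ == "__main__":
    for a in INVENTORY:
        actions = {s: response_action(a, s) for s in SEVERITY_BASE}
        print(f"{a.name:24} tier={detection_tier(a):6} {actions}")
```

Running it shows the same medium-severity alert producing "isolate" on the accountant's workstation, "alert" on the junior salesperson's tablet, and only "investigate" on the production server.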
Ultimately, we work with you and your knowledge of your business to make your XDR/MDR system respond to threats swiftly and appropriately, no matter where they happen.
Partner with us at Security Pursuit to get the most out of your security investments. Fill out this form to contact us.