One of the basic cybersecurity needs for retirement systems is to be able to detect threats to networks and effectively respond to those threat signatures. However, choosing the right solutions that meet this need is challenging and always changing. While Retirement System Administrators are generally conservative, your IT environments have changed a lot recently. Work-from-home and the move to cloud systems are creating distributed endpoints, expanding your threat surface.
Furthermore, anyone tasked with researching the detection and response solutions has to negotiate a landscape of confusing acronyms. These acronyms may seem indistinguishable from each other, which makes it hard to know what solutions you need. This article breaks down the acronym soup of detection and response and helps your organization make a more informed decision.
Here is a run-through of the main acronyms in detection and response.
An Endpoint Protection Platform (EPP) is a prevention-focused solution that attempts to block malware on endpoint devices. These endpoints include employee workstations, BYOD laptops, and IoT devices.
As the number of endpoints on the average network has increased and workforces have become increasingly remote, endpoint security risks have risen. In fact, a 2020 industry survey found that 68 percent of respondents saw the frequency of attacks against their endpoints increase over the last 12 months.
Typically, EPP solutions use signature-based detection coupled with personal firewalls and port control. The main drawback of EPP is that it can’t detect advanced threats that evade these front-line controls, and it doesn’t respond to threats; it only alerts and blocks.
Coined by Gartner’s Anton Chuvakin, endpoint detection and response (EDR) is the name given to a type of security solution that detects and responds to threats that have got past anti-malware controls and are already in your environment.
The detection capabilities stem from continuous monitoring of endpoint events and endpoint data analytics. The response capabilities use automated rule-based decisions to respond to threats whether through containment or alerting. A drawback of EDR is that it only addresses threat detection and response on a single layer—your endpoints—so it’s not enough to defend against all threats.
Network detection and response (NDR) is a more recent innovation that you can think of like EDR but for the traffic and communication channels on your network. In many high-profile cyber-attacks, threat actors lurked on target networks, often for months at a time, probing for vulnerabilities and ways to escalate privileges.
It’s important for Retirement Plan Administrators to be able to detect and respond to advanced threats on their networks, not just on their endpoints. The now infamous SolarWinds attack exemplified how hackers can stealthily infiltrate a network and remain undetected for months at a time.
NDR uses centralized real-time monitoring and analysis of network traffic to detect these threats. The response capabilities include dropping suspicious traffic with automated workflows or alerting security teams who can investigate threats. Once again, because NDR is focused on just one layer of defense it’s not sufficient alone.
Relying on multiple independent point solutions for detection and response on different layers of your IT infrastructure arguably makes it harder for security teams to keep up with the current threat landscape. Retirement Administrators need to detect and respond to threats targeting email, member data, mobile devices, investment systems, payment systems, cloud-based solutions, and virtual machines.
Extended detection and response (XDR) attempts to unify detection and response across this threat landscape. XDR provides a single platform for gathering and correlating data, detecting advanced threats and response capabilities across email, endpoints, servers, network traffic, and cloud workloads.
Managed Detection and Response (MDR) essentially outsources XDR capabilities to a managed provider that monitors your environment, detects emerging and active threats, and responds accordingly.
Naturally, the scope of XDR platforms is such that they generate a lot of security alerts, many of which turn out to be false positives. Many Retirement Administrators have small IT teams that already have a lot to do. Alert fatigue can be a real problem.
This translates to a strong incentive to tune down different aspects of the XDR systems to combat this alert overload. The problem with tuning down is that it can lead to genuine threats going undetected. Outsourcing to an MDR is one way to combat this alert fatigue. However, MDR service providers are not immune to this either, as you will read shortly.
For Retirement Administrators, managed solutions also have the advantage of being more cost-effective than setting up your own 24/7 dedicated team to detect and respond to threats.
Managed Security Services Provider (MSSP) is an old term but shouldn’t be forgotten. Traditionally, an MSSP remotely monitors your environment and alerts you about potential threats either by email or through a portal. An MSSP does the important work of monitoring a variety of security tools and logging and retaining event records. This is usually done through a Security Information and Event Management tool (SIEM, see below). Those needs still exist and are not part of XDR.
Most, but not all, MSSPs have dropped that acronym and use the more market-driven MDR acronym. Is your MSSP using an XDR solution? Is that all they are using? A strict MDR provider that only uses an XDR is not enough. You still have other tools to monitor. Plus, many Retirement Administrators need to retain event records for compliance and forensic purposes.
The key is to make sure you know what your partner is providing.
So, we’ve talked about endpoints, network devices, and the comprehensive XDR tools.
Security Information and Event Management (SIEM) is a key tool in the Security Operation Center (SOC). It captures alerts and data feeds from systems, tools and outside sources, normalizes and correlates them, and provides deep insight into potential security events in real time. Most SOCs use a SIEM as a dashboard to understand the full nature of what’s happening on the network.
With a SIEM, SOC operators then must dig deeper into the events to determine if/how to remediate the threat.
Security Orchestration, Automation and Response (SOAR) is the latest tool used in the SOC. Like a SIEM, the SOAR solution takes in log and event data, but it also easily captures XDR inputs and outside threat data feeds. SOAR tools also allow you to create automated playbooks to respond quickly to a variety of common threats that you may be seeing in your environment. This ability to respond through playbooks is what really sets SOAR apart.
SOAR does not, however, retain logs or allow for after-the-fact analysis. This is something you need, so a SOAR does not replace a SIEM.
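The SIEM normalization-and-correlation step and the SOAR playbook described above, as an added Python example that is not part of the original article and not any vendor's product code: two constructed alert feeds (one EDR, one NDR) are mapped onto a single schema, scored per host, and handed to a playbook that applies the asset-tier prioritization the article argues for (a critical payment system is isolated early, a standard laptop is only ticketed). Host names, asset tiers, severity mappings, the correlation boost and the thresholds are all assumptions.

```python
from collections import defaultdict
# Constructed data: host names, asset tiers and alerts are made up for this
# example; hosts that issue retiree payments are tier "critical" (assumed).
ASSET_TIERS = {"pay-batch-01": "critical", "mkt-laptop-07": "standard"}
RAW_ALERTS = [  # two vendor-specific shapes: an EDR feed and an NDR feed
    {"tool": "edr", "hostname": "mkt-laptop-07", "severity": "medium",
     "detection": "office macro spawned powershell"},
    {"tool": "ndr", "src_host": "pay-batch-01", "risk_score": 62,
     "signature": "beacon-like periodic outbound connection"},
    {"tool": "edr", "hostname": "pay-batch-01", "severity": "low",
     "detection": "new scheduled task created"},
]
SEVERITY_WORDS = {"low": 3, "medium": 5, "high": 8, "critical": 10}

def normalize(alert):
    """SIEM step: map each tool's schema onto one record with a 1-10 severity."""
    if alert["tool"] == "edr":
        return {"host": alert["hostname"], "source": "edr",
                "severity": SEVERITY_WORDS[alert["severity"]]}
    if alert["tool"] == "ndr":  # NDR risk is 0-100; fold it onto the same scale
        return {"host": alert["src_host"], "source": "ndr",
                "severity": max(1, round(alert["risk_score"] / 10))}
    raise ValueError(f"unknown tool {alert['tool']!r}")

def correlate(alerts):
    """SIEM step: score each host; endpoint + network evidence gets an assumed +2."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    scored = {}
    for host, items in by_host.items():
        score = max(a["severity"] for a in items)
        if len({a["source"] for a in items}) > 1:
            score += 2
        scored[host] = min(score, 10)
    return scored

def playbook(scored, tiers=ASSET_TIERS):
    """SOAR step: critical assets isolate at a lower score; the rest ticket/monitor."""
    actions = {}
    for host, score in scored.items():
        isolate_at = 5 if tiers.get(host, "standard") == "critical" else 8
        if score >= isolate_at:
            actions[host] = "isolate"
        else:
            actions[host] = "ticket" if score >= 5 else "monitor"
    return actions

def run(raw=RAW_ALERTS):
    return playbook(correlate([normalize(a) for a in raw]))
```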
The challenge for your IT team is that many of the tools are adding features that cross over. XDR is a good example of converging EPP, EDR and NDR. Many SIEM tools are building SOAR capabilities and vice versa. Some vendors are simply latching onto the latest acronym and not changing their capabilities.
I’m sorry to say that you will have to dig deep into tools and services to really understand what you are getting.
Whether you call it MSSP, MDR or even SOC-as-a-Service (don’t get me started), it makes sense to outsource all of this to a service provider. And there are a lot of them!
Keep in mind that generic MDR providers, some with thousands of clients, must also address alert fatigue at huge scale. They also have financial incentives. That is, the more alerts they get, the more people they need, and the less profit they make. So, they have an incentive to tune down their monitoring to lessen the alerts.
In addition, to a generic MDR service it doesn’t matter what industry you are in. They look at retirement administrators, software companies and fast-food chains the same way. It’s just more devices to monitor. It’s true that most malware doesn’t know or care about your business, either. But the hackers do. More than ever, security events are targeted at specific industries and specific organizations in those industries. And Retirement System Administrators are excellent targets.
Do you want your security monitored by someone who knows nothing about you and treats you just like any other business?
A key difference that Security Pursuit offers is tailoring our solution to Retirement Administrators. We believe this focus allows us to balance alerts (everything gets thoroughly scrutinized) while providing aggressive response to protect your key assets. For example, we may see some early malicious indicators on a low-level marketing laptop, but we may respond with quick isolation on the systems that need to get retiree checks out tomorrow.
We do this through a risk-balanced approach that is specific to your organization and Retirement System Administrators. We call it Bespoke MDR.
Security Pursuit uses the market-driven MDR acronym to describe our managed service, and we use the latest and best XDR technology. However, we also capture alerts from your existing tools and normalize, monitor, and retain records through our SIEM and overlay our SOAR to provide the best possible security available. We have tuned SOAR playbooks for this industry that we then further customize to your organization. This allows us to provide the most flexible and comprehensive security services in the Retirement Administrator industry.