OUTSOURCING MANAGED DETECTION & RESPONSE? HERE’S HOW TO FIND THE PERFECT PARTNER

Jan van Vliet, EMEA VP and GM at Digital Guardian

Despite increased technology spend and growing levels of regulation, financial services remain among the industries most exposed to cyberattack. Building an in-house security team able to get full value from today's detection and response platforms is difficult. External threats are growing in volume and sophistication, while insider misuse and internal breaches add a further area of risk. For security teams in retail and commercial banking, investment services and insurance, there is a clear and urgent need for both digital innovation and effective data privacy controls.

These issues have been further exacerbated by the recent massive shift to remote working, which has placed thousands of users outside the corporate network. Organisations are also having to rethink data resilience strategies in the face of a significant activity uptick by external threat actors.

These emerging risks are very real. The widespread move to home working was almost immediately accompanied by an avalanche of malicious activity from opportunistic cyber criminals. Recent research revealed that organisations experienced a 41% increase in endpoint malware infections and a 27% jump in phishing attempts during the early stages of the pandemic.

With remote working set to become the norm for the long term, the growing need for a no-compromise data protection strategy means organisations are re-evaluating how they raise their game to prevent data loss or damage. But, since building a typical security operations centre (SOC) takes time, resources, and expertise, security teams are turning to outsourced Managed Detection and Response (MDR) providers to improve their ability to detect and respond to threats.


Defining the requirement
Before choosing an MDR provider, companies should take time to identify their own requirements. This means consulting all stakeholders to establish which assets must be protected (endpoints, databases, applications, intellectual property, content delivery infrastructure) and whether the existing technology stack (logging, endpoint agents, network telemetry) is suitable for an MDR deployment.

Next, clear rules of engagement and SLAs must be defined and agreed. Because MDR is not a passive service, it must be closely integrated with the existing cyber security strategy. For example, the organisation needs defined processes for how threat notifications from an MDR provider are escalated and actioned, together with pathways for intelligence sharing and investigation requests. If internal capability to respond to incidents is limited, the scope of the provider's authority in the organisation's environment must be settled up front: can they take action beyond simply quarantining endpoints, and if so, which actions, on which systems, and with what approval?

Undertaking this kind of detailed internal needs evaluation is essential for organisations that want to engage with providers that can offer the tools, capabilities, and services most appropriate to their specific environment and protection needs.


Provider evaluation
In an ideal world, the provider should be able to monitor user, system and data events to identify suspicious behaviour, protect against malware and prevent data compromise. In doing so, they should also deliver insight on everything from which critical systems have been affected and whether a third party represents an entry vector for attacks, to production system downtime and whether data has been exfiltrated. This should include whether privileged accounts are being used for unauthorised access.

This should be accompanied by a list of documented use-cases the organisation expects a provider to address. These should cover visibility (system, user, data), remediation and response (indicator blocking, malware removal, endpoint isolation) and forensics. The provider's effectiveness against each use-case should then be tested, for example through penetration testing or threat simulation exercises, rather than taken on trust.

A good MDR provider will handle advanced threats – such as lateral movement by attackers, credential theft and privilege escalation, and command-and-control (C2) activity – but won't let less sophisticated attacks slip through either.

Finally, organisations should expect genuine human interaction with the provider’s security analysts. That means being wary of an over-reliance on dashboards, e-mails, or portals when it comes to alerting, investigating security events, case management and other activities.

At every stage, asking detailed questions about the standard practices and technologies vendors utilise should help companies benchmark and compare providers on how they would deal with a specific security incident.

Remember, not all MDR providers offer the same breadth of services, so it's important to assess all of these issues carefully in order to select a provider that fits the organisation's size, existing security controls and needs. Ultimately, it often comes down to human factors, threat-protection techniques and process-based responses that make the difference between success and failure. Partnering with an MDR provider that can blend the right combination of technology, support and experience is key to optimising enterprise data security.
