5 best practices to maximize ROI on MDR

Taj El-khayat, Area VP for South EMEA at Vectra AI, underlines the importance of five best practices that will allow organizations to optimize their ROI on MDR services.

The extent to which the region is under attack from cyber-villains continues to startle and unsettle even the most seasoned security professionals. One study shows a 151% year-on-year surge in UAE-based incidents during the third quarter of last year. Another shows that more than one in three of the nation’s OT (operational technology) computers — workstations used as part of industrial-control systems (ICS) in sectors such as manufacturing and petrochemicals — were targeted by threat actors in 2022.

Unfortunately, the tactics, techniques and procedures (TTPs) used by the modern threat actor have become more sophisticated. In what could arguably be called a “gentrification” of the digi-criminal underground, backroom louts have become part of an industry that offers cloud services such as Malware-as-a-Service and Ransomware-as-a-Service and organizes itself into formal teams like RansomOps. We may refer to them in criminal terms (“gangs”, “cabals”), but they are no less effective as a result. If we want to beat them, we must meet them on their terms. And that means round-the-clock detection and response capabilities deployed at scale. It is the only way to empower under-equipped, attrition-plagued SOCs to become the threat hunters we need them to be.

But delivering such capabilities is a challenge, as is ensuring coverage for ever-expanding environments that encompass premises, clouds, identity platforms, and all the sub-environments, workloads, applications, and services within. Attempts at addressing this tech swamp often reach for more and more point solutions. Over-tooling makes more work for overburdened teams, leading to burnout and an exacerbation of the problem.

Managed detection and response (MDR) is an antidote to all this. It applies a shared-responsibility model, supplying top-grade, on-demand, industry expertise, while also returning control of the environment to its proprietor. It does this through advanced, contextualized AI that delivers superior Attack Signal Intelligence™ to security stakeholders. Attack Signal Intelligence greatly reduces the demands on security personnel, all but dispelling alert noise and taking responsibility for manual tasks. MDR can be used for either outsourcing or team augmentation. Either way, it solves many of the problems posed by the current landscape.

Here are five best practices that allow organizations to optimize their ROI on MDR services.

1. Shared responsibility
Whether utilizing MDR to supplement an existing SOC or using it as a security-outsourcing model, the best outcomes will emerge from a clear understanding of roles and responsibilities among the various stakeholders on the client and provider sides. Transparency around who does what will infuse the security ecosystem with a critical element of predictability. Not only will SLAs assign tasks, but system logs will record who does them and when. Omissions and errors then become clear for everyone and much-needed trust can be built between MDR and customer teams.

2. Collective onboarding
Strategy and policy should be understood by both teams. Even if the customer is outsourcing the security function, a liaison team should be in place to oversee plans, decisions, and actions. Much of the activity that occurs during an incident is time-sensitive, but it must also account for the nature of the business. Response teams, whether they be MDR, customer, or a combination, must be able to act quickly with due consideration of a customer’s business operations. Actions and priorities must be thoroughly documented in a runbook and updated immediately when needs change.

3. Seamless integration
MDR must integrate with existing tools, solutions, and cloud infrastructures — those that serve the cybersecurity function, IT, and core business operations. One of the goals of MDR is to reduce complexity, but it must do so with zero impact on day-to-day operations. Investigation expertise, configuration optimization, and global visibility through Attack Signal Intelligence allow the MDR provider to navigate integration to the benefit of the customer and minimize disruption. MDR’s cloud-native offerings should integrate with leading endpoint detection and response (EDR) solutions to enhance the effectiveness of Attack Signal Intelligence.

4. Erase noise and tackle unknown threats
Zero-days can easily slip under the radar at the quietest of times. MDR’s AI clamps down on the alert noise that attackers can use to mask their infiltrations. MDR teams are in constant tuning mode — tweaking policies and configurations to ensure the security apparatus becomes an active listener and not a reactionary alert factory. MDR, as a function, learns from each alert and incident to perfect the security ecosystem and ensure that only genuine threats consume the time of human professionals.

5. Extend the security team
A recent study indicates a third of UAE cybersecurity teams see increased absenteeism after an attack and 46% of the national industry’s professionals intend to change jobs within the next two years. The expertise and policing abilities of MDR allow in-house analysts and threat hunters to enjoy a more positive employee experience, which dials down attrition rates. MDR gives organizations whatever they previously lacked. If they have no security team, MDR can perform the role in its entirety, under adequate supervision from a customer’s liaison team. If the customer’s SOC simply needs more staff, this too can be provided, and the MDR team can report to the customer’s CISO. More tools? No problem. MDR is a repository of knowledge, experience, technology, and more. It is elastic to the precise augmentation needed by a customer’s security function.

MDR brings Attack Signal Intelligence
Being able to see and mitigate a threat before it does damage. It seems like such a simple requirement and yet the challenges behind it consume the region’s cleverest CISOs. MDR removes many of these challenges — lack of resources and staff, for example — and puts the owner of the IT stack back in control of their digital assets. Attack Signal Intelligence emanates naturally from MDR setups, scooping up the most valuable telemetry and empowering SOCs to shore up defenses and build a safer digital estate.