Mandiant Fortifying Cyber Defenses with MDR Service User Guide

Mandiant Fortifying Cyber Defenses with MDR Service

Product Information

The product is an EBOOK titled “Fortifying Cyber Defenses with MDR” that serves as a definitive guide to critical managed detection and response capabilities.

• Specifications
  • Product Type: EBOOK
  • Title: Fortifying Cyber Defenses with MDR

Product Usage Instructions

• Introduction
  • The EBOOK provides insights into the challenges faced by SOC teams in managing security alerts, skills shortages, and the importance of managed detection and response services in fortifying cyber defences.
• Reducing Mean-Time-to-Detect with MDR
  • The EBOOK discusses the concept of Mean-time-to-detection (MTTD) and how an MDR provider can help reduce the dwell time of attackers in a network.
  • It emphasizes the significance of quality threat intelligence and threat-hunting expertise in minimizing breach impact.
• Key Points:
  • MTTD Measurement: Measurement of attacker dwell time in a network before detection.
  • Impact Reduction: Quality threat intelligence and threat-hunting expertise can minimize breach impact.
  • Figure: A simulated example of activities within the first two hours of dwell time.

FAQs

• What is Mean-time-to-detection (MTTD)?
  • MTTD is a measurement of how long an attacker dwells in a network before being detected. It is crucial for assessing the efficiency of detection capabilities.
• How can MDR help reduce MTTD?
  • An MDR provider with quality threat intelligence and deep threat-hunting expertise can proactively detect and respond to threats, thereby reducing MTTD and minimizing breach impact.
• Why is reducing detection and response times important?
  • Reduced detection and response times indicate improved cyber security maturity, enabling security teams to mitigate risks effectively.

Introduction

Detection and response are critical cyber defence functions for organizations of all sizes and industries However, budget and resource constraints often limit their capabilities, which puts them at greater risk.

To help organizations reduce risk, a managed detection and response (MDR) service provider can:

• Supplement internal capabilities,
• Fill critical gaps, or
• Provide a complete end-to-end detection and response function.

However not all MDR providers are equal, and many do not offer the required skills and expertise to ensure organizations are well-protected against the threats that matter most. According to Gartner®, “Managed detection and response (MDR) services provide customers with remotely delivered security operations centre (SOC) functions. These functions allow organizations to rapidly detect, analyze, investigate and actively respond through threat disruption and containment.”1

To optimize their cyber defence capabilities, security leaders and teams must ask the right questions to confidently evaluate MDR providers:

• What is the mix of threat intelligence, detection capabilities, threat hunting, investigation, response actions and customer communication the MDR provider offers?
• How broad, deep, and useful are the provider’s intelligence and human expertise?
• How consistent and scalable are their offerings?
• Are they available through software-as-as-service (SaaS) offerings or as fully managed services?

Common Challenges Facing SOC Teams

• Too many alerts, not enough time limit an organization’s ability to detect intrusions quickly.
  • Security analysts are tasked with monitoring, triaging, and investigating the high-volume of security alerts generated throughout the environment.
  • Security engineers are often forced to manually stitch together data from disparate systems, taking time away from trying to make sense of data and identify malicious behaviour.
  • Without advanced automation and analytics technologies, organizations cannot effectively scale data collection, processing and analysis.
• Limited attacker insight and relevant intelligence required to understand the most critical threats at any given time.
  • According to Forrester, organizations subscribe to an average of 7 threat intelligence feeds.2
  • Not all threat intelligence feeds are created equal. Security operations teams need a deep understanding of the threat landscape and specific adversary groups targeting their organization.
  • The threat intelligence needs to be operationalized to ensure that the right threat details are seen by the right people.
  • Otherwise, it becomes harder to effectively monitor, triage and prioritize alerts. It also becomes more difficult to investigate and reconstruct events to determine the scope of a breach and to find adversaries that have evaded technical controls.
• Shortage of cybersecurity skills puts organizations at a disadvantage.
  • Skills such as cyber threat hunting require expertise and resources that few individual organizations can maintain on their own without proper training programs. This makes it hard to find, train and retain security analysts with essential skillsets.
  • A properly equipped and empowered MDR can address these challenges.

Reducing Mean

Reducing Mean-Time-to-Detect with MDR

Mean-time-to-detection (MTTD) is a measurement of how long an attacker “dwells” in a network before being detected. Mandiant research shows that the global median dwell time across organizations is 16 days as of 2023. While it is taking less days to identify a compromise, many organizations are “detecting” the activity by way of third-party organizations, with 63% of breach notifications coming from external sources.3

FIGURE. A simulated example of what can happen in the first two hours of dwell time. (Disclaimer: Timing will vary based on individual customer circumstances.)

An MDR provider with quality threat intelligence and deep threat-hunting expertise can significantly reduce an organization’s MTTD and minimize the business impact of a breach. Better service capabilities enable security experts to focus on threats that matter and root out emerging attacks. Reduced detection and response times represent the ability of security teams to reduce risk and are one measure of cyber security maturity.

Detection and Response

Critical Components of Effective Detection and Response

The most effective approach to MDR is a combination of technology and expertise. Industry research and analyst perspectives support this notion and highlight several components for effective detection and response: threat intelligence, threat detection, threat hunting, investigations, remediation and response and a solid customer support model.

• Threat Intelligence
  • The Intelligence function feeds directly into every other cyber defense function, from providing indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) that can be used to develop use cases within the Detect function, providing guidance to build mission-critical Hunt function activities and developing adversary emulation to test security controls.
• Threat Detection
  • Threat detection includes enhancing contextualization and providing detection analytics through automation and machine learning. As a result, organizations gain a clearer picture of threats to the environment and a more comprehensive view of the environment itself.
• Threat Hunting
  • Threat hunting is a proactive cyber defence activity used to identify active threats within the environment. It includes advanced capabilities such as insider threat identification, deception tactics, and threat modelling exercises.
• Investigation
  • Investigation blends threat intelligence, automation, and correlation with human analytical skills and experience. The combination of analyst-driven investigations with correlated event data gathered by threat detection, investigation, and response (TDIR) technologies ensures that providers can deliver fast, scalable response activities.
• Remediation and Response
  • Remediation and response focus on returning business to normal after a compromise. A response team’s actions must match the scope of the attack. Capabilities such as containment should be augmented with automation and orchestration to drive faster remediation of incidents and minimize impact.
• Customer Support Model
  • An MDR provider should serve as an organization’s cyber defence partner. The customer support function should understand the organization’s needs, act as an advisor and contributor to their SOC team and offer a dedicated expert or team of on-demand experts.

Expert Threat Intelligence: Prioritize based on your unique threat profile
Effective threat intelligence, the core of all detection and response activities, needs to be:

• Quickly actionable
• Have broad ranging visibility across the entire threat landscape not just a single source or aspect of the landscape
• Personalized and relevant. You can’t waste time with the clutter we need to understand our unique threat landscape and how the threats may impact you

Building the Foundation of Detection and Response through Integration
Expert intelligence is best activated and used at a foundational level to guide security monitoring. It provides visibility into the cyber threats most relevant to the organization and prioritizes the detection of those threats. Threat intelligence should be integrated across tools and processes for:

• Precise threat hunting
  • Using data on active adversary groups and current, relevant attacks, threat hunting teams can identify both active compromises and evidence of past (undetected) incidents.
• Activity prioritization
  • Threat intelligence helps IT and security groups determine patch and upgrade priorities based on the potential impact of the threats most likely to target the organization.
• Informed monitoring
  • Security engineers know where to look, what to monitor for, and when to alert security analysts of activities tied to active APT groups.
• ** Refined security strategy**
  • As adversary targets and tactics continually shift, intelligence empowers security operations groups to update their strategy and maintain their security posture.
• Confident, capable incident response
  • Intelligence bolsters incident response teams’ ability to scope and rapidly contain breaches and prevent repeat attacks.
• Up-to-date security validation
  • Effective validation efforts incorporate the latest adversary tactics, techniques and procedures (TTPs) to ensure controls and operations can stop an attack or reduce its impact.

Importance of Varied, Credible Threat Intelligence Sources
A quality MDR vendor should have a broad set of intelligence sources operationalized into comprehensive, actor-specific playbooks that inform detection, investigation and response activities.

Their sources should include:

• Human curated intelligence: Threat intel analysts manually research, verify and analyse information to provide high-quality contextualized intelligence including threat actor motivations, tactics, techniques, and procedures and likely targets.
• Frontline intelligence: Insights from incident response provide a detailed and contextual view of real-world threats, the latest TTPs, used by adversaries, and the latest tools they leverage.
• Crowdsourced intelligence: Intel sourced from files, URLs, and other potential threat indicators provides real-time visibility into emerging trends, and highlights the IOCs to use to within threat-hunting missions.
• Open-source intelligence: Publicly available information like blogs, security forums, new articles, vendor reports, social media, etc.

Questions to Ask MDR Providers:

• What intelligence sources do you use beyond simple data feeds?
• Can your threat intelligence reveal who is targeting our industry? And how?
• How well do you align threat intelligence to relevant industry attack frameworks such as MITRE ATT&CK and NIST?
• Is your threat intelligence completely transparent and available to your customers?

Detection: Accelerate and augment threat visibility with threat detection, investigation, and response (TDIR) technologies Extended detection and response (XDR) provides visibility into telemetries across an organization. However, it greatly increases the amount of data monitored and tends to further stress overextended, resource-constrained security operations—even when offered as a managed service. An advanced technology platform that can enable the growing volume of data to be processed and analyzed at scale. To cover all possible threat vectors, XDR can include telemetry collection: alerts, events and logs from the endpoint, network, cloud and OT/IoT/ IIoT devices, and more. Again, while valuable, this can also lead to higher volumes of data, creating further challenges. Automation and machine learning can help normalize, enrich, and analyze data coming in from multiple sources.

TDIR technologies offer several detection benefits:

• Minimize the risk of human bias in the monitoring and triage process
• Accelerate detection at scale across all integrated technologies to enable rapid response
• Maintain correctly prioritized customer interactions with transparent communication.

Questions to Ask MDR Providers:

• How many sources of telemetry are ingested (for example, endpoint, network, cloud, email, OT/IoT/IIoT)?
• Can you work with customers’ technology stacks, or do you use a proprietary stack?
• Do you regularly update and maintain your data science models?
• Do you use cyber threat intelligence to help automate detection or enhance remediation?

Single- or Multi-Vendor Option?

• Single vendor: Requires deployment of its proprietary technology and point solutions
• Multi-vendor: Supports the customer’s existing technology and is equipped to deliver detection and response across multiple telemetries
• Threat Hunting: Uncover attacks before impact with intelligence, human expertise, and automation
• An example is SUNBURST, a covert backdoor that was distributed by a software update as a result of a supply chain attack on one organization’s widely used IT management software. The adversary used multiple techniques to evade detection across the entire attack lifecycle, enabling them to operate within both public and private organizations around the world for over 15 months.
• Stealthy attacks force mature MDR providers to go beyond sweeping the environment against new indicators of compromise (IOCs) to a more continuous, expert-led function. More accomplished providers adopt both automated and human-led hunting strategies to adapt to changes in the threat landscape and attacker behaviour.
• This approach allows MDR providers to systematically reduce an organization’s threat exposure through proactive detection and enables them to identify security control gaps.

Threat hunting, a differentiating facet among
MDR service providers should be reviewed with these traits in mind:

• Flexible: Demonstrable adaptability to adversaries’ changing TTPs.
• Scalable: Automation of data collection and preparation to improve effectiveness and efficiency.
• Intuitive: Expert threat hunters in place to proactively search for covert signs of active or unknown compromises across multiple telemetries including endpoint, network, cloud and OT/IoT/IIoT.
• Industry framework-compatible: Mapping to frameworks such as MITRE ATT&CK enables analysts to see which controls may have been subverted and take decisive action based on attacker motives even when technology detections fail or attackers use new or unknown behaviours.

Questions to Ask MDR Providers:

• How do you define threat hunting and how do you find unknowns in the environment?
• How do you hunt for threats beyond searching for common IOCs?
• How often do you hunt for threats?
• Are your threat-hunting capabilities human-led or automated, or a combination of the two?
• Which threat vectors are covered by your hunting efforts?

Investigation: Lead with intelligence for rapid, scalable response Top- tier providers have experts conduct comprehensive investigations using an intelligence-led approach. They combine analyst-driven investigations with correlated event data gathered by TDIR technologies to deliver fast, scalable response activities. Providers should make analyst actions and findings directly available to customers. Investigations should be conducted through a comprehensive, iterative process that scopes incidents well enough for providers to answer:

• What happened?
• How did it happen?
• What do we know about the actors behind this activity?
• What should be done to respond to this activity?
• What should be done to prevent it from happening again?

An MDR provider’s investigation capabilities are distinguished when they:

• Continually update investigative reports: The provider should deliver the context needed to fully understand the scope of the attack, help assess risk and impact and recommend remediation strategies.
• Communicate transparently: The provider must render and communicate an in-depth understanding of the TTPs based on reliable threat intelligence and their expert analysis.
• Produce comprehensive investigative reports: The provider should report findings that include a timeline of attacker behavior supplemented with evidence, an interpretation of attacker activities based on threat research and data analysis and attributed threat intelligence for necessary context.

The most robust providers offer highly specialized services such as:

• Malware analysis
• Forensic analysis
• Intelligence gathering
• Incident response

Questions to Ask MDR Providers:

• What type of information do you provide beyond reporting alerts?
• How effectively do your reports convey the context around likely threats and correlated activity?
• What sort of evidence do you provide to establish the identity, methodology and attack timeline of suspected threat actors?
• How do you scale detection and customize response actions for individual customers?

Focused, Definitive Response: Reduce the impact of a compromise

Response and remediation services are critical to minimizing attack impacts and rapidly returning operations to normal. Reliable MDR providers should offer a broad range of response capabilities and adjust actions based on the type of attacks their customers experience. They must assure their customers that investigations are thorough and assess the full extent of a compromise.

A full-service MDR provider should offer these response and remediation capabilities:

• Containment
  • Appropriate actions must be taken to disrupt the attacker and limit their access to the environment. Remote containment is dependent on each client organization’s endpoint security tools.
• Eradication and Remediation
  • Understanding the full extent of the compromise is critical. The MDR provider may have to work with the customer to remove any residual attack infrastructure and restore secured system configurations.
• Enhacement and Fortification
  • With information from the investigation, MDR providers can recommend defence strategies to prevent or withstand future attacks with the same TTPs.

Questions to Ask MDR Providers:

• What range of response services do you provide?
• What types of remediation do you recommend beyond “wiping the box”?
• How will your analysts collaborate with our internal team?
• Which response actions are taken by your team, and which are our responsibility?
• What incident response capabilities do you offer to extend your base service?

Customer Support: Gain confidence through a reliable, flexible partner

• Security professionals are looking for more than an MDR service provider; they want a true cybersecurity partner.
• Their ideal MDR partner offers a dedicated customer support team that understands their unique SOC environment and amplifies the capabilities of their security team, both as advisors and contributors.
• Organizations also need flexibility and on-demand access to a dedicated expert or a pool of experts who augment specific functions.
• An MDR provider that offers reliable customer support delivers unique and differentiated cyber security knowledge and skills to address challenges facing security teams.

MDR providers should deliver:

• Experience across a broad range of technologies such as OT, IoT and cloud.
• Technical experience and specialized services to aid investigations, such as:
  • Malware analysis
  • Forensic analysis
  • Intelligence gathering
  • Onsite incident response

The customer support models of top-tier MDR providers include:

• Knowledge and skills drawn from years of experience: Experience refers to direct involvement with cyber attacks and the aftermath of a compromise, which may involve response, remediation and advanced forensic analysis. Specialized support team skills should include:
  • SOC expertise
  • Deep analysis capability to fully understand the adversary
  • Forensics and malware reverse engineering
  • Threat hunting
  • IR expertise
• Transparency through accessibility: Attacks don’t sleep, which means that the CISO or SOC manager often feels like they can’t either. Data connectivity through APIs, full visibility into environments and 24×7 access to world-class experts add tremendous value to security operations and the MDR-SOC partnership.
• Ability to use automation and machine learning: These capabilities enable accelerated detection and swift response. MDR providers that can quickly operationalize and scale the latest intelligence and attacker TTPs to protect customers stand out.

Questions to Ask MDR Providers:

• What is your customer support model?
• What does collaboration between our teams look like?
• What activities are taken to enhance our overall security posture? How frequently?
• What options are available to further enhance security (i.e., assessments, attack simulation, validation)?

Comprehensive MDR Coverage with Mandiant Managed Defense

The combined power of intelligence, expertise and automation in Mandiant Managed Defense delivers unique, differentiated and high-demand cyber security capabilities, knowledge and skills to SOC managers and their security teams. It minimizes many critical SOC challenges with:

• A dedicated onboarding team to ensure smooth implementation from day one
• A designated Managed Defense consultant who becomes part of the client’s security team and acts as their conduit and incident handler
• An early knowledge advantage through world-leading threat intelligence that delivers advanced detections and notifications of ongoing adversary activity from the latest frontline experiences
• The ability to integrate disparate data types with Mandiant technology and gain a cohesive, single vantage point to secure their environment
• A combination of skilled threat hunting and proprietary Mandiant intelligence to help discover and identify headline-worthy threats, adversaries and vulnerabilities.

The full benefits of Mandiant Managed Defense extend to the C-Suite. Executive leadership gains peace of mind, knowing that their SOC managers and security teams understand the threats that matter to their organization. They become more confident in their ability to secure and defend their organization, critical assets and people.

For more information visit cloud.google.com. MD- EXT-EB-US-EN-000435-04 1 Gartner, Market Guide to Managed Detection and Response Services. Pete Shoard, Al Price, Mitchell Schneider, Craig Lawson, Andrew Davies February 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Read User Manual Online (PDF format)

Download This Manual (PDF format)

Download this manual  >>