Which technology has been the most influential in the history of cybersecurity?
A decade ago, most security professionals would have suggested a physical device such as the firewall or perhaps software anti-virus. In hindsight, the limitation of that perspective is that it was formed by an era still dominated by belief in a secure perimeter, stable notions of identity (the user and credentials), and the understanding that organisations should provision complex needs such as security for themselves.
These days, it’s clear that Internet connectivity and the data explosion ended the idea of a static perimeter, even if this is a reality some organisations still struggle with. The perimeter now shifts as devices and people move around, and often surrounds individual applications and software processes hosted externally from the cloud. In a world where credentials are easy to steal, even identity itself has become unreliable.
If the old era of security was defined by the principle of access control, the new era of cybersecurity is about controlling access to multiple perimeters. This is an order of magnitude more complex, which has fueled the struggle organisations have in keeping up with new technologies, hiring experienced IT staff, and managing and investing in security systems.
Traditional technologies have struggled to cope with this move to new applications and a distributed workforce, hamstrung by complexity, different technology generations, and poor integration between systems. The ability to detect threats, let alone react to them, is always compromised by slow response and an inability to understand threats in a multi-dimensional way.
This has provided the context for the dramatic growth in cybersecurity as a service, led most notably by the managed detection and response (MDR) sector. Indeed, the MDR sector has grown so rapidly that Gartner predicts it will be adopted by 50% of all organisations by 2025. Organisations have been buying cybersecurity services for years, but for half of them to hand over a central element of their security function to a third party would represent a huge change in security architecture.
What is MDR's Appeal?
The clue to the meaning of MDR is in its name: the detection and response to security events by a third party. This solves the expertise problem – the MDR provider is full of people with cybersecurity skills. It also solves the investment problem as the MDR provider upgrades their detection platform, removing or reducing the need for that investment by the customer. In return for a fixed monthly fee, organisations get 24/7 monitoring, forward threat intelligence, and advanced analytics switched on within hours.
MDR is a Service
However, it’s important to understand that MDR is not a technology so much as a suite of technologies and tools presented as a service, usually on top of an underlying bought-in or proprietary platform. Although the term is used in a general way by numerous providers, what is on offer varies from provider to provider.
Up close, MDR services offer to meet several deeper requirements, starting with alert handling. One of the most time-consuming and complex tasks for any inhouse IT department is investigating and resolving alerts. MDR services relieve this burden, using their own security tools to sift alerts from a wide range of endpoint and network security systems and separate the ones that require more investigation from the background alerts that don’t.
This focus on detection means that an important measurement of cybersecurity fitness, mean time to detection (MTTD), should be dramatically shorter using an MDR service than it might be using inhouse processes. Of course, exactly how much shorter will depend on the industry vertical and the size of the company, with smaller and medium-sized companies showing the greatest benefits.
Ransomware
One important use case for MDR is ransomware, a type of cyberattack that relies on speed and shock to infect and make unavailable as many systems as possible. Accurate real-time, automated detection is essential to counter ransomware, as is the ability to detect the scope of an infection as part of optional incident response and remediation.
Assessing MDR
MDR providers set out to analyse data from a range of security interfaces, turning that into actionable response. That doesn’t mean that all MDR providers will execute response. In some cases, high priority issues are passed back to the customer for their inhouse teams to respond to. That makes it important to understand how each MDR presents this information to the customer, something that also varies from platform to platform.
MDR takes an event and incident-driven approach to cybersecurity with specified outputs. It is not designed to protect data per se, which presents a separate architectural challenge.
Conclusion: Beyond Silver Bullets
To return to the original question about the influence of technologies, the rise of cybersecurity services reframes the question: do technologies matter or does their integration and availability count more? The growth of the services market suggests the latter has become more important.
The limitation of old perimeter security was that individual technologies – intrusion prevention, next-generation firewalls, privilege management – managed one element of security. Integrating these to get a global view proved nigh impossible across generations of technology. Designed from the ground up to integrate event and alert data, MDR services represent the best chance yet to evolve beyond that failure.