6 Questions and 6 Answers about Active Cyber Defense, the Managed Detection and Response Service (MDR).
by Tina Siering
Question 1: What is a Managed Detection and Response (MDR) service?
Regardless of the industry, many IT managers have the same problem with regard to IT security: too many requirements and too few staff. An external service provider can help with targeted expertise to redesign processes and also minimize risks of operational blindness. By booking a Managed Detection and Response Service (MDR), a company outsources competencies in the area of "cyber threat hunting" (goal: timely detection of attack activities in the network) to an external cyber security service provider. The contracted IT security experts actively search for possible compromises around the clock and contact the customer immediately if action is required - even before any damage occurs.
Allgeier secion's Active Cyber Defense (ACD) service is such an MDR service: a solution installed in the customer's infrastructure to detect unusual network communications that deviate from a defined baseline of normal communication and indicate a potential attack. ACD identifies security-related incidents based on a continuous threat scan of network data. Cybercriminals are thus not even given the chance to move around the system undetected for months. The time-critical gap between "detection" and "response" is significantly reduced by an MDR service.
ACD is particularly worthwhile for medium-sized companies that do not have the necessary internal human and financial resources to monitor their systems themselves around the clock. In view of the acute shortage of skilled personnel, one of the biggest advantages is that by hiring ACD, a complete team of experts is permanently on hand, including effective tools and proven detection methods.
The main features of Active Cyber Defense - summarized as an overview:
- ACD monitors all network systems, including servers, desktops, IoT and network devices, printers, ICS as well as smartphones, notebooks, tablets and BYOD.
- No installation of agents on clients is required to use the service. It checks at the network level whether systems are communicating with Command & Control servers and whether a compromise may have occurred.
- By exposing unusual and malicious communication behavior, ACD can quickly identify, isolate and clean up compromised systems.
- In the event of an active ongoing attack, the client can count on the support of Allgeier secion's Incident Response (IR) experts, who are available for consultation as needed.
- All IR processes are specially adapted to ACD: The client immediately receives a comprehensive picture of the situation and, if necessary, is supported in initiating effective countermeasures.
Question 2: How complex is the implementation of ACD and how does it proceed?
The implementation of the ACD service usually takes one to three days. The time required depends on the complexity of the customer's network. The required hardware in the form of network sensors is sent to the customer in advance for installation. Port mirroring on a network switch is also set up during this phase. The analysis unit of the Active Cyber Defense Service requires its own secure VPN connection, the setup and configuration of which is handled by the ACD analysts. By comparison, you can expect the implementation of a SIEM solution to take several months, mainly due to the long configuration and customization phases.
The initial setup is followed by the safe-listing phase, which takes an average of three weeks. During this phase, communication metadata is analyzed and the "normal state" of the system is learned. For the customer, this means no additional effort. Possible findings by Allgeier secion security analysts are communicated in a weekly customer update during these three weeks. As soon as the process is complete, the system can detect irregularities on its own and is ready for use.
Question 3: What are you required to do as an ACD customer?
In short: nothing. Since ACD is a fully managed service, you do not need your own human resources. Allgeier secion's security experts take over 24/7 monitoring for incident detection after implementation of the analysis unit and successful completion of the safe-listing phase. If any conspicuous activities take place in your IT infrastructure, you will be informed immediately, giving you enough time to take appropriate defensive measures before any damage occurs. By the way: since ACD is implemented completely as an on-premise service, all data remains with your company. This is done, on the one hand, to comply with legal data protection requirements and, on the other hand, because the network sensors are positioned passively in the network: exporting the collected data (e.g., to a cloud instance) would generate traffic that is visible to attackers.
Question 4: How does ACD relieve the burden on your company's internal IT security team?
Many mid-market IT departments struggle with issues that ACD can reduce, primarily due to thin staffing and limited budgets:
- Supporting the assessment of alerts
Every day, IT departments at mid-sized companies receive thousands of alerts. Smaller security teams are quickly overwhelmed with this abundance of alerts, even in terms of time.
- Determining the threat potential - analysis and evaluation
The Managed Service does not require agents to be installed on clients. It checks at the network level whether systems are communicating with command & control servers and are therefore compromised. By detecting conspicuous communication behavior, ACD identifies compromised systems very early in the attack chain, namely during the so-called intrusion phase. How it works: the metadata generated by communication within the company is converted into risk scores using statistics and algorithms. Once a risk score has reached a certain threshold, the cyber analysts take a closer look and classify any underlying attack activity as a high-, middle- or low-risk finding. Appropriately weighted information adds real value for the customer, as the ACD analysts' interpretation and prioritization of the data provides a focused view of which anomalies need to be acted upon.
- Provision of skilled personnel
There is already a shortage of millions of IT security professionals worldwide - and this will not change in the coming years. With ACD, a full managed service team is available to you in the shortest possible time and is on call around the clock.
- Monitoring all systems on your network
Active Cyber Defense (ACD) service involves monitoring all systems on your network, such as desktops, laptops, cell phones, tablets, servers, network devices, printers, IoT, ICS, BYOD.
Question 5: Why is a rapid response to cyberattacks so important?
In the event of a successful cyberattack, it is important to respond as quickly as possible. The longer an attacker can move around the network unnoticed, the greater the damage to your company as a rule. On average, it takes a full six months for a cyberattack to be discovered. During this time, hackers have plenty of time to spread throughout the system and leak data.
To identify compromises within the shortest possible time, ACD analysts rely on targeted threat-hunting methods and appropriate software. The managed service enables proactive protection against cyberattacks by permanently analyzing network traffic so that conspicuous behavior patterns can be detected immediately. By detecting conspicuous communication behavior, ACD identifies compromised systems. Incident response measures are also carried out by the ACD team as required. These can be added via an appropriate IR contingency.
Question 6: Why ACD instead of a SIEM solution?
A Security Information and Event Management (SIEM) system is a highly complex security solution for identifying cyber threats. Core SIEM functions include log management and centralization, and security event detection, where the precise timing and attribution of events are extremely important. Since a SIEM tool sifts through a large number of events daily (depending on the size of the enterprise), clear rules are required in the SIEM system to define and identify truly relevant events.
Since SIEM solutions thus check security-relevant data for anomalies in real time and actively draw attention to threats, they ensure very short response times in the event of an attack, but they also bring disadvantages:
- The implementation of a SIEM solution is very costly and time-consuming. Since the entire system landscape and other security solutions have to be integrated, it usually takes several months before the system is ready for use.
- SIEM solutions are cost-intensive and often go beyond the budget of medium-sized companies. In addition to the high purchase price, you should not underestimate the maintenance, servicing and update costs.
- A SIEM solution only makes sense if you also have an in-house SOC with IT security specialists. This is because comprehensive expertise is required to analyze, configure and integrate SIEM reports. In addition, only a team of experts can make appropriate recommendations for action and initiate countermeasures independently.
- SIEM solutions not only report relevant threats, but also generate vast numbers of irrelevant alerts. So you need a relatively large team to prioritize and process the alerts. However, the timely identification of real attacks can only succeed if the rules for data analysis are also defined in such a way that the incoming messages are classified correctly. Appropriate expert know-how and regular updating of the rules are essential for this.
- If a SIEM tool is configured incorrectly or if important alerts are ignored due to an excessive workload, the effectiveness of the security solution is reduced.
ACD analysts collect and evaluate communication artifacts in network traffic. The analysis does not rely on conventional methods such as signatures (known patterns), but detects malicious attacker communication to command & control servers even when it occurs for the first time (zero-day). This is a big and important difference from the way a SIEM works.
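As an added illustration of the risk-scoring approach described under Question 4 and the signature-free detection described above (this is example code written for this page, not the vendor's algorithm or product code): the script scores each (source, destination) pair from constructed connection metadata purely on timing regularity, request-size uniformity and connection volume, then assigns high/middle/low tiers. The host names, addresses, weights and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection metadata: (seconds since start, source host, destination, bytes sent).
# Only timing, direction and volume are used; no payload, no signature, no indicator list.
FLOWS = (
    # pc-17 contacts one external address every 60 s (2 s jitter) with fixed-size requests
    [(60 * i + (i % 2) * 2, "pc-17", "203.0.113.10", 312) for i in range(10)]
    # srv-02 fetches a mirror at irregular times with widely varying sizes
    + [(0, "srv-02", "mirror.example.org", 1200), (15, "srv-02", "mirror.example.org", 50),
       (400, "srv-02", "mirror.example.org", 98000), (405, "srv-02", "mirror.example.org", 730),
       (3000, "srv-02", "mirror.example.org", 15)]
    # lt-04 talks to a host exactly once
    + [(90, "lt-04", "203.0.113.44", 4100)]
)

MIN_CONNECTIONS = 4      # below this, regularity cannot be judged (assumed cut-off)
HIGH, MIDDLE = 70, 30    # tier thresholds; assumed, not the vendor's values


def regularity(values):
    """1.0 for perfectly uniform values, falling to 0.0 as the spread grows."""
    m = mean(values)
    if m == 0:
        return 0.0
    return max(0.0, 1.0 - pstdev(values) / m)


def risk_score(events):
    """Score 0-100 for one (source, destination) pair from its [(time, bytes), ...] list."""
    events = sorted(events)
    n = len(events)
    volume = min(1.0, n / 10)                 # saturates at 10 connections
    if n < MIN_CONNECTIONS:
        return 100 * 0.2 * volume             # too little evidence for periodicity
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    sizes = [e[1] for e in events]
    # periodic, same-sized, repeated contacts look like beaconing to a C2 server
    return 100 * (0.5 * regularity(gaps) + 0.3 * regularity(sizes) + 0.2 * volume)


def tier(score):
    return "high" if score >= HIGH else "middle" if score >= MIDDLE else "low"


def assess(flows):
    """Group flows by (src, dst) and return {(src, dst): (score, tier)}."""
    pairs = defaultdict(list)
    for t, src, dst, size in flows:
        pairs[(src, dst)].append((t, size))
    return {pair: (risk_score(ev), tier(risk_score(ev))) for pair, ev in pairs.items()}


if __name__ == "__main__":
    for pair, (score, level) in sorted(assess(FLOWS).items(), key=lambda kv: -kv[1][0]):
        print(f"{pair[0]:>7} -> {pair[1]:<20} score={score:5.1f} tier={level}")
```

Only the pair in the high tier would be escalated to an analyst; the mirror traffic and the single connection stay in the low tier without any list of known-bad addresses being consulted.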
Managed detection and response services are a great relief, especially for smaller IT teams without their own IT security specialists and with a manageable budget. They take over the all-round monitoring of all network systems and alerts and can correctly identify and prioritize them on the basis of a comprehensive threat analysis. MDR services such as Active Cyber Defense (ACD) ensure a high level of IT security by focusing on proactive early attack detection in the network, thus identifying successful cyber attacks in good time and preventing major damage. ACD is available at an attractive flat monthly service fee and thus also protects your budget!